
Vex: Account for rpmmod qualifier in component PURLs


Type: Task
Resolution: Done
Priority: Normal
Components: matcher, updater

Need clarification on qualifier vs standalone PURL situation.

Previously, VEX files had rpm module information that could be walked through the relationships section:

    {"purl":"pkg:rpmmod/redhat/go-toolset:rhel8/golang"}

This was parsed/ingested by the VEX parser and added to the vulnerability row (and also used as a matching constraint).

Now the guidelines have changed and the module information is included as a qualifier in the component's PURL: https://redhatproductsecurity.github.io/security-data-guidelines/purl/#identifying-rpm-modules.

We should stop looking for individually defined rpmmod PURL type and start looking for the rpmmod= qualifier in the component's PURL.

Example VEX file: https://security.access.redhat.com/data/csaf/v2/vex/2024/cve-2024-24786.json
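The two PURL shapes the issue contrasts, handled side by side, as an added illustration that is not Clair's code and not taken from the linked VEX file. It uses a small self-contained PURL splitter (not the packageurl-go library Clair depends on) and recognises both the legacy standalone pkg:rpmmod/... form and the rpmmod= qualifier on an rpm component PURL. The only PURL copied from this issue is the pkg:rpmmod one; the rpm PURLs, their versions and the rpmmod qualifier values are constructed samples, and the qualifier layout is assumed from the issue text rather than checked against Red Hat's guideline document.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ModuleInfo is the RPM module constraint recovered from a PURL.
type ModuleInfo struct {
	Source string // "standalone" (legacy pkg:rpmmod/... PURL) or "qualifier" (rpmmod= on the component PURL)
	Module string // raw module value exactly as found in the PURL
}

// SplitPURL breaks "pkg:<type>/<path>?<qualifiers>#<subpath>" into type, path
// and decoded qualifiers. Minimal splitter for this example only; it is not a
// full purl-spec implementation.
func SplitPURL(raw string) (typ, path string, qualifiers url.Values, err error) {
	if !strings.HasPrefix(strings.ToLower(raw), "pkg:") {
		return "", "", nil, errors.New("not a purl: missing pkg: scheme")
	}
	rest := raw[len("pkg:"):]
	// Subpath and qualifiers follow the path; strip them from the right.
	if i := strings.IndexByte(rest, '#'); i >= 0 {
		rest = rest[:i]
	}
	var query string
	if i := strings.IndexByte(rest, '?'); i >= 0 {
		query, rest = rest[i+1:], rest[:i]
	}
	rest = strings.TrimLeft(rest, "/") // tolerate "pkg://type/..."
	typ, path, ok := strings.Cut(rest, "/")
	if !ok || typ == "" || path == "" {
		return "", "", nil, fmt.Errorf("malformed purl %q: need pkg:<type>/<path>", raw)
	}
	parsed, err := url.ParseQuery(query)
	if err != nil {
		return "", "", nil, fmt.Errorf("malformed qualifiers in %q: %w", raw, err)
	}
	// Qualifier keys are case-insensitive in the purl spec; normalise them so
	// "RPMMOD=" and "rpmmod=" are the same key.
	qualifiers = url.Values{}
	for k, vs := range parsed {
		qualifiers[strings.ToLower(k)] = vs
	}
	return strings.ToLower(typ), path, qualifiers, nil
}

// ModuleFromPURL returns the module constraint carried by a PURL, if any.
// ok is false when the PURL names no module at all (a plain rpm package).
func ModuleFromPURL(raw string) (info ModuleInfo, ok bool, err error) {
	typ, path, q, err := SplitPURL(raw)
	if err != nil {
		return ModuleInfo{}, false, err
	}
	if typ == "rpmmod" {
		// Legacy form: the module was its own PURL reached via the relationships section.
		return ModuleInfo{Source: "standalone", Module: path}, true, nil
	}
	if mod := q.Get("rpmmod"); mod != "" {
		// Current form: the module is a qualifier on the component's own PURL.
		return ModuleInfo{Source: "qualifier", Module: mod}, true, nil
	}
	return ModuleInfo{}, false, nil
}

func main() {
	// Constructed sample PURLs; only the first one appears in the issue.
	samples := []string{
		"pkg:rpmmod/redhat/go-toolset:rhel8/golang",                                    // legacy standalone form
		"pkg:rpm/redhat/golang@1.19.10-1.module_el8?arch=x86_64&rpmmod=go-toolset:rhel8", // qualifier form (constructed)
		"pkg:rpm/redhat/curl@7.61.1-30.el8?arch=x86_64",                                  // no module (constructed)
	}
	for _, s := range samples {
		info, ok, err := ModuleFromPURL(s)
		switch {
		case err != nil:
			fmt.Printf("%-82s error: %v\n", s, err)
		case !ok:
			fmt.Printf("%-82s no module\n", s)
		default:
			fmt.Printf("%-82s %s module %q\n", s, info.Source, info.Module)
		}
	}
}
```

A matcher that keeps both branches can ingest older VEX documents that still carry the standalone pkg:rpmmod entry while picking up the qualifier from documents written to the new guideline; a PURL that yields neither is an ordinary rpm with no module constraint to apply.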

Assignee: Joseph Crosland (jcroslan@redhat.com)
Reporter: Joseph Crosland (jcroslan@redhat.com)
Votes: 0
Watchers: 2