Open
Description
Hi there,

We work on Erlang/OTP and we were wondering if it would be possible to add a new input field that takes a VEX file.

The semantics are that this GitHub Action should ignore any of the CVEs listed in the VEX file (for which there is a reason that the CVE does not apply).

For example, one could add the following new input field `vex-args` to pass such a file:
```yaml
jobs:
  osv-scan:
    uses: "google/osv-scanner-action/.github/workflows/[email protected]"
    with:
      # takes as input a VEX file that will make OSV ignore some CVEs
      vex-args: |-
        otp.vex
      scan-args: |-
        ./
    permissions:
      # Require writing security events to upload SARIF file to security tab
      security-events: write
```
It would be great if support for VEX files were integrated into this action.
Alternative solutions
An alternative solution is not to use this action and to rely instead on the OSV API. One can build a custom script that calls the OSV API and ignores some of the findings reported by OSV, taking a VEX file into account.
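The custom-script alternative described above, as an added example that is not code from the osv-scanner-action project or from the issue author: it parses an OpenVEX JSON document, queries the OSV API for a package (the live `query_osv` helper is included but the offline demo runs against a constructed response), and drops any finding covered by a `not_affected` or `fixed` statement. The package purl, the CVE/GHSA identifiers and the VEX document below are constructed; the requirement that a `not_affected` statement carry a justification, and the scoping of statements to their listed products, are this script's own policy choices, not something the OSV API or the action enforces.

```python
"""Filter OSV API findings through an OpenVEX document (added example).

Assumes OpenVEX JSON input and scan results shaped like the OSV API's
/v1/query response: {"vulns": [{"id": ..., "aliases": [...]}, ...]}.
"""
import json
import urllib.request

OSV_QUERY_URL = "https://api.osv.dev/v1/query"

# Statement statuses that justify dropping a finding. "affected" and
# "under_investigation" never suppress anything.
SUPPRESSING_STATUSES = {"not_affected", "fixed"}


def load_vex_statements(vex_json):
    """Return a list of (vuln_name, status, product_purls) from an OpenVEX document.

    Handles both OpenVEX v0.0.1 (vulnerability is a string) and v0.2.0
    (vulnerability is {"name": ...}). Policy of this script: a not_affected
    statement without a justification or impact_statement is not honored.
    """
    doc = json.loads(vex_json)
    statements = []
    for stmt in doc.get("statements", []):
        vuln = stmt.get("vulnerability")
        name = vuln.get("name") if isinstance(vuln, dict) else vuln
        if not name:
            continue
        status = stmt.get("status")
        if status == "not_affected" and not (
            stmt.get("justification") or stmt.get("impact_statement")
        ):
            continue
        products = {p.get("@id") for p in stmt.get("products", []) if isinstance(p, dict)}
        statements.append((name, status, products))
    return statements


def is_suppressed(vuln, purl, statements):
    """True if the OSV record matches a suppressing VEX statement.

    OSV frequently reports a GHSA id with the CVE only in `aliases`, while
    VEX files usually name the CVE, so match against both. A statement that
    lists products applies only when the queried package's purl is among them.
    """
    ids = {vuln.get("id")} | set(vuln.get("aliases", []))
    for name, status, products in statements:
        if status not in SUPPRESSING_STATUSES or name not in ids:
            continue
        if products and purl not in products:
            continue
        return True
    return False


def filter_findings(osv_response, purl, statements):
    """Split the OSV vulns into (kept, suppressed) lists."""
    kept, suppressed = [], []
    for vuln in osv_response.get("vulns", []):
        (suppressed if is_suppressed(vuln, purl, statements) else kept).append(vuln)
    return kept, suppressed


def query_osv(ecosystem, name, version):
    """Live OSV query over the network; not used by the offline demo below."""
    body = json.dumps(
        {"package": {"name": name, "ecosystem": ecosystem}, "version": version}
    ).encode()
    req = urllib.request.Request(
        OSV_QUERY_URL, data=body, headers={"Content-Type": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample inputs: the purl, CVE ids and GHSA id are not real.
SAMPLE_PURL = "pkg:hex/example@1.0.0"
SAMPLE_VEX = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.com/vex/example-document",
    "author": "example",
    "timestamp": "2024-01-01T00:00:00Z",
    "version": 1,
    "statements": [
        {"vulnerability": {"name": "CVE-2024-0001"},
         "products": [{"@id": SAMPLE_PURL}],
         "status": "not_affected",
         "justification": "vulnerable_code_not_in_execute_path"},
        {"vulnerability": {"name": "CVE-2024-0002"},   # no justification: ignored
         "status": "not_affected"},
        {"vulnerability": {"name": "CVE-2024-0003"},   # never suppresses
         "status": "under_investigation"},
    ],
})
SAMPLE_OSV_RESPONSE = {"vulns": [
    {"id": "GHSA-0000-0000-0001", "aliases": ["CVE-2024-0001"]},  # CVE only in aliases
    {"id": "CVE-2024-0002", "aliases": []},
    {"id": "CVE-2024-0003", "aliases": []},
    {"id": "CVE-2024-0004", "aliases": []},                       # no VEX statement
]}

if __name__ == "__main__":
    stmts = load_vex_statements(SAMPLE_VEX)
    kept, dropped = filter_findings(SAMPLE_OSV_RESPONSE, SAMPLE_PURL, stmts)
    print("suppressed:", [v["id"] for v in dropped])
    print("kept:", [v["id"] for v in kept])
```

Matching on `aliases` is the step most easily forgotten: a VEX file written against CVE identifiers silently fails to suppress anything if the script compares only against OSV's primary `id`, which for GitHub advisories is a GHSA identifier. Scoping statements to their listed product purls keeps a VEX written for one package from blanking out the same CVE in another dependency.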