Skip to content

Include match details in the CycloneDX output format #3513

Description

@chovanecadam

What would you like to be added:

Include matchDetails object in the CycloneDX output format as well.

matchDetails object example
      "matchDetails": [
        {
          "type": "exact-indirect-match",
          "matcher": "rpm-matcher",
          "searchedBy": {
            "distro": {
              "type": "fedora",
              "version": "23"
            },
            "package": {
              "name": "krb5",
              "version": "1.14.1-6.fc23"
            },
            "namespace": "fedora:distro:fedora:23"
          },
          "found": {
            "vulnerabilityID": "CVE-2016-3120",
            "versionConstraint": "< 0:1.14.3-8.fc23||< 0:1.14.3-4.fc23 (rpm)"
          },
          "fix": {
            "suggestedVersion": "0:1.14.3-4.fc23"
          }
        }
      ]

Why is this needed:

Match details include important information about the match, including type of the match. Marking package as vulnerable based on a CVE issued to an upstream package may result in false positives and less confidence. Including information about direct/indirect match would allow consumers to understand how the match was made and avoid false positives.

Additional context:

The match details object is already part of the json format so I recon it's part of a public stable API. As such I don't see a reason to not include it in the CycloneDX format as well. CycloneDX allows setting custom properties for each vulnerability finding (see spec). Because only string values are allowed, I propose stringifying the matchDetails object. Syft already makes use of proterties to store syft:package:type.

Although I have only use case for the match type, I don't see a reason to not include the whole object.

Previously discussed on Discourse: Additional properties in CycloneDX-json Grype output

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    Status
    Ready

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions