vulncheck: update documentation for vex
Adds documentation/updates some tests & comments to reflect the
introduction of the openVEX standard as a valid output format for
govulncheck.
fixes golang/go#62486
Change-Id: I88c6fc830439606441bb1855ba8b36642007738c
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/590575
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
Commit-Queue: Maceo Thompson <maceothompson@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
diff --git a/cmd/govulncheck/doc.go b/cmd/govulncheck/doc.go
index dbfb957..c3c4744 100644
--- a/cmd/govulncheck/doc.go
+++ b/cmd/govulncheck/doc.go
@@ -67,12 +67,16 @@
format, following the specification at https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=sarif.
For more details, please see [golang.org/x/vuln/internal/sarif].
+Govulncheck supports the Vulnerability EXchange (VEX) output format, following
+the specification at https://github.com/openvex/spec.
+For more details, please see [golang.org/x/vuln/internal/openvex].
+
# Exit codes
Govulncheck exits successfully (exit code 0) if there are no vulnerabilities,
and exits unsuccessfully if there are. It also exits successfully if the
-'format -json' ('-json') or '-format sarif' is provided, regardless of the number
-of detected vulnerabilities.
+'format -json' ('-json'), '-format sarif', or '-format openvex' is provided,
+regardless of the number of detected vulnerabilities.
# Limitations
diff --git a/cmd/govulncheck/testdata/common/testfiles/usage/usage.ct b/cmd/govulncheck/testdata/common/testfiles/usage/usage.ct
index 7d5a143..ff2c2ae 100644
--- a/cmd/govulncheck/testdata/common/testfiles/usage/usage.ct
+++ b/cmd/govulncheck/testdata/common/testfiles/usage/usage.ct
@@ -14,7 +14,7 @@
vulnerability database url (default "https://vuln.go.dev")
-format value
specify format output
- The supported values are 'text', 'json', and 'sarif' (default 'text')
+ The supported values are 'text', 'json', 'sarif', and 'openvex' (default 'text')
-json
output JSON (Go compatible legacy flag, see format flag)
-mode value
diff --git a/internal/openvex/vex.go b/internal/openvex/vex.go
index 2e30e58..e60ce75 100644
--- a/internal/openvex/vex.go
+++ b/internal/openvex/vex.go
@@ -7,6 +7,9 @@
//
// These types match the OpenVEX standard. See https://github.com/openvex for
// more information on VEX and OpenVEX.
+//
+// This is intended to be the minimimal amount of information required to output
+// a complete VEX document according to the specification.
package openvex
import "time"
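Review bot: The added package comment misspells "minimal" as "minimimal" on the second added line; it should read `// This is intended to be the minimal amount of information required to output`. Since this is the package doc for openvex and the govulncheck doc.go now links to it, the typo will surface in the rendered godoc, so it is worth fixing in this change.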
diff --git a/internal/scan/flags.go b/internal/scan/flags.go
index 0f3c677..5512540 100644
--- a/internal/scan/flags.go
+++ b/internal/scan/flags.go
@@ -42,7 +42,7 @@
flags.Var(&modeFlag, "mode", "supports 'source', 'binary', and 'extract' (default 'source')")
flags.Var(&cfg.tags, "tags", "comma-separated `list` of build tags")
flags.Var(&cfg.show, "show", "enable display of additional information specified by the comma separated `list`\nThe supported values are 'traces','color', 'version', and 'verbose'")
- flags.Var(&cfg.format, "format", "specify format output\nThe supported values are 'text', 'json', and 'sarif' (default 'text')")
+ flags.Var(&cfg.format, "format", "specify format output\nThe supported values are 'text', 'json', 'sarif', and 'openvex' (default 'text')")
flags.BoolVar(&version, "version", false, "print the version information")
flags.Var(&scanFlag, "scan", "set the scanning level desired, one of 'module', 'package', or 'symbol' (default 'symbol')")