Skip to content

Commit d97202a

Browse files
committed
Move to automating VEX creation and add grype
Signed-off-by: Erick Bourgeois <erick@jeb.ca>
1 parent 87c977b commit d97202a

76 files changed

Lines changed: 2189 additions & 1074 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.claude/CHANGELOG.md

Lines changed: 409 additions & 0 deletions
Large diffs are not rendered by default.

.claude/SKILL.md

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -326,8 +326,7 @@ done
326326

327327
### If preparing a release:
328328
- [ ] Every open Trivy finding has a corresponding statement in `.vex/` (triaged into one of: `not_affected`, `affected`, `fixed`, `under_investigation`). No silent "unknown" CVEs leave the door.
329-
- [ ] `./tools/validate-vex.sh` exits 0.
330-
- [ ] `./tools/tests/validate-vex-tests.sh` and `./tools/tests/assemble-openvex-tests.sh` pass.
329+
- [ ] `make vex-validate` exits 0 (every `.vex/*.json` parses cleanly via `vexctl merge`).
331330
- [ ] `.vex/` changes referenced in the release notes / changelog.
332331

333332
**Verification:** Every checked box above passes. A task is NOT complete until the full checklist is green.

.github/codeql/codeql-config.yml

Lines changed: 22 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,22 @@
1+
# Copyright (c) 2025 Erick Bourgeois, firestoned
2+
# SPDX-License-Identifier: Apache-2.0
3+
#
4+
# CodeQL config consumed by .github/workflows/codeql.yaml. Keeps
5+
# generated / vendored output out of the scanning database so the
6+
# analyzer doesn't waste time on files we don't ship and can't fix.
7+
8+
name: "5-Spot CodeQL Config"
9+
10+
# Exclude generated or third-party content from analysis. We still
11+
# scan every hand-written source file under src/, .github/, and
12+
# docs/src/javascripts/.
13+
paths-ignore:
14+
# Rust build output (compiled artifacts, incremental-build state,
15+
# Cargo-vendored registry caches).
16+
- target/**
17+
# MkDocs build output.
18+
- docs/site/**
19+
# Docs build dependencies — Poetry manifests, not source code.
20+
- docs/poetry.lock
21+
- docs/pyproject.toml
22+
- docs/.python-version

.github/workflows/build.yaml

Lines changed: 210 additions & 35 deletions
Large diffs are not rendered by default.

.github/workflows/codeql.yaml

Lines changed: 86 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,86 @@
1+
# Copyright (c) 2025 Erick Bourgeois, firestoned
2+
# SPDX-License-Identifier: Apache-2.0
3+
#
4+
# CodeQL analysis — explicit language list.
5+
#
6+
# Writing this workflow disables GitHub's "default setup" CodeQL config
7+
# and lets us pin exactly which languages get analyzed. We had to take
8+
# over the default setup because it auto-detected Python from
9+
# docs/pyproject.toml (Poetry manifest for MkDocs tooling) and then
10+
# failed with "CodeQL detected code written in GitHub Actions, Rust
11+
# and JavaScript/TypeScript, but not any written in Python" once the
12+
# 5-Spot VEX Python tooling was removed in the Phase 1 cleanup
13+
# (.claude/CHANGELOG.md 2026-04-22 19:45).
14+
#
15+
# Languages analyzed here are exactly the ones with real source files:
16+
# - `rust` — src/**/*.rs (beta in CodeQL; upstream
17+
# aware, stable enough for static
18+
# vulnerability checks on our surface)
19+
# - `actions` — .github/workflows/**/*.yaml
20+
# - `javascript-typescript`
21+
# — docs/src/javascripts/mermaid-init.js
22+
# (MkDocs Mermaid integration)
23+
#
24+
# We explicitly do NOT list `python`: the pyproject.toml under docs/
25+
# is a Poetry *manifest* for the MkDocs build, not Python source code,
26+
# and would cause the analyzer to finalize an empty database.
27+
28+
name: CodeQL
29+
30+
on:
31+
pull_request:
32+
branches:
33+
- main
34+
push:
35+
branches:
36+
- main
37+
schedule:
38+
# Weekly full re-scan on Sundays at 07:17 UTC. Offsets the minute
39+
# so we don't collide with the hourly cron queue. Keeps the Code
40+
# Scanning dashboard fresh when a week passes without code changes.
41+
- cron: '17 7 * * 0'
42+
43+
permissions:
44+
contents: read
45+
46+
jobs:
47+
analyze:
48+
name: 🔍 CodeQL - ${{ matrix.language }}
49+
runs-on: ${{ matrix.runner }}
50+
timeout-minutes: 30
51+
permissions:
52+
contents: read
53+
security-events: write
54+
packages: read
55+
56+
strategy:
57+
fail-fast: false
58+
matrix:
59+
include:
60+
- language: rust
61+
build-mode: none
62+
runner: ubuntu-latest
63+
- language: actions
64+
build-mode: none
65+
runner: ubuntu-latest
66+
- language: javascript-typescript
67+
build-mode: none
68+
runner: ubuntu-latest
69+
70+
steps:
71+
- name: Checkout code
72+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
73+
74+
- name: Initialize CodeQL
75+
uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
76+
with:
77+
languages: ${{ matrix.language }}
78+
build-mode: ${{ matrix.build-mode }}
79+
# Repo-local config file (paths-ignore, query suites). Keeps
80+
# generated / vendored output out of the database.
81+
config-file: ./.github/codeql/codeql-config.yml
82+
83+
- name: Perform CodeQL analysis
84+
uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
85+
with:
86+
category: "/language:${{ matrix.language }}"

.vex/CVE-2010-4756.json

Lines changed: 23 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,23 @@
1+
{
2+
"@context": "https://openvex.dev/ns/v0.2.0",
3+
"@id": "https://github.com/finos/5-spot/.vex/CVE-2010-4756",
4+
"author": "erick.bourgeois@gmail.com",
5+
"statements": [
6+
{
7+
"impact_statement": "5-Spot performs no file-system glob expansion; the vulnerable glibc glob() implementation is never called from the controller.",
8+
"justification": "vulnerable_code_not_in_execute_path",
9+
"products": [
10+
{
11+
"@id": "pkg:oci/5-spot"
12+
}
13+
],
14+
"status": "not_affected",
15+
"timestamp": "2026-04-19T00:00:00Z",
16+
"vulnerability": {
17+
"name": "CVE-2010-4756"
18+
}
19+
}
20+
],
21+
"timestamp": "2026-04-19T00:00:00Z",
22+
"version": 1
23+
}

.vex/CVE-2010-4756.toml

Lines changed: 0 additions & 12 deletions
This file was deleted.

.vex/CVE-2018-20796.json

Lines changed: 23 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,23 @@
1+
{
2+
"@context": "https://openvex.dev/ns/v0.2.0",
3+
"@id": "https://github.com/finos/5-spot/.vex/CVE-2018-20796",
4+
"author": "erick.bourgeois@gmail.com",
5+
"statements": [
6+
{
7+
"impact_statement": "5-Spot uses the Rust regex crate, a separate implementation from glibc's posix/regexec.c; the vulnerable C function is never invoked.",
8+
"justification": "vulnerable_code_not_in_execute_path",
9+
"products": [
10+
{
11+
"@id": "pkg:oci/5-spot"
12+
}
13+
],
14+
"status": "not_affected",
15+
"timestamp": "2026-04-19T00:00:00Z",
16+
"vulnerability": {
17+
"name": "CVE-2018-20796"
18+
}
19+
}
20+
],
21+
"timestamp": "2026-04-19T00:00:00Z",
22+
"version": 1
23+
}

.vex/CVE-2018-20796.toml

Lines changed: 0 additions & 12 deletions
This file was deleted.

.vex/CVE-2019-1010022.json

Lines changed: 23 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,23 @@
1+
{
2+
"@context": "https://openvex.dev/ns/v0.2.0",
3+
"@id": "https://github.com/finos/5-spot/.vex/CVE-2019-1010022",
4+
"author": "erick.bourgeois@gmail.com",
5+
"statements": [
6+
{
7+
"impact_statement": "The controller does not execute adversary-supplied native code; the pre-conditions required to reach the glibc stack-guard bypass do not exist in this workload.",
8+
"justification": "vulnerable_code_cannot_be_controlled_by_adversary",
9+
"products": [
10+
{
11+
"@id": "pkg:oci/5-spot"
12+
}
13+
],
14+
"status": "not_affected",
15+
"timestamp": "2026-04-19T00:00:00Z",
16+
"vulnerability": {
17+
"name": "CVE-2019-1010022"
18+
}
19+
}
20+
],
21+
"timestamp": "2026-04-19T00:00:00Z",
22+
"version": 1
23+
}

0 commit comments

Comments
 (0)