From cb19d8109712b34bc519445c701648e2e04c3384 Mon Sep 17 00:00:00 2001 From: Feroz Salam Date: Tue, 5 Dec 2023 14:25:25 +0000 Subject: [PATCH] Add support for the `--vex` flag (#254) Signed-off-by: Feroz Salam --- README.md | 1 + action.yml | 3 +++ dist/index.js | 7 +++++++ index.js | 7 +++++++ tests/action_args.test.js | 1 + tests/grype_command.test.js | 17 +++++++++++++++++ 6 files changed, 36 insertions(+) diff --git a/README.md b/README.md index bd16308f..6c0b562f 100644 --- a/README.md +++ b/README.md @@ -131,6 +131,7 @@ The inputs `image`, `path`, and `sbom` are mutually exclusive to specify the sou | `only-fixed` | Specify whether to only report vulnerabilities that have a fix available. | `false` | | `add-cpes-if-none` | Specify whether to autogenerate missing CPEs. | `false` | | `by-cve` | Specify whether to orient results by CVE rather than GHSA. | `false` | +| `vex` | Specify a list of VEX documents to consider when producing scanning results. | `false` | ### Action Outputs diff --git a/action.yml b/action.yml index 2261b7aa..1ba095e3 100644 --- a/action.yml +++ b/action.yml @@ -40,6 +40,9 @@ inputs: grype-version: description: "A specific version of Grype to install" required: false + vex: + description: "Specify a list of VEX documents to consider when producing scanning results." + required: false outputs: sarif: description: "Path to a SARIF report file for the image" diff --git a/dist/index.js b/dist/index.js index 1dc458f9..e985df7a 100644 --- a/dist/index.js +++ b/dist/index.js @@ -106,6 +106,7 @@ async function run() { const onlyFixed = core.getInput("only-fixed") || "false"; const addCpesIfNone = core.getInput("add-cpes-if-none") || "false"; const byCve = core.getInput("by-cve") || "false"; + const vex = core.getInput("vex") || ""; const out = await runScan({ source, failBuild, @@ -114,6 +115,7 @@ async function run() { outputFormat, addCpesIfNone, byCve, + vex, }); Object.keys(out).map((key) => { core.setOutput(key, out[key]); 
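Review bot: The new `vex:` input in action.yml declares no `default`, while the README row added in this same commit lists its default as `false` and index.js falls back to an empty string (`core.getInput("vex") || ""`), only adding the flag when the value is non-empty; the three should agree, e.g. add `default: ""` under `vex:` and change the README default to an empty value. The description also promises "a list of VEX documents", but index.js forwards the raw value as a single `--vex` argument, so the description should state how entries are separated, or that a single document is supported — the separator Grype expects is not visible in this diff.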
@@ -131,6 +133,7 @@ async function runScan({ outputFormat, addCpesIfNone, byCve, + vex, }) { const out = {}; @@ -219,6 +222,10 @@ async function runScan({ if (byCve === true) { cmdArgs.push("--by-cve"); } + if (vex) { + cmdArgs.push("--vex"); + cmdArgs.push(vex); + } cmdArgs.push(source); // This /dev/null writable stream is required so the entire Grype output diff --git a/index.js b/index.js index 49e91cf7..8ec6da0f 100644 --- a/index.js +++ b/index.js @@ -92,6 +92,7 @@ async function run() { const onlyFixed = core.getInput("only-fixed") || "false"; const addCpesIfNone = core.getInput("add-cpes-if-none") || "false"; const byCve = core.getInput("by-cve") || "false"; + const vex = core.getInput("vex") || ""; const out = await runScan({ source, failBuild, @@ -100,6 +101,7 @@ async function run() { outputFormat, addCpesIfNone, byCve, + vex, }); Object.keys(out).map((key) => { core.setOutput(key, out[key]); @@ -117,6 +119,7 @@ async function runScan({ outputFormat, addCpesIfNone, byCve, + vex, }) { const out = {}; @@ -205,6 +208,10 @@ async function runScan({ if (byCve === true) { cmdArgs.push("--by-cve"); } + if (vex) { + cmdArgs.push("--vex"); + cmdArgs.push(vex); + } cmdArgs.push(source); // This /dev/null writable stream is required so the entire Grype output diff --git a/tests/action_args.test.js b/tests/action_args.test.js index c3773dd9..5cabc507 100644 --- a/tests/action_args.test.js +++ b/tests/action_args.test.js @@ -13,6 +13,7 @@ describe("Github action args", () => { "output-format": "json", "severity-cutoff": "medium", "add-cpes-if-none": "true", + "vex": "test.vex", }; const spyInput = jest.spyOn(core, "getInput").mockImplementation((name) => { try { diff --git a/tests/grype_command.test.js b/tests/grype_command.test.js index d8e827b3..70978bbd 100644 --- a/tests/grype_command.test.js +++ b/tests/grype_command.test.js 
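Review bot: In the `@@ -205,6 +208,10` hunk of index.js, `if (vex)` pushes the whole input as one argument after `--vex`, so a value written as a multi-entry list (which the new input description invites) reaches Grype as a single path unless Grype splits it itself; if several documents are meant to be supported, something like `for (const doc of vex.split("\n").map((s) => s.trim()).filter(Boolean)) {` / `  cmdArgs.push("--vex", doc);` / `}` makes the contract explicit. A VEX document can suppress findings that would otherwise fail the build, so it is worth recording which document was applied in the job log, e.g. `core.info(\`Applying VEX document: ${vex}\`);` inside the guard, so the suppression is visible when reviewing a passing scan. The same code appears in dist/index.js, and in the `run()` hunk above the `|| ""` on `const vex = core.getInput("vex") || "";` is redundant because `core.getInput` already returns an empty string for an unset input. Both `run()` and `runScan()` start outside their hunks.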
@@ -69,4 +69,21 @@ describe("Grype command", () => { `${cmdPrefix} -o json --fail-on low --add-cpes-if-none asdf` ); }); + + it("adds VEX processing if requested", async () => { + let cmd = await mockExec({ + source: "asdf", + failBuild: "false", + outputFormat: "json", + severityCutoff: "low", + version: "0.6.0", + onlyFixed: "false", + addCpesIfNone: "true", + byCve: "false", + vex: "test.vex", + }); + expect(cmd).toBe( + `${cmdPrefix} -o json --fail-on low --add-cpes-if-none --vex test.vex asdf` + ); + }); });
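Review bot: `let cmd` in the new "adds VEX processing if requested" case is never reassigned, so it should read `const cmd = await mockExec({` unless the surrounding cases (outside this hunk) deliberately use `let`, in which case keep them consistent. The case only covers the positive path; a sibling case passing `vex: ""` and asserting that `--vex` does not appear in the command would pin the `if (vex)` guard in index.js, unless the earlier cases that omit `vex` are considered to cover it.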