Module vex


The vex subcommands: product/assertion resolution shared by -f vex and SARIF, the pure cores of vex check (drift) and vex verify (witnesses), and the Check/Verify argument structs + runners. The binary only parses and dispatches into [run_vex_check]/[run_vex_verify].

Structs

CommittedStatement
A committed VEX statement’s identity, status, and authoring role, parsed from a document for the drift gate.
Drift
The drift between a fresh projection and a committed document (§10).

Functions

assemble_fresh
A plain fresh scan assembled with the config’s ignores + vex_assertions, for vex check/verify to compare against a committed document.
build_human_assertions
Promote each suppressed occurrence (an ignore or vex_assertion) into a human not_affected (§6), shared by the VEX and SARIF paths. warn_free_text nudges once per advisory toward a machine justification label.
check_drift
Diff a fresh projection against committed statements (§10):
committed_reachability_witnesses
The reachability not_affected statements (vulnerability, subcomponent) that vex verify re-derives. Phantom and human assertions are out of scope.
failed_reachability_witnesses
Witnesses that no longer hold against the fresh report: the advisory is still present but no longer a definite NotReachable. A disappeared advisory holds vacuously. Pure, so unit-tested without the reach-driver.
is_gating_severity
A gating-severity advisory is one we cannot prove is low-risk: High, Critical, or Unknown (fail-closed, consistent with the scan gate).
parse_committed_statements
One CommittedStatement per statement in the document; missing fields default to empty (surfaced as drift, never a panic).
projection_params
Minimal report::VexParams for report::project; the envelope fields (author/timestamp) are unused by projection.
resolve_product_id
Resolve a repo’s product @id (§4.3): explicit config, else the publishable-crate PURL, else product_id_base + id, else a urn: fallback.
resolve_product_ids
Resolve a product @id (§4.3) for every repo, keyed by repo id.