diff --git a/cmd/govulncheck/doc.go b/cmd/govulncheck/doc.go
index dbfb957..c3c4744 100644
--- a/cmd/govulncheck/doc.go
+++ b/cmd/govulncheck/doc.go
@@ -67,12 +67,16 @@ Govulncheck also supports Static Analysis Results Interchange Format (SARIF) out
 format, following the specification at
 https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=sarif.
 For more details, please see [golang.org/x/vuln/internal/sarif].
+Govulncheck supports the Vulnerability EXchange (VEX) output format, following
+the specification at https://github.com/openvex/spec.
+For more details, please see [golang.org/x/vuln/internal/openvex].
+
 # Exit codes
 Govulncheck exits successfully (exit code 0) if there are no vulnerabilities, and exits unsuccessfully if there are. It also exits successfully if the
-'format -json' ('-json') or '-format sarif' is provided, regardless of the number
-of detected vulnerabilities.
+'format -json' ('-json'), '-format sarif', or '-format openvex' is provided,
+regardless of the number of detected vulnerabilities.
 # Limitations
diff --git a/cmd/govulncheck/testdata/common/testfiles/usage/usage.ct b/cmd/govulncheck/testdata/common/testfiles/usage/usage.ct
index 7d5a143..ff2c2ae 100644
--- a/cmd/govulncheck/testdata/common/testfiles/usage/usage.ct
+++ b/cmd/govulncheck/testdata/common/testfiles/usage/usage.ct
@@ -14,7 +14,7 @@ Usage:
 vulnerability database url (default "https://vuln.go.dev")
 -format value
 specify format output
- The supported values are 'text', 'json', and 'sarif' (default 'text')
+ The supported values are 'text', 'json', 'sarif', and 'openvex' (default 'text')
 -json
 output JSON (Go compatible legacy flag, see format flag)
 -mode value
diff --git a/internal/openvex/vex.go b/internal/openvex/vex.go
index 2e30e58..e60ce75 100644
--- a/internal/openvex/vex.go
+++ b/internal/openvex/vex.go
@@ -7,6 +7,9 @@
 //
 // These types match the OpenVEX standard. See https://github.com/openvex for
 // more information on VEX and OpenVEX.
+//
+// This is intended to be the minimimal amount of information required to output
+// a complete VEX document according to the specification.
 package openvex
 import "time"
diff --git a/internal/scan/flags.go b/internal/scan/flags.go
index 0f3c677..5512540 100644
--- a/internal/scan/flags.go
+++ b/internal/scan/flags.go
@@ -42,7 +42,7 @@ func parseFlags(cfg *config, stderr io.Writer, args []string) error {
 flags.Var(&modeFlag, "mode", "supports 'source', 'binary', and 'extract' (default 'source')")
 flags.Var(&cfg.tags, "tags", "comma-separated `list` of build tags")
 flags.Var(&cfg.show, "show", "enable display of additional information specified by the comma separated `list`\nThe supported values are 'traces','color', 'version', and 'verbose'")
- flags.Var(&cfg.format, "format", "specify format output\nThe supported values are 'text', 'json', and 'sarif' (default 'text')")
+ flags.Var(&cfg.format, "format", "specify format output\nThe supported values are 'text', 'json', 'sarif', and 'openvex' (default 'text')")
 flags.BoolVar(&version, "version", false, "print the version information")
 flags.Var(&scanFlag, "scan", "set the scanning level desired, one of 'module', 'package', or 'symbol' (default 'symbol')")
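Review bot: The second added comment line in internal/openvex/vex.go misspells "minimal" as "minimimal"; it should read `// This is intended to be the minimal amount of information required to output`. This is part of the package doc comment, so the typo is rendered by godoc and pkg.go.dev for every reader of the package. The hunk is comment-only; the type declarations it describes sit outside the hunk.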
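Review bot: The list of accepted values on the changed `flags.Var(&cfg.format, "format", ...)` line in internal/scan/flags.go is maintained by hand in three places in this commit — this help string, the usage.ct golden file, and the package doc in cmd/govulncheck/doc.go — so the next format added will have to be remembered in all of them, and the help text can silently disagree with what the flag's `Set` method actually accepts. Consider building the help string from the same slice of names the format value validates against, e.g. `"specify format output\nThe supported values are "+supportedFormats+" (default 'text')"` (where `supportedFormats` is a constructed name for that shared list), so help, validation and the golden test cannot drift. The `Set` implementation for the format flag is not in the hunk, so whether it already accepts "openvex" cannot be confirmed from here; parseFlags starts and ends outside the hunk.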