Support embedded CycloneDX VEX documents

[asadjaffar]

Hi everyone, I recently uploaded a sbom and then scanned it but when i scanned with VEX it gives an error which is this:

without vex flag

asad@asad-Lenovo-V330-15IKB:~/Downloads/wwe$ grype sbom:0vo0efli.cdx.json 
 ✔ Vulnerability DB                [no update available]  
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]  
   ├── by severity: 0 critical, 0 high, 1 medium, 0 low, 0 negligible
   └── by status:   1 fixed, 0 not-fixed, 0 ignored 
[0000]  WARN attempted CPE search on OWASP Dependency-Track, which has no CPEs. Consider re-running with --add-cpes-if-none
NAME    INSTALLED  FIXED-IN  TYPE          VULNERABILITY        SEVERITY 
lucene  8.11.4     9.12.0    java-archive  GHSA-g643-xq6w-r67c  Medium

with vex flag

asad@asad-Lenovo-V330-15IKB:~/Downloads/wwe$ grype sbom:0vo0efli.cdx.json --vex 0vo0efli.cdx.json 
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]  
   ├── by severity: 0 critical, 0 high, 1 medium, 0 low, 0 negligible
   └── by status:   1 fixed, 0 not-fixed, 0 ignored 
[0000]  WARN attempted CPE search on OWASP Dependency-Track, which has no CPEs. Consider re-running with --add-cpes-if-none
[0000] ERROR unable to find matches against VEX sources: unable to find matches against VEX documents: parsing vex document: merging vex documents: opening 0vo0efli.cdx.json: unable to detect document format reading 0vo0efli.cdx.json

THE SBOM FILE IS ATTACHED, any reason for this?

0vo0efli.cdx.json

[wagoodman]

It seems that you passed in a cyclonedx SBOM in as the vex document, however, we only support openvex at this time. We plan on adding more vex implementation support in the future. I'll change the title so that this is oriented around a feature request to support embedded vex documents for cyclonedx.

[asadjaffar]

Hi, thank you. I apologize for the misunderstanding on my side, and I really appreciate the clarification.