anchore · wagoodman · Oct 6, 2025 · Jul 19, 2025 · Oct 6, 2025
diff --git a/grype/vex/openvex/implementation.go b/grype/vex/openvex/implementation.go
@@ -71,6 +71,18 @@ func productIdentifiersFromContext(pkgContext *pkg.Context) ([]string, error) {
 	}
 }
 
+// productIdentifierFromVEX reads the VEX documents and returns software
+// identifiers listed in the statements.
+func productIdentifierFromVEX(doc *openvex.VEX) []string {
+	var products []string
+	for _, stmt := range doc.Statements {
+		for _, product := range stmt.Products {
+			products = append(products, product.ID)
+		}
+	}
+	return products
+}
+
 func identifiersFromTags(tags []string, name string) []string {
 	identifiers := []string{}
 
@@ -164,11 +176,18 @@ func (ovm *Processor) FilterMatches(
 
 	remainingMatches := match.NewMatches()
 
+	// this works only when grype uses the SBOM syft format
 	products, err := productIdentifiersFromContext(pkgContext)
 	if err != nil {
 		return nil, nil, fmt.Errorf("reading product identifiers from context: %w", err)
 	}
 
+	// if the previous method didn't work to find products,
+	// we get them from the VEX document.
+	if len(products) == 0 {
+		products = productIdentifierFromVEX(doc)
+	}
+
 	// TODO(alex): should we apply the vex ignore rules to the already ignored matches?
 	// that way the end user sees all of the reasons a match was ignored in case multiple apply
 

diff --git a/grype/vex/openvex/implementation_test.go b/grype/vex/openvex/implementation_test.go
@@ -3,7 +3,13 @@ package openvex
 import (
 	"testing"
 
+	openvex "github.com/openvex/go-vex/pkg/vex"
 	"github.com/stretchr/testify/require"
+
+	"github.com/anchore/grype/grype/match"
+	"github.com/anchore/grype/grype/pkg"
+	"github.com/anchore/grype/grype/vulnerability"
+	"github.com/anchore/syft/syft/source"
 )
 
 func TestIdentifiersFromTags(t *testing.T) {
@@ -58,3 +64,191 @@ func TestIdentifiersFromDigests(t *testing.T) {
 		require.Equal(t, tc.expected, res)
 	}
 }
+
+func TestProductIdentifierFromVEX(t *testing.T) {
+	tests := []struct {
+		name     string
+		doc      *openvex.VEX
+		expected []string
+	}{
+		{
+			name: "single product in statement",
+			doc: &openvex.VEX{
+				Statements: []openvex.Statement{
+					{
+						Products: []openvex.Product{
+							{Component: openvex.Component{ID: "pkg:oci/alpine@sha256:abc123"}},
+						},
+					},
+				},
+			},
+			expected: []string{"pkg:oci/alpine@sha256:abc123"},
+		},
+		{
+			name: "multiple products in single statement",
+			doc: &openvex.VEX{
+				Statements: []openvex.Statement{
+					{
+						Products: []openvex.Product{
+							{Component: openvex.Component{ID: "pkg:oci/alpine@sha256:abc123"}},
+							{Component: openvex.Component{ID: "pkg:oci/ubuntu@sha256:def456"}},
+						},
+					},
+				},
+			},
+			expected: []string{"pkg:oci/alpine@sha256:abc123", "pkg:oci/ubuntu@sha256:def456"},
+		},
+		{
+			name: "multiple statements with products",
+			doc: &openvex.VEX{
+				Statements: []openvex.Statement{
+					{
+						Products: []openvex.Product{
+							{Component: openvex.Component{ID: "pkg:oci/alpine@sha256:abc123"}},
+						},
+					},
+					{
+						Products: []openvex.Product{
+							{Component: openvex.Component{ID: "pkg:oci/ubuntu@sha256:def456"}},
+						},
+					},
+				},
+			},
+			expected: []string{"pkg:oci/alpine@sha256:abc123", "pkg:oci/ubuntu@sha256:def456"},
+		},
+		{
+			name: "empty statements",
+			doc: &openvex.VEX{
+				Statements: []openvex.Statement{},
+			},
+			expected: nil,
+		},
+		{
+			name: "statement with no products",
+			doc: &openvex.VEX{
+				Statements: []openvex.Statement{
+					{
+						Products: []openvex.Product{},
+					},
+				},
+			},
+			expected: nil,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := productIdentifierFromVEX(tt.doc)
+			require.Equal(t, tt.expected, result)
+		})
+	}
+}
+
+func TestFilterMatches_FallbackToVEXProducts(t *testing.T) {
+	tests := []struct {
+		name        string
+		pkgContext  *pkg.Context
+		vexDoc      *openvex.VEX
+		matches     *match.Matches
+		ignoreRules []match.IgnoreRule
+		wantErr     require.ErrorAssertionFunc
+	}{
+		{
+			name: "no error when context has empty products and VEX document has products",
+			// when context returns empty products, the code should fall back to VEX products without error
+			pkgContext: &pkg.Context{
+				Source: &source.Description{
+					Name: "alpine",
+					Metadata: source.ImageMetadata{
+						Tags:        []string{},
+						RepoDigests: []string{},
+					},
+				},
+			},
+			vexDoc: &openvex.VEX{
+				Statements: []openvex.Statement{
+					{
+						Vulnerability: openvex.Vulnerability{Name: "CVE-2024-1234"},
+						Products: []openvex.Product{
+							{Component: openvex.Component{ID: "pkg:oci/alpine@sha256:abc123"}},
+						},
+						Status: openvex.StatusNotAffected,
+					},
+				},
+			},
+			matches: func() *match.Matches {
+				m := match.NewMatches()
+				m.Add(match.Match{
+					Vulnerability: vulnerability.Vulnerability{
+						Reference: vulnerability.Reference{
+							ID: "CVE-2024-1234",
+						},
+					},
+					Package: pkg.Package{
+						PURL: "pkg:npm/[email protected]",
+					},
+				})
+				return &m
+			}(),
+			ignoreRules: []match.IgnoreRule{
+				{VexStatus: string(openvex.StatusNotAffected)},
+			},
+		},
+		{
+			name: "no error when VEX document has multiple products",
+			pkgContext: &pkg.Context{
+				Source: &source.Description{
+					Name: "ubuntu",
+					Metadata: source.ImageMetadata{
+						Tags:        []string{},
+						RepoDigests: []string{},
+					},
+				},
+			},
+			vexDoc: &openvex.VEX{
+				Statements: []openvex.Statement{
+					{
+						Vulnerability: openvex.Vulnerability{Name: "CVE-2024-5678"},
+						Products: []openvex.Product{
+							{Component: openvex.Component{ID: "pkg:oci/ubuntu@sha256:def456"}},
+							{Component: openvex.Component{ID: "pkg:oci/debian@sha256:abc789"}},
+						},
+						Status: openvex.StatusFixed,
+					},
+				},
+			},
+			matches: func() *match.Matches {
+				m := match.NewMatches()
+				return &m
+			}(),
+			ignoreRules: []match.IgnoreRule{
+				{VexStatus: string(openvex.StatusFixed)},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.wantErr == nil {
+				tt.wantErr = require.NoError
+			}
+
+			processor := New()
+			remainingMatches, _, err := processor.FilterMatches(
+				tt.vexDoc,
+				tt.ignoreRules,
+				tt.pkgContext,
+				tt.matches,
+				nil,
+			)
+			tt.wantErr(t, err)
+
+			if err != nil {
+				return
+			}
+
+			// basic sanity checks - we're mainly testing that the fallback doesn't cause errors
+			require.NotNil(t, remainingMatches)
+		})
+	}
+}