Ability to summarize and alter VEX documents #637

Open
wagoodman opened this issue Feb 17, 2022 · 1 comment
Labels
enhancement New feature or request format:cyclonedx CycloneDX related enhancement or bug

Comments

@wagoodman
Contributor

As we start to introduce producing VEX documents #591, there are some input values which are manually curated (e.g. "affected" / "not affected", "justification", "response", etc). There are (at least) two opportunities here:

  1. Provide a way to summarize documents provided as input
  2. Provide a way to add or modify contents (such as indicate "not affected", add a justification, etc) without having the consumer resort to scripting
@wagoodman wagoodman added enhancement New feature or request format:cyclonedx CycloneDX related enhancement or bug labels Feb 17, 2022
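An added example, not code from this project or from the issue's authors, of the two operations proposed above applied to a CycloneDX 1.4 JSON VEX document: a summary of vulnerabilities by analysis state, and a helper that records a curated verdict (state, justification, detail) with the enumerations checked before they are written. The sample document, its package refs and its placeholder CVE ids are constructed for the example; requiring a justification whenever the state is `not_affected` is this helper's own rule.

```python
"""Summarize and amend the analysis blocks of a CycloneDX 1.4 JSON VEX document."""
import json
from collections import Counter

# Constructed sample: two vulnerabilities, one already triaged, one untouched.
SAMPLE_VEX = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "vulnerabilities": [
        {"id": "CVE-0000-0001",  # placeholder id, not a real CVE
         "affects": [{"ref": "pkg:golang/example.com/lib@1.0.0"}],
         "analysis": {"state": "exploitable", "response": ["update"]}},
        {"id": "CVE-0000-0002",  # placeholder id, not a real CVE
         "affects": [{"ref": "pkg:golang/example.com/other@2.3.1"}]},
    ],
})

# Enumerations from the CycloneDX 1.4 schema for vulnerabilities[].analysis.
VALID_STATES = {"resolved", "resolved_with_pedigree", "exploitable",
                "in_triage", "false_positive", "not_affected"}
VALID_JUSTIFICATIONS = {"code_not_present", "code_not_reachable", "requires_configuration",
                        "requires_dependency", "requires_environment", "protected_by_compiler",
                        "protected_at_runtime", "protected_at_perimeter",
                        "protected_by_mitigating_control"}

def load_vex(text):
    """Parse a CycloneDX JSON document (a dict is returned for in-place editing)."""
    return json.loads(text)

def summarize(vex):
    """Count vulnerabilities by analysis state; entries with no analysis count as 'unanalyzed'."""
    counts = Counter()
    for vuln in vex.get("vulnerabilities", []):
        counts[vuln.get("analysis", {}).get("state", "unanalyzed")] += 1
    return dict(counts)

def set_analysis(vex, vuln_id, state, justification=None, detail=None):
    """Set the analysis verdict of one vulnerability without scripting against raw JSON.
    Validates the state/justification enumerations and insists on a justification for
    not_affected (this helper's rule, since a bare not_affected is unverifiable)."""
    if state not in VALID_STATES:
        raise ValueError(f"unknown analysis state {state!r}")
    if justification is not None and justification not in VALID_JUSTIFICATIONS:
        raise ValueError(f"unknown justification {justification!r}")
    if state == "not_affected" and justification is None:
        raise ValueError("not_affected requires a justification")
    for vuln in vex.get("vulnerabilities", []):
        if vuln.get("id") == vuln_id:
            analysis = vuln.setdefault("analysis", {})
            analysis["state"] = state
            if justification is not None:
                analysis["justification"] = justification
            if detail is not None:
                analysis["detail"] = detail
            return vuln
    raise KeyError(f"no vulnerability with id {vuln_id!r}")
```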
@rjb4standards

FYI: The SPDX SBOM team is working on a V2.3 release that includes the ability for a software vendor to provide a link to a vulnerability report that is independently updated from the static SBOM. The SPDX proposal uses existing ExternalRef capabilities and supports any type of vulnerability report format, i.e.

CDX VEX:
ExternalRef: SECURITY Disclosure https://raw.githubusercontent.com/rjb4standards/REA-Products/master/CDXVEX/CDX14.xml

SBOM VDR:
ExternalRef: SECURITY Disclosure https://raw.githubusercontent.com/rjb4standards/REA-Products/master/SAGVulnDisclosureSAMPLE.xml

@spiffcs spiffcs added this to OSS Jun 1, 2022
@spiffcs spiffcs removed this from OSS Jun 1, 2022
@wagoodman wagoodman added this to OSS Feb 7, 2024