Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE Auditing With VEX #102

Open
wants to merge 11 commits into
base: master
Choose a base branch
from
Open

CVE Auditing With VEX #102

wants to merge 11 commits into from

Conversation

naibu3
Copy link

@naibu3 naibu3 commented Feb 27, 2025

VEX consumption in CVE audits

The aim of the project is to enhance CVE auditing accuracy using VEX profile.

Read rendered RFC.

@admd
Copy link
Contributor

admd commented Feb 28, 2025

@HoussemNasri I would appreciate if you could also take a look here.

CDellaGiusta
CDellaGiusta approved these changes Feb 28, 2025
View reviewed changes
accepted/0000-cve-auditing-with-vex.md

- **CSAF**, maintained by OASIS. Supports rich metadata, including product information, vulnerabilities, and remediation guidance.
- **CycloneDX**, is maintained by OWASP. Focuses on simplicity and interoperability. (Can be JSON or XML-based)
- **OpenVEX**, designed specifically for simplicity and ease of use. It is maintained by the OpenVEX community.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I strongly recommend CycloneDX, because as you said is maintained by OWASP.
I'd also suggest to check whether we could use a system like DependencyTracker (https://docs.dependencytrack.org/) to identify and reduce risk in the software supply chain.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi! The trouble here is that we're not generating new VEX files, but consuming those provided by vendors like SUSE. So we're limitated to the format they have chosen. For example SUSE provides VEX files in CSAF and OpenVEX formats.

rjmateus
rjmateus reviewed Feb 28, 2025
View reviewed changes
Copy link
Member

@rjmateus rjmateus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Juat two notes, otherwise looks good to me.

accepted/0000-cve-auditing-with-vex.md

### VEX Downloader

Retrieve VEX documents online. Is responsible finding, downloading and caching the files, like was done for OVAL [^2].
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would add a line saying that the data will be processed in stream, to avoid any memory issues.3

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rjmateus rjmateus rjmateus approved these changes

@CDellaGiusta CDellaGiusta CDellaGiusta approved these changes

@parlt91 parlt91 Awaiting requested review from parlt91

@szachovy szachovy Awaiting requested review from szachovy

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@naibu3 @admd @rjmateus @CDellaGiusta