-
Docker builds are storing SBOMs and Attestations in an image manifest as described here in [OCI spec](https://github.com/opencontainers/image-spec/blob/main/manifest.md). I wonder if we can store the …
-
Not a specific knock on logrus, but I only found 3 log lines using logrus in this library. Can we cut this third-party import and use a standard library option?
```
$ grep logrus -r ./*
./go.mod: g…
```
-
I'm not fluent in Go, so I could be missing something, but as I was trying to use the example in the README I noticed it doesn't seem to compile.
For example, `VEX.Vulnerability` is a struct, not a…
-
The recent [v0.2.0 release](https://github.com/openvex/spec/releases/tag/v0.2.0) introduced new enhancements to the spec, but while some examples were updated in [the original PR](https://github.com/o…
-
**Is your feature request related to a problem? Please describe.**
The initial support for ingesting CSAF uses an unreleased version of go-vex. A released version of go-vex with CSAF support should b…
lulf updated 10 months ago
-
This is a subjective thing, but I'll present the idea anyway. I think it might make sense to rename `csaf.CSAF` to `csaf.Document` to avoid repetition. This type "stuttering" is _sometimes_ considered…
-
# OPEV #0014: Expansion of the VEX Product Field
## 🖊️ Enhancement Overview
Six months after the introduction of OpenVEX, the initial integrations and
community feedback on the initial spe…
-
Preface: Over the past few years large strides have been made in moving OSS software artifact provenance tooling forward. OpenVEX is a continuation of that effort, and we need to make sure that steps …
-
Thanks so much for producing and maintaining this excellent tool!
**Summary**
When running in build systems, it would be convenient to generate a report to output the UI as well as save a re…
-
### What kind of request is this?
New feature
### What is your request or suggestion?
Output a report that includes which components got patched for what CVEs