-
The structure currently lists only one `timestamp` in the VEX document and one in the VEX statement. However, the community paper lists a `first_issued` and `last_updated` for each. I'm a bit confused…
-
MVSR (Mission, Vision, Strategy, Roadmap)[1] is a tool that helps provide a consistent way of expressing our goals and efforts across the foundation. All working groups have been asked to express the…
-
It is clear that `pkg://my@1.2.3?arch=amd64` means just the `amd64` variation of package `my@1.2.3`, but what does `pkg://my@1.2.3` mean? Instinctively, no qualifiers means all possible variations o…
-
Currently, it's only possible to filter CVE IDs with `vexctl filter`. Are there any plans to support GHSA, too?
We ran into this issue with the latest kics image, and need to filter a GHSA ID `GHSA…
-
### What kind of request is this?
New feature
### What is your request or suggestion?
https://github.com/openvex/vexctl
https://github.com/openvex/spec
outputs fixed vulnerabilities as `fixed`
-
- [ ] https://github.com/chainguard-dev/vex
- [ ] https://github.com/openvex/vexctl
-
[StatementFromID](https://github.com/openvex/go-vex/blob/87f92e79ed7b0f78ee309be66782dd98d3086e93/pkg/vex/vex.go#L172-L181) function always returns the first statement. However, the [data inheritance …
-
The current [Minimum Requirements for VEX document](https://docs.google.com/document/d/1uZPzQUoeoaCTaEmd7nQDf4lCl5ctpsNANh0phNC7IL0/edit?usp=sharing) requires an "impact_statement" when justification …
-
https://github.com/openvex/spec
-
VEX is an emerging spec and tool set to ease the burden of determining vulnerability exploitation likelihood within components used during a build. OpenVEX is a community currently developing a spec,…