-
Would it be possible, please, to cut a new tag release?
A lot of nice improvements were merged to main since v0.2.6 was released in Dec 2023 - https://github.com/openvex/vexctl/compare/v0.2.6...main.…
-
A pain point this group identified between Finder/Researchers and Maintainers is the lack of an easy, consistent way to share vuln. reports that capture enough information that makes them actionable o…
-
@deissnerk and I (and several of our respective coworkers) have been working through a number of scenarios in the last few months. There will be some PRs based on the outcome of this work, but I'…
-
## Description
Trivy is not using `encoding/gob`, so CVE-2024-34156 should not affect us. We should update our [VEX](https://github.com/aquasecurity/trivy/blob/main/.vex/trivy.openvex.json).
To en…
-
# What
There's an initiative from the Marketing Committee to gather up some standard info about Who/What/Where/When/Why/How on each of the new OpenSSF projects that have launched / are launching soon…
-
Open tasks for the Kubernetes Security Slam 2023
- [ ] Ensure SBOMs are generated by Kubernetes BOM (task 3) @SD-13
- [ ] Ensure SLSA Attestations are generated when possible (task 4) @shafeeqes …
SD-13 updated
5 months ago
-
Given a set of [VEX statements](https://github.com/openvex/spec/blob/main/OPENVEX-SPEC.md#the-vex-statement), which represents status assessments relative to a vulnerability matched with a product, it…
-
We're currently thinking about how to solve the following scenarios:
1. A product version is affected by a vulnerability and there's a mitigation or a workaround available for it. This would map to…
-
Hi
I am trying to ingest this sbom, https://raw.githubusercontent.com/CycloneDX/bom-examples/master/VEX/vex.json, which is an example from CycloneDX.
It identifies the format correctly, but duri…
-
Since v0.2.5, multiple products specified in the `--product` flag are not respected; only the last entry is included in the generated document.
Input:
```
./vexctl create \
--product="pkg:apk…
```