Using VEX could be a good way to avoid some false positives during vulnerability checks.
But if it is used, direct and transitive dependencies should be managed correctly, which is generally not really done.
So maybe Maven tooling like the depcheck-maven-plugin should be used in addition.
For more details see:
(Not 100% sure this is a good move, but I am opening this issue to keep the idea in mind.)