Open another-rex opened 1 year ago
At Chainguard we are starting to run tests issuing VEX for Wolfi, our Linux distro. We are generating documents in a simplified VEX format which we also embed in in-toto attestations. We are proposing this format to the VEX working group and have been trying to capture the latest data model.
Here is the VEX structure and type we are using: https://github.com/chainguard-dev/vex/blob/main/pkg/vex/vex.go
We would love to collaborate and learn more about your VEX use case!
Hey @puerco! Thanks for reaching out!
The use case we have in mind right now is just generating VEX statements from:
If possible we'd certainly like to re-use an existing VEX structure for this. Very happy to chat more here about this or other potential areas of collaboration!
CC @lumjjb
Automatically generate VEX statements based on call graph analysis or ignored vulnerabilities set in the scanner config.