guacsec / guac

GUAC aggregates software security metadata into a high fidelity graph database.
https://guac.sh
Apache License 2.0

[feature] Including OpenVEX #1224

Closed nathannaveen closed 11 months ago

nathannaveen commented 1 year ago

What is VEX?

https://www.cisa.gov/resources-tools/resources/minimum-requirements-vulnerability-exploitability-exchange-vex

VEX, which stands for Vulnerability Exploitability Exchange, is a standard created by the Cybersecurity and Infrastructure Security Agency (CISA). VEX helps with organizing and sharing information about vulnerabilities and exploits. The primary purpose of VEX is to improve decision-making and strategies for dealing with vulnerabilities by enabling the exchange of important vulnerability information in a structured manner.

What is OpenVEX?

https://github.com/openvex

OpenVEX is an implementation of VEX that helps share information about vulnerabilities and exploits. It uses minimal JSON-LD files to capture the essential details about vulnerabilities in a structured way. OpenVEX aims to make it easier for software suppliers and consumers to exchange information about vulnerabilities and focus on the most critical ones.

An example of an OpenVEX document looks like:

https://github.com/openvex/spec#what-does-an-openvex-document-look-like

{
  "@context": "https://openvex.dev/ns",
  "@id": "https://openvex.dev/docs/example/vex-9fb3463de1b57",
  "author": "Wolfi J Inkinson",
  "role": "Document Creator",
  "timestamp": "2023-01-08T18:02:03.647787998-06:00",
  "version": "1",
  "statements": [
    {
      "vulnerability": "CVE-2014-123456",
      "products": [
        "pkg:apk/distro/git@2.39.0-r1?arch=armv7",
        "pkg:apk/distro/git@2.39.0-r1?arch=x86_64"
      ],
      "status": "fixed"
    }
  ]
}

How is OpenVEX different from CSAF?

https://github.com/oasis-tcs/csaf

While OpenVEX and CSAF both serve the purpose of communicating vulnerability information, they have some differences.

OpenVEX focuses explicitly on implementing the VEX standard and providing tools for working with vulnerability information in the VEX format. It aims to be simple, compliant, and interoperable, capturing the essential requirements for VEX. OpenVEX helps eliminate unnecessary data and clearly represents vulnerability details, allowing effective communication between suppliers and consumers. It helps users focus on critical vulnerabilities and make informed decisions about vulnerability management and mitigation strategies.

On the other hand, CSAF is a broader cybersecurity standard developed by the Organization for the Advancement of Structured Information Standards (OASIS). Unlike OpenVEX, CSAF encompasses a comprehensive framework for representing security advisories, covering various aspects beyond vulnerability information.

While both OpenVEX and CSAF are used for communicating vulnerability information, OpenVEX focuses specifically on implementing the VEX specification and providing minimal, compliant, and interoperable tools for working with vulnerability data.

How to Implement

To implement OpenVEX, we will need to include a guesser, a parser, and a processor for OpenVEX.

Implementing OpenVEX will be similar to GUAC's CSAF implementation.

Note that OpenVEX isn't a tree data structure, unlike CSAF.
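The guesser/parser/processor split proposed above, sketched as an added Go example. This is not GUAC's or the OpenVEX project's code: the `Document`, `Statement` and `VexEdge` types and the three function names are hypothetical, only the standard library is used, and `SampleDoc` is the spec example quoted in this issue with one constructed `not_affected` statement appended so the justification check has something to reject or accept.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// openVEXContext is the JSON-LD @context every OpenVEX document carries; the guesser keys on it.
const openVEXContext = "https://openvex.dev/ns"

// Document and Statement cover only the OpenVEX fields this example needs (hypothetical types).
type Document struct {
	Context    string      `json:"@context"`
	ID         string      `json:"@id"`
	Statements []Statement `json:"statements"`
}

type Statement struct {
	Vulnerability   string   `json:"vulnerability"`
	Products        []string `json:"products"`
	Status          string   `json:"status"`
	Justification   string   `json:"justification,omitempty"`
	ImpactStatement string   `json:"impact_statement,omitempty"`
}

// The four status values defined by the VEX minimum requirements and the OpenVEX spec.
var validStatus = map[string]bool{
	"not_affected": true, "affected": true, "fixed": true, "under_investigation": true,
}

// GuessOpenVEX decides whether a blob is OpenVEX without decoding all of it: CSAF VEX
// (or any other JSON) does not carry the OpenVEX @context, so this is cheap and specific.
func GuessOpenVEX(blob []byte) bool {
	var probe struct{ Context string `json:"@context"` }
	if err := json.Unmarshal(blob, &probe); err != nil {
		return false
	}
	return probe.Context == openVEXContext
}

// ParseOpenVEX decodes the document and rejects what a processor must not trust: unknown
// statuses, empty product lists, and not_affected claims with no justification or impact statement.
func ParseOpenVEX(blob []byte) (*Document, error) {
	var doc Document
	if err := json.Unmarshal(blob, &doc); err != nil {
		return nil, fmt.Errorf("openvex: invalid JSON: %w", err)
	}
	if doc.Context != openVEXContext {
		return nil, fmt.Errorf("openvex: wrong or missing @context %q", doc.Context)
	}
	for i, s := range doc.Statements {
		switch {
		case s.Vulnerability == "":
			return nil, fmt.Errorf("openvex: statement %d names no vulnerability", i)
		case len(s.Products) == 0:
			return nil, fmt.Errorf("openvex: statement %d lists no products", i)
		case !validStatus[s.Status]:
			return nil, fmt.Errorf("openvex: statement %d has unknown status %q", i, s.Status)
		case s.Status == "not_affected" && s.Justification == "" && s.ImpactStatement == "":
			return nil, fmt.Errorf("openvex: statement %d is not_affected with no justification", i)
		}
	}
	return &doc, nil
}

// VexEdge is one flat (vulnerability, product, status) fact for a graph store to ingest.
type VexEdge struct {
	Vulnerability, Product, Status string
}

// ProcessOpenVEX fans each statement out into one edge per product. OpenVEX is already
// flat, so there is no product tree to walk as there is with CSAF.
func ProcessOpenVEX(doc *Document) []VexEdge {
	var edges []VexEdge
	for _, s := range doc.Statements {
		for _, p := range s.Products {
			edges = append(edges, VexEdge{s.Vulnerability, p, s.Status})
		}
	}
	return edges
}

// SampleDoc is the spec example from the issue plus one constructed not_affected statement.
const SampleDoc = `{
  "@context": "https://openvex.dev/ns",
  "@id": "https://openvex.dev/docs/example/vex-9fb3463de1b57",
  "author": "Wolfi J Inkinson", "role": "Document Creator",
  "timestamp": "2023-01-08T18:02:03.647787998-06:00", "version": "1",
  "statements": [
    {"vulnerability": "CVE-2014-123456",
     "products": ["pkg:apk/distro/git@2.39.0-r1?arch=armv7", "pkg:apk/distro/git@2.39.0-r1?arch=x86_64"],
     "status": "fixed"},
    {"vulnerability": "CVE-2014-654321",
     "products": ["pkg:apk/distro/git@2.39.0-r1?arch=x86_64"],
     "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"}
  ]
}`

func main() {
	blob := []byte(SampleDoc)
	doc, err := ParseOpenVEX(blob)
	if !GuessOpenVEX(blob) || err != nil {
		fmt.Println("rejected:", err)
		return
	}
	for _, e := range ProcessOpenVEX(doc) {
		fmt.Printf("%s  %s  %s\n", e.Vulnerability, e.Product, e.Status)
	}
}
```

The guesser keys on `@context` rather than a file name or extension because that is the one field every OpenVEX document must carry and CSAF never does. The parser is strict about `not_affected` on purpose: that is the status a consumer acts on by suppressing a finding, so a document that asserts it without a justification or impact statement should be refused rather than silently ingested.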

nathannaveen commented 1 year ago

👀 @pxp928

pxp928 commented 1 year ago

Looks good! Thanks @nathannaveen