intel / cve-bin-tool

The CVE Binary Tool helps you determine if your system includes known vulnerabilities. You can scan binaries for over 200 common, vulnerable components (openssl, libpng, libxml2, expat and others), or if you know the components used, you can get a list of known vulnerabilities associated with an SBOM or a list of components and versions.
https://cve-bin-tool.readthedocs.io/en/latest/
GNU General Public License v3.0
1.19k stars 457 forks

docs: add info about supporting cpe in vex #4383

Closed terriko closed 1 month ago

terriko commented 1 month ago

Pinging @mastersans to make sure this is actually correct.

mastersans commented 1 month ago

@terriko looks good, but I think there might have been some misunderstanding. Currently the CPE is not used in the VEX, but it is probably a 1-2 line addition to bring that in, since we already have the `decode_cpe` function present.
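The comment above turns on decoding a CPE identifier into the vendor/product/version triple that a version-based scanner matches against. The following is an added example written for this page, not cve-bin-tool's own `decode_cpe` and not the project's code. The names `Cpe`, `parse_cpe` and `scannable_component` and the sample identifiers are assumptions made here; it goes slightly beyond the thread by accepting both the CPE 2.3 formatted-string form and the older CPE 2.2 URI form, and by refusing wildcard versions that cannot be matched against a CVE range.

```python
"""Decode CPE identifiers into the vendor/product/version triple a scanner matches on.

Added example for this page, not cve-bin-tool's own decode_cpe. It handles the
CPE 2.3 formatted-string form (cpe:2.3:...) and the CPE 2.2 URI form (cpe:/...),
including escaped colons inside a field and wildcard ("*" / "-") versions.
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote

CPE23_FIELD_COUNT = 13          # cpe, 2.3, part, vendor, product, version, + 7 more
VALID_PARTS = {"a", "o", "h"}   # application, operating system, hardware


@dataclass(frozen=True)
class Cpe:
    part: str
    vendor: str
    product: str
    version: Optional[str]      # None when the CPE does not pin a version ("*" or "-")


def _split_cpe23(fs: str) -> list[str]:
    """Split a 2.3 formatted string on ':' while leaving an escaped '\\:' inside a field intact."""
    fields, cur, i = [], [], 0
    while i < len(fs):
        if fs[i] == "\\" and i + 1 < len(fs):
            cur.append(fs[i:i + 2])     # keep the escape pair together for now
            i += 2
            continue
        if fs[i] == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(fs[i])
        i += 1
    fields.append("".join(cur))
    return fields


def _unescape23(raw: str) -> Optional[str]:
    """Turn a raw 2.3 field into its literal value; the logical wildcards become None."""
    if raw in ("*", "-"):                    # ANY / NA are not literal text
        return None
    return re.sub(r"\\(.)", r"\1", raw)      # "\:" -> ":", "\*" -> "*", and so on


def _parse_cpe23(cpe: str) -> Cpe:
    fields = _split_cpe23(cpe)
    if len(fields) != CPE23_FIELD_COUNT:
        raise ValueError(f"CPE 2.3 string must have {CPE23_FIELD_COUNT} fields: {cpe!r}")
    part, vendor, product, version = (_unescape23(f) for f in fields[2:6])
    if part not in VALID_PARTS or vendor is None or product is None:
        raise ValueError(f"CPE needs a concrete part, vendor and product: {cpe!r}")
    return Cpe(part, vendor, product, version)


def _parse_cpe22(cpe: str) -> Cpe:
    # cpe:/part:vendor:product[:version[:update[:edition[:language]]]], percent-encoded
    fields = cpe[len("cpe:/"):].split(":")
    if len(fields) < 3:
        raise ValueError(f"CPE 2.2 URI needs at least part, vendor and product: {cpe!r}")
    part, vendor, product = fields[0], unquote(fields[1]), unquote(fields[2])
    version = unquote(fields[3]) if len(fields) > 3 and fields[3] else None
    if part not in VALID_PARTS or not vendor or not product:
        raise ValueError(f"CPE needs a concrete part, vendor and product: {cpe!r}")
    return Cpe(part, vendor, product, version)


def parse_cpe(cpe: str) -> Cpe:
    """Dispatch on the CPE syntax; anything else is rejected rather than guessed at."""
    cpe = cpe.strip()
    if cpe.startswith("cpe:2.3:"):
        return _parse_cpe23(cpe)
    if cpe.startswith("cpe:/"):
        return _parse_cpe22(cpe)
    raise ValueError(f"unrecognised CPE form: {cpe!r}")


def scannable_component(cpe: str) -> tuple[str, str, str]:
    """(vendor, product, version) for version matching. A wildcard version is refused:
    "any version" cannot be compared against a version-specific CVE range."""
    c = parse_cpe(cpe)
    if c.version is None:
        raise ValueError(f"{cpe!r} does not pin a version; cannot match CVE ranges")
    return c.vendor, c.product, c.version


if __name__ == "__main__":
    # constructed sample identifiers, not taken from any real SBOM or VEX document
    for s in ["cpe:2.3:a:openssl:openssl:1.1.1k:*:*:*:*:*:*:*",
              "cpe:2.3:a:acme\\:corp:libxml2:2.9.10:*:*:*:*:*:*:*",
              "cpe:/a:expat:expat:2.2.9",
              "cpe:2.3:a:libpng:libpng:*:*:*:*:*:*:*:*"]:
        try:
            print(s, "->", scannable_component(s))
        except ValueError as e:
            print(s, "-> skipped:", e)
```

The point a VEX or SBOM consumer has to get right is the last function: a CPE that carries `*` in the version field identifies a product, not a build, so it can be recorded but must not be silently treated as a match (or a non-match) for a version-bounded CVE.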

mastersans commented 1 month ago

Also, now that I look at the original PR, the support for CPE is in the SBOM parser rather than VEX. I need to look into whether we can support CPE for VEX, and where the identifier should go and be scanned from.

terriko commented 1 month ago

So it sounds like this documentation attempt as written is not true and should not be merged, but we should update the SBOM docs instead? I'll leave this open so I don't forget, but close it once I've got attempt number 2 going.

terriko commented 1 month ago

Closing because I'm moving this to "future" so I can think about what needs writing better.