openvex / spec

OpenVEX Specification
Creative Commons Zero v1.0 Universal

Version ranges in product_id/subcomponent_id #26

Open knqyf263 opened 1 year ago

knqyf263 commented 1 year ago

Is there any way to specify the version range in product_id and subcomponent_id?

The minimum requirements for VEX denote as below:

[product_id] and [subcomponent_id] MAY specify sets of products or components, for example:
● Every product or component owned by a supplier
● A product family or product line
● Version ranges
● A specific branch

It makes sense to use version ranges. Otherwise, VEX documents must be updated every time the product or subcomponent version changes.

And the OpenVEX spec recommends PURLs.

The use of Package URLs (purls) is recommended.

"Any versions" probably can be described by omitting the version since the version is optional in PURL. e.g. pkg:maven/org.apache.xmlgraphics/batik-anim

How about version ranges? I may be missing something.

puerco commented 1 year ago

Since we are favoring the use of purls across the spec, I think we should recognize and implement in our libraries the purl vers: ranges specification. It has not merged yet, but it seems to have been frozen for a couple of years now and it is already baked into the CycloneDX 1.4 spec. My only worry here is that we would be producing purls that may not be universally recognized. Thoughts?

michael-j-oconnor commented 4 months ago

I'm looking for an OpenVEX-compliant way to list a CVE/vulnerability in a VEX report twice, once for a version of the product that is impacted, and once for a newer version of the same product that is Fixed. I want to show, in a single VEX report, that one version of our product is impacted and the next version is fixed.

Will the version ranges discussed here be able to address this use case?

shanu-26 commented 3 months ago

Adding on to the question above. For some CVE, if we have information on both the impacted and the fixed version, can we specify this in the 'action_statement' field under statements? Something like "Fixed in version x.y"? Reference to OpenVEX Specification.
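The vers: ranges puerco points at, and the affected-then-fixed pairing michael-j-oconnor and shanu-26 ask about, worked through as an added example (Python written for this page, not code from openvex/spec or its libraries). It assumes that version ordering is a simplified dotted-integer comparison rather than any ecosystem's real rules, that a range is carried in a hypothetical `vers` purl qualifier standing in for whatever syntax the unmerged purl-spec proposal settles on, and that the CVE id, package name, author and URL in the sample document are constructed.

```python
"""Added example (not from openvex/spec or its libraries): match a statement's
product purl (versioned, version-less or ranged) against a concrete purl with
vers: semantics, and put an affected/fixed pair for one vulnerability into a
single OpenVEX document. Assumptions: simplified dotted-integer version
ordering; a range travels in a hypothetical 'vers' purl qualifier."""
from urllib.parse import unquote

COMPARATORS = (">=", "<=", "!=", ">", "<", "=")
_part = lambda p: (0, int(p)) if p.isdigit() else (1, p)  # ints never meet strs

def version_key(v):
    """Leading 'v' and '+build' dropped, trailing .0 ignored (1.0 == 1.0.0),
    '-pre' tags sort before their release. Not ecosystem-accurate ordering."""
    release, _, pre = v.lstrip("v").split("+", 1)[0].partition("-")
    nums = [_part(p) for p in release.split(".")]
    while nums and nums[-1] == (0, 0):
        nums.pop()
    return tuple(nums), ((1,) if not pre else (0,) + tuple(map(_part, pre.split("."))))

def parse_vers(vers):
    """'vers:<scheme>/<c1>|<c2>...' -> (scheme, [(op, version)]); bare = '='."""
    scheme, _, body = vers[5:].partition("/")
    if not vers.startswith("vers:") or not scheme or not body:
        raise ValueError("malformed vers range: %r" % vers)
    if body == "*":
        return scheme, [("*", None)]
    out = []
    for raw in body.split("|"):
        op = next((c for c in COMPARATORS if raw.startswith(c)), None)
        out.append((op, raw[len(op):]) if op else ("=", raw))
    return scheme, out

def version_in_range(version, vers):
    """'='/'!=' decide first; the remaining sorted bounds alternate lower/upper."""
    _, constraints = parse_vers(vers)
    if constraints[0][0] == "*":
        return True
    key = version_key(version)
    for op, cv in constraints:
        if op in ("=", "!=") and version_key(cv) == key:
            return op == "="
    bounds = sorted((version_key(cv), op) for op, cv in constraints if op not in ("=", "!="))
    if not bounds:
        return False
    inside = bounds[0][1] in ("<", "<=")  # range open-ended below the first bound?
    for bkey, op in bounds:
        if key < bkey:
            return inside
        if key == bkey:
            return op in (">=", "<=")
        inside = not inside
    return inside

def split_purl(purl):
    """-> (type/namespace/name, version or None, {qualifier: decoded value})."""
    base, _, qs = purl.split("#", 1)[0].partition("?")
    quals = {k: unquote(v) for k, _, v in (kv.partition("=") for kv in qs.split("&")) if k}
    name, at, version = base.rpartition("@")
    return (name, version, quals) if at else (base, None, quals)

def product_matches(statement_id, candidate):
    """No version on the statement side = every version; an exact version must
    match; a 'vers' qualifier (assumed convention) is checked as a range."""
    s_name, s_ver, s_quals = split_purl(statement_id)
    c_name, c_ver, _ = split_purl(candidate)
    if s_name != c_name:
        return False
    if "vers" in s_quals:
        return c_ver is not None and version_in_range(c_ver, s_quals["vers"])
    if s_ver is None:
        return True
    return c_ver is not None and version_key(c_ver) == version_key(s_ver)

def statement(vuln, product_id, status, **extra):
    """One OpenVEX statement; the spec requires action_statement when affected."""
    if status == "affected" and "action_statement" not in extra:
        raise ValueError("affected statements need an action_statement")
    return {"vulnerability": {"name": vuln}, "products": [{"@id": product_id}],
            "status": status, **extra}

# Constructed sample: one vulnerability, two statements (affected for 1.2.3,
# fixed for 1.2.4); the CVE id, purl, author and URL are made up.
DOC = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.com/vex/example-0001",
    "author": "Example Vendor Security Team",
    "timestamp": "2024-01-02T03:04:05Z",
    "version": 1,
    "statements": [
        statement("CVE-2099-0001", "pkg:npm/example-widget@1.2.3", "affected",
                  action_statement="Upgrade to example-widget 1.2.4 or later"),
        statement("CVE-2099-0001", "pkg:npm/example-widget@1.2.4", "fixed"),
    ],
}

def status_for(doc, vuln, purl):
    """(status, statement) of the first statement covering purl for vuln."""
    for st in doc["statements"]:
        if st["vulnerability"]["name"] == vuln and any(
                product_matches(p["@id"], purl) for p in st["products"]):
            return st["status"], st
    return None, None
```

The two-statement document is what the current spec already supports for the affected/fixed case: one statement per exact-version product purl, same vulnerability, different status, with the upgrade instruction in action_statement on the affected statement (the spec requires action_statement there) and the fixed version as its own statement. A version-less purl covers every version, so pairing it with a separate fixed statement for one version would contradict itself; that is why the affected statement names the exact version, and why a range on the affected side is the thing this thread is missing.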