openvex / spec

OpenVEX Specification
Creative Commons Zero v1.0 Universal

Notifications of new VEX #9

Open johnandersen777 opened 1 year ago

johnandersen777 commented 1 year ago

Are there any docs on how it is envisioned downstreams can be notified of new VEX? Hoping we can see this eventing integrated into transparency log infra federation to enable automated evaluation on new vulns via recursive application of policy and context local transparency services (see ID security threats WG notes in linked SCITT PR).

puerco commented 1 year ago

Hey @pdxjohnny, we don't have any at the moment; this week we started discussing some of the discovery/delivery means for OpenVEX data in the community call. It is not yet online on the OpenSSF YouTube channel, but be sure to check it out when it's uploaded (community meeting of Jun 12th).

We are working on the tooling to publish OpenVEX data through repositories and OCI registries, but I'm sure the SIG would love to hear more ideas, please feel free to join and share your thoughts.

johnandersen777 commented 1 year ago

Awesome!! I appreciate you letting me know. Glad to hear others are going with OCI registries as well. https://oras.land tooling has been helpful.

johnandersen777 commented 1 year ago

Above linked PR mentions claims with payload as VEX for reference to in SCITT and leveraging federation to receive events of new VEX ^

From @charliehart https://mailarchive.ietf.org/arch/msg/scitt/aNCUl-1aRR5NXxajGHzfk4j6ak8/

The VEX document(s) are good candidates for SCITT especially for two key reasons:

  1. There is no restriction on who can generate one (same for SBOM BTW) and it is essential to understand whether the issuer is trustworthy and/or any kind of source of authority.
  2. A VEX, unlike an SBOM, can be issued at any time and in fact multiple VEXes and CSAFs will be the norm rather than exception.

But to facilitate this, there has to be a way to connect related VEXes and CSAFs (including with any applicable SBOMs, software attestations, and other similar data).

OpenVEX’s JSON-LD definition might be helpful for those connections.