When a project generates a VEX feed for vulnerabilities that are not exploitable, SECURITY_INSIGHTS.yml is an ideal place to capture this information. The current workaround is to add the VEX statement information under "security-artifacts" > "other-artifacts".
Having VEX as an explicit property would make it a deterministic field for policy engines to pick up and act on during software ingestion, and for scanners to use to reduce false positives.
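The following is an added example, not code from the Security Insights project, showing why the workaround is harder for a consumer than an explicit property. It models a policy engine reading a parsed SECURITY_INSIGHTS.yml: with VEX hidden under "other-artifacts" the engine has to guess from the free-text artifact name, whereas a dedicated property can be read deterministically. The entry field names under other-artifacts (`artifact-name`, `artifact-created`, `evidence-url`, `comment`) follow the v1 schema as the author of this example understands it; the `vex` / `vex-created` property is hypothetical and not part of the spec, and both documents and their URLs are constructed for the example.

```python
"""Workaround versus explicit-property consumption of VEX in SECURITY_INSIGHTS.yml.

Added example; not part of the Security Insights spec or tooling.
`vex` / `vex-created` is a hypothetical property used only to illustrate the
proposal.  All documents below are constructed for the example.
"""
from typing import Any

# Parsed form of a constructed SECURITY_INSIGHTS.yml using the workaround,
# equivalent to:
#
#   security-artifacts:
#     other-artifacts:
#       - artifact-name: OpenVEX feed
#         artifact-created: true
#         evidence-url:
#           - https://example.invalid/vex/feed.json
#         comment: Exploitability statements for scanner findings
#       - artifact-name: Exploitability statements
#         artifact-created: true
#         evidence-url:
#           - https://example.invalid/vex/statements.json
#         comment: Also VEX, but the name does not say so
WORKAROUND_DOC: dict[str, Any] = {
    "security-artifacts": {
        "other-artifacts": [
            {
                "artifact-name": "OpenVEX feed",
                "artifact-created": True,
                "evidence-url": ["https://example.invalid/vex/feed.json"],
                "comment": "Exploitability statements for scanner findings",
            },
            {
                "artifact-name": "Exploitability statements",
                "artifact-created": True,
                "evidence-url": ["https://example.invalid/vex/statements.json"],
                "comment": "Also VEX, but the name does not say so",
            },
        ]
    }
}

# Same project with the hypothetical explicit property (not in the spec):
#
#   security-artifacts:
#     vex:
#       vex-created: true
#       evidence-url:
#         - https://example.invalid/vex/feed.json
#         - https://example.invalid/vex/statements.json
EXPLICIT_DOC: dict[str, Any] = {
    "security-artifacts": {
        "vex": {
            "vex-created": True,
            "evidence-url": [
                "https://example.invalid/vex/feed.json",
                "https://example.invalid/vex/statements.json",
            ],
        }
    }
}


def _urls(entry: dict[str, Any]) -> list[str]:
    """evidence-url may be a single string or a list; normalise to a list."""
    value = entry.get("evidence-url", [])
    return [value] if isinstance(value, str) else list(value)


def vex_urls_from_other_artifacts(doc: dict[str, Any]) -> list[str]:
    """Workaround consumer: guess which other-artifacts entries are VEX.

    The schema carries no VEX marker here, so the engine has to match on a
    free-text name.  That is a heuristic: the second entry above is VEX but
    is silently missed because its name does not contain 'vex'.
    """
    artifacts = doc.get("security-artifacts", {}).get("other-artifacts", [])
    found: list[str] = []
    for entry in artifacts:
        if "vex" in str(entry.get("artifact-name", "")).lower():
            found.extend(_urls(entry))
    return found


def vex_urls_from_explicit_property(doc: dict[str, Any]) -> list[str]:
    """Consumer for the hypothetical explicit property: no guessing needed."""
    vex = doc.get("security-artifacts", {}).get("vex")
    if not vex or not vex.get("vex-created"):
        return []
    return _urls(vex)


if __name__ == "__main__":
    print("workaround:", vex_urls_from_other_artifacts(WORKAROUND_DOC))
    print("explicit:  ", vex_urls_from_explicit_property(EXPLICIT_DOC))
```

Run as a script it prints one URL for the workaround document and both for the explicit one; the missed "Exploitability statements" entry is the false negative that a name-matching heuristic produces and that a dedicated property avoids.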