ossf / security-insights-spec

OPENSSF SECURITY INSIGHTS: Repository for development of the draft standard, where requests for modification should be made via Github Issues.

Add VEX as a property under security-artifacts #84

Open Danajoyluck opened 4 days ago

Danajoyluck commented 4 days ago

When a project generates a VEX feed for vulnerabilities that are not exploitable, SECURITY_INSIGHTS.yml is an ideal place to capture this information. The workaround is to add VEX statement information under “security-artifacts” > “other-artifacts”.

Having VEX as an explicit property will make it a deterministic property for policy engines to pick up and make decisions on during software ingestion, or for scanners to reduce false positives.
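To show what "deterministic for policy engines" buys in practice, here is an added example (not code from the security-insights-spec or OpenVEX projects) of a consumer that locates a project's VEX document through SECURITY_INSIGHTS.yml and then uses OpenVEX `not_affected` statements to suppress scanner findings. Assumptions, also marked in the code: the `security-artifacts.vex` key is the property proposed in this issue and does not exist in the published spec; the `other-artifacts` field names (`artifact-name`, `artifact-created`, `evidence-url`) follow my reading of the v1.0.0 schema and should be checked against it; the YAML file is shown as the dict `yaml.safe_load()` would return so the block runs without PyYAML; the OpenVEX document, the scanner findings and the URL-to-document map standing in for an HTTP fetch are all constructed sample data.

```python
"""Resolve a project's VEX document via SECURITY_INSIGHTS.yml, then apply it to
scanner findings. Added example; field names marked ASSUMED/HYPOTHETICAL below."""
import json
from typing import Dict, List, Tuple

# Constructed: SECURITY_INSIGHTS.yml as a YAML parser loads it, using the
# workaround from this issue (VEX hidden under other-artifacts).
# ASSUMED: other-artifacts field names as in the v1.0.0 schema.
VEX_URL = "https://example.org/project/vex.openvex.json"
INSIGHTS_WORKAROUND = {
    "header": {"schema-version": "1.0.0",
               "project-url": "https://github.com/example-org/example-project"},
    "security-artifacts": {"other-artifacts": [
        {"artifact-name": "SBOM (SPDX)", "artifact-created": True,
         "evidence-url": ["https://example.org/project/sbom.spdx.json"]},
        {"artifact-name": "OpenVEX feed", "artifact-created": True,
         "evidence-url": [VEX_URL]},
    ]},
}
# Constructed: the explicit property this issue proposes. HYPOTHETICAL key `vex`.
INSIGHTS_EXPLICIT = {
    "header": INSIGHTS_WORKAROUND["header"],
    "security-artifacts": {"vex": {"vex-created": True, "evidence-url": [VEX_URL]},
                           "other-artifacts": []},
}
# Constructed OpenVEX v0.2.0 document with one valid not_affected statement,
# one malformed not_affected statement, and one open investigation.
OPENVEX_DOC = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0", "@id": VEX_URL,
    "author": "Example Project Security Team",
    "timestamp": "2024-05-01T10:00:00Z", "version": 1,
    "statements": [
        {"vulnerability": {"name": "CVE-2024-0001"},
         "products": [{"@id": "pkg:oci/example-app@sha256%3Aabc123",
                       "subcomponents": [{"@id": "pkg:golang/example.com/lib@1.2.3"}]}],
         "status": "not_affected",
         "justification": "vulnerable_code_not_in_execute_path"},
        {"vulnerability": {"name": "CVE-2024-0002"},          # no justification
         "products": [{"@id": "pkg:golang/example.com/other@2.0.0"}],
         "status": "not_affected"},
        {"vulnerability": {"name": "CVE-2024-0003"},
         "products": [{"@id": "pkg:golang/example.com/other@2.0.0"}],
         "status": "under_investigation"},
    ],
})
# Constructed scanner output: (package URL, vulnerability id) pairs.
FINDINGS = [
    {"purl": "pkg:golang/example.com/lib@1.2.3", "vulnerability": "CVE-2024-0001"},
    {"purl": "pkg:golang/example.com/other@2.0.0", "vulnerability": "CVE-2024-0002"},
    {"purl": "pkg:golang/example.com/other@2.0.0", "vulnerability": "CVE-2024-0003"},
    {"purl": "pkg:golang/example.com/other@2.0.0", "vulnerability": "CVE-2024-0004"},
]


def find_vex_urls(insights: dict) -> List[str]:
    """Prefer the explicit (hypothetical) `vex` property; otherwise fall back to
    guessing from free-text artifact names, which is the fragile workaround."""
    artifacts = insights.get("security-artifacts") or {}
    explicit = artifacts.get("vex")
    if explicit:
        return list(explicit.get("evidence-url") or [])
    urls: List[str] = []
    for art in artifacts.get("other-artifacts") or []:
        if "vex" in str(art.get("artifact-name", "")).lower():
            urls.extend(art.get("evidence-url") or [])
    return urls


def index_statements(doc_json: str) -> Dict[Tuple[str, str], dict]:
    """Map (product or subcomponent @id, vulnerability name) to the governing
    statement. Later timestamps win, as OpenVEX specifies; sort is stable, so
    document order breaks ties."""
    doc = json.loads(doc_json)
    if not str(doc.get("@context", "")).startswith("https://openvex.dev/ns/"):
        raise ValueError("not an OpenVEX document")
    index: Dict[Tuple[str, str], dict] = {}
    for st in sorted(doc.get("statements", []),
                     key=lambda s: s.get("timestamp", doc.get("timestamp", ""))):
        vuln = st["vulnerability"]["name"]
        for prod in st.get("products", []):
            index[(prod["@id"], vuln)] = st
            for sub in prod.get("subcomponents", []):
                index[(sub["@id"], vuln)] = st
    return index


def apply_vex(findings: List[dict], index: Dict[Tuple[str, str], dict]):
    """Suppress findings covered by not_affected (only when justified, as the
    OpenVEX spec requires) or fixed; keep everything else, including
    under_investigation and findings with no statement at all."""
    kept, suppressed = [], []
    for f in findings:
        st = index.get((f["purl"], f["vulnerability"]))
        status = st.get("status") if st else None
        justified = bool(st and (st.get("justification") or st.get("impact_statement")))
        if status == "fixed" or (status == "not_affected" and justified):
            suppressed.append({**f, "vex_status": status,
                               "justification": st.get("justification")})
        else:
            kept.append(f)
    return kept, suppressed


def triage(insights: dict, documents: Dict[str, str], findings: List[dict]):
    """documents maps evidence URLs to fetched content (stand-in for HTTP)."""
    index: Dict[Tuple[str, str], dict] = {}
    for url in find_vex_urls(insights):
        if url in documents:
            index.update(index_statements(documents[url]))
    return apply_vex(findings, index)


if __name__ == "__main__":
    docs = {VEX_URL: OPENVEX_DOC}
    for label, insights in (("workaround", INSIGHTS_WORKAROUND),
                            ("explicit", INSIGHTS_EXPLICIT)):
        kept, suppressed = triage(insights, docs, FINDINGS)
        print(f"{label}: {len(suppressed)} suppressed, {len(kept)} kept")
        for s in suppressed:
            print(f"  {s['vulnerability']} on {s['purl']}: {s['vex_status']} ({s['justification']})")
```

Both layouts give the same result here only because the artifact was named "OpenVEX feed"; a project that calls the same artifact "Vulnerability exploitability statements" is invisible to the name heuristic, which is the non-determinism the explicit property removes. Real-world matching also needs purl normalization (version and qualifier handling) before keys are compared.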

puerco commented 4 days ago

We're defining a well-known location in the repositories; the location could default to whatever resolves this issue:

https://github.com/openvex/spec/issues/46