
CRAVEX: Export VEX document: CycloneDX VEX

Open pombredanne opened this issue 1 year ago • 1 comments

Export the results of the vulnerabilities triage and processing as a CycloneDX VEX document.

https://cyclonedx.org/capabilities/vex/ https://github.com/CycloneDX/bom-examples/tree/master/VEX

pombredanne avatar May 08 '24 18:05 pombredanne

See #15 for additional background.

DennisClark avatar May 17 '24 14:05 DennisClark

@DennisClark Implementation of the CycloneDX VEX-only and SBOM+VEX combined outputs available for review. Those new links are available in the Product "Share" dropdown, when the enable_vulnerablecodedb_access is enabled.

See https://cyclonedx.org/capabilities/vex/#independent-bom-and-vex-bom and https://cyclonedx.org/capabilities/vex/#bom-with-embedded-vex and

tdruez avatar Sep 03 '24 14:09 tdruez

@tdruez A quick review of the new VEX export feature looks quite good, no problems found. I'll need some time to explore the details more thoroughly.

DennisClark avatar Sep 03 '24 16:09 DennisClark

Once the analysis fields from https://github.com/aboutcode-org/dejacode/issues/98#issuecomment-2331996219 are available, those can be added in the Vulnerability.as_cyclonedx() method at https://github.com/aboutcode-org/dejacode/blob/main/vulnerabilities/models.py#L206. The content of as_cyclonedx() is directly available in the new VEX output.

tdruez avatar Sep 05 '24 15:09 tdruez
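To make the two output shapes linked above concrete (VEX-only document that points at a separate SBOM via BOM-Link references, versus an SBOM with the VEX data embedded), here is an added example that is not DejaCode's code and does not reproduce Vulnerability.as_cyclonedx(): a small builder that turns constructed triage records into a CycloneDX 1.5 document and checks the analysis vocabularies. The triage dict keys, the component list and the VULN-EXAMPLE-1 id are assumptions made for the example.

```python
import uuid

# Allowed vocabularies for the CycloneDX "analysis" object (spec 1.4+).
ANALYSIS_STATES = {"resolved", "resolved_with_pedigree", "exploitable",
                   "in_triage", "false_positive", "not_affected"}
JUSTIFICATIONS = {"code_not_present", "code_not_reachable", "requires_configuration",
                  "requires_dependency", "requires_environment", "protected_by_compiler",
                  "protected_at_runtime", "protected_at_perimeter",
                  "protected_by_mitigating_control"}
RESPONSES = {"can_not_fix", "will_not_fix", "update", "rollback", "workaround_available"}

# Constructed sample data: one product component and one triage decision on it.
COMPONENTS = [{"type": "library", "bom-ref": "pkg:pypi/example-lib@1.0.0",
               "name": "example-lib", "version": "1.0.0"}]
TRIAGE = [{"id": "VULN-EXAMPLE-1", "ref": "pkg:pypi/example-lib@1.0.0",
           "state": "not_affected", "justification": "code_not_reachable",
           "response": ["will_not_fix"],
           "detail": "The vulnerable function is never called by this product."}]

def triage_to_vuln(entry, bom_link=None):
    """One triage record -> one CycloneDX 'vulnerabilities[]' entry. With bom_link
    set, affects.ref is a BOM-Link into an external SBOM (independent VEX)."""
    if entry["state"] not in ANALYSIS_STATES:
        raise ValueError(f"unknown analysis.state {entry['state']!r}")
    analysis = {"state": entry["state"], "detail": entry.get("detail", "")}
    if entry["state"] == "not_affected":  # the spec expects a justification here
        if entry.get("justification") not in JUSTIFICATIONS:
            raise ValueError("not_affected requires a valid justification")
        analysis["justification"] = entry["justification"]
    bad = set(entry.get("response", [])) - RESPONSES
    if bad:
        raise ValueError(f"unknown analysis.response {sorted(bad)}")
    if entry.get("response"):
        analysis["response"] = entry["response"]
    ref = f"{bom_link}#{entry['ref']}" if bom_link else entry["ref"]
    return {"id": entry["id"], "analysis": analysis, "affects": [{"ref": ref}]}

def build_vex(triage, components, embed, sbom_serial=None, sbom_version=1):
    """embed=False: VEX-only document whose refs point at the external SBOM with
    serial number sbom_serial (bare UUID); embed=True: SBOM with embedded VEX."""
    doc = {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
           "serialNumber": f"urn:uuid:{uuid.uuid4()}"}
    bom_link = None
    if embed:
        doc["components"] = components
    else:
        bom_link = f"urn:cdx:{sbom_serial}/{sbom_version}"
    doc["vulnerabilities"] = [triage_to_vuln(e, bom_link) for e in triage]
    return doc
```

Serialise the returned dict with json.dumps to get the file a consumer would ingest; the BOM-Link form follows the CycloneDX `urn:cdx:<serialNumber>/<version>#<bom-ref>` convention.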

This is LGTM. Closing as done. I added a comment to https://github.com/aboutcode-org/dejacode/issues/98#issuecomment-2346428724 to track the part related to #98.

pombredanne avatar Sep 12 '24 14:09 pombredanne