spdx-spec
Add detailed VEX example Annex
This commit adds an annex explaining how to implement VEX in SPDX.
cc @puerco @jeff-schutt to take a look
oooh thanks @rnjudge you beat me to starting this document. This is a good start!
I think we are missing an overview of how VEX works in general. I think it would be helpful to first get the idea of the mechanics into the reader's head and then build up on how SPDX implements them.
I'm happy to help with some of it :)
My assumption was that if folks are coming to this annex they are probably already familiar with how VEX works and I didn't want to clutter the page with too much background. But I'm not opposed to a brief primer! Maybe easier to point them to an already written summary of it somewhere for more detailed info?
Thanks so much for your help with the first pass, I'm incorporating your suggestions and we can keep iterating on this! Maybe review at the security call on Wed if you're around?
The SPDX V 3 spec says nothing about NIST's VDR - this is a significant oversight.
#933
This should be moved to the https://github.com/spdx/using repository.
The material shown in the commit text matches my understanding of how VEX is used to communicate vulnerability status.
"Because Elements in SPDX are immutable, it is best practice to issue a new VulnAssessmentRelationship of type amendedBy each time the VEX status of a vulnerability changes (i.e. underInvestigationFor --> affects) in addition to creating the new type of VEX status relationship."
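An added example (not part of the PR or the SPDX spec) of what a consumer has to do with that rule: because each status record is immutable, the effective VEX status is found by following the amendedBy links from the first record, and a record that no amendedBy points away from is the current one. The record layout and field names are simplified assumptions, not the SPDX 3 JSON-LD schema; the doesNotAffect and fixedIn type names are assumed for completeness.

```python
from dataclasses import dataclass

# VEX status relationship types; underInvestigationFor and affects are named in
# the annex text, doesNotAffect and fixedIn are assumed here for completeness.
VEX_STATUS_TYPES = {"underInvestigationFor", "affects", "doesNotAffect", "fixedIn"}


@dataclass(frozen=True)  # frozen: an SPDX Element is never edited, only superseded
class Rel:
    spdx_id: str
    relationship_type: str  # a VEX status type, or "amendedBy"
    from_id: str            # vulnerability id, or the superseded Rel for amendedBy
    to_id: str              # assessed element id, or the amending Rel for amendedBy
    published: str          # ISO-8601 date (constructed sample values below)


def status_history(records, vuln_id, element_id):
    """Status records for one (vulnerability, element) pair, ordered by walking
    the amendedBy chain from the record that nothing amends."""
    by_id = {r.spdx_id: r for r in records}
    # old record id -> new record id, taken from the amendedBy relationships
    amended_by = {r.from_id: r.to_id for r in records if r.relationship_type == "amendedBy"}
    candidates = [r for r in records if r.relationship_type in VEX_STATUS_TYPES
                  and r.from_id == vuln_id and r.to_id == element_id]
    roots = [r for r in candidates if r.spdx_id not in amended_by.values()]
    if not roots:
        return []
    chain, cur, seen = [], min(roots, key=lambda r: r.published), set()
    while cur is not None and cur.spdx_id not in seen:  # seen guards against cycles
        chain.append(cur)
        seen.add(cur.spdx_id)
        cur = by_id.get(amended_by.get(cur.spdx_id))     # dangling link -> stop
    return chain


def current_status(records, vuln_id, element_id):
    history = status_history(records, vuln_id, element_id)
    return history[-1].relationship_type if history else None


# Constructed sample: investigation opened, then amended to "affects".
# "urn:vuln:CVE-EXAMPLE" is a placeholder, not a real vulnerability id.
RECORDS = [
    Rel("urn:rel:1", "underInvestigationFor", "urn:vuln:CVE-EXAMPLE", "urn:pkg:acme-lib", "2024-07-01"),
    Rel("urn:rel:2", "affects", "urn:vuln:CVE-EXAMPLE", "urn:pkg:acme-lib", "2024-07-10"),
    Rel("urn:rel:3", "amendedBy", "urn:rel:1", "urn:rel:2", "2024-07-10"),
]

if __name__ == "__main__":
    print([r.spdx_id for r in status_history(RECORDS, "urn:vuln:CVE-EXAMPLE", "urn:pkg:acme-lib")])
    print(current_status(RECORDS, "urn:vuln:CVE-EXAMPLE", "urn:pkg:acme-lib"))  # affects
```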
Reviewed on the 30 July 2024 tech call, approved.
We need to open this PR on the using repo and close this. Once the PR is open on the using repo, we should be able to merge it as approved.
@rnjudge - can you move this over?
This has been moved over to "Using" so going ahead and closing this.