Background
A year ago I wrote about VEX and why it's a more useful artifact than our current VDR. This issue tracks actually shipping it.
Briefly, to motivate the work:
- Our VDR duplicates public data. Everything in it is already in the public CVE feeds; downstream consumers gain nothing from reading ours.
- VEX statements add real signal. They let us tell downstream projects whether a CVE in one of our dependencies actually affects users of our components — which is the question downstream maintainers are actually trying to answer.
- Production can be largely automated. The VEX Generation Toolset generates candidate statements from SBOMs + callgraph analysis, and gives useful feedback on the quality of our SBOM data as a side effect.
- The volume is low. Vulnerabilities in our upstream dependencies typically surface as a Dependabot security PR (recognizable by the "You can disable automated security fix PRs…" footer even without Security Alerts access). One CVE corresponds to one VEX statement. This is not a large ongoing burden.
Roadmap
Background
A year ago I wrote about VEX and why it's a more useful artifact than our current VDR. This issue tracks actually shipping it.
Briefly, to motivate the work:
Roadmap
callgraph-metadatapost-release. Add a workflow step that uploads the release SBOMs to thevex-generation-toolset/callgraph-metadatarepo, so callgraphs are extracted from our JARs and dependencies are monitored for CVEs upstream. Add SBOMs for Log4j distribution vex-generation-toolset/callgraph-metadata#296metadata.component == vulnerability.affects) and CVEs in third-party components. Done for existing VDR entries in Generate the VDR from per-CVE source files #26.justification/responsefields.