OpenVEX Spec v0.2.0

This is the release of the OpenVEX Specification v0.2.0.

This release introduces the first major revision of the OpenVEX specification. It introduces breaking changes to the OpenVEX document, specifically expanding the product and vulnerability fields to make them richer and easier to expand in the future.

The introduced changes were discussed and approved by the OpenVEX community in the following enhancement proposals:

• OPEV-0014: Expansion of the VEX Product Field
• OPEV-0015: Expansion of the Vulnerability Field

This release of the spec and its corresponding tooling updates address the following open issues:

• Ability to refer back to an SBOM? #28
• PURL matching with qualifiers #27
• VEX schema/spec version should be a field in the metadata #20
• More explicit expectations for package identifiers #16
• Modify Spec to Require Artifact Digest in PURL #10
• Allow for vulnerability to be a list #12

This is our best release yet 🚀 Thanks to everybody who supplied the feedback and ideas that went into the specification, especially to @camaleon2016 @cpanato @garethr @itaysk @jspeed-meyers @knqyf263 @luhring @lumjjb @mjnagel @rnjudge @SecurityCRob @taladrane @tpletcher-hpe @tschmidtb51 @wagoodman @zmanion

OpenVEX Spec v0.0.2

This release marks version v0.0.2 of the OpenVEX specification.

v0.0.2 matches the spec to the final version of the Minimum Requirements for VEX document produced by the VEX Working Group and published by CISA.