
Add VEX as a property under security-artifacts #84

Closed
Danajoyluck opened this issue Jul 5, 2024 · 3 comments
@Danajoyluck

When a project generates a VEX feed for vulnerabilities that are not exploitable, SECURITY_INSIGHTS.yml is an ideal place to capture this information. The workaround is to add the VEX statement information under "security-artifacts" > "other-artifacts".

Having VEX as an explicit property will make it a deterministic property for policy engines to pick up and make decisions during software ingestion, or for scanners to reduce false positives.

@puerco
Member

puerco commented Jul 5, 2024

We're defining a well-known location in the repositories; the location could default to whatever resolves this issue:

openvex/spec#46

@eddie-knight
Contributor

I've drafted this in #96:

project:
  release:
    latest:
      provenance:
        vex-data: https://foo.bar/vex
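To show why an explicit property is easier for a policy engine to consume than the "other-artifacts" workaround, here is an added example (not code from the security-insights project or from any commenter). It resolves the VEX location from the parsed form of a SECURITY_INSIGHTS.yml, first via the `project.release.latest.provenance.vex-data` key drafted above and otherwise by guessing from artifact names, then uses a constructed minimal OpenVEX document to drop scanner findings the project has marked as not affected. The entry shape under `other-artifacts`, the product identifiers, the CVE ids and all URLs are constructed for the example; the YAML is shown as the dict that a YAML loader would return so the script runs without PyYAML.

```python
"""Resolve a project's VEX feed from SECURITY_INSIGHTS.yml and apply it to scanner findings.

Added example for this issue, not code from the security-insights project.
Assumed: the explicit key project.release.latest.provenance.vex-data from the draft,
and a name/url shape for entries under security-artifacts.other-artifacts (workaround).
Documents are embedded in their parsed (dict) form so this runs without PyYAML.
"""
from urllib.parse import urlparse

# Constructed: parsed form of a SECURITY_INSIGHTS.yml using the explicit property.
INSIGHTS_EXPLICIT = {
    "project": {"release": {"latest": {"provenance": {"vex-data": "https://foo.bar/vex"}}}}
}

# Constructed: parsed form of a file using the other-artifacts workaround.
# The name/url entry shape is an assumption made for this example.
INSIGHTS_WORKAROUND = {
    "security-artifacts": {
        "other-artifacts": [
            {"name": "SBOM", "url": "https://foo.bar/sbom.json"},
            {"name": "OpenVEX feed", "url": "https://foo.bar/vex"},
        ]
    }
}


def _dig(doc, *path):
    """Walk nested dicts along `path`; return None if any key is missing."""
    for key in path:
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc


def _validated(url):
    """Accept only absolute https URLs so a consumer never fetches VEX over plaintext."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"VEX location must be an https URL, got {url!r}")
    return url


def resolve_vex_location(insights):
    """Return (url, source).

    'explicit' means one well-defined key was read; 'heuristic' means the engine had to
    guess from free-form artifact names that an entry is VEX at all, which is exactly the
    non-determinism the issue is about.
    """
    url = _dig(insights, "project", "release", "latest", "provenance", "vex-data")
    if isinstance(url, str):
        return _validated(url), "explicit"
    for entry in _dig(insights, "security-artifacts", "other-artifacts") or []:
        if "vex" in str(entry.get("name", "")).lower():
            return _validated(entry.get("url", "")), "heuristic"
    return None, "none"


# Constructed minimal OpenVEX document (placeholder CVE ids and product purl).
VEX_DOC = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://foo.bar/vex/example-1",
    "author": "Example Project Security Team",
    "timestamp": "2024-07-05T00:00:00Z",
    "version": 1,
    "statements": [
        {
            "vulnerability": {"name": "CVE-0000-00001"},  # placeholder id
            "products": [{"@id": "pkg:golang/example.com/foo@1.2.3"}],
            "status": "not_affected",
            "justification": "vulnerable_code_not_in_execute_path",
        }
    ],
}

# Constructed scanner findings: one covered by the VEX statement, one not.
FINDINGS = [
    {"cve": "CVE-0000-00001", "purl": "pkg:golang/example.com/foo@1.2.3"},
    {"cve": "CVE-0000-00002", "purl": "pkg:golang/example.com/foo@1.2.3"},
]


def apply_vex(findings, vex_doc):
    """Drop findings whose (vulnerability, product) the VEX marks not_affected or fixed."""
    suppressed = {
        (s["vulnerability"]["name"], p["@id"])
        for s in vex_doc.get("statements", [])
        if s.get("status") in ("not_affected", "fixed")
        for p in s.get("products", [])
    }
    return [f for f in findings if (f["cve"], f["purl"]) not in suppressed]


if __name__ == "__main__":
    for doc in (INSIGHTS_EXPLICIT, INSIGHTS_WORKAROUND, {}):
        print(resolve_vex_location(doc))
    print(apply_vex(FINDINGS, VEX_DOC))
```

The `source` tag returned by `resolve_vex_location` is the point of the example: with the explicit key a consumer reads one address and is done, while the workaround forces string matching on artifact names that a project may spell any way it likes. Only findings whose product matches a statement are suppressed, so a `not_affected` statement for one version never silences the same CVE on another.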

@eddie-knight eddie-knight self-assigned this Dec 25, 2024
@eddie-knight
Contributor

Thanks for this suggestion @Danajoyluck!

As per a design proposed by @puerco, support for VEX is implicit within the attestation objects that will be included in the upcoming release (#97).
