Generating VEX statements

[another-rex]

Automatically generate VEX statements based on call graph analysis or ignored vulnerabilities set in the scanner config.

[puerco]

At Chainguard we are starting to run tests issuing vex for Wolfi, our linux distro. We are generating documents in a simplified VEX format which we also embed in in-toto attestations. We are proposing this format to the VEX working group and have been trying to capture the latest data model.

Here is the VEX structure and type we are using: https://github.com/chainguard-dev/vex/blob/main/pkg/vex/vex.go

We would love to collaborate and learn more about you rvex use case!

[oliverchang]

Hey @puerco! Thanks for reaching out!

The use case we have in mind right now is just generating VEX statements from:

• The ignore files provided by the user.
• Automated call graph analysis on vulnerable functions.

If possible we'd certainly like to re-use an existing VEX structure for this. Very happy to chat more here about this or other potential areas of collaboration!

CC @lumjjb

[github-actions]

This issue has not had any activity for 60 days and will be automatically closed in two weeks