As OpenVEX is intended to be a minimal VEX implementation, is there a plan to make it extensible to support additional cases without having to modify the core specification?

Examples of such extensions include:

- Support other status labels and status justifications.
- Indicate a targeted release for the fix of an "affected" product.
- Add proof/demonstrations of fixes.
- Include a third party acknowledgement/certification of the statement.
- Link a vulnerability reported by a specific vulnerability assessment tool.
- Have a structured mitigation field to describe several mitigation scenarios.
- Support multiple authors of a statement. That is, the product manufacturer confirmed an affected product and a 3rd party researcher proposes a mitigation.
- Support logical predicates for product and vulnerability matching.
- etc.

Such extensions could be expressed in a Meta OpenVEX format which, when processed against an SBOM, could generate an appropriate OpenVEX document, given the extension specification, to be included in the SBOM.