chore: fix documentation and remove older test

.github/actions/spelling/allow.txt

@@ -71,6 +71,7 @@ cabextract
 capnproto
 cbt
 CDNs
+CDX
 ceph
 cfa
 cfea

README.md

@@ -136,16 +136,18 @@ The [VEX generation how-to guide](https://github.com/intel/cve-bin-tool/blob/mai
 
 ### Triaging vulnerabilities
 
-The `--triage-input-file` option can be used to add extra triage data like remarks, comments etc. while scanning a directory so that output will reflect this triage data and you can save time of re-triaging (Usage: `cve-bin-tool --triage-input-file test.vex /path/to/scan`).
-The supported format is the [CycloneDX](https://cyclonedx.org/capabilities/vex/) VEX format which can be generated using the `--vex` option.
+The `--vex-file` option can be used to add extra triage data like remarks, comments etc. while scanning a directory so that output will reflect this triage data and you can save time of re-triaging (Usage: `cve-bin-tool --vex-file test.json /path/to/scan`).
+The supported format is the [CycloneDX](https://cyclonedx.org/capabilities/vex/),[CSAF](https://oasis-open.github.io/csaf-documentation/) and [OpenVEX](https://edu.chainguard.dev/open-source/sbom/what-is-openvex/) VEX format which can be generated using the `--vex-output` option.
 
 Typical usage:
 
-1. Generate triage file using `cve-bin-tool /path/to/scan --vex triage.vex`
-2. Edit triage.vex with your favourite text editor to provide triage information on the vulnerabilities listed.
-3. Use this triage file for future scans as follows: `cve-bin-tool /path/to/scan --triage-input-file triage.vex`
+1. Generate triage file using `cve-bin-tool /path/to/scan --vex-output triage.json`
+2. Edit triage.json with your favourite text editor to provide triage information on the vulnerabilities listed.
+3. Use this triage file for future scans as follows: `cve-bin-tool /path/to/scan --vex-file triage.json`
 
-It should be possible to share triage data across different runs of cve-bin-tool or with other tools that support the CycloneDX VEX format.  This would be particularly useful for teams that scan related products or containers, teams that need to use multiple tools for compliance reasons, companies that have a central security policy group that provides guidance on vulnerability triage, and more.
+For better usage guide refer this [link](https://cve-bin-tool.readthedocs.io/en/latest/triaging_process.html) .
+
+It should be possible to share triage data across different runs of cve-bin-tool or with other tools that support the CycloneDX VEX, OpenVEX and CSAF format.  This would be particularly useful for teams that scan related products or containers, teams that need to use multiple tools for compliance reasons, companies that have a central security policy group that provides guidance on vulnerability triage, and more.
 
 ### Using the tool offline
 
@@ -172,8 +174,8 @@ cve-bin-tool file -f csv,json,html -o report
 Note: You must not use spaces between the commas (',') and the output formats.
 
 The reported vulnerabilities can additionally be reported in the
-Vulnerability Exchange (VEX) format by specifying `--vex` command line option.
-The generated VEX file can then be used as a `--triage-input-file` to support
+Vulnerability Exchange (VEX) format by specifying `--vex-output` with type defined using `--vex-type` command line option.
+The generated VEX file can then be used as a `--vex-file` to support
 a triage process.
 
 If you wish to use PDF support, you will need to install the `reportlab`
@@ -377,7 +379,7 @@ Users can add triage information to reports to mark issues as false positives, i
 
 Triage details can be re-used on other projects so, for example, triage on a Linux base image could be applied to multiple containers using that image.
 
-For more information and usage of triage information with the tool kindly have a look [here](https://cve-bin-tool.readthedocs.io/en/latest/MANUAL.html#triage-input-file-input-file).
+For more information and usage of triage information with the tool kindly have a look [here](https://cve-bin-tool.readthedocs.io/en/latest/triaging_process.html).
 
 If you are using the binary scanner capabilities, be aware that we only have a limited number of binary checkers (see table above) so we can only detect those libraries. Contributions of new checkers are always welcome! You can also use an alternate way to detect components (for example, a bill of materials tool such as [tern](https://github.com/tern-tools/tern)) and then use the resulting list as input to cve-bin-tool to get a more comprehensive vulnerability list.
 
@@ -451,8 +453,6 @@ Input:
   <a href="https://github.com/intel/cve-bin-tool/blob/main/doc/MANUAL.md#directory-positional-argument">directory</a>             directory to scan
   <a href="https://github.com/intel/cve-bin-tool/blob/main/doc/MANUAL.md#-i-input_file---input-file-input_file">-i INPUT_FILE, --input-file INPUT_FILE</a>
                         provide input filename
-  <a href="https://github.com/intel/cve-bin-tool/blob/main/doc/MANUAL.md#--triage-input-file-input_file">--triage-input-file TRIAGE_INPUT_FILE</a>
-                        provide input filename for triage data
   <a href="https://github.com/intel/cve-bin-tool/blob/main/doc/MANUAL.md#-c-config---config-config">-C CONFIG, --config CONFIG</a>
                         provide config file
   <a href="https://github.com/intel/cve-bin-tool/blob/main/doc/MANUAL.md#-l-package_list---package-list-package_list">-L PACKAGE_LIST, --package-list PACKAGE_LIST</a>

cve_bin_tool/cli.py

@@ -345,45 +345,48 @@ def main(argv=None):
         choices=["tag", "json", "yaml"],
         help="specify format of software bill of materials (sbom) to generate (default: tag)",
     )
-    output_group.add_argument(
+    vex_output_group = parser.add_argument_group(
+        "Vex Output", "Arguments related to Vex output document."
+    )
+    vex_output_group.add_argument(
         "--vex-output",
         action="store",
         help="Provide vulnerability exchange (vex) filename to generate",
         default="",
     )
-    output_group.add_argument(
+    vex_output_group.add_argument(
         "--vex-type",
         action="store",
         default="",
         choices=["cyclonedx", "csaf", "openvex"],
         help="specify type of vulnerability exchange (vex) to generate (default: cyclonedx)",
     )
-    output_group.add_argument(
+    vex_output_group.add_argument(
         "--product",
         action="store",
         default="",
         help="Product Name",
     )
-    output_group.add_argument(
+    vex_output_group.add_argument(
         "--release",
         action="store",
         default="",
         help="Release Version",
     )
-    output_group.add_argument(
+    vex_output_group.add_argument(
         "--vendor",
         action="store",
         default="",
         help="Vendor/Supplier of Product",
     )
-    output_group.add_argument(
+    vex_output_group.add_argument(
         "-rr",
         "--revision-reason",
         action="store",
         default="",
         help="a reason for the update to the vex document should be specified in double quotes",
     )
-    output_group.add_argument(
+    vex_output_group.add_argument(
         "--filter-triage",
         action="store_true",
         default=False,

cve_bin_tool/config_generator.py

@@ -46,6 +46,7 @@ def config_generator(config_format, organized_arguments):
                     group_args["sbom-type"]["arg_value"] = None
                     group_args["sbom-format"]["arg_value"] = None
                     group_args["sbom-output"]["arg_value"] = None
+            if group_title == "vex_output":
                 if group_args["vex-output"]["arg_value"] == "":
                     group_args["vex-type"]["arg_value"] = None
                     group_args["vex-output"]["arg_value"] = None

doc/MANUAL.md

@@ -40,7 +40,6 @@
   - [Input Arguments](#input-arguments)
     - [directory (positional argument)](#directory-positional-argument)
     - [-i INPUT\_FILE, --input-file INPUT\_FILE](#-i-input_file---input-file-input_file)
-    - [--triage-input-file INPUT\_FILE](#--triage-input-file-input_file)
     - [--sbom-file SBOM\_FILE](#--sbom-file-sbom_file)
     - [--vex-file VEX\_FILE](#--vex-file-vex_file)
     - [-L PACKAGE\_LIST, --package-list PACKAGE\_LIST](#-l-package_list---package-list-package_list)
@@ -703,140 +702,6 @@ Note that `--input-file`, unlike `cve-bin-tool directory` scan, will work on _an
 
 > Note: For backward compatibility, we still support `csv2cve` command for producing CVEs from csv but we recommend using new `--input-file` command instead.
 
-### --triage-input-file INPUT_FILE
-
-This option allows you to provide triage data and incorporate that into the output so that people could spend less time re-triaging. The supported format
-is the [CycloneDX](https://cyclonedx.org/capabilities/vex/) VEX format which can be generated using the `--vex` option.
-For the triage process, the **state** value in the analysis section of each CVE should have one of the following values:
-
-```
-"under_review" - this is the default state and should be used to indicate the vulnerability is to be reviewed
-"in_triage" - this should be used to indicate that the vulnerability is being reviewed
-"exploitable" - this should be used to indicate that the vulnerability is known to be exploitable
-"not_affected" - this should be used to indicate that the vulnerability has been mitigated
-```
-
-The **detail** value in the analysis section can be used to provide comments related to the state
-
-For example, if `input_file.csv` contains the following data:
-
-```
-| vendor          | product   | version   |
-| --------------- | --------- | --------- |
-| plot            | plotly    | h5.10.0   |
-| pocoo           | jinja2    | 3.1.2     |
-| aiohttp_project | aiohttp   | 3.8.1     |
-| pyyaml          | pyyaml    | 6.0       |
-| python          | requests  | 2.28.1    |
-| python          | urllib3   | 1.26.12   |
-| skontar         | cvss      | 2.5       |
-| getbootstrap    | bootstrap | 5.2.0     |
-| plotly          | plotly.js | 2.13.2    |
-```
-
-Where `aiohttp_project` and `plotly` are affected by `CVE-2022-33124` and `GMS-2016-69`, respectively,
-you could provide the following triage file:
-
-```
-{
-   "bomFormat": "CycloneDX",
-   "specVersion": "1.4",
-   "version": 1,
-   "vulnerabilities": [
-      {
-         "id": "GMS-2016-69",
-         "source": {
-            "name": "NVD",
-            "url": "https://nvd.nist.gov/vuln/detail/GMS-2016-69"
-         },
-         "ratings": [
-            {
-               "source": {
-                  "name": "NVD",
-                  "url": "https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=GMS-2016-69&vector=unknown&version=2.0"
-               },
-               "score": "unknown",
-               "severity": "unknown",
-               "method": "CVSSvunknown",
-               "vector": "unknown"
-            }
-         ],
-         "cwes": [],
-         "description": "If an attacker can trick an unsuspecting user into viewing a specially crafted plot on a site that uses plotly.js, then the attacker could potentially retrieve authentication tokens and perform actions on behalf of the user.",
-         "recommendation": "",
-         "advisories": [],
-         "created": "NOT_KNOWN",
-         "published": "NOT_KNOWN",
-         "updated": "NOT_KNOWN",
-         "analysis": {
-            "state": "not_affected",
-            "response": [ "code_not_reachable" ],
-            "justification": "",
-            "detail": ""
-         },
-         "affects": [
-            {
-               "ref": "urn:cdx:NOTKNOWN/1#plotly.js:2.13.2"
-            }
-         ]
-      }
-   ]
-}
-```
-
-Then when you invoke `cve-bin-tool` like this:
-
-```console
-cve-bin-tool -i="input_file.csv" --triage-input-file triage.vex
-```
-
-The output will look like following:
-
-```
-╔══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════╗
-║                                            CVE BINARY TOOL version: 3.1.1                                            ║
-╚══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════╝
-
- • Report Generated: 2022-11-09  13:52:20
- • Time of last update of CVE Data: 2022-11-09  13:39:31
-╭─────────────╮
-│ CVE SUMMARY │
-╰─────────────╯
-┏━━━━━━━━━━┳━━━━━━━┓
-┃ Severity ┃ Count ┃
-┡━━━━━━━━━━╇━━━━━━━┩
-│ CRITICAL │ 0     │
-│ HIGH     │ 0     │
-│ MEDIUM   │ 1     │
-│ LOW      │ 0     │
-└──────────┴───────┘
-╭───────────────────╮
-│  Unexplored CVEs  │
-╰───────────────────╯
-┏━━━━━━━━━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━┓
-┃ Vendor          ┃ Product ┃ Version ┃ CVE Number     ┃ Source ┃ Severity ┃ Score (CVSS Version) ┃
-┡━━━━━━━━━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━┩
-│ aiohttp_project │ aiohttp │ 3.8.1   │ CVE-2022-33124 │ NVD    │ MEDIUM   │ 5.5 (v3)             │
-└─────────────────┴─────────┴─────────┴────────────────┴────────┴──────────┴──────────────────────┘
-┏━━━━━━━━━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━┳━━━━━━┳━━━━━━━━━━┓
-┃ Vendor          ┃ Product ┃ Version ┃ Root ┃ Filename ┃
-┡━━━━━━━━━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━╇━━━━━━╇━━━━━━━━━━┩
-│ aiohttp_project │ aiohttp │ 3.8.1   │      │          │
-└─────────────────┴─────────┴─────────┴──────┴──────────┘
-╭──────────────────╮
-│  Mitigated CVEs  │
-╰──────────────────╯
-┏━━━━━━━━┳━━━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━┳━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━┓
-┃ Vendor ┃ Product   ┃ Version ┃ CVE Number  ┃ Source ┃ Severity ┃ Score (CVSS Version) ┃
-┡━━━━━━━━╇━━━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━╇━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━┩
-│ plotly │ plotly.js │ 2.13.2  │ GMS-2016-69 │ GAD    │ unknown  │ unknown              │
-└────────┴───────────┴─────────┴─────────────┴────────┴──────────┴──────────────────────┘
-┏━━━━━━━━┳━━━━━━━━━━━┳━━━━━━━━━┳━━━━━━┳━━━━━━━━━━┓
-┃ Vendor ┃ Product   ┃ Version ┃ Root ┃ Filename ┃
-┡━━━━━━━━╇━━━━━━━━━━━╇━━━━━━━━━╇━━━━━━╇━━━━━━━━━━┩
-│ plotly │ plotly.js │ 2.13.2  │      │          │
-└────────┴───────────┴─────────┴──────┴──────────┘
-```
 
 ### --sbom-file SBOM_FILE
 
@@ -931,7 +796,7 @@ input:
   directory: test/assets
   # To supplement triage data of previous scan or run standalone as csv2cve
   # Currently we only support vex file.
-  triage_input_file: triage.vex
+  vex_file: triage.json
 
 checker:
   # list of checkers you want to skip