Add Vulnerability Exchange (VEX) statements for CPython SBOMs to reference #2340
Comments
|
Are there standards for, and tools for, mapping (or translation) all of these different VEX formats to each other? A quick search on the brought me here https://openssf.org/blog/2023/09/07/vdr-vex-openvex-and-csaf/... where I noticed this text listing multiple standards ...CycloneDX VEX, OpenVEX, and SPDX3.0 or CSAF...? Would that be helpful when dealing with a huge tree of dependencies? I can imagine all of the existing standards will be used by at least one library depended on by python across all the various platforms, linux images, languages, etc... so the above question came to mind right away. |
|
@surfaceowl I'm not aware of any tooling that allows converting between the different formats, although I wouldn't be surprised if it exists. We'll select our format based on some criteria like whether it works with existing tooling. I'm leaning towards OpenVEX currently since I've started using SPDX for CPython's SBOM, SBOM format agnostic, seems straightforward when compared to the others, and owned by the OpenSSF. This decision isn't set in stone, though, only evaluating from first impressions. |
JacobCoffee
added
needs-feedback
Part of python/cpython#112302
Is your feature request related to a problem? Please describe.
CPython and its artifacts contain many dependencies which can have vulnerabilities. In the interest of not causing mass-confusion from SBOM consumers about the status of the vulnerabilities in dependencies (especially when those vulnerabilities aren't exploitable, like is usually the case for CPython's usage of OpenSSL) it is useful to provide a systematic and automatic mechanism to quell SBOM consumers questions on a potentially vulnerable component.
Describe the solution you'd like
The text was updated successfully, but these errors were encountered: