intel
diff --git a/‎README.md
Lines changed: 17 additions & 0 deletions b/‎README.md
Lines changed: 17 additions & 0 deletions
diff --git a/‎cve_bin_tool/cli.py
Lines changed: 14 additions & 15 deletions b/‎cve_bin_tool/cli.py
Lines changed: 14 additions & 15 deletions
diff --git a/‎cve_bin_tool/vex_manager/validate.py
Lines changed: 216 additions & 22 deletions b/‎cve_bin_tool/vex_manager/validate.py
Lines changed: 216 additions & 22 deletions
@@ -47,6 +47,7 @@ For more details, see our [documentation](https://cve-bin-tool.readthedocs.io/en
     - [Scanning an SBOM file for known vulnerabilities](#scanning-an-sbom-file-for-known-vulnerabilities)
     - [Generating an SBOM](#generating-an-sbom)
     - [Generating a VEX](#generating-a-vex)
+    - [Validating VEX Files](#validating-vex-files)
     - [Triaging vulnerabilities](#triaging-vulnerabilities)
     - [Using the tool offline](#using-the-tool-offline)
     - [Using CVE Binary Tool in GitHub Actions](#using-cve-binary-tool-in-github-actions)
@@ -134,6 +135,22 @@ Valid VEX types are [CSAF](https://oasis-open.github.io/csaf-documentation/), [C
 
 The [VEX generation how-to guide](https://github.com/intel/cve-bin-tool/blob/main/doc/how_to_guides/vex_generation.md) provides additional VEX generation examples.
 
+### Validating VEX Files
+
+CVE Binary Tool includes a comprehensive VEX validation tool that ensures your VEX documents are correctly formatted and contain accurate vulnerability information:
+
+```bash
+cve-bin-tool vex-validate --vex-file-to-validate <vex_filename>
+```
+
+The validation tool supports all VEX formats (CycloneDX, CSAF, OpenVEX) and provides:
+- Schema compliance checking
+- Status transition validation
+- Missing field detection
+- Actionable error messages with specific fixes
+
+The [VEX validation how-to guide](https://github.com/intel/cve-bin-tool/blob/main/doc/how_to_guides/vex_validation.md) provides detailed validation examples and troubleshooting information.
+
 ### Triaging vulnerabilities
 
 The `--vex-file` option can be used to add extra triage data like remarks, comments etc. while scanning a directory so that output will reflect this triage data and you can save time of re-triaging (Usage: `cve-bin-tool --vex-file test.json /path/to/scan`).
 
@@ -79,7 +79,6 @@
 from cve_bin_tool.version import VERSION
 from cve_bin_tool.version_scanner import VersionScanner
 from cve_bin_tool.vex_manager.parse import VEXParse
-from cve_bin_tool.vex_manager.validate import validate_vex_file
 
 sys.excepthook = excepthook  # Always install excepthook for entrypoint module.
 
@@ -174,6 +173,14 @@ def main(argv=None):
         default="",
     )
 
+    # Add command argument before directory to ensure proper parsing order
+    parser.add_argument(
+        "command",
+        nargs="?",
+        choices=["vex-validate"],
+        help="Command to run: vex-validate to validate VEX files",
+    )
+
     input_group = parser.add_argument_group("Input")
     input_group.add_argument(
         "directory", help="directory to scan", nargs="?", default=""
@@ -575,18 +582,6 @@ def main(argv=None):
         default=False,
     )
 
-    parser.add_argument(
-        "command",
-        nargs="?",
-        choices=["vex-validate"],
-        help="Command to run: vex-validate to validate VEX files",
-    )
-
-    # Change directory to be optional when using commands
-    input_group.add_argument(
-        "directory", help="directory to scan", nargs="?", default=""
-    )
-
     with ErrorHandler(mode=ErrorMode.NoTrace):
         raw_args = parser.parse_args(argv[1:])
         args = {key: value for key, value in vars(raw_args).items() if value}
@@ -602,8 +597,12 @@ def main(argv=None):
         # Use directory as file path if vex_file_to_validate not provided
         vex_file_path = raw_args.vex_file_to_validate or raw_args.directory
 
-        # Import and run validation
-        exit_code = validate_vex_file(vex_file_path, offline=args.get("offline", False))
+        # Import and run validation locally to avoid scope issues
+        from cve_bin_tool.vex_manager.validate import validate_vex_file
+
+        exit_code = validate_vex_file(
+            vex_file_path, logger=None, offline=args.get("offline", False)
+        )
         return exit_code
 
     configs = {}
 
@@ -4,8 +4,8 @@
 """
 VEX Validation Module
 
-Provides functionality to validate VEX files for schema compliance using standard
-JSON schemas for CycloneDX, CSAF, and OpenVEX formats.
+Provides functionality to validate VEX files for schema compliance using
+lib4sbom for CycloneDX validation and standard JSON schemas for CSAF and OpenVEX formats.
 """
 
 import json
@@ -16,6 +16,8 @@
 
 import jsonschema
 from jsonschema import ValidationError as JsonSchemaValidationError
+from lib4sbom.validator import SBOMValidator
+from lib4vex.parser import VEXParser
 
 from cve_bin_tool.log import LOGGER
 
@@ -161,33 +163,67 @@ def validate_file(
         self.logger.info(f"Detected VEX format: {vex_type} (version: {version})")
 
         # Validate against appropriate schema
-        try:
-            schema = self._get_schema(vex_type, version)
-            if schema:  # Only validate if schema was successfully loaded
-                jsonschema.validate(instance=raw_data, schema=schema)
-                self.logger.info(f"VEX file passed {vex_type} schema validation")
-        except JsonSchemaValidationError as e:
-            # Convert jsonschema validation error to our format
-            path = ".".join(str(p) for p in e.path) if e.path else None
+        if vex_type == "cyclonedx":
+            # Use lib4sbom validator for CycloneDX VEX files
+            try:
+                sbom_validator = SBOMValidator()
+                validation_result = sbom_validator.validate_file(vex_file_path)
+
+                # Check validation result
+                cyclonedx_valid = validation_result.get("CycloneDX", False)
+                if not cyclonedx_valid:
+                    self.errors.append(
+                        ValidationError(
+                            "SCHEMA_ERROR",
+                            "CycloneDX schema validation failed. File does not comply with CycloneDX specification.",
+                        )
+                    )
+                else:
+                    self.logger.info(
+                        "VEX file passed CycloneDX schema validation using lib4sbom"
+                    )
 
-            self.errors.append(
-                ValidationError(
-                    "SCHEMA_ERROR",
-                    f"Schema validation error: {e.message}",
-                    field=path,
-                    location=str(e.schema_path) if e.schema_path else None,
+            except Exception as e:
+                self.errors.append(
+                    ValidationError(
+                        "VALIDATION_ERROR",
+                        f"Error during CycloneDX validation: {str(e)}",
+                    )
                 )
-            )
-        except Exception as e:
-            self.errors.append(
-                ValidationError(
-                    "VALIDATION_ERROR", f"Error during schema validation: {str(e)}"
+        else:
+            # Use traditional jsonschema validation for CSAF and OpenVEX
+            try:
+                schema = self._get_schema(vex_type, version)
+                if schema:  # Only validate if schema was successfully loaded
+                    jsonschema.validate(instance=raw_data, schema=schema)
+                    self.logger.info(f"VEX file passed {vex_type} schema validation")
+            except JsonSchemaValidationError as e:
+                # Convert jsonschema validation error to our format
+                path = ".".join(str(p) for p in e.path) if e.path else None
+
+                self.errors.append(
+                    ValidationError(
+                        "SCHEMA_ERROR",
+                        f"Schema validation error: {e.message}",
+                        field=path,
+                        location=str(e.schema_path) if e.schema_path else None,
+                    )
+                )
+            except Exception as e:
+                self.errors.append(
+                    ValidationError(
+                        "VALIDATION_ERROR", f"Error during schema validation: {str(e)}"
+                    )
                 )
-            )
 
         # Perform format-specific validations
         self._perform_format_specific_validation(raw_data, vex_type)
 
+        # Validate status transitions and provide actionable fixes using lib4vex
+        self._validate_status_transitions_and_suggest_fixes(
+            raw_data, vex_type, vex_file_path
+        )
+
         # Add warnings for empty sections
         self._check_for_empty_sections(raw_data, vex_type)
 
@@ -463,6 +499,164 @@ def _validate_csaf_vulnerability(self, vulnerability: Dict, index: int) -> None:
                 )
             )
 
+    def _validate_status_transitions_and_suggest_fixes(
+        self, raw_data: Dict, vex_type: str, vex_file_path: str
+    ) -> None:
+        """
+        Validate status transitions and provide actionable fixes using lib4vex.
+
+        Checks for invalid status transitions (e.g., marking a resolved CVE as not_affected
+        without justification) and uses lib4vex to suggest improvements.
+        """
+        # For CycloneDX, use basic validation since lib4sbom handles schema validation
+        if vex_type == "cyclonedx":
+            self._validate_status_transitions_basic(raw_data, vex_type)
+            self._suggest_actionable_fixes(raw_data, vex_type)
+            return
+
+        # For other formats, try lib4vex first, then fall back to basic validation
+        try:
+            # Use lib4vex parser to analyze the VEX file
+            vex_parser = VEXParser()
+            vex_parser.parse(vex_file_path)
+
+            # Get vulnerabilities from lib4vex parser
+            vulnerabilities = vex_parser.get_vulnerabilities()
+
+            for vuln in vulnerabilities:
+                self._validate_individual_vulnerability_status(vuln, vex_type)
+
+            # Check for missing required fields and suggest fixes
+            self._suggest_actionable_fixes(raw_data, vex_type)
+
+        except Exception as e:
+            self.logger.debug(f"lib4vex validation failed: {str(e)}")
+            # Fall back to basic validation if lib4vex fails
+            self._validate_status_transitions_basic(raw_data, vex_type)
+            self._suggest_actionable_fixes(raw_data, vex_type)
+
+    def _validate_individual_vulnerability_status(
+        self, vuln: Dict, vex_type: str
+    ) -> None:
+        """Validate individual vulnerability status transitions."""
+        status = vuln.get("status", "").lower()
+
+        # Check for invalid status transitions
+        if status == "not_affected":
+            # If status is not_affected, should have justification
+            justification = (
+                vuln.get("justification")
+                or vuln.get("detail")
+                or vuln.get("action_statement")
+            )
+            if not justification:
+                self.errors.append(
+                    ValidationError(
+                        "INVALID_STATUS_TRANSITION",
+                        "CVE marked as 'not_affected' without justification. Add justification field explaining why this vulnerability does not affect the product.",
+                        field="justification",
+                        location=f"vulnerability {vuln.get('id', 'unknown')}",
+                    )
+                )
+
+        elif status == "resolved" or status == "fixed":
+            # If status is resolved/fixed, should have timestamp and details
+            timestamp = vuln.get("updated") or vuln.get("timestamp")
+            if not timestamp:
+                self.warnings.append(
+                    ValidationError(
+                        "MISSING_TIMESTAMP",
+                        "Fixed/resolved vulnerability should have a timestamp indicating when it was resolved. Add timestamp field.",
+                        field="timestamp",
+                        location=f"vulnerability {vuln.get('id', 'unknown')}",
+                        severity="warning",
+                    )
+                )
+
+    def _validate_status_transitions_basic(self, raw_data: Dict, vex_type: str) -> None:
+        """Basic status transition validation when lib4vex is not available."""
+        if vex_type == "cyclonedx":
+            vulnerabilities = raw_data.get("vulnerabilities", [])
+            for i, vuln in enumerate(vulnerabilities):
+                analysis = vuln.get("analysis", {})
+                state = analysis.get("state", "").lower()
+
+                if state == "not_affected" and not analysis.get("detail"):
+                    self.errors.append(
+                        ValidationError(
+                            "INVALID_STATUS_TRANSITION",
+                            "CVE marked as 'not_affected' without justification in analysis.detail field.",
+                            field="analysis.detail",
+                            location=f"vulnerabilities[{i}]",
+                        )
+                    )
+
+        elif vex_type == "openvex":
+            statements = raw_data.get("statements", [])
+            for i, stmt in enumerate(statements):
+                status = stmt.get("status", "").lower()
+
+                if status == "not_affected" and not stmt.get("action_statement"):
+                    self.errors.append(
+                        ValidationError(
+                            "INVALID_STATUS_TRANSITION",
+                            "Statement marked as 'not_affected' without action_statement explaining why.",
+                            field="action_statement",
+                            location=f"statements[{i}]",
+                        )
+                    )
+
+    def _suggest_actionable_fixes(self, raw_data: Dict, vex_type: str) -> None:
+        """Suggest actionable fixes for common VEX file issues."""
+
+        # Check for missing timestamp in document metadata
+        if vex_type == "cyclonedx":
+            metadata = raw_data.get("metadata", {})
+            if not metadata.get("timestamp"):
+                self.warnings.append(
+                    ValidationError(
+                        "MISSING_FIELD",
+                        "Add missing timestamp field to metadata for better traceability: 'timestamp': '2024-01-01T00:00:00Z'",
+                        field="metadata.timestamp",
+                        severity="warning",
+                    )
+                )
+
+        elif vex_type == "openvex":
+            if not raw_data.get("timestamp"):
+                self.warnings.append(
+                    ValidationError(
+                        "MISSING_FIELD",
+                        "Add missing timestamp field: 'timestamp': '2024-01-01T00:00:00'",
+                        field="timestamp",
+                        severity="warning",
+                    )
+                )
+
+        # Check for missing author information
+        if vex_type == "cyclonedx":
+            metadata = raw_data.get("metadata", {})
+            if not metadata.get("authors") and not metadata.get("supplier"):
+                self.warnings.append(
+                    ValidationError(
+                        "MISSING_FIELD",
+                        "Add author information in metadata.authors or metadata.supplier for accountability",
+                        field="metadata.authors",
+                        severity="warning",
+                    )
+                )
+
+        elif vex_type == "openvex":
+            if not raw_data.get("author"):
+                self.warnings.append(
+                    ValidationError(
+                        "MISSING_FIELD",
+                        "Add missing author field: 'author': 'Your Organization'",
+                        field="author",
+                        severity="warning",
+                    )
+                )
+
     def _check_for_empty_sections(self, raw_data: Dict, vex_type: str) -> None:
         """Check for empty vulnerability/statement sections and add warnings."""
         if vex_type == "cyclonedx":