feat(tool): Add VEX file validation tool #5144

Open. Wants to merge 8 commits into base: main.

Conversation

JigyasuRajput (Contributor) commented Jun 13, 2025

Add VEX File Validation Tool with Status Transition Validation and lib4vex Integration

Overview

This PR implements a comprehensive VEX (Vulnerability Exploitability Exchange) file validation tool that addresses the need for robust VEX file validation and editing support as outlined in the GSoC 2025 project requirements.

Key Features Implemented

Multi-format VEX Validation

  • CycloneDX: Leverages lib4sbom validator (v0.8.6+) for schema validation (recommended by @anthonyharrison)
  • CSAF: JSON schema validation with format-specific requirements
  • OpenVEX: JSON schema validation with semantic checks

Status Transition Validation

  • Detects invalid status transitions (e.g., marking a CVE as "not_affected" without proper justification)
  • Validates that CycloneDX "not_affected" states include analysis.detail field
  • Validates that OpenVEX "not_affected" statements include action_statement field
  • Prevents common VEX authoring mistakes that could lead to incorrect vulnerability assessments

lib4vex Integration for Actionable Fixes

  • Integrates lib4vex parser for advanced vulnerability analysis
  • Provides specific, actionable error messages with exact syntax suggestions
  • Examples: "Add missing timestamp field: 'timestamp': '2024-01-01T00:00:00'"
  • Suggests missing author information and metadata improvements

Architectural Improvements

  • lib4sbom Integration: Updated dependency from v0.7.2 to v0.8.6+ to access validation functionality
  • Consistent Validation: CycloneDX VEX validation now uses the same proven validation logic as SBOM validation
  • Future-proof: Automatically benefits from lib4sbom validation improvements

CLI Usage

# Validate a VEX file
cve-bin-tool vex-validate --vex-file-to-validate my-vex-file.json

# Alternative syntax
cve-bin-tool my-vex-file.json vex-validate

# Offline validation (no schema downloads)
cve-bin-tool vex-validate --vex-file-to-validate my-vex-file.json --offline
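The status checks the description lists, as an added worked example for this thread (my code, not the PR's and not cve-bin-tool's): a cheap format sniff, a semantic pass over CycloneDX and OpenVEX documents that runs after schema validation, and a concrete suggested fix attached to each finding. The field rules encoded are my reading of the CycloneDX `analysis` object and of the OpenVEX statement fields (a `not_affected` statement needs a `justification` or an `impact_statement`, an `affected` statement needs an `action_statement`); the sample documents and their CVE IDs are constructed placeholders, and `detect_format`, `validate_semantics` and the finding dict shape are names chosen here, not the tool's.

```python
"""Semantic VEX checks layered on top of schema validation.

Added example for this thread, not code from the PR or cve-bin-tool.
Rules encoded (my reading of the specs, not the PR's implementation):
  * CycloneDX: a vulnerability whose analysis.state is "not_affected"
    should carry analysis.justification and a free-text analysis.detail.
  * OpenVEX: a "not_affected" statement needs a justification or an
    impact_statement; an "affected" statement needs an action_statement.
"""
import json
import sys

# Constructed samples with placeholder CVE IDs (not real advisories).
CYCLONEDX_VEX = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "vulnerabilities": [
        {"id": "CVE-2024-0001",
         "analysis": {"state": "not_affected",
                      "justification": "code_not_reachable",
                      "detail": "The vulnerable function is never invoked."}},
        {"id": "CVE-2024-0002",
         "analysis": {"state": "not_affected"}},   # missing both fields
        {"id": "CVE-2024-0003",
         "analysis": {"state": "in_triage"}},
    ],
}

OPENVEX = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.com/vex/constructed-1",
    "author": "Constructed Author",
    "timestamp": "2024-01-01T00:00:00Z",
    "version": 1,
    "statements": [
        {"vulnerability": {"name": "CVE-2024-0004"},
         "products": [{"@id": "pkg:pypi/example@1.0.0"}],
         "status": "not_affected",
         "justification": "vulnerable_code_not_in_execute_path"},
        {"vulnerability": {"name": "CVE-2024-0005"},
         "products": [{"@id": "pkg:pypi/example@1.0.0"}],
         "status": "not_affected"},                 # no justification
        {"vulnerability": {"name": "CVE-2024-0006"},
         "products": [{"@id": "pkg:pypi/example@1.0.0"}],
         "status": "affected"},                     # no action_statement
    ],
}


def detect_format(doc):
    """Cheap format sniff; a real tool would confirm with schema validation."""
    if doc.get("bomFormat") == "CycloneDX":
        return "cyclonedx"
    if "openvex.dev" in str(doc.get("@context", "")) or "statements" in doc:
        return "openvex"
    if isinstance(doc.get("document"), dict) and "csaf_version" in doc["document"]:
        return "csaf"
    return "unknown"


def _finding(ident, missing, fix):
    return {"id": ident, "missing": missing, "fix": fix}


def check_cyclonedx_vex(doc):
    """Flag not_affected analyses that lack a justification or a detail."""
    findings = []
    for vuln in doc.get("vulnerabilities", []):
        vid = vuln.get("id", "<no id>")
        analysis = vuln.get("analysis") or {}
        if analysis.get("state") != "not_affected":
            continue
        if not analysis.get("justification"):
            findings.append(_finding(vid, "analysis.justification",
                'add "justification": "code_not_reachable" (or another enum value)'))
        if not analysis.get("detail"):
            findings.append(_finding(vid, "analysis.detail",
                'add "detail": "<why the product is not affected>"'))
    return findings


def check_openvex(doc):
    """Flag not_affected statements without justification/impact_statement
    and affected statements without an action_statement."""
    findings = []
    for stmt in doc.get("statements", []):
        name = (stmt.get("vulnerability") or {}).get("name", "<no name>")
        status = stmt.get("status")
        if status == "not_affected" and not (
                stmt.get("justification") or stmt.get("impact_statement")):
            findings.append(_finding(name, "justification or impact_statement",
                'add "justification": "vulnerable_code_not_in_execute_path"'))
        if status == "affected" and not stmt.get("action_statement"):
            findings.append(_finding(name, "action_statement",
                'add "action_statement": "<what consumers should do>"'))
    return findings


def validate_semantics(doc):
    """Dispatch on format; returns (format, findings)."""
    fmt = detect_format(doc)
    if fmt == "cyclonedx":
        return fmt, check_cyclonedx_vex(doc)
    if fmt == "openvex":
        return fmt, check_openvex(doc)
    return fmt, []   # CSAF rules are not encoded in this example


if __name__ == "__main__":
    with open(sys.argv[1], encoding="utf-8") as fh:
        fmt, findings = validate_semantics(json.load(fh))
    print(f"format: {fmt}")
    for f in findings:
        print(f"{f['id']}: missing {f['missing']}; {f['fix']}")
    sys.exit(1 if findings else 0)
```

Run it as `python vex_semantics.py my-vex-file.json`; it exits non-zero when any finding is emitted, so it can sit in CI beside the schema check. It does not replace schema validation: a document that fails the schema should be rejected before these checks run, otherwise missing-key lookups here would mask the real error.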

anthonyharrison (Contributor) left a comment

For CycloneDX there is already a JSON schema which can be used to validate the format. Rather than writing your own checks, it would be better to use the Standard schema (see here).

The same also applies for CSAF, see here.

OpenVEX schema: see here.

This should result in much less code!!!

JigyasuRajput (Contributor, Author) replied:

> For CycloneDX there is already a JSON schema which can be used to validate the format. Rather than writing your own checks, it would be better to use the Standard schema (see here).
>
> The same also applies for CSAF, see here.
>
> OpenVEX schema: see here.
>
> This should result in much less code!!!

Thanks for the feedback, I'll apply the changes!!

JigyasuRajput (Contributor, Author) commented:

This PR is not ready for review yet... It still needs more cleanup!
Thanks!

JigyasuRajput (Contributor, Author) commented:

Hey!
I've almost completed the implementation of the vex validate tool; I'll come back after some time when the CI checks have completed. I've added the standard JSON schemas to the code (which made the PR big) to improve performance and so it can work offline as well.
Thanks!
cc @anthonyharrison @terriko

anthonyharrison (Contributor) left a comment

The CycloneDX schemas need to support the different versions of the CycloneDX standard. Need to include schemas for 1.5 and 1.6 as well. Schema validation will then need to validate against each version until it either validates or you have exhausted all the schemas.
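The version loop described in the comment above, as an added example (my code, not the PR's). `check_subset` is a deliberately tiny JSON Schema subset validator and `stand_in_schema` produces stand-in schemas that differ only in the pinned `specVersion`; the real tool would load the bom-1.4, bom-1.5 and bom-1.6 schema files and call the `jsonschema` package instead. `validate_any_version` is the part that matters: it tries the document's declared version first (so its errors are the ones a user most likely wants), then the remaining versions newest-first, and reports which schema matched together with the errors from every schema that did not. The sample documents and CVE ID are constructed placeholders.

```python
"""Validate a CycloneDX document against several spec versions in turn.

Added example for this thread, not code from the PR or cve-bin-tool.
The schemas below are tiny STAND-INS that pin specVersion with "const";
a real implementation loads bom-1.x.schema.json and uses jsonschema.
"""

_TYPES = {"object": dict, "array": list, "string": str,
          "integer": int, "boolean": bool}


def check_subset(instance, schema, path="$"):
    """Minimal JSON Schema subset: type, const, enum, required, properties, items.
    Returns a list of error strings (empty when the instance validates)."""
    t = schema.get("type")
    if t and not isinstance(instance, _TYPES[t]):
        return [f"{path}: expected {t}, got {type(instance).__name__}"]
    if "const" in schema and instance != schema["const"]:
        return [f"{path}: expected {schema['const']!r}, got {instance!r}"]
    if "enum" in schema and instance not in schema["enum"]:
        return [f"{path}: {instance!r} not one of {schema['enum']}"]
    errors = []
    if t == "object":
        for key in schema.get("required", []):
            if key not in instance:
                errors.append(f"{path}.{key}: required property missing")
        for key, sub in schema.get("properties", {}).items():
            if key in instance:
                errors.extend(check_subset(instance[key], sub, f"{path}.{key}"))
    elif t == "array":
        for i, item in enumerate(instance):
            errors.extend(check_subset(item, schema.get("items", {}), f"{path}[{i}]"))
    return errors


# analysis.state values from the CycloneDX vulnerability schema.
ANALYSIS_STATES = ["resolved", "resolved_with_pedigree", "exploitable",
                   "in_triage", "false_positive", "not_affected"]


def stand_in_schema(version):
    """Stand-in for bom-<version>.schema.json; only specVersion differs."""
    return {
        "type": "object",
        "required": ["bomFormat", "specVersion"],
        "properties": {
            "bomFormat": {"type": "string", "const": "CycloneDX"},
            "specVersion": {"type": "string", "const": version},
            "vulnerabilities": {"type": "array", "items": {
                "type": "object", "required": ["id"],
                "properties": {
                    "id": {"type": "string"},
                    "analysis": {"type": "object", "properties": {
                        "state": {"type": "string", "enum": ANALYSIS_STATES}}}}}},
        },
    }


SCHEMAS = {v: stand_in_schema(v) for v in ("1.4", "1.5", "1.6")}


def validate_any_version(doc, schemas=SCHEMAS):
    """Return (matching_version, errors_by_version).

    Declared specVersion first, then the rest newest-first. String sort is
    fine for these single-digit minors; parse versions for anything wider.
    """
    order = sorted(schemas, reverse=True)
    declared = doc.get("specVersion")
    if declared in schemas:
        order.remove(declared)
        order.insert(0, declared)
    errors_by_version = {}
    for version in order:
        errors = check_subset(doc, schemas[version])
        if not errors:
            return version, errors_by_version
        errors_by_version[version] = errors
    return None, errors_by_version


# Constructed samples (placeholder CVE ID, not a real advisory).
GOOD_16 = {"bomFormat": "CycloneDX", "specVersion": "1.6",
           "vulnerabilities": [{"id": "CVE-2024-0001",
                                "analysis": {"state": "not_affected"}}]}
BAD_STATE = {"bomFormat": "CycloneDX", "specVersion": "1.5",
             "vulnerabilities": [{"id": "CVE-2024-0001",
                                  "analysis": {"state": "safe"}}]}

if __name__ == "__main__":
    for name, doc in (("GOOD_16", GOOD_16), ("BAD_STATE", BAD_STATE)):
        version, errs = validate_any_version(doc)
        print(name, "->", version or "no schema matched")
        for v, lines in errs.items():
            print(f"  {v}: {lines}")
```

Keeping the per-version error lists (rather than only the last one) matters for the "actionable error" goal: when nothing matches, the errors from the declared version are the ones worth showing, while the other versions mostly fail on the `specVersion` pin and would only add noise.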

@mastersans self-requested a review on July 25, 2025 17:28
@JigyasuRajput force-pushed the feat/vex-validate-cli branch from b1cc9c6 to bc361f6 (August 16, 2025 09:44)
@JigyasuRajput force-pushed the feat/vex-validate-cli branch from fc7ecc0 to f5619a0 (August 16, 2025 09:53)
@JigyasuRajput force-pushed the feat/vex-validate-cli branch from 5e8acf3 to f873cb3 (August 17, 2025 05:30)