Description
Info on vex https://cyclonedx.org/capabilities/vex/
I was thinking that a lot of companies find CVEs in the Node.js distribution that do not actually apply to Node.js:
There is a long list of them in https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues but recently I came across the NPM one on Node v20.
Since we have a list of valid vulns https://github.com/nodejs/security-wg/tree/main/vuln it would be trivial to generate a VEX file, and whenever we get a report of a CVE in the Node.js dependencies that we don't think is valid we can just include it in the VEX file, so we avoid getting requested about it, and companies are happy because they are compliant.
Whenever we do a security release we have to update the VEX file; this can be done with an automation.
@nodejs/security-wg wdyt?
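As an added illustration of the proposal above (example code, not from the issue or from the security-wg repo), this builds a minimal CycloneDX VEX document that records dependency CVEs judged not to apply to the Node.js distribution, rejects analysis values outside the schema enums so the automation fails loudly, and answers "is this reported CVE already covered?". Field and enum names follow the CycloneDX 1.5 JSON schema; the CVE ids, purl and detail strings are constructed placeholders.

```python
import uuid

# Allowed values for vulnerabilities[].analysis in the CycloneDX 1.5 schema.
STATES = {"resolved", "resolved_with_pedigree", "exploitable",
          "in_triage", "false_positive", "not_affected"}
JUSTIFICATIONS = {"code_not_present", "code_not_reachable", "requires_configuration",
                  "requires_dependency", "requires_environment", "protected_by_compiler",
                  "protected_at_runtime", "protected_at_perimeter",
                  "protected_by_mitigating_control"}


def build_vex(product_ref, assessments):
    """assessments: list of (cve_id, state, justification, detail).
    Returns a CycloneDX VEX document (dict); invalid enum values raise ValueError."""
    vulns = []
    for cve_id, state, justification, detail in assessments:
        if state not in STATES:
            raise ValueError(f"{cve_id}: bad analysis state {state!r}")
        analysis = {"state": state, "detail": detail}
        if state == "not_affected":  # a justification is what downstream auditors check
            if justification not in JUSTIFICATIONS:
                raise ValueError(f"{cve_id}: bad justification {justification!r}")
            analysis["justification"] = justification
        vulns.append({"id": cve_id,
                      "source": {"name": "NVD",
                                 "url": f"https://nvd.nist.gov/vuln/detail/{cve_id}"},
                      "analysis": analysis,
                      "affects": [{"ref": product_ref}]})
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "serialNumber": f"urn:uuid:{uuid.uuid4()}",
            "metadata": {"component": {"type": "application", "name": "node",
                                       "bom-ref": product_ref}},
            "vulnerabilities": vulns}


def lookup(vex, cve_id):
    """Recorded analysis state for cve_id, or None when the VEX file is
    silent about it (meaning the report still needs triage)."""
    for v in vex["vulnerabilities"]:
        if v["id"] == cve_id:
            return v["analysis"]["state"]
    return None


# Constructed sample entries; the CVE ids and purl are placeholders, not real reports.
SAMPLE = [
    ("CVE-0000-00001", "not_affected", "code_not_reachable",
     "Affected code path is not exercised by the npm bundled with Node.js."),
    ("CVE-0000-00002", "in_triage", None, "Report received, under review."),
]
VEX = build_vex("pkg:generic/node@20.0.0", SAMPLE)
```

Regenerating and committing the file from the vuln list on each security release is the automation step the issue describes; `lookup` is the check a triage bot would run against an incoming report.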