You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: OPENVEX-SPEC.md
+34-24Lines changed: 34 additions & 24 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,13 +1,11 @@
1
-
# OpenVEX Specification v0.0.0
1
+
# OpenVEX Specification v0.0.2
2
2
3
3
## Overview
4
4
5
5
OpenVEX is an implementation of Vulnerability Exploitability eXchange (VEX)
6
6
designed to be lightweight, and embeddable while meeting all requirements of
7
-
a valid VEX implementation as defined in the [Minimum Requirements for Vulnerability
8
-
Exploitability eXchange (VEX)](http://example.com) document published on XXX
9
-
by the VEX working group coordinated by the [Cybersecurity & Infrastructure
10
-
Security Agency](https://www.cisa.gov/) (CISA).
7
+
a valid VEX implementation as defined in the [Minimum Requirements for VEX] document published on April 2023 as defined by the VEX Working Group coordinated by the [Cybersecurity & Infrastructure Security
8
+
Agency](https://www.cisa.gov/) (CISA).
11
9
12
10
13
11
## The VEX Statement
@@ -132,7 +130,7 @@ Here is a sample of a minimal OpenVEX document:
@@ -153,14 +151,14 @@ The following table lists the fields in the document struct
153
151
154
152
| Field | Required | Description |
155
153
| --- | --- | --- |
156
-
|@context| ✓ | The URL linking to the OpenVEX context definition. Fixed to `https://openvex.dev/ns`. |
157
-
|@id| ✓ | The IRI identifying the VEX document. |
158
-
| author | ✓ | Author is the identifier for the author of the VEX statement. Ideally, a common name, may be a URI. `author`can be an individual or organization. The author identity SHOULD be cryptographically associated with the signature of the VEX statement or document or transport. |
159
-
| role |✓| role describes the role of the document author. |
154
+
|@context| ✓ | The URL linking to the OpenVEX context definition. Fixed to `https://openvex.dev/ns` before 1.0 is released. |
155
+
|@id| ✓ | The IRI identifying the VEX document. |
156
+
| author | ✓ | Author is the identifier for the author of the VEX statement. This field should ideally be a machine readable identifier such as an IRI, email address, etc. `author`MUST be an individual or organization. `author` identity SHOULD be cryptographically associated with the signature of the VEX document or other exchange mechanism. |
157
+
| role |✕| role describes the role of the document author. |
160
158
| timestamp | ✓ | Timestamp defines the time at which the document was issued. |
161
-
|version|✓|Version is the document version. It must be incremented when any content within the VEX document changes, including any VEX statements included within the VEX document. |
162
-
|tooling|✕|Tooling expresses how the VEX document and contained VEX statements were generated. It's optional. It may specify tools or automated processes used in the document or statement generation. |
163
-
|supplier| ✕ |An optional field specifying who is providing the VEX document. |
159
+
|last_updated|✕|Date of last modification to the document. |
160
+
|version|✓|Version is the document version. It must be incremented when any content within the VEX document changes, including any VEX statements included within the VEX document. |
161
+
|tooling| ✕ |Tooling expresses how the VEX document and contained VEX statements were generated. It may specify tools or automated processes used in the document or statement generation. |
164
162
165
163
### Statement
166
164
@@ -190,12 +188,16 @@ The following table lists the fields of the OpenVEX statement struct.
190
188
191
189
| Field | Required | Description |
192
190
| --- | --- | --- |
193
-
| vulnerability | ✓ | vulnerability SHOULD use existing and well known identifiers. For example: [CVE](https://cve.mitre.org/), [OSV](https://osv.dev/), (GHSA)[https://github.com/advisories], a supplier's vulnerability tracking system such as [RHSA](https://access.redhat.com/security/security-updates/#/) or a propietary system. It is expected that vulnerability identification systems are external to and maintained separately from VEX.<br>vulnerability MAY be URIs or URLs.<br>vulnerability MAY be arbitrary and MAY be created by the VEX statement `author`.
191
+
|@id| ✕ | Optional IRI identifying the statement to make it externally referenceable. |
192
+
| version | ✕ | Optional integer representing the statement's version number. Defaults to zero, required when incremented. |
193
+
| vulnerability | ✓ | Vulnerability SHOULD use existing and well known identifiers. For example: [CVE](https://cve.mitre.org/), [OSV](https://osv.dev/), [GHSA](https://github.com/advisories), a supplier's vulnerability tracking system such as [RHSA](https://access.redhat.com/security/security-updates/#/) or a propietary system. It is expected that vulnerability identification systems are external to and maintained separately from VEX.<br>`vulnerability` MAY be an IRI and MAY be arbitrary, created by the VEX document `author`. |
194
194
| vuln_description | ✕ | Optional free-form text describing the vulnerability |
195
195
| timestamp | ✕ | Timestamp is the time at which the information expressed in the Statement was known to be true. Cascades down from the document, see [Inheritance](#Inheritance). |
196
+
| last_updated | ✕ | Timestamp when the statement was last updated. |
196
197
| products | ✕ | Product identifiers that the statement applies to. Any software identifier can be used and SHOULD be traceable to a described item in an SBOM. The use of [Package URLs](https://github.com/package-url/purl-spec) (purls) is recommended. While a product identifier is required to have a complete statement, this field is optional as it can cascade down from the encapsulating document, see [Inheritance](#Inheritance). |
197
198
| subcomponents | ✕ | Identifiers of components where the vulnerability originates. While the statement asserts about the impact on the software product, listing `subcomponents` let scanners find identifiers to match their findings. |
198
-
| status | ✓ | A VEX statement MUST provide the status of the vulnerabilities with respect to the products and components listed in the statement. `status` MUST be one of the labels defined by VEX (see [Status](#Status-Labels)), some of which have further options and requirements. |
199
+
| status | ✓ | A VEX statement MUST provide the status of the vulnerabilities with respect to the products and components listed in the statement. `status` MUST be one of the labels defined by VEX (see [Status](#Status-Labels)), some of which have further options and requirements. |
200
+
| supplier | ✕ | Supplier of the product or subcomponent. |
199
201
| status_notes | ✕ | A statement MAY convey information about how `status` was determined and MAY reference other VEX information. |
200
202
| justification | ✓/✕ | For statements conveying a `not_affected` status, a VEX statement MUST include either a status justification or an impact_statement informing why the product is not affected by the vulnerability. Justifications are fixed labels defined by VEX. See [Status Justifications](#Status-Justifications) below for valid values. |
201
203
| impact_statement | ✓/✕ | For statements conveying a `not_affected` status, a VEX statement MUST include either a status justification or an impact_statement informing why the product is not affected by the vulnerability. An impact statement is a free form text containing a description of why the vulnerability cannot be exploited. This field is not intended to be machine readable so its use is highly discouraged for automated systems. |
@@ -253,7 +255,7 @@ why the vulnerability is not affected by reading the justification label
253
255
associated with the VEX statement. These labels are predefined and machine-readable
254
256
to enable automated uses such as deployment policies. The current label catalog
255
257
was defined by the VEX Working Group and published in the
256
-
[Status Justifications](status-doc) document on July 2022.
258
+
[Status Justifications] document on July 2022.
257
259
258
260
259
261
| Label | Description |
@@ -333,7 +335,7 @@ example, the sole statement has its timestamp data derived from the document:
333
335
"author": "Wolfi J Inkinson",
334
336
"role": "Document Creator",
335
337
"timestamp": "2023-01-08T18:02:03-06:00",
336
-
"version": "1",
338
+
"version": 1,
337
339
"statements": [
338
340
{
339
341
"vulnerability": "CVE-2023-12345",
@@ -358,7 +360,7 @@ to avoid duplication:
358
360
"author": "Wolfi J Inkinson",
359
361
"role": "Document Creator",
360
362
"timestamp": "2023-01-09T09:08:42-06:00",
361
-
"version": "1",
363
+
"version": 1,
362
364
"statements": [
363
365
{
364
366
"timestamp": "2023-01-08T18:02:03-06:00",
@@ -448,7 +450,7 @@ the project could issue an OpenVEX document as follows:
0 commit comments