Check vulnerabilities against a SBOM and create VEX document

[anthonyharrison]

Please describe your feature request:

Add a SBOM containing a list of components and report the identified vulnerabilities are relevant to the SBOM. If so, optionally create a VEX document in one of the standard formats (CycloneDX (easiest), other options are CSAF, OpenVEX, SPDX)

Describe the use case of this feature:

Scanning SBOMs for vulnerabilities is #1 use case for SBOMs. Triaging and reporting vulnerabilities in a machine readable format (i.e. VEX) is a growing need.

[jjhwan-h]

Hi, I’m interested in this feature request and would like to contribute to implementing it.
Is there already any design discussion or direction on how SBOM + VEX support should be integrated into cvemap?

For example, assuming an SBOM is already provided (e.g., bom.json),
a possible workflow could look like:

cvemap scan --sbom bom.json --output vex.json --format cyclonedx-vex