Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Blogpost Discussion: Intermediate VEX #1080

Closed
lumjjb opened this issue Mar 1, 2023 · 4 comments
Closed

Blogpost Discussion: Intermediate VEX #1080

lumjjb opened this issue Mar 1, 2023 · 4 comments
Labels
stale The issue or PR is stale and pending automated closure

Comments

@lumjjb
Copy link
Contributor

lumjjb commented Mar 1, 2023
edited by another-rex
Loading

This issue is a place for discussion for the blog post on Intermediate VEX (https://osv.dev/blog/posts/automating-and-scaling-vex-generation/) on the osv.dev blog.
@hayleycd hayleycd mentioned this issue Mar 3, 2023
Merged
andrewpollock pushed a commit that referenced this issue Mar 6, 2023
@hayleycd
Upcoming VEX post (#1088)
ea00fb9 
Forum for discussion: #1080 

Author: @lumjjb
@fridex
Copy link

fridex commented Mar 7, 2023

AFAIK, Chainguard is also putting some effort into VEX - maybe it would worth a sync (if not done already) so the industry could consolidate. CC @dlorenc @puerco

The approach looks interesting, it might open a question how reliable and trusted the proposed intermediate VEX files will be. I could imagine the proposed intermediate VEX files helping creating trust in the industry. If a community/company reviews VEX files then they could sign it and create a public record about the review.

@fridex
Copy link

fridex commented Mar 7, 2023
edited
Loading 

$ cat .vex  
libfoo, CVE-2022-123456, NOT_AFFECTED, inline_mitigations_already_exist  
libbar, CVE-2022-654321, NOT_AFFECTED, vulnerable_code_not_in_execute_path

A link to the security analysis done might be valuable here (eg. a GitHub issue) - if others want to review VEX, they can see how the security analysis was done together with additional reasoning.

EDIT: Also, assuming that all the repos adopt .vex is somehow an ideal state. Some projects might not be open to maintain VEX information (lack of security knowledge, not familiar with the approach, unmaintained, ...). It might be worth to offer a way to include VEX information also for transitive deps for such cases.

@lumjjb
Copy link
Contributor Author

lumjjb commented Mar 7, 2023

Hey @fridex ! Thanks for the heads up! Yep - we are in sync and have a hand in OpenVEX maintenance! This motivation was a bit more on thinking through the automation and distribution once we have a VEX document standard :).

A link to the security analysis done might be valuable here (eg. a GitHub issue) - if others want to review VEX, they can see how the security analysis was done together with additional reasoning.

+1 on this, that would be helpful!

Also, assuming that all the repos adopt .vex is somehow an ideal state. Some projects might not be open to maintain VEX information (lack of security knowledge, not familiar with the approach, unmaintained, ...). It might be worth to offer a way to include VEX information also for transitive deps for such cases.

Yep! i'd also imagine that there would be some kind of policy as well to reconcile, like if there are two vex statements with conflicting affected statuses, the user would be able to pick which one they trust more.

@github-actions GitHub Actions
Copy link

This issue has not had any activity for 60 days and will be automatically closed in two weeks

@github-actions github-actions bot added the stale The issue or PR is stale and pending automated closure label Jul 25, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
stale The issue or PR is stale and pending automated closure
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@oliverchang @fridex @lumjjb