Watching Puerco demonstrate working VEX in action #osseu. Woot woot! #openvex
"SBOM alone may not encode enough detail to separate non-exploitable vulnerabilities from exploitable ones," writes Surendra Pathak in our latest guest blog on #VDR, #VEX, #OpenVEX and #CSAF https://openssf.org/blog/2023/09/07/vdr-vex-openvex-and-csaf/
At the heart of the CVE process and the matching done with the NVD database is the name of the manufacturer and the artefact: the software, system, library or mobile application. For this to work, it's vital that the name in the #SBOM is correct so the match succeeds. The community has developed #PURL (package URL) to improve this, but so far the CVE/NVD ecosystem has not adopted PURL.
This needs to be fixed to make sure that the name in the SBOM matches the right set of vulnerabilities.
#SBOM #securesupplychain #CycloneDX #OpenVEX #VEX #OpenSource
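A small illustration of the identifier-matching point made in the post above, added here as an example and not taken from any of the posts: a constructed OpenVEX v0.2.0 document whose products are identified by PURL is applied to constructed scanner findings. The CVE ids, package PURLs and document id are made up; a finding only inherits a VEX status when both the vulnerability name and the PURL match exactly, which is why the identifier in the SBOM has to be right.

```python
import json

# Constructed OpenVEX 0.2.0 document (placeholder CVE ids, made-up PURLs and @id).
VEX_DOC = json.loads("""
{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.com/vex/constructed-001",
  "author": "Constructed Example Vendor",
  "timestamp": "2023-09-07T00:00:00Z",
  "version": 1,
  "statements": [
    {"vulnerability": {"name": "CVE-0000-0001"},
     "products": [{"@id": "pkg:npm/example-lib@1.2.3"}],
     "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": {"name": "CVE-0000-0002"},
     "products": [{"@id": "pkg:golang/example.com/example-mod@0.9.0"}],
     "status": "affected",
     "action_statement": "Upgrade to 0.9.1"}
  ]
}
""")

# Constructed scanner findings, each keyed on the SBOM component's PURL.
FINDINGS = [
    {"vuln": "CVE-0000-0001", "purl": "pkg:npm/example-lib@1.2.3"},
    {"vuln": "CVE-0000-0002", "purl": "pkg:golang/example.com/example-mod@0.9.0"},
    # Same package, but the SBOM spelled the identifier differently: no match.
    {"vuln": "CVE-0000-0001", "purl": "pkg:npm/example-lib@1.2.3?arch=x64"},
]

def index_vex(doc):
    """Map (vulnerability name, product PURL) -> statement; exact match on both keys."""
    idx = {}
    for st in doc["statements"]:
        for prod in st["products"]:
            idx[(st["vulnerability"]["name"], prod["@id"])] = st
    return idx

def apply_vex(findings, doc):
    """Attach the VEX status to each finding; findings no statement covers are 'unmatched'."""
    idx = index_vex(doc)
    out = []
    for f in findings:
        st = idx.get((f["vuln"], f["purl"]))
        out.append({**f, "status": st["status"] if st else "unmatched",
                    "justification": st.get("justification") if st else None})
    return out

def needs_triage(findings, doc):
    """Findings a VEX consumer must still act on: anything not not_affected or fixed."""
    return [f for f in apply_vex(findings, doc) if f["status"] not in ("not_affected", "fixed")]
```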
☝️ I remember @lorenc_dan made a presentation in one of the meetings of the @openssf Vulnerability Disclosures WG about #OpenVEX https://twitter.com/lorenc_dan/status/1634526797076258816?s=20
This is the second talk in which you can learn more about #OpenVEX, a new open standard for #VEX, by @cloudnativeboy on his YouTube channel today 🎤
https://www.youtube.com/watch?v=b05kn_N6uIs
💃🤸 Have you ever wanted to learn more about #VEX, #openvex and #SBOM? Here is the perfect opportunity for you! @lorenc_dan made a presentation about all of them in the @theopenssf meeting 🏅
• More info on openvex at http://openvex.dev!
• Invite details here:
https://t.co/A5jxKcwuvf
• Here is the recording of that meeting 👇
➡️ https://t.co/eZm3XFXU1j
I published a .NET library for #OpenVEX!
NuGet: https://www.nuget.org/packages/OpenVEX/
GitHub: https://github.com/JamieMagee/openvex.net
Playing with #ActivityPub as a way to do notifications for new #VEX, and hoping to piggyback decentralized CD over that as a comms channel. Very rough draft here (RFCv5): https://github.com/ietf-scitt/use-cases/blob/3f10017af4cebb7d07e541c299ef277d43fb9c0d/openssf_metrics.md#use-case-attestations-of-alignment-to-s2c2f-and-org-overlays
#OpenVEX #Fediverse #supplychain #security
Comments appreciated!
https://github.com/intel/dffml/discussions/1406?sort=new#discussioncomment-4863663