🌟 OpenSSF Project Spotlight: #OpenVEX

Adolfo Veytia walks us through how OpenVEX helps developers clearly communicate which vulnerabilities actually impact their software - and which don’t.

https://youtu.be/dGOiWFNKKpM?si=SJIpCxmHStRvT4Ml

OpenVEX Explained: Minimal, Interoperable VEX for Real-World Use | OpenSSF Project Spotlight (YouTube)

False positives from RHEL EUS? Not anymore.

Anchore 5.22 detects EUS content automatically for accurate vulnerability reports.

Learn what's new → https://anchore.com/blog/anchore-enterprise-5-22/

#OpenVex #PURL #SoftwareSupplyChain #VulnerabilityManagement

You can't patch every CVE—but you can explain every one.

Anchore 5.22 brings VEX annotations + OpenVEX export to make vulnerability data contextual and credible.

https://anchore.com/blog/anchore-enterprise-5-22/

#OpenVex #PURL #SoftwareSupplyChain #VulnerabilityManagement

GitHub - anchore/grype: A vulnerability scanner for container images and filesystems

Watching Puerco demonstrate working VEX in action #osseu. Woot woot! #openvex

I'm about to present how to generate #OpenVEX data from an #SBOM, the hard and the easy way, at #OSSummit. There will be fast cars, car crashes and lots of bad stock photos!

Come and have fun with me and @wolfi at 3:55 pm, room 0C.

"SBOM alone may not encode enough detail to separate non-exploitable vulnerabilities from exploitable ones," writes Surendra Pathak in our latest guest blog on #VDR, #VEX, #OpenVEX and #CSAF https://openssf.org/blog/2023/09/07/vdr-vex-openvex-and-csaf/

VDR, VEX, OpenVEX and CSAF - Open Source Security Foundation

Early adopters of SBOM have proposed new standards as well as updates to existing standards to specify the status of each vulnerability alongside the SBOM itself. In this context, existing practices such as VDR, CSAF, and emerging standards VEX and OpenVEX are playing a key role.

At the heart of the CVE process and the matching done with the NVD database is the name of the manufacturer and the artefact - the software, system, library or mobile application. It's vital for this to work that the name in the #SBOM is correct to make the match work. The community has developed #PURL - package URL - to improve this, but so far the CVE/NVD ecosystem has not adopted PURL.

This needs to be fixed to make sure that the name in the SBOM matches the right set of vulnerabilities.

#SBOM #securesupplychain #CycloneDX #OpenVEX #VEX #OpenSource

☝️ I remember @lorenc_dan made a presentation in one of the meetings of the @openssf Vulnerability Disclosures WG about #OpenVEX https://twitter.com/lorenc_dan/status/1634526797076258816?s=20

This is the second talk in which you can learn more about #OpenVEX, a new open standard for #VEX, by @cloudnativeboy on his YouTube channel today 🎤
https://www.youtube.com/watch?v=b05kn_N6uIs

Dan Lorenc on Twitter

“The recording from my presentation on OpenVEX at @theopenssf is now available! https://t.co/eZm3XFXU1j”

💃🤸 Have you ever wanted to learn more about #VEX, #openvex and #SBOM? Here is the perfect opportunity for you! @lorenc_dan made a presentation about all of them in the @theopenssf meeting 🏅
• More info on openvex at http://openvex.dev!
• Invite details here:
https://t.co/A5jxKcwuvf
• Here is the recording of that meeting👇
➡️ https://t.co/eZm3XFXU1j
GitHub - openvex/spec: OpenVEX Specification