The other day @gregkh and I shot down a draft proposal to add a new role in the CVE ecosystem (SADP: "supplier ADP") that would append data to CVEs with details about dependencies and how they are or are not vulnerable to each particular CVE.

Imagine the number of dependencies that use curl or the Linux kernel etc. These sweet innocent proposal makers thought in terms of 5-10 dependencies per CVE. Not tens or hundreds of thousands, which is far from unthinkable.

@bagder @gregkh isn’t this what VEX is meant for?
@jacques @gregkh possibly sure, but that's not info inserted into the CVE records like this proposal does.

@bagder @gregkh got it. Sounds like someone is trying to create the Universal Asset Graph by accident rather than on purpose.

(Relevant self-post: https://theoryof.predictable.software/articles/some-requirements-for-a-universal-asset-graph/ )

@jacques @gregkh yeah, I think some of us realized that, which also made us immediately realize the scale it would have to support to work - and how that alone would make the proposal not work.

@bagder @jacques @gregkh

Do you think the opposite can be done? e.g. push on downstream software to declare (through VEX or otherwise) whether or not they're vulnerable to something upstream?

@mlieberman @jacques @gregkh we as producers of CVEs for a component cannot tell which users are vulnerable, nor how severe their problems are if they are vulnerable.

@bagder @jacques @gregkh

Of course. Upstream has no way of knowing how downstream is using their tools/libraries. Do you think though that there should be a bigger push on downstream consumers to declare how they might/might not be vulnerable to a CVE?

I think of things like the Takata airbag recall from years ago. Manufacturers had to declare they were using the airbags.
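As an added example (not from any poster in this thread), this is what a downstream "declaration" of the kind @mlieberman describes looks like when expressed in OpenVEX: the consumer, not the upstream CVE record, states whether its product is affected and why. The field names and the status/justification vocabularies follow the OpenVEX specification; the author, document id, package URL and CVE number are constructed placeholders.

```python
"""Build and sanity-check a minimal OpenVEX document for a downstream product.

Added example. Field names and the status/justification vocabularies follow the
OpenVEX spec (https://github.com/openvex/spec); author, ids and the CVE number
below are constructed placeholders, not real records.
"""
import json
from datetime import datetime, timezone

OPENVEX_CONTEXT = "https://openvex.dev/ns/v0.2.0"

# Status values and not_affected justifications defined by the OpenVEX spec.
STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}


def make_statement(cve_id, product_purl, status, justification=None, impact=None):
    """Return one VEX statement.

    The spec requires a not_affected statement to carry either a machine-readable
    justification or a free-text impact_statement; refuse to emit one without.
    """
    if status not in STATUSES:
        raise ValueError(f"unknown VEX status: {status}")
    if justification is not None and justification not in JUSTIFICATIONS:
        raise ValueError(f"unknown justification: {justification}")
    if status == "not_affected" and justification is None and not impact:
        raise ValueError("not_affected requires a justification or impact_statement")
    stmt = {
        "vulnerability": {"name": cve_id},
        "products": [{"@id": product_purl}],
        "status": status,
    }
    if justification:
        stmt["justification"] = justification
    if impact:
        stmt["impact_statement"] = impact
    return stmt


def make_document(author, doc_id, statements, timestamp=None):
    """Wrap statements in the OpenVEX document envelope."""
    ts = timestamp or datetime.now(timezone.utc).replace(microsecond=0).isoformat()
    return {
        "@context": OPENVEX_CONTEXT,
        "@id": doc_id,
        "author": author,
        "timestamp": ts,
        "version": 1,
        "statements": statements,
    }


def products_not_affected(doc, cve_id):
    """Consumer-side query: which products does this document clear for a CVE?"""
    return [
        p["@id"]
        for s in doc["statements"]
        if s["vulnerability"]["name"] == cve_id and s["status"] == "not_affected"
        for p in s["products"]
    ]


# Constructed sample: a downstream app declaring it is not affected by a
# placeholder CVE in one of its dependencies because the vulnerable code is
# never reached in its configuration.
EXAMPLE_DOC = make_document(
    author="Example Downstream Vendor (placeholder)",
    doc_id="https://example.invalid/vex/placeholder-0001",
    statements=[
        make_statement(
            "CVE-0000-00000",  # placeholder, not a real CVE id
            "pkg:generic/example-downstream-app@1.2.3",
            "not_affected",
            justification="vulnerable_code_not_in_execute_path",
        )
    ],
    timestamp="2024-01-01T00:00:00+00:00",
)

if __name__ == "__main__":
    print(json.dumps(EXAMPLE_DOC, indent=2))
```

The point of the shape is the one made in the thread: the declaration is keyed on the consumer's own product id, so the per-CVE fan-out lives in each downstream's VEX documents rather than being appended to the upstream CVE record.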