{"id":16768,"date":"2023-01-31T15:32:26","date_gmt":"2023-01-31T14:32:26","guid":{"rendered":"https:\/\/www.show.it\/openvex-spec-adds-clarity-to-supply-chain-vulnerability-warnings\/"},"modified":"2023-01-31T15:32:26","modified_gmt":"2023-01-31T14:32:26","slug":"openvex-spec-adds-clarity-to-supply-chain-vulnerability-warnings","status":"publish","type":"post","link":"https:\/\/www.show.it\/en\/openvex-spec-adds-clarity-to-supply-chain-vulnerability-warnings\/","title":{"rendered":"OpenVEX Spec Adds Clarity to Supply Chain Vulnerability Warnings"},"content":{"rendered":"

Chainguard on Tuesday published a draft OpenVEX specification to help software vendors and maintainers communicate precise metadata about the vulnerability status of products directly to end users.<\/strong><\/p>\n

The Chainguard specification is an implementation of the NTIA\u2019s VEX (Vulnerability Exploitability eXchange) concept that aims to provide additional information on whether a product is impacted by a specific vulnerability in an included component and, if affected, whether there are actions recommended to remediate.<\/p>\n

In an interview with SecurityWeek<\/em>, Chainguard chief executive Dan Lorenc said OpenVEX is designed to meet the minimum requirements defined by the U.S. government\u2019s CISA cybersecurity agency and will help reduce false-positives and improve the quality of SBOMs (software bill of material).<\/p>\n

Lorenc said OpenVEX<\/a>, which was designed in collaboration with CISA\u2019s VEX working group, will allow software suppliers to communicate precise, actionable metadata to improve the signal to noise ratio and add important context to vulnerability warnings.<\/p>\n

OpenVEX makes it easy for software producers to accurately describe their artifacts\u2019 exploitability [and] makes it easier for software consumers to filter out false positives from vulnerability scanners. This means security professionals spend more time investigating worthwhile security concerns, and less time wading through erroneous findings,\u201d Chainguard said in a note announcing the draft specification.<\/p>\n

\u201cOpenVEX encodes learnings of false positives and enables consumers to prioritize vulnerability reports much more effectively,\u201d the company added.<\/p>\n

Chainguard\u2019s Lorenc said OpenVEX is complementary to SBOMs and is the first format to meet the VEX Minimum Requirements.\u00a0 To prove functionality end-to-end, the company has also put OpenVEX into production in its Wolfi Linux distro<\/a> and its own Chainguard Images product.<\/p>\n

The spec, designed with support from Google, HPE, VMWare, and the Linux Foundation, is being positioned as an important piece of the industry wide push to improve the security of software supply chains.\u00a0\u00a0<\/p>\n

\u201cAs an end-user responsible for implementing solutions that secure our software supply chain, I often look to community efforts that show collaborative support because I know they can be trusted to deliver the best outcomes. OpenVEX is one of those projects that gives me hope we are getting to a better place both for vulnerability management but also solving some of the biggest challenges facing the production of quality SBOMs,\u201d said Tim Pletcher,\u00a0 a research engineer at Hewlett Packard Enterprise.<\/p>\n

Related:<\/strong> Chainguard Trains Spotlight on SBOM Quality Problem<\/a><\/p>\n

Related:<\/strong> Big Tech Vendors Object to US Gov SBOM Mandate<\/a><\/p>\n

Related:<\/strong> New \u2018Wolfi\u2019 Linux Distro Focuses on Software Supply Chain Security<\/a><\/p>\n

Related:<\/strong> Chainguard Bags Massive $50M Series A for Supply Chain Security<\/a><\/p>\n

The post OpenVEX Spec Adds Clarity to Supply Chain Vulnerability Warnings<\/a> appeared first on SecurityWeek<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"

Chainguard on Tuesday published a draft OpenVEX specification to help software vendors and maintainers communicate precise metadata about the vulnerability status of products directly to end users. The Chainguard specification is an implementation of the NTIA\u2019s VEX (Vulnerability Exploitability eXchange) concept that aims to provide additional information on whether a product is impacted by a […]<\/p>\n","protected":false},"author":2,"featured_media":16769,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[134,69,135,136,133],"tags":[],"class_list":["post-16768","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cisa","category-featured","category-openvex","category-sbom","category-supply-chain-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/posts\/16768","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/comments?post=16768"}],"version-history":[{"count":0,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/posts\/16768\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/media\/16769"}],"wp:attachment":[{"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/media?parent=16768"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/categories?post=16768"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/tags?post=16768"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}