#openvex — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #openvex, aggregated by home.social.
-
🌟 OpenSSF Project Spotlight: #OpenVEX
Adolfo Veytia walks us through how OpenVEX helps developers clearly communicate which vulnerabilities actually impact their software - and which don’t.
-
One Open-source Project Daily
A vulnerability scanner for container
https://github.com/anchore/grype
#1ospd #opensource #docker #golang #security #tool #containers #oci #vulnerability #vex #vulnerabilities #containerimage #cyclonedx #openvex -
One Open-source Project Daily
A vulnerability scanner for container
https://github.com/anchore/grype
#1ospd #opensource #docker #golang #security #tool #containers #oci #vulnerability #vex #vulnerabilities #containerimage #cyclonedx #openvex -
One Open-source Project Daily
A vulnerability scanner for container
https://github.com/anchore/grype
#1ospd #opensource #docker #golang #security #tool #containers #oci #vulnerability #vex #vulnerabilities #containerimage #cyclonedx #openvex -
One Open-source Project Daily
A vulnerability scanner for container
https://github.com/anchore/grype
#1ospd #opensource #docker #golang #security #tool #containers #oci #vulnerability #vex #vulnerabilities #containerimage #cyclonedx #openvex -
One Open-source Project Daily
A vulnerability scanner for container
https://github.com/anchore/grype
#1ospd #opensource #docker #golang #security #tool #containers #oci #vulnerability #vex #vulnerabilities #containerimage #cyclonedx #openvex -
SBOM alone may not encode enough detail to separate non-exploitable vulnerabilities from exploitable ones writes Surendra Pathak in our latest guest blog on #VDR, #VEX, #OpenVEX and #CSAF https://openssf.org/blog/2023/09/07/vdr-vex-openvex-and-csaf/
-
At the heart of the CVE process and the matching done with the NVD database is the name of the manufacturer and the artefact - the software, system, library or mobile application. It's vital for this to work that the name in the #SBOM is correct to make the match work. The community has developed #PURL - package URL - to improve but so far the CVE/NVD eco system has not adopted PURL.
This needs to be fixed to make sure that the name in the SBOM matches the right set of vulnerabilities.
#SBOM #securesupplychain #CycloneDX #OpenVEX #VEX #OpenSource
-
I published a .NET library for #OpenVEX!
NuGet: https://www.nuget.org/packages/OpenVEX/
GitHub: https://github.com/JamieMagee/openvex.net -
Playing with #ActivityPub as a way to do notifications for new #VEX, and hoping to piggyback decentralized CD over that as comms channel. Very rough draft here RFCv5: https://github.com/ietf-scitt/use-cases/blob/3f10017af4cebb7d07e541c299ef277d43fb9c0d/openssf_metrics.md#use-case-attestations-of-alignment-to-s2c2f-and-org-overlays
#OpenVEX #Fediverse #supplychain #security
Comments appreciated!
https://github.com/intel/dffml/discussions/1406?sort=new#discussioncomment-4863663