Skip to main content

VEX generator and consumer library

Project description

Lib4VEX

Lib4VEX is a library to parse and generate VEX documents. It supports VEX documents created in the OpenVEX, CycloneDX or CSAF specifications.

It has been developed on the assumption that having a generic abstraction of vulnerability regardless of the underlying format will be useful to developers.

The following facilities are provided:

  • Generate OpenVEX, CycloneDX and CSAF VEX documents in JSON format
  • Parse CycloneDX SBOM in JSON format and extract vulnerability information
  • Parse OpenVEX and CSAF documents to extract vulnerability information
  • Generated VEX document can be output to a file or to the console

Installation

To install use the following command:

pip install lib4vex

Alternatively, just clone the repo and install dependencies using the following command:

pip install -U -r requirements.txt

The tool requires Python 3 (3.8+). It is recommended to use a virtual python environment especially if you are using different versions of python. virtualenv is a tool for setting up virtual python environments which allows you to have all the dependencies for the tool set up in a single environment, or have different environments set up for testing using different versions of Python.

API

Metadata

Product

Vulnerability

Debug

Creating the environment variable LIB4VEX_DEBUG will result in some additional information being reported when a VEX document is being generated.

Examples

A number of example scripts are included in the examples subdirectory. Examples are provided for CSAF, CycloneDX and OpenVEX scenarios.

Tutorial

A tutorial showing a lifecycle of vulnerabilities is available. Whilst the tutorial uses CSAF as the VEX document, equivalent steps can be performed for producing a VEX document using CycloneDX or OpenVEX.

Implementation Notes

The following design decisions have been made in creating and processing VEX files:

  1. VEXes should be produced with reference to an SBOM so that only vulnerabilities for components included in the SBOM are included in the VEX document.

  2. The VEX document contains all reported vulnerabilities and the respective status. The latest VEX is indicated by the latest timestamp. The previous VEX documents are retained for audit purposes.

  3. The VEX document is intended to be used for a single product.

Future Development

  1. Add support for SPDX Security profile when released as part of the SPDX 3.0 release.

License

Licensed under the Apache 2.0 Licence.

Limitations

This library is meant to support software development. The usefulness of the library is dependent on the data which is provided. Unfortunately, the library is unable to determine the validity or completeness of such a VEX file; users of the library and the resulting VEX file are therefore reminded that they should assert the quality of any data which is provided to the library.

Feedback and Contributions

Bugs and feature requests can be made via GitHub Issues.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distributions

No source distribution files available for this release.See tutorial on generating distribution archives.

Built Distribution

lib4vex-0.1.0-py2.py3-none-any.whl (18.6 kB view details)

Uploaded Python 2 Python 3

File details

Details for the file lib4vex-0.1.0-py2.py3-none-any.whl.

File metadata

  • Download URL: lib4vex-0.1.0-py2.py3-none-any.whl
  • Upload date:
  • Size: 18.6 kB
  • Tags: Python 2, Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.1 CPython/3.10.8

File hashes

Hashes for lib4vex-0.1.0-py2.py3-none-any.whl
Algorithm Hash digest
SHA256 dd044a297cf3c32264ffb9c473b0acf03f7077d43ea2f8dff8d94a714c452081
MD5 e987db5fefcdc7973e3a5f504c563c62
BLAKE2b-256 ab2d1e56d89e220b268a899dffcbb6086f42cbf71a29cfd5e098bf611619f2db

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page