Implementing a triage process supporting all flavours of VEX

H.2213 | Day 2 | 14:30 - 15:00 | Speakers: Anthony Harrison

Abstract

As part of the Google Summer of Code 2024, cve-bin-tool (see https://github.com/intel/cve-bin-tool) upgraded its triage process to support the various flavours of VEX.

The triage process allows users of the tool to customise the reports they get by adding extra data on the vulnerabilities found, particularly any mitigations. This is often used for discarding false positives, or for cases where the reported vulnerability is not exploitable based on a risk assessment of the context in which the software is used.

Although cve-bin-tool has supported a basic triage process for several years, the GSoC project was able to introduce support for the four flavours of VEX documents (CSAF, CycloneDX, OpenVEX and SPDX) using the lib4vex library, which allows VEX documents in the different formats to be parsed and generated.
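To make the triage step described above concrete, here is an added example (written for this page; it is not code from cve-bin-tool or lib4vex) that applies one of the four flavours, an OpenVEX document, to a list of scanner findings. The findings, the OpenVEX document, the package URLs and the CVE identifiers are all constructed placeholders. Findings marked not_affected or fixed by a VEX statement are suppressed from the report; findings with no statement, or still under_investigation, are kept, and a not_affected statement without a justification is rejected so that a malformed triage file cannot silently hide results.

```python
"""Apply an OpenVEX triage document to scanner findings (illustrative only).

Added example for this page, not code from cve-bin-tool or lib4vex.
All data below is constructed: the package URLs and CVE ids are placeholders.
"""
import json

# Constructed sample findings, as a binary scanner might report them.
FINDINGS = [
    {"product": "pkg:generic/libfoo@1.2.3", "cve": "CVE-0000-00001", "severity": "HIGH"},
    {"product": "pkg:generic/libfoo@1.2.3", "cve": "CVE-0000-00002", "severity": "MEDIUM"},
    {"product": "pkg:generic/libbar@4.5.6", "cve": "CVE-0000-00003", "severity": "CRITICAL"},
]

# Constructed OpenVEX document recording the triage decisions (placeholder ids).
OPENVEX_DOC = """{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.invalid/vex/triage-001",
  "author": "Example Triage Team",
  "timestamp": "2024-08-01T12:00:00Z",
  "version": 1,
  "statements": [
    {
      "vulnerability": {"name": "CVE-0000-00001"},
      "products": [{"@id": "pkg:generic/libfoo@1.2.3"}],
      "status": "not_affected",
      "justification": "vulnerable_code_not_in_execute_path",
      "impact_statement": "The affected parser is compiled out in this build."
    },
    {
      "vulnerability": {"name": "CVE-0000-00002"},
      "products": [{"@id": "pkg:generic/libfoo@1.2.3"}],
      "status": "under_investigation"
    }
  ]
}"""

# The four status values defined by OpenVEX.
VALID_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}


def load_openvex_statements(doc_text):
    """Parse an OpenVEX document into a lookup keyed on (product id, CVE id).

    Unknown statuses and not_affected statements lacking a justification are
    rejected, so a malformed triage file cannot silently suppress findings.
    """
    doc = json.loads(doc_text)
    lookup = {}
    for stmt in doc.get("statements", []):
        status = stmt.get("status")
        if status not in VALID_STATUSES:
            raise ValueError(f"unknown VEX status: {status!r}")
        if status == "not_affected" and not stmt.get("justification"):
            raise ValueError("not_affected statement requires a justification")
        cve = stmt["vulnerability"]["name"]
        for product in stmt.get("products", []):
            lookup[(product["@id"], cve)] = stmt
    return lookup


def triage(findings, statements):
    """Annotate each finding with its VEX status and decide whether to report it.

    Only not_affected and fixed findings are suppressed; anything without a
    statement, or still under_investigation, stays in the report.
    """
    report = []
    for finding in findings:
        stmt = statements.get((finding["product"], finding["cve"]))
        status = stmt["status"] if stmt else "no_statement"
        entry = dict(finding, vex_status=status)
        if stmt:
            entry["justification"] = stmt.get("justification")
            entry["impact_statement"] = stmt.get("impact_statement")
        entry["reported"] = status not in {"not_affected", "fixed"}
        report.append(entry)
    return report


def reported_cves(findings=FINDINGS, doc_text=OPENVEX_DOC):
    """CVE ids that remain in the report after triage, in finding order."""
    statements = load_openvex_statements(doc_text)
    return [e["cve"] for e in triage(findings, statements) if e["reported"]]


if __name__ == "__main__":
    for entry in triage(FINDINGS, load_openvex_statements(OPENVEX_DOC)):
        flag = "REPORT" if entry["reported"] else "suppressed"
        print(f"{entry['cve']:<16} {entry['product']:<28} {entry['vex_status']:<20} {flag}")
```

The same lookup structure can be fed from the other flavours (CSAF, CycloneDX, SPDX) once their statements are normalised to a (product, vulnerability, status, justification) tuple, which is the role a library such as lib4vex plays; the example keeps the decision logic separate from the parsing for exactly that reason.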

This talk will describe the journey and some of the challenges which were encountered in producing the VEX support.

Speakers

Anthony Harrison
