This is the release of the OpenVEX Specification v0.2.0.
This release introduces the first major revision of the OpenVEX specification. It introduces breaking changes to the OpenVEX document, specifically expanding the product and vulnerability fields to make them richer and easier to expand in the future.
The introduced changes were discussed and approved by the OpenVEX community in the following enhancement proposals:
This release of the spec and its corresponding tooling updates address the following open issues:
- Ability to refer back to an SBOM? #28
- PURL matching with qualifiers #27
- VEX schema/spec version should be a field in the metadata #20
- More explicit expectations for package identifiers #16
- Modify Spec to Require Artifact Digest in PURL #10
- Allow for vulnerability to be a list #12
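The following is an added example, not part of this release note or the OpenVEX project's own tooling, showing what the expanded v0.2.0 product and vulnerability objects look like and how a consumer can look up a statement by PURL (qualifiers included), by artifact digest, and by vulnerability alias. The document, the package, the CVE/GHSA identifiers and the digest are all constructed sample values, and the exact-string PURL comparison is this example's own simplification.

```python
import json
from typing import Optional

# Constructed sample digest (not a real artifact hash).
SAMPLE_SHA256 = "c0ffee" * 10 + "c0ff"

# Constructed OpenVEX v0.2.0 document: "version" is a metadata field, the
# vulnerability is an object with a name and aliases, and each product is an
# object carrying identifiers and hashes instead of a bare string.
SAMPLE_DOC = json.loads("""
{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.invalid/vex/sample-1",
  "author": "Example Security Team",
  "timestamp": "2024-01-01T00:00:00Z",
  "version": 1,
  "statements": [
    {
      "vulnerability": {"name": "CVE-2024-0001", "aliases": ["GHSA-xxxx-yyyy-zzzz"]},
      "products": [
        {
          "@id": "pkg:apk/wolfi/example@1.2.3-r0?arch=x86_64",
          "identifiers": {"purl": "pkg:apk/wolfi/example@1.2.3-r0?arch=x86_64"},
          "hashes": {"sha-256": "%s"}
        }
      ],
      "status": "not_affected",
      "justification": "vulnerable_code_not_present"
    }
  ]
}
""" % SAMPLE_SHA256)


def product_matches(product: dict, purl: str, sha256: Optional[str] = None) -> bool:
    """Match a v0.2.0 product object on its PURL (qualifiers and all) and, when a
    digest is supplied, also on its sha-256 hash so a rebuilt artifact with the
    same PURL but different contents does not inherit the statement."""
    purls = {product.get("@id"), product.get("identifiers", {}).get("purl")}
    if purl not in purls:
        return False
    return sha256 is None or product.get("hashes", {}).get("sha-256") == sha256


def vuln_matches(vuln: dict, vuln_id: str) -> bool:
    """The vulnerability object can be addressed by its name or any alias."""
    return vuln_id == vuln.get("name") or vuln_id in vuln.get("aliases", [])


def status_for(doc: dict, purl: str, vuln_id: str, sha256: Optional[str] = None) -> Optional[str]:
    """Return the VEX status for (product, vulnerability), or None if no statement applies."""
    if doc.get("@context") != "https://openvex.dev/ns/v0.2.0":
        raise ValueError("expected an OpenVEX v0.2.0 document")
    for stmt in doc["statements"]:
        if vuln_matches(stmt["vulnerability"], vuln_id) and any(
            product_matches(p, purl, sha256) for p in stmt["products"]
        ):
            return stmt["status"]
    return None
```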
This is our best release yet 🚀 Thanks to everybody who supplied the feedback and ideas that went into the specification, especially to @camaleon2016 @cpanato @garethr @itaysk @jspeed-meyers @knqyf263 @luhring @lumjjb @mjnagel @rnjudge @SecurityCRob @taladrane @tpletcher-hpe @tschmidtb51 @wagoodman @zmanion