Some question about VEX for library

[sbernard31]

I understand that VEX is good for Image or Container or Software but does it also work for library ?

Imagine that :

• I'm maintainer of library A
• A depends of B
• B is affected by a vulnerability V
• A doesn't use B in a way A is affected.

If someone else have a C project which depends on A (and so indirectly on B)
Is it possible to create a VEX to avoid him to be alerted because of V ?

This sounds a good idea. In this other hand that means that user should take lot of care about if its dependencies is direct or not ?
I mean in java/maven world it happens that some one depends on A but will also use B API without adding B as direct dependencies.
And so in that case VEX could hide the issue 🤔

Please let me know if I misunderstood something 🙏

[knqyf263]

Yes, Trivy supports that. I think this is what you're looking for.
https://aquasecurity.github.io/trivy/v0.56/docs/supply-chain/vex/file/#applying-vex-to-dependency-trees

[sbernard31]

@knqyf263 Thx a lot 🙏 !

So this is very important to try to explicitly declare all direct dependencies right ?

In case above, imagine that the C project owner depends to A (direct dependencies).
This will automatically add B to its project (e.g. this will add it to the classpath in java)
If he uses A API (it's OK as A use B but is not affected by V)
BUT if he also uses B API maybe it is concern by V but this will be hidden by the VEX ?

Right ?

[knqyf263]

Yes, that's correct. If project C implicitly uses B, applying VEX will be problematic as the dependency graph cannot be created accurately.

[sbernard31]

VEX (Vulnerability eXploitability Exchange) is an emerging industry standard for communicating the relevance and impact of security vulnerabilities on software artifacts. This approach allows software maintainers to indicate when a specific vulnerability in a software dependency is irrelevant to their software due to the specific use case of that dependency. By conveying this crucial information to scanning tools via VEX, the accuracy of scan results is improved, leading to more actionable vulnerability reports for end users.

OK, so I guess IF VEX is the right direction to manage more efficiently vulnerabilities.
THEN It should come with tooling which checks that there is no indirect dependencies usage, like maybe depcheck-maven-plugin (I didn't test it I just quickly do web research for this kind of tooling for maven)

@knqyf263 thx a lot for your answers 🙏