Part of python/cpython#112302
Is your feature request related to a problem? Please describe.
CPython and its artifacts contain many dependencies which can have vulnerabilities. In the interest of not causing mass-confusion from SBOM consumers about the status of the vulnerabilities in dependencies (especially when those vulnerabilities aren't exploitable, like is usually the case for CPython's usage of OpenSSL) it is useful to provide a systematic and automatic mechanism to quell SBOM consumers questions on a potentially vulnerable component.
Describe the solution you'd like
- VEX document(s) which are capable of referencing dependencies inside of CPython SBOMs and making determinations about affectedness of vulnerabilities.
- Need to evaluate VEX formats (OpenVEX and CycloneDX are my current candidates)
- Referenceable location (via HTTPS) so that CPython SBOMs can reference the document(s)
- Easy way to update the VEX documents via GitHub PR process. Should be easy to contribute so core developers can do so when needed.
Part of python/cpython#112302
Is your feature request related to a problem? Please describe.
CPython and its artifacts contain many dependencies which can have vulnerabilities. In the interest of not causing mass-confusion from SBOM consumers about the status of the vulnerabilities in dependencies (especially when those vulnerabilities aren't exploitable, like is usually the case for CPython's usage of OpenSSL) it is useful to provide a systematic and automatic mechanism to quell SBOM consumers questions on a potentially vulnerable component.
Describe the solution you'd like