Lib4VEX is a library to parse and generate VEX documents. It supports VEX documents created in the OpenVEX, CycloneDX or CSAF specifications.
It has been developed on the assumption that having a generic abstraction of vulnerability regardless of the underlying format will be useful to developers.
The following facilities are provided:
To install use the following command:
pip install lib4vex
Alternatively, just clone the repo and install dependencies using the following command:
pip install -U -r requirements.txt
The tool requires Python 3 (3.8+). It is recommended to use a virtual Python environment, especially if you are using different versions of Python. virtualenv is a tool for setting up virtual Python environments which allows you to have all the dependencies for the tool set up in a single environment, or to have different environments set up for testing with different versions of Python.
Creating the environment variable LIB4VEX_DEBUG will result in some additional information being reported when a VEX document is being generated.
A number of example scripts are included in the examples subdirectory. Examples are provided for CSAF, CycloneDX and OpenVEX scenarios.
A tutorial showing a lifecycle of vulnerabilities is available. Whilst the tutorial uses CSAF as the VEX document, equivalent steps can be performed for producing a VEX document using CycloneDX or OpenVEX.
The following design decisions have been made in creating and processing VEX files:
VEXes should be produced with reference to an SBOM so that only vulnerabilities for components included in the SBOM are included in the VEX document.
The VEX document contains all reported vulnerabilities and the respective status. The latest VEX is indicated by the latest timestamp. The previous VEX documents are retained for audit purposes.
The VEX document is intended to be used for a single product.
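The design decisions above (filter findings against the SBOM, record every vulnerability with its status, identify the current VEX by its timestamp) can be illustrated without the library itself. The following is an added example written for this page; it is not lib4vex's API and uses only the Python standard library to emit an OpenVEX-shaped document. The SBOM component list, the scanner findings, the CVE identifiers and the document ids are all constructed placeholders.

```python
"""Added example (not lib4vex code): build an OpenVEX document from an SBOM
plus scanner findings, dropping anything not in the SBOM, and pick the
latest VEX among several by timestamp."""
import json
from datetime import datetime, timezone

# OpenVEX status vocabulary; a not_affected statement must carry a justification.
VALID_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}

# Constructed sample SBOM: package URLs of the product's components (placeholders).
SBOM_COMPONENTS = {
    "pkg:pypi/example-web@1.2.0",
    "pkg:pypi/example-crypto@3.0.1",
}

# Constructed findings from a hypothetical scanner; CVE ids are placeholders.
FINDINGS = [
    {"cve": "CVE-0000-00001", "purl": "pkg:pypi/example-web@1.2.0",
     "status": "affected"},
    {"cve": "CVE-0000-00002", "purl": "pkg:pypi/example-crypto@3.0.1",
     "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path"},
    # Component is not in the SBOM: dropped, per the first design decision.
    {"cve": "CVE-0000-00003", "purl": "pkg:pypi/not-in-sbom@9.9.9",
     "status": "affected"},
    # Unknown status value: rejected instead of being written to the VEX.
    {"cve": "CVE-0000-00004", "purl": "pkg:pypi/example-web@1.2.0",
     "status": "maybe"},
]


def build_openvex(findings, sbom, author, doc_id, timestamp):
    """Return (openvex_document, rejected) where rejected lists (cve, reason)
    for findings that were not written, so nothing is silently lost."""
    statements, rejected = [], []
    for f in findings:
        if f["purl"] not in sbom:
            rejected.append((f["cve"], "component not in SBOM"))
            continue
        if f["status"] not in VALID_STATUSES:
            rejected.append((f["cve"], "unknown status"))
            continue
        if f["status"] == "not_affected" and not f.get("justification"):
            rejected.append((f["cve"], "not_affected requires a justification"))
            continue
        stmt = {
            "vulnerability": {"name": f["cve"]},
            "products": [{"@id": f["purl"]}],
            "status": f["status"],
        }
        if "justification" in f:
            stmt["justification"] = f["justification"]
        statements.append(stmt)
    doc = {
        "@context": "https://openvex.dev/ns/v0.2.0",
        "@id": doc_id,                      # placeholder document id
        "author": author,
        "timestamp": timestamp.isoformat(),  # tz-aware ISO 8601 string
        "version": 1,
        "statements": statements,
    }
    return doc, rejected


def latest_vex(documents):
    """The current VEX is the one with the latest timestamp; older ones are
    kept by the caller for audit, not deleted here."""
    return max(documents, key=lambda d: datetime.fromisoformat(d["timestamp"]))


if __name__ == "__main__":
    first, dropped = build_openvex(
        FINDINGS, SBOM_COMPONENTS, "Example Org (placeholder)",
        "https://example.invalid/vex/1", datetime(2024, 1, 1, tzinfo=timezone.utc))
    second, _ = build_openvex(
        FINDINGS, SBOM_COMPONENTS, "Example Org (placeholder)",
        "https://example.invalid/vex/2", datetime(2024, 2, 1, tzinfo=timezone.utc))
    print(json.dumps(first, indent=2))
    print("rejected:", dropped)
    print("current VEX:", latest_vex([first, second])["@id"])
```

Running it prints a two-statement OpenVEX document, the two rejected findings with their reasons, and the id of the later document. Keeping the rejection list visible is the point: a VEX that quietly omits a finding would pass validation while misrepresenting the product's status.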
Licensed under the Apache 2.0 Licence.
This library is meant to support software development. The usefulness of the library is dependent on the data which is provided. Unfortunately, the library is unable to determine the validity or completeness of such a VEX file; users of the library and the resulting VEX file are therefore reminded that they should assert the quality of any data which is provided to the library.
Bugs and feature requests can be made via GitHub Issues.
VEX generator and consumer library
We found that lib4vex demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.