Some users may be experiencing issues when trying to access customer resources like the Case Portal or the Product Licensing Center. Our team is aware of the issue and is working to resolve it. Click here for more information.

This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Providing Vulnerability Exclusion Data for the CycloneDX VEX Report in SBOM Insights

Providing Vulnerability Exclusion Data for the CycloneDX VEX Report in SBOM Insights

Introduction

SBOM Insights reports are generated for a given "bucket", which contains the SBOM parts used by the specific application or entity that the bucket represents.

The CycloneDX VDR (Vulnerability Disclosure Report) provides data about all the security vulnerabilities associated with the SBOM parts in a bucket. However, the CycloneDX VEX (Vulnerability Exploitability eXchange) report provides data for only vulnerability exclusions in a given bucket—that is, vulnerabilities that are associated with SBOM parts but, after your analysis, do not pose a security threat to your application. The details provided for each exclusion in this report justify why the vulnerability does not have the potential for exploitation within the context that the SBOM part associated with the vulnerability is used in your application.

Currently, the CycloneDX VEX report is blank unless you manually provide information for the exclusions. This process requires that you enter VEX details for each vulnerability exclusion associated with a given SBOM part in the Notes field for that part, as described in the following procedure.

When a VEX report is generated, SBOM Insights searches for VEX properties in the Notes field across SBOM parts in the selected bucket. For each exclusion encountered, a vulnerability section is added to the report, showing, among other information, an analysis subsection that lists the VEX details that you provided to explain the exclusion as it relates to a specific part. (See Excerpt from an Example CycloneDX VEX Report for an excerpt from an example VEX report.)

Instructions

Use the following procedure to create (or update) the contents to be included for a given SBOM part in the CycloneDX VEX report.

To provide the contents for the CycloneDX VEX report for a given SBOM part:

  1. Click Manage SBOM Parts in the left navigation panel to open the Manage SBOM Parts page. The SBOM of parts across all buckets in your Organization is displayed in a list grid.

    VEXreportData_start.png
  2. In the Bucket field, select the bucket containing the SBOM part associated with a security vulnerability whose analysis findings you want to include in the VEX report.

    The list is filtered to this bucket.

    VEXreportData_selectBucket.png
  3. Locate the SBOM part that you want to edit, and click anywhere within a non-linked portion of its row. A slideout (with the SBOM part name as its title) opens, showing details for the part.

    VEXreportData_selectPart.png
  4. Click Edit at the bottom of the slideout. A new slideout entitled Edit <SBOM part> opens, enabling you to update properties that define the current SBOM part.

    VEXreportData_editPart.png
  5. Scroll down to the Notes field.

    VEXreportData_Notes.png
  6. In the Notes field, enter the set of required VEX properties in JSON format for each excluded vulnerability, as shown in the following example (which defines two exclusions). For a description of the property keywords (state, justification, response, and detail) and their valid values, refer to the vulnerabilities - analysis section in CycloneDX JSON Reference on the CycloneDX site. (You should use valid VEX values for these properties, not custom values.)
    NOTE: If you provide JSON content to define exclusion data, do not enter any other content in the Notes field. Should additional content exist in the field when the VEX report is generated, no exclusion data for the given SBOM part is published in the report.
    {
    "Excluded Vulnerabilities": [
        {
            "name": "CVE-2021-9096",
            "state": "not_affected",
            "justification": "code_not_reachable",
            "response": "will_not_fix",
            "detail" : "This code is not executed"
        },
        {
            "name": "CVE-2021-34538",
            "state": "not_affected",
            "justification": "code_not_reachable",
            "response": "will_not_fix",
            "detail": "This code is not executed"
        }       
    ]
}​
  7. Click Save.

    When a VEX report is generated, SBOM Insights validates that the keywords for the required VEX properties for each exclusion are spelled correctly (as shown in the example) and that the overall content is in correct JSON format.

    Currently, SBOM Insights does not validate the values for the VEX properties, but you should use valid values (as plans are in place to implement this validation in a future SBOM Insights release). Additionally, if the vulnerability entered for the name property is not associated with the given SBOM part, the data for that exclusion is not included in the report.

Excerpt from an Example CycloneDX VEX Report

The following shows an excerpt from an example CycloneDX VEX report whose contents were created using the procedure above. The analysis section is highlighted for one of the excluded vulnerabilities.

VEXreport.png

More Information

For more information about SBOM Insights reports and SBOM parts, refer to the following sections in the SBOM Insights online user documentation:

Labels (1)
Labels:
Was this article helpful? Yes No
0 Kudos
No ratings
Version history
Last update:
‎Jun 21, 2023 02:37 PM
Updated by:
Technical Writer
Contributors