OpenVEX Spec Adds Clarity to Supply Chain Vulnerability Warnings

Chainguard on Tuesday published a draft OpenVEX specification to help software vendors and maintainers communicate precise metadata about the vulnerability status of products directly to end users.

The Chainguard specification is an implementation of the NTIA’s VEX (Vulnerability Exploitability eXchange) concept that aims to provide additional information on whether a product is impacted by a specific vulnerability in an included component and, if affected, whether there are actions recommended to remediate.

In an interview with SecurityWeek, Chainguard chief executive Dan Lorenc said OpenVEX is designed to meet the minimum requirements defined by the U.S. government’s CISA cybersecurity agency and will help reduce false-positives and improve the quality of SBOMs (software bill of material).

Lorenc said OpenVEX, which was designed in collaboration with CISA’s VEX working group, will allow software suppliers to communicate precise, actionable metadata to improve the signal to noise ratio and add important context to vulnerability warnings.

OpenVEX makes it easy for software producers to accurately describe their artifacts’ exploitability [and] makes it easier for software consumers to filter out false positives from vulnerability scanners. This means security professionals spend more time investigating worthwhile security concerns, and less time wading through erroneous findings,” Chainguard said in a note announcing the draft specification.

“OpenVEX encodes learnings of false positives and enables consumers to prioritize vulnerability reports much more effectively,” the company added.

Chainguard’s Lorenc said OpenVEX is complementary to SBOMs and is the first format to meet the VEX Minimum Requirements.  To prove functionality end-to-end, the company has also put OpenVEX into production in its Wolfi Linux distro and its own Chainguard Images product.

The spec, designed with support from Google, HPE, VMWare, and the Linux Foundation, is being positioned as an important piece of the industry wide push to improve the security of software supply chains.  

“As an end-user responsible for implementing solutions that secure our software supply chain, I often look to community efforts that show collaborative support because I know they can be trusted to deliver the best outcomes. OpenVEX is one of those projects that gives me hope we are getting to a better place both for vulnerability management but also solving some of the biggest challenges facing the production of quality SBOMs,” said Tim Pletcher,  a research engineer at Hewlett Packard Enterprise.

Related: Chainguard Trains Spotlight on SBOM Quality Problem

Related: Big Tech Vendors Object to US Gov SBOM Mandate

Related: New ‘Wolfi’ Linux Distro Focuses on Software Supply Chain Security

Related: Chainguard Bags Massive $50M Series A for Supply Chain Security