Add Vulnerability Exchange (VEX) statements for CPython SBOMs to reference

[sethmlarson]

Part of python/cpython#112302

Is your feature request related to a problem? Please describe.

CPython and its artifacts contain many dependencies which can have vulnerabilities. In the interest of not causing mass-confusion from SBOM consumers about the status of the vulnerabilities in dependencies (especially when those vulnerabilities aren't exploitable, like is usually the case for CPython's usage of OpenSSL) it is useful to provide a systematic and automatic mechanism to quell SBOM consumers questions on a potentially vulnerable component.

Describe the solution you'd like

• VEX document(s) which are capable of referencing dependencies inside of CPython SBOMs and making determinations about affectedness of vulnerabilities.
• Need to evaluate VEX formats (OpenVEX and CycloneDX are my current candidates)
• Referenceable location (via HTTPS) so that CPython SBOMs can reference the document(s)
• Easy way to update the VEX documents via GitHub PR process. Should be easy to contribute so core developers can do so when needed.

[surfaceowl]

Are there standards for, and tools for, mapping (or translation) all of these different VEX formats to each other?

A quick search on the brought me here https://openssf.org/blog/2023/09/07/vdr-vex-openvex-and-csaf/... where I noticed this text listing multiple standards ...CycloneDX VEX, OpenVEX, and SPDX3.0 or CSAF...?

Would that be helpful when dealing with a huge tree of dependencies?

I can imagine all of the existing standards will be used by at least one library depended on by python across all the various platforms, linux images, languages, etc... so the above question came to mind right away.

[sethmlarson]

@surfaceowl I'm not aware of any tooling that allows converting between the different formats, although I wouldn't be surprised if it exists.

We'll select our format based on some criteria like whether it works with existing tooling. I'm leaning towards OpenVEX currently since I've started using SPDX for CPython's SBOM, SBOM format agnostic, seems straightforward when compared to the others, and owned by the OpenSSF. This decision isn't set in stone, though, only evaluating from first impressions.