Notifications of new VEX

[johnandersen777]

Are there any docs on how it is envisioned downstreams can be notified of new VEX? Hoping we can see this eventing integrated into transparency log infra federation to enable automated evaluation on new vulns via recursive application of policy and context local transparency services (see ID security threats WG notes in linked SCITT PR).

• Acceptance of claims to a Transparency Service where payload data references or contains VEX, VSA, SBOM, S2C2F alignment attestations, etc. has the side effect of enabling a consistent pattern for notification of new vulnerability (OpenSSF Stream 8) and other Software Supply Chain Security data.
• References
  • https://www.w3.org/TR/activitypub/
    • https://linkedresearch.org/ldn/
  • https://ariadne.space/2022/12/03/building-fair-webs-of-trust-by-leveraging-the-ocap-model/
    • Ariadne mentioned a "Rapunzel" protocol/stack based on ActivityStream that might be most appropriate for this? Curious to hear more on that front.
  • Use Case: Attestations of alignment to S2C2F and org overlays ietf-scitt/use-cases#18
    • Simple decoupled file based policy engine scitt-community/scitt-api-emulator#27
    • Federation via ActivityPub scitt-community/scitt-api-emulator#37
  • Refine Definition of Feed ietf-wg-scitt/draft-ietf-scitt-architecture#11 (comment)

[puerco]

Hey @pdxjohnny, We don't have any at the moment, this week we started discussing some of the discovery/delivery means for OpenVEX data in the community call. It is not yet online on the OpenSSF youtube channel but be sure to check it out when it's uploaded (community meeting of Jun 12th).

We are working on the tooling to publish OpenVEX data through repositories and OCI registries, but I'm sure the SIG would love to hear more ideas, please feel free to join and share your thoughts.

[johnandersen777]

Awesome!! I appreciate you letting me know. Glad to hear others are going with OCI registries as well. https://oras.land tooling has been helpful.

[johnandersen777]

Above linked PR mentions claims with payload as VEX for reference to in SCITT and leveraging federation to receive events of new VEX ^

From @charliehart
https://mailarchive.ietf.org/arch/msg/scitt/aNCUl-1aRR5NXxajGHzfk4j6ak8/

The VEX document(s) are good candidates for SCITT especially for two key reasons:

1. There is no restriction on who can generate one (same for SBOM BTW) and it is essential to understand whether the issuer is trustworthy and/or any kind of source of authority.
2. A VEX, unlike an SBOM, can be issued at any time and in fact multiple VEXes and CSAFs will be the norm rather than exception.

But to facilitate this, there has to be a way to connect related VEXes and CSAFs (including with any applicable SBOMs, software attestations, and other similar data.

OpenVEX’s JSON-LD definition might be helpful for those connections.