Skip to content

Add OpenVEX vulnerability triage#267

Merged
JE-Chen merged 1 commit into
devfrom
feat/openvex
Jun 20, 2026
Merged

Add OpenVEX vulnerability triage#267
JE-Chen merged 1 commit into
devfrom
feat/openvex

Conversation

@JE-Chen

@JE-Chen JE-Chen commented Jun 20, 2026

Copy link
Copy Markdown
Member

Summary

The OSV scanner (scan_components) surfaces every known CVE on every run, with no way to record "we checked, this one does not affect us" and drop it. OpenVEX is the standard triage signal for that. This authors OpenVEX 0.2.0 statements and applies them to the scanner's findings.

  • vex_statement(vuln_id, status, *, products, justification, impact_statement) — one validated statement. statusnot_affected/affected/fixed/under_investigation; not_affected requires a justification (from VEX_JUSTIFICATIONS) or an impact statement.
  • build_vex(statements, *, author, vex_id, version, timestamp) — wrap in an OpenVEX document (inject timestamp for a reproducible @id).
  • apply_vex(findings, vex_doc)suppress not_affected/fixed findings, annotate the rest with vex_status. Joins on the vuln id or any alias, optionally product-scoped.

Composes directly with the OSV matcher: scan_componentsapply_vex. Pure stdlib (hashlib/json/datetime); Qt-free.

Five-layer wiring

  • Headless core: je_auto_control/utils/vex/
  • Facade: re-exported from __init__.py + __all__
  • Executor: AC_apply_vex
  • MCP: ac_apply_vex
  • Script Builder: "Apply VEX Triage to Findings" under Security

Tests & docs

  • test/unit_test/headless/test_vex_batch.py (12 tests incl. composition-with-scanner and validation cases)
  • v59 feature docs (EN + Zh) + toctree registration
  • What's-new sections in all three READMEs

Lint clean: ruff / pylint / bandit / radon (no function CC > 10, ≤5 args).

The OSV scanner surfaces every known CVE on every run with no way to
record that a vulnerability does not affect the product. Add OpenVEX
0.2.0 authoring (vex_statement/build_vex) and apply_vex, which suppresses
not_affected/fixed findings and annotates the rest, joining on the vuln
id or an alias with optional product scoping. Composes directly with the
OSV scanner; wired through the facade, AC_apply_vex executor command,
ac_apply_vex MCP tool and Script Builder.
@codacy-production

Copy link
Copy Markdown

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 51 complexity · 1 duplication

Metric Results
Complexity 51
Duplication 1

View in Codacy

NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.

@JE-Chen
JE-Chen merged commit 5947144 into dev Jun 20, 2026
16 checks passed
@JE-Chen
JE-Chen deleted the feat/openvex branch June 20, 2026 17:43
@sonarqubecloud

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant