More updates :)

oaubrey · oaubrey · commit 4770ab590ef3 · 2026-03-04T21:11:00.000-08:00
diff --git a/docs/vex-alpha-details.md b/docs/vex-alpha-details.md
@@ -3,7 +3,7 @@
 This document is intended to cover the changes made in the new release of alpha VEX files compared to the legacy VEX files. These changes are broken out by the three main CSAF VEX document sections: Document, Product Tree and Vulnerabilities. 
 
 ## Document Section 
-The new alpha VEX files include a few minor changes to the document section, outlined in the sections below. 
+The new alpha VEX files include a few minor changes to the `document` section, outlined in the sections below. 
 
 ### Document Changes 
 
@@ -84,7 +84,7 @@ The `document.tracking.revision_history` has also been updated in the new alpha
 ```
 
 ### Removed Document Objects 
-The following optional objects were removed in the document section and will not be present in the new alpha VEX files:
+The following optional objects were removed from the `document` section and will not be present in the new alpha VEX files:
 
 * `document.distribution`
 * `document.lang`
@@ -93,10 +93,10 @@ The following optional objects were removed in the document section and will not
 
 
 ## Product Tree Section 
-The product tree section of VEX files includes the most significant changes between legacy VEX files and the new alpha VEX files. 
+The `product_tree` section of VEX files includes the most significant changes between legacy VEX files and the new alpha VEX files. 
 
 ### Branch Removal 
-In the product tree section of a VEX file, legacy VEX files use to nest `product_name` objects under `product_family` branches and `product_version` objects under `architecture` branches, depending on the fix status of each. The new alpha VEX files remove any branch nesting. All `product_name` and `product_version` objects will only be nested under the parent `vendor` branch. 
+In the `product_tree` section of a VEX file, legacy VEX files used to nest `product_name` objects under `product_family` branches and `product_version` objects under `architecture` branches, depending on the fix status of each. The new alpha VEX files remove any branch nesting. All `product_name` and `product_version` objects will only be nested under the parent `vendor` branch. 
 
 ```json
 # Example of legacy VEX branch nesting
@@ -266,6 +266,7 @@ By comparing the Openshift 4.18 in legacy VEX files for [CVE-2025-12801](https:/
   }
 }
 ```
+
 In new alpha VEX files for [CVE-2025-12801](https://security.access.redhat.com/data/csaf/v2/vex-alpha/2025/cve-2025-12801.json) and [CVE-2025-6176](https://security.access.redhat.com/data/csaf/v2/vex-alpha/2025/cve-2025-6176.json), the `product_id` value remains the same between fixed and unfixed states. 
 
 ```json
@@ -354,17 +355,75 @@ The new alpha VEX files change how multiple product variants are represented. Fo
 
 ```
 
-
 ### Component Changes
+In additon to the product representation changes, there are a few changes to component representation. 
 
 #### Architecture Removal
+In legacy VEX files, fixed components were represented multiple times for their different architectures. To reduce the total number of component and relationship entries, we have decided to remove architecture representation for components in both their `name`, `product_id` and `purl`. The only exception to this is for SRPM components, which will include a ".src" in the `name` and `product_id` and "arch=src" in the `purl`.
 
+```json
+# Example of legacy VEX component architecture
+{
+  "category": "product_version",
+  "name": "glibc-0:2.34-231.el9_7.10.aarch64",
+  "product": {
+    "name": "glibc-0:2.34-231.el9_7.10.aarch64",
+    "product_id": "glibc-0:2.34-231.el9_7.10.aarch64",
+    "product_identification_helper": {
+      "purl": "pkg:rpm/redhat/glibc@2.34-231.el9_7.10?arch=aarch64"
+    }
+  }
+},
+{
+  "category": "product_version",
+  "name": "glibc-0:2.34-231.el9_7.10.ppc64le",
+  "product": {
+    "name": "glibc-0:2.34-231.el9_7.10.ppc64le",
+    "product_id": "glibc-0:2.34-231.el9_7.10.ppc64le",
+    "product_identification_helper": {
+      "purl": "pkg:rpm/redhat/glibc@2.34-231.el9_7.10?arch=ppc64le"
+    }
+  }
+},
+{
+  "category": "product_version",
+  "name": "glibc-0:2.34-231.el9_7.10.x86_64",
+  "product": {
+    "name": "glibc-0:2.34-231.el9_7.10.x86_64",
+    "product_id": "glibc-0:2.34-231.el9_7.10.x86_64",
+    "product_identification_helper": {
+      "purl": "pkg:rpm/redhat/glibc@2.34-231.el9_7.10?arch=x86_64"
+    }
+  }
+},
+{
+  "category": "product_version",
+  "name": "glibc-0:2.34-231.el9_7.10.s390x",
+  "product": {
+    "name": "glibc-0:2.34-231.el9_7.10.s390x",
+    "product_id": "glibc-0:2.34-231.el9_7.10.s390x",
+    "product_identification_helper": {
+      "purl": "pkg:rpm/redhat/glibc@2.34-231.el9_7.10?arch=s390x"
+    }
+  }
+},
+
+```
+
+```json
+# Example of alpha VEX component architecture
+TO DO: Pending component version fixes 
+
+```
 #### Binary RPMs 
+TO DO 
 
 
 ## Vulnerabilities Section
+Finally, there were a few changes made the the `vulnerabilties` section of the new alpha VEX files. 
 
 ### Remediations 
+A minor change to the `vulnerabilites.remediations` object was included in the new alpha VEX files. Product and component pairs that have a 'fixed' product status will no longer be listed under a `category: workaround` remediation object. Fixed product and componets will only be listed under a `category: vendor_fix` remediation object. 
 
 
 ### CVSS Score
