More Alpha VEX changes

Added component naming info, the future beta link and updated navigation to include scanning vendor md file.

Author: oaubrey

docs/vex-alpha-details.md

@@ -2,6 +2,8 @@
 
 This document is intended to cover the changes made in the new release of alpha VEX files compared to the legacy VEX files. These changes are broken out by the three main CSAF VEX document sections: Document, Product Tree and Vulnerabilities. 
 
+<u>Please Note: </u> The alpha VEX files are still in a state of flux as we address known issues. We aim to keep this documentation in sync with the changes, but there may be times when the documentation and implementation are not aligned. If you have questions on any of these changes, please see [How to Provide Feedback](https://redhatproductsecurity.github.io/security-data-guidelines/vex-alpha-details/#how-to-provide-feedback).
+
 ## Document Section 
 The new alpha VEX files include a few minor changes to the `document` section, outlined in the sections below. 
 
@@ -358,6 +360,65 @@ The new alpha VEX files change how multiple product variants are represented. Fo
 ### Component Changes
 In additon to the product representation changes, there are a few changes to component representation. 
 
+#### Component Naming 
+A minor change was made to the component naming in the new alpha VEX files. The `product_version.name` and `product.name` fields for components will not include any version information, even when fixed in the new alpha VEX files.
+
+```json
+# Example of legacy VEX component naming for unfixed component
+{
+  "category": "product_version",
+  "name": "libxml2.src",
+  "product": {
+    "name": "libxml2.src",
+    "product_id": "libxml2.src",
+    "product_identification_helper": {
+      "purl": "pkg:rpm/redhat/libxml2?arch=src"
+    }
+  }
+}
+
+# Example of legacy VEX component naming for fixed component
+{
+  "category": "product_version",
+  "name": "libxml2-0:2.9.13-10.el9_6.src",
+  "product": {
+    "name": "libxml2-0:2.9.13-10.el9_6.src",
+    "product_id": "libxml2-0:2.9.13-10.el9_6.src",
+    "product_identification_helper": {
+      "purl": "pkg:rpm/redhat/libxml2@2.9.13-10.el9_6?arch=src"
+    }
+  }
+}
+```
+
+```json
+# Example of alpha VEX component naming for unfixed component 
+{
+  "category": "product_version",
+  "name": "libxml2",
+  "product": {
+    "name": "libxml2",
+    "product_id": "libxml2",
+    "product_identification_helper": {
+      "purl": "pkg:rpm/redhat/libxml2?arch=src"
+    }
+  }
+}
+
+# Example of alpha VEX component naming for fixed component
+{
+  "category": "product_version",
+  "name": "libxml2",
+  "product": {
+    "name": "libxml2",
+    "product_id": "libxml2-2.9.13-10.el9_6",
+    "product_identification_helper": {
+      "purl": "pkg:rpm/redhat/libxml2@2.9.13-10.el9_6?arch=src"
+    }
+  }
+}
+```
+
 #### Architecture Removal
 In legacy VEX files, fixed components were represented multiple times for their different architectures. To reduce the total number of component and relationship entries, we have decided to remove architecture representation for components in both their `name`, `product_id` and `purl`. The only exception to this is for SRPM components, which will include a ".src" in the `name` and `product_id` and "arch=src" in the `purl`.
 
@@ -412,12 +473,22 @@ In legacy VEX files, fixed components were represented multiple times for their
 
 ```json
 # Example of alpha VEX component architecture
-TO DO: Pending component version fixes 
+# Note: Subject to change pending resolution of component version jiras 
+{ 
+  "category": "product_version", 
+  "name": "glibc", 
+  "product": { 
+    "name": "glibc", 
+    "product_id": "glibc-2.34-231.el9_7.10", 
+    "product_identification_helper": { 
+      "purl": "pkg:rpm/redhat/glibc@2.34-231.el9_7.10?arch=src" 
+    } 
+  }
+}, 
 
 ```
 #### Binary RPMs 
-TO DO 
-
+More information available soon 
 
 ## Vulnerabilities Section
 Finally, there were a few changes made the the `vulnerabilties` section of the new alpha VEX files. 

docs/vex-alpha.md

@@ -29,7 +29,7 @@ As we perform final data cleanup and address some remaining functionality, you m
 
 ### Short Term Adoption Timeline
 
-- **Beta VEX (End of March)**: Will address any outstanding known issues and initial vendor feedback. We will recommend that vendors begin the adoption process at this time.
+- **Beta VEX (End of March)**: Will address any outstanding known issues and initial vendor feedback. We will recommend that vendors begin the adoption process at this time. At this time, the VEX files will be moved into the final hosted location at https://security.access.redhat.com/data/csaf/v2/vex-feed/. The legacy VEX file location will remain unchanged.
 - **GA VEX (Red Hat Summit)**: Upon GA, legacy VEX files will be deprecated. No further enhancements will be made to legacy files, though they will remain published for a transition period based on vendor adoption.
 
 ### Future Enhancements

mkdocs.yml

@@ -41,6 +41,7 @@ nav:
     - "CSAF/VEX Overview": "csaf-vex.md"
     - "VEX-Alpha Release": "vex-alpha.md"
     - "VEX-Alpha Details": "vex-alpha-details.md"
+    - "Scanning Vendor Guidance": "scanning-vendors.md"
   - purl: "purl.md"
   - SBOM: "sbom.md"