|
1 | | -# CSAF VEX-Alpha Files |
| 1 | +# CSAF VEX-Alpha Release |
| 2 | + |
| 3 | +## VEX-Alpha Announcement |
2 | 4 |
|
3 | | -## VEX Alpha Release |
4 | 5 | Red Hat Product Security is pleased to share that the Alpha version of our new VEX (Vulnerability Exploit eXchange) files is now available [here](https://security.access.redhat.com/data/csaf/v2/vex-alpha/). |
5 | 6 |
|
6 | | -### Current Updates |
| 7 | +### Current Update Overview |
| 8 | + |
7 | 9 | This update focuses on data precision and standardizing our CSAF VEX format. Key improvements include: |
8 | 10 |
|
9 | | -* **Improved Product Granularity**: Currently, unfixed products are only represented at the major version (RHEL 9). The new version of VEX files will explicitly list affected supported streams (RHEL 9.6, RHEL 9.4 EUS, RHEL 9.2 EUS, etc.). |
10 | | -Simplified Product Trees: Removing inconsistent branch nesting for ‘architecture’ and ‘product_family’ branches to simplify the product tree structure. We are also removing redundant architecture representation for components and duplication of product variants to reduce the total number of product entries. |
11 | | -* **Enhanced Validation**: Better validation for CSAF VEX formats and identification helpers like CPEs and PURLs |
12 | | -* **Consistency Fixes**: Standardized product ‘name’ and ‘product_id’ formats to ensure consistency between "fixed" and "unfixed" statuses. |
13 | | -* **Streamlined Content**: We’ve removed unrequired fields (duplicate titles, redundant CVSS scores, unnecessary note objects) and ensured ‘fixed’ product and components no longer appear in ‘workaround’ remediation objects. |
14 | | -* **Modernized Infrastructure**: We have migrated VEX publication to a completely new service that improves performance and supportability. |
| 11 | +- **Improved Product Granularity**: Currently, unfixed products are only represented at the major version (RHEL 9). The new version of VEX files explicitly lists supported streams (RHEL 9.6, RHEL 9.4 EUS, RHEL 9.2 EUS, etc.). |
| 12 | +- **Simplified Product Trees**: Removing inconsistent branch nesting for `architecture` and `product_family` branches to simplify the product tree structure. We are also removing redundant architecture representations for components and multiple product variants to reduce the total number of product entries. |
| 13 | +- **Enhanced Validation**: Better validation for CSAF VEX formats and identification helpers like CPEs and PURLs. |
| 14 | +- **Consistency Fixes**: Standardized product `name` and `product_id` formats to ensure consistency between `fixed` and `unfixed` statuses. |
| 15 | +- **Streamlined Content**: We’ve removed unrequired fields (duplicate titles, redundant CVSS scores, unnecessary note objects) and ensured `fixed` product and components no longer appear in `workaround` remediation objects. |
| 16 | +- **Modernized Infrastructure**: We have migrated VEX publication to a completely new service that improves performance and supportability. |
15 | 17 |
|
| 18 | +More detailed information on the differences between legacy VEX files and Alpha VEX files will be found [here](https://security.access.redhat.com/data/csaf/v2/vex-alpha-details/). |
16 | 19 |
|
17 | 20 | ### Alpha Limitations & Known Issues |
| 21 | + |
18 | 22 | As we perform final data cleanup and address some remaining functionality, you may notice daily fluctuations in file content. Please be aware of the following known issues: |
19 | 23 |
|
20 | | -* **Binary RPMs**: Currently unavailable for unfixed items. Product security has a critical dependency that must be unblocked before this is able to be addressed. |
21 | | -* **Data Accuracy**: Some products and components may be missing or product statuses may be temporarily incorrect during this transition. |
22 | | -Legacy Data: Some older CVEs may display inaccurate CPEs (e.g., RHEL 7 transitioning from mainstream to EUS CPEs). |
23 | | -* **Data Deletion**: Removing files and handling rejected flaws is currently unsupported. |
24 | | -* **Scope**: Middleware remains out of scope for this project phase. |
| 24 | +- **Binary RPMs**: Currently unavailable for unfixed items. Product Security is working to address this as soon as possible. |
| 25 | +- **Data Accuracy**: Some products and components may be missing or product statuses may be temporarily incorrect during this transition. |
| 26 | +- **Legacy Data**: Some older CVEs may display inaccurate CPEs (e.g., RHEL 7 transitioning from mainstream to EUS CPEs). |
| 27 | +- **Data Deletion**: Removing files and handling rejected flaws is currently unsupported. |
| 28 | +- **Scope**: Middleware remains out of scope for this project phase. |
25 | 29 |
|
26 | | -### Short Term Adoption Timeline |
| 30 | +### Short Term Adoption Timeline |
27 | 31 |
|
28 | | -* **Beta VEX (End of March)**: Will address any outstanding known issues and initial vendor feedback. We will recommend that vendors begin the adoption process at this time. |
29 | | -* **GA VEX (Red Hat Summit)**: Upon GA, old VEX files will be deprecated. No further enhancements will be made to the SD Engine for old files, though they will remain published for a transition period based on vendor adoption. |
| 32 | +- **Beta VEX (End of March)**: Will address any outstanding known issues and initial vendor feedback. We will recommend that vendors begin the adoption process at this time. |
| 33 | +- **GA VEX (Red Hat Summit)**: Upon GA, legacy VEX files will be deprecated. No further enhancements will be made to legacy files, though they will remain published for a transition period based on vendor adoption. |
30 | 34 |
|
31 | 35 | ### Future Enhancements |
32 | 36 |
|
33 | | -* **CSAF Advisory File Improvements**: While this effort currently only focuses on VEX files, we plan to make similar changes to our CSAF Advisory files as well. |
34 | | -* **Component-level Accuracy**: Instead of determining affectedness at the SRPM level, we will begin reporting the affectedness of binary RPMs and eventually aim to report down to the individual libraries/files that are affected. |
35 | | -* **Unified Container Reporting**: Direct reporting of all vulnerabilities (RPM and non-RPM) to the container image to provide a more streamlined scanning experience for vendors and better remediation information for customers. |
36 | | -* **CSAF 2.1 Adoption**: We will assess and plan support following the publication of the new version of the CSAF standard. |
| 37 | +- **CSAF Advisory File Improvements**: While this effort currently only focuses on VEX files, we plan to make similar changes to our CSAF Advisory files as well. |
| 38 | +- **Component-level Accuracy**: Instead of determining affectedness at the SRPM level, we will begin reporting the affectedness of binary RPMs and eventually aim to report down to the individual libraries/files that are affected. |
| 39 | +- **Unified Container Reporting**: Direct reporting of all vulnerabilities (RPM and non-RPM) to the container image to provide a more streamlined scanning experience for vendors and better remediation information for customers. |
| 40 | +- **CSAF 2.1 Adoption**: We will assess and plan support following the publication of the new version of the CSAF standard. |
37 | 41 |
|
38 | 42 | ### How to Provide Feedback |
| 43 | + |
39 | 44 | For any issues or questions you have, please file a jira issue with the following: |
40 | 45 |
|
41 | | -* Project: [SECDATA](https://issues.redhat.com/projects/SECDATA/summary) |
42 | | -* Issue Type: Ticket |
43 | | -* Component: ‘feedback-new-vex’ |
44 | | -* Description: The question or issue you wish to raise. Please provide a detailed explanation, the VEX file you are referencing and a specific example of the data. |
| 46 | +- **Project**: [SECDATA](https://issues.redhat.com/projects/SECDATA/summary) |
| 47 | +- **Issue Type**: Ticket |
| 48 | +- **Component**: ‘feedback-new-vex’ |
| 49 | +- **Description**: The question or issue you wish to raise. Please provide a detailed explanation, the VEX file you are referencing and a specific example of the data. |
| 50 | + |
0 commit comments