OpenVEX JSON Example, Specification Details, and Verification

In OpenVEX, status justifications can have one of the five possible values: - `component_not_present` - `vulnerable_code_not_present` - `vulnerable_code_not_in_execute_path` - `vulnerable_code_cannot_be_controlled_by_adversary` - `inline_mitigations_already_exist` For more information about these values and their definitions, see [Status Justifications](https://github.com/openvex/spec/blob/main/OPENVEX-SPEC.md#status-justifications) in the OpenVEX specification. `--file` : Filename of the VEX document output ## Example JSON document Here's the OpenVEX JSON generated by this command: ```json { "@context": "https://openvex.dev/ns/v0.2.0", "@id": "https://openvex.dev/docs/public/vex-749f79b50f5f2f0f07747c2de9f1239b37c2bda663579f87a35e5f0fdfc13de5", "author": "author@example.com", "timestamp": "2024-05-27T13:20:22.395824+02:00", "version": 1, "statements": [ { "vulnerability": { "name": "CVE-2022-24999" }, "timestamp": "2024-05-27T13:20:22.395829+02:00", "products": [ { "@id": "pkg:docker/example/app@v1", "subcomponents": [ { "@id": "pkg:npm/express@4.17.1" } ] } ], "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path" } ] } ``` Understanding how VEX documents are supposed to be structured can be a bit of a mouthful. The [OpenVEX specification](https://github.com/openvex/spec) describes the format and all the possible properties of documents and statements. For the full details, refer to the specification to learn more about the available fields and how to create a well-formed OpenVEX document. To learn more about the available flags and syntax of the `vexctl` CLI tool and how to install it, refer to the [`vexctl` GitHub repository](https://github.com/openvex/vexctl). ## Verifying VEX documents To test whether the VEX documents you create are well-formed and produce the expected results, use the `docker scout cves` command with the `--vex-location` flag to apply a VEX document to a local image analysis using the CLI. The following command invokes a local image analysis that incorporates all VEX documents in the specified location, using the `--vex-location` flag. In this example, the CLI is instructed to look for VEX documents in the current working directory. ```console $ docker scout cves <IMAGE> --vex-location . ``` The output of the `docker scout cves` command displays the results with any VEX statements found in under the `--vex-location` location factored into the results. For example, CVEs assigned a status of `not_affected` are filtered out from the results. If the output doesn't seem to take the VEX statements into account, that's an indication that the VEX documents might be invalid in some way. Things to look out for include: - The PURL of a Docker image must begin with `pkg:docker/` followed by the image name. - In a Docker image PURL, the image name and version is separated by `@`. An image named `example/myapp:1.0` has the following PURL: `pkg:docker/example/myapp@1.0`. - Remember to specify an `author` (it's a mandatory field in OpenVEX) - The [OpenVEX specification](https://github.com/openvex/spec) describes how and when to use `justification`, `impact_statement`, and other fields in the VEX documents. Specifying these in an incorrect way results in an invalid document. Make sure your VEX documents comply with the OpenVEX specification.

This section provides an example of an OpenVEX JSON document generated by the `vexctl` command, highlighting the structure and properties like `@context`, `@id`, `author`, `timestamp`, `version`, and `statements`. It refers to the OpenVEX specification for detailed information on document structure and available fields. It further instructs users on how to verify the validity and effectiveness of VEX documents using the `docker scout cves` command with the `--vex-location` flag and lists common issues to watch out for.