Hi Olle,

On 7.02.2025 10:27, Olle E. Johansson wrote:
In my head, the VEX file applies to an SBOM for a single version of a single product. At some point, that version becomes problematic and I would like to find a clear way to say "This version is replaced by the next version and you should NOT EVER use this version. It's the end of the line. Get out of here." because there is indeed a vulnerability that will be fixed in a new release.

Another statement would be "there are no known problems here at this date, but we will now stop looking and you should get out of this series of releases." marking end-of-support.

I am not sure we will publish a separate VEX file for each version, more probably we will have a separate VEX file per minor version (TEA Leaf?) or even a single file for the entire major version. In Log4j we check vulnerability reports for all releases in the current major version, so it would make sense to do the same for VEX files.

Besides that I totally agree, we need to have a way to say:

* Go out of here, we don't check this release against vulnerability reports (and, more importantly, we will not forward those reports to you).

* Go out of here or you risk a "smooth" upgrade between minor versions if a problem occurs. In my experience, an upgrade between minor versions always has some unexpected "side-effects".

Piotr

