
Support Vulnerability Exploitability eXchange (VEX) in SBOM reports

We already have a feature to generate CycloneDX SBOMs for GitLab projects. These reports could be enhanced with data about vulnerabilities that do not affect the reported dependencies or the product.

Proposal

CycloneDX comes with a specification for sharing vulnerabilities as part of its format. It is named VEX for Vulnerability Exploitability eXchange: https://cyclonedx.org/capabilities/vex/

As explained as part of this page:

Inventory described in a BOM (SBOM, SaaSBOM, etc) will typically remain static until such time the inventory changes. However, vulnerability information is much more dynamic and subject to change. Therefore, it is recommended to decouple the VEX from the BOM. This allows VEX information to be updated without having to create and track additional BOMs.

Considering this recommendation, it doesn't make sense to just "decorate" existing reports with vulnerabilities. Therefore, it is best to create a new API endpoint that lets users download VEX reports independently. The challenge to solve before implementing anything is "how do we provide the right VEX for the right BOM?". BOMs are likely to evolve over time because dependencies do. But currently our Vulnerability Report page reflects the state of the default branch, so we can't provide VEX for points in time (like git tags). There are reports available via pipelines, but they suffer from two limitations:

  1. They're ephemeral, and will be disposed of after some time (expire_in is 30 days on gitlab.com)
  2. There's no API endpoint to fetch these reports directly
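The pairing problem above ("the right VEX for the right BOM") is what CycloneDX's BOM-Link is for: a standalone VEX document does not embed the SBOM, it points into one exact SBOM by serial number, BOM version and component `bom-ref`. The following Python example, added here and not code from the issue or from GitLab, builds such a decoupled VEX from a constructed SBOM and a constructed set of triage results, then checks that every `affects.ref` still resolves against the SBOM it was written for (and fails against a later BOM version, which is the point of pinning). The serial number, components and vulnerability ids are made up for the example.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample SBOM in CycloneDX 1.4 JSON. It stands in for a GitLab SBOM
# export; the serial number, components and purls are made up for this example.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
    "version": 1,
    "components": [
        {"type": "library", "bom-ref": "pkg:npm/lodash@4.17.20",
         "name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
        {"type": "library", "bom-ref": "pkg:gem/rails@7.0.4",
         "name": "rails", "version": "7.0.4", "purl": "pkg:gem/rails@7.0.4"},
    ],
}

# Constructed triage results, i.e. what a vulnerability review would produce.
# The ids are placeholders, not real advisories; the states and justification
# are CycloneDX analysis enum values.
SAMPLE_FINDINGS = [
    {"id": "CVE-0000-00001", "ref": "pkg:npm/lodash@4.17.20",
     "state": "not_affected", "justification": "code_not_reachable"},
    {"id": "CVE-0000-00002", "ref": "pkg:gem/rails@7.0.4",
     "state": "exploitable", "justification": None},
]

# CycloneDX BOM-Link shape: urn:uuid:<serial>/<bom version>#<bom-ref>
BOM_LINK_RE = re.compile(r"^(urn:uuid:[0-9a-fA-F-]{36})/(\d+)#(.+)$")


def bom_link(sbom, bom_ref):
    """Pin a reference to a component in one specific SBOM serial + version."""
    return f"{sbom['serialNumber']}/{sbom['version']}#{bom_ref}"


def build_vex(sbom, findings, vex_serial=None):
    """Build a standalone CycloneDX VEX document: a BOM carrying only
    `vulnerabilities`, whose `affects` entries point into `sbom` by BOM-Link."""
    vulnerabilities = []
    for finding in findings:
        analysis = {"state": finding["state"]}
        if finding.get("justification"):
            analysis["justification"] = finding["justification"]
        vulnerabilities.append({
            "id": finding["id"],
            "analysis": analysis,
            "affects": [{"ref": bom_link(sbom, finding["ref"])}],
        })
    return {
        "bomFormat": "CycloneDX",
        "specVersion": sbom["specVersion"],
        "serialNumber": vex_serial or f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {"timestamp": datetime.now(timezone.utc).isoformat()},
        "vulnerabilities": vulnerabilities,
    }


def unresolved_refs(vex, sbom):
    """Return every `affects.ref` in `vex` that does not resolve to a component
    of this exact SBOM: serial number, BOM version and bom-ref must all match."""
    known_refs = {c["bom-ref"] for c in sbom.get("components", [])}
    unresolved = []
    for vuln in vex.get("vulnerabilities", []):
        for affect in vuln.get("affects", []):
            ref = affect["ref"]
            match = BOM_LINK_RE.match(ref)
            if (match is None
                    or match.group(1) != sbom["serialNumber"]
                    or int(match.group(2)) != sbom["version"]
                    or match.group(3) not in known_refs):
                unresolved.append(ref)
    return unresolved


def not_affected_ids(vex):
    """Ids the VEX marks as not affecting the product (what consumers can suppress)."""
    return sorted(v["id"] for v in vex["vulnerabilities"]
                  if v["analysis"]["state"] == "not_affected")


if __name__ == "__main__":
    vex = build_vex(SAMPLE_SBOM, SAMPLE_FINDINGS)
    print(json.dumps(vex, indent=2))
    print("unresolved against v1:", unresolved_refs(vex, SAMPLE_SBOM))
    # After dependencies change, the SBOM is re-issued as version 2 and the old
    # VEX no longer claims anything about it; a new VEX must be published.
    print("unresolved against v2:", unresolved_refs(vex, dict(SAMPLE_SBOM, version=2)))
```

Because the BOM-Link carries the SBOM's `version`, a VEX issued for one point in time cannot be silently applied to a later BOM, which is exactly the property an API that serves VEX per tag or per pipeline would need; the consumer side check in `unresolved_refs` is what a verifier would run before honouring any `not_affected` statement.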


Edited by Lucas Charles