Support Vulnerability Exploitability eXchange (VEX) in SBOM reports
We already have a feature to generate Cyclone DX SBOMS for GitLab projects. These reports could be enhanced with data about vulnerabilities not affecting the reported dependencies or the product.
Proposal
CycloneDX comes with a specification for sharing vulnerabilities as part of its format. It is named VEX for Vulnerability Exploitability eXchange: https://cyclonedx.org/capabilities/vex/
As explained as part of this page:
Inventory described in a BOM (SBOM, SaaSBOM, etc) will typically remain static until such time the inventory changes. However, vulnerability information is much more dynamic and subject to change. Therefore, it is recommended to decouple the VEX from the BOM. This allows VEX information to be updated without having to create and track additional BOMs.
Considering this recommendation, it doesn't make sense to just "decorate" existing reports with vulnerabilities. Therefore, it is best to create a new API endpoint to let users downloads VEX reports independently. The challenge to solve here before implementing anything is "how do we provide the right VEX for the right BOM?". BOMs are likely to evolve over time because dependencies do. But currently our Vulnerability Report page reflects the state of the default branch. Therefore, we can't provide VEX for Points In Time (like git tags). There are reports available via pipelines, but they suffer of two limitations:
- They're ephemeral, and will be disposed after some time (expire_in is 30 days on gitlab.com)
- There's no API endpoint to fetch these reports directly