
feat(tool): Add VEX file validation tool #5144


Open. Wants to merge 4 commits into base: main.

Conversation

JigyasuRajput (Contributor)

Add VEX File Validation Tool (PR 1/2)

Overview

This PR implements a VEX (Vulnerability Exploitability Exchange) file validation tool.

Features Added

  • Multi-format VEX validation: Support for CycloneDX, CSAF, and OpenVEX formats
  • Schema compliance checking: Validates required fields and format-specific requirements
  • CLI integration: New vex-validate command with flexible file input options
  • Comprehensive error reporting: Clear, actionable error messages with field locations
  • Robust error handling: Handles file errors, JSON parsing errors, and schema violations

Usage

# Validate a VEX file
cve-bin-tool vex-validate TRIAGE.json

# Using the explicit flag
cve-bin-tool vex-validate --vex-file-to-validate my-vex-file.json

@anthonyharrison (Contributor) left a comment


For CycloneDX there is already a JSON schema which can be used to validate the format. Rather than writing your own checks, it would be better to use the standard schema (see here).

The same also applies for CSAF (see here).

OpenVEX schema: see here.

This should result in much less code!!!

@JigyasuRajput (Contributor, Author)

thanks for the feedback, I'll apply the changes!!

@JigyasuRajput (Contributor, Author)

This PR is not ready for a review yet... It still needs more cleanup!
Thanks!

@JigyasuRajput (Contributor, Author)

Hey!
I've almost completed the implementation of the vex validate tool, I'll come back after some time when the CI checks have completed. I've added the standard JSON schemas to the code (which made the PR big) to improve performance and so it can work offline as well.
thanks!
cc @anthonyharrison @terriko

@anthonyharrison (Contributor) left a comment

The CycloneDX schemas need to support the different versions of the CycloneDX standard. Need to include schemas for 1.5 and 1.6 as well. Schema validation will then need to validate against each version until it either validates or you have exhausted all the schemas.
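The validation strategy discussed in this thread (validate against standard JSON schemas rather than hand-written field checks, keep the schemas embedded so the tool works offline, and try each CycloneDX version in turn until one accepts the file or all are exhausted, reporting errors with their field locations), as an added example that is not part of this PR or of cve-bin-tool. The function names `validate_vex` and `validate_vex_text`, the cut-down stand-in schemas (a few required fields per format, not the official CycloneDX/CSAF/OpenVEX schemas) and the sample documents are assumptions constructed for illustration; the small subset validator `_check` stands in for the `jsonschema` package a real implementation would use.

```python
# Added example (not cve-bin-tool code): try a VEX document against each candidate
# schema in turn. The schemas are constructed stand-ins with only a few fields each;
# a real tool would embed the official CycloneDX/CSAF/OpenVEX JSON schemas and use
# the jsonschema package instead of the small subset validator below.
import json


def _check(schema, value, path, errors):
    """Validate against a JSON Schema subset (type, const, enum, required,
    properties, items), appending (json_pointer, message) tuples to errors."""
    where = path or "/"
    kind = schema.get("type")
    if kind is not None:
        ok = {"object": isinstance(value, dict), "array": isinstance(value, list),
              "string": isinstance(value, str),
              "integer": isinstance(value, int) and not isinstance(value, bool)}[kind]
        if not ok:
            errors.append((where, f"expected {kind}, got {type(value).__name__}"))
            return  # do not descend into a value of the wrong type
    if "const" in schema and value != schema["const"]:
        errors.append((where, f"expected {schema['const']!r}, got {value!r}"))
    if "enum" in schema and value not in schema["enum"]:
        errors.append((where, f"{value!r} not one of {schema['enum']}"))
    if isinstance(value, dict):
        for key in schema.get("required", []):
            if key not in value:
                errors.append((where, f"missing required field {key!r}"))
        for key, sub in schema.get("properties", {}).items():
            if key in value:
                _check(sub, value[key], f"{path}/{key}", errors)
    if isinstance(value, list) and "items" in schema:
        for i, item in enumerate(value):
            _check(schema["items"], item, f"{path}/{i}", errors)


CDX_STATES = ["resolved", "resolved_with_pedigree", "exploitable",
              "in_triage", "false_positive", "not_affected"]
OPENVEX_STATUS = ["not_affected", "affected", "fixed", "under_investigation"]


def _cyclonedx(version):
    """Stand-in for one CycloneDX schema version (only specVersion differs here)."""
    vuln = {"type": "object", "required": ["id"], "properties": {
        "id": {"type": "string"},
        "analysis": {"type": "object", "properties": {"state": {"enum": CDX_STATES}}}}}
    return {"type": "object", "required": ["bomFormat", "specVersion"], "properties": {
        "bomFormat": {"const": "CycloneDX"}, "specVersion": {"const": version},
        "vulnerabilities": {"type": "array", "items": vuln}}}


# Newest CycloneDX first; validation stops at the first schema that accepts the file.
SCHEMAS = {
    "cyclonedx-1.6": _cyclonedx("1.6"),
    "cyclonedx-1.5": _cyclonedx("1.5"),
    "csaf-2.0": {"type": "object", "required": ["document", "vulnerabilities"], "properties": {
        "document": {"type": "object", "required": ["category", "csaf_version", "title"],
                     "properties": {"csaf_version": {"const": "2.0"}}},
        "vulnerabilities": {"type": "array", "items": {"type": "object"}}}},
    "openvex": {"type": "object",
                "required": ["@context", "@id", "author", "timestamp", "version", "statements"],
                "properties": {"version": {"type": "integer"}, "statements": {
                    "type": "array", "items": {"type": "object",
                                               "required": ["vulnerability", "status"],
                                               "properties": {"status": {"enum": OPENVEX_STATUS}}}}}},
}


def validate_vex(doc):
    """Return (schema_name, {}) for the first schema that accepts doc, otherwise
    (None, {schema_name: [(pointer, message), ...]}) once every schema is exhausted."""
    failures = {}
    for name, schema in SCHEMAS.items():
        errors = []
        _check(schema, doc, "", errors)
        if not errors:
            return name, {}
        failures[name] = errors
    return None, failures


def validate_vex_text(text):
    """Report a JSON syntax error with its position instead of as a schema failure."""
    try:
        return validate_vex(json.loads(text))
    except json.JSONDecodeError as exc:
        return None, {"json": [("/", f"line {exc.lineno} col {exc.colno}: {exc.msg}")]}


# Constructed samples; the vulnerability id is a placeholder, not a real CVE.
CDX_15_OK = {"bomFormat": "CycloneDX", "specVersion": "1.5", "vulnerabilities": [
    {"id": "CVE-YYYY-NNNNN", "analysis": {"state": "not_affected"}}]}
CDX_BAD_STATE = {"bomFormat": "CycloneDX", "specVersion": "1.5", "vulnerabilities": [
    {"id": "CVE-YYYY-NNNNN", "analysis": {"state": "fixed"}}]}  # OpenVEX status, not a CycloneDX state
OPENVEX_OK = {"@context": "https://openvex.dev/ns/v0.2.0", "@id": "https://example.com/vex/1",
              "author": "example", "timestamp": "2024-01-01T00:00:00Z", "version": 1,
              "statements": [{"vulnerability": {"name": "CVE-YYYY-NNNNN"}, "status": "fixed"}]}

if __name__ == "__main__":
    for doc in (CDX_15_OK, CDX_BAD_STATE, OPENVEX_OK):
        name, failures = validate_vex(doc)
        print(name or "no schema matched")
        for schema, errs in failures.items():
            for pointer, msg in errs:
                print(f"  [{schema}] {pointer}: {msg}")
```

Ordering the CycloneDX schemas newest-first matters: a 1.5 document fails the 1.6 schema only on `/specVersion`, then passes 1.5, so the per-schema error lists are only reported when no schema accepts the file, which keeps the "every schema rejected it" output readable and points at the actual field (here `/vulnerabilities/0/analysis/state`) rather than at a version mismatch.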
