1 comment

[ 3.3 ms ] story [ 9.8 ms ] thread
Using tools like syft and gryft, we can create detailed release SBOM for docker images, including a list of security vulnerabilities. As a software developer or release manager you want to keep track of these vulnerabilities and provide information downstream, but where?

Bogrod solves this problem by using a simple YAML file to keep track of all vulnerabilities, their effect downstream, and its status for the image in question, a.k.a. Vulnerability Exploit Exchange (VEX). The VEX data can be merged into the SBOM and delivered to users in the release notes.