Observations about OpenVEX 

_From Stefan Fleckenstein_

I had a look at your lib4vex library and had a go with the parser. For OpenVEX I found some differences between their specification and what can be parsed by your library. Are these differences intended?

- A statement can not be parsed without a timestamp. According to the specification the timestamp is not mandatory but can cascade down from the document.
- The @id of a product must not necessarily be a PURL. You could specify the PURL in the `identifiers
- Due to the specification a statement can have a list of products, but your lib4vex supports only one product.
- Products in OpenVEX can have subcomponents. These can be useful to express which library in the product is actually affected by the vulnerability. Do you plan to support this in the future?


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Observations about OpenVEX #1

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Uh oh!

Observations about OpenVEX #1

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions