See us at KUBECON NA - Booth Q37

Spooky Enhancements: Unveiling GUAC's OpenVEX Feature

GUAC's OpenVEX Integration

Nathan Naveen

October 31, 2023

As the leaves turn and the air chills, we at Kusari are excited to unveil a treat that will send shivers down your spine - our new OpenVEX feature! This Halloween, we're not just carving pumpkins. We're also enhancing our software supply chain security with the power of OpenVEX.

What is OpenVEX?

OpenVEX, or Open Vulnerability Exploitability eXchange, is a powerful tool that's been brewed up by the OpenVEX community. It's like a magic potion that provides a standardized language to whisper about the exploitability of vulnerabilities lurking in the shadows of software components.

OpenVEX provides a standardized way to communicate the exploitability of vulnerabilities in software components. OpenVEX documents are JSON-LD files that capture the minimal requirements for VEX as defined by the VEX working group organized by CISA.

The OpenVEX schema captures crucial information about software vulnerabilities, including their severity, the software components they affect, and their exploitability status. This information is crucial for understanding the risk posed by a vulnerability and making informed decisions about addressing it.

This is what an OpenVEX document looks like:

 	
{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://openvex.dev/docs/example/vex-9fb3463de1b57",
  "author": "Wolfi J Inkinson",
  "role": "Document Creator",
  "timestamp": "2023-01-08T18:02:03.647787998-06:00",
  "version": "1",
  "statements": [
    {
      "vulnerability": {
        "name": "CVE-2014-123456"
      },
      "products": [
        {"@id": "pkg:apk/distro/git@2.39.0-r1?arch=armv7"},
        {"@id": "pkg:apk/distro/git@2.39.0-r1?arch=x86_64"}
      ],
      "status": "fixed"
    }
  ]
}
  

GUAC's OpenVEX Integration

Our integration of OpenVEX into GUAC is like adding antidotes to the spooky brew of security vulns. It enhances the depth and detail of the information we can provide about vulnerabilities in the software supply chain. 

The OpenVEX Parser in GUAC ingests OpenVEX documents, breaking them down into graph components that can be easily understood and analyzed. It maps out the relationship between software components, vulnerabilities, and their exploitability status, providing a comprehensive view of the software's security position.

By integrating OpenVEX, GUAC can provide more detailed information about the vulnerabilities in a software supply chain. This allows users to make more informed decisions about their software's security risk. For example, a user could prioritize addressing vulnerabilities that have a known exploit over those that are merely theoretical. This level of detail and insight is a significant enhancement to GUAC's capabilities, making it an even more powerful tool for managing software supply chain security.

How Does It Help the Community?

This new feature is like a flashlight guiding you through a dark, haunted forest. It illuminates the path, helping you navigate the complex landscape of software vulnerabilities.

By integrating OpenVEX, we're enabling users to gain a deeper understanding of the vulnerabilities in their software supply chain. It allows users to identify not just the vulnerabilities but also their exploitability, providing a more nuanced view of the software's security risk.

Moreover, the OpenVEX Parser also generates identifiers for each software component, making it easier to track and manage vulnerabilities across different components.

Conclusion

This Halloween, while you enjoy the thrills and chills of the season, rest assured that GUAC's OpenVEX feature is working to keep the ghouls of software vulnerabilities at bay. It's our treat to the community, helping to make software supply chain security a little less scary.

As the moonlight filters through the autumn leaves, take a moment to delve into the intricate web of your software supply chain with GUAC's OpenVEX feature. As the shadows of vulnerabilities recede, you'll find a clearer path toward enhanced security. Happy Halloween!

Whispers from the Shadows

Should you dare to delve deeper into the lore of OpenVEX, the following scrolls might satiate your thirst:

  1. The Doctrine of VEX: A parchment revealing the sacred rites for crafting VEX manuscripts.
  2. The OpenVEX Grimoire: A tome that harnesses the arcane powers of VEX, written in the ancient language of Go.
  3. GUAC's OpenVEX Codex: Delve into GUAC's meticulous documentation detailing the integration of the haunting OpenVEX.

Like what you read? Share it with others.

Other blog posts 

The latest industry news, interviews, technologies, and resources.

View all posts

Previous

No older posts

Next

No newer posts

Want to learn more?

See the demo
By clicking “Accept”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.