Enabling Efficient Vulnerability Management with VEX, SBoM & CVE Scan Results

March 26, 2024

While building modern applications, developers often use third-party open source software (OSS) components as building blocks, which brings flexibility and efficiency to their software development processes. The downside is that these applications end up as a highly complex mixture of components and transitive dependencies that are often beyond the control and visibility of security teams and platform engineers. The Log4Shell vulnerability (CVE-2021-44228) demonstrated how a single upstream vulnerability can put an entire environment at risk when you cannot quickly identify where the affected dependency is deployed.


By combining Vulnerability Exploitability eXchange (VEX) documents, Software Bill of Materials (SBoM) and CVE scan reports, SecOps teams can significantly reduce the software supply chain risk they face from upstream vulnerabilities. An SBoM tells you which components you ship and a CVE scan tells you which of them carry known vulnerabilities, but neither says whether a vulnerability is actually exploitable in a given product. VEX supplies that missing context: a per-vulnerability, per-product status (for example not affected, affected, fixed or under investigation), the justification behind it, and the remediation action, if any, that is needed. With that information, SecOps teams can prioritize their efforts on what matters most instead of chasing every scanner hit.


In this whitepaper, you will learn how Tanzu Application Catalog (formerly known as VMware Application Catalog) supports its users with SBoMs, CVE scan reports, and VEX documentation, how these three artifacts complement each other, and how you can use the risk assessment carried in VEX statements to reduce noise in your Trivy CVE report.
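To make the mechanism concrete, the following script is an added example (not code from the whitepaper, from Trivy, or from Tanzu Application Catalog) that applies OpenVEX statements to a Trivy JSON report. It assumes Trivy's JSON report layout (`Results[].Vulnerabilities[]` with `VulnerabilityID` and `PkgIdentifier.PURL`) and the OpenVEX statement layout (`statements[].vulnerability.name`, `products[].subcomponents[]["@id"]`). The report and the VEX document embedded in it are constructed samples, and the statuses are hypothetical assessments chosen to exercise the filter, not real vendor statements. Only `not_affected` and `fixed` statements suppress a finding, a `not_affected` statement without the justification OpenVEX requires is treated as no evidence, and every decision is recorded so an auditor can see why a CVE disappeared from the report.

```python
"""Apply OpenVEX statements to a Trivy JSON report (added illustration)."""
import copy
from typing import Any, Dict, List, Tuple

# Only these OpenVEX statuses mean "nothing to do for this component here".
# "affected" and "under_investigation" findings must stay in the report.
SUPPRESSIBLE_STATUSES = {"not_affected", "fixed"}

# Constructed sample report: two targets, three findings. Image name and
# package versions are placeholders, not the output of a real scan.
TRIVY_REPORT: Dict[str, Any] = {
    "ArtifactName": "registry.example.com/app:1.0",
    "Results": [
        {"Target": "app.jar", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2021-44228", "PkgName": "org.apache.logging.log4j:log4j-core",
             "InstalledVersion": "2.14.1", "Severity": "CRITICAL",
             "PkgIdentifier": {"PURL": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar"}},
        ]},
        {"Target": "registry.example.com/app:1.0 (alpine)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2022-37434", "PkgName": "zlib", "InstalledVersion": "1.2.12-r1",
             "Severity": "CRITICAL",
             "PkgIdentifier": {"PURL": "pkg:apk/alpine/zlib@1.2.12-r1?arch=x86_64&distro=3.16"}},
            {"VulnerabilityID": "CVE-2023-2650", "PkgName": "libssl3", "InstalledVersion": "3.0.8-r0",
             "Severity": "MEDIUM",
             "PkgIdentifier": {"PURL": "pkg:apk/alpine/libssl3@3.0.8-r0?arch=x86_64&distro=3.16"}},
        ]},
    ],
}

# Constructed OpenVEX document; statuses are hypothetical, chosen to exercise
# the three branches of the filter (suppressed, kept, kept-because-invalid).
PRODUCT = "pkg:oci/app?repository_url=registry.example.com/app&tag=1.0"
VEX_DOC: Dict[str, Any] = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.com/vex/app-1.0",
    "author": "Example Security Team",
    "timestamp": "2024-03-26T00:00:00Z",
    "version": 1,
    "statements": [
        {"vulnerability": {"name": "CVE-2021-44228"},  # suppressed: justified not_affected
         "products": [{"@id": PRODUCT, "subcomponents": [
             {"@id": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}]}],
         "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
        {"vulnerability": {"name": "CVE-2022-37434"},  # kept: still under investigation
         "products": [{"@id": PRODUCT, "subcomponents": [{"@id": "pkg:apk/alpine/zlib@1.2.12-r1"}]}],
         "status": "under_investigation"},
        {"vulnerability": {"name": "CVE-2023-2650"},  # kept: not_affected with no justification
         "products": [{"@id": PRODUCT, "subcomponents": [{"@id": "pkg:apk/alpine/libssl3@3.0.8-r0"}]}],
         "status": "not_affected"},
    ],
}


def purl_key(purl: str) -> str:
    """Drop qualifiers (?arch=...) and subpath (#...) so a scanner PURL that
    carries distro/arch qualifiers matches the bare PURL in a VEX statement."""
    return purl.split("?", 1)[0].split("#", 1)[0]


def index_vex(vex_doc: Dict[str, Any]) -> Dict[Tuple[str, str], Dict[str, Any]]:
    """Map (vulnerability name, component PURL key) -> the statement covering it."""
    index: Dict[Tuple[str, str], Dict[str, Any]] = {}
    for stmt in vex_doc.get("statements", []):
        vuln = stmt["vulnerability"]["name"]
        for product in stmt.get("products", []):
            # A product with no subcomponents is itself the affected component.
            for comp in product.get("subcomponents") or [product]:
                index[(vuln, purl_key(comp["@id"]))] = stmt
    return index


def suppression_decision(stmt: Dict[str, Any]) -> Tuple[bool, str]:
    """Decide whether a statement justifies dropping a finding, with a reason."""
    status = stmt.get("status")
    if status == "not_affected" and not (stmt.get("justification") or stmt.get("impact_statement")):
        # OpenVEX requires a justification or impact_statement for not_affected;
        # an unjustified claim is not evidence, so the finding stays visible.
        return False, "not_affected lacks justification/impact_statement; kept"
    if status in SUPPRESSIBLE_STATUSES:
        detail = stmt.get("justification") or stmt.get("impact_statement") or ""
        return True, f"{status} {detail}".strip()
    return False, f"status {status}; kept"


def apply_vex(report: Dict[str, Any], vex_doc: Dict[str, Any]) -> Tuple[Dict[str, Any], List[Dict[str, str]]]:
    """Return a filtered copy of the report plus an audit trail of every decision."""
    index = index_vex(vex_doc)
    filtered = copy.deepcopy(report)  # never mutate the scanner's original output
    audit: List[Dict[str, str]] = []
    for result in filtered.get("Results", []):
        kept = []
        for vuln in result.get("Vulnerabilities") or []:
            key = (vuln["VulnerabilityID"], purl_key(vuln["PkgIdentifier"]["PURL"]))
            stmt = index.get(key)
            suppress, reason = (False, "no VEX statement; kept") if stmt is None else suppression_decision(stmt)
            audit.append({"id": key[0], "purl": key[1], "action": "suppressed" if suppress else "kept", "reason": reason})
            if not suppress:
                kept.append(vuln)
        result["Vulnerabilities"] = kept
    return filtered, audit


def remaining_ids(report: Dict[str, Any]) -> List[str]:
    """Sorted vulnerability IDs still present in a report."""
    return sorted(v["VulnerabilityID"] for r in report.get("Results", []) for v in r.get("Vulnerabilities") or [])


if __name__ == "__main__":
    filtered_report, trail = apply_vex(TRIVY_REPORT, VEX_DOC)
    for entry in trail:
        print(f"{entry['action']:10} {entry['id']:16} {entry['purl']}  {entry['reason']}")
    print("remaining:", remaining_ids(filtered_report))
```

Two design choices matter in practice. Matching is done on the PURL with qualifiers stripped, because scanners attach `arch`/`distro`/`type` qualifiers that VEX authors usually omit; if your VEX documents pin qualifiers deliberately, tighten `purl_key` accordingly. And the audit trail is returned alongside the filtered report rather than discarded, because a suppressed critical CVE with no recorded justification is exactly the kind of gap an auditor or incident responder will ask about later.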
