While building modern applications, developers often use third-party open source software (OSS) components as building blocks, which brings flexibility and efficiency to their software development processes. On the other hand, these applications end up being a highly complex mixture of components and dependencies that are often beyond the control and visibility of security teams and platform engineers. The Log4Shell vulnerability demonstrated how a single supply chain vulnerability can put an entire environment at risk if you are not able to quickly identify where the affected dependencies are.
By combining the power of Vulnerability Exploitability eXchange (VEX), Software Bill of Materials (SBoM) and CVE scan reports, SecOps teams can significantly reduce the software supply chain risks they face from upstream vulnerabilities. VEX builds on the strategic value of SBoM and CVE scan reports by adding context to each vulnerability (whether the product is actually affected) and clarity about potential remediation measures. Thus, SecOps teams can prioritize their efforts to remediate what matters the most.
In this whitepaper, you will learn how Tanzu Application Catalog (formerly known as VMware Application Catalog) supports its users with SBoMs, CVE scan reports, and VEX documentation, how they complement each other, and how you can leverage the accurate risk assessment provided by VEX statements to reduce noise in your Trivy CVE report.
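To make the noise-reduction idea concrete, here is an added example that is not code from the whitepaper, from Tanzu Application Catalog or from the Trivy project. It applies OpenVEX statements to a Trivy-shaped JSON report and drops only the findings a vendor has declared `not_affected` (with a justification) or `fixed`, while keeping `affected`, `under_investigation` and unstated findings. The report, the VEX document, the CVE ids and the package URLs are all constructed placeholders. Trivy can consume VEX documents itself; the point of spelling the rule out in a script is that the suppression decision can be reviewed and logged.

```python
"""Apply OpenVEX statements to a Trivy-style report (added example, constructed data)."""
import copy

# Constructed Trivy-shaped report (SchemaVersion 2 layout, abbreviated). Placeholder ids.
TRIVY_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "registry.example.invalid/app:1.0",
    "Results": [{
        "Target": "app.jar",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "liba", "InstalledVersion": "1.2.3",
             "Severity": "CRITICAL", "PkgIdentifier": {"PURL": "pkg:maven/example/liba@1.2.3"}},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libb", "InstalledVersion": "4.5.6",
             "Severity": "HIGH", "PkgIdentifier": {"PURL": "pkg:maven/example/libb@4.5.6"}},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libc", "InstalledVersion": "7.0.0",
             "Severity": "HIGH", "PkgIdentifier": {"PURL": "pkg:maven/example/libc@7.0.0"}},
            {"VulnerabilityID": "CVE-0000-0004", "PkgName": "libd", "InstalledVersion": "0.1.0",
             "Severity": "MEDIUM", "PkgIdentifier": {"PURL": "pkg:maven/example/libd@0.1.0"}},
        ],
    }],
}

# Constructed OpenVEX document (v0.2.0 shape), as a vendor might publish alongside an SBoM.
OPENVEX_DOC = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://vex.example.invalid/app-1.0",
    "author": "Example Vendor Security Team",
    "timestamp": "2024-01-01T00:00:00Z",
    "version": 1,
    "statements": [
        # Vendor analysis: the vulnerable code is never executed in this product.
        {"vulnerability": {"name": "CVE-0000-0001"},
         "products": [{"@id": "pkg:maven/example/liba@1.2.3"}],
         "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
        # Still being triaged: must stay in the report.
        {"vulnerability": {"name": "CVE-0000-0002"},
         "products": [{"@id": "pkg:maven/example/libb@4.5.6"}],
         "status": "under_investigation"},
        # Malformed: not_affected without the justification OpenVEX requires.
        {"vulnerability": {"name": "CVE-0000-0003"},
         "products": [{"@id": "pkg:maven/example/libc@7.0.0"}],
         "status": "not_affected"},
    ],
}

# Only these statuses justify hiding a finding from the report.
SUPPRESSING_STATUSES = {"not_affected", "fixed"}


def index_statements(vex):
    """Map (vulnerability id, product purl) -> statement; a later statement on the
    same pair supersedes an earlier one, so the last one wins."""
    index = {}
    for st in vex.get("statements", []):
        for product in st.get("products", []):
            index[(st["vulnerability"]["name"], product["@id"])] = st
    return index


def apply_vex(report, vex):
    """Return (filtered_report, suppressed, rejected).

    suppressed: findings removed, with the VEX status and justification for the audit log.
    rejected:   ids whose statement matched but was too weak to act on (not_affected
                without justification); those findings are left in the report.
    """
    index = index_statements(vex)
    filtered = copy.deepcopy(report)          # never mutate the scanner's output
    suppressed, rejected = [], []
    for result in filtered.get("Results", []):
        kept = []
        for finding in result.get("Vulnerabilities", []):
            purl = finding.get("PkgIdentifier", {}).get("PURL")
            st = index.get((finding["VulnerabilityID"], purl))
            if st is None or st["status"] not in SUPPRESSING_STATUSES:
                kept.append(finding)          # no VEX, affected, or under_investigation
            elif st["status"] == "not_affected" and not st.get("justification"):
                kept.append(finding)          # refuse to hide a finding on an unjustified claim
                rejected.append(finding["VulnerabilityID"])
            else:
                suppressed.append({"id": finding["VulnerabilityID"], "purl": purl,
                                   "status": st["status"],
                                   "justification": st.get("justification")})
        result["Vulnerabilities"] = kept
    return filtered, suppressed, rejected


def remaining_ids(report):
    """Vulnerability ids still present in a (filtered) report."""
    return [v["VulnerabilityID"]
            for r in report.get("Results", []) for v in r.get("Vulnerabilities", [])]


if __name__ == "__main__":
    filtered, suppressed, rejected = apply_vex(TRIVY_REPORT, OPENVEX_DOC)
    print("remaining:", remaining_ids(filtered))
    print("suppressed:", suppressed)
    print("rejected statements (finding kept):", rejected)
```

The matching key is the package URL from the SBoM rather than the bare package name, so a statement about `libc@7.0.0` cannot silence a finding in a different version. Unmatched findings and `under_investigation` stay visible, and a `not_affected` claim with no justification is logged and ignored, which is the safe default for a document you did not write yourself.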