
Gain Actionable Visibility into Upstream Vulnerabilities with VEX from VMware Application Catalog

This blog post was co-written by Bala Bharathy U and Raquel Godoy.

In April, we announced that all open source software (OSS) artifacts from VMware Application Catalog will be delivered along with a Software Bill of Materials (SBoM) in Software Package Data Exchange (SPDX) format. Now, as the next step in helping our customers move toward efficient vulnerability management and minimize CVEs, we are happy to announce that VMware Application Catalog delivers Vulnerability Exploitability eXchange (VEX) documentation in its security-focused subcatalog. This change is designed to help customers gain actionable visibility into exploitable upstream vulnerabilities, make well-informed security decisions, and avoid spending time and effort trying to fix unexploitable vulnerabilities in their applications.

This blog post outlines what VEX is and how customers can get VEX documentation from VMware Application Catalog. 

What is VEX and why is it important?

VEX was developed as part of the National Telecommunications and Information Administration (NTIA) Multistakeholder Process for Software Component Transparency. The primary use case of VEX, as defined by the NTIA, is to help development and operations teams identify whether a product is affected by a specific vulnerability in one of its upstream components and, if so, provide additional information about identified remediation actions. This allows development and operations teams dealing with vulnerability management to quickly review their options and mitigate risks. 

Often, the development, operations, and security teams working on a product are left trying to fix a vulnerability in an upstream component, unaware that not all vulnerabilities present in upstream components are exploitable in the final product. VEX can reduce the effort that is wasted investigating and remediating unexploitable vulnerabilities by categorizing the vulnerabilities in a given product by status.

The machine readability of VEX enables automation and supports integration with broader tooling and processes. The Common Security Advisory Framework (CSAF), the format in which these VEX documents are delivered, is a standard for machine-readable security advisories developed by the OASIS Open CSAF Technical Committee.

VEX, now a part of VMware Application Catalog

VMware Application Catalog now delivers VEX documentation for all container images built with Photon OS 4 as the base image. In addition to CVE scan reports and SBoMs, the build-time reports of all Photon OS 4–based containers now also incorporate CSAF VEX documents to give context to those vulnerabilities reported on a given container image. Our team of experts working behind the scenes will analyze new CVEs affecting the applications in VMware Application Catalog and will provide assessment details, vulnerability status, and applicable remediation actions as part of VEX documentation.

By combining CSAF VEX documents with CVE scan results and SBoM reports provided by VMware Application Catalog, customers receive an assessment of their upstream vulnerabilities to help make well-informed, risk-based security decisions. This enables customers to take advantage of OSS while achieving their security objectives.

How to get VEX reports from VMware Application Catalog

To illustrate how to get VEX reports through the VMware Application Catalog user interface, here we show an example using the Apache Cassandra container packaged by VMware and built on top of Photon OS 4.

To access the VEX report, navigate to the Build Time Reports section and select the CSAF VEX Document option. Download the document and open it using your preferred code editor.

VMware Application Catalog UI showing the build-time reports of Apache Cassandra packaged by a VMware container, highlighting the CSAF VEX document.

The initial section of the document provides details about the document itself, such as its version, publisher, and data related to document tracking and revision history. Next, you'll find the specification of the product the document describes, followed by the Vulnerabilities section, which provides a comprehensive list of reported vulnerabilities associated with the given software.

As an example, look at the second CVE included in this report, CVE-2022-42003, and you'll notice the VEX document provides a comprehensive description of the CVE. 

Screenshot of VEX documentation for CVE-2022-42003

In the Threats -> Impact section, you will find an explanation of the severity of this vulnerability. In this example, the VMware Application Catalog team did extensive research and found that the maintainers of the Apache Cassandra project consider that this vulnerability doesn't affect their code, so it can be suppressed. In addition to this information, this section also provides a link to the vendor's Jira dashboard where you can follow the status of the issue.

Thus, when customers cross-reference the VEX document with the CVE scanning file, they are equipped with the information needed to assess how many CVEs actually affect the application, thereby reducing noise and the number of false positives reported by scanners.
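As an added example (not code from VMware Application Catalog or the original post), the following Python script performs the cross-referencing described above on a constructed, minimal CSAF 2.0 VEX document: it reads each vulnerability's product_status and "impact" threat statement for a given product id and splits a scanner's CVE list into findings that still need action and ones the VEX suppresses. The product id, the scanner output and the CVE-2099-* ids are placeholders constructed for the example; only CVE-2022-42003 comes from the post.

```python
import json

# Constructed, minimal CSAF 2.0 VEX document, not a real VMware Application Catalog export.
# "PLACEHOLDER-PRODUCT" and CVE-2099-* are placeholders; CVE-2022-42003 is the CVE the post
# discusses, recorded here as known_not_affected with an "impact" threat statement.
VEX = json.loads("""
{
  "document": {"category": "csaf_vex", "title": "constructed example",
               "tracking": {"id": "EXAMPLE-VEX-0001", "version": "1"}},
  "product_tree": {"full_product_names": [
      {"product_id": "PLACEHOLDER-PRODUCT", "name": "cassandra image (constructed)"}]},
  "vulnerabilities": [
    {"cve": "CVE-2022-42003",
     "product_status": {"known_not_affected": ["PLACEHOLDER-PRODUCT"]},
     "threats": [{"category": "impact", "product_ids": ["PLACEHOLDER-PRODUCT"],
                  "details": "Upstream maintainers consider the product not affected."}]},
    {"cve": "CVE-2099-00001",
     "product_status": {"known_affected": ["PLACEHOLDER-PRODUCT"]},
     "remediations": [{"category": "vendor_fix", "product_ids": ["PLACEHOLDER-PRODUCT"],
                       "details": "Fixed in a later build (constructed)."}]}
  ]
}
""")

STATUS_KEYS = ("known_affected", "known_not_affected", "fixed", "under_investigation")

def vex_statuses(vex, product_id):
    """Map CVE id -> (status, impact text) for one product_id in a CSAF VEX document."""
    result = {}
    for vuln in vex.get("vulnerabilities", []):
        ps, cve = vuln.get("product_status", {}), vuln.get("cve")
        status = next((k for k in STATUS_KEYS if product_id in ps.get(k, [])), None)
        if cve is None or status is None:
            continue  # no CVE id, or no statement about this product: caller treats it as unknown
        impact = "; ".join(t["details"] for t in vuln.get("threats", [])
                           if t.get("category") == "impact"
                           and product_id in t.get("product_ids", [product_id]))
        result[cve] = (status, impact)
    return result

def triage(scanner_cves, vex, product_id):
    """Split scanner findings into ones still needing work and ones the VEX suppresses.
    Only known_not_affected and fixed suppress; a CVE with no VEX statement stays actionable."""
    statuses = vex_statuses(vex, product_id)
    actionable, suppressed = [], []
    for cve in scanner_cves:
        status, impact = statuses.get(cve, ("no_vex_statement", ""))
        bucket = suppressed if status in ("known_not_affected", "fixed") else actionable
        bucket.append((cve, status, impact))
    return actionable, suppressed

# Constructed scanner output: the third CVE has no VEX statement and must stay actionable.
SCANNER_CVES = ["CVE-2022-42003", "CVE-2099-00001", "CVE-2099-00002"]
```

Absence of a VEX statement is deliberately not treated as "not affected": only an explicit known_not_affected or fixed status removes a finding from the actionable list.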

Learn more

As OSS plays an indispensable role in the software development processes of many businesses today, more and more enterprises are partnering with VMware Application Catalog to enable their developers to adopt OSS in a more secure and sustainable manner. Learn about the new security-focused subcatalog available in VMware Application Catalog announced at VMware Explore, or download this white paper on security measures in VMware Application Catalog.

If you are interested in learning more about VMware Application Catalog in general, check out the product webpage, Tech Zone page, technical documentation, and additional resources. If you would like to get in touch, contact us.

Read about all of the news announced by the VMware Tanzu team at VMware Explore 2023.