lib4vex

Name: lib4vex
Version: 0.2.0
Home page: https://github.com/anthonyharrison/lib4vex
Summary: VEX generator and consumer library
Upload time: 2024-08-29 20:36:52
Maintainer: Anthony Harrison
Docs URL: None
Author: Anthony Harrison
Requires Python: >=3.7
License: Apache-2.0
Keywords: security tools sbom devsecops spdx cyclonedx vex csaf openvex library
VCS:
Bugtrack URL:
Requirements: No requirements were recorded.
Travis-CI: No Travis.
Coveralls test coverage: No coveralls.
# Lib4VEX

Lib4VEX is a library to parse and generate VEX documents. It supports VEX documents created in the [OpenVEX](https://openvex.dev),
[CycloneDX](https://www.cyclonedx.org) or [CSAF](https://docs.oasis-open.org/csaf/csaf/v2.0/csaf-v2.0.html) specifications.

It has been developed on the assumption that a generic abstraction of vulnerability information,
regardless of the underlying document format, will be useful to developers.

The following facilities are provided:

- Generate OpenVEX, CycloneDX and CSAF VEX documents in JSON format
- Parse CycloneDX SBOM in JSON format and extract vulnerability information
- Parse OpenVEX and CSAF documents to extract vulnerability information
- Generated VEX documents can be written to a file or to the console

## Installation

To install use the following command:

`pip install lib4vex`

Alternatively, just clone the repo and install dependencies using the following command:

`pip install -U -r requirements.txt`

The tool requires Python 3 (3.8+). It is recommended to use a virtual Python environment, especially
if you work with different versions of Python. `virtualenv` is a tool for setting up virtual Python environments, which
allows you to have all the dependencies for the tool set up in a single environment, or to have different environments set
up for testing with different versions of Python.

## API

### Metadata

### Product

### Vulnerability

### Debug

Setting the environment variable _**LIB4VEX_DEBUG**_ causes additional information to be reported while a VEX document is being generated.

## Examples

A number of example scripts are included in the _examples_ subdirectory. Examples are provided for CSAF, CycloneDX and OpenVEX scenarios.

## Tutorial

A tutorial showing a lifecycle of vulnerabilities is [available](TUTORIAL.md). Whilst the tutorial uses CSAF as the VEX document, equivalent
steps can be performed for producing a VEX document using CycloneDX or OpenVEX.
## Implementation Notes

The following design decisions have been made in creating and processing VEX files:

1. VEXes should be produced with reference to an SBOM so that only vulnerabilities for components included in the SBOM are included in the VEX document.

2. The VEX document contains all reported vulnerabilities and the respective status. The latest VEX is indicated by the latest timestamp. The previous VEX documents are retained for audit purposes.

3. The VEX document is intended to be used for a single product.
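The three design decisions above can be seen working together in the following added example. It is not lib4vex's own code and does not use the library's API: the function names (`build_vex`, `latest_vex`, `sbom_purls`, `to_json`), the simplified document layout, the sample SBOM fragment and the placeholder vulnerability identifiers are all constructed for this illustration. Only the status and justification vocabularies are taken from the OpenVEX specification.

```python
"""Added example, not lib4vex's own code: the design decisions from the
Implementation Notes expressed with plain Python structures. Function names
and the simplified document layout are this example's own assumptions."""
import json
from datetime import datetime

# Status and justification vocabularies as defined by the OpenVEX specification.
VALID_STATUS = {"not_affected", "affected", "fixed", "under_investigation"}
VALID_JUSTIFICATION = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}

# Constructed sample SBOM fragment (CycloneDX-style component list).
SBOM = {
    "components": [
        {"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
        {"name": "urllib3", "version": "2.0.7", "purl": "pkg:pypi/urllib3@2.0.7"},
    ]
}

# Constructed vulnerability reports. The identifiers are placeholders, not real
# CVEs. The third report names a component that is not in the SBOM at all.
REPORTED = [
    {"id": "CVE-0000-0001", "purl": "pkg:pypi/requests@2.31.0",
     "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
    {"id": "CVE-0000-0002", "purl": "pkg:pypi/urllib3@2.0.7",
     "status": "under_investigation"},
    {"id": "CVE-0000-0003", "purl": "pkg:pypi/unlisted@1.0.0",
     "status": "affected"},
]


def sbom_purls(sbom):
    """Return the set of package URLs declared in the SBOM."""
    return {c["purl"] for c in sbom.get("components", []) if "purl" in c}


def build_vex(product, sbom, reported, timestamp):
    """Build a VEX document for one product (decision 3) that carries
    statements only for components present in the SBOM (decision 1)."""
    known = sbom_purls(sbom)
    statements = []
    for report in reported:
        if report["purl"] not in known:
            # Not part of the product's SBOM: deliberately excluded.
            continue
        status = report["status"]
        if status not in VALID_STATUS:
            raise ValueError(f"unknown VEX status {status!r} for {report['id']}")
        statement = {
            "vulnerability": report["id"],
            "component": report["purl"],
            "status": status,
        }
        if status == "not_affected":
            # A not_affected claim is only useful with a machine-readable reason,
            # so this example refuses to emit one without a valid justification.
            justification = report.get("justification")
            if justification not in VALID_JUSTIFICATION:
                raise ValueError(
                    f"not_affected statement for {report['id']} needs a valid justification"
                )
            statement["justification"] = justification
        statements.append(statement)
    return {"product": product, "timestamp": timestamp, "statements": statements}


def _parse_timestamp(value):
    """Parse an ISO 8601 timestamp; accept a trailing 'Z' on Python < 3.11."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def latest_vex(documents):
    """Select the current VEX document: the one with the newest timestamp
    (decision 2). Earlier documents stay in the list for audit purposes."""
    return max(documents, key=lambda d: _parse_timestamp(d["timestamp"]))


def to_json(document):
    """Serialise a document for output to a file or to the console."""
    return json.dumps(document, indent=2, sort_keys=True)


if __name__ == "__main__":
    print(to_json(build_vex("example-app", SBOM, REPORTED, "2024-08-29T20:36:52Z")))
```

Running the block prints a two-statement document: the report for `pkg:pypi/unlisted@1.0.0` is dropped because that component is not in the SBOM, and a `not_affected` report without one of the recognised justifications is rejected rather than silently emitted.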

## Future Development

1. Add support for SPDX Security profile when released as part of the SPDX 3.0 release.

## License

Licensed under the Apache 2.0 Licence.

## Limitations

This library is meant to support software development. Its usefulness depends on the data
it is given. The library cannot determine the validity or completeness of a VEX file; users of the library and
of the resulting VEX file are therefore reminded that they should verify the quality of any data provided to the library.

## Feedback and Contributions

Bugs and feature requests can be made via GitHub Issues.

Raw data

            {
    "_id": null,
    "home_page": "https://github.com/anthonyharrison/lib4vex",
    "name": "lib4vex",
    "maintainer": "Anthony Harrison",
    "docs_url": null,
    "requires_python": ">=3.7",
    "maintainer_email": "anthony.p.harrison@gmail.com",
    "keywords": "security, tools, SBOM, DevSecOps, SPDX, CycloneDX, VEX, CSAF, OpenVEX, library",
    "author": "Anthony Harrison",
    "author_email": "anthony.p.harrison@gmail.com",
    "download_url": null,
    "platform": null,
    "description": "# Lib4VEX\n\nLib4VEX is a library to parse and generate VEX documents. It supports VEX documents created in the [OpenVEX](https://openvex.dev),\n[CycloneDX](https://www.cyclonedx.org) or [CSAF](https://docs.oasis-open.org/csaf/csaf/v2.0/csaf-v2.0.html) specifications.\n\nIt has been developed on the assumption that having a generic abstraction of vulnerability\nregardless of the underlying format will be useful to developers.\n\nThe following facilities are provided:\n\n- Generate OpenVEX, CycloneDX and CSAF VEX documents in JSON format\n- Parse CycloneDX SBOM in JSON format and extract vulnerability information\n- Parse OpenVEX and CSAF documents to extract vulnerability information\n- Generated VEX document can be output to a file or to the console\n\n## Installation\n\nTo install use the following command:\n\n`pip install lib4vex`\n\nAlternatively, just clone the repo and install dependencies using the following command:\n\n`pip install -U -r requirements.txt`\n\nThe tool requires Python 3 (3.8+). It is recommended to use a virtual python environment especially\nif you are using different versions of python. `virtualenv` is a tool for setting up virtual python environments which\nallows you to have all the dependencies for the tool set up in a single environment, or have different environments set\nup for testing using different versions of Python.\n\n## API\n\n### Metadata\n\n### Product\n\n### Vulnerability\n\n### Debug\n\nCreating the environment variable _**LIB4VEX_DEBUG**_ will result in some additional information being reported when a VEX document is being generated.\n\n## Examples\n\nA number of example scripts are included in the _examples_ subdirectory. Examples are provided for CSAF, CycloneDX and OpenVEX scenarios.\n\n## Tutorial\n\nA tutorial showing a lifecycle of vulnerabilities is [available](TUTORIAL.md). Whilst the tutorial uses CSAF as the VEX document, equivalent\nsteps can be performed for producing a VEX document using CycloneDX or OpenVEX.\n\t\t\t\t\t\t\n## Implementation Notes\n\nThe following design decisions have been made in creating and processing VEX files:\n\n1. VEXes should be produced with reference to an SBOM so that only vulnerabilities for components included in the SBOM are included in the VEX document.\n\n2. The VEX document contains all reported vulnerabilities and the respective status. The latest VEX is indicated by the latest timestamp. The previous VEX documents are retained for audit purposes.\n\n3. The VEX document is intended to be used for a single product.\n\n## Future Development\n\n1. Add support for SPDX Security profile when released as part of the SPDX 3.0 release.\n\n## License\n\nLicensed under the Apache 2.0 Licence.\n\n## Limitations\n\nThis library is meant to support software development. The usefulness of the library is dependent on the data\nwhich is provided. Unfortunately, the library is unable to determine the validity or completeness of such a VEX file; users of the library and\nthe resulting VEX file are therefore reminded that they should assert the quality of any data which is provided to the library.\n\n## Feedback and Contributions\n\nBugs and feature requests can be made via GitHub Issues.\n",
    "bugtrack_url": null,
    "license": "Apache-2.0",
    "summary": "VEX generator and consumer library",
    "version": "0.2.0",
    "project_urls": {
        "Homepage": "https://github.com/anthonyharrison/lib4vex"
    },
    "split_keywords": [
        "security",
        " tools",
        " sbom",
        " devsecops",
        " spdx",
        " cyclonedx",
        " vex",
        " csaf",
        " openvex",
        " library"
    ],
    "urls": [
        {
            "comment_text": "",
            "digests": {
                "blake2b_256": "747affe504386fe7fdebd96eeed330a1313702dffdc2c031984685ddec34ddf5",
                "md5": "611b244ec3abdc4b563d5f370d9c6691",
                "sha256": "bbe730148c1a7629473067ba9702b673af11e225fcd76e6431b881f0731f52ce"
            },
            "downloads": -1,
            "filename": "lib4vex-0.2.0-py2.py3-none-any.whl",
            "has_sig": false,
            "md5_digest": "611b244ec3abdc4b563d5f370d9c6691",
            "packagetype": "bdist_wheel",
            "python_version": "py2.py3",
            "requires_python": ">=3.7",
            "size": 22711,
            "upload_time": "2024-08-29T20:36:52",
            "upload_time_iso_8601": "2024-08-29T20:36:52.569550Z",
            "url": "https://files.pythonhosted.org/packages/74/7a/ffe504386fe7fdebd96eeed330a1313702dffdc2c031984685ddec34ddf5/lib4vex-0.2.0-py2.py3-none-any.whl",
            "yanked": false,
            "yanked_reason": null
        }
    ],
    "upload_time": "2024-08-29 20:36:52",
    "github": true,
    "gitlab": false,
    "bitbucket": false,
    "codeberg": false,
    "github_user": "anthonyharrison",
    "github_project": "lib4vex",
    "travis_ci": false,
    "coveralls": false,
    "github_actions": false,
    "requirements": [],
    "tox": true,
    "lcname": "lib4vex"
}