Red Hat has been publishing VEX documents for some time now. VEX stands for Vulnerability Exploitability eXchange, and the documents are machine-readable JSON files that describe vulnerabilities and the status of each affected product. For example, one CVE can impact a number of different products because of the component it affects. The RapidReset vulnerability (or CVE-2023-44487) is one such vulnerability that, because it affects the handling of HTTP/2 requests, affected numerous software projects such as nginx and Go. This CVE impacts a number of different products and components, and for Red Hat (if you look at the CVE page) there are over 2000 affected components across our products. Anyone trying to figure out whether they are affected or not by looking at the CVE page is bound to cry in frustration.
This article isn’t about VEX itself though; you can read about the specification via the Red Hat blog linked earlier.
When I was looking for something to parse the VEX files we produce, I found there really wasn’t anything available. Since I don’t get to write much code anymore, I decided to write a VEX reader and made it available on GitHub. I tried to have it read other VEX files, but unfortunately there aren’t a lot that are public out there, so there wasn’t much to test with. And from what I did find, I learned, to my dismay, that the CSAF and CSAF+VEX specs are quite a bit different. I had initially tried to read both formats but (for now) am sticking with CSAF+VEX. Which really means that only Red Hat documents are publicly available. I’ve heard of others behind paywalls, so I don’t know if this will work with them or not.
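To make the "one CVE, many affected components" problem concrete, here is a small added example (written for this article, not code from the vex-reader project on GitHub) that reads a CSAF VEX document and answers "which products does this CVE affect, and with what status?". The JSON sample is constructed to follow the CSAF 2.0 VEX profile layout (`product_tree`, `vulnerabilities`, `product_status`); the product names and IDs are made up and are not taken from a real Red Hat document.

```python
import json

# Constructed sample in the CSAF 2.0 VEX profile layout (not a real Red Hat file):
# a product tree naming two products and one vulnerability whose product_status
# says which product IDs are affected, not affected, fixed or under investigation.
SAMPLE_VEX = json.dumps({
    "product_tree": {"branches": [
        {"category": "vendor", "name": "ExampleVendor", "branches": [
            {"category": "product_name", "name": "Example Web Server 8",
             "product": {"product_id": "EWS-8", "name": "Example Web Server 8"}},
            {"category": "product_name", "name": "Example Toolkit 2",
             "product": {"product_id": "TK-2", "name": "Example Toolkit 2"}},
        ]},
    ]},
    "vulnerabilities": [{
        "cve": "CVE-2023-44487",
        "product_status": {"known_affected": ["EWS-8"], "known_not_affected": ["TK-2"]},
    }],
})

# The product_status keys defined by the CSAF VEX profile.
STATUS_KEYS = ("known_affected", "known_not_affected", "fixed", "under_investigation")

def product_names(tree: dict) -> dict:
    """Walk the nested product_tree branches and map product_id -> display name."""
    names = {}

    def walk(branches: list) -> None:
        for branch in branches:
            if "product" in branch:
                names[branch["product"]["product_id"]] = branch["product"]["name"]
            walk(branch.get("branches", []))  # branches nest vendor > product > ...

    walk(tree.get("branches", []))
    return names

def status_by_cve(doc_text: str) -> dict:
    """Return {cve: {status: [product names]}} for every vulnerability listed."""
    doc = json.loads(doc_text)
    names = product_names(doc.get("product_tree", {}))
    result = {}
    for vuln in doc.get("vulnerabilities", []):
        statuses = vuln.get("product_status", {})
        result[vuln["cve"]] = {key: [names.get(pid, pid) for pid in statuses[key]]
                               for key in STATUS_KEYS if key in statuses}
    return result

def lookup(doc_text: str, cve: str, product_name: str) -> str:
    """Answer 'is this product affected by this CVE?' with a CSAF status or 'unknown'."""
    for status, names in status_by_cve(doc_text).get(cve, {}).items():
        if product_name in names:
            return status
    return "unknown"
```

Real documents resolve many product IDs through `product_tree.relationships` (product X as shipped in product Y), which this constructed sample does not model.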
Programming isn’t my day job so it’s not… what one might consider professional. =) But it was fun for me and hopefully useful for others.
It’s also available on PyPI which, interestingly, is my first published PyPI module (never too late, right?).
As always, patches are welcome if you find any issues.