
[SECURITY] publish a VEX/VDR #1183

Open
jkowalleck opened this issue Nov 25, 2024 · 3 comments
Labels
chore documentation Improvements or additions to documentation security

Comments

jkowalleck commented Nov 25, 2024

This library might have/had vulnerabilities, see https://github.com/CycloneDX/cyclonedx-javascript-library/security/advisories
and #1061

We intend to have all security issues closed/fixed eventually, if not already.

We should make this transparent to the user, by publishing a Vulnerability Exploitability eXchange (VEX) document and a Vulnerability Disclosure Report (VDR).

Expected outcome:

  • publish VEX and VDR - as separate files, at best. If needed, use BOM-Links to cross-reference.
  • files should be in the format of CycloneDX 1.6
  • the files should be schema-validated as part of the dogfooding-CI
  • the files are dynamic (change over time) - so there is no intention to ship them with the distribution
  • files should include a VEX and a VDR -- maybe use dedicated files {vex,vdr}.cdx.* , instead of one security.cdx.*

for the content, see distinction https://github.com/CycloneDX/bom-examples/blob/master/VDR/README.md#distinction-between-vulnerability-disclosure-report-vdr-and-vulnerability-exploitability-exchange-vex
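The expected outcome above (two CycloneDX 1.6 documents, cross-referenced with BOM-Links, schema-checked in CI) as an added worked example; this is not code from the cyclonedx-javascript-library project and is written in Python rather than the library's JavaScript. It builds a VDR that lists every known vulnerability in the library and its dependencies together with their analysis state, derives a VEX whose `affects.ref` entries point into the VDR via BOM-Link, and runs a structural lint of the kind a CI job would execute before the real JSON-schema validation. The vulnerability ids, the dependency and the version strings are constructed placeholders; the `analysis.state` and `analysis.justification` enumerations are the ones defined by the CycloneDX 1.6 schema.

```python
"""Pair a CycloneDX 1.6 VDR with a VEX and lint both before publishing.

Added example, not code from the cyclonedx-javascript-library project.
Vulnerability ids, versions, UUIDs and timestamps are constructed.
"""
import json
import re
import uuid
from datetime import datetime, timezone
from typing import Optional

SPEC_VERSION = "1.6"
# Enumerations of the CycloneDX 1.6 "analysis" object.
ANALYSIS_STATES = {"resolved", "resolved_with_pedigree", "exploitable",
                   "in_triage", "false_positive", "not_affected"}
JUSTIFICATIONS = {"code_not_present", "code_not_reachable", "requires_configuration",
                  "requires_dependency", "requires_environment", "protected_by_compiler",
                  "protected_at_runtime", "protected_at_perimeter",
                  "protected_by_mitigating_control"}
UUID = r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}"
SERIAL_RE = re.compile(rf"^urn:uuid:{UUID}$")
BOM_LINK_RE = re.compile(rf"^urn:cdx:{UUID}/[1-9]\d*(#.+)?$")


def bom_link(doc: dict, bom_ref: Optional[str] = None) -> str:
    """BOM-Link (urn:cdx:<uuid>/<version>[#<bom-ref>]) pointing into `doc`."""
    link = f"urn:cdx:{doc['serialNumber'].removeprefix('urn:uuid:')}/{doc['version']}"
    return f"{link}#{bom_ref}" if bom_ref else link


def new_document(component: dict, doc_version: int = 1) -> dict:
    """Skeleton 1.6 document whose metadata.component is the thing reported on."""
    return {"bomFormat": "CycloneDX", "specVersion": SPEC_VERSION,
            "serialNumber": f"urn:uuid:{uuid.uuid4()}", "version": doc_version,
            "metadata": {"timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
                         "component": component},
            "vulnerabilities": []}


def add_vulnerability(doc: dict, vuln_id: str, source: str, ref: str, state: str,
                      justification: Optional[str] = None, detail: str = "") -> None:
    analysis = {"state": state, "detail": detail}
    if justification:
        analysis["justification"] = justification
    doc["vulnerabilities"].append({"id": vuln_id, "source": {"name": source},
                                   "analysis": analysis, "affects": [{"ref": ref}]})


def local_refs(doc: dict) -> set:
    """bom-refs defined inside this document (metadata.component plus components)."""
    items = [doc.get("metadata", {}).get("component", {})] + doc.get("components", [])
    return {c["bom-ref"] for c in items if "bom-ref" in c}


def lint(doc: dict) -> list:
    """Structural checks to run in CI ahead of full schema validation.
    Returns the list of problems found; an empty list means the document passed."""
    problems = []
    if doc.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat must be 'CycloneDX'")
    if doc.get("specVersion") != SPEC_VERSION:
        problems.append(f"specVersion must be {SPEC_VERSION}")
    if not SERIAL_RE.match(doc.get("serialNumber", "")):
        problems.append("serialNumber must be a urn:uuid")
    if not (isinstance(doc.get("version"), int) and doc["version"] >= 1):
        problems.append("version must be an integer >= 1")
    refs = local_refs(doc)
    for i, v in enumerate(doc.get("vulnerabilities", [])):
        where = f"vulnerabilities[{i}]"
        if not v.get("id"):
            problems.append(f"{where}: missing id")
        state = v.get("analysis", {}).get("state")
        just = v.get("analysis", {}).get("justification")
        if state not in ANALYSIS_STATES:
            problems.append(f"{where}: unknown analysis.state {state!r}")
        if just is not None and just not in JUSTIFICATIONS:
            problems.append(f"{where}: unknown analysis.justification {just!r}")
        if state == "not_affected" and not just:  # project rule, not a schema rule
            problems.append(f"{where}: not_affected needs a justification")
        for a in v.get("affects", []):
            ref = a.get("ref", "")
            if ref not in refs and not BOM_LINK_RE.match(ref):
                problems.append(f"{where}: affects.ref {ref!r} is neither a local bom-ref nor a BOM-Link")
    return problems


def build_pair() -> tuple:
    """VDR: all known vulnerabilities with their status. VEX: the exploitability
    statements, each affects.ref being a BOM-Link into the VDR."""
    lib = {"type": "library", "bom-ref": "lib", "name": "@cyclonedx/cyclonedx-library",
           "version": "0.0.0-example"}  # placeholder version
    vdr = new_document(lib)
    vdr["components"] = [{"type": "library", "bom-ref": "dep-a",
                          "name": "example-dependency", "version": "1.2.3"}]  # constructed
    # Constructed ids; a real VDR carries the ids of the published advisories.
    add_vulnerability(vdr, "GHSA-xxxx-xxxx-xxxx", "GitHub Advisory Database", "lib",
                      "resolved", detail="fixed in a later release; upgrade")
    add_vulnerability(vdr, "CVE-0000-00000", "NVD", "dep-a", "not_affected",
                      "code_not_reachable", "vulnerable code path is never called")
    vex = new_document(lib)
    for v in vdr["vulnerabilities"]:
        add_vulnerability(vex, v["id"], v["source"]["name"],
                          bom_link(vdr, v["affects"][0]["ref"]), v["analysis"]["state"],
                          v["analysis"].get("justification"), v["analysis"]["detail"])
    return vdr, vex


if __name__ == "__main__":
    for name, doc in zip(("vdr.cdx.json", "vex.cdx.json"), build_pair()):
        print(name, lint(doc) or "OK")
        print(json.dumps(doc, indent=2))
```

The lint is deliberately not a substitute for the schema: it catches the cheap mistakes (wrong `specVersion`, a dangling `affects.ref`, a `not_affected` claim with no justification) so the CI job fails fast, and the full CycloneDX 1.6 JSON schema is run afterwards. Because both documents are regenerated from the same data, the VEX can never state a vulnerability the VDR does not disclose.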

@jkowalleck jkowalleck changed the title [SECURITY] [SECURITY] publish a VEX Nov 25, 2024
@jkowalleck jkowalleck added the documentation Improvements or additions to documentation label Nov 26, 2024
@jkowalleck jkowalleck changed the title [SECURITY] publish a VEX [SECURITY] publish a VEX/VDR Dec 8, 2024
@jbmaillet

Re-reading @stevespringett's article on the OWASP website (https://owasp.org/blog/2023/02/07/vdr-vex-comparison), and searching for the authoritative reference regarding VDR, I noticed that the NIST SP 800-161, originally from 2015, has been superseded:
https://csrc.nist.gov/pubs/sp/800/161/r1/final

The new revision can be found here, published in May 2022, so after @stevespringett's article, but including updates as of 11-01-2024 (sic):
https://csrc.nist.gov/pubs/sp/800/161/r1/upd1/final
...and in this document, all references to VDR have disappeared. The revision history at the end does not specifically mention this change. I have no idea of the motivations behind this (unfortunate IMHO) removal. I must still have the original SP in my archive, I'll try to dig deeper into the modified section. On a higher level, the update of this SP as a whole seems to be coming from EO 14028.

Whatever the reason, as of today, at least this mention of this NIST SP is out of date in the CDX project:
https://github.com/CycloneDX/bom-examples/blob/master/VDR/README.md#distinction-between-vulnerability-disclosure-report-vdr-and-vulnerability-exploitability-exchange-vex

Note that I do not consider that this makes the VDR concept obsolete. Just that the NIST SP can't be referred to, except for historical purposes.

@jkowalleck
Member Author

> Whatever the reason, as of today, at least this mention of this NIST SP is out of date in the CDX project:
> https://github.com/CycloneDX/bom-examples/blob/master/VDR/README.md#distinction-between-vulnerability-disclosure-report-vdr-and-vulnerability-exploitability-exchange-vex

thanks for the update 👍
In case you want the linked document updated, please open an issue in the respective repo/project of the linked document.

@jbmaillet

jbmaillet commented Jan 23, 2025

(Indeed, will do, just noticed this lib is not the right place for this. It's the only open issue about VDR I could find on CycloneDX as a whole.)

EDIT: done
CycloneDX/bom-examples#54
