Design VEX changes for Advisories #452

@mjherzog

Description

The planned VulnerableCode change for the migration to Advisories instead of Vulnerabilities will have a significant impact on the current VEX functionality in DejaCode, which is currently "keyed" by Vulnerability.

Looking at the example of: https://public.dejacode.com/products/Evaluation/DejaCode/5.1/#vulnerabilities in DjC Evaluation, it seems that we will be missing the VCID to group related advisories and this will make the display much more complex.

  • Have we ruled out having something like VCID to group advisories - perhaps the aliases from the advisory record? It is difficult to suggest how to display without some way to group obviously related advisories.
  • It looks like the change will make the VEX reporting more complex if we cannot logically group them so that a user can apply one VEX statement to many advisories.
  • We may also need to consider a DejaCode configuration option to filter the Advisories that are imported into DejaCode based on the origin (importer). For example, a user might want to ignore Red Hat advisories if they do not use Red Hat products. Red Hat is an interesting example because there are multiple datasets to exclude - e.g. Red Hat, Fedora and ? If some Advisories are excluded, we would want some way to alert the user about the intentional exclusion and the availability of additional data.

Metadata

Labels

design needed (Design details needed to complete the issue)

Status

Needs prep
