
Inconsistent VEX details #2

Open
stevespringett opened this issue Feb 17, 2022 · 2 comments

Comments

@stevespringett

stevespringett commented Feb 17, 2022

In CDXVEX/CDX14.xml, the metadata component is specified as 1.1.8, however, the VEX specifies a range >=1.0.0

<range>vers:semver/>=1.0.0</range>

If the desire is to have a VEX for only one version of SAG-PM, then <range>vers:semver/>=1.0.0</range> should change to <version>1.1.8</version> (or you can simply omit version altogether since the metadata component already specifies it).

If the desire is to have a VEX covering multiple versions of SAG-PM, starting at 1.0.0 and up to and including 1.1.8, then <range>vers:semver/>=1.0.0</range> should change to <range>vers:semver/<=1.1.8</range> AND you should omit <version>1.1.8</version> from the metadata component.
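
The two layouts described in the comment above (a version pinned in metadata/component versus a vers range on the target) can be checked mechanically. The script below is an added example for this thread, not code from the issue or from the repository: it parses a CycloneDX 1.4 document with the Python standard library, evaluates `vers:semver` ranges following the vers spec's pairwise interval rule, and flags a `<range>` on a target whenever metadata/component already pins a single version. The sample document, the `sag-pm` bom-ref and the `EXAMPLE-0001` id are constructed placeholders, not the repository's CDXVEX/CDX14.xml.

```python
"""Cross-check a CycloneDX 1.4 BOM+VEX: do vulnerability targets' <version>/<range>
entries agree with metadata/component/version? Added example, not repository code."""
import re
import xml.etree.ElementTree as ET

NS = {"c": "http://cyclonedx.org/schema/bom/1.4"}

# Constructed sample, not the repository's CDX14.xml: metadata pinned to 1.1.8
# against an open-ended range. bom-ref and vulnerability id are placeholders.
SAMPLE_BOM = """<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <metadata><component type="application" bom-ref="sag-pm">
    <name>SAG-PM</name><version>1.1.8</version>
  </component></metadata>
  <vulnerabilities><vulnerability><id>EXAMPLE-0001</id>
    <affects><target><ref>sag-pm</ref><versions>
      <version><range>vers:semver/>=1.0.0</range></version>
    </versions></target></affects>
  </vulnerability></vulnerabilities>
</bom>
"""

_CMP = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, "<": lambda a, b: a < b,
        "=": lambda a, b: a == b, "!=": lambda a, b: a != b}


def parse_semver(text):
    """'1.1.8' -> (1, 1, 8). A pre-release/build suffix is accepted but not
    ordered (simplification; the ranges in this issue are plain numbers)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-+][0-9A-Za-z.-]+)?", text.strip())
    if not m:
        raise ValueError(f"not a semver version: {text!r}")
    return tuple(int(x) for x in m.groups())


def parse_vers(expr):
    """'vers:semver/>=1.0.0|<=1.1.8' -> [('>=', (1,0,0)), ('<=', (1,1,8))],
    sorted by version as the vers spec requires ('*' is not handled)."""
    m = re.fullmatch(r"vers:([A-Za-z0-9]+)/(.+)", expr.strip())
    if not m or m.group(1) != "semver":
        raise ValueError(f"unsupported range: {expr!r}")
    out = []
    for c in m.group(2).split("|"):
        cm = re.fullmatch(r"(>=|<=|!=|>|<|=)?(.*)", c.strip())
        out.append((cm.group(1) or "=", parse_semver(cm.group(2))))
    return sorted(out, key=lambda t: t[1])


def in_range(version, constraints):
    """Membership test following the vers spec's pairwise interval walk."""
    if any(op == "=" and version == v for op, v in constraints):
        return True                        # exact (in)equalities decide first
    if any(op == "!=" and version == v for op, v in constraints):
        return False
    bounds = [(op, v) for op, v in constraints if op in (">", ">=", "<", "<=")]
    if len(bounds) == 1:
        return _CMP[bounds[0][0]](version, bounds[0][1])
    for i in range(len(bounds) - 1):
        (c_op, c_v), (n_op, n_v) = bounds[i], bounds[i + 1]
        if i == 0 and c_op in ("<", "<=") and _CMP[c_op](version, c_v):
            return True                    # below the lowest upper bound
        if i == len(bounds) - 2 and n_op in (">", ">=") and _CMP[n_op](version, n_v):
            return True                    # above the highest lower bound
        if (c_op in (">", ">=") and n_op in ("<", "<=")
                and _CMP[c_op](version, c_v) and _CMP[n_op](version, n_v)):
            return True                    # inside a closed interval
    return False


def check_bom(xml_text):
    """Return [(vuln id, code, message)]; empty means consistent. Rule from the
    issue: with one version pinned in metadata, a target carries that exact
    <version> or no <versions> at all, never a <range>."""
    root = ET.fromstring(xml_text)
    pinned = root.findtext("c:metadata/c:component/c:version", namespaces=NS)
    findings = []
    if pinned is None:
        return findings                    # multi-version BOM: ranges are fine
    for vuln in root.findall("c:vulnerabilities/c:vulnerability", NS):
        vid = vuln.findtext("c:id", default="?", namespaces=NS)
        for entry in vuln.findall("c:affects/c:target/c:versions/c:version", NS):
            exact = entry.findtext("c:version", namespaces=NS)
            rng = entry.findtext("c:range", namespaces=NS)
            if exact is not None and exact != pinned:
                findings.append((vid, "version-mismatch",
                                 f"target pins {exact}, metadata pins {pinned}"))
            elif rng is not None:          # ValueError if the scheme is not semver
                inside = in_range(parse_semver(pinned), parse_vers(rng))
                findings.append((vid, "range-with-pinned-version",
                                 f"{rng} {'covers' if inside else 'excludes'} "
                                 f"{pinned}; pin <version>{pinned}</version>, "
                                 "drop <versions>, or unpin metadata"))
    return findings


if __name__ == "__main__":
    for vid, code, msg in check_bom(SAMPLE_BOM):
        print(f"{vid}: {code}: {msg}")
```

Run as a script it reports the one finding for the sample. `check_bom` returns an empty list once the target's range is replaced by `<version>1.1.8</version>`, and also once metadata drops its version and the range becomes `vers:semver/>=1.0.0|<=1.1.8`, which are the two fixes proposed above. Pre-release ordering and the `*` wildcard are deliberately out of scope for this checker.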

@rjb4standards
Owner

Thanks Steve; good catch. The concept that I'm aiming for is a direct tie one SBOM -> one "CARFAX Report" link, that is updated independently but remains at the same URL listed in the SBOM.
Thanks for pointing out these issues. I'll take care of these today.

Your help and guidance are invaluable to my Company. Thanks very much.

@rjb4standards
Owner

Steve,

I went with your first suggestion and kept version in the metadata/component and removed the duplicate version info from each vulnerability/target, because my use case will always be one SBOM -> one Vuln Disclosure Report Link.

Thanks for the insights.
