You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/els-for-applications/README.md
+3-3Lines changed: 3 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -31,13 +31,13 @@ TuxCare's commitment to transparency and visibility is foundational to our ELS f
31
31
32
32
<!--* **SLSA Compliance**: All packages are built and signed to ensure verifiable Supply-chain Levels for Software Artifacts (SLSA) compliance. They are securely constructed from vetted sources, include attestations for all dependencies, and undergo continuous testing to maintain integrity and security.
33
33
-->
34
-
***Software Bill of Materials (SBOM)**: We provide complete visibility into the software supply chain with a comprehensive inventory of every packagein the codebase, ensuring transparency and accountability in your software ecosystem.
34
+
***Software Bill of Materials (SBOM)**: Machine-readable SBOMs provide visibility into package composition and dependencies, supporting software supply chain transparency and accountability. Depending on the package, SBOMs are provided in industry-standard formats — SPDX and CycloneDX. See [Machine-Readable Security Data](./machine-readable-security-data/) for current availability.
35
35
36
36
:::warning
37
-
Note: SBOM support for certain components is in progress and will be available soon. To confirm current availability or expected timeframes, please contact [sales@tuxcare.com](mailto:sales@tuxcare.com).
37
+
Note: SBOM availability for certain components is still expanding and may vary by package. Contact [sales@tuxcare.com](mailto:sales@tuxcare.com) for current availability details.
38
38
:::
39
39
40
-
***Enhanced Metadata in Standard Formats:** SBOMs are provided in SPDX and CycloneDX. CycloneDX VEX documents accompany them with exploitability status (`affected`, `not_affected`, `fixed`, `under_investigation`) so scanners can suppress non-applicable findings.
40
+
***Vulnerability Exploitability eXchange (VEX)**: Machine-readable VEX documents provide contextual vulnerability information, helping teams understand which known CVEs affect specific package versions and reduce remediation noise. VEX is published in standard formats, including CycloneDX VEX. See [Machine-Readable Security Data](./machine-readable-security-data/) for per-ecosystem feeds and details.
41
41
***Verifiable Integrity and Provenance**: Our packages and metadata provide comprehensive end-to-end provenance, detailing how each package was constructed and tested, ensuring that all components in your software stack are trustworthy.
TuxCare provides machine-readable security data for ELS for Open-Source Applications in the following formats:
4
+
5
+
***SBOM (Software Bill of Materials)** - package composition and dependency inventory in SPDX and CycloneDX formats
6
+
***VEX (Vulnerability Exploitability eXchange)** - exploitability status for known CVEs in CycloneDX VEX format
7
+
8
+
Released fixes are available via [tuxcare.com/cve-tracker](https://tuxcare.com/cve-tracker/) and [security.tuxcare.com](https://security.tuxcare.com/).
9
+
10
+
## Software Bill of Materials (SBOM)
11
+
12
+
Each application package built by TuxCare ships with an SBOM that lists its components, versions, and dependency relationships. SBOMs are provided in industry-standard formats — SPDX and CycloneDX — so they can be consumed by any SBOM-aware scanner or supply-chain tool.
13
+
14
+
To check whether an SBOM is available for a specific application or to request a copy, reach out to [sales@tuxcare.com](mailto:sales@tuxcare.com).
15
+
16
+
## Vulnerability Exploitability eXchange (VEX)
17
+
18
+
TuxCare publishes VEX as CycloneDX VEX documents, distributed alongside each package version and updated with every release. The feed is available at [security.tuxcare.com/vex/cyclonedx](https://security.tuxcare.com/vex/cyclonedx/). A VEX document tells you which known CVEs actually affect a given artifact version and which don't, so scanner results stay focused on real exposure.
19
+
20
+
Each entry links one CVE to one artifact version and carries a status:
21
+
22
+
***exploitable** - the CVE affects this artifact version and has not yet been patched in this release.
23
+
***resolved** - the CVE has been patched through a TuxCare release.
24
+
25
+
The feed covers every supported base version, every released `-tuxcare.N` iteration, and transitive dependencies, so the entry count reflects all of these combinations rather than the number of unique CVEs. When checking coverage, filter to the artifact versions you actually use — usually the latest `-tuxcare.N` iteration of your chosen base version. Earlier iterations remain in the feed for historical completeness but aren't relevant once you've adopted a newer release.
Copy file name to clipboardExpand all lines: docs/els-for-libraries/README.md
+7-17Lines changed: 7 additions & 17 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -31,13 +31,13 @@ TuxCare's commitment to transparency and visibility is foundational to our ELS f
31
31
32
32
<!-- * **SLSA Compliance**: All packages are built and signed to ensure verifiable Supply-chain Levels for Software Artifacts (SLSA) compliance. They are securely constructed from vetted sources, include attestations for all dependencies, and undergo continuous testing to maintain integrity and security.
33
33
-->
34
-
***Software Bill of Materials (SBOM)**: We provide complete visibility into the software supply chain with a comprehensive inventory of every packagein the codebase, ensuring transparency and accountability in your software ecosystem.
34
+
***Software Bill of Materials (SBOM)**: Machine-readable SBOMs provide visibility into package composition and dependencies, supporting software supply chain transparency and accountability. Depending on the package, SBOMs are provided in industry-standard formats — SPDX and CycloneDX. See [Machine-Readable Security Data](./machine-readable-security-data/) for per-ecosystem links.
35
35
36
36
:::warning
37
-
Note: SBOM support for certain components is in progress and will be available soon. To confirm current availability or expected timeframes, please contact [sales@tuxcare.com](mailto:sales@tuxcare.com).
37
+
Note: SBOM availability for certain components is still expanding and may vary by package. Contact [sales@tuxcare.com](mailto:sales@tuxcare.com) for current availability details.
38
38
:::
39
39
40
-
***Enhanced Metadata in Standard Formats:** SBOMs are provided in SPDX and CycloneDX. CycloneDX VEX documents accompany them with exploitability status (`affected`, `not_affected`, `fixed`, `under_investigation`) so scanners can suppress non-applicable findings.
40
+
***Vulnerability Exploitability eXchange (VEX)**: Machine-readable VEX documents provide contextual vulnerability information, helping teams understand which known CVEs affect specific package versions and reduce remediation noise. VEX is published in standard formats, including CycloneDX VEX. See [Machine-Readable Security Data](./machine-readable-security-data/) for per-ecosystem feeds and details.
41
41
***Verifiable Integrity and Provenance**: Our packages and metadata provide comprehensive end-to-end provenance, detailing how each package was constructed and tested, ensuring that all components in your software stack are trustworthy.
42
42
43
43
:::warning
@@ -58,19 +58,9 @@ TuxCare provides technical support according to the standard [support policy](ht
58
58
59
59
It delivers 24/7/365 access to TuxCare’s support team through the [TuxCare Support Portal](https://tuxcare.com/support-portal/) and to TuxCare’s online knowledge base.
60
60
61
-
## Vulnerability Exploitability eXchange (VEX)
61
+
<WhatsNexthide-title>
62
62
63
-
VEX is a machine-readable format that tells you if a known vulnerability is actually exploitable in your product. It reduces false positives, helps prioritize real risks.
64
-
65
-
Why it matters:
63
+
*[Machine-Readable Security Data](./machine-readable-security-data/) — SBOM and VEX feeds, formats, and consumption guidance
64
+
*[CVE Tracker](https://tuxcare.com/cve-tracker/) — Track vulnerability fixes and updates
66
65
67
-
- Context-aware vulnerability status (“affected”, “not affected”, “fixed”)
TuxCare provides machine-readable security data for ELS for Libraries in the following formats:
4
+
5
+
***SBOM (Software Bill of Materials)** — package composition and dependency inventory in SPDX and CycloneDX formats
6
+
***VEX (Vulnerability Exploitability eXchange)** — exploitability status for known CVEs in CycloneDX VEX format
7
+
8
+
Released fixes are available via [tuxcare.com/cve-tracker](https://tuxcare.com/cve-tracker/) and [security.tuxcare.com](https://security.tuxcare.com/).
9
+
10
+
## Software Bill of Materials (SBOM)
11
+
12
+
Each package built by TuxCare ships with an SBOM that lists its components, versions, and dependency relationships. SBOMs are provided in industry-standard formats — SPDX and CycloneDX — so they can be consumed by any SBOM-aware scanner or supply-chain tool.
13
+
14
+
Per-package SBOMs for Python and JavaScript libraries are published to TuxCare Nexus and require credentials:
For other ecosystems, reach out to [sales@tuxcare.com](mailto:sales@tuxcare.com) to check SBOM availability.
20
+
21
+
## Vulnerability Exploitability eXchange (VEX)
22
+
23
+
TuxCare publishes VEX as CycloneDX VEX documents, distributed alongside each package version and updated with every release. A VEX document tells you which known CVEs actually affect a given artifact version and which don't, so scanner results stay focused on real exposure.
Each entry links one CVE to one artifact version and carries a status:
34
+
35
+
***exploitable** — the CVE affects this artifact version and has not yet been patched in this release.
36
+
***resolved** — the CVE has been patched through a TuxCare release.
37
+
38
+
The feed covers every supported base version, every released `-tuxcare.N` iteration, and transitive dependencies, so the entry count reflects all of these combinations rather than the number of unique CVEs. When checking coverage, filter to the artifact versions you actually use — usually the latest `-tuxcare.N` iteration of your chosen base version. Earlier iterations remain in the feed for historical completeness but aren't relevant once you've adopted a newer release.
Copy file name to clipboardExpand all lines: docs/els-for-os/machine-readable-security-data/README.md
+1-1Lines changed: 1 addition & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -7,7 +7,7 @@ TuxCare provides the following security updates for ELS for OS:
7
7
***CSAF** — Common Security Advisory Framework advisories in [OASIS](https://www.csaf.io/) CSAF 2.0 format (VEX and Security Advisory)
8
8
***RSS** — release feeds for tracking updates
9
9
10
-
Released fixes are available via [tuxcare.com/cve-tracker](https://tuxcare.com/cve-tracker/fixes) and can additionally be found on [security.tuxcare.com](https://security.tuxcare.com).
10
+
Released fixes are available via [tuxcare.com/cve-tracker](https://tuxcare.com/cve-tracker/fixes) and [security.tuxcare.com](https://security.tuxcare.com).
Copy file name to clipboardExpand all lines: docs/els-for-runtimes/README.md
+3-3Lines changed: 3 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -33,13 +33,13 @@ TuxCare's commitment to transparency and visibility is foundational to our ELS f
33
33
34
34
<!-- * **SLSA Compliance**: All packages are built and signed to ensure verifiable Supply-chain Levels for Software Artifacts (SLSA) compliance. They are securely constructed from vetted sources, include attestations for all dependencies, and undergo continuous testing to maintain integrity and security.
35
35
-->
36
-
***Software Bill of Materials (SBOM)**: We provide complete visibility into the software supply chain with a comprehensive inventory of every package in the codebase, ensuring transparency and accountability in your software ecosystem.
36
+
***Software Bill of Materials (SBOM)**: Machine-readable SBOMs provide visibility into package composition and dependencies, supporting software supply chain transparency and accountability. Depending on the package, SBOMs are provided in industry-standard formats — SPDX and CycloneDX.
37
37
38
38
:::warning
39
-
Note: SBOM support for certain components is in progress and will be available soon. To confirm current availability or expected timeframes, please contact [sales@tuxcare.com](mailto:sales@tuxcare.com).
39
+
Note: SBOM availability for certain components is still expanding and may vary by package. Contact [sales@tuxcare.com](mailto:sales@tuxcare.com) for current availability details.
40
40
:::
41
41
42
-
***Enhanced Metadata in Standard Formats:** SBOMs are provided in SPDX and CycloneDX. CycloneDX VEX documents accompany them with exploitability status (`affected`, `not_affected`, `fixed`, `under_investigation`) so scanners can suppress non-applicable findings.
42
+
***Vulnerability Exploitability eXchange (VEX)**: Machine-readable VEX documents provide contextual vulnerability information, helping teams understand which known CVEs affect specific package versions and reduce remediation noise. For ELS for Runtimes, VEX is published as part of the CSAF advisory feed. See [Machine-Readable Security Data](./machine-readable-security-data/) for per-runtime CSAF feeds and details.
43
43
***Verifiable Integrity and Provenance**: Our packages and metadata provide comprehensive end-to-end provenance, detailing how each package was constructed and tested, ensuring that all components in your software stack are trustworthy.
Copy file name to clipboardExpand all lines: docs/securechain/README.md
+8-18Lines changed: 8 additions & 18 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -33,18 +33,18 @@ Handling Multiple Vulnerabilities: In cases where several CVEs are reported simu
33
33
34
34
## Enhanced Transparency & Visibility
35
35
36
-
TuxCare's commitment to transparency and visibility is foundational to our SecureChain offering. We aim to provide comprehensive details about how each package is built, verified, and distributed, ensuring complete trust in the software supply chain.
36
+
TuxCare's commitment to transparency and visibility is foundational to our SecureChain offering. We provide verifiable metadata that helps customers understand package composition, software provenance, and vulnerability impact across the software supply chain.
37
37
38
-
***SLSA Compliance**: All packages are built and signed to ensure verifiable Supply-chain Levels for Software Artifacts (SLSA) compliance at Level 2 at launch, with Level 3 on the roadmap. They are securely constructed from vetted sources, include attestations for all dependencies, and undergo continuous testing to maintain integrity and security.
39
-
***Software Bill of Materials (SBOM)**: We provide complete visibility into the software supply chain with a comprehensive inventory of every packagein the codebase, ensuring transparency and accountability in your software ecosystem.
38
+
***SLSA Compliance**: TuxCare packages are built and signed to support verifiable Supply-chain Levels for Software Artifacts (SLSA) compliance at Level 2 at launch, with Level 3 on the roadmap. Builds run from vetted sources, include attestations for dependencies, and undergo continuous testing to maintain integrity and trust.
39
+
***Software Bill of Materials (SBOM)**: Machine-readable SBOMs provide visibility into package composition and dependencies, supporting software supply chain transparency and accountability. Depending on the package, SBOMs are provided in industry-standard formats — SPDX and CycloneDX. See [Machine-Readable Security Data](./machine-readable-security-data/) for current availability.
40
40
41
41
:::warning
42
-
Note: SBOM support for certain components is in progress and will be available soon. To confirm current availability or expected timeframes, please contact [sales@tuxcare.com](mailto:sales@tuxcare.com).
42
+
Note: SBOM availability for certain components is still expanding and may vary by package. Contact [sales@tuxcare.com](mailto:sales@tuxcare.com) for current availability details.
43
43
:::
44
44
45
-
***Enhanced metadata in standard formats.** SBOMs are provided in SPDX and CycloneDX. CycloneDX VEX documents accompany them with exploitability status (affected, not_affected, fixed, under_investigation) so scanners can suppress non-applicable findings.
46
-
***Verifiable Integrity and Provenance**: Our packages and metadata provide comprehensive end-to-end provenance, detailing how each package was constructed and tested, ensuring that all components in your software stack are trustworthy.
47
-
***Secure Distribution**: Signed versions of the packages and their metadata are distributed from a registry managed, secured, and protected by TuxCare, guaranteeing that your software updates are authentic and untampered.
45
+
***Vulnerability Exploitability eXchange (VEX)**: Machine-readable VEX documents provide contextual vulnerability information, helping teams understand which known CVEs affect specific package versions and reduce remediation noise. VEX is published in standard formats, including CycloneDX VEX. See [Machine-Readable Security Data](./machine-readable-security-data/) for the feed URL and details.
46
+
***Verifiable Integrity and Provenance**: Packages and metadata provide end-to-end provenance information, helping customers verify how software was built, tested, and distributed.
47
+
***Secure Distribution**: Signed packages and associated metadata are distributed through TuxCare-managed infrastructure to ensure authenticity and integrity.
48
48
49
49
## Support Duration
50
50
@@ -58,19 +58,9 @@ TuxCare provides technical support according to the standard [support policy](ht
58
58
59
59
It delivers 24/7/365 access to TuxCare's support team through the [TuxCare Support Portal](https://tuxcare.com/support-portal/) and to TuxCare's online knowledge base.
60
60
61
-
## Vulnerability Exploitability eXchange (VEX)
62
-
63
-
VEX is a machine-readable format that tells you if a known vulnerability is actually exploitable in your product. It reduces false positives, helps prioritize real risks.
64
-
65
-
Why it matters:
66
-
67
-
* Context-aware vulnerability status ("affected", "not affected", "fixed")
0 commit comments