Skip to content

Commit fd75353

Browse files
authored
Merge pull request #572 from sboldyreva/claude/fervent-ritchie-yuTez
SBOM/VEX info update
2 parents 440fb60 + 3a3bb92 commit fd75353

8 files changed

Lines changed: 92 additions & 42 deletions

File tree

docs/.vuepress/config-client/sidebar.ts

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -520,6 +520,7 @@ export default {
520520
icon: '/images/star.webp',
521521
},
522522
"/els-for-libraries/managing-els-repository/",
523+
"/els-for-libraries/machine-readable-security-data/",
523524
]
524525
},
525526
],
@@ -587,7 +588,13 @@ export default {
587588
title: 'MySQL and Percona Server',
588589
icon: '/images/mysql.webp',
589590
},
591+
{
592+
title: 'Resources',
593+
type: 'section-header',
594+
icon: '/images/star.webp',
595+
},
590596
"/els-for-applications/managing-els-repository/",
597+
"/els-for-applications/machine-readable-security-data/",
591598
]
592599
},
593600
],

docs/els-for-applications/README.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -31,13 +31,13 @@ TuxCare's commitment to transparency and visibility is foundational to our ELS f
3131

3232
<!--* **SLSA Compliance**: All packages are built and signed to ensure verifiable Supply-chain Levels for Software Artifacts (SLSA) compliance. They are securely constructed from vetted sources, include attestations for all dependencies, and undergo continuous testing to maintain integrity and security.
3333
-->
34-
* **Software Bill of Materials (SBOM)**: We provide complete visibility into the software supply chain with a comprehensive inventory of every package in the codebase, ensuring transparency and accountability in your software ecosystem.
34+
* **Software Bill of Materials (SBOM)**: Machine-readable SBOMs provide visibility into package composition and dependencies, supporting software supply chain transparency and accountability. Depending on the package, SBOMs are provided in industry-standard formats — SPDX and CycloneDX. See [Machine-Readable Security Data](./machine-readable-security-data/) for current availability.
3535

3636
:::warning
37-
Note: SBOM support for certain components is in progress and will be available soon. To confirm current availability or expected timeframes, please contact [sales@tuxcare.com](mailto:sales@tuxcare.com).
37+
Note: SBOM availability for certain components is still expanding and may vary by package. Contact [sales@tuxcare.com](mailto:sales@tuxcare.com) for current availability details.
3838
:::
3939

40-
* **Enhanced Metadata in Standard Formats:** SBOMs are provided in SPDX and CycloneDX. CycloneDX VEX documents accompany them with exploitability status (`affected`, `not_affected`, `fixed`, `under_investigation`) so scanners can suppress non-applicable findings.
40+
* **Vulnerability Exploitability eXchange (VEX)**: Machine-readable VEX documents provide contextual vulnerability information, helping teams understand which known CVEs affect specific package versions and reduce remediation noise. VEX is published in standard formats, including CycloneDX VEX. See [Machine-Readable Security Data](./machine-readable-security-data/) for per-ecosystem feeds and details.
4141
* **Verifiable Integrity and Provenance**: Our packages and metadata provide comprehensive end-to-end provenance, detailing how each package was constructed and tested, ensuring that all components in your software stack are trustworthy.
4242

4343
:::warning
Lines changed: 25 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,25 @@
1+
# Machine-Readable Security Data (SBOM, VEX)
2+
3+
TuxCare provides machine-readable security data for ELS for Open-Source Applications in the following formats:
4+
5+
* **SBOM (Software Bill of Materials)** - package composition and dependency inventory in SPDX and CycloneDX formats
6+
* **VEX (Vulnerability Exploitability eXchange)** - exploitability status for known CVEs in CycloneDX VEX format
7+
8+
Released fixes are available via [tuxcare.com/cve-tracker](https://tuxcare.com/cve-tracker/) and [security.tuxcare.com](https://security.tuxcare.com/).
9+
10+
## Software Bill of Materials (SBOM)
11+
12+
Each application package built by TuxCare ships with an SBOM that lists its components, versions, and dependency relationships. SBOMs are provided in industry-standard formats — SPDX and CycloneDX — so they can be consumed by any SBOM-aware scanner or supply-chain tool.
13+
14+
To check whether an SBOM is available for a specific application or to request a copy, reach out to [sales@tuxcare.com](mailto:sales@tuxcare.com).
15+
16+
## Vulnerability Exploitability eXchange (VEX)
17+
18+
TuxCare publishes VEX as CycloneDX VEX documents, distributed alongside each package version and updated with every release. The feed is available at [security.tuxcare.com/vex/cyclonedx](https://security.tuxcare.com/vex/cyclonedx/). A VEX document tells you which known CVEs actually affect a given artifact version and which don't, so scanner results stay focused on real exposure.
19+
20+
Each entry links one CVE to one artifact version and carries a status:
21+
22+
* **exploitable** - the CVE affects this artifact version and has not yet been patched in this release.
23+
* **resolved** - the CVE has been patched through a TuxCare release.
24+
25+
The feed covers every supported base version, every released `-tuxcare.N` iteration, and transitive dependencies, so the entry count reflects all of these combinations rather than the number of unique CVEs. When checking coverage, filter to the artifact versions you actually use — usually the latest `-tuxcare.N` iteration of your chosen base version. Earlier iterations remain in the feed for historical completeness but aren't relevant once you've adopted a newer release.

docs/els-for-libraries/README.md

Lines changed: 7 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -31,13 +31,13 @@ TuxCare's commitment to transparency and visibility is foundational to our ELS f
3131

3232
<!-- * **SLSA Compliance**: All packages are built and signed to ensure verifiable Supply-chain Levels for Software Artifacts (SLSA) compliance. They are securely constructed from vetted sources, include attestations for all dependencies, and undergo continuous testing to maintain integrity and security.
3333
-->
34-
* **Software Bill of Materials (SBOM)**: We provide complete visibility into the software supply chain with a comprehensive inventory of every package in the codebase, ensuring transparency and accountability in your software ecosystem.
34+
* **Software Bill of Materials (SBOM)**: Machine-readable SBOMs provide visibility into package composition and dependencies, supporting software supply chain transparency and accountability. Depending on the package, SBOMs are provided in industry-standard formats — SPDX and CycloneDX. See [Machine-Readable Security Data](./machine-readable-security-data/) for per-ecosystem links.
3535

3636
:::warning
37-
Note: SBOM support for certain components is in progress and will be available soon. To confirm current availability or expected timeframes, please contact [sales@tuxcare.com](mailto:sales@tuxcare.com).
37+
Note: SBOM availability for certain components is still expanding and may vary by package. Contact [sales@tuxcare.com](mailto:sales@tuxcare.com) for current availability details.
3838
:::
3939

40-
* **Enhanced Metadata in Standard Formats:** SBOMs are provided in SPDX and CycloneDX. CycloneDX VEX documents accompany them with exploitability status (`affected`, `not_affected`, `fixed`, `under_investigation`) so scanners can suppress non-applicable findings.
40+
* **Vulnerability Exploitability eXchange (VEX)**: Machine-readable VEX documents provide contextual vulnerability information, helping teams understand which known CVEs affect specific package versions and reduce remediation noise. VEX is published in standard formats, including CycloneDX VEX. See [Machine-Readable Security Data](./machine-readable-security-data/) for per-ecosystem feeds and details.
4141
* **Verifiable Integrity and Provenance**: Our packages and metadata provide comprehensive end-to-end provenance, detailing how each package was constructed and tested, ensuring that all components in your software stack are trustworthy.
4242

4343
:::warning
@@ -58,19 +58,9 @@ TuxCare provides technical support according to the standard [support policy](ht
5858

5959
It delivers 24/7/365 access to TuxCare’s support team through the [TuxCare Support Portal](https://tuxcare.com/support-portal/) and to TuxCare’s online knowledge base.
6060

61-
## Vulnerability Exploitability eXchange (VEX)
61+
<WhatsNext hide-title>
6262

63-
VEX is a machine-readable format that tells you if a known vulnerability is actually exploitable in your product. It reduces false positives, helps prioritize real risks.
64-
65-
Why it matters:
63+
* ![](/images/shield-alert.webp) [Machine-Readable Security Data](./machine-readable-security-data/) — SBOM and VEX feeds, formats, and consumption guidance
64+
* ![](/images/eye.webp) [CVE Tracker](https://tuxcare.com/cve-tracker/) — Track vulnerability fixes and updates
6665

67-
- Context-aware vulnerability status (“affected”, “not affected”, “fixed”)
68-
- Cuts scanner noise to what truly matters
69-
- Automation-friendly for tooling and CI/CD
70-
71-
Language-specific:
72-
73-
- [Python](https://security.tuxcare.com/vex/cyclonedx/els_lang_python/)
74-
- [Java](https://security.tuxcare.com/vex/cyclonedx/els_lang_java/)
75-
- [JavaScript](https://security.tuxcare.com/vex/cyclonedx/els_lang_javascript/)
76-
- [PHP](https://security.tuxcare.com/vex/cyclonedx/els_lang_php/)
66+
</WhatsNext>
Lines changed: 38 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,38 @@
1+
# Machine-Readable Security Data (SBOM, VEX)
2+
3+
TuxCare provides machine-readable security data for ELS for Libraries in the following formats:
4+
5+
* **SBOM (Software Bill of Materials)** — package composition and dependency inventory in SPDX and CycloneDX formats
6+
* **VEX (Vulnerability Exploitability eXchange)** — exploitability status for known CVEs in CycloneDX VEX format
7+
8+
Released fixes are available via [tuxcare.com/cve-tracker](https://tuxcare.com/cve-tracker/) and [security.tuxcare.com](https://security.tuxcare.com/).
9+
10+
## Software Bill of Materials (SBOM)
11+
12+
Each package built by TuxCare ships with an SBOM that lists its components, versions, and dependency relationships. SBOMs are provided in industry-standard formats — SPDX and CycloneDX — so they can be consumed by any SBOM-aware scanner or supply-chain tool.
13+
14+
Per-package SBOMs for Python and JavaScript libraries are published to TuxCare Nexus and require credentials:
15+
16+
* Python - [els_python_sbom](https://nexus.repo.tuxcare.com/#browse/browse:els_python_sbom)
17+
* JavaScript - [els-js-sbom](https://nexus.repo.tuxcare.com/#browse/browse:els-js-sbom)
18+
19+
For other ecosystems, reach out to [sales@tuxcare.com](mailto:sales@tuxcare.com) to check SBOM availability.
20+
21+
## Vulnerability Exploitability eXchange (VEX)
22+
23+
TuxCare publishes VEX as CycloneDX VEX documents, distributed alongside each package version and updated with every release. A VEX document tells you which known CVEs actually affect a given artifact version and which don't, so scanner results stay focused on real exposure.
24+
25+
Feeds are published per ecosystem:
26+
27+
* Java - [els_lang_java](https://security.tuxcare.com/vex/cyclonedx/els_lang_java/)
28+
* Python - [els_lang_python](https://security.tuxcare.com/vex/cyclonedx/els_lang_python/)
29+
* JavaScript - [els_lang_javascript](https://security.tuxcare.com/vex/cyclonedx/els_lang_javascript/)
30+
* PHP - [els_lang_php](https://security.tuxcare.com/vex/cyclonedx/els_lang_php/)
31+
* .NET - [els_lang_dotnet](https://security.tuxcare.com/vex/cyclonedx/els_lang_dotnet/)
32+
33+
Each entry links one CVE to one artifact version and carries a status:
34+
35+
* **exploitable** — the CVE affects this artifact version and has not yet been patched in this release.
36+
* **resolved** — the CVE has been patched through a TuxCare release.
37+
38+
The feed covers every supported base version, every released `-tuxcare.N` iteration, and transitive dependencies, so the entry count reflects all of these combinations rather than the number of unique CVEs. When checking coverage, filter to the artifact versions you actually use — usually the latest `-tuxcare.N` iteration of your chosen base version. Earlier iterations remain in the feed for historical completeness but aren't relevant once you've adopted a newer release.

docs/els-for-os/machine-readable-security-data/README.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,7 @@ TuxCare provides the following security updates for ELS for OS:
77
* **CSAF** — Common Security Advisory Framework advisories in [OASIS](https://www.csaf.io/) CSAF 2.0 format (VEX and Security Advisory)
88
* **RSS** — release feeds for tracking updates
99

10-
Released fixes are available via [tuxcare.com/cve-tracker](https://tuxcare.com/cve-tracker/fixes) and can additionally be found on [security.tuxcare.com](https://security.tuxcare.com).
10+
Released fixes are available via [tuxcare.com/cve-tracker](https://tuxcare.com/cve-tracker/fixes) and [security.tuxcare.com](https://security.tuxcare.com).
1111

1212
## Security data feeds
1313

docs/els-for-runtimes/README.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -33,13 +33,13 @@ TuxCare's commitment to transparency and visibility is foundational to our ELS f
3333

3434
<!-- * **SLSA Compliance**: All packages are built and signed to ensure verifiable Supply-chain Levels for Software Artifacts (SLSA) compliance. They are securely constructed from vetted sources, include attestations for all dependencies, and undergo continuous testing to maintain integrity and security.
3535
-->
36-
* **Software Bill of Materials (SBOM)**: We provide complete visibility into the software supply chain with a comprehensive inventory of every package in the codebase, ensuring transparency and accountability in your software ecosystem.
36+
* **Software Bill of Materials (SBOM)**: Machine-readable SBOMs provide visibility into package composition and dependencies, supporting software supply chain transparency and accountability. Depending on the package, SBOMs are provided in industry-standard formats — SPDX and CycloneDX.
3737

3838
:::warning
39-
Note: SBOM support for certain components is in progress and will be available soon. To confirm current availability or expected timeframes, please contact [sales@tuxcare.com](mailto:sales@tuxcare.com).
39+
Note: SBOM availability for certain components is still expanding and may vary by package. Contact [sales@tuxcare.com](mailto:sales@tuxcare.com) for current availability details.
4040
:::
4141

42-
* **Enhanced Metadata in Standard Formats:** SBOMs are provided in SPDX and CycloneDX. CycloneDX VEX documents accompany them with exploitability status (`affected`, `not_affected`, `fixed`, `under_investigation`) so scanners can suppress non-applicable findings.
42+
* **Vulnerability Exploitability eXchange (VEX)**: Machine-readable VEX documents provide contextual vulnerability information, helping teams understand which known CVEs affect specific package versions and reduce remediation noise. For ELS for Runtimes, VEX is published as part of the CSAF advisory feed. See [Machine-Readable Security Data](./machine-readable-security-data/) for per-runtime CSAF feeds and details.
4343
* **Verifiable Integrity and Provenance**: Our packages and metadata provide comprehensive end-to-end provenance, detailing how each package was constructed and tested, ensuring that all components in your software stack are trustworthy.
4444

4545
:::warning

docs/securechain/README.md

Lines changed: 8 additions & 18 deletions
Original file line numberDiff line numberDiff line change
@@ -33,18 +33,18 @@ Handling Multiple Vulnerabilities: In cases where several CVEs are reported simu
3333

3434
## Enhanced Transparency & Visibility
3535

36-
TuxCare's commitment to transparency and visibility is foundational to our SecureChain offering. We aim to provide comprehensive details about how each package is built, verified, and distributed, ensuring complete trust in the software supply chain.
36+
TuxCare's commitment to transparency and visibility is foundational to our SecureChain offering. We provide verifiable metadata that helps customers understand package composition, software provenance, and vulnerability impact across the software supply chain.
3737

38-
* **SLSA Compliance**: All packages are built and signed to ensure verifiable Supply-chain Levels for Software Artifacts (SLSA) compliance at Level 2 at launch, with Level 3 on the roadmap. They are securely constructed from vetted sources, include attestations for all dependencies, and undergo continuous testing to maintain integrity and security.
39-
* **Software Bill of Materials (SBOM)**: We provide complete visibility into the software supply chain with a comprehensive inventory of every package in the codebase, ensuring transparency and accountability in your software ecosystem.
38+
* **SLSA Compliance**: TuxCare packages are built and signed to support verifiable Supply-chain Levels for Software Artifacts (SLSA) compliance at Level 2 at launch, with Level 3 on the roadmap. Builds run from vetted sources, include attestations for dependencies, and undergo continuous testing to maintain integrity and trust.
39+
* **Software Bill of Materials (SBOM)**: Machine-readable SBOMs provide visibility into package composition and dependencies, supporting software supply chain transparency and accountability. Depending on the package, SBOMs are provided in industry-standard formats — SPDX and CycloneDX. See [Machine-Readable Security Data](./machine-readable-security-data/) for current availability.
4040

4141
:::warning
42-
Note: SBOM support for certain components is in progress and will be available soon. To confirm current availability or expected timeframes, please contact [sales@tuxcare.com](mailto:sales@tuxcare.com).
42+
Note: SBOM availability for certain components is still expanding and may vary by package. Contact [sales@tuxcare.com](mailto:sales@tuxcare.com) for current availability details.
4343
:::
4444

45-
* **Enhanced metadata in standard formats.** SBOMs are provided in SPDX and CycloneDX. CycloneDX VEX documents accompany them with exploitability status (affected, not_affected, fixed, under_investigation) so scanners can suppress non-applicable findings.
46-
* **Verifiable Integrity and Provenance**: Our packages and metadata provide comprehensive end-to-end provenance, detailing how each package was constructed and tested, ensuring that all components in your software stack are trustworthy.
47-
* **Secure Distribution**: Signed versions of the packages and their metadata are distributed from a registry managed, secured, and protected by TuxCare, guaranteeing that your software updates are authentic and untampered.
45+
* **Vulnerability Exploitability eXchange (VEX)**: Machine-readable VEX documents provide contextual vulnerability information, helping teams understand which known CVEs affect specific package versions and reduce remediation noise. VEX is published in standard formats, including CycloneDX VEX. See [Machine-Readable Security Data](./machine-readable-security-data/) for the feed URL and details.
46+
* **Verifiable Integrity and Provenance**: Packages and metadata provide end-to-end provenance information, helping customers verify how software was built, tested, and distributed.
47+
* **Secure Distribution**: Signed packages and associated metadata are distributed through TuxCare-managed infrastructure to ensure authenticity and integrity.
4848

4949
## Support Duration
5050

@@ -58,19 +58,9 @@ TuxCare provides technical support according to the standard [support policy](ht
5858

5959
It delivers 24/7/365 access to TuxCare's support team through the [TuxCare Support Portal](https://tuxcare.com/support-portal/) and to TuxCare's online knowledge base.
6060

61-
## Vulnerability Exploitability eXchange (VEX)
62-
63-
VEX is a machine-readable format that tells you if a known vulnerability is actually exploitable in your product. It reduces false positives, helps prioritize real risks.
64-
65-
Why it matters:
66-
67-
* Context-aware vulnerability status ("affected", "not affected", "fixed")
68-
* Cuts scanner noise to what truly matters
69-
* Automation-friendly for tooling and CI/CD
70-
7161
<WhatsNext hide-title>
7262

73-
* ![](/images/shield-alert.webp) [VEX feed](https://security.tuxcare.com/vex/cyclonedx/)Vulnerability Exploitability eXchange feed
63+
* ![](/images/shield-alert.webp) [Machine-Readable Security Data](./machine-readable-security-data/)SBOM and VEX feeds, formats, and consumption guidance
7464
* ![](/images/eye.webp) [CVE Tracker](https://tuxcare.com/cve-tracker/) — Track vulnerability fixes and updates
7565

7666
</WhatsNext>

0 commit comments

Comments
 (0)