
feat: [bug description] Add support for SPDX VEX #4716

Open
anthonyharrison opened this issue Jan 24, 2025 · 4 comments
Labels
enhancement New feature or request

Comments

@anthonyharrison
Contributor

Description

SPDX3.0 has introduced a VEX format

Why?

Ensures that cve-bin-tool supports all VEX formats

Anything else?

Lib4vex already includes support for SPDX VEX. The update is primarily to the CLI, to introduce the spdx option.

@anthonyharrison anthonyharrison added the enhancement New feature or request label Jan 24, 2025
@JigyasuRajput

JigyasuRajput commented Jan 30, 2025

Hey! @anthonyharrison,

I’m currently working on implementing the support for the SPDX VEX format. I’ve made some progress; let me know if there are any specific areas I should focus on.

@JigyasuRajput

Hi! @anthonyharrison,

So far I have:

  1. Added the spdx option to the CLI for VEX generation.
  2. Implemented error handling for SPDX VEX files.
  3. Integrated lib4vex for parsing SPDX VEX and mapped SPDX product info to the tool’s internal format.
  4. Updated SBOM detection to identify SPDX VEX files based on content (e.g., spdxVersion and vulnerabilityAnalysis).
  5. Added unit tests for SPDX VEX parsing and validation.

While running tests I am getting an error:
ImportError: cannot import name 'SpdxVexParserError' from 'lib4vex.parser'

This suggests that the lib4vex library doesn't have the SpdxVexParserError class. Could you suggest a workaround, or should I mock these tests for now?

More details:
I used this import in input_engine.py to raise the error:
from lib4vex.parser import VEXParser, SpdxVexParserError
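The two points raised above, detecting an SPDX VEX file by its content (the spdxVersion and vulnerabilityAnalysis markers) and keeping tests runnable while the released lib4vex does not yet export SpdxVexParserError, can be illustrated with a small detector. This is an added example, not code from cve-bin-tool or lib4vex: the guarded import with a local fallback class, the rule that both marker keys must be present for a VEX classification, the size cap, and the sample documents are all assumptions of this example.

```python
import json
from typing import Any, Dict

# The thread reports that the released lib4vex does not yet export
# SpdxVexParserError (it is slated for 0.3.0). Guarding the import lets this
# example run against either version; the fallback class below is this
# example's own stand-in, not lib4vex's.
try:
    from lib4vex.parser import SpdxVexParserError  # type: ignore[attr-defined]
except ImportError:
    class SpdxVexParserError(Exception):  # type: ignore[no-redef]
        """Raised for input that is not a well-formed SPDX VEX document."""


# The two content markers the thread names for detection. Requiring both for a
# VEX classification is this example's heuristic, not the project's logic.
SPDX_VERSION_KEY = "spdxVersion"
VEX_ANALYSIS_KEY = "vulnerabilityAnalysis"

# Cap on accepted input size so a stray oversized file is rejected before it is
# parsed wholesale; the limit itself is an arbitrary choice for the example.
MAX_DOCUMENT_BYTES = 50 * 1024 * 1024


def _load_document(text: str) -> Dict[str, Any]:
    """Parse JSON text and insist on a top-level object."""
    if len(text.encode("utf-8")) > MAX_DOCUMENT_BYTES:
        raise SpdxVexParserError("document exceeds size limit")
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        raise SpdxVexParserError(f"not valid JSON: {exc.msg} at offset {exc.pos}") from exc
    if not isinstance(doc, dict):
        raise SpdxVexParserError("top-level JSON value must be an object")
    return doc


def detect_vex_format(text: str) -> str:
    """Classify a document by its content, not by filename or extension.

    Returns "spdx-vex" when both markers are present, "spdx" when only the
    version marker is present (an SBOM rather than a VEX), and "unknown"
    otherwise. Raises SpdxVexParserError for unparsable input.
    """
    doc = _load_document(text)
    version = doc.get(SPDX_VERSION_KEY)
    has_version = isinstance(version, str) and version.strip() != ""
    has_analysis = doc.get(VEX_ANALYSIS_KEY) is not None
    if has_version and has_analysis:
        return "spdx-vex"
    if has_version:
        return "spdx"
    return "unknown"


def classify_documents(documents: Dict[str, str]) -> Dict[str, str]:
    """Run detection over a batch of name -> text pairs.

    Rejected input is recorded as "error" rather than aborting the whole scan,
    mirroring the error-handling step in the thread: one bad file should not
    stop the rest from being processed.
    """
    results: Dict[str, str] = {}
    for name, text in documents.items():
        try:
            results[name] = detect_vex_format(text)
        except SpdxVexParserError:
            results[name] = "error"
    return results


# Constructed sample inputs; none of these is a real project artefact and the
# CVE identifier is a placeholder.
SAMPLE_DOCUMENTS: Dict[str, str] = {
    "vex.json": json.dumps({
        "spdxVersion": "SPDX-3.0",
        "vulnerabilityAnalysis": [
            {"vulnerability": "CVE-PLACEHOLDER", "status": "not_affected"}
        ],
    }),
    "sbom.json": json.dumps({"spdxVersion": "SPDX-2.3", "packages": []}),
    "other.json": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5"}),
    "broken.json": '{"spdxVersion": "SPDX-3.0", ',
    "list.json": json.dumps([{"spdxVersion": "SPDX-3.0"}]),
}


if __name__ == "__main__":
    for name, kind in classify_documents(SAMPLE_DOCUMENTS).items():
        print(f"{name}: {kind}")
```

Because the fallback only triggers on ImportError, the same module keeps working once lib4vex 0.3.0 ships the real class; the tests then exercise the library's exception rather than the stand-in without any change to the calling code.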

@anthonyharrison
Contributor Author

You need an updated version of lib4vex, which hasn't been released yet. It will be released under release 0.3.0.

@JigyasuRajput

Thanks for the update! I’ll proceed with mocking the missing classes for now to unblock testing. Once lib4vex 0.3.0 is released, I’ll update the dependencies and finalize the implementation. Should I open a draft PR for review in the meantime?

Development

No branches or pull requests

2 participants