We want to support VEX (Vulnerability Exploitability Exchange) documents to filter or provide additional context to matches.
The user will be able to add VEX documents using a CRD, which will be used when scanning an SBOM manifest.
This is already supported by trivy and grype.
We need to understand how a user will configure a VEX document to be used against a certain set of images.
(will this be registry-based? global for all the registries in a namespace? should we implement filters by using image metadata?)
Moreover, the VulnerabilityReport generated should provide details about the VEX profile used to produce it.
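As an added example (not code from sbombastic, Trivy or Grype, and not a proposal for the CRD shape), the following shows what "filter or provide additional context to matches" means mechanically: a VEX document is applied to SBOM scan findings, only `not_affected`/`fixed` statements suppress a match, and each suppression carries the document ID, status and justification that a VulnerabilityReport would need to expose. It assumes OpenVEX as the document format; the image purls, the document ID and the CVE numbers are constructed, and `VexDocument`, `Finding`, `Suppressed`, `ApplyVEX` and `Demo` are hypothetical helper names, not the project's API. It also touches the scoping question above: in OpenVEX the product `@id` of each statement names the image, so a single document already targets a set of images without a separate registry or metadata filter.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal OpenVEX model (assumed format, https://github.com/openvex/spec). Example code, not sbombastic's or Trivy's.
type VexDocument struct {
	ID         string         `json:"@id"`
	Statements []VexStatement `json:"statements"`
}
type VexStatement struct {
	Vulnerability struct{ Name string `json:"name"` } `json:"vulnerability"`
	Products      []VexProduct `json:"products"`
	Status        string       `json:"status"` // not_affected | affected | fixed | under_investigation
	Justification string       `json:"justification,omitempty"`
}
type VexProduct struct {
	ID            string       `json:"@id"`
	Subcomponents []VexProduct `json:"subcomponents,omitempty"`
}

// Finding is one SBOM scan match: image purl, package purl, vulnerability ID.
type Finding struct{ Image, Package, CVE string }

// Suppressed is a filtered match plus the provenance a VulnerabilityReport should record.
type Suppressed struct {
	Finding                            Finding
	VexDocument, Status, Justification string
}

// statementCovers: the vulnerability must match and a product must match the image purl; if that product
// lists subcomponents, the package must be one of them. Image scoping therefore comes from the product @id.
func statementCovers(s VexStatement, f Finding) bool {
	if s.Vulnerability.Name != f.CVE {
		return false
	}
	for _, p := range s.Products {
		if p.ID != f.Image {
			continue
		}
		if len(p.Subcomponents) == 0 {
			return true // statement is about the whole image
		}
		for _, sc := range p.Subcomponents {
			if sc.ID == f.Package {
				return true
			}
		}
	}
	return false
}

// ApplyVEX suppresses a finding only for not_affected/fixed statements; affected and under_investigation
// leave it in place. First covering statement wins (the spec resolves conflicts by timestamp; omitted here).
func ApplyVEX(doc VexDocument, findings []Finding) (kept []Finding, suppressed []Suppressed) {
	for _, f := range findings {
		var hit *VexStatement
		for i := range doc.Statements {
			if statementCovers(doc.Statements[i], f) {
				hit = &doc.Statements[i]
				break
			}
		}
		if hit != nil && (hit.Status == "not_affected" || hit.Status == "fixed") {
			suppressed = append(suppressed, Suppressed{f, doc.ID, hit.Status, hit.Justification})
		} else {
			kept = append(kept, f)
		}
	}
	return kept, suppressed
}

// Constructed sample data: purls, document ID and CVE numbers are made up for this example.
const demoImage = "pkg:oci/demo-app@sha256%3A0000?repository_url=registry.example.invalid/team"
const sampleVEX = `{"@context": "https://openvex.dev/ns/v0.2.0", "@id": "https://vex.example.invalid/demo/1",
 "statements": [
  {"vulnerability": {"name": "CVE-2024-99999"}, "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path",
   "products": [{"@id": "` + demoImage + `", "subcomponents": [{"@id": "pkg:golang/k8s.io/kubernetes@v1.29.0"}]}]},
  {"vulnerability": {"name": "CVE-2024-99998"}, "status": "under_investigation",
   "products": [{"@id": "` + demoImage + `"}]}]}`

// Demo applies the sample document to four constructed findings.
func Demo() (kept []Finding, suppressed []Suppressed) {
	var doc VexDocument
	if err := json.Unmarshal([]byte(sampleVEX), &doc); err != nil {
		panic(err) // constant input; a controller would report this on the CRD's status instead
	}
	findings := []Finding{
		{demoImage, "pkg:golang/k8s.io/kubernetes@v1.29.0", "CVE-2024-99999"},                        // covered: suppressed
		{demoImage, "pkg:golang/github.com/containerd/containerd@v1.7.0", "CVE-2024-99999"},         // other subcomponent: kept
		{demoImage, "pkg:golang/github.com/containerd/containerd@v1.7.0", "CVE-2024-99998"},         // under_investigation: kept
		{"pkg:oci/other-app@sha256%3A1111", "pkg:golang/k8s.io/kubernetes@v1.29.0", "CVE-2024-99999"}, // other image: kept
	}
	return ApplyVEX(doc, findings)
}

func main() {
	kept, suppressed := Demo()
	for _, s := range suppressed {
		fmt.Printf("suppressed %s in %s via %s (%s)\n", s.Finding.CVE, s.Finding.Package, s.VexDocument, s.Justification)
	}
	fmt.Printf("%d findings remain\n", len(kept))
}
```

Two simplifications to keep in mind when reading it against a real implementation: purls are compared as exact strings here, whereas scanners normalise them before matching, and the first covering statement wins, whereas OpenVEX gives precedence to the most recent statement. Neither changes the point that the suppression record, not just the filtered list, is what lets the report state which VEX document and justification removed a match.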
Please consider supporting multiple VEX Hub entries, because we have our own in rancher/vexhub and it has VEXed entries that aren't sent to Trivy's VEX Hub. This happens because we might VEX upstream CVEs in K8s and containerd, for example, that are applicable to our context in Rancher, but not generally applicable to contexts outside of it.
Note: VEX is now an integral part of Rancher, because only with it can we remove known false positives. Only doing an SBOM scan cannot remove such false positives, because it checks only the dependency and version combination, without doing the deeper scan of symbols that one can do with govulncheck (which is our main way to identify false positives).