Last week, Marta Rybczynska attended VulnCon 2025, a conference dedicated to vulnerability management. Key highlights include discussions on VEX (Vulnerability Exploitability eXchange) documents, open-source vulnerability management, and the Cyber Resilience Act.
Key Takeaways
✔ CVE Program Progress – Structural issues persist, including lack of updates outside CNAs and data quality concerns.
✔ NVD Backlog – The National Vulnerability Database still struggles with delays.
✔ Open-Source Vulnerability Enrichment – Most organizations handle enrichment internally; open-source alternatives like OSV are emerging.
✔ Standardizing End-of-Life (EoL) – Initiatives like OpenEoX aim to improve software lifecycle management.
What Stood Out
✅ Strong open-source representation (OpenSSF, Apache, Eclipse Foundation).
✅ Lively Discord discussions for virtual participants.
✅ Real-world insights from industry experts.
What’s Missing?
🔹 More end-user voices, especially from embedded systems.
🔹 Faster session replay access.
🔹 More case studies on vulnerability management.
Full write-up: VulnCon 2025 Recap
Contribute to the Open Regulatory Compliance Working Group: Comment Here
You Should Know: Practical Vulnerability Management
1. Generate VEX Documents (Yocto Project Example)
VEX helps determine whether a vulnerability actually affects a product. First produce an SBOM, then cross-check it against CVE databases:
```shell
# Generate an SBOM (Software Bill of Materials) for the Yocto project
$ oe-generate-sbom -p <your_yocto_project>
# Cross-check the SBOM against CVE databases
$ grype sbom:./sbom.json
```
2. Check for CVEs in Linux (Using OSV-Scanner)
```shell
# Install OSV-Scanner (review the script before piping it to a shell)
$ curl -L https://osv.dev/install.sh | sh
# Scan a project directory recursively
$ osv-scanner -r /path/to/your/project
```
3. Query NVD for CVEs (curl + jq)
```shell
$ curl -s "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2024-1234" | jq .
```
4. Automate Vulnerability Scanning in CI/CD (GitHub Actions)
```yaml
# Grype's GitHub Action is published as anchore/scan-action; pin it to a
# release tag or commit SHA rather than a moving branch.
- name: Scan for vulnerabilities
  uses: anchore/scan-action@v6
  with:
    image: "your-docker-image:latest"
```
5. Check End-of-Life (EoL) Status
```shell
# Check a Linux distro's EoL schedule
$ curl -s https://endoflife.date/api/ubuntu.json | jq .
# Check Python's EoL schedule
$ curl -s https://endoflife.date/api/python.json | jq .
```
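As an added example (not code from the original post, the Yocto Project or any of the tools above), the following Python helper builds an OpenVEX document and uses it to triage scanner findings, which is the step the section above only describes in words. The package URLs, the second CVE id, the author address and the document id are constructed placeholders.

```python
import json
from datetime import datetime, timezone

# OpenVEX 0.2.0 vocabulary: the four statuses, and the justifications a
# "not_affected" statement must carry (an impact_statement also satisfies it).
STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
JUSTIFICATIONS = {"component_not_present", "vulnerable_code_not_present",
                  "vulnerable_code_not_in_execute_path",
                  "vulnerable_code_cannot_be_controlled_by_adversary",
                  "inline_mitigations_already_exist"}

def build_vex(author, statements, doc_id, timestamp=None):
    """Assemble an OpenVEX document, rejecting statements the spec disallows."""
    for s in statements:
        if s["status"] not in STATUSES:
            raise ValueError(f"unknown status {s['status']!r}")
        justified = s.get("justification") in JUSTIFICATIONS or s.get("impact_statement")
        if s["status"] == "not_affected" and not justified:
            raise ValueError(f"{s['vulnerability']['name']}: not_affected needs a justification")
    ts = timestamp or datetime.now(timezone.utc).isoformat()
    return {"@context": "https://openvex.dev/ns/v0.2.0", "@id": doc_id, "author": author,
            "timestamp": ts, "version": 1, "statements": statements}

def triage(findings, vex):
    """Drop findings closed by a not_affected/fixed statement for the same
    (CVE, product) pair; anything the VEX does not mention stays open."""
    closed = {(st["vulnerability"]["name"], p["@id"])
              for st in vex["statements"] if st["status"] in ("not_affected", "fixed")
              for p in st["products"]}
    return [f for f in findings if (f["cve"], f["purl"]) not in closed]

# Constructed sample data: two findings as a scanner like grype would report them
# against the SBOM (reduced to the fields triage needs), and the product team's
# analysis of the first one. Package URLs and CVE ids are illustrative only.
FINDINGS = [{"cve": "CVE-2024-1234", "purl": "pkg:generic/openssl@3.0.13"},
            {"cve": "CVE-2024-5678", "purl": "pkg:generic/busybox@1.36.1"}]
STATEMENTS = [{"vulnerability": {"name": "CVE-2024-1234"},
               "products": [{"@id": "pkg:generic/openssl@3.0.13"}],
               "status": "not_affected",
               "justification": "vulnerable_code_not_in_execute_path"}]

if __name__ == "__main__":
    vex = build_vex("security@example.invalid", STATEMENTS, "https://example.invalid/vex/001")
    print(json.dumps(vex, indent=2))
    print("still open:", [f["cve"] for f in triage(FINDINGS, vex)])  # ['CVE-2024-5678']
```

Findings the VEX document does not mention remain open on purpose: silence is not a "not affected" verdict.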
What Undercode Say
Vulnerability management is evolving, but automation, standardization, and open-source collaboration remain critical. Key commands to integrate:
🔹 SBOM Generation: `syft`, `spdx-sbom-generator`
🔹 Dependency Scanning: `trivy`, `dependency-check`
🔹 CVE Lookup: `cve-search-tool`, `vulners-api`
🔹 Patch Management: `apt-get update && apt-get upgrade` (Debian), `yum update` (RHEL)
Embedded security needs more attention; tools like the Yocto Project's CVE checker (cve-check) help.
Expected Output:
A structured vulnerability report, SBOM, and automated CI/CD checks to ensure compliance with Cyber Resilience Act guidelines.
Reported By: Mrybczynska Last – Hackers Feeds