How is a vendor going to answer the justification and impact data requirements without conducting actual research into the reasons why a product is not affected by a vulnerability?
I'll try one last time :) Maybe this is something for a whiteboard/beer session ;-)
I believe part of the confusion is that you seem to (I might be wrong!) want or are implying complete coverage, while what I'm saying is that it is trivial to create not-affected VEXes for a subset of CVEs.
If a vulnerability is filed against component A and my SBOM for my own product says that component A is nowhere in the dependency chain, then I can more or less automatically issue not-affected VEX statements for all products that do not have component A in their SBOM. This is mostly useful for manufacturers which do not provide an SBOM.
If, however, component A is in my chain, then I might have to (according to the CRA, if it is "exploitable") analyze anyway, and if I find that I'm not affected then I can also issue a not-affected VEX.
> If VEX is as easy as some people are saying, then why did Cassie Crossly make the statements she made about her experiences with VEX?
> Was she doing it wrong, which led to her statements?
She doesn't go into detail so it's hard to say what she did and even harder to comment.
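The SBOM-driven procedure described in the reply above, as an added example that is not part of the original thread: it emits OpenVEX-style statements (format assumed) for a constructed set of product SBOMs, asserting `not_affected` with `component_not_present` only where the affected component is absent, and leaving products that do contain it at `under_investigation` so the required analysis is not skipped. The purls, product ids and the CVE placeholder are constructed for the example.

```python
import json

# Constructed sample SBOMs: product id -> list of component purls (not real products)
SBOMS = {
    "pkg:generic/example/gateway@2.1": ["pkg:npm/lodash@4.17.21", "pkg:npm/express@4.18.2"],
    "pkg:generic/example/sensor-fw@1.0": ["pkg:generic/zlib@1.2.13"],
}

def purl_name(purl):
    """Strip the version suffix so 'pkg:npm/lodash@4.17.21' matches 'pkg:npm/lodash'."""
    return purl.split("@")[0]

def vex_status(sbom_components, affected_purl):
    """Return (status, justification) that can be asserted from the SBOM alone.

    Only absence of the component is decided mechanically. Presence means the
    vulnerability still has to be analyzed, so no not_affected claim is made.
    Version ranges are deliberately ignored here; a real matcher must apply them.
    """
    present = any(purl_name(c) == purl_name(affected_purl) for c in sbom_components)
    if present:
        return "under_investigation", None
    return "not_affected", "component_not_present"

def build_openvex(cve_id, affected_purl, sboms):
    """Build one OpenVEX-style statement per product (schema details assumed)."""
    statements = []
    for product, components in sboms.items():
        status, justification = vex_status(components, affected_purl)
        stmt = {
            "vulnerability": {"name": cve_id},
            "products": [{"@id": product}],
            "status": status,
        }
        if justification:
            stmt["justification"] = justification
        statements.append(stmt)
    return {"@context": "https://openvex.dev/ns/v0.2.0", "statements": statements}

if __name__ == "__main__":
    # CVE id is a placeholder; the affected component is taken from the (hypothetical) advisory
    doc = build_openvex("CVE-0000-00000", "pkg:npm/lodash", SBOMS)
    print(json.dumps(doc, indent=2))
```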