Reduce CVE noise with OpenVEX assessments in Datadog
Blog post from Datadog
Software Composition Analysis (SCA) tools are a core part of modern security programs: they identify vulnerabilities in the software supply chain by matching component fingerprints against Common Vulnerabilities and Exposures (CVE) databases. However, they can flag vulnerabilities that pose no real risk in context, leaving security teams to assess severity without complete information. To help with this, Datadog offers the Public Artifact Vulnerabilities page, which provides visibility and exploitability assessments for its software using the OpenVEX specification.

OpenVEX, a lightweight format endorsed by the Cybersecurity and Infrastructure Security Agency (CISA), records the status, justification, impact, and recommended action for each vulnerability in machine-readable documents. Datadog combines automated scans with expert analysis to generate and validate its VEX statements, which are published weekly and can be consumed by security pipelines to prioritize the issues that are actually actionable. This reduces noise in scan results and supports better decisions about potential risks in Datadog-managed software.
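As an added example (not code from the Datadog post or its tooling), here is how a pipeline could consume such a document: it loads a constructed OpenVEX document, checks that each statement carries the fields the spec requires for its status, and lets only valid not_affected/fixed statements suppress matching scanner findings. The product purl and the CVE ids are placeholders, not real identifiers.

```python
# Constructed OpenVEX v0.2.0 document (illustration only; CVE ids are
# placeholders and the purl is made up). Each statement binds one
# vulnerability to products with a status and supporting fields.
PURL = "pkg:golang/example.invalid/agent@1.0.0"
VEX_DOC = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/constructed-001",
    "author": "constructed example", "timestamp": "2024-01-01T00:00:00Z",
    "version": 1,
    "statements": [
        {"vulnerability": {"name": "CVE-0000-0001"}, "products": [{"@id": PURL}],
         "status": "not_affected",
         "justification": "vulnerable_code_not_in_execute_path"},
        {"vulnerability": {"name": "CVE-0000-0002"}, "products": [{"@id": PURL}],
         "status": "affected", "action_statement": "upgrade to 1.0.1"},
        # Malformed: not_affected without justification or impact_statement.
        {"vulnerability": {"name": "CVE-0000-0003"}, "products": [{"@id": PURL}],
         "status": "not_affected"},
    ],
}

def valid_statement(s: dict) -> bool:
    """not_affected needs a justification or impact_statement and affected
    needs an action_statement; a claim missing them must not silence a finding."""
    status = s.get("status")
    if status == "not_affected":
        return "justification" in s or "impact_statement" in s
    if status == "affected":
        return "action_statement" in s
    return status in {"fixed", "under_investigation"}

def index_vex(doc: dict) -> dict[tuple[str, str], dict]:
    """Map (CVE id, product purl) -> statement, well-formed statements only."""
    idx = {}
    for s in doc["statements"]:
        if valid_statement(s):
            for p in s["products"]:
                idx[(s["vulnerability"]["name"], p["@id"])] = s
    return idx

def triage(findings: list[tuple[str, str]], doc: dict) -> dict[str, list[str]]:
    """Split scanner findings (CVE id, purl) into suppressed and actionable.
    Only a valid not_affected/fixed statement for that exact product suppresses."""
    idx = index_vex(doc)
    result = {"suppressed": [], "actionable": []}
    for cve, purl in findings:
        s = idx.get((cve, purl))
        bucket = "suppressed" if s and s["status"] in {"not_affected", "fixed"} else "actionable"
        result[bucket].append(cve)
    return result
```

Findings for a product the document does not mention, or covered only by a malformed statement, stay on the actionable list, which is the safe default when a VEX claim cannot be trusted.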