
No way to export a self-describing VEX document. #4397

Open
2 tasks done
ad8-adriant opened this issue Nov 21, 2024 · 0 comments
Labels
enhancement New feature or request

Comments

@ad8-adriant

Current Behavior

(Apologies if this is a duplicate; there are related issues regarding VEX handling but nothing I found seemed to capture the essence of this problem.)

What I would like to do is export a single, self-describing/self-contained VEX document that I could distribute to external parties.

Right now, the options available are:

  • Audit -> Export VEX - This option includes a description of the vulnerabilities but not the corresponding components they apply to. Since DT replaces imported BOM refs with UUIDs, an external party with no access to my DT instance has no idea what they refer to. Vulnerabilities have to be matched to components by their CVEs/CPEs/PURLs alone, leading to issues like #3554 ("Export and Import VEX fails to match Vulnerabilities correctly").
  • Components -> Download -> Inventory with Vulnerabilities - This option includes a description of both the vulnerabilities and their corresponding components, so it satisfies the requirement for being self-describing, but (as of 4.12.1 at least) it does not include any of the analyses, so it doesn't function as a VEX document.

Proposed Behavior

Ideally there would be a way to export the components, vulnerabilities, and analyses for a project as a single CDX document.

Checklist
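The difference between the two export shapes described above and the requested one can be checked mechanically: a document is self-describing VEX only when every `affects.ref` of every vulnerability resolves to a `bom-ref` of a component carried in the same document, and every vulnerability carries an `analysis` with a valid CycloneDX state. The checker below is an added example, not Dependency-Track code; the three input documents are constructed to mimic the shapes discussed in the issue, and the CVE id, PURL and UUID in them are placeholders.

```python
"""Check whether a CycloneDX JSON document is a self-describing VEX document.

Added example (not part of Dependency-Track). The sample documents below are
constructed: CVE-0000-00001, pkg:maven/org.example/lib@1.2.3 and the UUID
are placeholders, not real identifiers.
"""
import json

# Analysis states defined by the CycloneDX vulnerability schema.
ANALYSIS_STATES = {"resolved", "resolved_with_pedigree", "exploitable",
                   "in_triage", "false_positive", "not_affected"}


def check_self_describing(doc: dict) -> list[str]:
    """Return a list of findings; an empty list means the document stands on its own."""
    findings = []
    components = doc.get("components", [])
    refs = {c.get("bom-ref") for c in components if c.get("bom-ref")}
    if not components:
        findings.append("no components: consumers cannot tell what the vulnerabilities apply to")
    for vuln in doc.get("vulnerabilities", []):
        vid = vuln.get("id", "<no id>")
        affects = vuln.get("affects", [])
        if not affects:
            findings.append(f"{vid}: no affects entries")
        for entry in affects:
            ref = entry.get("ref")
            if ref not in refs:
                findings.append(f"{vid}: affects ref {ref!r} does not resolve to a component in this document")
        analysis = vuln.get("analysis") or {}
        if analysis.get("state") not in ANALYSIS_STATES:
            findings.append(f"{vid}: missing analysis state, so this is not a VEX statement")
    return findings


def is_self_describing_vex(doc: dict) -> bool:
    return not check_self_describing(doc)


def check_file(path: str) -> list[str]:
    """Load a CycloneDX JSON file from disk and run the same checks."""
    with open(path, encoding="utf-8") as fh:
        return check_self_describing(json.load(fh))


# Constructed sample data shared by the three document shapes.
COMPONENT = {"type": "library", "bom-ref": "pkg:maven/org.example/lib@1.2.3",
             "group": "org.example", "name": "lib", "version": "1.2.3",
             "purl": "pkg:maven/org.example/lib@1.2.3"}
VULN_NO_ANALYSIS = {"id": "CVE-0000-00001", "source": {"name": "NVD"},
                    "affects": [{"ref": COMPONENT["bom-ref"]}]}
ANALYSIS = {"state": "not_affected", "justification": "code_not_reachable",
            "response": ["will_not_fix"], "detail": "vulnerable code path is never invoked"}
HEADER = {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1}

# Shape 1 (Audit -> Export VEX): analyses present, but no components and an opaque UUID ref.
VEX_EXPORT = {**HEADER, "vulnerabilities": [
    {**VULN_NO_ANALYSIS, "analysis": ANALYSIS,
     "affects": [{"ref": "urn:uuid:00000000-0000-0000-0000-000000000001"}]}]}

# Shape 2 (Components -> Download -> Inventory with Vulnerabilities): components and
# vulnerabilities present, but no analyses.
INVENTORY_EXPORT = {**HEADER, "components": [COMPONENT],
                    "vulnerabilities": [VULN_NO_ANALYSIS]}

# Shape 3: the document the issue asks for, with components, vulnerabilities and analyses.
SELF_DESCRIBING = {**HEADER, "components": [COMPONENT],
                   "vulnerabilities": [{**VULN_NO_ANALYSIS, "analysis": ANALYSIS}]}


if __name__ == "__main__":
    for label, doc in [("VEX export", VEX_EXPORT),
                       ("inventory export", INVENTORY_EXPORT),
                       ("self-describing", SELF_DESCRIBING)]:
        print(label, "->", check_self_describing(doc) or "OK")
```

Running the module prints the findings for each shape: the VEX export fails on the missing components and the unresolvable UUID ref, the inventory export fails on the missing analysis, and only the merged document passes. `check_file` applies the same checks to a file exported from an instance, so a receiving party can verify a document before relying on it.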

@ad8-adriant ad8-adriant added the enhancement New feature or request label Nov 21, 2024