实现示例
/**
 * One VEX (Vulnerability Exploitability eXchange) statement about a single CVE.
 * - `cve`: the CVE identifier the statement refers to; its format is checked by `validCve` before use
 * - `status`: the VEX status of the product for this CVE (`affected`, `not_affected`, `under_investigation`, `fixed`)
 * - `justification`: optional rationale — NOTE(review): the VEX specifications expect one whenever `status` is `not_affected`; confirm with the producer
 * - `mitigations`: optional mitigation descriptions, consulted by `decide` only when `status` is `affected`
 */
type Vex = { cve: string; status: 'affected' | 'not_affected' | 'under_investigation' | 'fixed'; justification?: string; mitigations?: string[] }
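/**
 * Syntactic check that `id` looks like a CVE identifier of the form
 * `CVE-YYYY-NNNN…`: an uppercase `CVE-` prefix, a four-digit year between
 * 1999 (the first CVE year) and the current year, and a sequence of at least
 * four digits. The whole string must match — no surrounding whitespace.
 *
 * This validates format only; it does not confirm that the identifier has
 * been published in any CVE database.
 *
 * @param id - candidate identifier
 * @returns `true` when the format and year range are acceptable
 */
function validCve(id: string): boolean {
  const match = /^CVE-(\d{4})-(\d{4,})$/.exec(id)
  if (!match) return false
  // Under noUncheckedIndexedAccess `match[1]` is `string | undefined`; Number()
  // accepts that (undefined → NaN, which fails both comparisons below), so no
  // non-null assertion is needed and the function still compiles under strict.
  const year = Number(match[1])
  return year >= 1999 && year <= new Date().getFullYear()
}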
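/**
 * Policy gate for one VEX record: maps the record's status and the release
 * policy to a release decision. First matching rule wins:
 *
 *  1. malformed CVE id → `'block'` (a record that cannot be attributed to a
 *     CVE is not trusted at all)
 *  2. `fixed` → `'allow'`
 *  3. `not_affected` → `'allow'` only if the policy permits it AND the record
 *     carries a non-blank `justification`; an unjustified not_affected claim
 *     is treated as unverified and blocked
 *  4. `affected` → `'allow'` only if the policy permits mitigated findings AND
 *     at least one non-blank entry is listed in `mitigations`; an empty array
 *     or an array of blank strings does not count
 *  5. anything else — `under_investigation`, or a status value outside the
 *     union that arrives from untyped input — → `'block'`
 *
 * Every path that does not positively satisfy a rule ends in `'block'`
 * (default deny).
 *
 * @param v - the VEX record to evaluate
 * @param policy - which non-`fixed` statuses may pass the gate
 * @returns `'allow'` when the record satisfies a rule above, else `'block'`
 */
function decide(v: Vex, policy: { allowIfNotAffected: boolean; allowIfMitigated: boolean }): 'block' | 'allow' {
  if (!validCve(v.cve)) return 'block'
  if (v.status === 'fixed') return 'allow'
  if (v.status === 'not_affected') {
    return policy.allowIfNotAffected && isNonBlank(v.justification) ? 'allow' : 'block'
  }
  if (v.status === 'affected') {
    // Array.isArray guards against a non-array `mitigations` coming from untyped
    // (e.g. JSON) input, which would otherwise throw on `.some`.
    const mitigated = Array.isArray(v.mitigations) && v.mitigations.some(isNonBlank)
    return policy.allowIfMitigated && mitigated ? 'allow' : 'block'
  }
  return 'block'
}

/** True when `value` is a string with at least one non-whitespace character. */
function isNonBlank(value: unknown): value is string {
  return typeof value === 'string' && value.trim().length > 0
}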
审计与发布治理
记录每条 VEX 的状态、理由与缓解措施；不满足策略时阻断发布，并输出修复建议。VEX 状态变更需经审批并归档。
