Provide VEX Documents for the Kubewarden stack

[flavio]

We currently don't have a process in place to create and distribute VEX Documents.

We've recently run into a security issue of one of our dependencies that caused our images to look vulnerable. However, we were not making use of the vulnerable bits of the library.

We ended up publishing a patch release of Policy Server and kwctl, plus a helm chart update. Our users then had to go through the "pain" of pulling a brand new image on their cluster.

It would have been great instead to just create a VEX document and mark the Policy Server image as not affected by it.

Acceptance Criteria

• Define a location where the VEX Documents can be hosted
• Ensure we are scraped by VEX HUB
• Define a process a developer has to follow to write and publish a VEX document

[flavio]

CC @kubewarden/kubewarden-developers

I would also love to hear @fabriziosestito and @alegrey91 opinions on the matter, given they have extensive knowledge of VEX.
Moreover, we should produce a solution that is used by all the components of the Kubewarden project.

[viccuad]

I would like for the solution to also work nicely in the case of release branches and monorepos (this seems to be possible by the VEX HUB readme).

[jvanz]

To be listed in the Vex Hub we need to registered ourselves in the crawler file. In fact, there are several Rancher/SUSE projects listed there. And, there is a repository to store the Vex reports under Rancher organization

[alegrey91]

Define a location where the VEX Documents can be hosted

Why not use https://github.com/rancher/vexhub ?
The security team actively maintains it.

Define a process a developer has to follow to write and publish a VEX document

I like the idea. We can link the rancher/vexhub repo and tell the user to use vexctl to create the document as the security team is already doing.