feat: use default product/vendor/version for vex triage files

[nancysangani]

Fixes #5072

When generating a VEX output file, --product, --vendor, and --release are now optional.
If not specified, defaults are used (product=unknown, vendor=unknown, release=0.0) and a warning is logged.

This makes VEX generation convenient when scanning directories or files that don't map cleanly to a product/vendor/version tuple.

Changes:

• cve_bin_tool/cli.py: use defaults instead of erroring when product/vendor/release are not provided
• test/test_vex.py: add test for VEX generation with default product info
• test/test_cli.py: add test that CLI no longer errors without product/vendor/release

[Copilot]

Pull request overview

This PR makes VEX generation more convenient by allowing --product, --vendor, and --release to be omitted when producing VEX output, falling back to default metadata values and logging a warning instead of erroring.

Changes:

• Update CLI VEX handling to use default product/vendor/release values (unknown / unknown / 0.0) when missing and log a warning.
• Add a CLI test ensuring VEX generation no longer fails without those flags and that defaults appear in the output.
• Add a VEX generation test that asserts the produced CycloneDX metadata matches the “unknown” values.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File	Description
cve_bin_tool/cli.py	Switch from “InsufficientArgs” error to warning + default product info for VEX output generation.
test/test_cli.py	Add coverage that CLI VEX output succeeds without product/vendor/release and logs a warning.
test/test_vex.py	Add an additional CycloneDX VEX output assertion for “unknown” product info fields.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The warning text is misleading: this branch runs when any of --product/--release/--vendor is missing, but the message says none were provided. Consider rewording to indicate which fields are missing (or say "Missing --product/--release/--vendor; using defaults...") to avoid confusing users who supplied one or two of the flags.

Suggested change

	"No --product, --release, or --vendor provided for VEX generation. "
	"Using defaults: product='unknown', vendor='unknown', release='0.0'."
	"One or more of --product, --release, or --vendor were not provided for VEX generation. "
	"Using defaults for missing values: product='unknown', vendor='unknown', release='0.0'."

[Copilot]

This test only inspects the VEX output if the file exists, which can let failures slip by silently. Since the purpose is to ensure VEX generation succeeds, assert that vex_out exists (and ideally validate its contents) unconditionally.

Suggested change

	if Path(vex_out).exists():
	with open(vex_out) as f:
	vex_data = json.load(f)
	component = vex_data.get("metadata", {}).get("component", {})
	assert component.get("name") == "unknown"
	assert component.get("version") == "0.0"
	assert component.get("supplier", {}).get("name") == "unknown"
	assert Path(vex_out).exists(), "Expected VEX output file to be created"
	with open(vex_out) as f:
	vex_data = json.load(f)
	component = vex_data.get("metadata", {}).get("component", {})
	assert component.get("name") == "unknown"
	assert component.get("version") == "0.0"
	assert component.get("supplier", {}).get("name") == "unknown"

[Copilot]

The test name/docstring say defaults are used "when not specified", but the test passes explicit values ("unknown"/"0.0"). Consider renaming/rewording the test to reflect what it's actually validating, or adjust it to exercise the defaulting behavior at the layer that implements it.

Suggested change

	def test_output_cyclonedx_default_product_info(self):
	"""Test VEX output generation uses default product/vendor/release when not specified"""
	def test_output_cyclonedx_with_provided_product_info(self):
	"""Test VEX output generation uses the provided product/vendor/release values"""