
feat: use default product/vendor/version for vex triage files #5072

@terriko

Description


Currently, when you want to produce a vex file it asks you to specify the product, vendor and release of the file you're scanning. For example:

cve-bin-tool --offline test/assets/test-curl-7.34.0.out --vex-type cyclonedx --vex-output demo_triage.vex.json --product curl --vendor haxx --release 7.34.0

This is used to fill out some fields at the top of the vex file. I've been wondering: how important are these? I suspect we have a number of cases where people want to generate a vex (because they'll be doing triage) but what they're scanning is a directory or something else that might not map very well to a product/vendor/version tuple. Would it be safe to provide a set of default values when these aren't specified?

Pinging @anthonyharrison and @mastersans for thoughts.
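As an added illustration (not cve-bin-tool's own code), this sketch shows what a header built from defaults could look like in a CycloneDX-style document, plus a check that reports which identity fields are still placeholders, so a consumer of the triage file can tell it was not tied to a concrete product/vendor/version. The placeholder values, the `build_vex_header` and `placeholder_fields` names and the field mapping are assumptions.

```python
import json

# Constructed placeholder identity; an assumption for this sketch, not a
# value cve-bin-tool uses.
DEFAULT_IDENTITY = {"vendor": "unknown", "product": "unknown", "version": "unknown"}


def build_vex_header(product=None, vendor=None, version=None):
    """Return a minimal CycloneDX-style document whose metadata.component
    identifies what was scanned; any field left unset gets the placeholder."""
    ident = {
        "vendor": vendor or DEFAULT_IDENTITY["vendor"],
        "product": product or DEFAULT_IDENTITY["product"],
        "version": version or DEFAULT_IDENTITY["version"],
    }
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "metadata": {
            "component": {
                "type": "application",
                "name": ident["product"],
                "version": ident["version"],
                "supplier": {"name": ident["vendor"]},
            }
        },
        "vulnerabilities": [],
    }


def placeholder_fields(doc):
    """List the identity fields that still carry the placeholder.
    A VEX whose component identity is a placeholder cannot be matched to a
    real product, so a consumer should not apply its analysis statements
    to an arbitrary artifact without confirming what was scanned."""
    comp = doc.get("metadata", {}).get("component", {})
    found = []
    if comp.get("name") == DEFAULT_IDENTITY["product"]:
        found.append("product")
    if comp.get("version") == DEFAULT_IDENTITY["version"]:
        found.append("version")
    if comp.get("supplier", {}).get("name") == DEFAULT_IDENTITY["vendor"]:
        found.append("vendor")
    return found


if __name__ == "__main__":
    defaulted = build_vex_header()  # nothing specified on the command line
    print(json.dumps(defaulted["metadata"], indent=2))
    print("placeholder fields:", placeholder_fields(defaulted))
```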

Labels: enhancement (New feature or request)