Vulnerability Exploitability Exchange (VEX) 1/2

OpenVEX specification based on work by CISA

[…] indicates the status of a software product or component with respect to a vulnerability

Can define that a product is not affected by a vulnerability

Defined by statements

JSON documents with one or more statements

Statement = Product(s) + Vulnerability(s) + Status

Vulnerability Exploitability Exchange (VEX) 2/2


Create VEX statements using vexctl

Consume VEX documents when scanning: trivy parameter --vex

Consume VEX documents when scanning: grype parameter --vex


Scan and identify a vulnerability as false positive

Create VEX statement using vexctl

Scan again using the VEX statement
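The slide above defines a statement as product(s) + vulnerability + status, and the three-step workflow is "scan, write a VEX statement, scan again with it". The following added example (not part of the original slides, and not trivy's or vexctl's own code) shows what the scanner does in that last step: it validates an OpenVEX document against the field rules of the specification (a not_affected statement needs a justification or impact_statement, an affected statement needs an action_statement) and then uses the statements to split scanner findings into kept and suppressed ones. The document mirrors the slide's demo statement for CVE-2019-8457; the @id URL, the findings list and the second CVE identifier are constructed placeholders, not real data.

```python
"""Validate an OpenVEX document and apply it to scanner findings.

Added example; the matching here is a simplified version of what trivy/grype do.
"""
from __future__ import annotations

import json
from typing import Iterable

# Status and justification vocabularies as defined by the OpenVEX specification.
STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}
# Statuses that let a scanner drop a finding from its report.
SUPPRESSING = {"not_affected", "fixed"}


def _product_ids(stmt: dict) -> set[str]:
    """OpenVEX allows products as plain purl strings or as {"@id": purl} objects."""
    ids: set[str] = set()
    for p in stmt.get("products", []):
        ids.add(p if isinstance(p, str) else p.get("@id", ""))
    ids.discard("")
    return ids


def validate(doc: dict) -> list[str]:
    """Return a list of problems; an empty list means the document is usable."""
    errors: list[str] = []
    for key in ("@context", "@id", "author", "timestamp", "version", "statements"):
        if not doc.get(key):
            errors.append(f"missing or empty {key}")
    for i, stmt in enumerate(doc.get("statements", [])):
        where = f"statement {i}"
        if "name" not in stmt.get("vulnerability", {}):
            errors.append(f"{where}: vulnerability.name is required")
        if not _product_ids(stmt):
            errors.append(f"{where}: at least one product is required")
        status = stmt.get("status")
        if status not in STATUSES:
            errors.append(f"{where}: unknown status {status!r}")
        # A not_affected claim must carry a machine-readable justification
        # or a free-text impact_statement; otherwise it is an unexplained suppression.
        if status == "not_affected" and not (
            stmt.get("justification") in JUSTIFICATIONS or stmt.get("impact_statement")
        ):
            errors.append(f"{where}: not_affected requires a justification or impact_statement")
        # An affected claim must tell the consumer what to do about it.
        if status == "affected" and not stmt.get("action_statement"):
            errors.append(f"{where}: affected requires an action_statement")
    return errors


def apply_vex(findings: Iterable[tuple[str, str]], doc: dict) -> tuple[list, list]:
    """Split (purl, vulnerability) findings into (kept, suppressed).

    Later statements override earlier ones for the same product/vulnerability pair.
    """
    verdict: dict[tuple[str, str], str] = {}
    for stmt in doc.get("statements", []):
        vuln = stmt["vulnerability"]["name"]
        for purl in _product_ids(stmt):
            verdict[(purl, vuln)] = stmt["status"]
    kept: list[tuple[str, str]] = []
    suppressed: list[tuple[str, str]] = []
    for finding in findings:
        (suppressed if verdict.get(finding) in SUPPRESSING else kept).append(finding)
    return kept, suppressed


# Document built from the slide's demo statement. The @id is a constructed placeholder.
DEMO_DOC = json.loads("""
{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.com/vex/demo-1",
  "author": "Aqua Security",
  "timestamp": "2023-08-29T19:07:16.853479631-06:00",
  "version": 1,
  "statements": [
    {
      "vulnerability": {"name": "CVE-2019-8457"},
      "products": [{"@id": "pkg:deb/debian/libdb5.3@5.3.28+dfsg1-0.8"}],
      "status": "not_affected",
      "justification": "vulnerable_code_not_in_execute_path"
    }
  ]
}
""")

# Constructed scanner output: (package purl, vulnerability id). The second id is a placeholder.
FINDINGS = [
    ("pkg:deb/debian/libdb5.3@5.3.28+dfsg1-0.8", "CVE-2019-8457"),
    ("pkg:deb/debian/libdb5.3@5.3.28+dfsg1-0.8", "CVE-0000-00001"),
]


if __name__ == "__main__":
    print("validation errors:", validate(DEMO_DOC))
    kept, suppressed = apply_vex(FINDINGS, DEMO_DOC)
    print("kept:", kept)
    print("suppressed:", suppressed)
```

The design point is that suppression is keyed on the exact product purl plus vulnerability id, so a VEX statement written for one package version does not silently silence the same CVE in a rebuilt or upgraded package; the validation step is what keeps a "not_affected" from being an unexplained suppression.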

VEX: trivy official demo

trivy image debian:11 --format spdx-json --output debian11.spdx.json
trivy sbom debian11.spdx.json --severity CRITICAL
# fill in "@context" (the OpenVEX namespace URL) and a unique "@id" before use
cat <<EOF >debian11.openvex
{
  "@context": "",
  "@id": "",
  "author": "Aqua Security",
  "timestamp": "2023-08-29T19:07:16.853479631-06:00",
  "version": 1,
  "statements": [
    {
      "vulnerability": {"name": "CVE-2019-8457"},
      "products": [ {"@id": "pkg:deb/debian/libdb5.3@5.3.28+dfsg1-0.8"} ],
      "status": "not_affected",
      "justification": "vulnerable_code_not_in_execute_path"
    }
  ]
}
EOF
trivy sbom debian11.spdx.json --severity CRITICAL --vex debian11.openvex