
Vulnerability Exploitability eXchange (VEX) - CycloneDX
By communicating exploitability status in a machine-readable format, CycloneDX empowers software producers, consumers, and auditors to make informed security decisions. VEX integrates seamlessly with broader system inventories, enabling contextual risk assessments and fostering trust throughout the software supply chain.
Introduction to Vulnerability Exploitability eXchange (VEX) - CN-SEC 中文网
February 21, 2022 · This white paper explains the concept of VEX and the important role it plays in the software bill of materials (SBOM) and vulnerability management space. VEX stands for Vulnerability Exploitability eXchange. Its concept and format were developed by the US National Telecommunications and Information Administration (NTIA). Although VEX was developed to meet the specific needs of the software bill of materials (SBOM) and is described by the NTIA as a "companion artifact" to the SBOM, VEX is not limited to use alongside an SBOM. VEX is mainly used to determine whether the product in question is affected by a particular …
Vexed by VEX tools: Consistency evaluation of container …
March 18, 2025 · This paper presents a study that analyzed state-of-the-art vulnerability scanning tools applied to containers. We have focused the work on tools following the Vulnerability Exploitability eXchange (VEX) format, which has been introduced to complement Software Bills of Material (SBOM) with security advisories of known vulnerabilities.
GitHub - openvex/vexctl: A tool to create, transform and attest VEX ...
January 18, 2023 · vexctl is a tool to create, apply, and attest VEX (Vulnerability Exploitability eXchange) data. Its purpose is to help with the creation and management of VEX documents that allow "turning off" security scanner alerts of vulnerabilities known not to affect a product. VEX can be thought of as a "negative security advisory".
OpenVEX · GitHub
OpenVEX is an implementation of the Vulnerability Exploitability Exchange (VEX for short) that is designed to be minimal, compliant, interoperable, and embeddable.
GitHub - madpah/vexy: Generate VEX (Vulnerability Exploitability ...
This project provides a runnable Python-based application for generating VEX (Vulnerability Exploitability Exchange) in CycloneDX format. This tool is intended to be supplied a CycloneDX SBOM file and will produce a separate VEX which contains known vulnerabilities from a selection of publicly available data sources.
What Is VEX (Vulnerability Exploitability eXchange)?
July 30, 2024 · The Vulnerability Exploitability eXchange, or VEX, was created to help security teams understand whether a given vulnerability actually affects them. In this way, VEX provides critical context to vulnerability scanning and helps teams to zero in on critical vulnerabilities faster.
To reduce effort spent by users investigating non-exploitable vulnerabilities that don’t affect a software product, suppliers can issue a VEX. A VEX is an assertion about the status of a vulnerability in specific products.
Local VEX Files - Trivy
In addition to VEX repositories, Trivy also supports the use of local VEX files for vulnerability filtering. This method is useful when you have specific VEX documents that you want to apply to your scans. Currently, Trivy supports the following formats: There are two VEX formats for …
VEX | Proceedings of the 19th USENIX conference on Security
In this paper, we present VEX, a framework for highlighting potential security vulnerabilities in browser extensions by applying static information-flow analysis to the JavaScript code used to implement extensions.