Loopus


VEX (Vulnerability Exploitability eXchange)


Learning Objectives

  • Define Vulnerability Exploitability eXchange (VEX)
  • Understand how VEX reduces "Vulnerability Noise"
  • Identify VEX status levels

VEX: Fighting Vulnerability Noise

An SBOM tells a customer that a library like openssl is present. If a CVE is announced for that version of openssl, the customer will immediately ask for a patch. However, your developers might know that your app only uses the AES encryption part of openssl, while the vulnerability is in the heartbeat extension, which you have disabled.

VEX (Vulnerability Exploitability eXchange) is the solution to this "false positive" problem.

The Companion to the SBOM

VEX is a machine-readable document (often embedded in the CycloneDX SBOM) that provides the "publisher's perspective" on a vulnerability. It allows you to assert a status for a specific CVE relative to your product:
* Not Affected: The code is present, but the vulnerability cannot be exploited (e.g., the function isn't called, or a compiler flag mitigates it).
* Affected: The flaw is real and exploitable.
* Fixed: The flaw has been mitigated in this version.
* Under Investigation: We know about it, and we're checking.

Automated Triage

By providing VEX data alongside your SBOM, you save your customers from manual triaging and protect your support teams from thousands of "Are you vulnerable to CVE-XXXX?" emails. Security scanners that ingest VEX data will automatically "silence" alerts that are marked as Not Affected.
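The triage step described above, as an added example that is not part of the lesson: a Python function reads a CycloneDX-style VEX document and silences only those scanner findings whose exact (CVE, component) pair is marked not_affected or resolved, leaving in_triage, exploitable and unstated findings visible. The CVE ids, package refs and findings are constructed placeholders; the field names (vulnerabilities, affects, analysis.state, analysis.justification) follow the CycloneDX vulnerabilities schema as I understand it.

```python
import json

# Constructed CycloneDX-style VEX document (sample data, not from the lesson).
# Field names follow the CycloneDX "vulnerabilities" schema (analysis.state,
# analysis.justification); the CVE ids and package refs are placeholders.
VEX_DOC = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "vulnerabilities": [
    {"id": "CVE-0000-0001", "affects": [{"ref": "pkg:generic/openssl@1.0.1"}],
     "analysis": {"state": "not_affected", "justification": "requires_configuration",
                  "detail": "Heartbeat extension disabled at build; only AES routines used."}},
    {"id": "CVE-0000-0002", "affects": [{"ref": "pkg:generic/openssl@1.0.1"}],
     "analysis": {"state": "in_triage"}},
    {"id": "CVE-0000-0003", "affects": [{"ref": "pkg:generic/openssl@1.0.2"}],
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
]})

# Constructed scanner findings: (CVE id, component ref) pairs raised after
# matching the SBOM against a vulnerability database.
FINDINGS = [
    ("CVE-0000-0001", "pkg:generic/openssl@1.0.1"),  # VEX says not_affected
    ("CVE-0000-0002", "pkg:generic/openssl@1.0.1"),  # VEX says in_triage
    ("CVE-0000-0003", "pkg:generic/openssl@1.0.1"),  # VEX statement covers 1.0.2, not 1.0.1
    ("CVE-0000-0004", "pkg:generic/openssl@1.0.1"),  # no VEX statement at all
]

# Lesson statuses mapped to CycloneDX analysis.state values: Not Affected ->
# not_affected, Affected -> exploitable, Fixed -> resolved, Under Investigation
# -> in_triage. Only the first and third justify hiding an alert.
SILENCE_STATES = {"not_affected", "resolved"}


def load_vex_index(vex_json):
    """Index VEX statements by (vulnerability id, affected component ref)."""
    index = {}
    for vuln in json.loads(vex_json).get("vulnerabilities", []):
        for target in vuln.get("affects", []):
            index[(vuln["id"], target["ref"])] = vuln.get("analysis", {})
    return index


def triage(findings, vex_json):
    """Split findings into (kept, silenced). A finding is silenced only when a
    VEX statement for that exact (CVE, component) pair carries a silencing
    state; in_triage, exploitable and missing statements stay visible."""
    index = load_vex_index(vex_json)
    kept, silenced = [], []
    for cve, ref in findings:
        analysis = index.get((cve, ref), {})
        entry = (cve, ref, analysis.get("state", "no_vex_statement"))
        (silenced if analysis.get("state") in SILENCE_STATES else kept).append(entry)
    return kept, silenced
```

Note that a statement for a different version of the same package does not silence the finding; the match is on the exact component ref the VEX author asserted.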

Answer the Questions

Knowledge Question 1

What document asserts the ACTUAL exploitability of a flaw?

Format: *** (3 chars)
Exact match required
Hands-On Question 2

What VEX status indicates a library is present but safe?

Format: *** ******** (12 chars)
Exact match required