CYCLONEDX
/
GETTING STARTED
/
CAPABILITIES
/
VEX
Convey the exploitability of vulnerable components in the context of the product in which they're used
Vulnerability Exploitability eXchange (VEX) is a form of a security advisory where the goal is to communicate the exploitability of components with known vulnerabilities in the context of the product in which they are used. Often times, products are not affected by a vulnerability simply by including an otherwise vulnerable component. VEX allows software vendors and other parties to communicate the exploitability status of vulnerabilities, providing clarity on the vulnerabilities that pose risk and the ones that do not.
VEX is a critical capability necessary to operationalize SBOM.
Inventory described in a BOM (SBOM, SaaSBOM, etc) will typically remain static until such time the inventory changes. However, vulnerability information is much more dynamic and subject to change. Therefore, it is recommended to decouple the VEX from the BOM. This allows VEX information to be updated without having to create and track additional BOMs.
VEX is an integral part of the CycloneDX specification providing the convenience of leveraging a single format and tool chain.
With CycloneDX, it is possible to reference a component, service, or vulnerability inside a BOM from other systems or other BOMs. This deep-linking capability is referred to as BOM-Link and is a formally registered URN.
Learn more about how CycloneDX makes use of BOM-Link.
CycloneDX VEX BOMs can also be used with alternative SBOM formats such as SPDX, but without the tight integration or support of an IETF standard for linkage. Vendor support may vary.
CycloneDX also supports embedding VEX information inside a BOM, thus having a single artifact that describes both inventory and VEX data. There are several uses for embedding VEX data including:
Every component or service defined in a CycloneDX BOM may optionally define external references to security advisory feeds. CycloneDX is agnostic to the advisory format, however, the Common Security Advisory Framework (CSAF), an OASIS Open standard, is recommended. Refer to the Security Advisories Use Case for more information.
CSAF also supports an optional VEX profile which can be used with CycloneDX.
BOMs demonstrating VEX capabilities can be found at https://github.com/CycloneDX/bom-examples