VEX (Vulnerability Exploitability eXchange)
VEX (Vulnerability Exploitability eXchange) 是什么?
VEX (Vulnerability Exploitability eXchange)A machine-readable companion to the SBOM that tells consumers whether a listed CVE actually affects a given product — distinguishing 'present in the bill of materials' from 'reachable and exploitable'.
VEX (Vulnerability Exploitability eXchange) is a class of attestation document, formalized by CISA and the U.S. NTIA in 2022–2023, designed to suppress SBOM noise. When a customer scans a vendor's product, they typically discover every CVE listed against every transitive dependency — most of which are not actually exploitable because the affected code path is unused, mitigated, or compiled out. A VEX statement, signed by the vendor or downstream maintainer, declares one of four statuses for each (product, CVE) pair: not_affected, affected, fixed, or under_investigation, plus a justification (e.g. 'vulnerable_code_not_in_execute_path'). VEX is format-agnostic and is currently produced as OpenVEX (a minimal JSON profile), CSAF VEX (an OASIS-standardized profile), or embedded in CycloneDX vulnerability extensions. It is becoming a contractual deliverable alongside SBOMs in regulated sectors.
● 示例
- 01
A library upgrade adds a transitive dep flagged with five CVEs; the vendor ships an OpenVEX document marking four as 'not_affected: vulnerable_code_not_in_execute_path'.
- 02
An automated scanner consumes the customer's SBOM plus the vendor's VEX statements and reduces 200 raw CVE findings to 7 actionable ones.
● 常见问题
VEX (Vulnerability Exploitability eXchange) 是什么?
A machine-readable companion to the SBOM that tells consumers whether a listed CVE actually affects a given product — distinguishing 'present in the bill of materials' from 'reachable and exploitable'. 它属于网络安全的 应用安全 分类。
VEX (Vulnerability Exploitability eXchange) 是什么意思?
A machine-readable companion to the SBOM that tells consumers whether a listed CVE actually affects a given product — distinguishing 'present in the bill of materials' from 'reachable and exploitable'.
VEX (Vulnerability Exploitability eXchange) 是如何工作的?
VEX (Vulnerability Exploitability eXchange) is a class of attestation document, formalized by CISA and the U.S. NTIA in 2022–2023, designed to suppress SBOM noise. When a customer scans a vendor's product, they typically discover every CVE listed against every transitive dependency — most of which are not actually exploitable because the affected code path is unused, mitigated, or compiled out. A VEX statement, signed by the vendor or downstream maintainer, declares one of four statuses for each (product, CVE) pair: not_affected, affected, fixed, or under_investigation, plus a justification (e.g. 'vulnerable_code_not_in_execute_path'). VEX is format-agnostic and is currently produced as OpenVEX (a minimal JSON profile), CSAF VEX (an OASIS-standardized profile), or embedded in CycloneDX vulnerability extensions. It is becoming a contractual deliverable alongside SBOMs in regulated sectors.
如何防御 VEX (Vulnerability Exploitability eXchange)?
针对 VEX (Vulnerability Exploitability eXchange) 的防御通常结合技术控制与运营实践,详见上方完整定义。
VEX (Vulnerability Exploitability eXchange) 还有哪些其他名称?
常见的别称包括: Vulnerability Exploitability eXchange, OpenVEX, CSAF VEX。
● 相关术语
- appsec№ 1185
软件物料清单(SBOM)
以机器可读形式正式描述构成一款软件的组件、库与依赖项及其版本与关系的清单。
- appsec№ 297
CycloneDX
An OWASP-curated open standard for software, SaaS, ML, and crypto bills of materials, designed from the start for security use cases and now widely used to ship SBOMs alongside releases.
- appsec№ 1190
SPDX (Software Package Data Exchange)
A Linux Foundation-maintained, ISO/IEC 5962-standardized open format for software bills of materials, originally focused on license metadata and now broadly used for SBOMs.
- vulnerabilities№ 285
CVE(通用漏洞披露)
为每个已披露的软件或硬件漏洞分配唯一标识符的公共目录,使其能在全行业被明确引用。
- vulnerabilities№ 428
EPSS(漏洞利用预测评分系统)
由 FIRST 维护、基于数据驱动的模型,用于估计某个 CVE 在未来 30 天内被实际利用的概率。
- vulnerabilities№ 663
已知被利用漏洞(KEV)
由美国 CISA 确认正在被实际利用并加入公开 KEV 目录的 CVE,会触发美国联邦机构的修复时限。