Create a VEX report from a delivery

Updated 2025-01-20 SBOM Central

A Vulnerability Exploitability eXchange (VEX) report is a type of security advisory, similar to those commonly issued by mature product security teams. The key distinction of the VEX model is that its reports are machine-readable: each statement records, for a given product and vulnerability, a status such as affected, not affected, fixed or under investigation, so security management tools and vulnerability tracking platforms can consume the decision without a human reading the advisory. VEX data complements Software Bill of Materials (SBOM) data: the SBOM says which components a delivery contains, and the VEX says whether the vulnerabilities reported against those components actually matter for that delivery.

In SBOM Central, you can generate VEX reports for specific vulnerabilities and their associated SBOMs from the list of deliveries that have Delivery Reports. For details, see Why is VEX generation tied to Delivery Reports.

The SBOM is actively monitored for newly discovered vulnerabilities, and a notification is triggered automatically when one is detected. Each detected vulnerability must be analyzed and an appropriate action decided upon. This analysis and decision is tied directly to the SBOM/Delivery Report and forms the basis for the generated VEX report (see What are the use cases for duplicating an SBOM).

Open the SBOM show page and select the Deliveries tab. Press Generate VEX for the selected Delivery Report.

Select the vulnerabilities that you want included in the VEX report and press Save. The report will now be found in the Report section of SBOM Central.
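As an added example (not SBOM Central's code, and not a description of its export format), the following Python script shows what the machine-readable result of the procedure above looks like and how a downstream tool consumes it. It assumes the OpenVEX JSON format; SBOM Central may emit a different VEX flavour. The vulnerability IDs, product identifier, author and scanner findings are all constructed placeholders. It builds a VEX document from the analyst decisions taken on the Delivery Report, enforces the OpenVEX rule that a not_affected statement must carry a justification and an affected statement an action statement, and then filters a list of scanner findings so only the vulnerabilities that still need attention remain.

```python
"""Build a VEX document from analyst decisions and apply it to scanner findings.

Added example; assumes the OpenVEX format. Not SBOM Central's own code.
"""
import json
import uuid
from datetime import datetime, timezone

# Statuses defined by OpenVEX.
VALID_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}

# Justifications OpenVEX allows for a not_affected statement.
NOT_AFFECTED_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}


def build_vex(product_id, author, decisions):
    """Turn a list of analyst decisions into an OpenVEX document (dict).

    decisions: [{"vuln": "...", "status": "...", "justification": ...,
                 "action_statement": ...}, ...]
    Raises ValueError on a decision that would not be a valid VEX statement.
    """
    statements = []
    for d in decisions:
        status = d["status"]
        if status not in VALID_STATUSES:
            raise ValueError(f"{d['vuln']}: unknown status {status!r}")
        stmt = {
            "vulnerability": {"name": d["vuln"]},
            "products": [{"@id": product_id}],
            "status": status,
        }
        if status == "not_affected":
            # A bare "not affected" is not auditable; OpenVEX requires a reason.
            if d.get("justification") not in NOT_AFFECTED_JUSTIFICATIONS:
                raise ValueError(f"{d['vuln']}: not_affected needs a justification")
            stmt["justification"] = d["justification"]
        elif status == "affected":
            # Consumers need to know what to do about an affected product.
            if not d.get("action_statement"):
                raise ValueError(f"{d['vuln']}: affected needs an action_statement")
            stmt["action_statement"] = d["action_statement"]
        statements.append(stmt)
    return {
        "@context": "https://openvex.dev/ns/v0.2.0",
        "@id": f"urn:uuid:{uuid.uuid4()}",
        "author": author,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "version": 1,
        "statements": statements,
    }


def apply_vex(findings, vex, product_id):
    """Return the scanner findings that still need attention for product_id.

    Findings covered by a not_affected or fixed statement are suppressed;
    affected, under_investigation and unknown (no statement) findings remain.
    """
    status_by_vuln = {
        s["vulnerability"]["name"]: s["status"]
        for s in vex["statements"]
        if any(p["@id"] == product_id for p in s["products"])
    }
    return [f for f in findings
            if status_by_vuln.get(f["vuln"]) not in ("not_affected", "fixed")]


# Constructed sample data: placeholder product purl and vulnerability IDs.
PRODUCT = "pkg:generic/example-delivery@1.2.3"
DECISIONS = [
    {"vuln": "CVE-0000-0001", "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path"},
    {"vuln": "CVE-0000-0002", "status": "affected",
     "action_statement": "Upgrade to 1.2.4 or disable the affected parser."},
    {"vuln": "CVE-0000-0003", "status": "under_investigation"},
]
FINDINGS = [{"vuln": f"CVE-0000-000{i}", "component": "libexample"}
            for i in (1, 2, 3, 4)]  # 0004 has no VEX statement yet


def remaining_vulns():
    """Apply the constructed decisions to the constructed findings."""
    vex = build_vex(PRODUCT, "Example Product Security Team", DECISIONS)
    return [f["vuln"] for f in apply_vex(FINDINGS, vex, PRODUCT)]


if __name__ == "__main__":
    doc = build_vex(PRODUCT, "Example Product Security Team", DECISIONS)
    print(json.dumps(doc, indent=2))
    print("still open:", remaining_vulns())
```

Running the script prints the VEX document and then the three vulnerability IDs that are still open: the affected one, the one under investigation, and the one no decision has been recorded for. Note that the filter keys on the product identifier in each statement; a VEX statement for a different delivery must not suppress findings for this one.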