Create a VEX report from a vulnerability

  • Updated 2025-01-20 SBOM Central

    A Vulnerability Exploitability eXchange (VEX) is a type of security advisory, similar to those commonly issued by mature product security teams. The key distinction of the VEX model is that its reports are machine-readable, enabling seamless integration with security management tools and vulnerability tracking platforms. VEX data enhances the effective use of Software Bills of Materials (SBOM) data.

    In SBOM Central, you can generate VEX reports for specific vulnerabilities and associated SBOMs from the list of deliveries with Delivery Reports. For details, see Why is VEX generation tied to Delivery Reports.

    SBOMs are continuously monitored for newly discovered vulnerabilities, with automatic notifications triggered upon detection. Each identified vulnerability requires careful analysis and appropriate actions.

    Open the vulnerability show page and push the Generate VEX button.

    Select one of the analyses (or the none alternative) and then pick one or more deliveries from the list. The list content depends on the analysis selected in the first step. Push Save. The report will now be found in the Report section of SBOM Central.
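To make concrete what "machine-readable" means for the report produced by the steps above, here is an added example (not SBOM Central's code, and not its output format) that assembles a VEX document in the OpenVEX JSON shape from the same three inputs the UI asks for: a vulnerability, an analysis (or none), and the selected deliveries. The mapping of the "none alternative" to `under_investigation`, the delivery identifiers (package URLs), the author string, the document id and the CVE id are all constructed for the example. It also shows the consumer side: a helper that a scanner could use to decide which deliveries still need attention.

```python
import json

OPENVEX_CONTEXT = "https://openvex.dev/ns/v0.2.0"

# OpenVEX status vocabulary, and the justifications a not_affected
# statement must carry so that tooling can act on it without a human.
STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}


def build_vex(vuln_id, analysis, deliveries, author, doc_id, timestamp):
    """Build one OpenVEX document with a single statement covering all
    selected deliveries.

    analysis   : None (the "none alternative") or a dict with "status" and,
                 for not_affected, "justification".  Assumption for this
                 example: no analysis means the issue is under investigation.
    deliveries : product identifiers (package URLs, constructed here).
    timestamp  : RFC 3339 string, passed in so the result is reproducible.
    """
    if not deliveries:
        raise ValueError("at least one delivery must be selected")

    if analysis is None:
        status, justification = "under_investigation", None
    else:
        status = analysis["status"]
        justification = analysis.get("justification")

    # Reject documents that downstream tools could not interpret unambiguously.
    if status not in STATUSES:
        raise ValueError(f"unknown VEX status {status!r}")
    if status == "not_affected" and justification not in JUSTIFICATIONS:
        raise ValueError("not_affected requires a machine-readable justification")
    if status != "not_affected" and justification is not None:
        raise ValueError("justification is only meaningful for not_affected")

    statement = {
        "vulnerability": {"name": vuln_id},
        "products": [{"@id": d} for d in deliveries],
        "status": status,
    }
    if justification:
        statement["justification"] = justification

    return {
        "@context": OPENVEX_CONTEXT,
        "@id": doc_id,
        "author": author,
        "timestamp": timestamp,
        "version": 1,
        "statements": [statement],
    }


def open_products(doc):
    """Consumer side: return the product ids a scanner should keep flagging,
    i.e. everything not explicitly cleared as not_affected or fixed."""
    still_open = set()
    for st in doc["statements"]:
        if st["status"] in ("affected", "under_investigation"):
            still_open.update(p["@id"] for p in st["products"])
    return still_open


if __name__ == "__main__":
    # Constructed inputs: placeholder CVE id, one delivery, one analysis.
    doc = build_vex(
        "CVE-0000-00000",
        {"status": "not_affected",
         "justification": "vulnerable_code_not_in_execute_path"},
        ["pkg:generic/example-delivery@1.0.0"],
        "Example Product Security Team",
        "urn:example:vex:1",
        "2025-01-20T00:00:00Z",
    )
    print(json.dumps(doc, indent=2))
    print("still open:", open_products(doc))
```

The validation in `build_vex` is the part worth copying: a `not_affected` statement without one of the fixed justification strings is exactly the kind of report that looks fine to a human reader but that a vulnerability tracker cannot safely auto-suppress.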