Generating VEX Documents

Create VEX documents in CycloneDX VEX, OpenVEX, or CSAF format from your triage data.

VEX documents are generated from the disposition data you recorded during triage. The document captures your assessment of every vulnerability found in your SBOM.

Prerequisites

Before generating a VEX document, ensure:

  1. An SBOM has been uploaded for the release
  2. Vulnerability scanning is complete
  3. All vulnerabilities have a disposition — no untriaged vulnerabilities remain
  4. No vulnerabilities are marked "Under Investigation" (these must be resolved first)

If any prerequisites are not met, the generate button will be disabled with an explanation.

How to generate

  1. Navigate to the release page
  2. Open the VEX tab
  3. Click Generate VEX
  4. Select a format:
    • CycloneDX VEX: Best for organizations already using CycloneDX SBOMs
    • OpenVEX: Best for lightweight, VEX-only use cases
    • CSAF: Best for organizations requiring OASIS CSAF compliance
  5. Click Generate

The document is created in Draft status and can be reviewed before submission.

What is included in the VEX

The generated document contains:

  • Product information: Name, vendor, version
  • Release information: Version identifier, release date
  • Vulnerability assessments: For each matched CVE:
    • CVE ID and description
    • Your disposition (affected, not affected, fixed)
    • Justification and impact statements you provided
    • Affected component information
  • Document metadata: Author, creation timestamp, document version, tooling information
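
As an added illustration of the prerequisites and contents described above, and not this product's own generator, the following Python builds an OpenVEX document from constructed triage rows and refuses to generate when any row is untriaged or still under investigation. The product, component and document identifiers are placeholders.

```python
from datetime import datetime, timezone

# Justifications OpenVEX v0.2.0 allows on a not_affected statement.
JUSTIFICATIONS = {"component_not_present", "vulnerable_code_not_present",
                  "vulnerable_code_not_in_execute_path",
                  "vulnerable_code_cannot_be_controlled_by_adversary",
                  "inline_mitigations_already_exist"}

# Constructed triage rows, one per matched CVE; status None means untriaged.
TRIAGE = [
    {"cve": "CVE-2024-0001", "component": "pkg:npm/example-lib@1.2.3",
     "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path",
     "impact_statement": "The vulnerable parser is never called by this product."},
    {"cve": "CVE-2024-0002", "component": "pkg:npm/example-lib@1.2.3",
     "status": "affected", "action_statement": "Upgrade to release 2.0.1."},
    {"cve": "CVE-2024-0003", "component": "pkg:npm/other-lib@4.5.6", "status": "fixed"},
]


def check_prerequisites(triage):
    """Return the reasons generation must stay disabled (empty list means OK)."""
    reasons = []
    for row in triage:
        status = row.get("status")
        if status is None:
            reasons.append(f"{row['cve']}: untriaged")
        elif status == "under_investigation":
            reasons.append(f"{row['cve']}: still under investigation")
        elif status == "not_affected" and not (
                row.get("justification") in JUSTIFICATIONS or row.get("impact_statement")):
            reasons.append(f"{row['cve']}: not_affected needs a justification or impact statement")
    return reasons


def generate_openvex(product_id, triage, author, doc_id):
    """Build an OpenVEX document (as a dict) from triage rows; raise if prerequisites fail."""
    problems = check_prerequisites(triage)
    if problems:
        raise ValueError("cannot generate VEX: " + "; ".join(problems))
    statements = []
    for row in triage:
        stmt = {"vulnerability": {"name": row["cve"]}, "status": row["status"],
                "products": [{"@id": product_id, "subcomponents": [{"@id": row["component"]}]}]}
        # Carry over only the optional fields the triage actually recorded.
        for key in ("justification", "impact_statement", "action_statement"):
            if row.get(key):
                stmt[key] = row[key]
        statements.append(stmt)
    return {"@context": "https://openvex.dev/ns/v0.2.0", "@id": doc_id, "author": author,
            "timestamp": datetime.now(timezone.utc).isoformat(), "version": 1,
            "statements": statements}
```

Serialise the returned dict with json.dumps to obtain the document file; a draft produced this way should still be reviewed before submission, as the workflow above describes.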

Generating multiple formats

You can generate VEX documents in multiple formats for the same release. Each format creates a separate document that follows its own approval workflow.

Regenerating a VEX document

If you need to update a draft VEX document (for example, after changing dispositions), delete the existing draft and generate a new one. You cannot regenerate a VEX that has been submitted or published.