VEX makes your SBOMs accurate and useful

VEX takes the noise out of an SBOM by stating which reported vulnerabilities do not affect the product and which have already been fixed.

  • Don't send a customer's security team an SBOM whose unqualified vulnerability list reflects poorly on you.
  • Don't fix every SBOM finding; prioritize the issues that are actually reachable in your product.
  • Do generate VEX reports automatically from what is actually running on your live servers.

What is a Vulnerability Exploitability eXchange report?

A VEX report accompanies an SBOM and a VDR (Vulnerability Disclosure Report) and states whether, and how, a vulnerability in a listed component can affect the security of the software when it is running. It answers questions such as:

  • Is the vulnerable code active or dormant in this product?
  • Which components or configuration should I pay more attention to when assessing the risk of this version?
  • What is the plan to fix it?

The substance of a VEX report is its statements section. The statement below, in OpenVEX form, records that a scanner hit for CVE-2019-1010022 against Debian 12's libc6 package does not affect the product because the vulnerable code is never executed:

    "statements": [
        {
            "vulnerability": {
                "@id": "CVE-2019-1010022"
            },
            "timestamp": "2023-09-18T14:07:00.1097922Z",
            "products": [
                {
                    "@id": "pkg:deb/debian/libc6@2.36-9?arch=amd64&upstream=glibc&distro=debian-12",
                    "identifiers": {
                        "purl": "pkg:deb/debian/libc6@2.36-9?arch=amd64&upstream=glibc&distro=debian-12"
                    }
                }
            ],
            "status": "not_affected",
            "justification": "vulnerable_code_not_in_execute_path",
            "impact_statement": "EdgeBit automated analysis indicates that the vulnerable code is dormant and not executed"
        }
    ]

The justification and impact_statement fields are what make a not_affected claim auditable: OpenVEX requires at least one of them on every not_affected statement, and a consumer should not suppress a finding on the strength of a statement that carries neither.
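To show how a consumer actually uses statements like the one above, here is an added example (not EdgeBit's code or output) that builds an OpenVEX document and uses it to split scanner findings into actionable and suppressed. The field names and the status and justification vocabularies follow the OpenVEX v0.2.0 specification; the findings, the EXAMPLE-* identifiers, the author and the document id are constructed for illustration.

```python
"""Build an OpenVEX document and use it to triage scanner findings.

Added example, not EdgeBit code. Field names and the status/justification
vocabularies follow OpenVEX v0.2.0; the findings, the EXAMPLE-* identifiers,
the author and the document id are constructed for illustration.
"""
import json
from datetime import datetime, timezone

OPENVEX_CONTEXT = "https://openvex.dev/ns/v0.2.0"
STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
# OpenVEX requires a justification or an impact_statement on every not_affected statement.
JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}
# The product from the statement shown on this page.
LIBC_PURL = "pkg:deb/debian/libc6@2.36-9?arch=amd64&upstream=glibc&distro=debian-12"


def make_statement(vuln_id, purl, status, when, justification=None, impact_statement=None):
    """Return one OpenVEX statement, refusing combinations the spec does not allow."""
    if status not in STATUSES:
        raise ValueError(f"unknown status {status!r}")
    if status == "not_affected" and justification is None and impact_statement is None:
        raise ValueError("not_affected needs a justification or an impact_statement")
    if justification is not None and justification not in JUSTIFICATIONS:
        raise ValueError(f"unknown justification {justification!r}")
    stmt = {
        "vulnerability": {"name": vuln_id},
        "timestamp": when.isoformat(),
        "products": [{"@id": purl, "identifiers": {"purl": purl}}],
        "status": status,
    }
    if justification is not None:
        stmt["justification"] = justification
    if impact_statement is not None:
        stmt["impact_statement"] = impact_statement
    return stmt


def make_document(author, statements, doc_id):
    """Wrap statements in the OpenVEX document envelope."""
    return {
        "@context": OPENVEX_CONTEXT,
        "@id": doc_id,
        "author": author,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "version": 1,
        "statements": statements,
    }


def _parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(findings, vex_doc):
    """Split (vuln_id, purl) findings into actionable and suppressed lists.

    Only the newest statement for a (vulnerability, product) pair counts, as
    OpenVEX prescribes. A finding is suppressed when that statement says
    not_affected or fixed; affected, under_investigation and "no statement"
    all stay actionable, so a missing statement never silently hides a finding.
    """
    latest = {}
    for stmt in vex_doc["statements"]:
        vuln = stmt["vulnerability"].get("name") or stmt["vulnerability"].get("@id")
        for product in stmt["products"]:
            key = (vuln, product["@id"])
            if key not in latest or _parse_ts(stmt["timestamp"]) > _parse_ts(latest[key]["timestamp"]):
                latest[key] = stmt
    actionable, suppressed = [], []
    for vuln, purl in findings:
        stmt = latest.get((vuln, purl))
        if stmt is not None and stmt["status"] in ("not_affected", "fixed"):
            suppressed.append((vuln, purl, stmt["status"], stmt.get("justification", "")))
        else:
            actionable.append((vuln, purl, stmt["status"] if stmt else "no_statement"))
    return actionable, suppressed


def build_example():
    """Constructed scenario: one dormant CVE, one unknown finding, one superseded statement."""
    t0 = datetime(2023, 9, 18, 14, 7, tzinfo=timezone.utc)
    t1 = datetime(2023, 9, 20, 9, 0, tzinfo=timezone.utc)
    statements = [
        # Mirrors the statement shown on this page.
        make_statement("CVE-2019-1010022", LIBC_PURL, "not_affected", t0,
                       justification="vulnerable_code_not_in_execute_path",
                       impact_statement="automated analysis indicates the vulnerable code is dormant"),
        # Placeholder id: an older under_investigation statement later superseded by fixed.
        make_statement("EXAMPLE-0002", LIBC_PURL, "under_investigation", t0),
        make_statement("EXAMPLE-0002", LIBC_PURL, "fixed", t1),
    ]
    doc = make_document("Example Security Team", statements, "https://example.com/vex/build-1234")
    findings = [  # constructed scanner output
        ("CVE-2019-1010022", LIBC_PURL),
        ("EXAMPLE-0001", LIBC_PURL),  # placeholder id with no VEX statement at all
        ("EXAMPLE-0002", LIBC_PURL),
    ]
    actionable, suppressed = triage(findings, doc)
    return doc, actionable, suppressed


if __name__ == "__main__":
    doc, actionable, suppressed = build_example()
    print(json.dumps(doc, indent=2))
    print("actionable:", actionable)
    print("suppressed:", suppressed)
```

Two design choices matter here: the newest statement wins when several cover the same vulnerability and product, so a later "fixed" or "affected" overrides an earlier claim, and a finding with no statement stays actionable rather than disappearing, which is the failure mode to watch for when VEX is wired into a scanner's suppression logic.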

Install once to generate VEX across all projects

Continually generated per project

Suppressions save developers time

Confirm remediation

What Is EdgeBit?

Fix vulnerabilities that matter in your apps

  • Highlight open source risks before code merges
  • Remove noise for developers and security teams
  • Burn down the security backlog while executing sprint work

Build Pipelines

Stop vulnerabilities before they merge

Production Servers

Prioritize what to fix based on how your apps run

Dependency Autofix

Merge safe updates to dependencies
Empower Engineers: Vulnerability Management

Prioritize your backlog to focus engineers on impactful patching.

Cross-App Insight: Software Inventory & SBOMs

Understand dependencies and communicate them to your customers.

Meet Compliance: Software Supply Chain Regulation

Meet supply chain regulation requirements with full automation.

Use Open Source Safely: OSS Dependency Governance

Help engineers make intelligent decisions when using open source.

Security Vulnerabilities Found, Fixed & Merged, Continuously

Less investigation toil.

More action on real issues.

Happy engineers.
