Free & Open Source

vex-hub

Know which vulnerabilities actually matter


Search by CVE

All vendor statements matching a CVE ID.

Upload SBOM and / or VEX

What you give it determines what you get back:

You provide | You get back
CycloneDX SBOM with vulnerabilities[] | CycloneDX SBOM — annotated with the vendor verdict on each listed vulnerability.
CycloneDX SBOM, components only | CycloneDX SBOM — vulnerabilities filled in from vendor data, then annotated.
VEX only (OpenVEX or CycloneDX) | OpenVEX document — your statements merged, with the vendor's view alongside.
SBOM + VEX | CycloneDX SBOM — annotated, with your VEX overriding the vendor verdict on collision.

Drop an SBOM, a VEX document, or both — either input is valid on its own.

Drop CycloneDX SBOM (.json — vulnerabilities + components)

Drop VEX (OpenVEX 0.2.0 or CycloneDX VEX)

Or via API
# wrap the SBOM as {"sbom": ...} and POST the wrapper to the analyzer
jq '{sbom: .}' sbom.json | \
  curl -X POST https://vex.getreel.dev/v1/analyze \
  -H "Content-Type: application/json" \
  -d @-


Or generate an SBOM: reel export sbom --scanners vuln --image <ref> > sbom.json

What is VEX?

Vendors publish statements saying whether a CVE actually affects their product. Scanners produce long lists of CVEs; VEX quiets the noise.

Not Affected

Vendor confirms the CVE does not affect their product. Safe to suppress.

Fixed

A fix is available. Update to the patched version.

Under Investigation

Vendor is still assessing impact. Monitor for updates.

Affected

Vendor confirms the product is exploitable. Plan mitigation.

Where the statements come from

vex-hub aggregates vendor security feeds. Here is what is covered today.

Vendor | Coverage | Feed
Red Hat | RHEL plus EUS, AUS, and E4S extended-support streams | CSAF · OVAL
SUSE | SUSE Linux Enterprise and openSUSE | CSAF
Ubuntu | 20.04, 22.04, 24.04 LTS plus Ubuntu Pro ESM tracks | OpenVEX · OVAL
Debian | 11 (bullseye), 12 (bookworm), 13 (trixie) | OVAL
Rancher (SUSE) | SUSE cloud-native product images — product-scoped suppressions | OpenVEX

More filters

POST /v1/statements

Single canonical query primitive over the VEX statements database. Returns OpenVEX 0.2.0, or 204 on an empty match. Omit cves and pass products (or an SBOM) to get every vendor statement touching those packages: broad mode, intended to be fetched once and reused on every scan.

Filters

cves: array of CVE IDs — required unless products or an SBOM is supplied (broad mode)
products: array of PURL or CPE identifiers; runs through the resolver (alias + CPE-prefix expansion)
scopes: array of product @ids (image / module) — opts in product-scoped statements (Rancher) for those scopes; an SBOM's root component supplies it automatically
vendors: array — redhat, suse, rancher, ubuntu, debian
statuses: array — not_affected, affected, fixed, under_investigation
justifications: array — OpenVEX 0.2.0 enum (e.g. vulnerable_code_not_present)
source_formats: array — csaf, oval, openvex
since: RFC3339 timestamp; rows updated on or after this

Filters are ANDed across populated dimensions; within each non-empty list a row matches if its value is IN the list. An empty list (or omitted field) means no filter on that dimension.

Example

curl -X POST https://vex.getreel.dev/v1/statements \
  -H "Content-Type: application/json" \
  -d '{
    "cves":           ["CVE-2021-44228"],
    "products":       ["pkg:rpm/redhat/log4j"],
    "vendors":        ["redhat"],
    "statuses":       ["not_affected", "fixed"],
    "source_formats": ["csaf"],
    "since":          "2026-01-01T00:00:00Z"
  }'

Full reference, response shape, and recipes: docs/api.md.
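As an added example (not vex-hub's own code), the broad-mode workflow above done client-side: a cached OpenVEX response is filtered with the same rules the endpoint applies (AND across populated dimensions, IN within each list, empty means no filter), and only not_affected statements are allowed to suppress scanner findings. The document, CVE numbers and PURLs are constructed placeholders.

```python
from datetime import datetime

# Constructed sample standing in for one cached broad-mode /v1/statements
# response (OpenVEX 0.2.0 shape); CVE numbers and PURLs are placeholders.
CACHED_DOC = {"@context": "https://openvex.dev/ns/v0.2.0", "statements": [
    {"vulnerability": {"name": "CVE-2099-0001"}, "products": [{"@id": "pkg:rpm/redhat/example-lib"}],
     "status": "not_affected", "justification": "vulnerable_code_not_present",
     "timestamp": "2026-01-10T00:00:00Z"},
    {"vulnerability": {"name": "CVE-2099-0001"}, "products": [{"@id": "pkg:rpm/redhat/example-lib"}],
     "status": "fixed", "timestamp": "2025-12-01T00:00:00Z"},
    {"vulnerability": {"name": "CVE-2099-0002"}, "products": [{"@id": "pkg:deb/debian/example-tool"}],
     "status": "under_investigation", "timestamp": "2026-02-01T00:00:00Z"},
]}

def _ts(rfc3339):
    return datetime.fromisoformat(rfc3339.replace("Z", "+00:00"))

def filter_statements(doc, cves=(), products=(), statuses=(),
                      justifications=(), since=None):
    """Client-side form of the /v1/statements filter rules: AND across
    populated dimensions, IN within each list; empty/None = no filter."""
    out = []
    for st in doc["statements"]:
        ids = {p["@id"] for p in st.get("products", [])}
        if cves and st["vulnerability"]["name"] not in cves:
            continue
        if products and ids.isdisjoint(products):
            continue
        if statuses and st["status"] not in statuses:
            continue
        if justifications and st.get("justification") not in justifications:
            continue
        if since and _ts(st["timestamp"]) < _ts(since):  # updated on/after
            continue
        out.append(st)
    return out

def suppressible(doc, findings):
    """findings: {cve: purl} reported by a scanner. Only a not_affected
    statement for the same package suppresses a finding; fixed, affected
    and under_investigation stay on the list. Returns {cve: justification}."""
    suppressed = {}
    for cve, purl in findings.items():
        hits = filter_statements(doc, cves=[cve], products=[purl],
                                 statuses=["not_affected"])
        if hits:
            suppressed[cve] = hits[0].get("justification")
    return suppressed
```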

GET /v1/stats

Vendor / CVE / statement / product-mapping counts.


Open Source

The VEX resolution service is free and open source under Apache 2.0.
