Free & Open Source

vex-hub

Know which vulnerabilities actually affect you


Free to use. No account. Search by CVE or upload an SBOM below.

Search by CVE

Enter a CVE ID to see vendor VEX statements.

Upload SBOM

Upload a CycloneDX SBOM (JSON) to see which of its vulnerabilities the vendor says don't actually affect you.

Your SBOM needs a vulnerabilities section. Generate one with reel, Trivy, or Grype.

Use with your scanner

Pipe vex-hub into the scanner you already run. Copy-paste recipes, reproducible against public images.

What is VEX?

Vendors publish statements saying whether a CVE actually affects their product. Scanners produce long lists of CVEs; VEX lets you quiet the noise.

Not Affected

Vendor confirms the CVE does not affect their product. Safe to suppress.

Fixed

A fix is available. Update to the patched version.

Under Investigation

Vendor is still assessing impact. Monitor for updates.

Affected

Vendor confirms the product is exploitable. Plan mitigation.

API

Free to use. No API key required.

GET /v1/cve/{CVE-ID}

All vendor statements for one CVE.

curl https://vex.getreel.dev/v1/cve/CVE-2021-44228

POST /v1/resolve

Batch match CVEs against product IDs. Optional source_formats filter.

curl -X POST https://vex.getreel.dev/v1/resolve \
  -d '{"cves":["CVE-2021-44228"],"products":["pkg:rpm/redhat/log4j"]}'

POST /v1/sbom

Upload a CycloneDX SBOM; get it back annotated with VEX analysis on each vulnerability.

curl -X POST https://vex.getreel.dev/v1/sbom \
  -H "Content-Type: application/json" \
  -d @sbom.json

GET /v1/stats

Vendor / CVE / statement / product-mapping counts.
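As an added example (not vex-hub's own code), here is how a pipeline can build the /v1/resolve request body shown above from a CycloneDX SBOM's vulnerabilities section, and then apply the four VEX statuses to decide which findings to suppress. The SBOM, the statements and the statement shape (cve/product/status keys, snake_case status values) are assumptions for illustration; the real /v1/resolve response format is not documented on this page.

```python
# Constructed CycloneDX 1.4-style SBOM with a vulnerabilities section (sample, not a real scan;
# CVE-2099-* IDs are placeholders). Components are tied to vulnerabilities via bom-ref.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [{"bom-ref": "c1", "name": "log4j", "purl": "pkg:rpm/redhat/log4j"},
                   {"bom-ref": "c2", "name": "openssl", "purl": "pkg:rpm/redhat/openssl"}],
    "vulnerabilities": [{"id": "CVE-2021-44228", "affects": [{"ref": "c1"}]},
                        {"id": "CVE-2099-0001", "affects": [{"ref": "c2"}]},
                        {"id": "CVE-2099-0002", "affects": [{"ref": "c1"}, {"ref": "c2"}]}],
}

# Constructed vendor statements in an ASSUMED shape; the real /v1/resolve response may differ.
SAMPLE_STATEMENTS = [
    {"cve": "CVE-2021-44228", "product": "pkg:rpm/redhat/log4j", "status": "not_affected"},
    {"cve": "CVE-2099-0001", "product": "pkg:rpm/redhat/openssl", "status": "fixed"},
    {"cve": "CVE-2099-0002", "product": "pkg:rpm/redhat/log4j", "status": "not_affected"},
]

def affected_pairs(sbom):
    """Return (cve, purl) pairs from the SBOM's vulnerabilities section, in order, deduplicated."""
    if "vulnerabilities" not in sbom:
        raise ValueError("SBOM has no vulnerabilities section; run reel, Trivy or Grype first")
    purl_by_ref = {c.get("bom-ref"): c.get("purl") for c in sbom.get("components", [])}
    pairs = []
    for vuln in sbom["vulnerabilities"]:
        for hit in vuln.get("affects", []):
            purl = purl_by_ref.get(hit.get("ref"))
            if purl and (vuln["id"], purl) not in pairs:
                pairs.append((vuln["id"], purl))
    return pairs

def build_resolve_request(sbom):
    """Body for POST /v1/resolve, in the shape shown in the API docs."""
    pairs = affected_pairs(sbom)
    return {"cves": list(dict.fromkeys(c for c, _ in pairs)),
            "products": list(dict.fromkeys(p for _, p in pairs))}

def triage(sbom, statements):
    """Decide 'suppress' or 'keep' per CVE. Suppress only when every affected product carries a
    not_affected statement; fixed, affected, under_investigation or no statement at all keeps it."""
    status = {(s["cve"], s["product"]): s["status"] for s in statements}
    decision = {}
    for cve, purl in affected_pairs(sbom):
        if status.get((cve, purl)) != "not_affected":
            decision[cve] = "keep"
        else:
            decision.setdefault(cve, "suppress")
    return decision
```

A CVE with no vendor statement stays in the report, so a gap in coverage never looks like a clean bill of health.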

Data Sources

Aggregated from vendor security feeds. Updated daily.

Red Hat: RHEL and products
Red Hat EUS: extended-support streams
SUSE: SLES and products

Open Source

The VEX resolution service is free and open source under Apache 2.0.
