vex-hub merges CSAF and OVAL so Trivy's --vex flag sees what Red Hat CSAF alone misses.
CVE-2025-2487 on RHEL 9.6 EUS

```bash
curl -X POST https://vex.getreel.dev/v1/statements \
  -H "Content-Type: application/json" \
  -d '{
    "cves": ["CVE-2026-2100"],
    "products": ["pkg:rpm/redhat/p11-kit"]
  }' > vex.json

trivy image --vex vex.json --show-suppressed \
  registry.access.redhat.com/ubi9/ubi:latest
```

Re-scanning a UBI9 image with `--vex vex.json --show-suppressed`: the CVE moves out of findings and into the suppressed table, with the vendor's reasoning attached.
```
Suppressed Vulnerabilities (Total: 1)
=====================================
┌────────────┬───────────────┬──────────┬──────────────┬─────────────────────────────┬──────────┐
│  Library   │ Vulnerability │ Severity │    Status    │          Statement          │  Source  │
├────────────┼───────────────┼──────────┼──────────────┼─────────────────────────────┼──────────┤
│ p11-kit    │ CVE-2026-2100 │ MEDIUM   │ not_affected │ vulnerable_code_not_present │ vex.json │
└────────────┴───────────────┴──────────┴──────────────┴─────────────────────────────┴──────────┘
```

The flow above is distro-agnostic. Trivy emits the right PURL when it scans an image — vex-hub answers for whichever vendor it lands on.
| Vendor | Coverage | Feed |
|---|---|---|
| Red Hat | RHEL plus EUS, AUS, and E4S extended-support streams | CSAF · OVAL |
| SUSE | SUSE Linux Enterprise and openSUSE | CSAF |
| Ubuntu | 20.04, 22.04, 24.04 LTS plus Ubuntu Pro ESM tracks | OpenVEX · OVAL |
| Debian | 11 (bullseye), 12 (bookworm), 13 (trixie) | OVAL |
For example, swap `pkg:rpm/redhat/p11-kit` for `pkg:deb/debian/openssl?distro=debian-12` when scanning a Debian image.
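The manual curl above hard-codes one CVE and one package. The script below, an added example that is not part of vex-hub or Trivy, builds the `/v1/statements` request body from a Trivy JSON scan and then checks which (CVE, package) pairs the returned VEX document leaves uncovered, so the remaining findings can be triaged by hand. It assumes Trivy's `-f json` output (`Results[].Vulnerabilities[].VulnerabilityID` and `PkgIdentifier.PURL`), that vex-hub answers in OpenVEX, and that it matches on a name-level PURL keeping only the `distro` qualifier; the scan data and the VEX response are constructed samples.

```python
import json
from urllib.parse import parse_qs

# Constructed sample of Trivy JSON output (trivy image -f json ...), trimmed to the fields used here.
# Two targets are mixed in so that both the RPM and the Debian PURL shapes from the page are exercised.
TRIVY_SCAN = {"Results": [
    {"Target": "registry.access.redhat.com/ubi9/ubi:latest (redhat 9.6)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2026-2100", "PkgIdentifier": {"PURL": "pkg:rpm/redhat/p11-kit@0.25.3-3.el9?arch=x86_64"}},
        {"VulnerabilityID": "CVE-2026-2100", "PkgIdentifier": {"PURL": "pkg:rpm/redhat/p11-kit-trust@0.25.3-3.el9?arch=x86_64"}},
    ]},
    {"Target": "debian:12 (debian 12.8)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2025-2487", "PkgIdentifier": {"PURL": "pkg:deb/debian/openssl@3.0.15-1~deb12u1?arch=amd64&distro=debian-12"}},
    ]},
]}

# Constructed OpenVEX document standing in for a vex-hub response (assumed format); it covers only p11-kit.
VEX_RESPONSE = {"@context": "https://openvex.dev/ns/v0.2.0", "statements": [
    {"vulnerability": {"name": "CVE-2026-2100"}, "products": [{"@id": "pkg:rpm/redhat/p11-kit"}],
     "status": "not_affected", "justification": "vulnerable_code_not_present"},
]}

def product_key(purl):
    """Reduce a versioned PURL to the name-level form used in the request: drop '@version',
    keep only the distro qualifier (assumption about how vex-hub matches products)."""
    path, _, query = purl.partition("?")
    name = path.split("@", 1)[0]
    distro = parse_qs(query).get("distro")
    return f"{name}?distro={distro[0]}" if distro else name

def scan_pairs(scan):
    """Every (CVE, name-level PURL) pair Trivy reported."""
    pairs = set()
    for result in scan.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            pairs.add((v["VulnerabilityID"], product_key(v["PkgIdentifier"]["PURL"])))
    return pairs

def build_request(scan):
    """Body for POST /v1/statements, shaped like the curl call on the page."""
    pairs = scan_pairs(scan)
    return {"cves": sorted({c for c, _ in pairs}), "products": sorted({p for _, p in pairs})}

def uncovered_pairs(scan, vex):
    """Pairs with no statement at all: these stay in Trivy's findings and still need manual triage."""
    covered = {(s["vulnerability"]["name"], p["@id"]) for s in vex["statements"] for p in s["products"]}
    return sorted(scan_pairs(scan) - covered)

def unjustified(vex):
    """not_affected statements lacking the justification or impact_statement OpenVEX requires."""
    return [s for s in vex["statements"]
            if s["status"] == "not_affected" and not (s.get("justification") or s.get("impact_statement"))]

if __name__ == "__main__":
    print(json.dumps(build_request(TRIVY_SCAN), indent=2))      # body to POST to vex-hub
    print("uncovered:", uncovered_pairs(TRIVY_SCAN, VEX_RESPONSE))  # pairs left for manual triage
```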