Free & Open Source

vex-hub

Know which vulnerabilities actually affect you


Search by CVE, or upload an SBOM and / or VEX below. Output in standard OpenVEX.

Search by CVE

All vendor statements matching a CVE ID.

Upload SBOM and / or VEX

Upload a CycloneDX SBOM to see which of its vulnerabilities the vendor says don't actually affect you. Optionally layer your own OpenVEX assertions on top — your statements override vendor statements on collision.

Drop an SBOM, your VEX document, or both — either input is valid on its own.

Or via API
jq '{sbom: .}' sbom.json | \
  curl -X POST https://vex.getreel.dev/v1/analyze \
  -H "Content-Type: application/json" \
  -d @-

Example

Need files? Drop both — the sample VEX models a user who's mitigated three CVEs internally (not_affected / fixed with justifications) and overrides the vendor view in the result table.

Or generate your own SBOM: reel export sbom --scanners vuln --image <ref> > sbom.json

What is VEX?

Vendors publish statements saying whether a CVE actually affects their product. Scanners produce long lists of CVEs; VEX lets you quiet the noise.

Not Affected

Vendor confirms the CVE does not affect their product. Safe to suppress.

Fixed

A fix is available. Update to the patched version.

Under Investigation

Vendor is still assessing impact. Monitor for updates.

Affected

Vendor confirms the product is exploitable. Plan mitigation.

Where the statements come from

vex-hub aggregates vendor security feeds. Here is what is covered today.

| Vendor  | Coverage                                                | Feed           |
|---------|---------------------------------------------------------|----------------|
| Red Hat | RHEL plus EUS, AUS, and E4S extended-support streams    | CSAF · OVAL    |
| SUSE    | SUSE Linux Enterprise and openSUSE                      | CSAF           |
| Ubuntu  | 20.04, 22.04, 24.04 LTS plus Ubuntu Pro ESM tracks      | OpenVEX · OVAL |
| Debian  | 11 (bullseye), 12 (bookworm), 13 (trixie)               | OVAL           |


POST /v1/statements

Single canonical query primitive over the VEX statements database. Returns OpenVEX 0.2.0; 204 on empty match.

Filters

cves: array of CVE IDs — required, ≥1
products: array of PURL or CPE identifiers; runs through the resolver (alias + CPE-prefix expansion)
vendors: array — redhat, suse, ubuntu, debian
statuses: array — not_affected, affected, fixed, under_investigation
justifications: array — OpenVEX 0.2.0 enum (e.g. vulnerable_code_not_present)
source_formats: array — csaf, oval
since: RFC3339 timestamp; rows updated on or after this

Filters are ANDed across the populated dimensions; within each non-empty list the match is an IN (a row matches if its value is any of the listed ones). An empty list (or an omitted field) places no filter on that dimension.

Example

curl -X POST https://vex.getreel.dev/v1/statements \
  -H "Content-Type: application/json" \
  -d '{
    "cves":           ["CVE-2021-44228"],
    "products":       ["pkg:rpm/redhat/log4j"],
    "vendors":        ["redhat"],
    "statuses":       ["not_affected", "fixed"],
    "source_formats": ["csaf"],
    "since":          "2026-01-01T00:00:00Z"
  }'
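The filter semantics described above (AND across populated dimensions, IN within each non-empty list, an empty list means unfiltered, 204 on an empty match), as an added Python example that is not vex-hub's own code: it evaluates the same request as the curl call against a few constructed statement rows and wraps the hits as an OpenVEX 0.2.0 document. The row shape, the document `@id`, and the exact-match product comparison (the alias / CPE-prefix resolver is not modeled) are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample rows standing in for the statements database (not real vendor data).
ROWS = [
    {"cve": "CVE-2021-44228", "product": "pkg:rpm/redhat/log4j", "vendor": "redhat",
     "status": "not_affected", "justification": "vulnerable_code_not_present",
     "source_format": "csaf", "updated": "2026-02-03T10:00:00Z"},
    {"cve": "CVE-2021-44228", "product": "pkg:rpm/redhat/log4j", "vendor": "redhat",
     "status": "fixed", "justification": None,
     "source_format": "oval", "updated": "2026-02-03T10:00:00Z"},    # fails source_formats
    {"cve": "CVE-2021-44228", "product": "pkg:deb/ubuntu/liblog4j2-java", "vendor": "ubuntu",
     "status": "fixed", "justification": None,
     "source_format": "oval", "updated": "2026-01-15T00:00:00Z"},    # fails vendors/products
    {"cve": "CVE-2021-44228", "product": "pkg:rpm/redhat/log4j", "vendor": "redhat",
     "status": "not_affected", "justification": "vulnerable_code_not_present",
     "source_format": "csaf", "updated": "2025-12-30T00:00:00Z"},    # updated before `since`
]

# Request filter field -> row column; each list filter is an IN on its column.
LIST_FILTERS = {"cves": "cve", "products": "product", "vendors": "vendor",
                "statuses": "status", "justifications": "justification",
                "source_formats": "source_format"}

# Same request body as the curl example above.
EXAMPLE_REQUEST = {"cves": ["CVE-2021-44228"], "products": ["pkg:rpm/redhat/log4j"],
                   "vendors": ["redhat"], "statuses": ["not_affected", "fixed"],
                   "source_formats": ["csaf"], "since": "2026-01-01T00:00:00Z"}

def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def matches(row, filters):
    """AND across dimensions; IN within each list; empty/omitted = no constraint."""
    for field, column in LIST_FILTERS.items():
        wanted = filters.get(field) or []
        if wanted and row[column] not in wanted:
            return False
    since = filters.get("since")
    return not since or parse_ts(row["updated"]) >= parse_ts(since)

def query_statements(filters, rows=ROWS):
    """Return an OpenVEX 0.2.0 document, or None where the API would answer 204."""
    if not filters.get("cves"):
        raise ValueError("cves is required and must contain at least one CVE ID")
    hits = [r for r in rows if matches(r, filters)]
    if not hits:
        return None
    statements = [{"vulnerability": {"name": r["cve"]}, "products": [{"@id": r["product"]}],
                   "status": r["status"], "timestamp": r["updated"],
                   **({"justification": r["justification"]} if r["justification"] else {})}
                  for r in hits]
    return {"@context": "https://openvex.dev/ns/v0.2.0",
            "@id": "https://example.invalid/vex/query-1",   # placeholder document id
            "author": "constructed example", "version": 1,
            "timestamp": datetime.now(timezone.utc).isoformat(), "statements": statements}
```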

Full reference, response shape, and recipes: docs/api.md.

GET /v1/stats

Vendor / CVE / statement / product-mapping counts.


Open Source

The VEX resolution service is free and open source under Apache 2.0.

View on GitHub