Vulnerability Exploitability eXchange (VEX)

Vulnerability Exploitability eXchange (VEX) reports in Black Duck SCA are machine-readable statements of whether the vulnerabilities reported against a product version are actually exploitable in that version. They give organizations a standard way to tell customers and other stakeholders whether a specific CVE or BDSA affects an offering, without each enquiry being answered by hand.

An SBOM (Software Bill of Materials) is a static declaration of the components in a product release. Vulnerabilities reported against those components after release still have to be assessed for exploitability, and that assessment is what a VEX report carries. The SBOM itself does not change; VEX supplies on-demand status updates for the vulnerabilities of specific project versions.

Important: To take advantage of this feature, you must have Vulnerability Exploitability eXchange (VEX) enabled on your product registration key.

Creating a Global VEX Report

Global VEX reports summarize vulnerabilities across all projects in your Black Duck SCA environment, aiding in high-level assessments and remediation decisions. Follow the steps below to generate a global VEX report:

  1. Log in to Black Duck SCA.

  2. Click the Reports icon.

  3. Click + Create new report. The Create New Report dialog box appears.

  4. Select Vulnerability Exploitability EXchange (VEX): CSAF 2.0 from the Vulnerability Report Type list.

  5. Select any projects from the Projects field.

  6. Select the desired project phases. The report includes an entry for each CVE or BDSA in the selected projects whose Black Duck SCA remediation status is one of the following:

    • Under Investigation
    • Needs Review
    • Known Affected
    • Known Not Affected
    • Remediation Required
    • Remediation Complete
  7. Choose whether to include user-entered vulnerability comments for vulnerabilities that have been remediated.

  8. Click Save to run the report.

    The following links appear when the report completes:

    • csaf-report_YYYY-MM-DD_HHMMSS (time stamp in system timezone) for a global version of the report.

  9. Select the link to view the report.

VEX Report Format

The VEX report uses the CSAF 2.0 VEX profile (profile 5), the industry-standard format for exchanging exploitability statements. The profile records, per vulnerability and per product, one of four product statuses (known_affected, known_not_affected, fixed or under_investigation), so a consumer can see directly which products a vulnerability does not affect. That makes the report a useful artifact for product security teams: it answers customer enquiries about a specific CVE or BDSA with a machine-readable document instead of an ad hoc statement.

Reports are generated in JSON and implement only the minimum elements required by CSAF 2.0 profile 5. Each report includes an entry for each CVE or BDSA in the selected projects whose Black Duck SCA status is one of the following:

  • Under Investigation
  • Needs Review
  • Known Affected
  • Known Not Affected
  • Remediation Required
  • Remediation Complete

VEX Document Metadata

The /document section of the report is populated automatically and structured according to the CSAF 2.0 specification. Its key fields are:

  • Document metadata

    • Category: Set to csaf_vex (cannot be modified).

    • CSAF Version: Set to 2.0 (cannot be modified).

  • Publisher Information

    • Category: Set to vendor (cannot be modified).

    • Name: Taken from the existing Project Group SBOM Creator Organization field. If that field still holds the default value "COMPANY NAME", a warning is shown that the default is in use and should be changed, with the options Cancel or Continue:
      • Cancel: Returns to the report generation screen.
      • Continue: Generates the report using "COMPANY NAME" as the publisher name.
    • Namespace: Taken from the Namespace text field located under the "Person" field in the Project Group SBOM fields. The same Black Duck namespace value populates the namespace field of generated SBOMs (for the SPDX/CycloneDX versions that support it).

  • Additional Document Information

    • Title: Defined by Black Duck and currently not modifiable. The title will read: "Vulnerability status report using the CSAF 2.0 Profile 5 specification."

  • Tracking Information

    • Current Release Date: The date/timestamp of report generation (UTC).

    • ID: The ID will be the CSAF document filename (e.g., csaf-report_all_projects_2025-07-22_143038).

    • Initial Release Date: The timestamp of report creation.

    • Revision History: One entry will be added for the current (latest) information:
      • Date: Report generation date/timestamp (UTC).
      • Number: Hardcoded value of 1 for the version.
      • Summary: Either "Latest information" or "Initial," depending on whether tracking both is necessary.
    • Status: Set to draft. (Future support may be added for the final and interim values defined in section 3.2.1.12.7, Status, of the CSAF 2.0 specification.) CSAF defines draft as a pre-release status intended for the issuing party's internal use or limited external review, so a consumer that filters on tracking status may not treat these reports as published statements; check this before distributing a report externally.

    • Version: Hardcoded value of 1 for the version.

    • Generator Information:

      • Date: Report generation date/timestamp (UTC).
      • Engine:
        • Name: "Black Duck HUB"
        • Version: The version of Black Duck HUB used to generate the report.
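As an added example (not Black Duck's own code or output), the following Python reads a CSAF 2.0 VEX document of the kind this page describes, checks the /document metadata listed above (category, CSAF version, publisher, tracking id and status, generator) together with the per-vulnerability requirements of profile 5, and rolls up the product_status entries per product, which is the "which products are unaffected" view the Report Format section refers to. The embedded document is a constructed sample: its product names, vulnerability identifiers and engine version are placeholders, and the filename pattern expected for the tracking id is inferred from the example id on this page.

```python
"""Consume a CSAF 2.0 VEX (profile 5) document: check /document metadata, roll up status."""
import json
import re
import sys
from collections import defaultdict

VEX_STATUSES = ("fixed", "known_affected", "known_not_affected", "under_investigation")
# Filename-style tracking id, e.g. csaf-report_all_projects_2025-07-22_143038 (assumed pattern)
REPORT_ID_RE = re.compile(r"^csaf-report_(?:.+_)?\d{4}-\d{2}-\d{2}_\d{6}$")

# Constructed sample shaped like the metadata on this page. Product names, engine
# version and vulnerability ids are placeholders, not real findings.
SAMPLE_VEX = {
    "document": {
        "category": "csaf_vex", "csaf_version": "2.0",
        "publisher": {"category": "vendor", "name": "COMPANY NAME",
                      "namespace": "https://example.invalid"},
        "title": "Vulnerability status report using the CSAF 2.0 Profile 5 specification.",
        "tracking": {
            "id": "csaf-report_all_projects_2025-07-22_143038",
            "status": "draft", "version": "1",
            "initial_release_date": "2025-07-22T14:30:38Z",
            "current_release_date": "2025-07-22T14:30:38Z",
            "revision_history": [{"date": "2025-07-22T14:30:38Z", "number": "1", "summary": "Initial"}],
            "generator": {"date": "2025-07-22T14:30:38Z",
                          "engine": {"name": "Black Duck HUB", "version": "0.0.0"}},
        },
    },
    "product_tree": {"full_product_names": [
        {"product_id": "CSAFPID-0001", "name": "example-app 1.2.0"},
        {"product_id": "CSAFPID-0002", "name": "example-app 1.3.0"}]},
    "vulnerabilities": [
        {"cve": "CVE-0000-0001",
         "product_status": {"known_affected": ["CSAFPID-0001"], "fixed": ["CSAFPID-0002"]}},
        {"cve": "CVE-0000-0002",
         "product_status": {"known_not_affected": ["CSAFPID-0001", "CSAFPID-0002"]}},
        {"ids": [{"system_name": "BDSA", "text": "BDSA-0000-0000"}],
         "product_status": {"under_investigation": ["CSAFPID-0002"]}}],
}

def check_metadata(doc):
    """Return warnings about /document against the values this page documents."""
    d = doc.get("document", {})
    pub, t = d.get("publisher", {}), d.get("tracking", {})
    problems = []
    if d.get("category") != "csaf_vex":
        problems.append("document.category must be csaf_vex")
    if d.get("csaf_version") != "2.0":
        problems.append("document.csaf_version must be 2.0")
    if pub.get("category") != "vendor":
        problems.append("publisher.category must be vendor")
    if pub.get("name") == "COMPANY NAME":
        problems.append("publisher.name is the default 'COMPANY NAME'; set the SBOM Creator Organization")
    if not REPORT_ID_RE.match(t.get("id", "")):
        problems.append("tracking.id is not a csaf-report_<date>_<time> filename")
    if t.get("status") == "draft":
        problems.append("tracking.status is draft: CSAF treats the document as a pre-release")
    if t.get("generator", {}).get("engine", {}).get("name") != "Black Duck HUB":
        problems.append("generator.engine.name is not Black Duck HUB")
    return problems

def vuln_id(vuln):
    """CVE if present, otherwise the first alternative id (a BDSA here)."""
    ids = vuln.get("ids") or [{"text": "<no id>"}]
    return vuln.get("cve") or ids[0]["text"]

def check_vulnerabilities(doc):
    """Profile 5 needs an id and at least one VEX product_status per entry."""
    problems = []
    for i, v in enumerate(doc.get("vulnerabilities", [])):
        if "cve" not in v and not v.get("ids"):
            problems.append(f"vulnerabilities[{i}] has neither cve nor ids")
        if not any(s in v.get("product_status", {}) for s in VEX_STATUSES):
            problems.append(f"vulnerabilities[{i}] ({vuln_id(v)}) has no VEX product_status")
    return problems

def status_by_product(doc):
    """Roll up: product name -> VEX status -> sorted vulnerability ids."""
    names = {p["product_id"]: p["name"] for p in doc.get("product_tree", {}).get("full_product_names", [])}
    rollup = defaultdict(lambda: defaultdict(list))
    for v in doc.get("vulnerabilities", []):
        for status in VEX_STATUSES:
            for pid in v.get("product_status", {}).get(status, []):
                rollup[names.get(pid, pid)][status].append(vuln_id(v))
    return {n: {s: sorted(ids) for s, ids in st.items()} for n, st in rollup.items()}

def products_with_status(doc, status):
    """Products carrying the given VEX status for at least one vulnerability."""
    return {n for n, st in status_by_product(doc).items() if status in st}

if __name__ == "__main__":
    doc = SAMPLE_VEX
    if len(sys.argv) > 1:  # pass the downloaded csaf-report_*.json to check a real report
        with open(sys.argv[1], encoding="utf-8") as f:
            doc = json.load(f)
    for problem in check_metadata(doc) + check_vulnerabilities(doc):
        print("WARN:", problem)
    for name, statuses in sorted(status_by_product(doc).items()):
        print(name, json.dumps(statuses, sort_keys=True))
```

Run it with the path of a downloaded csaf-report_*.json to get the same checks on a real report. On the sample it warns about the "COMPANY NAME" default and the draft status, the two conditions the metadata section above calls out, and lists each product with its statuses. Consumers that map Black Duck's remediation statuses onto the four CSAF statuses should do so from the product_status object, not from the comment text, since only product_status is guaranteed by the profile.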