The Binarly Transparency Platform supports the Vulnerability Exploitability eXchange (VEX) formats CycloneDX and OpenVEX. VEX is a specification published by CISA that defines the minimum requirements a format must meet to exchange statements about vulnerabilities and the products they do or do not affect. Binarly's VEX export is accessed through the report interface on the product overview and image overview pages.
The Transparency Platform's VEX report includes all vulnerabilities detected in one product's image. Each statement carries the vulnerability's unique identifiers and description, its status in the Binarly Transparency Platform (BTP) and the CPE identifier of the affected dependency. The following is a single VEX statement in OpenVEX as exported from Binarly (the statement carries no timestamp of its own, so it inherits the timestamp of the enclosing OpenVEX document):

vex-open-vex-example-file.json
{
  "vulnerability": {
    "name": "CVE-2007-2768",
    "description": "OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the existence of certain user accounts, which displays a different response if the user account exists and is configured to use one-time passwords (OTP), a similar issue to CVE-2007-2243.",
    "aliases": [
      "GHSA-7c33-39g7-9rjm"
    ]
  },
  "products": [
    {
      "identifiers": {
        "cpe23": "cpe:2.3:a:openbsd:openssh:10.0p2:*:*:*:*:*:*:*"
      }
    }
  ],
  "status": "under_investigation"
}
A VEX statement names the vulnerability (with an optional description and aliases), the affected product, the remediation status and a timestamp; the statement itself may carry an optional identifier. Thus a VEX statement asserts that a product had a particular vulnerability with a particular remediation status at a particular time. Multiple statements with the same vulnerability and product can exist with different timestamps to describe the timeline of remediation work on that vulnerability; the statement with the latest timestamp reflects the current status. A status of not_affected must be accompanied by a justification, so that consumers can check the reasoning rather than take the claim on trust.

The Binarly Transparency Platform can export VEX statements as OpenVEX or
CycloneDX formatted files.

The CycloneDX format is a comprehensive standard for the software supply chain. It defines a bill of materials that covers software, hardware, services, cryptographic material, machine learning models and other types of assets. A CycloneDX BOM can also contain VEX statements for the software it includes. Choosing CycloneDX as the export format produces an SBOM with embedded VEX statements as one standalone file.

In contrast, the OpenVEX format is a lightweight, embeddable
implementation of the VEX standard. It is purpose-built for VEX statements and does not contain any non-VEX information. It is composable and can cover multiple products or systems.

VEX reports can be requested from the product view's image list, via the image's context menu (the three dots on the right). Selecting the desired VEX format from the context menu starts the download of the report (see below).
VEX reports can be used to rapidly find products that contain components vulnerable to newly disclosed vulnerabilities. CERT teams can use the VEX reporting capability of the Binarly Transparency Platform to obtain vulnerability remediation statuses for products.

OpenVEX and CycloneDX are open formats that can be used to exchange compliance statements with third parties. A VEX report can substantiate claims about up-to-date dependencies and vulnerability remediation efforts.

VEX reports are composable and can be combined to provide a global view of a larger system. Individual components' images are uploaded to the Binarly Transparency Platform and scanned, and their VEX reports are combined to support system-level risk assessment.
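The two ideas above, statement timelines and combining the reports of several images, in working code. This is an added example and not code from Binarly's documentation or product: it reads an OpenVEX document shaped like the statement shown on this page and a CycloneDX BOM with embedded VEX, normalises both into flat statements, keeps the newest statement per (image, vulnerability, component), checks that every not_affected statement has a justification, and lists the images where a given CVE is still open. Both input documents, the image names "image-a" and "image-b", the bom-ref and the CycloneDX-state-to-VEX-status mapping are constructed for the example.

```python
"""Merge VEX exports from several images and ask which products still have a
given CVE open. Example code added for this page, not Binarly's; both input
documents are constructed inline and the image names are invented."""
from dataclasses import dataclass
from datetime import datetime

CPE_OPENSSH = "cpe:2.3:a:openbsd:openssh:10.0p2:*:*:*:*:*:*:*"

# Constructed OpenVEX export (statement shape as in the page's example). Two
# statements cover the same CVE/product pair; the later one supersedes the first.
OPENVEX_IMAGE_A = {
    "@context": "https://openvex.dev/ns/v0.2.0", "@id": "image-a",
    "author": "example", "timestamp": "2024-05-01T10:00:00Z", "version": 1,
    "statements": [
        {"vulnerability": {"name": "CVE-2007-2768", "aliases": ["GHSA-7c33-39g7-9rjm"]},
         "products": [{"identifiers": {"cpe23": CPE_OPENSSH}}],
         "status": "under_investigation"},      # no timestamp: inherits the document's
        {"vulnerability": {"name": "CVE-2007-2768"},
         "products": [{"identifiers": {"cpe23": CPE_OPENSSH}}],
         "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path",
         "timestamp": "2024-05-03T09:00:00Z"},
    ],
}

# Constructed CycloneDX export for a second image: VEX sits in vulnerabilities[]
# and affects[].ref points at a component's bom-ref.
CDX_IMAGE_B = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"timestamp": "2024-05-02T12:00:00Z",
                 "component": {"type": "container", "name": "image-b"}},
    "components": [{"type": "library", "bom-ref": "openssh-10.0p2", "name": "openssh",
                    "version": "10.0p2", "cpe": CPE_OPENSSH}],
    "vulnerabilities": [{"id": "CVE-2007-2768", "affects": [{"ref": "openssh-10.0p2"}],
                         "analysis": {"state": "in_triage"}}],
}

# CycloneDX analysis.state -> VEX status; this mapping is the example's own choice.
CDX_STATE_TO_VEX = {"exploitable": "affected", "in_triage": "under_investigation",
                    "resolved": "fixed", "resolved_with_pedigree": "fixed",
                    "not_affected": "not_affected", "false_positive": "not_affected"}
OPEN_STATUSES = {"affected", "under_investigation"}  # still needs work


@dataclass(frozen=True)
class Statement:
    source: str         # report/image the statement came from
    vuln: str           # vulnerability id
    product: str        # component identifier (CPE here)
    status: str         # VEX status
    timestamp: datetime
    justification: str = ""


def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def from_openvex(doc):
    """Flatten an OpenVEX document into Statement records."""
    out = []
    for st in doc["statements"]:
        ts = parse_ts(st.get("timestamp", doc["timestamp"]))  # spec default
        for prod in st["products"]:
            ident = prod.get("identifiers", {}).get("cpe23") or prod["@id"]
            out.append(Statement(doc["@id"], st["vulnerability"]["name"], ident,
                                 st["status"], ts, st.get("justification", "")))
    return out


def from_cyclonedx(doc):
    """Flatten the VEX embedded in a CycloneDX BOM into Statement records."""
    source, ts = doc["metadata"]["component"]["name"], parse_ts(doc["metadata"]["timestamp"])
    by_ref = {c["bom-ref"]: c for c in doc["components"]}
    out = []
    for v in doc.get("vulnerabilities", []):
        analysis = v["analysis"]
        for a in v["affects"]:
            comp = by_ref[a["ref"]]  # resolve the bom-ref to the component
            out.append(Statement(source, v["id"], comp.get("cpe", a["ref"]),
                                 CDX_STATE_TO_VEX[analysis["state"]], ts,
                                 analysis.get("justification", "")))
    return out


def missing_justification(statements):
    """VEX requires every not_affected statement to carry a justification."""
    return [s for s in statements if s.status == "not_affected" and not s.justification]


def latest_status(statements):
    """Collapse the remediation timeline: newest statement per (source, vuln, product) wins."""
    latest = {}
    for s in sorted(statements, key=lambda s: s.timestamp):
        latest[(s.source, s.vuln, s.product)] = s
    return latest


def exposed_products(latest, cve):
    """Products whose most recent statement for `cve` is still open."""
    return sorted((s.source, s.product, s.status) for s in latest.values()
                  if s.vuln == cve and s.status in OPEN_STATUSES)


if __name__ == "__main__":
    stmts = from_openvex(OPENVEX_IMAGE_A) + from_cyclonedx(CDX_IMAGE_B)
    for src, prod, status in exposed_products(latest_status(stmts), "CVE-2007-2768"):
        print(f"{src}: {prod} -> {status}")
```

Run as-is it reports only image-b as still open: image-a's later not_affected statement supersedes its earlier under_investigation one, which is exactly the timeline semantics described above. Keying on (image, vulnerability, component) rather than on the component alone matters when combining reports, because the same dependency in two images can legitimately carry two different statuses.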