The Binary Transparency Platform supports Vulnerability Exploitability Exchange (VEX) formats CycloneDX and OpenVEX. VEX is a specification published by CISA that defines requirements for formats to exchange statements about vulnerabilities and products. Binarly’s VEX export is accessed through the report interface on the product overview and image overview pages.

Key Features

The Transparency Platform’s VEX report includes all vulnerabilities detected in one product’s image. The statements include the vulnerability’s unique identifiers, description, its status in BTP and the affected dependency’s CPE identifier. The following is a single VEX statement in OpenVEX as it’s exported from Binarly.
vex-open-vex-example-file.json
{
  "vulnerability": {
    "name": "CVE-2007-2768",
    "description": "OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the existence of certain user accounts, which displays a different response if the user account exists and is configured to use one-time passwords (OTP), a similar issue to CVE-2007-2243.",
    "aliases": [
      "GHSA-7c33-39g7-9rjm"
    ]
  },
  "products": [
    {
      "identifiers": {
        "cpe23": "cpe:2.3:a:openbsd:openssh:10.0p2:*:*:*:*:*:*:*"
      }
    }
  ],
  "status": "under_investigation"
}
VEX statements consist of a vulnerability description, an optional identifier, the vulnerability’s remediation status, the affected product and a timestamp. A VEX statement therefore asserts that a product had a particular vulnerability with a particular remediation status at a particular time. Multiple statements with the same vulnerability and product can exist with different timestamps to describe the timeline of remediation work on a vulnerability.

The Binarly Transparency Platform can export VEX statements as OpenVEX or CycloneDX formatted files. The CycloneDX format is a comprehensive standard for the software supply chain. It defines a bill of materials that covers software, hardware, services, cryptographic material, machine learning models and other types of assets. A CycloneDX BOM can also contain VEX statements for the software it includes, so choosing CycloneDX as the export format produces an SBOM with embedded VEX statements as one standalone file. In contrast, the OpenVEX format is a lightweight, embeddable implementation of the VEX standard. It is purpose-built for VEX statements and does not contain any non-VEX information. It is composable and can cover multiple products or systems.

VEX reports can be requested from the product view’s image list via the image’s context menu (reachable through the three dots on the right). Selecting the desired VEX format from the context menu starts the download of the report (see below).

VEX options in the image context menu.

Use Cases

Incident Response

VEX reports can be used to rapidly find products that contain components affected by newly disclosed vulnerabilities. CERT members can use the VEX reporting capability of the Binarly Transparency Platform to obtain vulnerability remediation statuses for products.

Third Party Compliance Reporting

OpenVEX and CycloneDX are open formats that can be used to exchange technical compliance statements with third parties. A VEX report can substantiate claims about up-to-date dependencies and vulnerability remediation efforts.

System or Fleet-wide Risk Assessment

VEX reports are composable and can be combined to provide a global view of a larger system. Individual components’ images are uploaded to the Binarly Transparency Platform and scanned, and their VEX reports are combined to support system-level risk assessment.
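The incident response and fleet-wide use cases above both come down to the same operation: merging several OpenVEX reports, resolving the newest statement per vulnerability/product pair (the timeline semantics described earlier), and then querying by CVE or alias. The following is an added example and not Binarly’s own code; the report documents are constructed to match the statement shape shown above, and the second CPE is hypothetical.

```python
from datetime import datetime

VALID_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}

def parse_ts(value):
    # OpenVEX uses RFC 3339 timestamps; a trailing "Z" is normalised for fromisoformat.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def merge_openvex(documents):
    """Return {(cve_name, cpe23): (status, timestamp)}, keeping only the newest statement
    per vulnerability/product pair. A statement without its own timestamp inherits
    the document timestamp, as the OpenVEX spec allows."""
    latest = {}
    for doc in documents:
        for stmt in doc["statements"]:
            status = stmt["status"]
            if status not in VALID_STATUSES:
                raise ValueError(f"unknown VEX status: {status!r}")
            ts = parse_ts(stmt.get("timestamp", doc["timestamp"]))
            for product in stmt["products"]:
                key = (stmt["vulnerability"]["name"], product["identifiers"]["cpe23"])
                if key not in latest or ts > latest[key][1]:
                    latest[key] = (status, ts)
    return latest

def find_products(documents, identifier):
    """Incident-response query: every product with a statement about `identifier`
    (a CVE name or an alias such as a GHSA id), mapped to its current status."""
    names = {s["vulnerability"]["name"] for d in documents for s in d["statements"]
             if identifier == s["vulnerability"]["name"]
             or identifier in s["vulnerability"].get("aliases", [])}
    return {cpe: status for (name, cpe), (status, _) in merge_openvex(documents).items()
            if name in names}

# Constructed sample reports (not real Binarly output): two scans of one product image
# plus a second product, using the statement shape shown above. OTHER_CPE is hypothetical.
OPENSSH_CPE = "cpe:2.3:a:openbsd:openssh:10.0p2:*:*:*:*:*:*:*"
OTHER_CPE = "cpe:2.3:a:example:firmware-agent:1.2.0:*:*:*:*:*:*:*"
VULN = {"name": "CVE-2007-2768", "aliases": ["GHSA-7c33-39g7-9rjm"]}
REPORTS = [
    {"timestamp": "2024-05-01T00:00:00Z", "statements": [
        {"vulnerability": VULN, "status": "under_investigation",
         "products": [{"identifiers": {"cpe23": OPENSSH_CPE}}]}]},
    {"timestamp": "2024-06-15T00:00:00Z", "statements": [
        {"vulnerability": VULN, "status": "not_affected", "timestamp": "2024-06-15T12:00:00Z",
         "products": [{"identifiers": {"cpe23": OPENSSH_CPE}}]},
        {"vulnerability": VULN, "status": "affected",
         "products": [{"identifiers": {"cpe23": OTHER_CPE}}]}]},
]
```

Querying by the GHSA alias resolves the OpenSSH product to `not_affected` (the newer statement wins over the earlier `under_investigation`) and the second product to `affected`.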