Vulnerability Exploitability EXchange (VEX)
Vulnerability Exploitability eXchange (VEX) reports in Black Duck offer a standardized way to communicate the exploitability status of vulnerabilities in your products. These machine-readable reports help organizations efficiently inform stakeholders about whether specific vulnerabilities affect their offerings.
An SBOM (Software Bill of Materials) serves as a static declaration of components in a product release. After release, it's important to determine the exploitability of any vulnerabilities, and VEX reports facilitate this process. While the SBOM content remains unchanged, VEX allows for on-demand updates regarding the status of vulnerabilities for specific project versions.
By using the CSAF 2.0 (profile 5) format, Black Duck aligns with industry standards for vulnerability reporting. VEX clarifies which products are unaffected by vulnerabilities, making it a valuable tool for product security teams. This feature enhances communication regarding security risks, ensuring that organizations can respond effectively to customer inquiries and maintain a strong security posture.
Creating a Vulnerability Exploitability EXchange (VEX) report
To create a Vulnerability Exploitability EXchange (VEX) report:
- Log in to Black Duck SCA.
- Click .
- Click + Create new report. The Create New Report dialog box appears.
- Select Vulnerability Exploitability EXchange (VEX): CSAF 2.0 from the Vulnerability Report Type list.
- Select any projects from the Projects field.
- Select the desired project phases. The VEX report will include an entry for each CVE or BDSA within the selected project(s) as long as they have one of the following BD status values:
  - Under Investigation
  - Needs Review
  - Known Affected
  - Known Not Affected
  - Remediation Required
  - Remediation Complete
- Select whether to include user-generated vulnerability comments when a vulnerability is remediated.
- Click Save to run the report. The following links appear when the report completes:
  - csaf-report_YYYY-MM-DD_HHMMSS (time stamp in system timezone) for a global version of the report.
- Select the link to view the report.
The report(s) will be in CSAF v2, profile 5 format, implementing only the minimum required elements for this document. The report file format will be JSON only, as VEX is intended to be machine-readable. It will include an entry for each CVE or BDSA within the selected project(s) as long as they have one of the following BD status values:
- Under Investigation
- Needs Review
- Known Affected
- Known Not Affected
- Remediation Required
- Remediation Complete
VEX Document Metadata
The VEX report includes essential metadata that is automatically populated and structured according to the CSAF 2.0 specifications. Below are the key elements of the VEX document metadata:
- Document metadata
  - Category: Set to csaf_vex (cannot be modified).
  - CSAF Version: Set to 2.0 (cannot be modified).
- Publisher Information
  - Category: Set to vendor (cannot be modified).
  - Name: Uses the value from the existing Project Group SBOM Creator Organization field. If this field is set to the default value of "COMPANY NAME," a warning is generated indicating that the default value is being used and should be changed. Users have the option to Cancel or Continue:
    - Cancel: Returns to the report generation screen.
    - Continue: Generates the report using "COMPANY NAME" as the publisher name.
  - Namespace: A new text field will be added under the "Person" field in the Project Group SBOM fields for the Namespace. SBOM generation will use the BD namespace value to populate the namespace field in the SBOMs (for applicable SPDX/CycloneDX versions).
- Additional Document Information
  - Title: Defined by Black Duck and currently not modifiable. The title reads: "Vulnerability status report using the CSAF 2.0 Profile 5 specification."
- Tracking Information
  - Current Release Date: The date/timestamp of report generation (UTC).
  - ID: The CSAF document filename (e.g., csaf-report_all_projects_2025-07-22_143038).
  - Initial Release Date: The timestamp of report creation.
  - Revision History: One entry is added for the current (latest) information:
    - Date: Report generation date/timestamp (UTC).
    - Number: Hardcoded value of 1 for the version.
    - Summary: Either "Latest information" or "Initial," depending on whether tracking both is necessary.
  - Status: Set to draft. (Note: Future support may be added for the final and interim options, as referenced in section 3.2.1.12.7 of the CSAF 2.0 specification.)
  - Version: Hardcoded value of 1 for the version.
  - Generator Information:
    - Date: Report generation date/timestamp (UTC).
    - Engine:
      - Name: "Black Duck HUB"
      - Version: The version of Black Duck HUB used to generate the report.
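As an added example (not Black Duck code), the following consumer-side check turns the metadata described above into assertions a downstream team can run on a received VEX file: the fixed category, CSAF version, publisher category and draft status, the tracking ID in the csaf-report filename form, a single revision 1, and the default "COMPANY NAME" publisher that the UI only warns about. The sample document, the placeholder namespace and the engine version string are constructed for the example.

```python
import re
from datetime import datetime

EXPECTED = {  # fixed values the description above says Black Duck always emits
    ("document", "category"): "csaf_vex",
    ("document", "csaf_version"): "2.0",
    ("document", "publisher", "category"): "vendor",
    ("document", "tracking", "status"): "draft",
}
# Tracking ID is the report filename: csaf-report[_<scope>]_YYYY-MM-DD_HHMMSS
ID_RE = re.compile(r"^csaf-report_(?:.+_)?(\d{4}-\d{2}-\d{2}_\d{6})$")

def _get(doc, *path):
    """Walk nested dict keys; return None if any key is missing."""
    for key in path:
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc

def parse_report_id(report_id):
    """Naive timestamp (system time zone per the docs) from a csaf-report_* ID, else None."""
    m = ID_RE.match(report_id or "")
    return datetime.strptime(m.group(1), "%Y-%m-%d_%H%M%S") if m else None

def check_vex_metadata(doc):
    """Findings for a parsed CSAF VEX document; an empty list means it looks clean."""
    findings = [f"{'.'.join(p)}: expected {want!r}, got {_get(doc, *p)!r}"
                for p, want in EXPECTED.items() if _get(doc, *p) != want]
    # The UI only warns about the default publisher name; a consumer should flag it too.
    if _get(doc, "document", "publisher", "name") == "COMPANY NAME":
        findings.append("publisher.name is the unchanged default 'COMPANY NAME'")
    tracking = _get(doc, "document", "tracking") or {}
    if parse_report_id(tracking.get("id")) is None:
        findings.append(f"tracking.id {tracking.get('id')!r} is not a csaf-report filename")
    if tracking.get("version") != "1" or len(tracking.get("revision_history", [])) != 1:
        findings.append("tracking.version/revision_history do not describe a single revision 1")
    return findings

def sample_doc(publisher_name="COMPANY NAME"):
    """Constructed sample shaped like the metadata above (not a real Black Duck export)."""
    ts = "2025-07-22T14:30:38Z"
    return {"document": {
        "category": "csaf_vex", "csaf_version": "2.0",
        "publisher": {"category": "vendor", "name": publisher_name,
                      "namespace": "https://vendor.example"},  # placeholder namespace
        "title": "Vulnerability status report using the CSAF 2.0 Profile 5 specification.",
        "tracking": {"id": "csaf-report_all_projects_2025-07-22_143038", "status": "draft",
                     "version": "1", "initial_release_date": ts, "current_release_date": ts,
                     "revision_history": [{"date": ts, "number": "1", "summary": "Initial"}],
                     "generator": {"date": ts, "engine": {"name": "Black Duck HUB", "version": "x"}}}}}
```

Run `check_vex_metadata(json.load(f))` on a real export; any non-empty result means the file does not match the documented shape and should be reviewed before it is forwarded to customers.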