From a4a3d6d89433e46149fd7846f61946803d1b64fb Mon Sep 17 00:00:00 2001
From: Hubtrick-Git
Date: Thu, 11 Jun 2026 15:53:34 +0200
Subject: [PATCH 1/6] added vex explanation page

---
 .../vulnerability-management/_meta.ts | 3 +++
 .../vulnerability-management-overview.mdx | 1 +
 .../vulnerability-management/what-is-vex.mdx | 24 +++++++++++++++++++
 3 files changed, 28 insertions(+)
 create mode 100644 src/pages/explanations/vulnerability-management/what-is-vex.mdx

diff --git a/src/pages/explanations/vulnerability-management/_meta.ts b/src/pages/explanations/vulnerability-management/_meta.ts
index 4ac8162..177062e 100644
--- a/src/pages/explanations/vulnerability-management/_meta.ts
+++ b/src/pages/explanations/vulnerability-management/_meta.ts
@@ -17,6 +17,9 @@ export default {
   'mitigation-strategies': {
     title: 'Mitigation Strategies & VEX Rules',
   },
+  'what-is-vex': {
+    title: 'What is VEX',
+  },
   'false-positive-detection': {
     title: 'False Positives',
   },
diff --git a/src/pages/explanations/vulnerability-management/vulnerability-management-overview.mdx b/src/pages/explanations/vulnerability-management/vulnerability-management-overview.mdx
index 374a9a6..ae316fb 100644
--- a/src/pages/explanations/vulnerability-management/vulnerability-management-overview.mdx
+++ b/src/pages/explanations/vulnerability-management/vulnerability-management-overview.mdx
@@ -142,6 +142,7 @@ The result is that vulnerability management — and the evidence required to pro
 - [Risk Assessment Methodology](/explanations/vulnerability-management/risk-assessment-methodology/) — how DevGuard combines CVSS, EPSS, and context
 - [Vulnerability Matching](/explanations/vulnerability-management/vulnerability-matching/) — how findings are mapped to CVEs
 - [Mitigation Strategies](/explanations/vulnerability-management/mitigation-strategies/) — patching, dependency upgrades, VEX, and compensating controls
+- [What is VEX](/explanations/vulnerability-management/what-is-vex/) — exchanging exploitability information for vulnerabilities
 - [False Positives](/explanations/vulnerability-management/false-positive-detection/) — handling noise without losing real risks
 - [DevGuard & Compliance Frameworks](/explanations/compliance/why-compliance-matters/) — mapping vulnerability management to CRA, NIS2, ISO 27001
 - [CRA Compliance with DevGuard](https://devguard.org/cra_compliance) — how DevGuard maps to Cyber Resilience Act requirements
diff --git a/src/pages/explanations/vulnerability-management/what-is-vex.mdx b/src/pages/explanations/vulnerability-management/what-is-vex.mdx
new file mode 100644
index 0000000..59945c8
--- /dev/null
+++ b/src/pages/explanations/vulnerability-management/what-is-vex.mdx
@@ -0,0 +1,24 @@
+---
+title: What is VEX
+description: "A description of the VEX standard"
+seo:
+  robots: index,follow
+  og:
+    image: /og-image.png
+    type: article
+  schema:
+    type: TechArticle
+    keyword_primary: vulnerabilities vex
+lang: en-US
+ignoreChecks: null
+---
+
+# What is VEX
+
+VEX stands for Vulnerability Exploitability eXchange. In other words, VEX is about exchanging exploitability information for vulnerabilities found in a product. Common security advisory formats answer the question of *what* vulnerabilities are present in a product. VEX complements this by answering whether the product is *actually affected* by a given vulnerability.
+
+In today's vulnerability landscape, many findings reported by scanners turn out not to be exploitable in practice. This can have different causes, for example the vulnerable code may not be present, or it exists but is never reached during execution. VEX gives vendors a way to share exactly this kind of information with their customers (status: `not_affected`, plus a justification such as "vulnerable code not in execution path"), cutting down on noise and alert fatigue.
+
+But VEX isn't limited to "not affected" statuses. If a vulnerability does affect a product, this can be communicated as well (status: `affected`), together with mitigation steps such as upgrading to a patched version. Similarly, if a vulnerability has already been fixed (`fixed`) or is still being analyzed (`under_investigation`), this can also be expressed via VEX.
+
+Being machine-readable, VEX documents can be integrated into existing tooling and pipelines and consumed automatically by customers, for example alongside an SBOM: the SBOM tells you what's in a product, VEX tells you whether any of it is actually a problem.
\ No newline at end of file

From d4d2f7b28ac1c6db7adf03cd12fe97e536e4a71f Mon Sep 17 00:00:00 2001
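Review bot: The sidebar label `title: 'What is VEX',` added to `_meta.ts` here is not kept in sync with the later patch 5/6 of this series, which renames the page's front-matter `title` and H1 to "What is a VEX Report"; the overview bullet added in the next hunk (`[What is VEX](/explanations/vulnerability-management/what-is-vex/)`) has the same drift. Once the series is applied, the navigation entry, the overview link text and the page heading would show two different names for one page. Either update this entry to `title: 'What is a VEX Report',` (and the overview link text) in the renaming patch, or keep the page title as 'What is VEX' throughout. The `export default {` object this entry belongs to continues outside the hunk.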
From: Hubtrick-Git
Date: Wed, 17 Jun 2026 14:27:39 +0200
Subject: [PATCH 2/6] overhauled what is vex with a first sketch of a new page structure

---
 .../vulnerability-management/what-is-vex.mdx | 58 +++++++++++++++++--
 1 file changed, 53 insertions(+), 5 deletions(-)

diff --git a/src/pages/explanations/vulnerability-management/what-is-vex.mdx b/src/pages/explanations/vulnerability-management/what-is-vex.mdx
index 59945c8..4e04144 100644
--- a/src/pages/explanations/vulnerability-management/what-is-vex.mdx
+++ b/src/pages/explanations/vulnerability-management/what-is-vex.mdx
@@ -13,12 +13,60 @@ lang: en-US
 ignoreChecks: null
 ---
-# What is VEX
+## Where does VEX originate from
 
-VEX stands for Vulnerability Exploitability eXchange. In other words, VEX is about exchanging exploitability information for vulnerabilities found in a product. Common security advisory formats answer the question of *what* vulnerabilities are present in a product. VEX complements this by answering whether the product is *actually affected* by a given vulnerability.
+Modern software depends on layers of third-party libraries, creating a real challenge around understanding
+what components are in use and what risks they carry. The industry has developed solid infrastructure for
+this: Software Bills of Materials (SBOMs) inventory a product's components, and Software Composition
+Analysis (SCA) tools cross-reference those inventories against vulnerability databases like the NVD or OSV,
+surfacing any component version with a known CVE.
 
-In today's vulnerability landscape, many findings reported by scanners turn out not to be exploitable in practice. This can have different causes, for example the vulnerable code may not be present, or it exists but is never reached during execution. VEX gives vendors a way to share exactly this kind of information with their customers (status: `not_affected`, plus a justification such as "vulnerable code not in execution path"), cutting down on noise and alert fatigue.
+But this pipeline has a fundamental limitation it answers the question of what vulnerabilities exist *in
+the components your product uses*, not whether those vulnerabilities actually affect *your product*. A CVE
+describes a flaw in a library in the abstract. Whether that flaw poses real risk in a specific product
+depends on factors the database cannot know: Is the vulnerable code included in the final build? Is it ever
+reached during execution? Does the surrounding environment neutralize the threat?
 
-But VEX isn't limited to "not affected" statuses. If a vulnerability does affect a product, this can be communicated as well (status: `affected`), together with mitigation steps such as upgrading to a patched version. Similarly, if a vulnerability has already been fixed (`fixed`) or is still being analyzed (`under_investigation`), this can also be expressed via VEX.
+The consequence is a high rate of false positives. Findings that look alarming often turn out not to apply —
+the vulnerable function is stripped from the production artifact, the affected code path is never enabled,
+the exploit requires network access to a service that isn't exposed. At scale, security teams work through
+hundreds of such findings per release cycle, most leading nowhere. The noise erodes trust in tooling and
+makes it structurally difficult to act on the vulnerabilities that genuinely matter.
 
-Being machine-readable, VEX documents can be integrated into existing tooling and pipelines and consumed automatically by customers, for example alongside an SBOM: the SBOM tells you what's in a product, VEX tells you whether any of it is actually a problem.
\ No newline at end of file
+VEX emerged as a direct response to this gap. Where the existing ecosystem tells you *what vulnerabilities
+are present* in a product's components, VEX provides a standardized way to communicate *whether those
+vulnerabilities are actually exploitable* in a specific product — giving vendors and maintainers a format to
+share the analysis they already perform internally, but have historically had no standard way to distribute.
+
+## What is the VEX standard
+
+A VEX document is a machine-readable assertion about the relationship between a specific product and a
+specific vulnerability. Where a CVE entry describes a flaw in a library, a VEX statement answers a
+different question: does that flaw apply to *this* product, in *this* version, as shipped? The distinction
+matters because the same vulnerability might affect one vendor's product while being completely irrelevant
+to another's, even when both include the same underlying library. VEX gives vendors a standardized way to
+make that context explicit, rather than leaving each consumer to re-derive the same analysis independently.
+
+The core of a VEX statement is a status, one of four values that together cover the complete space of how a
+product can relate to a known vulnerability. A product might not be affected at all, might be affected and
+require action, might already have a fix in place, or might still be under investigation. These are not
+arbitrary categories; they map directly to the real states a security team works through when a new CVE
+lands. Under investigation is where every triage starts. Not affected, affected, and fixed are where it
+ends. The design reflects the actual workflow of vulnerability response, not an abstract taxonomy.
+
+The most carefully considered part of the standard is what happens when a vendor claims not_affected. That
+status requires a justification, a machine-readable explanation of *why* the product isn't vulnerable. The
+standard defines a set of valid justification labels: the vulnerable component isn't present in the build,
+the vulnerable code is present but never executed, the behavior is neutralized by environment or
+configuration. This requirement exists because not_affected is the hardest assertion to verify from the
+outside. Without a justification, it is an ungrounded declaration. With one, it becomes something that can
+be audited, challenged, and trusted.
+
+VEX is a concept before it is a format. In practice it is implemented across three specifications: CSAF
+VEX, CycloneDX VEX, and OpenVEX, each with its own encoding, tooling ecosystem, and design philosophy.
+CSAF, developed by OASIS, is the most comprehensive and suits organizations distributing formal security
+advisories. CycloneDX embeds VEX data directly into its SBOM structure, keeping component inventory and
+exploitability information together. OpenVEX is the most minimal of the three, designed to be lightweight
+and embeddable across formats. All three share the same fundamental data model: product, vulnerability,
+status and justification, which means the underlying information translates across them, even if toolchain
+interoperability remains imperfect in practice.

From d15416836b7e53766eeb9a8a72289f0626343442 Mon Sep 17 00:00:00 2001
From: Hubtrick-Git
Date: Wed, 17 Jun 2026 15:24:49 +0200
Subject: [PATCH 3/6] added corss links and related section to page. Added hands on /next steps section as well

---
 .../vulnerability-management/what-is-vex.mdx | 53 ++++++++++++++-----
 1 file changed, 40 insertions(+), 13 deletions(-)

diff --git a/src/pages/explanations/vulnerability-management/what-is-vex.mdx b/src/pages/explanations/vulnerability-management/what-is-vex.mdx
index 4e04144..a68b1b1 100644
--- a/src/pages/explanations/vulnerability-management/what-is-vex.mdx
+++ b/src/pages/explanations/vulnerability-management/what-is-vex.mdx
@@ -13,30 +13,40 @@ lang: en-US
 ignoreChecks: null
 ---
+# What is VEX
+
+**VEX (Vulnerability Exploitability eXchange)** is a standard for communicating whether a known
+vulnerability actually affects a specific product. This page explains the problem it solves, the design of
+the standard, and the formats it is implemented in.
+
 ## Where does VEX originate from
 
 Modern software depends on layers of third-party libraries, creating a real challenge around understanding
 what components are in use and what risks they carry. The industry has developed solid infrastructure for
-this: Software Bills of Materials (SBOMs) inventory a product's components, and Software Composition
-Analysis (SCA) tools cross-reference those inventories against vulnerability databases like the NVD or OSV,
+this: [Software Bills of Materials (SBOMs)](/explanations/explaining-sboms) inventory a product's
+components, and [Software Composition Analysis (SCA)](/explanations/devsecops/software-composition-analysis)
+tools cross-reference those inventories against vulnerability databases like the NVD or OSV,
 surfacing any component version with a known CVE.
 
-But this pipeline has a fundamental limitation it answers the question of what vulnerabilities exist *in
+But this pipeline has a fundamental limitation: it answers the question of what vulnerabilities exist *in
 the components your product uses*, not whether those vulnerabilities actually affect *your product*. A CVE
 describes a flaw in a library in the abstract. Whether that flaw poses real risk in a specific product
 depends on factors the database cannot know: Is the vulnerable code included in the final build? Is it ever
 reached during execution? Does the surrounding environment neutralize the threat?
 
-The consequence is a high rate of false positives. Findings that look alarming often turn out not to apply —
+The consequence is a high rate of [false positives](/explanations/vulnerability-management/false-positive-detection). Findings that look alarming often turn out not to apply —
 the vulnerable function is stripped from the production artifact, the affected code path is never enabled,
 the exploit requires network access to a service that isn't exposed. At scale, security teams work through
 hundreds of such findings per release cycle, most leading nowhere. The noise erodes trust in tooling and
 makes it structurally difficult to act on the vulnerabilities that genuinely matter.
 
-VEX emerged as a direct response to this gap. Where the existing ecosystem tells you *what vulnerabilities
-are present* in a product's components, VEX provides a standardized way to communicate *whether those
-vulnerabilities are actually exploitable* in a specific product — giving vendors and maintainers a format to
-share the analysis they already perform internally, but have historically had no standard way to distribute.
+VEX — short for Vulnerability Exploitability eXchange — emerged as a direct response to this gap. The
+concept grew out of the NTIA's Software Component Transparency working group around 2020 and is now
+stewarded by CISA as part of its broader SBOM effort. Where the existing ecosystem tells you *what
+vulnerabilities are present* in a product's components, VEX provides a standardized way to communicate
+*whether those vulnerabilities actually affect* a specific product — giving vendors and maintainers a format
+to share the analysis they already perform internally, but have historically had no standard way to
+distribute.
 
 ## What is the VEX standard
 
@@ -56,17 +66,34 @@ ends. The design reflects the actual workflow of vulnerability response, not an
 
 The most carefully considered part of the standard is what happens when a vendor claims not_affected. That
 status requires a justification, a machine-readable explanation of *why* the product isn't vulnerable. The
-standard defines a set of valid justification labels: the vulnerable component isn't present in the build,
-the vulnerable code is present but never executed, the behavior is neutralized by environment or
-configuration. This requirement exists because not_affected is the hardest assertion to verify from the
+standard defines five valid justification labels: the vulnerable component isn't present in the build, the
+component is present but the vulnerable code isn't, the vulnerable code is present but never reached during
+execution, the vulnerable code can't be controlled by an adversary, or an inline mitigation already
+neutralizes the threat. This requirement exists because not_affected is the hardest assertion to verify from the
 outside. Without a justification, it is an ungrounded declaration. With one, it becomes something that can
 be audited, challenged, and trusted.
 
 VEX is a concept before it is a format. In practice it is implemented across three specifications: CSAF
 VEX, CycloneDX VEX, and OpenVEX, each with its own encoding, tooling ecosystem, and design philosophy.
-CSAF, developed by OASIS, is the most comprehensive and suits organizations distributing formal security
-advisories. CycloneDX embeds VEX data directly into its SBOM structure, keeping component inventory and
+[CSAF](/explanations/compliance/csaf-vex-explained), developed by OASIS, is the most comprehensive and
+suits organizations distributing formal security advisories.
+[CycloneDX](/explanations/compliance/sbom-standards) embeds VEX data directly into its SBOM structure,
+keeping component inventory and
 exploitability information together. OpenVEX is the most minimal of the three, designed to be lightweight
 and embeddable across formats. All three share the same fundamental data model: product, vulnerability,
 status and justification, which means the underlying information translates across them, even if toolchain
 interoperability remains imperfect in practice.
+
+## VEX in DevGuard
+
+DevGuard treats VEX as a built-in part of the vulnerability workflow: you record a status and justification
+on a finding during triage, and DevGuard stores it as machine-readable VEX that can be exported or consumed
+from upstream suppliers. For the hands-on steps, see the how-to guide on
+[generating VEX documents](/how-to-guides/compliance/generate-vex-documents).
+
+## Related Documentation
+
+- [CSAF & VEX Standards](/explanations/compliance/csaf-vex-explained) — how the CSAF and CycloneDX VEX formats are structured, and how DevGuard publishes and consumes them
+- [Vulnerability Lifecycle](/explanations/vulnerability-management/vulnerability-lifecycle) — how VEX states map onto the states a vulnerability moves through
+- [False Positive Detection](/explanations/vulnerability-management/false-positive-detection) — the false-positive problem VEX is designed to address
+- [External Vulnerability Sync](/explanations/vulnerability-management/external-vuln-sync) — importing and exporting vulnerability assessments

From f58ebb4b58279d655b77290fd9f65bef75ad5b60 Mon Sep 17 00:00:00 2001
From: Hubtrick-Git
Date: Wed, 17 Jun 2026 15:50:13 +0200
Subject: [PATCH 4/6] final touches

---
 .../vulnerability-management/what-is-vex.mdx | 20 ++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/src/pages/explanations/vulnerability-management/what-is-vex.mdx b/src/pages/explanations/vulnerability-management/what-is-vex.mdx
index a68b1b1..aa4d87e 100644
--- a/src/pages/explanations/vulnerability-management/what-is-vex.mdx
+++ b/src/pages/explanations/vulnerability-management/what-is-vex.mdx
@@ -1,6 +1,6 @@
 ---
 title: What is VEX
-description: "A description of the VEX standard"
+description: "Understand the VEX standard for vulnerabilities — the problem it solves, its status values and justifications, and the CSAF, CycloneDX, and OpenVEX formats."
 seo:
   robots: index,follow
   og:
@@ -49,30 +49,32 @@ to share the analysis they already perform internally, but have historically had
 distribute.
 
 ## What is the VEX standard
- 
+
 A VEX document is a machine-readable assertion about the relationship between a specific product and a
 specific vulnerability. Where a CVE entry describes a flaw in a library, a VEX statement answers a
 different question: does that flaw apply to *this* product, in *this* version, as shipped? The distinction
 matters because the same vulnerability might affect one vendor's product while being completely irrelevant
 to another's, even when both include the same underlying library. VEX gives vendors a standardized way to
 make that context explicit, rather than leaving each consumer to re-derive the same analysis independently.
- 
+
 The core of a VEX statement is a status, one of four values that together cover the complete space of how a
 product can relate to a known vulnerability. A product might not be affected at all, might be affected and
 require action, might already have a fix in place, or might still be under investigation. These are not
 arbitrary categories; they map directly to the real states a security team works through when a new CVE
 lands. Under investigation is where every triage starts. Not affected, affected, and fixed are where it
 ends. The design reflects the actual workflow of vulnerability response, not an abstract taxonomy.
- 
-The most carefully considered part of the standard is what happens when a vendor claims not_affected. That
-status requires a justification, a machine-readable explanation of *why* the product isn't vulnerable. The
+
+The most carefully considered part of the standard is what happens when a vendor claims a product is not
+affected. That status requires a justification, a machine-readable explanation of *why* the product isn't
+vulnerable.
The standard defines five valid justification labels: the vulnerable component isn't present in the build, the component is present but the vulnerable code isn't, the vulnerable code is present but never reached during execution, the vulnerable code can't be controlled by an adversary, or an inline mitigation already -neutralizes the threat. This requirement exists because not_affected is the hardest assertion to verify from the -outside. Without a justification, it is an ungrounded declaration. With one, it becomes something that can +neutralizes the threat. This requirement exists because a not-affected claim is the hardest assertion to +verify from the outside. Without a justification, it is an ungrounded declaration. With one, it becomes +something that can be audited, challenged, and trusted. - + VEX is a concept before it is a format. In practice it is implemented across three specifications: CSAF VEX, CycloneDX VEX, and OpenVEX, each with its own encoding, tooling ecosystem, and design philosophy. [CSAF](/explanations/compliance/csaf-vex-explained), developed by OASIS, is the most comprehensive and From 40836be8543c8bfdb955501a29cf173ffe1f5339 Mon Sep 17 00:00:00 2001 From: Hubtrick-Git Date: Tue, 23 Jun 2026 12:33:08 +0200 Subject: [PATCH 5/6] implemented seo optimzations --- package-lock.json | 108 ------------------ .../vulnerability-management/what-is-vex.mdx | 6 +- 2 files changed, 3 insertions(+), 111 deletions(-) diff --git a/package-lock.json b/package-lock.json index 3cdc6ee..92ae215 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1876,9 +1876,6 @@ "cpu": [ "arm" ], - "libc": [ - "glibc" - ], "license": "LGPL-3.0-or-later", "optional": true, "os": [ @@ -1895,9 +1892,6 @@ "cpu": [ "arm64" ], - "libc": [ - "glibc" - ], "license": "LGPL-3.0-or-later", "optional": true, "os": [ @@ -1914,9 +1908,6 @@ "cpu": [ "ppc64" ], - "libc": [ - "glibc" - ], "license": "LGPL-3.0-or-later", "optional": true, "os": [ 
@@ -1933,9 +1924,6 @@ "cpu": [ "riscv64" ], - "libc": [ - "glibc" - ], "license": "LGPL-3.0-or-later", "optional": true, "os": [ @@ -1952,9 +1940,6 @@ "cpu": [ "s390x" ], - "libc": [ - "glibc" - ], "license": "LGPL-3.0-or-later", "optional": true, "os": [ @@ -1971,9 +1956,6 @@ "cpu": [ "x64" ], - "libc": [ - "glibc" - ], "license": "LGPL-3.0-or-later", "optional": true, "os": [ @@ -1990,9 +1972,6 @@ "cpu": [ "arm64" ], - "libc": [ - "musl" - ], "license": "LGPL-3.0-or-later", "optional": true, "os": [ @@ -2009,9 +1988,6 @@ "cpu": [ "x64" ], - "libc": [ - "musl" - ], "license": "LGPL-3.0-or-later", "optional": true, "os": [ @@ -2028,9 +2004,6 @@ "cpu": [ "arm" ], - "libc": [ - "glibc" - ], "license": "Apache-2.0", "optional": true, "os": [ @@ -2053,9 +2026,6 @@ "cpu": [ "arm64" ], - "libc": [ - "glibc" - ], "license": "Apache-2.0", "optional": true, "os": [ @@ -2078,9 +2048,6 @@ "cpu": [ "ppc64" ], - "libc": [ - "glibc" - ], "license": "Apache-2.0", "optional": true, "os": [ @@ -2103,9 +2070,6 @@ "cpu": [ "riscv64" ], - "libc": [ - "glibc" - ], "license": "Apache-2.0", "optional": true, "os": [ @@ -2128,9 +2092,6 @@ "cpu": [ "s390x" ], - "libc": [ - "glibc" - ], "license": "Apache-2.0", "optional": true, "os": [ @@ -2153,9 +2114,6 @@ "cpu": [ "x64" ], - "libc": [ - "glibc" - ], "license": "Apache-2.0", "optional": true, "os": [ @@ -2178,9 +2136,6 @@ "cpu": [ "arm64" ], - "libc": [ - "musl" - ], "license": "Apache-2.0", "optional": true, "os": [ @@ -2203,9 +2158,6 @@ "cpu": [ "x64" ], - "libc": [ - "musl" - ], "license": "Apache-2.0", "optional": true, "os": [ @@ -3288,9 +3240,6 @@ "cpu": [ "arm64" ], - "libc": [ - "glibc" - ], "license": "MIT", "optional": true, "os": [ @@ -3307,9 +3256,6 @@ "cpu": [ "arm64" ], - "libc": [ - "musl" - ], "license": "MIT", "optional": true, "os": [ @@ -3326,9 +3272,6 @@ "cpu": [ "x64" ], - "libc": [ - "glibc" - ], "license": "MIT", "optional": true, "os": [ 
@@ -3345,9 +3288,6 @@ "cpu": [ "x64" ], - "libc": [ - "musl" - ], "license": "MIT", "optional": true, "os": [ @@ -6348,9 +6288,6 @@ "arm64" ], "dev": true, - "libc": [ - "glibc" - ], "license": "MIT", "optional": true, "os": [ @@ -6368,9 +6305,6 @@ "arm64" ], "dev": true, - "libc": [ - "musl" - ], "license": "MIT", "optional": true, "os": [ @@ -6388,9 +6322,6 @@ "x64" ], "dev": true, - "libc": [ - "glibc" - ], "license": "MIT", "optional": true, "os": [ @@ -6408,9 +6339,6 @@ "x64" ], "dev": true, - "libc": [ - "musl" - ], "license": "MIT", "optional": true, "os": [ @@ -7495,9 +7423,6 @@ "arm64" ], "dev": true, - "libc": [ - "glibc" - ], "license": "MIT", "optional": true, "os": [ @@ -7512,9 +7437,6 @@ "arm64" ], "dev": true, - "libc": [ - "musl" - ], "license": "MIT", "optional": true, "os": [ @@ -7529,9 +7451,6 @@ "ppc64" ], "dev": true, - "libc": [ - "glibc" - ], "license": "MIT", "optional": true, "os": [ @@ -7546,9 +7465,6 @@ "riscv64" ], "dev": true, - "libc": [ - "glibc" - ], "license": "MIT", "optional": true, "os": [ @@ -7563,9 +7479,6 @@ "riscv64" ], "dev": true, - "libc": [ - "musl" - ], "license": "MIT", "optional": true, "os": [ @@ -7580,9 +7493,6 @@ "s390x" ], "dev": true, - "libc": [ - "glibc" - ], "license": "MIT", "optional": true, "os": [ @@ -7597,9 +7507,6 @@ "x64" ], "dev": true, - "libc": [ - "glibc" - ], "license": "MIT", "optional": true, "os": [ @@ -7614,9 +7521,6 @@ "x64" ], "dev": true, - "libc": [ - "musl" - ], "license": "MIT", "optional": true, "os": [ @@ -13679,9 +13583,6 @@ "arm64" ], "dev": true, - "libc": [ - "glibc" - ], "license": "MPL-2.0", "optional": true, "os": [ @@ -13703,9 +13604,6 @@ "arm64" ], "dev": true, - "libc": [ - "musl" - ], "license": "MPL-2.0", "optional": true, "os": [ @@ -13727,9 +13625,6 @@ "x64" ], "dev": true, - "libc": [ - "glibc" - ], "license": "MPL-2.0", "optional": true, "os": [ @@ -13751,9 +13646,6 @@ "x64" ], "dev": true, - "libc": [ - "musl" - ], "license": "MPL-2.0", "optional": true, "os": [ 
diff --git a/src/pages/explanations/vulnerability-management/what-is-vex.mdx b/src/pages/explanations/vulnerability-management/what-is-vex.mdx index aa4d87e..34d838f 100644 --- a/src/pages/explanations/vulnerability-management/what-is-vex.mdx +++ b/src/pages/explanations/vulnerability-management/what-is-vex.mdx @@ -1,5 +1,5 @@ --- -title: What is VEX +title: What is a VEX Report description: "Understand the VEX standard for vulnerabilities — the problem it solves, its status values and justifications, and the CSAF, CycloneDX, and OpenVEX formats." seo: robots: index,follow @@ -8,12 +8,12 @@ seo: type: article schema: type: TechArticle - keyword_primary: vulnerabilities vex + keyword_primary: what is a vex report lang: en-US ignoreChecks: null --- -# What is VEX +# What is a VEX Report **VEX (Vulnerability Exploitability eXchange)** is a standard for communicating whether a known vulnerability actually affects a specific product. This page explains the problem it solves, the design of From 8aa11ae94e8aea57ffbb9f927d4f2049643e2e8e Mon Sep 17 00:00:00 2001 From: Tim Bastin Date: Wed, 24 Jun 2026 15:24:26 +0200 Subject: [PATCH 6/6] reverts package-lock.json change --- package-lock.json | 368 ++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 357 insertions(+), 11 deletions(-) diff --git a/package-lock.json b/package-lock.json index 92ae215..5e96ccd 100644 --- a/package-lock.json +++ b/package-lock.json @@ -11,6 +11,7 @@ "dependencies": { "@document-writing-tools/kernux-theme": "2.1.0-rc.2", "@ltonetwork/http-message-signatures": "^0.1.12", + "@radix-ui/react-collapsible": "1.1.13", "@radix-ui/react-dialog": "^1.1.15", "@radix-ui/react-separator": "^1.1.8", "@radix-ui/react-slot": "^1.2.4", @@ -32,6 +33,7 @@ "next": "^16.2.6", "next-sitemap": "^4.2.3", "ogl": "^1.0.11", + "openapi-types": "12.1.3", "radix-ui": "^1.4.3", "react": "^19.2.6", "react-dom": "^19.2.6", 
@@ -1876,6 +1878,9 @@ "cpu": [ "arm" ], + "libc": [ + "glibc" + ], "license": "LGPL-3.0-or-later", "optional": true, "os": [ @@ -1892,6 +1897,9 @@ "cpu": [ "arm64" ], + "libc": [ + "glibc" + ], "license": "LGPL-3.0-or-later", "optional": true, "os": [ @@ -1908,6 +1916,9 @@ "cpu": [ "ppc64" ], + "libc": [ + "glibc" + ], "license": "LGPL-3.0-or-later", "optional": true, "os": [ @@ -1924,6 +1935,9 @@ "cpu": [ "riscv64" ], + "libc": [ + "glibc" + ], "license": "LGPL-3.0-or-later", "optional": true, "os": [ @@ -1940,6 +1954,9 @@ "cpu": [ "s390x" ], + "libc": [ + "glibc" + ], "license": "LGPL-3.0-or-later", "optional": true, "os": [ @@ -1956,6 +1973,9 @@ "cpu": [ "x64" ], + "libc": [ + "glibc" + ], "license": "LGPL-3.0-or-later", "optional": true, "os": [ @@ -1972,6 +1992,9 @@ "cpu": [ "arm64" ], + "libc": [ + "musl" + ], "license": "LGPL-3.0-or-later", "optional": true, "os": [ @@ -1988,6 +2011,9 @@ "cpu": [ "x64" ], + "libc": [ + "musl" + ], "license": "LGPL-3.0-or-later", "optional": true, "os": [ @@ -2004,6 +2030,9 @@ "cpu": [ "arm" ], + "libc": [ + "glibc" + ], "license": "Apache-2.0", "optional": true, "os": [ @@ -2026,6 +2055,9 @@ "cpu": [ "arm64" ], + "libc": [ + "glibc" + ], "license": "Apache-2.0", "optional": true, "os": [ @@ -2048,6 +2080,9 @@ "cpu": [ "ppc64" ], + "libc": [ + "glibc" + ], "license": "Apache-2.0", "optional": true, "os": [ @@ -2070,6 +2105,9 @@ "cpu": [ "riscv64" ], + "libc": [ + "glibc" + ], "license": "Apache-2.0", "optional": true, "os": [ @@ -2092,6 +2130,9 @@ "cpu": [ "s390x" ], + "libc": [ + "glibc" + ], "license": "Apache-2.0", "optional": true, "os": [ @@ -2114,6 +2155,9 @@ "cpu": [ "x64" ], + "libc": [ + "glibc" + ], "license": "Apache-2.0", "optional": true, "os": [ @@ -2136,6 +2180,9 @@ "cpu": [ "arm64" ], + "libc": [ + "musl" + ], "license": "Apache-2.0", "optional": true, "os": [ @@ -2158,6 +2205,9 @@ "cpu": [ "x64" ], + "libc": [ + "musl" + ], "license": "Apache-2.0", "optional": true, "os": [ 
@@ -3240,6 +3290,9 @@ "cpu": [ "arm64" ], + "libc": [ + "glibc" + ], "license": "MIT", "optional": true, "os": [ @@ -3256,6 +3309,9 @@ "cpu": [ "arm64" ], + "libc": [ + "musl" + ], "license": "MIT", "optional": true, "os": [ @@ -3272,6 +3328,9 @@ "cpu": [ "x64" ], + "libc": [ + "glibc" + ], "license": "MIT", "optional": true, "os": [ @@ -3288,6 +3347,9 @@ "cpu": [ "x64" ], + "libc": [ + "musl" + ], "license": "MIT", "optional": true, "os": [ @@ -3526,6 +3588,36 @@ } } }, + "node_modules/@radix-ui/react-accordion/node_modules/@radix-ui/react-collapsible": { + "version": "1.1.12", + "resolved": "https://registry.npmjs.org/@radix-ui/react-collapsible/-/react-collapsible-1.1.12.tgz", + "integrity": "sha512-Uu+mSh4agx2ib1uIGPP4/CKNULyajb3p92LsVXmH2EHVMTfZWpll88XJ0j4W0z3f8NK1eYl1+Mf/szHPmcHzyA==", + "license": "MIT", + "dependencies": { + "@radix-ui/primitive": "1.1.3", + "@radix-ui/react-compose-refs": "1.1.2", + "@radix-ui/react-context": "1.1.2", + "@radix-ui/react-id": "1.1.1", + "@radix-ui/react-presence": "1.1.5", + "@radix-ui/react-primitive": "2.1.3", + "@radix-ui/react-use-controllable-state": "1.2.2", + "@radix-ui/react-use-layout-effect": "1.1.1" + }, + "peerDependencies": { + "@types/react": "*", + "@types/react-dom": "*", + "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc", + "react-dom": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + }, + "@types/react-dom": { + "optional": true + } + } + }, "node_modules/@radix-ui/react-alert-dialog": { "version": "1.1.15", "resolved": "https://registry.npmjs.org/@radix-ui/react-alert-dialog/-/react-alert-dialog-1.1.15.tgz", 
@@ -3676,19 +3768,96 @@ } }, "node_modules/@radix-ui/react-collapsible": { - "version": "1.1.12", - "resolved": "https://registry.npmjs.org/@radix-ui/react-collapsible/-/react-collapsible-1.1.12.tgz", - "integrity": "sha512-Uu+mSh4agx2ib1uIGPP4/CKNULyajb3p92LsVXmH2EHVMTfZWpll88XJ0j4W0z3f8NK1eYl1+Mf/szHPmcHzyA==", + "version": "1.1.13", + "resolved": "https://registry.npmjs.org/@radix-ui/react-collapsible/-/react-collapsible-1.1.13.tgz", + "integrity": "sha512-F0s8+p2XNpfc3k02zBfB0jPWbkHVG162+p7BdUMyJ2308QMqZ+oaclX+FAzKFovgL5OqRU+Rvy6f/vbdlJVaqA==", "license": "MIT", "dependencies": { - "@radix-ui/primitive": "1.1.3", - "@radix-ui/react-compose-refs": "1.1.2", - "@radix-ui/react-context": "1.1.2", - "@radix-ui/react-id": "1.1.1", - "@radix-ui/react-presence": "1.1.5", - "@radix-ui/react-primitive": "2.1.3", - "@radix-ui/react-use-controllable-state": "1.2.2", - "@radix-ui/react-use-layout-effect": "1.1.1" + "@radix-ui/primitive": "1.1.4", + "@radix-ui/react-compose-refs": "1.1.3", + "@radix-ui/react-context": "1.1.4", + "@radix-ui/react-id": "1.1.2", + "@radix-ui/react-presence": "1.1.6", + "@radix-ui/react-primitive": "2.1.5", + "@radix-ui/react-use-controllable-state": "1.2.3", + "@radix-ui/react-use-layout-effect": "1.1.2" + }, + "peerDependencies": { + "@types/react": "*", + "@types/react-dom": "*", + "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc", + "react-dom": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + }, + "@types/react-dom": { + "optional": true + } + } + }, + "node_modules/@radix-ui/react-collapsible/node_modules/@radix-ui/primitive": { + "version": "1.1.4", + "resolved": "https://registry.npmjs.org/@radix-ui/primitive/-/primitive-1.1.4.tgz", + "integrity": "sha512-7AdCK9PQyiljKoBDbN8OuctCbd/esdwZPQ8RtOE3SsyQtUpiPb+ND75q0jEhC1m1ecBI0MFNeLJvwIh9iKHRcQ==", + "license": "MIT" + }, + "node_modules/@radix-ui/react-collapsible/node_modules/@radix-ui/react-compose-refs": { 
+ "version": "1.1.3", + "resolved": "https://registry.npmjs.org/@radix-ui/react-compose-refs/-/react-compose-refs-1.1.3.tgz", + "integrity": "sha512-rYOP8OMnuuPMQF1uhPVlGNcCDlkokKqGFE3JcxFViIkAXP7EvFWUliJAstrapypaBLJNHbZL6jGhbVDGTwmVhA==", + "license": "MIT", + "peerDependencies": { + "@types/react": "*", + "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + } + } + }, + "node_modules/@radix-ui/react-collapsible/node_modules/@radix-ui/react-context": { + "version": "1.1.4", + "resolved": "https://registry.npmjs.org/@radix-ui/react-context/-/react-context-1.1.4.tgz", + "integrity": "sha512-QwH4PO5urrbO+FaGd5Aglg+YJgWTyyuZ3g/6mKvsqraLkglDdckw9JafgL5McL5VEJ6EPNduPaT3ZE9BttDAqg==", + "license": "MIT", + "peerDependencies": { + "@types/react": "*", + "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + } + } + }, + "node_modules/@radix-ui/react-collapsible/node_modules/@radix-ui/react-id": { + "version": "1.1.2", + "resolved": "https://registry.npmjs.org/@radix-ui/react-id/-/react-id-1.1.2.tgz", + "integrity": "sha512-orBC88futVpqCmhX1p4cvquNHsELQ+w+vBJnuj3ftETI5bJb0bZn3Tqu3SWN2IOcPycTnMGnhwoermvISt72sA==", + "license": "MIT", + "dependencies": { + "@radix-ui/react-use-layout-effect": "1.1.2" + }, + "peerDependencies": { + "@types/react": "*", + "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + } + } + }, + "node_modules/@radix-ui/react-collapsible/node_modules/@radix-ui/react-presence": { + "version": "1.1.6", + "resolved": "https://registry.npmjs.org/@radix-ui/react-presence/-/react-presence-1.1.6.tgz", + "integrity": "sha512-zdTk4PlUO0E18HnZ3wYbW0KkJJxWCdiNYp6g6X1PtONFhxVkg01vliTJAmwIszU6mHiyBOoW9P0rAugl5/hULQ==", + "license": "MIT", + "dependencies": { + "@radix-ui/react-use-layout-effect": "1.1.2" }, "peerDependencies": { 
"@types/react": "*", 
@@ -3705,6 +3874,99 @@ } } }, + "node_modules/@radix-ui/react-collapsible/node_modules/@radix-ui/react-primitive": { + "version": "2.1.5", + "resolved": "https://registry.npmjs.org/@radix-ui/react-primitive/-/react-primitive-2.1.5.tgz", + "integrity": "sha512-zifXeB8Y88qCYx8PLZ5oQb32KwZub+s925mMoZsBBq9KUQqWKkREubTfs6ASjRPPBe7Jt9O8OHH89+95VG+grA==", + "license": "MIT", + "dependencies": { + "@radix-ui/react-slot": "1.2.5" + }, + "peerDependencies": { + "@types/react": "*", + "@types/react-dom": "*", + "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc", + "react-dom": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + }, + "@types/react-dom": { + "optional": true + } + } + }, + "node_modules/@radix-ui/react-collapsible/node_modules/@radix-ui/react-slot": { + "version": "1.2.5", + "resolved": "https://registry.npmjs.org/@radix-ui/react-slot/-/react-slot-1.2.5.tgz", + "integrity": "sha512-rCMO3QsIVKv5JTY5CVbo2MvO77SpEqqYc8AvRE7OWqRDOIqAKjsp+DrmnY9uc8NPdxB5E2z47HTYGeE2+NTptg==", + "license": "MIT", + "dependencies": { + "@radix-ui/react-compose-refs": "1.1.3" + }, + "peerDependencies": { + "@types/react": "*", + "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + } + } + }, + "node_modules/@radix-ui/react-collapsible/node_modules/@radix-ui/react-use-controllable-state": { + "version": "1.2.3", + "resolved": "https://registry.npmjs.org/@radix-ui/react-use-controllable-state/-/react-use-controllable-state-1.2.3.tgz", + "integrity": "sha512-PLzC90MS+ReootmjC597dvopoelpZ8Q61HJkDXZSExitIq7PL55vHNnesAHwguHK0aPfBnpdNzQtv1uliaqQrA==", + "license": "MIT", + "dependencies": { + "@radix-ui/react-use-effect-event": "0.0.3", + "@radix-ui/react-use-layout-effect": "1.1.2" + }, + "peerDependencies": { + "@types/react": "*", + "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + 
"@types/react": { + "optional": true + } + } + }, + "node_modules/@radix-ui/react-collapsible/node_modules/@radix-ui/react-use-effect-event": { + "version": "0.0.3", + "resolved": "https://registry.npmjs.org/@radix-ui/react-use-effect-event/-/react-use-effect-event-0.0.3.tgz", + "integrity": "sha512-6c8ZqvPTWILEKnyVkP53EGRCcpnJiKTC21sS/6R1GF5xKyHJJWQEPfkqlcgUkdRQivd6tb23abUwe4ngWmY0JA==", + "license": "MIT", + "dependencies": { + "@radix-ui/react-use-layout-effect": "1.1.2" + }, + "peerDependencies": { + "@types/react": "*", + "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + } + } + }, + "node_modules/@radix-ui/react-collapsible/node_modules/@radix-ui/react-use-layout-effect": { + "version": "1.1.2", + "resolved": "https://registry.npmjs.org/@radix-ui/react-use-layout-effect/-/react-use-layout-effect-1.1.2.tgz", + "integrity": "sha512-jrBWOxZITuGcnjRCM2t2U5ZPkCLxD+Ym6DjfssS5haTj2iiak/DOb64JeN6OdLfLgptb6/e2kKR+ZuTrGoZTPA==", + "license": "MIT", + "peerDependencies": { + "@types/react": "*", + "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + } + } + }, "node_modules/@radix-ui/react-collection": { "version": "1.1.7", "resolved": "https://registry.npmjs.org/@radix-ui/react-collection/-/react-collection-1.1.7.tgz", @@ -6288,6 +6550,9 @@ "arm64" ], "dev": true, + "libc": [ + "glibc" + ], "license": "MIT", "optional": true, "os": [ @@ -6305,6 +6570,9 @@ "arm64" ], "dev": true, + "libc": [ + "musl" + ], "license": "MIT", "optional": true, "os": [ @@ -6322,6 +6590,9 @@ "x64" ], "dev": true, + "libc": [ + "glibc" + ], "license": "MIT", "optional": true, "os": [ @@ -6339,6 +6610,9 @@ "x64" ], "dev": true, + "libc": [ + "musl" + ], "license": "MIT", "optional": true, "os": [ @@ -7423,6 +7697,9 @@ "arm64" ], "dev": true, + "libc": [ + "glibc" + ], "license": "MIT", "optional": true, "os": [ 
@@ -7437,6 +7714,9 @@ "arm64" ], "dev": true, + "libc": [ + "musl" + ], "license": "MIT", "optional": true, "os": [ @@ -7451,6 +7731,9 @@ "ppc64" ], "dev": true, + "libc": [ + "glibc" + ], "license": "MIT", "optional": true, "os": [ @@ -7465,6 +7748,9 @@ "riscv64" ], "dev": true, + "libc": [ + "glibc" + ], "license": "MIT", "optional": true, "os": [ @@ -7479,6 +7765,9 @@ "riscv64" ], "dev": true, + "libc": [ + "musl" + ], "license": "MIT", "optional": true, "os": [ @@ -7493,6 +7782,9 @@ "s390x" ], "dev": true, + "libc": [ + "glibc" + ], "license": "MIT", "optional": true, "os": [ @@ -7507,6 +7799,9 @@ "x64" ], "dev": true, + "libc": [ + "glibc" + ], "license": "MIT", "optional": true, "os": [ @@ -7521,6 +7816,9 @@ "x64" ], "dev": true, + "libc": [ + "musl" + ], "license": "MIT", "optional": true, "os": [ @@ -13583,6 +13881,9 @@ "arm64" ], "dev": true, + "libc": [ + "glibc" + ], "license": "MPL-2.0", "optional": true, "os": [ @@ -13604,6 +13905,9 @@ "arm64" ], "dev": true, + "libc": [ + "musl" + ], "license": "MPL-2.0", "optional": true, "os": [ @@ -13625,6 +13929,9 @@ "x64" ], "dev": true, + "libc": [ + "glibc" + ], "license": "MPL-2.0", "optional": true, "os": [ @@ -13646,6 +13953,9 @@ "x64" ], "dev": true, + "libc": [ + "musl" + ], "license": "MPL-2.0", "optional": true, "os": [ @@ -15890,6 +16200,12 @@ "node": ">=12.20.0" } }, + "node_modules/openapi-types": { + "version": "12.1.3", + "resolved": "https://registry.npmjs.org/openapi-types/-/openapi-types-12.1.3.tgz", + "integrity": "sha512-N4YtSYJqghVu4iek2ZUvcN/0aqH1kRDuNqzcycDxhOUpg7GdvLa2F3DgS6yBNhInhv2r/6I0Flkn7CqL8+nIcw==", + "license": "MIT" + }, "node_modules/openid-client": { "version": "6.8.4", "resolved": "https://registry.npmjs.org/openid-client/-/openid-client-6.8.4.tgz", 
@@ -16614,6 +16930,36 @@ } } }, + "node_modules/radix-ui/node_modules/@radix-ui/react-collapsible": { + "version": "1.1.12", + "resolved": "https://registry.npmjs.org/@radix-ui/react-collapsible/-/react-collapsible-1.1.12.tgz", + "integrity": "sha512-Uu+mSh4agx2ib1uIGPP4/CKNULyajb3p92LsVXmH2EHVMTfZWpll88XJ0j4W0z3f8NK1eYl1+Mf/szHPmcHzyA==", + "license": "MIT", + "dependencies": { + "@radix-ui/primitive": "1.1.3", + "@radix-ui/react-compose-refs": "1.1.2", + "@radix-ui/react-context": "1.1.2", + "@radix-ui/react-id": "1.1.1", + "@radix-ui/react-presence": "1.1.5", + "@radix-ui/react-primitive": "2.1.3", + "@radix-ui/react-use-controllable-state": "1.2.2", + "@radix-ui/react-use-layout-effect": "1.1.1" + }, + "peerDependencies": { + "@types/react": "*", + "@types/react-dom": "*", + "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc", + "react-dom": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + }, + "@types/react-dom": { + "optional": true + } + } + }, "node_modules/radix-ui/node_modules/@radix-ui/react-label": { "version": "2.1.7", "resolved": "https://registry.npmjs.org/@radix-ui/react-label/-/react-label-2.1.7.tgz",