Skip to main content

Generate and transform VEX documents from SBOMs and vulnerability data sources.

Project description

Vexcalibur

Vexcalibur wordmark and sword logo

CI CodeQL OpenSSF Scorecard Dependency Review

Vexcalibur turns software bills of materials and vulnerability findings into VEX documents. It reads CycloneDX SBOMs or a GitHub Dependency Graph SBOM. Findings come from an OSV-compatible service or a local file.

Published version 0.2.0 writes CycloneDX 1.6 and OpenVEX 0.2.0 JSON.

The project is usable, but still pre-1.0. Pin an exact release because command flags, Python APIs, and detailed output may change.

What works today

Area Support
SBOM input CycloneDX JSON and XML 1.4–1.6; GitHub Dependency Graph SPDX 2.3 JSON
Finding sources Public OSV with explicit consent; private OSV-compatible endpoints; local findings files
VEX output CycloneDX 1.6 JSON; OpenVEX 0.2.0 JSON
Automation A companion GitHub Action
Migration A narrow vexy command-line compatibility layer
Python 3.10–3.14

Install a release

Create an environment and pin the package version:

python -m venv .venv
.venv/bin/python -m pip install "vexcalibur==0.2.0"
.venv/bin/vexcalibur --help

On Windows, use .venv\Scripts\python and .venv\Scripts\vexcalibur.

Try local generation

Clone the repository, then install its locked dependencies:

uv sync

Dependency installation may contact the configured package index. The generation command below uses only local inputs and does not contact a vulnerability service.

Generate a VEX document from the committed example files:

uv run --frozen vexcalibur generate \
  tests/fixtures/sbom/cyclonedx-json-simple.json \
  --offline \
  --findings-file tests/fixtures/findings/all-analysis-states.json \
  --timestamp 2026-06-23T00:00:00Z \
  --output /tmp/vexcalibur-vex.json

Check the result:

python - <<'PY'
import json
from pathlib import Path

vex = json.loads(Path("/tmp/vexcalibur-vex.json").read_text())
assert vex["bomFormat"] == "CycloneDX"
assert vex["specVersion"] == "1.6"
assert len(vex["vulnerabilities"]) == 5
print("generated CycloneDX VEX")
PY

See the quickstart for the guided version of this example.

CycloneDX remains the default output. Add --format openvex and identify the document author to create OpenVEX. Follow the OpenVEX guide for a runnable example and its stricter finding rules.

Choose a finding source

Vexcalibur requires one finding source for each generation run.

Inventory and trust boundary Use
Findings already exist locally Use --findings-file findings.json. Add --offline for a local SBOM.
Inventory may go to an internal service --osv-url https://osv.internal.example
Inventory is approved for public OSV --allow-public-osv

Warning: --allow-public-osv sends package URLs and versions to https://api.osv.dev. Do not use it with a private SBOM or sensitive package inventory unless that disclosure is approved.

The default public endpoint fails closed without that flag. Fetching an SBOM from GitHub is a separate network boundary and does not grant permission to send the resulting inventory to public OSV.

Documentation

The complete manual is at vexcalibur-dev.github.io/vexcalibur.

Contributing

Run the local quality gate:

make check

Documentation changes must also build without warnings:

uv sync --extra docs
make docs

See CONTRIBUTING.md, the security policy, and the Python style policy before opening a pull request.

Use the issue forms for questions, bugs, and feature requests. The organization support policy explains which public route to use, and the code of conduct applies to project spaces.

Vexcalibur is licensed under the Apache License 2.0.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

vexcalibur-0.2.1.tar.gz (756.1 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

vexcalibur-0.2.1-py3-none-any.whl (47.1 kB view details)

Uploaded Python 3

File details

Details for the file vexcalibur-0.2.1.tar.gz.

File metadata

  • Download URL: vexcalibur-0.2.1.tar.gz
  • Upload date:
  • Size: 756.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for vexcalibur-0.2.1.tar.gz
Algorithm Hash digest
SHA256 2d24bea0fa4c604e5d13230cd3fb1d951c863c1dd469c1723b951dd2a309ea79
MD5 b080a11650065c9c98ee41c6509aee63
BLAKE2b-256 428175b4ea8adf5f8d81a31adaf8cbed0e1154c1117b167b3156125b02836adf

See more details on using hashes here.

Provenance

The following attestation bundles were made for vexcalibur-0.2.1.tar.gz:

Publisher: pypi.yml on vexcalibur-dev/vexcalibur

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file vexcalibur-0.2.1-py3-none-any.whl.

File metadata

  • Download URL: vexcalibur-0.2.1-py3-none-any.whl
  • Upload date:
  • Size: 47.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for vexcalibur-0.2.1-py3-none-any.whl
Algorithm Hash digest
SHA256 a58dbbb703bb0719f2da8335b914e4f0b9644eb518911b3ce27f4525a4833e1d
MD5 e6b4e97a8a7aa62ee886a5f53eb5747a
BLAKE2b-256 edd6708c9bba141c4727212aad93cb81378936a6ba595f212c17169cb8ffea4d

See more details on using hashes here.

Provenance

The following attestation bundles were made for vexcalibur-0.2.1-py3-none-any.whl:

Publisher: pypi.yml on vexcalibur-dev/vexcalibur

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page