Generate and transform VEX documents from SBOMs and vulnerability data sources.
Project description
Vexcalibur
Vexcalibur turns software bills of materials and vulnerability findings into VEX documents. It reads CycloneDX SBOMs or a GitHub Dependency Graph SBOM. Findings come from an OSV-compatible service or a local file.
Version 0.3.0 writes CycloneDX 1.6, OpenVEX 0.2.0, and CSAF 2.0 JSON. CSAF
output uses the csaf_vex profile.
The project is usable, but still pre-1.0. Pin an exact release because command flags, Python APIs, and detailed output may change.
What works today
| Area | Support |
|---|---|
| SBOM input | CycloneDX JSON and XML 1.4–1.6; GitHub Dependency Graph SPDX 2.3 JSON |
| Finding sources | Public OSV with explicit consent; private OSV-compatible endpoints; local findings files |
| VEX output | CycloneDX 1.6 JSON; OpenVEX 0.2.0 JSON; CSAF 2.0 JSON with the csaf_vex profile |
| Automation | A companion GitHub Action |
| Migration | A narrow vexy command-line compatibility layer |
| Python | 3.10–3.14 |
Install a release
Create an environment and pin the package version:
python -m venv .venv
.venv/bin/python -m pip install "vexcalibur==0.3.0"
.venv/bin/vexcalibur --help
On Windows, use .venv\Scripts\python and .venv\Scripts\vexcalibur.
Try local generation
Clone the repository, then install its locked dependencies:
uv sync
Dependency installation may contact the configured package index. The generation command below uses only local inputs and does not contact a vulnerability service.
Generate a VEX document from the committed example files:
uv run --frozen vexcalibur generate \
tests/fixtures/sbom/cyclonedx-json-simple.json \
--offline \
--findings-file tests/fixtures/findings/all-analysis-states.json \
--timestamp 2026-06-23T00:00:00Z \
--output /tmp/vexcalibur-vex.json
Check the result:
python - <<'PY'
import json
from pathlib import Path
vex = json.loads(Path("/tmp/vexcalibur-vex.json").read_text())
assert vex["bomFormat"] == "CycloneDX"
assert vex["specVersion"] == "1.6"
assert len(vex["vulnerabilities"]) == 5
print("generated CycloneDX VEX")
PY
See the quickstart for the guided version of this example.
CycloneDX remains the default output. Add --format openvex and identify the
document author to create OpenVEX. Add --format csaf and the required
document and publisher metadata to create a CSAF 2.0 VEX document. Follow the OpenVEX
guide
or CSAF
guide
for a runnable example and the format's evidence rules.
Choose a finding source
Vexcalibur requires one finding source for each generation run.
| Inventory and trust boundary | Use |
|---|---|
| Findings already exist locally | Use --findings-file findings.json. Add --offline for a local SBOM. |
| Inventory may go to an internal service | --osv-url https://osv.internal.example |
| Inventory is approved for public OSV | --allow-public-osv |
Warning:
--allow-public-osvsends package URLs and versions tohttps://api.osv.dev. Do not use it with a private SBOM or sensitive package inventory unless that disclosure is approved.
The default public endpoint fails closed without that flag. Fetching an SBOM from GitHub is a separate network boundary and does not grant permission to send the resulting inventory to public OSV.
Documentation
- Start with the quickstart.
- Follow the CycloneDX, OpenVEX, or CSAF generation guide.
- Use the CLI reference for flags and failure behavior.
- Read the CycloneDX, OpenVEX, or CSAF output contract before consuming generated files.
- Read the architecture before adding a source or output format.
- Check project status for current limits.
The complete manual is at vexcalibur-dev.github.io/vexcalibur.
Contributing
Run the local quality gate:
make check
Documentation changes must also build without warnings:
uv sync --extra docs
make docs
See CONTRIBUTING.md, the security policy, and the Python style policy before opening a pull request.
Use the issue forms for questions, bugs, and feature requests. The organization support policy explains which public route to use, and the code of conduct applies to project spaces.
Vexcalibur is licensed under the Apache License 2.0.
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file vexcalibur-0.3.0.tar.gz.
File metadata
- Download URL: vexcalibur-0.3.0.tar.gz
- Upload date:
- Size: 795.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
c462f5bec006ab5fec231a2f5d3120e46cc7a70993c92af35e4299adc29655be
|
|
| MD5 |
a563a84039f93a821e4375b3cef6b5f0
|
|
| BLAKE2b-256 |
34617d98ca9649e9f38fcb953b9d10f65266cb267efee16d03ce404ea40ad4ae
|
Provenance
The following attestation bundles were made for vexcalibur-0.3.0.tar.gz:
Publisher:
pypi.yml on vexcalibur-dev/vexcalibur
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
vexcalibur-0.3.0.tar.gz -
Subject digest:
c462f5bec006ab5fec231a2f5d3120e46cc7a70993c92af35e4299adc29655be - Sigstore transparency entry: 2171672807
- Sigstore integration time:
-
Permalink:
vexcalibur-dev/vexcalibur@0a2988d183abcb70157445185e851045523e3315 -
Branch / Tag:
refs/tags/v0.3.0 - Owner: https://github.com/vexcalibur-dev
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
pypi.yml@0a2988d183abcb70157445185e851045523e3315 -
Trigger Event:
release
-
Statement type:
File details
Details for the file vexcalibur-0.3.0-py3-none-any.whl.
File metadata
- Download URL: vexcalibur-0.3.0-py3-none-any.whl
- Upload date:
- Size: 53.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
32ab3c8b40272cdbeca2bac221dfcf4019f036ee818a88a70b83e5487215aa92
|
|
| MD5 |
124f6134b509dd2c34ff5892278c423b
|
|
| BLAKE2b-256 |
2555a167054b252a2bcfd48376bbf536dc18312f0900bdf27e6c2319204dd1fc
|
Provenance
The following attestation bundles were made for vexcalibur-0.3.0-py3-none-any.whl:
Publisher:
pypi.yml on vexcalibur-dev/vexcalibur
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
vexcalibur-0.3.0-py3-none-any.whl -
Subject digest:
32ab3c8b40272cdbeca2bac221dfcf4019f036ee818a88a70b83e5487215aa92 - Sigstore transparency entry: 2171672821
- Sigstore integration time:
-
Permalink:
vexcalibur-dev/vexcalibur@0a2988d183abcb70157445185e851045523e3315 -
Branch / Tag:
refs/tags/v0.3.0 - Owner: https://github.com/vexcalibur-dev
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
pypi.yml@0a2988d183abcb70157445185e851045523e3315 -
Trigger Event:
release
-
Statement type: