Generate VEX (Vulnerability Exploitability Exchange) CycloneDX documents
Project description
Vexy - Generate VEX in CycloneDX
This project provides a runnable Python-based application for generating VEX (Vulnerability Exploitability Exchange) in CycloneDX format.
This tool is intended to be supplied a CycloneDX SBOM file and will produce a separate VEX which contains known vulnerabilities from a selection of publicly available data sources.
CycloneDX is a lightweight BOM specification that is easily created, human-readable, and simple to parse.
Read the full documentation for more details.
Why?
A SBOM (Software Bill of Materials) is great for cataloging / knowing what components compose a software product.
The same SBOM (in CycloneDX format) can also note known vulnerabilities. What is known is for a given point in time - and will change as new vulnerabilities are discovered or disclosed.
CycloneDX allows for separate BOM documents to reference each other through their BOM Link capability.
Wouldn't it be great if you could periodically generate a VEX based from your SBOM to keep things up to date, without having to generate a fresh SBOM entirely?
That is where vexy comes in.
Installation
Install this from PyPi.org using your preferred Python package manager.
Example using pip:
pip install vexy
Example using poetry:
poetry add vexy
Usage
Basic usage
$ vexy --help
usage: vexy [-h] -i FILE_PATH [--format {xml,json}] [--schema-version {1.4}] [-o FILE_PATH] [--force] [-X]
Vexy VEX Generator
options:
-h, --help show this help message and exit
-X Enable debug output
Input CycloneDX BOM:
Where Vexy shall obtain it's input
-i FILE_PATH, --in-file FILE_PATH
CycloneDX BOM to read input from. Use "-" to read from STDIN.
VEX Output Configuration:
Choose the output format and schema version
--format {xml,json} The output format for your SBOM (default: xml)
--schema-version {1.4}
The CycloneDX schema version for your VEX (default: 1.4)
-o FILE_PATH, --o FILE_PATH, --output FILE_PATH
Output file path for your SBOM (set to '-' to output to STDOUT)
--force If outputting to a file and the stated file already exists, it will be overwritten.
Advanced usage and details
See the full documentation for advanced usage and details on input formats, switches and options.
Python Support
We endeavour to support all functionality for all current actively supported Python versions. However, some features may not be possible/present in older Python versions due to their lack of support.
Contributing
Feel free to open issues, bugreports or pull requests.
See the CONTRIBUTING file for details.
Copyright & License
Vexy is Copyright (c) Paul Horton. All Rights Reserved.
Permission to modify and redistribute is granted under the terms of the Apache 2.0 license.
See the LICENSE file for the full license.
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
