
Generate VEX (Vulnerability Exploitability Exchange) CycloneDX documents

Project description

Vexy - Generate VEX in CycloneDX



This project provides a runnable Python-based application for generating VEX (Vulnerability Exploitability Exchange) in CycloneDX format.

This tool takes a CycloneDX SBOM file as input and produces a separate VEX document that lists the known vulnerabilities affecting the SBOM's components, drawn from a selection of publicly available data sources.

CycloneDX is a lightweight BOM specification that is easily created, human-readable, and simple to parse.

Read the full documentation for more details.

Why?

An SBOM (Software Bill of Materials) is great for cataloguing, and therefore knowing, which components make up a software product.

The same SBOM (in CycloneDX format) can also record known vulnerabilities. What is "known" is only true for a given point in time, and will change as new vulnerabilities are discovered or disclosed.

CycloneDX allows for separate BOM documents to reference each other through their BOM Link capability.

Wouldn't it be great if you could periodically generate a VEX based on your SBOM to keep things up to date, without having to generate a fresh SBOM entirely?

That is where vexy comes in.
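The separation described above only works if the VEX can be tied back to the exact SBOM it was generated from. CycloneDX does this with BOM-Link references of the form `urn:cdx:<serialNumber>/<version>#<bom-ref>` in each vulnerability's `affects` entry. The following is an added example, not part of vexy or its documentation: it cross-checks a VEX against its SBOM, flagging references that point at a different SBOM, an older SBOM version (a VEX that has gone stale because the SBOM was regenerated), or a `bom-ref` that no longer exists, and separates the items that still need a human decision from those already analysed. The SBOM, the VEX, the package names and the `EXAMPLE-000x` identifiers are all constructed sample data; only the standard library is used.

```python
"""Cross-check a CycloneDX 1.4 VEX document against the SBOM it references.

Added example (not vexy's own code). Uses only the Python standard library.
"""
import json
import re
from collections import Counter

# BOM-Link syntax from the CycloneDX specification:
#   urn:cdx:<serialNumber uuid>/<bom version>#<bom-ref>
BOM_LINK_RE = re.compile(
    r"^urn:cdx:(?P<serial>[0-9a-fA-F-]{36})/(?P<version>\d+)#(?P<ref>.+)$"
)

# Constructed sample SBOM (fictitious application and libraries), version 2.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", "version": 2,
  "metadata": {"component": {"type": "application", "bom-ref": "app",
                             "name": "example-app", "version": "1.0.0"}},
  "components": [
    {"type": "library", "bom-ref": "pkg:pypi/example-lib@1.0.0",
     "name": "example-lib", "version": "1.0.0",
     "components": [
       {"type": "library", "bom-ref": "pkg:pypi/nested-lib@2.0.0",
        "name": "nested-lib", "version": "2.0.0"}]},
    {"type": "library", "bom-ref": "pkg:pypi/other-lib@3.1.0",
     "name": "other-lib", "version": "3.1.0"}
  ]
}
"""

# Constructed sample VEX. The vulnerability ids are placeholders, not real advisories.
# EXAMPLE-0003 still points at SBOM version 1, i.e. it was generated before the
# SBOM was regenerated and is stale.
VEX_JSON = """
{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "serialNumber": "urn:uuid:9b2e6d1f-0a54-4c3e-8f1a-2d7e5c4b3a10", "version": 1,
  "vulnerabilities": [
    {"id": "EXAMPLE-0001", "source": {"name": "constructed"},
     "ratings": [{"severity": "high"}],
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"},
     "affects": [{"ref": "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/2#pkg:pypi/example-lib@1.0.0"}]},
    {"id": "EXAMPLE-0002", "source": {"name": "constructed"},
     "ratings": [{"severity": "critical"}],
     "affects": [{"ref": "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/2#pkg:pypi/nested-lib@2.0.0"}]},
    {"id": "EXAMPLE-0003", "source": {"name": "constructed"},
     "ratings": [{"severity": "medium"}],
     "analysis": {"state": "exploitable"},
     "affects": [{"ref": "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#pkg:pypi/removed-lib@0.9.0"}]}
  ]
}
"""


def parse_bom_link(link):
    """Return (serial, version, bom_ref) for a BOM-Link, or None if it is not one."""
    m = BOM_LINK_RE.match(link)
    if not m:
        return None
    return m.group("serial").lower(), int(m.group("version")), m.group("ref")


def component_refs(sbom):
    """Collect every bom-ref in the SBOM, including nested components and the root."""
    refs = set()

    def walk(components):
        for comp in components:
            if "bom-ref" in comp:
                refs.add(comp["bom-ref"])
            walk(comp.get("components", []))

    root = sbom.get("metadata", {}).get("component")
    if root and "bom-ref" in root:
        refs.add(root["bom-ref"])
    walk(sbom.get("components", []))
    return refs


def check_vex_against_sbom(sbom, vex):
    """One finding per `affects` reference; `problem` is None when it resolves."""
    serial = sbom["serialNumber"]
    if serial.startswith("urn:uuid:"):
        serial = serial[len("urn:uuid:"):]
    serial, version, refs = serial.lower(), sbom.get("version", 1), component_refs(sbom)
    findings = []
    for vuln in vex.get("vulnerabilities", []):
        # A vulnerability without an analysis block has not been triaged yet.
        state = vuln.get("analysis", {}).get("state", "unanalysed")
        for target in vuln.get("affects", []):
            link = parse_bom_link(target["ref"])
            if link is None:
                problem = "not a BOM-Link"
            elif link[0] != serial:
                problem = "refers to a different SBOM"
            elif link[1] != version:
                problem = f"refers to SBOM version {link[1]}, current is {version}"
            elif link[2] not in refs:
                problem = "bom-ref not present in SBOM"
            else:
                problem = None
            findings.append({"id": vuln["id"], "ref": target["ref"],
                             "state": state, "problem": problem})
    return findings


def open_items(findings):
    """Resolvable references whose analysis is missing, in triage, or exploitable."""
    return sorted({f["id"] for f in findings if f["problem"] is None
                   and f["state"] in ("unanalysed", "in_triage", "exploitable")})


def stale_items(findings):
    """References that no longer resolve against the current SBOM."""
    return sorted({f["id"] for f in findings if f["problem"] is not None})


def state_counts(findings):
    return Counter(f["state"] for f in findings)


def run_check():
    return check_vex_against_sbom(json.loads(SBOM_JSON), json.loads(VEX_JSON))


if __name__ == "__main__":
    results = run_check()
    for f in results:
        print(f["id"], f["state"], f["problem"] or "ok")
    print("needs attention:", open_items(results))
    print("stale references:", stale_items(results))
```

A stale reference is the failure mode the "Why?" section is about: once the SBOM is regenerated its version (or serial number) changes, and any VEX still pointing at the old one should be regenerated rather than trusted.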

Installation

Install this from PyPI.org using your preferred Python package manager.

Example using pip:

pip install vexy

Example using poetry:

poetry add vexy

Usage

Basic usage

$ vexy --help

usage: vexy [-h] -i FILE_PATH [--format {xml,json}] [--schema-version {1.4}] [-o FILE_PATH] [--force] [-X]

Vexy VEX Generator

options:
  -h, --help            show this help message and exit
  -X                    Enable debug output

Input CycloneDX BOM:
  Where Vexy shall obtain it's input

  -i FILE_PATH, --in-file FILE_PATH
                        CycloneDX BOM to read input from. Use "-" to read from STDIN.

VEX Output Configuration:
  Choose the output format and schema version

  --format {xml,json}   The output format for your SBOM (default: xml)
  --schema-version {1.4}
                        The CycloneDX schema version for your VEX (default: 1.4)
  -o FILE_PATH, --o FILE_PATH, --output FILE_PATH
                        Output file path for your SBOM (set to '-' to output to STDOUT)
  --force               If outputting to a file and the stated file already exists, it will be overwritten.

Advanced usage and details

See the full documentation for advanced usage and details on input formats, switches and options.

Python Support

We endeavour to support all functionality on all currently supported Python versions. However, some features may be unavailable on older Python versions that lack the required support.

Contributing

Feel free to open issues, bug reports or pull requests.
See the CONTRIBUTING file for details.

Copyright & License

Vexy is Copyright (c) Paul Horton. All Rights Reserved.
Permission to modify and redistribute is granted under the terms of the Apache 2.0 license.
See the LICENSE file for the full license.


Download files

Source Distribution

vexy-0.3.1.tar.gz (16.5 kB)

Built Distribution

vexy-0.3.1-py3-none-any.whl (25.7 kB)

File details

Details for the file vexy-0.3.1.tar.gz.

File metadata

  • Download URL: vexy-0.3.1.tar.gz
  • Size: 16.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.8.0 pkginfo/1.9.6 readme-renderer/37.3 requests/2.28.2 requests-toolbelt/0.10.1 urllib3/1.26.14 tqdm/4.64.1 importlib-metadata/6.0.0 keyring/23.13.1 rfc3986/2.0.0 colorama/0.4.6 CPython/3.10.10

File hashes

Hashes for vexy-0.3.1.tar.gz

  • SHA256: f70b92772a08637295f0b4dd687f3e8c7cc9aaa4c5ac97a03da0c0db36840428
  • MD5: 73d20f5bf7d21ee601dc8bbc68185538
  • BLAKE2b-256: 3c6b0e37870dcb38f4d77a3a085a9c7c0a81f12776173312e7782319c8e8339e

File details

Details for the file vexy-0.3.1-py3-none-any.whl.

File metadata

  • Download URL: vexy-0.3.1-py3-none-any.whl
  • Size: 25.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.8.0 pkginfo/1.9.6 readme-renderer/37.3 requests/2.28.2 requests-toolbelt/0.10.1 urllib3/1.26.14 tqdm/4.64.1 importlib-metadata/6.0.0 keyring/23.13.1 rfc3986/2.0.0 colorama/0.4.6 CPython/3.10.10

File hashes

Hashes for vexy-0.3.1-py3-none-any.whl

  • SHA256: 741d41e541079ccbd9a9865b58817e4269b2053898a3d03f53e6c0ee39131320
  • MD5: d54500d11a673f917f3800e322680a18
  • BLAKE2b-256: eb8c64a722df33de4536a17aac51af21298f91e7dac2c484a50479ace1361de8