Vulnerability-Exploitability eXchange (VEX) reports are designed to accompany SBOMs to provide an additional level of detail regarding whether or not identified vulnerabilities impact your products.

Use SOOS to export your own VEX documents in the following formats:

  • Common Security Advisory Framework (CSAF) VEX format as a JSON file
  • Included in CycloneDX SBOMs as either JSON or XML files
    • Refer to our article on Generating an SBOM to access VEX documentation vial CycloneDX SBOM.
To generate a CSAF VEX document:
  1. From the SOOS dashboard, select the project for which you are interested in generating the VEX report.
  2. Once on the Project Details page, click the View Project Actions menu in the upper right corner, and select Export SCA SBOM.
  3. In the Scan Export page select CSAF VEX  as the desired Scan Export Format. The JSON File Type will be auto populated.
  4. Select Export to create your report


VEX reports for past scans may be generated at any time by accessing the Export icon on any scan listed in the History tab within the Project Detail page and following the steps outlined above.