reel-vex: the open-source VEX hub | reel<br>Free & Open Source<br>vex-hub<br>See which vulnerabilities actually matter
Vendors
CVEs
Statements
Product mappings
Aggregating vendor VEX from<br>OracleAmazon
Search by CVE<br>Enter a CVE ID to see every vendor statement for it.
Upload SBOM and / or VEX
Drop an SBOM, a VEX document, or both. Either one works on its own.<br>Drop CycloneDX SBOM<br>.json with vulnerabilities and components
Drop VEX<br>OpenVEX 0.2.0 or CycloneDX VEX
Analyzedrop at least one file<br>Or via APIcopy<br>jq '{sbom: .}' sbom.json | \<br>curl -X POST https://vex.getreel.dev/v1/analyze \<br>-H "Content-Type: application/json" \<br>-d @-
Example<br>sample-sbom.json<br>CycloneDX: log4j + Ubuntu 24.04 base · 9 CVEs, critical to medium, mixed verdicts
sample-user-vex.json<br>OpenVEX: user mitigations for log4j and libxml2
Or generate an SBOM: reel export sbom --scanners vuln --image > sbom.json<br>What you put in shapes what you get out:<br>You provideYou get backCycloneDX SBOM with vulnerabilities[]CycloneDX SBOM, annotated with the vendor verdict on each listed vulnerability.CycloneDX SBOM components onlyCycloneDX SBOM, with vulnerabilities filled in from vendor data, then annotated.VEX only (OpenVEX or CycloneDX)OpenVEX document, your statements merged, with the vendor's view alongside.SBOM + VEXCycloneDX SBOM, annotated, with your VEX overriding the vendor verdict on collision.
What is VEX?<br>A scanner hands you a long list of CVEs. Vendors publish a verdict on each one, saying whether it really affects their product. VEX carries that verdict, so you can clear the ones that do not apply.
Not Affected<br>The vendor confirms the CVE does not reach their product. You can suppress it.
Fixed<br>A patched version is out. Update to clear it.
Under Investigation<br>The vendor is still assessing impact. Keep an eye on it.
Affected<br>The vendor confirms the product is exploitable. Plan a fix.
Where the statements come from<br>vex-hub pulls verdicts from the vendors below. Here is what it covers today.
VendorCoverageFeedRed HatRHEL plus EUS, AUS, and E4S extended-support streamsCSAF · OVALSUSESUSE Linux Enterprise and openSUSECSAFUbuntu20.04, 22.04, 24.04 LTS plus Ubuntu Pro ESM tracksOpenVEX · OVALDebian11 (bullseye), 12 (bookworm), 13 (trixie)OVALRancher (SUSE)SUSE cloud-native product images, scoped per productOpenVEXAlpineAlpine Linux 3.19 through 3.23 (main and community)secdbAmazon LinuxAmazon Linux 2 and 2023ALASAlmaLinuxAlmaLinux 8, 9, and 10OVALOracle LinuxOracle Linux 8, 9, and 10OVAL
/v1/statements takes more filters: vendors, statuses, source formats, since, and more. The full API reference, response shape, and recipes live in docs/api.md.
Open Source<br>The VEX resolution service is free and open source under Apache 2.0.<br>View on GitHub