Show HN: Free API of 248M aggregated VEX statements: 45% of CVEs not affected

simoneree1 pts0 comments

reel-vex: the open-source VEX hub | reel<br>Free & Open Source<br>vex-hub<br>See which vulnerabilities actually matter

Vendors

CVEs

Statements

Product mappings

Aggregating vendor VEX from<br>OracleAmazon

Search by CVE<br>Enter a CVE ID to see every vendor statement for it.

Upload SBOM and / or VEX

Drop an SBOM, a VEX document, or both. Either one works on its own.<br>Drop CycloneDX SBOM<br>.json with vulnerabilities and components

Drop VEX<br>OpenVEX 0.2.0 or CycloneDX VEX

Analyzedrop at least one file<br>Or via APIcopy<br>jq '{sbom: .}' sbom.json | \<br>curl -X POST https://vex.getreel.dev/v1/analyze \<br>-H "Content-Type: application/json" \<br>-d @-

Example<br>sample-sbom.json<br>CycloneDX: log4j + Ubuntu 24.04 base · 9 CVEs, critical to medium, mixed verdicts

sample-user-vex.json<br>OpenVEX: user mitigations for log4j and libxml2

Or generate an SBOM: reel export sbom --scanners vuln --image > sbom.json<br>What you put in shapes what you get out:<br>You provideYou get backCycloneDX SBOM with vulnerabilities[]CycloneDX SBOM, annotated with the vendor verdict on each listed vulnerability.CycloneDX SBOM components onlyCycloneDX SBOM, with vulnerabilities filled in from vendor data, then annotated.VEX only (OpenVEX or CycloneDX)OpenVEX document, your statements merged, with the vendor's view alongside.SBOM + VEXCycloneDX SBOM, annotated, with your VEX overriding the vendor verdict on collision.

What is VEX?<br>A scanner hands you a long list of CVEs. Vendors publish a verdict on each one, saying whether it really affects their product. VEX carries that verdict, so you can clear the ones that do not apply.

Not Affected<br>The vendor confirms the CVE does not reach their product. You can suppress it.

Fixed<br>A patched version is out. Update to clear it.

Under Investigation<br>The vendor is still assessing impact. Keep an eye on it.

Affected<br>The vendor confirms the product is exploitable. Plan a fix.

Where the statements come from<br>vex-hub pulls verdicts from the vendors below. Here is what it covers today.

VendorCoverageFeedRed HatRHEL plus EUS, AUS, and E4S extended-support streamsCSAF · OVALSUSESUSE Linux Enterprise and openSUSECSAFUbuntu20.04, 22.04, 24.04 LTS plus Ubuntu Pro ESM tracksOpenVEX · OVALDebian11 (bullseye), 12 (bookworm), 13 (trixie)OVALRancher (SUSE)SUSE cloud-native product images, scoped per productOpenVEXAlpineAlpine Linux 3.19 through 3.23 (main and community)secdbAmazon LinuxAmazon Linux 2 and 2023ALASAlmaLinuxAlmaLinux 8, 9, and 10OVALOracle LinuxOracle Linux 8, 9, and 10OVAL

/v1/statements takes more filters: vendors, statuses, source formats, since, and more. The full API reference, response shape, and recipes live in docs/api.md.

Open Source<br>The VEX resolution service is free and open source under Apache 2.0.<br>View on GitHub

sbom vendor cyclonedx json statements source

Related Articles