Project Status

Vexcalibur is usable for documented SBOM-to-VEX workflows, but it has not published a stable 1.0 compatibility policy. Treat command names, flags, Python imports, and detailed output shapes as changeable until a release notes page or compatibility policy says otherwise.

Usable Now

The current implementation supports:

  • CycloneDX JSON and XML SBOM ingest for CycloneDX 1.4, 1.5, and 1.6.

  • GitHub Dependency Graph SBOM input with --github-repo OWNER/REPO.

  • Public OSV queries when the caller explicitly opts in with --allow-public-osv.

  • Private OSV-compatible endpoints with --osv-url.

  • No-network local findings with --offline --findings-file.

  • CycloneDX 1.6 VEX JSON output.

  • Deterministic metadata and serial numbers when --timestamp and controlled finding inputs are used.

  • A narrow vexy compatibility executable for CycloneDX JSON VEX generation from supported SBOM inputs and explicit Vexcalibur source modes.

  • CI quality gates for tests, typing, linting, package build, installed CLI checks, documentation build, secret scanning, dependency audit, CodeQL, dependency review, and OpenSSF Scorecard.

Compatibility Limits

Before 1.0, these surfaces can still change:

  • CLI command names, flags, defaults, and exit behavior.

  • Python import paths, type shapes, and exception classes.

  • Generated VEX details beyond the documented CycloneDX 1.6 output contract.

  • Provider configuration and extension hooks.

  • GitHub SBOM token resolution and GitHub Enterprise configuration.

  • GitHub Action release tags and package compatibility tables.

Pin exact package and action versions once releases begin. Do not use mutable branches for production workflows.

Deferred Work

The vexy compatibility executable does not support legacy CycloneDX XML VEX output, CycloneDX 1.4 VEX output, or legacy OSS Index data-source behavior. Those paths are intentionally not part of the current compatibility subset.

Policy-driven VEX state selection for OSV-derived findings is also deferred. OSV-derived findings currently use in_triage with an analysis detail that requires manual exploitability analysis.