Generate OpenVEX¶
Use vexcalibur generate --format openvex to write OpenVEX 0.2.0 JSON. CycloneDX remains the default when --format is absent.
OpenVEX requires a document author and at least one statement. Some statuses also require explicit evidence fields.
Prerequisites¶
Before you begin:
Install Git, Python 3.10 or newer, and the
uvversion in.tool-versions.Clone this repository at version 0.2.0 or later.
Open a Bash-compatible shell in the repository root.
Confirm that
/tmpis writable, or replace the example output path.
The offline example needs no service credentials. Dependency installation may contact your configured Python package index.
Generate from local inputs¶
Install the locked dependencies from the repository root:
uv sync --frozen
The example below reads committed fixtures. It does not contact GitHub or an OSV service.
uv run --frozen vexcalibur generate \
tests/fixtures/sbom/cyclonedx-json-simple.json \
--offline \
--findings-file tests/fixtures/findings/all-analysis-states.json \
--format openvex \
--author "Example Security Team" \
--author-role "VEX document producer" \
--timestamp 2026-06-23T00:00:00Z \
--output /tmp/vexcalibur-openvex.json
The command should exit with status 0 and print nothing. It writes five statements to /tmp/vexcalibur-openvex.json.
Validate the result¶
Validate the output against the pinned official schema used by the test suite:
uv run --frozen python - <<'PY'
import json
from pathlib import Path
from jsonschema import Draft202012Validator, FormatChecker
document = json.loads(Path("/tmp/vexcalibur-openvex.json").read_text())
schema = json.loads(
Path("tests/fixtures/schemas/openvex-0.2.0.schema.json").read_text()
)
Draft202012Validator(schema, format_checker=FormatChecker()).validate(document)
assert document["@context"] == "https://openvex.dev/ns/v0.2.0"
assert document["author"] == "Example Security Team"
assert len(document["statements"]) == 5
print("validated OpenVEX 0.2.0")
PY
You should see validated OpenVEX 0.2.0.
Supply affected actions¶
Set action_statement when a local finding uses analysis_state: exploitable:
{
"id": "CVE-2026-0002",
"component_ref": "pkg:npm/minimist@0.0.8",
"analysis_state": "exploitable",
"analysis_detail": "The affected feature is reachable.",
"action_statement": "Upgrade minimist to version 1.2.8 or later."
}
Vexcalibur maps exploitable to OpenVEX affected. It refuses to use analysis_detail as the action because reachability analysis is not remediation guidance.
Supply status evidence¶
OpenVEX rendering applies these field rules:
Analysis state |
OpenVEX status |
Required field |
Rule |
|---|---|---|---|
|
|
|
Must equal the version in the emitted product package URL. |
|
|
|
Must describe remediation or mitigation. |
|
|
None |
Do not supply an OpenVEX-only evidence field. |
|
|
|
Must explain why the product is not affected. |
|
|
|
Must explain why the product is not affected. |
Each evidence field is valid only for the states shown in the table. Vexcalibur does not substitute analysis_detail for one of these fields.
For a resolved finding on pkg:pypi/django@1.2, use the exact product version:
{
"id": "CVE-2026-0001",
"component_ref": "component:django",
"analysis_state": "resolved",
"analysis_detail": "The installed release contains the fix.",
"fixed_version": "1.2"
}
For a non-affected finding, state the deployment-specific impact:
{
"id": "CVE-2026-0005",
"component_ref": "component:django",
"analysis_state": "not_affected",
"analysis_detail": "The affected configuration is disabled.",
"impact_statement": "The deployment does not enable the affected configuration."
}
Change the inventory or finding source¶
OpenVEX uses the same inventory and finding sources as CycloneDX output. Keep the format and author options, then choose one source mode:
Task |
Replace the local source options with |
|---|---|
Query a private OSV-compatible service |
|
Query public OSV with approved inventory |
|
Fetch a GitHub SBOM |
Replace the input path with |
OSV findings enter the domain as in_triage. They become OpenVEX under_investigation statements.
Warning:
--allow-public-osvsends package URLs and versions tohttps://api.osv.dev. The OpenVEX author options do not change this data-sharing boundary.
See the CycloneDX generation guide for private mirror and GitHub authentication examples. The source flags behave the same for both output formats.
Resolve common failures¶
--author is required with --format openvex means the command cannot identify who makes the statements. Pass an individual or organization that accepts responsibility for the document.
OpenVEX output requires at least one vulnerability finding means the selected source returned no findings. OpenVEX has no standalone empty-document form, so Vexcalibur does not invent a placeholder statement.
requires an action_statement means an exploitable local finding lacks remediation or mitigation text. Add that field or correct the analysis state.
requires an impact_statement means a false_positive or not_affected finding lacks an explicit impact. Add the field or correct the analysis state.
requires fixed_version means a resolved finding does not confirm the fixed product version. Set it to the exact version in the emitted product package URL.
fixed_version ... does not match product means the declared fixed version differs from the emitted product. Correct the inventory or the finding instead of weakening the assertion.
must include a version means the matched component has no version in its package URL or inventory field. Add a precise component version before making an OpenVEX assertion.
overlapping assertions means the input makes different claims about one vulnerability and product. Keep one assertion for that pair. Differences in source, state, detail, evidence, or modification time make assertions distinct.
Read the OpenVEX output reference before publishing or converting the result.