Vexcalibur Documentation¶
Vexcalibur is a general-purpose toolkit for producing and transforming Vulnerability Exploitability eXchange documents from SBOMs and vulnerability data sources.
The current implementation supports CycloneDX JSON and XML SBOM ingest, GitHub Dependency Graph SBOM input, OSV-compatible finding discovery, local no-network findings, CycloneDX 1.6 VEX JSON output, and a narrow vexy compatibility command. Public OSV access is fail-closed: commands must opt in with --allow-public-osv before package URLs, versions, or SBOM-derived inventories are sent to https://api.osv.dev.
Vexcalibur is usable for those workflows today, but public contracts remain unstable before 1.0. CLI flags, Python APIs, and output details can change until the project publishes a stable compatibility policy.
Start Here¶
Quickstart tutorial walks through generating a VEX document from the repository’s public fixture SBOM.
No-network local findings tutorial walks through generating VEX without contacting a public service.
Generate CycloneDX VEX covers task-oriented generation commands and source configuration.
Use a private OSV mirror shows how to keep private SBOM inventories away from public OSV.
Publish to PyPI is the release runbook for tag-derived package publishing.
CLI reference lists the current command surface.
CycloneDX VEX output reference describes generated document shape and determinism.
Provider contract reference documents the extension contract for vulnerability sources.
Python API reference is generated from source docstrings.
Local findings reference defines the offline findings JSON format.
Architecture explains the current trust boundary and processing flow.
Project status explains what is usable now and what is still unstable before 1.0.
CI and recurring checks describes scheduled security gates and live-service check handling.