Python API Reference¶
The Python API is usable by Vexcalibur’s CLI and tests, but public import paths and return shapes can still change before a stable 1.0 compatibility policy.
Domain Objects¶
Provider-neutral Vexcalibur domain objects.
- class vexcalibur.domain.VexAnalysisState(*values)¶
-
CycloneDX VEX analysis states supported by the domain model.
- class vexcalibur.domain.ComponentIdentity(ref, name, version, purl, type='library')¶
Bases:
objectMinimal component data needed by vulnerability sources and VEX output.
- class vexcalibur.domain.VulnerabilityFinding(id, source_name, source_url, component_ref, purl, modified=None, analysis_state=VexAnalysisState.IN_TRIAGE, analysis_detail='Detected by vulnerability source; manual exploitability analysis required.')¶
Bases:
objectProvider-neutral vulnerability finding for one affected component.
- exception vexcalibur.domain.VulnerabilitySourceError¶
Bases:
RuntimeErrorBase error raised by provider-neutral vulnerability sources.
- exception vexcalibur.domain.VulnerabilitySourceInputError¶
Bases:
VulnerabilitySourceError,ValueErrorRaised when source-specific findings cannot be produced from the input components.
- class vexcalibur.domain.VulnerabilitySource(*args, **kwargs)¶
Bases:
ProtocolProvider-neutral contract for vulnerability finding sources.
- findings_for_components(components)¶
Return VEX-ready vulnerability findings for SBOM components.
- Return type:
- Parameters:
components (tuple[ComponentIdentity, ...])
SBOM Ingest¶
Use load_cyclonedx_sbom for untrusted CycloneDX files. It applies
Vexcalibur’s size limits, XML parser hardening, component limits, and
duplicate-reference checks before returning component identities.
load_cyclonedx_json is the JSON-only compatibility helper.
component_identities_from_github_spdx_sbom extracts package identities from
the SPDX JSON shape returned by GitHub’s Dependency Graph SBOM API and lives in
vexcalibur.github_sbom.
Loader |
Accepted formats |
Encodings |
Limits and filtering |
|---|---|---|---|
|
CycloneDX JSON |
JSON must be UTF-8. XML may use parser-detected XML encodings such as UTF-8 or UTF-16. |
Files over 10 MiB, more than 10,000 components, nesting deeper than 50
component levels, malformed package URLs, and duplicate returned
|
|
CycloneDX JSON |
UTF-8 JSON. |
Applies the same file size, component count, nesting, package URL, and
duplicate returned |
|
GitHub Dependency Graph SBOM report containing SPDX |
Already-decoded Python mapping from a trusted JSON decoder. |
Applies the same component count, package URL, and duplicate returned reference checks. Packages without package URL references are ignored, and the repository package reference is not emitted as a component. |
These loaders return a tuple of ComponentIdentity values sorted by package
URL and component reference. XML input also rejects DTD, entity, and
external-reference declarations before component extraction.
CycloneDX SBOM ingestion.
- exception vexcalibur.sbom.SbomError¶
Raised when an SBOM cannot be parsed into supported component data.
- vexcalibur.sbom.load_cyclonedx_sbom(path)¶
Load supported component identities from a CycloneDX JSON or XML SBOM.
- Return type:
- Parameters:
path (Path)
GitHub SBOM Client¶
GithubSbomClient fetches a repository Dependency Graph SBOM from GitHub’s
REST API and returns the same ComponentIdentity values used by local SBOM
ingest. Public repositories can be fetched without a token, subject to GitHub
rate limits. Private repositories and higher rate limits require a token with
repository read access; the CLI can source this from common GitHub environment
variables or gh auth token.
GitHub Dependency Graph SBOM client.
- exception vexcalibur.github_sbom.GithubSbomError¶
Bases:
SbomErrorBase error raised for GitHub SBOM input failures.
- exception vexcalibur.github_sbom.GithubSbomConfigurationError¶
Bases:
GithubSbomErrorRaised when GitHub SBOM input configuration is invalid.
- exception vexcalibur.github_sbom.GithubSbomClientError¶
Bases:
GithubSbomErrorRaised when GitHub’s SBOM API cannot return usable data.
- class vexcalibur.github_sbom.GithubRepository(owner, repo)¶
Bases:
objectParsed GitHub repository owner and name.
- class vexcalibur.github_sbom.GithubSbomClient(*, api_url='https://api.github.com', token=None, timeout=30.0, report_poll_attempts=30, report_poll_interval=1.0, client=None)¶
Bases:
objectClient for GitHub’s Dependency Graph SBOM export endpoint.
- Parameters:
- vexcalibur.github_sbom.component_identities_from_github_spdx_sbom(raw_response, *, source)¶
Extract component identities from GitHub Dependency Graph SPDX JSON.
- Return type:
- Parameters:
- vexcalibur.github_sbom.parse_github_repository(value)¶
Parse OWNER/REPO repository text.
- Return type:
- Parameters:
value (str)
- vexcalibur.github_sbom.normalize_github_api_url(value)¶
Normalize and validate a GitHub API base URL.
- vexcalibur.github_sbom.resolve_github_token(*, api_url='https://api.github.com', token_env=None, allow_gh_cli=True, environ=None)¶
Resolve a GitHub token from explicit env, standard env, or gh auth token.
VEX Rendering¶
CycloneDX VEX document generation.
- exception vexcalibur.vex.VexRenderError¶
Raised when domain findings cannot be rendered as a valid VEX document.
- vexcalibur.vex.render_cyclonedx_vex_json(*, components, findings, timestamp=None)¶
Render deterministic CycloneDX VEX JSON for vulnerability findings.
- Return type:
- Parameters:
components (tuple[ComponentIdentity, ...])
findings (tuple[VulnerabilityFinding, ...])
timestamp (datetime | None)
Generation Workflow¶
SBOM-to-VEX generation workflow.
- vexcalibur.generate.generate_vex_from_source(*, input_file, source, timestamp=None)¶
Generate CycloneDX VEX JSON from a CycloneDX SBOM and source provider.
- Return type:
- Parameters:
input_file (Path)
source (VulnerabilitySource)
timestamp (datetime | None)
- vexcalibur.generate.generate_vex_from_components(*, components, source, timestamp)¶
Generate CycloneDX VEX JSON from component identities and a source provider.
- Return type:
- Parameters:
components (tuple[ComponentIdentity, ...])
source (VulnerabilitySource)
timestamp (datetime | None)
- vexcalibur.generate.generate_vex_from_sbom(*, input_file, timestamp=None, osv_client=None, osv_base_url='https://api.osv.dev', allow_public_osv=False)¶
Generate CycloneDX VEX JSON from a CycloneDX SBOM.
- vexcalibur.generate.generate_vex_from_github_sbom(*, repository, timestamp=None, github_client=None, osv_client=None, osv_base_url='https://api.osv.dev', allow_public_osv=False)¶
Generate CycloneDX VEX JSON from a GitHub Dependency Graph SBOM.
OSV Provider¶
The OSV client can contact the public OSV API by default. Library callers should prefer
OsvSource, osv_client_for_url, or ensure_osv_url_allowed so public OSV access
still requires an explicit opt-in before package URLs or SBOM-derived inventories leave
the local environment. generate_vex_from_source delegates policy to the supplied
source adapter; custom network sources must enforce their own trust boundary.
OSV API client.
- class vexcalibur.sources.osv.OsvVulnerabilitySummary(id, modified=None)¶
Bases:
objectMinimal OSV vulnerability data returned by query endpoints.
- class vexcalibur.sources.osv.OsvVulnerability(id, raw)¶
Bases:
objectFull OSV vulnerability payload.
The OSV schema evolves over time. Keep the raw payload available so callers can consume fields before Vexcalibur promotes them into typed attributes.
- class vexcalibur.sources.osv.OsvQueryResult(purl, vulnerabilities, version=None)¶
Bases:
objectOSV query result associated with the submitted package URL.
- Parameters:
purl (str)
vulnerabilities (tuple[OsvVulnerabilitySummary, ...])
version (str | None)
- class vexcalibur.sources.osv.OsvPackageQuery(purl, version=None)¶
Bases:
objectOSV package query with optional top-level version fallback.
- Parameters:
purl (PackageURL)
version (str | None)
- exception vexcalibur.sources.osv.OsvClientError¶
Bases:
VulnerabilitySourceErrorBase error raised for OSV client failures.
- exception vexcalibur.sources.osv.OsvResponseError¶
Bases:
OsvClientErrorRaised when OSV returns a response that does not match the expected API shape.
- exception vexcalibur.sources.osv.OsvConfigurationError¶
Bases:
OsvClientError,ValueErrorRaised when OSV source configuration is unsafe or invalid.
- class vexcalibur.sources.osv.OsvClient(*, base_url='https://api.osv.dev', timeout=30.0, max_pages=100, client=None)¶
Bases:
objectSmall client for OSV’s public API.
- query(purl, *, version=None)¶
Query OSV for one package URL.
- Return type:
- Parameters:
purl (PackageURL)
version (str | None)
- query_batch(purls)¶
Query OSV for package URLs using the batch endpoint.
- Return type:
- Parameters:
purls (list[PackageURL])
- query_batch_packages(queries)¶
Query OSV for packages using the batch endpoint.
- Return type:
- Parameters:
queries (list[OsvPackageQuery])
- class vexcalibur.sources.osv.OsvSource(client=None, osv_base_url='https://api.osv.dev', allow_public_osv=False)¶
Bases:
objectVulnerability source backed by an OSV-compatible API client.
- findings_for_components(components)¶
Return VEX-ready findings discovered from OSV query results.
- Return type:
- Parameters:
components (tuple[ComponentIdentity, ...])
- vexcalibur.sources.osv.osv_client_for_url(*, osv_base_url, allow_public_osv)¶
Build an OSV client, requiring explicit opt-in for public OSV.
- vexcalibur.sources.osv.ensure_osv_url_allowed(*, osv_base_url, allow_public_osv)¶
Reject public OSV URLs unless the caller explicitly opted in.
- vexcalibur.sources.osv.ensure_osv_client_allowed(*, osv_client, osv_base_url, allow_public_osv)¶
Reject injected public OSV clients unless the caller explicitly opted in.
- vexcalibur.sources.osv.normalize_osv_base_url(osv_base_url)¶
Normalize OSV base URL whitespace and trailing slashes.
- vexcalibur.sources.osv.validate_osv_base_url(osv_base_url)¶
Require OSV URLs to be HTTPS, except HTTP loopback for local test services.
- vexcalibur.sources.osv.findings_from_osv_results(*, components, results)¶
Map OSV query results onto affected SBOM component references.
- Return type:
- Parameters:
components (tuple[ComponentIdentity, ...])
results (list[OsvQueryResult])
- vexcalibur.sources.osv.osv_queries_for_components(components)¶
Build precise OSV package queries for SBOM components.
- Return type:
- Parameters:
components (tuple[ComponentIdentity, ...])
Local Findings Provider¶
Local finding source for offline VEX generation.
- exception vexcalibur.sources.local.LocalFindingsError¶
Bases:
VulnerabilitySourceError,ValueErrorRaised when a local findings document cannot be converted into VEX findings.
- class vexcalibur.sources.local.LocalFindingsSource(path)¶
Bases:
objectVulnerability source backed by a local findings JSON document.
- Parameters:
path (Path)
- findings_for_components(components)¶
Return VEX-ready findings loaded from the local findings document.
- Return type:
- Parameters:
components (tuple[ComponentIdentity, ...])
- vexcalibur.sources.local.load_local_findings(path, *, components)¶
Load provider-neutral vulnerability findings from a local JSON document.
- Return type:
- Parameters:
path (Path)
components (tuple[ComponentIdentity, ...])