
VEX: Permanently Silence False Positives with Vulnerability EXchange

Alex Vanderpot

What is VEX?

As we highlighted in our post on False Positives in Vulnerability Scanning [1], the output of vulnerability assessment tools like npm audit is cumbersome to act on because it lacks context. VEX (Vulnerability EXchange) is a new standard developed by the NTIA for exchanging information about which vulnerabilities are actually exploitable in a product.

The Problem: False Positives

npm audit and tools like it are good at checking your dependencies against known vulnerabilities. However, they commonly raise alerts for vulnerabilities that are unreachable at runtime or otherwise irrelevant [2]. Combined with the fact that npm audit runs after every install by default, this can lead users to ignore the output entirely because the Signal to Noise Ratio is too low [3].

A Solution: VEX

The NTIA is developing a standard that defines the minimum information needed to exchange security advisories in a machine-readable format, called VEX [4]. Besides being a clever bit of wordplay, VEX documents let consumers improve the accuracy of their vulnerability assessment tools.

vex /veks/ • verb

make (someone) feel annoyed, frustrated, or worried, especially with trivial matters.

VEX documents contain a list of vulnerabilities and their status in a product. These statuses can be unknown, affected, or not affected.

For example, one VEX document might state that CVE-2021-44228 is exploitable in the application “DEF” and that the vendor will not release a fix. Another might state that Log4Shell is not exploitable in the application “ABC” because the vulnerable code is not present.

VEX documents have some other interesting properties: they can contain partial or full results from a vulnerability assessment; multiple sources may issue VEX documents; and VEX documents are usually associated with an SBOM, but can be distributed separately.

Use Cases

The NTIA standard focuses on how security teams of software suppliers can use VEX to communicate with their customers about known vulnerabilities. The NTIA’s Use Case document is not meant to be complete, and we believe there are some interesting unexplored areas.

Software Suppliers: Inform Customers

Software Suppliers can publish VEX documents with their SBOMs to communicate the results of security assessments of their products programmatically. Consumers can cross reference this document with their own assessment to remove false positives and confirm the presence of specific vulnerabilities.

Security Engineers/End Users: Reduce Alert Fatigue

If Security Engineers and End Users have access to VEX documents, they can use them to make more informed decisions about which software to patch. This reduces Alert Fatigue [5] caused by false positives and leads to more effective use of time.

Security Researchers/Products: Publish Assessments

VEX documents can be issued by any source. Security Researchers may start publishing VEX documents alongside their advisories. Further, VEX documents may be generated automatically by security analysis tools. For example, if a static analysis tool were run against a code base, it could automatically emit VEX documents stating that a vulnerability is not exploitable because the code path is not reachable.

So how do I get started?

VEX is still in the early stages of development. There are currently two implementations of the standard: CycloneDX v1.4 has added a VulnerabilityAnalysis field [6], and CSAF supports VEX content as an additional “profile” [7].
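The cross-referencing described above (consumers matching scanner findings against a supplier's VEX statements to drop false positives), shown against the CycloneDX v1.4 format just mentioned. This is an added example, not LunaTrace code; the VEX document, the scanner findings and the placeholder id CVE-0000-0001 are all constructed here, and the CycloneDX analysis states are collapsed onto the three statuses the post describes.

```python
import json

# Constructed CycloneDX 1.4 VEX fragment (not a real vendor document): the supplier
# states Log4Shell is not exploitable in its shaded log4j-core because the JNDI
# lookup code is absent, and that a placeholder-id issue in another lib is exploitable.
VEX_DOC = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "vulnerabilities": [
    {"id": "CVE-2021-44228",
     "analysis": {"state": "not_affected", "justification": "code_not_present",
                  "detail": "JndiLookup class removed from the shaded jar"},
     "affects": [{"ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}]},
    {"id": "CVE-0000-0001",
     "analysis": {"state": "exploitable"},
     "affects": [{"ref": "pkg:npm/example-lib@1.0.0"}]}
  ]}""")

# CycloneDX analysis states -> the post's three statuses; unlisted states are unknown.
STATE_TO_STATUS = {
    "not_affected": "not affected", "false_positive": "not affected",
    "resolved": "not affected", "resolved_with_pedigree": "not affected",
    "exploitable": "affected", "in_triage": "unknown",
}

def index_vex(vex):
    """Return {(vuln_id, component_ref): status}. A statement applies only to
    the component refs listed under `affects`, never to the CVE globally."""
    table = {}
    for vuln in vex.get("vulnerabilities", []):
        state = vuln.get("analysis", {}).get("state")
        for target in vuln.get("affects", []):
            table[(vuln["id"], target["ref"])] = STATE_TO_STATUS.get(state, "unknown")
    return table

def apply_vex(findings, vex):
    """Split findings into (actionable, suppressed). Only an explicit 'not affected'
    statement for the exact component suppresses; affected/unknown stay actionable."""
    table = index_vex(vex)
    actionable, suppressed = [], []
    for finding in findings:
        status = table.get((finding["id"], finding["ref"]), "unknown")
        bucket = suppressed if status == "not affected" else actionable
        bucket.append({**finding, "vex_status": status})
    return actionable, suppressed

# Constructed scanner output (purl refs as a dependency scanner might emit them).
FINDINGS = [
    {"id": "CVE-2021-44228", "ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"id": "CVE-2021-44228", "ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.13.0"},
    {"id": "CVE-0000-0001", "ref": "pkg:npm/example-lib@1.0.0"},
]
```

Note that the second log4j-core finding is for a version the VEX document does not cover, so it stays actionable even though the CVE id matches: a VEX statement is scoped to the components it names, not to the CVE.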

At the time of writing, we are aware of these tools which support VEX:

Next Steps

While the NTIA’s standard defines the minimum data elements, there is not a standard for how VEX should be transmitted or exchanged. Dissemination of VEX is a critical part of making the standard effective for vulnerability response.

LunaTrace is building a global database and tooling to automatically generate VEX documents through analysis to increase the Signal to Noise Ratio of your Vulnerability Assessment tool. Contact us to learn more.
