What is VEX?
As we highlighted in our post on False Positives in Vulnerability Scanning,1 output of vulnerability assessment tools like
npm audit can be cumbersome because it lacks context. VEX (Vulnerability EXchange) is a new standard developed by the NTIA to exchange information about which vulnerabilities are actually exploitable in a product.
The Problem: False Positives
npm audit and other tools like it are good tools for checking your dependencies against known vulnerabilities. However, it commonly results in alerts for vulnerabilities that are inaccessible at runtime or otherwise irrelevant.2 This combined with the fact that
npm audit is run after install by default can result in users ignoring the output because the Signal to Noise Ratio is not high enough.3
A Solution: VEX
The NTIA is developing a standard containing the minimum information for exchanging security advisories in a machine readable format called VEX4. Besides being a clever bit of wordplay, VEX documents enable consumers to enhance the accuracy of their vulnerability assessment tools.
vex /veks/ • verb
make (someone) feel annoyed, frustrated, or worried, especially with trivial matters.
VEX documents contain a list of vulnerabilities and their status in a product. These statuses can be unknown, affected, or not affected.
For example, this VEX document describes that CVE-2021-44228 is exploitable in the application “DEF” and the vendor will not release a fix. This VEX document describes that Log4Shell is not exploitable in the application “ABC” because the code is not present.
VEX documents have some other interesting properties: they can contain partial or full results from a vulnerability assessment; multiple sources may issue VEX documents; and VEX documents are usually associated with an SBOM, but can be distributed separately.
The NTIA standard focuses on how security teams of software suppliers can use VEX to communicate with their customers about known vulnerabilities. The NTIA’s Use Case document is not meant to be complete, and we believe there are some interesting unexplored areas.
Software Suppliers: Inform Customers
Software Suppliers can publish VEX documents with their SBOMs to communicate the results of security assessments of their products programmatically. Consumers can cross reference this document with their own assessment to remove false positives and confirm the presence of specific vulnerabilities.
Security Engineers/End Users: Reduce Alert Fatigue
If Security Engineers and End Users have access to VEX documents, they can use them to make more informed decisions about which software to patch. This will reduce Alert Fatigue5 from false positives and lead to more effective utilization of time.
Security Researchers/Products: Publish Assessments
VEX documents can be issued by any source. Security Researchers may start publishing VEX documents along with their advisories. Further, VEX documents may be automatically generated by security analysis tools. For example, if a static analysis tool was run against a code base, it could automatically generate VEX documents stating a vulnerability is not exploitable because the code path is not reachable.
So how do I get started?
VEX is still in the early stages of development. There are currently two implementations of the standard. CycloneDX v1.4 has added a VulnerabilityAnalysis field6 and CSAF supports VEX content as an additional “profile”.7
At the time of writing, we are aware of these tools which support VEX:
- LunaTrace by LunaSec
While the NTIA’s standard defines the minimum data elements, there is not a standard for how VEX should be transmitted or exchanged. Dissemination of VEX is a critical part of making the standard effective for vulnerability response.
LunaTrace is building a global database and tooling to automatically generate VEX documents through analysis to increase the Signal to Noise Ratio of your Vulnerability Assessment tool. Contact us to learn more.
- False Positives in Vulnerability Scanning: Why We Think We Can Do Better | LunaSec↩
- npm audit: Broken by Design - Dan Abramov↩
- Don't be alarmed by vulnerabilities after running NPM Install - voitanos.io↩
- Vulnerability Exploitability eXchange (VEX) – Use Cases - cisa.gov↩
- Alarm fatigue - Wikipedia↩
- CycloneDX v1.4 Protobuf Spec L529-L650↩
- Common Security Advisory Framework Version 2.0↩