# VEX SBOM Reference
EXPERIMENTAL
This feature might change without preserving backwards compatibility.
## Using externally referenced VEX documents
Trivy can discover and download VEX documents referenced in the `externalReferences` of a scanned CycloneDX SBOM. This
requires the references to be of type `exploitability-statement`.
To be picked up by Trivy, the following top-level content needs to be part of a CycloneDX SBOM so that a remotely hosted
VEX file at https://vex.example.com is resolved dynamically:
```json
  "externalReferences": [
    {
      "type": "exploitability-statement",
      "url": "https://vex.example.com/vex"
    }
  ]
```
This can also be used to dynamically retrieve VEX files stored on GitHub with an `externalReference` such as:
```json
  "externalReferences": [
    {
      "type": "exploitability-statement",
      "url": "https://raw.githubusercontent.com/aquasecurity/trivy/refs/heads/main/.vex/trivy.openvex.json"
    }
  ]
```
This is not enabled by default at the moment, but it can be used when scanning a CycloneDX SBOM by explicitly specifying
`--vex sbom-ref`:
```bash
$ trivy sbom trivy.cdx.json --vex sbom-ref
2025-01-19T13:29:31+01:00       INFO    [vex] Retrieving external VEX document from host vex.example.com type="externalReference"
2025-01-19T13:29:31+01:00       INFO    Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.
```
All the referenced VEX files are retrieved via HTTP/HTTPS and used in the same way as if they had been explicitly specified via a file reference.
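To make the discovery rule above concrete, here is an added example (not Trivy's own code) that reads a CycloneDX SBOM and lists the external VEX URLs Trivy would consider: only top-level `externalReferences` of type `exploitability-statement` count. The `SAMPLE_SBOM` is constructed for the example, and the scheme filter (keeping only http/https URLs, since that is how the files are retrieved) is an assumption added here, not documented Trivy behaviour.

```python
import json
from urllib.parse import urlparse

# Constructed sample: a minimal CycloneDX SBOM with three external references.
# Only the http(s) "exploitability-statement" entry is a resolvable VEX reference.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "externalReferences": [
        {"type": "website", "url": "https://example.com/project"},
        {"type": "exploitability-statement", "url": "https://vex.example.com/vex"},
        {"type": "exploitability-statement", "url": "ftp://vex.example.com/vex"},
    ],
    "components": [],
})


def vex_references(sbom_json: str, allowed_schemes=("http", "https")):
    """Return the external VEX document URLs a CycloneDX SBOM references.

    Rule from the docs: only top-level externalReferences of type
    "exploitability-statement" are picked up. The scheme check is an
    assumption added in this example (the files are fetched over HTTP/HTTPS,
    so anything else cannot be retrieved and is skipped).
    """
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    urls = []
    for ref in sbom.get("externalReferences", []):
        if ref.get("type") != "exploitability-statement":
            continue  # other reference types (website, vcs, ...) are ignored
        url = ref.get("url", "")
        if urlparse(url).scheme.lower() not in allowed_schemes:
            continue  # assumption: not retrievable over HTTP/HTTPS, skip it
        urls.append(url)
    return urls


if __name__ == "__main__":
    for url in vex_references(SAMPLE_SBOM):
        print("would retrieve VEX document from", url)
```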