What VEX formats does sbomify support?

TL;DR

CycloneDX VEX (JSON and XML), OpenVEX, and CSAF 2.0 VEX are all natively supported, with automatic format detection. Upload through the component page, the API, or CI with BOM_TYPE: vex.

Supported formats

sbomify ingests VEX documents in the three formats that matter in practice, and detects which one you uploaded automatically:

FormatTypical producersNotes
CycloneDX VEXDependency-Track exports, CycloneDX tooling, sbomify’s own triageJSON and XML accepted; the richest format, with five analysis states
OpenVEXvexctl, Chainguard toolingLightweight JSON-LD format from the OpenVEX project
CSAF 2.0 VEXOS and hardware vendor advisories (Red Hat, Cisco, SUSE, and others)The OASIS standard for machine-readable security advisories

One nuance worth knowing: not_affected statements suppress findings from all three formats, while the false_positive analysis state is specific to CycloneDX.

How to upload

  • In the app. Use the upload panel on the component page. VEX artifacts are listed next to SBOMs with their own badge.
  • Via the API. CycloneDX VEX goes to the CycloneDX artifact endpoint with bom_type=vex; OpenVEX and CSAF documents go to the format-agnostic /api/v1/sboms/artifact/vex/ endpoint, which detects the format for you.
  • From CI. Set BOM_TYPE: vex in your sbomify-action step. The document is uploaded verbatim, byte for byte, with no modification.

What happens after upload

Your VEX statements are applied to existing OSV and Dependency Track scan results, suppressing findings you have marked as not affected. Each release exposes a merged VEX download on both the internal release page and the public Trust Center release page.

For the full workflow, including in-app triage, CISA KEV flags, and generating VEX from your own triage decisions, see How do I use VEX with sbomify?.

Further reading