VEX & VDR Documents
This ability is limited to team members with Admin and/or Member roles.
Generate and manage Vulnerability Disclosure Reports (VDR) and Vulnerability Exploitability eXchange (VEX) documents to communicate the impact status of vulnerabilities across your software components.
Generating a VDR
A Vulnerability Disclosure Report (VDR) records the adjudication of the vulnerabilities associated with a specific SBOM or product. It lists every identified vulnerability together with its triage state, so the risk each one poses can be tracked and managed.
For instance, suppose your organization shares a product SBOM with a customer or regulator. They run the SBOM through a vulnerability scanner and come back asking why these vulnerabilities are present and what your organization has done about them. Rather than answering those questions over and over, you can ship a VDR document (as JSON) alongside the SBOM as a companion document, getting ahead of the questions and demonstrating that your team has already triaged and adjudicated the potential risks in the software.
To download a VDR document,
- Go to Assets in the left menu and select your desired asset
- Click Download in the top right corner, then click Download VDR and choose either .csv or .json format.
Generating a VEX Document
A VEX document describes which products one or more vulnerabilities affect (or do not affect), and the disposition of each vulnerability in each product. Where a VDR covers the vulnerabilities in a single SBOM, a VEX document describes impact across products.
In the wake of Log4Shell, for example, a company could generate a VEX document that states, for the given Log4Shell CVEs, which of its products are impacted and which are not.
- Navigate to the specific vulnerability for which you want to create a VEX file.
- Select the ⠇ button and click Create VEX Document from the dropdown.
- In the panel that shows up, search and select all impacted assets and products. Please note that only first-party assets and products will be available to select.
- If a product does not yet exist in Manifest, type its identifier directly in PURL or CPE format.
- Set the VEX status and justification for each asset or product. To enter a custom justification note, type it directly in the field. Both output formats require a justification for a status of not affected, so do not leave it blank for those entries.
- Choose a format for the VEX document (CSAF VEX or OpenVEX).
- Click Generate VEX, which will automatically begin downloading the file.
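The steps above are driven from the Manifest UI. To show what the resulting OpenVEX document looks like and which field combinations a consumer will reject, here is an added example (not Manifest's code and not a description of how Manifest generates the file). It assumes the OpenVEX 0.2.0 document shape (a top-level `@context`, statements whose `vulnerability` is `{"name": ...}` and whose `products` are `[{"@id": <PURL>}, ...]`); the product PURLs, author and document `@id` are constructed for the Log4Shell scenario described above, and only the CVE IDs are real.

```python
"""Build an OpenVEX 0.2.0 document from triage decisions.

Added example, not Manifest code. Product PURLs, author and @id are
constructed; the CVE identifiers are real Log4Shell CVEs.
"""
import json
from datetime import datetime, timezone

OPENVEX_CONTEXT = "https://openvex.dev/ns/v0.2.0"

# The four status labels and five machine-readable justifications OpenVEX defines.
STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}


def make_statement(vuln_id, product_purls, status, justification=None,
                   impact_statement=None, action_statement=None):
    """Return one statement, refusing combinations a consumer will reject:
    not_affected needs a justification or impact_statement, affected needs
    an action_statement, and labels must come from the spec vocabularies."""
    if status not in STATUSES:
        raise ValueError(f"unknown VEX status {status!r}")
    if justification is not None and justification not in JUSTIFICATIONS:
        raise ValueError(f"unknown justification {justification!r}")
    if status == "not_affected" and not (justification or impact_statement):
        raise ValueError("not_affected requires a justification or impact_statement")
    if status == "affected" and not action_statement:
        raise ValueError("affected requires an action_statement")
    if not product_purls:
        raise ValueError("a statement must name at least one product")
    stmt = {
        "vulnerability": {"name": vuln_id},
        "products": [{"@id": purl} for purl in product_purls],
        "status": status,
    }
    if justification:
        stmt["justification"] = justification
    if impact_statement:
        stmt["impact_statement"] = impact_statement
    if action_statement:
        stmt["action_statement"] = action_statement
    return stmt


def make_document(doc_id, author, statements, timestamp=None):
    """Wrap statements in the document envelope. version starts at 1 and is
    bumped when a revised document supersedes this one."""
    return {
        "@context": OPENVEX_CONTEXT,
        "@id": doc_id,
        "author": author,
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        "version": 1,
        "statements": statements,
    }


def log4shell_document():
    """Constructed scenario (hypothetical PURLs): one product version is
    affected, its successor is fixed, a second product is not affected, and
    a second CVE is still being investigated."""
    statements = [
        make_statement("CVE-2021-44228",
                       ["pkg:maven/com.example/billing-service@3.2.0"],
                       "affected",
                       action_statement="Upgrade to billing-service 3.2.1 (log4j-core 2.17.1)"),
        make_statement("CVE-2021-44228",
                       ["pkg:maven/com.example/reporting-api@1.4.0"],
                       "not_affected",
                       justification="vulnerable_code_not_in_execute_path"),
        make_statement("CVE-2021-44228",
                       ["pkg:maven/com.example/billing-service@3.2.1"],
                       "fixed"),
        make_statement("CVE-2021-45046",
                       ["pkg:maven/com.example/billing-service@3.2.0"],
                       "under_investigation"),
    ]
    return make_document("https://vex.example.com/2021/log4shell",
                         "Example Corp PSIRT", statements,
                         timestamp="2021-12-20T09:00:00+00:00")


if __name__ == "__main__":
    print(json.dumps(log4shell_document(), indent=2))
```

The checks in `make_statement` are the ones that matter when the file leaves your hands: a downstream scanner that honours VEX will ignore or flag a `not_affected` statement with no justification, and an `affected` statement without an action is of no use to the customer who has to react to it.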
Uploading VEX Documents
To upload a VEX document, go to the Uploads page and drag the VEX document into the upload zone. Manifest automatically maps the VEX statements onto your assets, giving you clear visibility of vulnerability status across your software supply chain. Note that only the CSAF VEX and OpenVEX formats are accepted.
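To make concrete what mapping an uploaded VEX document onto assets involves, here is an added example of the consumer side (not Manifest's code, and not a description of how Manifest performs the mapping). It assumes OpenVEX 0.2.0, identifies assets by PURL, and honours the OpenVEX rule that a statement's own `timestamp` overrides the document timestamp so that a later statement about the same vulnerability and product supersedes an earlier one. The VEX text and the scanner findings are constructed for the example.

```python
"""Apply an uploaded OpenVEX document to scanner findings.

Added example, not Manifest code. SAMPLE_VEX and SAMPLE_FINDINGS are
constructed; the product PURLs are hypothetical.
"""
import json
from datetime import datetime

OPENVEX_CONTEXT = "https://openvex.dev/ns/v0.2.0"

# Constructed document: the first two statements concern the same product and
# CVE; the second carries a later timestamp and therefore supersedes the first.
SAMPLE_VEX = """{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://vex.example.com/2021/log4shell",
  "author": "Example Corp PSIRT",
  "timestamp": "2021-12-11T08:00:00+00:00",
  "version": 2,
  "statements": [
    {"vulnerability": {"name": "CVE-2021-44228"},
     "products": [{"@id": "pkg:maven/com.example/reporting-api@1.4.0"}],
     "status": "under_investigation"},
    {"vulnerability": {"name": "CVE-2021-44228"},
     "products": [{"@id": "pkg:maven/com.example/reporting-api@1.4.0"}],
     "timestamp": "2021-12-13T17:30:00+00:00",
     "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": {"name": "CVE-2021-44228"},
     "products": [{"@id": "pkg:maven/com.example/billing-service@3.2.0"}],
     "status": "affected",
     "action_statement": "Upgrade to billing-service 3.2.1"},
    {"vulnerability": {"name": "CVE-2021-44228"},
     "products": [{"@id": "pkg:maven/com.example/legacy-portal@0.9.0"}],
     "status": "affected",
     "action_statement": "Decommissioned; no fix planned"}
  ]
}"""

# Constructed scanner output as (asset PURL, vulnerability ID) pairs.
SAMPLE_FINDINGS = [
    ("pkg:maven/com.example/reporting-api@1.4.0", "CVE-2021-44228"),
    ("pkg:maven/com.example/billing-service@3.2.0", "CVE-2021-44228"),
    ("pkg:maven/com.example/billing-service@3.2.0", "CVE-2021-45046"),
]


def index_vex(text):
    """Parse an OpenVEX document into {(vuln, product): statement}, keeping
    only the most recent statement per pair. Documents with a different
    @context are refused rather than guessed at."""
    doc = json.loads(text)
    if doc.get("@context") != OPENVEX_CONTEXT:
        raise ValueError(f"not an OpenVEX 0.2.0 document: {doc.get('@context')!r}")
    latest = {}
    for stmt in doc["statements"]:
        ts = datetime.fromisoformat(stmt.get("timestamp", doc["timestamp"]))
        for product in stmt["products"]:
            key = (stmt["vulnerability"]["name"], product["@id"])
            # Equal timestamps: the statement listed later wins.
            if key not in latest or ts >= latest[key][0]:
                latest[key] = (ts, stmt)
    return {key: stmt for key, (_, stmt) in latest.items()}


def apply_vex(findings, index):
    """Annotate each finding with its VEX status. Findings with no statement
    keep a sentinel status rather than being silently dropped, and VEX
    products that match no scanned asset are returned for review (this is
    where a typed-in PURL that does not match inventory shows up)."""
    annotated = []
    for asset, vuln in findings:
        stmt = index.get((vuln, asset))
        annotated.append({
            "asset": asset,
            "vulnerability": vuln,
            "status": stmt["status"] if stmt else "no_vex_statement",
            "justification": stmt.get("justification") if stmt else None,
        })
    scanned_assets = {asset for asset, _ in findings}
    unmatched = sorted({prod for _, prod in index if prod not in scanned_assets})
    return annotated, unmatched


if __name__ == "__main__":
    rows, unmatched = apply_vex(SAMPLE_FINDINGS, index_vex(SAMPLE_VEX))
    for row in rows:
        print(row)
    print("VEX products with no matching asset:", unmatched)
```

Two outcomes of this pass deserve attention when reviewing an upload: a finding left at `no_vex_statement` is a gap in the VEX coverage (here CVE-2021-45046 on billing-service), and a product in the VEX that matches nothing in inventory is either a typo in a hand-entered identifier or an asset that should have been onboarded.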