What is a VEX Statement?
VEX (Vulnerability Exploitability eXchange) is a standard for communicating whether a known vulnerability in a software component is actually exploitable in a specific context. Where an SBOM says “this package is present,” a VEX statement says “this CVE in this package has been fixed” or “this CVE is present but not exploitable in this artifact.”
Root’s Use of VEX
Root generates VEX statements for every vulnerability it addresses. Each statement records:
- The CVE — the specific vulnerability identifier
- The affected artifact — the image or package version where it was present
- The status — `fixed` (Root Patch applied) or `not_affected` (present but not exploitable in this context)
- The justification — how it was fixed and why the fix can be trusted
- The timestamp — when the statement was issued
Why VEX Matters for Scanner Output
Without VEX, scanners like Trivy, Grype, and Snyk will flag CVEs that Root has already patched. This creates noise in security reports and wastes triage time. With Root’s VEX statements:
- Patched findings are suppressed automatically
- Remaining findings are genuinely unaddressed
- Compliance reports reflect actual risk, not scanner noise
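The following is an added illustration (not Root's own code or output) of the two sections above: it assembles an OpenVEX document carrying the five fields a statement records (CVE, affected artifact, status, justification, timestamp), enforces the OpenVEX rule that a `not_affected` status needs a recognised justification, and then applies the document to a list of scanner findings so that only findings with a matching `fixed` or `not_affected` statement for the same artifact are suppressed. The image purls, CVE ids, author URL and findings are constructed placeholders.

```python
"""Build an OpenVEX document from the fields a Root VEX statement records and
apply it to scanner findings. Added illustration, not Root's own code; the
image purls, CVE ids and author URL below are constructed placeholders."""
import json
from datetime import datetime, timezone

OPENVEX_CONTEXT = "https://openvex.dev/ns/v0.2.0"
VALID_STATUSES = {"fixed", "not_affected", "affected", "under_investigation"}
# Machine-readable justifications OpenVEX allows for a not_affected status.
NOT_AFFECTED_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}
# Statuses that mean a scanner finding is no longer actionable.
SUPPRESSIBLE = {"fixed", "not_affected"}


def make_statement(cve, product, status, justification=None, notes=None, timestamp=None):
    """One VEX statement: CVE, affected artifact, status, justification, timestamp."""
    if status not in VALID_STATUSES:
        raise ValueError(f"unknown VEX status: {status}")
    if status == "not_affected" and justification not in NOT_AFFECTED_JUSTIFICATIONS:
        raise ValueError("not_affected requires a recognised justification")
    stmt = {
        "vulnerability": {"name": cve},
        "products": [{"@id": product}],
        "status": status,
        "timestamp": (timestamp or datetime.now(timezone.utc)).isoformat(),
    }
    if justification:
        stmt["justification"] = justification
    if notes:
        # Free text: how the issue was fixed and why the fix can be trusted.
        stmt["status_notes"] = notes
    return stmt


def make_document(author, doc_id, statements, timestamp=None):
    """Wrap statements in an OpenVEX document envelope."""
    return {
        "@context": OPENVEX_CONTEXT,
        "@id": doc_id,
        "author": author,
        "timestamp": (timestamp or datetime.now(timezone.utc)).isoformat(),
        "version": 1,
        "statements": statements,
    }


def suppress_findings(findings, vex_doc):
    """Split scanner findings into (remaining, suppressed) using the VEX document.
    A finding is suppressed only when a statement names the same CVE *and* the
    same artifact with a fixed or not_affected status; anything else remains."""
    index = {}
    for stmt in vex_doc["statements"]:
        for product in stmt["products"]:
            index[(stmt["vulnerability"]["name"], product["@id"])] = stmt["status"]
    remaining, suppressed = [], []
    for finding in findings:
        status = index.get((finding["cve"], finding["artifact"]))
        (suppressed if status in SUPPRESSIBLE else remaining).append(finding)
    return remaining, suppressed


# Constructed sample data (placeholders, not real artifacts or findings).
IMAGE = "pkg:oci/demo-app@sha256:placeholder-digest"
OTHER_IMAGE = "pkg:oci/other-app@sha256:placeholder-digest"
ISSUED = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)

SAMPLE_VEX = make_document(
    author="https://example.invalid/vex-issuer",
    doc_id="https://example.invalid/vex/demo-app-1",
    statements=[
        make_statement("CVE-2024-0001", IMAGE, "fixed",
                       notes="Backported upstream fix; image rebuilt and re-scanned",
                       timestamp=ISSUED),
        make_statement("CVE-2024-0002", IMAGE, "not_affected",
                       justification="vulnerable_code_not_in_execute_path",
                       notes="Affected function is never reached by this image",
                       timestamp=ISSUED),
    ],
    timestamp=ISSUED,
)

SAMPLE_FINDINGS = [
    {"cve": "CVE-2024-0001", "artifact": IMAGE},        # patched -> suppressed
    {"cve": "CVE-2024-0002", "artifact": IMAGE},        # not exploitable -> suppressed
    {"cve": "CVE-2024-0003", "artifact": IMAGE},        # no statement -> remains
    {"cve": "CVE-2024-0001", "artifact": OTHER_IMAGE},  # statement scoped to another image -> remains
]

if __name__ == "__main__":
    print(json.dumps(SAMPLE_VEX, indent=2))
    remaining, suppressed = suppress_findings(SAMPLE_FINDINGS, SAMPLE_VEX)
    print(f"suppressed {len(suppressed)}, remaining {[f['cve'] for f in remaining]}")
```

The matching is deliberately keyed on both CVE and artifact: a statement that CVE-2024-0001 is fixed in one image says nothing about the same CVE in another image, so that finding stays in the report. This is the property that keeps the remaining findings "genuinely unaddressed" rather than over-suppressed.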
Supported Formats
| Format | Notes |
|---|---|
| OpenVEX | CISA-endorsed open standard; broadly supported |
| CycloneDX VEX | Tightly integrated with CycloneDX SBOMs; preferred for toolchain use |
Accessing VEX Statements
For container images (RIC): VEX documents are available via the API or in the UI, keyed by the unique image id (rrtID):
Via the Root platform UI: Download VEX statements per-artifact from the Inventory view.
Via the Root API: See API Reference for the images/tags/{rrtID}/vex endpoint.