# VEX Statements

> How Root uses Vulnerability Exploitability eXchange (VEX) to document the fix status of every CVE in its artifacts.

Every Root Patch is accompanied by a VEX statement - a machine-readable document that asserts the exploitability status of a specific CVE in a specific artifact. VEX lets your scanners know that a vulnerability has been addressed, eliminating false positives and keeping compliance reports accurate.

## What is a VEX Statement?

VEX (Vulnerability Exploitability eXchange) is a standard for communicating whether a known vulnerability in a software component is actually exploitable in a specific context. Where an SBOM says "this package is present," a VEX statement says "this CVE in this package has been fixed" or "this CVE is present but not exploitable in this artifact."

## Root's Use of VEX

Root generates VEX statements for every vulnerability it addresses. Each statement records:

* **The CVE** - the specific vulnerability identifier
* **The affected artifact** - the image or package version where it was present
* **The status** - `fixed` (Root Patch applied) or `not_affected` (present but not exploitable in this context)
* **The justification** - how it was fixed and why the fix can be trusted; for `not_affected`, the OpenVEX justification label (for example `vulnerable_code_not_in_execute_path`) that explains why the vulnerable code cannot be reached in this artifact, which OpenVEX requires on every `not_affected` statement
* **The timestamp** - when the statement was issued

## Why VEX Matters for Scanner Output

Scanners like Trivy, Grype, and Snyk match package versions against advisory databases and have no way of knowing on their own that Root has already patched a CVE, so they keep flagging it. This creates noise in security reports and wastes triage time. With Root's VEX statements supplied to the scanner:

* Patched findings are suppressed, with the VEX status and justification recorded as the reason
* Remaining findings are genuinely unaddressed
* Compliance reports reflect actual risk, not scanner noise
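To make the two sections above concrete, here is a small consumer that does what a scanner does with a VEX document: it indexes statements by CVE and product, then filters a list of findings, suppressing only those the document marks `fixed` or `not_affected` for that exact artifact. This is an added example written for this page, not Root's code or output; the OpenVEX document, CVE numbers, purls and findings are constructed. It goes slightly beyond the text in two ways a practitioner will want: it accepts both the OpenVEX v0.1 (bare string) and v0.2 (object) shapes for `vulnerability` and `products`, and it refuses to honour a `not_affected` statement that lacks a spec-listed justification instead of trusting it.

```python
"""Apply an OpenVEX document to scanner findings and report what it suppresses.

Constructed demo: the VEX document, CVE IDs, purls and findings are made up to
show the mechanics; nothing here is Root output or Root code.
"""
import json

# OpenVEX status values. Only these two remove a finding from a report.
SUPPRESSING_STATUSES = {"fixed", "not_affected"}

# Justification labels OpenVEX allows on a not_affected statement.
NOT_AFFECTED_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}

# Hypothetical product identifiers (purls) for two different image builds.
PATCHED_IMAGE = "pkg:oci/python@sha256:aaaa?tag=3.12"
OTHER_IMAGE = "pkg:oci/python@sha256:bbbb?tag=3.11"

# Constructed OpenVEX v0.2.0 document that covers PATCHED_IMAGE only.
SAMPLE_VEX = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/python-3.12-demo",
    "author": "Constructed example issuer",
    "timestamp": "2024-06-01T12:00:00Z",
    "version": 1,
    "statements": [
        {"vulnerability": {"name": "CVE-2024-0001"},
         "products": [{"@id": PATCHED_IMAGE}], "status": "fixed"},
        {"vulnerability": {"name": "CVE-2024-0002"},
         "products": [{"@id": PATCHED_IMAGE}], "status": "not_affected",
         "justification": "vulnerable_code_not_in_execute_path"},
        # Deliberately malformed: not_affected with no justification.
        {"vulnerability": {"name": "CVE-2024-0003"},
         "products": [{"@id": PATCHED_IMAGE}], "status": "not_affected"},
    ],
})

# Constructed findings in the shape a scanner emits after version matching.
SAMPLE_FINDINGS = [
    {"cve": "CVE-2024-0001", "product": PATCHED_IMAGE, "severity": "HIGH"},
    {"cve": "CVE-2024-0002", "product": PATCHED_IMAGE, "severity": "MEDIUM"},
    {"cve": "CVE-2024-0003", "product": PATCHED_IMAGE, "severity": "LOW"},
    {"cve": "CVE-2024-0004", "product": PATCHED_IMAGE, "severity": "CRITICAL"},  # no statement
    {"cve": "CVE-2024-0001", "product": OTHER_IMAGE, "severity": "HIGH"},        # other build
]


def _vuln_name(stmt):
    """OpenVEX v0.1 used a bare string; v0.2 uses {"name": ...}. Accept both."""
    v = stmt["vulnerability"]
    return v if isinstance(v, str) else v["name"]


def _product_ids(stmt):
    """Products are bare strings in v0.1 and {"@id": ...} objects in v0.2."""
    return [p if isinstance(p, str) else p["@id"] for p in stmt.get("products", [])]


def load_vex(doc_json):
    """Index statements by (CVE, product). Returns (index, rejected_cves).

    A not_affected statement is indexed only when it carries a spec-listed
    justification; otherwise its CVE is reported as rejected and stays visible.
    """
    doc = json.loads(doc_json)
    index, rejected = {}, []
    for stmt in doc["statements"]:
        name = _vuln_name(stmt)
        if (stmt.get("status") == "not_affected"
                and stmt.get("justification") not in NOT_AFFECTED_JUSTIFICATIONS):
            rejected.append(name)
            continue
        for product in _product_ids(stmt):
            index[(name, product)] = stmt
    return index, rejected


def apply_vex(findings, index):
    """Split findings into (kept, suppressed).

    A finding is suppressed only when a statement exists for the same CVE *and*
    the same product with a suppressing status; a statement about another
    image build never hides a finding.
    """
    kept, suppressed = [], []
    for finding in findings:
        stmt = index.get((finding["cve"], finding["product"]))
        if stmt and stmt["status"] in SUPPRESSING_STATUSES:
            suppressed.append({**finding, "vex_status": stmt["status"],
                               "justification": stmt.get("justification")})
        else:
            kept.append(finding)
    return kept, suppressed


if __name__ == "__main__":
    idx, rejected = load_vex(SAMPLE_VEX)
    kept, suppressed = apply_vex(SAMPLE_FINDINGS, idx)
    for f in suppressed:
        print(f"suppressed {f['cve']} ({f['vex_status']}, {f['justification']})")
    for f in kept:
        print(f"still open {f['cve']} {f['severity']} on {f['product']}")
    print("rejected statements:", rejected)
```

Two things to notice when you run it: the `CVE-2024-0001` finding on the other image build stays open even though the same CVE is marked `fixed` elsewhere, because a VEX statement is scoped to the product it names, and the malformed `not_affected` statement is rejected rather than silently suppressing `CVE-2024-0003`. Real scanners apply the same product-matching rule, which is why the VEX document's product identifiers must match the artifact you are actually scanning.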

## Supported Formats

| Format        | Notes                                                                                   |
| ------------- | --------------------------------------------------------------------------------------- |
| OpenVEX       | Open standard that implements CISA's VEX minimum requirements; broadly supported by scanners |
| CycloneDX VEX | Tightly integrated with CycloneDX SBOMs; preferred for toolchain use                    |

## Accessing VEX Statements

**For container images (RIC):** VEX documents are available through the API or the UI, keyed by the image's unique id (`rrtID`).

**Via the Root platform UI:** Download VEX statements per-artifact from the Inventory view.

**Via the Root API:** See [API Reference](/reference/api) for the `images/tags/{rrtID}/vex` endpoint.

## Using VEX with Scanners

```bash
# Trivy - pass the VEX file so findings it marks fixed/not_affected are filtered out;
# add --show-suppressed to list what was filtered and why
trivy image --vex root-vex.json cr.root.io/python:3.12

# Grype - apply the same VEX document to filter results
grype cr.root.io/python:3.12 --vex root-vex.json
```

See [VEX Reports](/reports/vex-reports) for bulk VEX export and scanner integration patterns.
