VEX (Vulnerability Exploitability eXchange)

A Guide to Using The HeroDevs VEX API

VEX (Vulnerability Exploitability eXchange) is a machine-readable way to say whether a known vulnerability actually affects a product. HeroDevs publishes OpenVEX statements so your scanners can skip issues that are already fixed in, or never applied to, NES packages.

What is VEX

OpenVEX is a compact JSON profile for VEX that lists a vulnerability, the product it relates to, and a status such as not_affected, fixed, affected, or under_investigation. Security tools that understand VEX use those statuses to suppress or prioritize findings instead of showing every CVE in a dependency tree.

Why it reduces scanner noise

VEX pairs a vulnerability with the exact package and an exploitability status, which lets scanners hide items marked not_affected or already fixed. Teams can still review suppressed items by enabling "show suppressed" modes in their scanner, so auditability isn't lost even when the daily noise is.

HeroDevs VEX feed

Live endpoint

GET https://apps.herodevs.com/api/ontology/vex/statements

The endpoint returns OpenVEX v0.2.0 and covers all NES packages; no authentication is required. Responses include a top-level nes object; ignore any keys inside it until they are formally documented.

Fetch the document

Download the OpenVEX feed from the VEX API and cache it locally.

curl -sSL https://apps.herodevs.com/api/ontology/vex/statements -o herodevs.openvex.json

Store the file in your build workspace and reuse it across scans to avoid extra requests.
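To show how the statuses described under "What is VEX" and "Why it reduces scanner noise" translate into suppressed findings, and how the cached file is reused across scans, here is an added Python example. It is not HeroDevs or demo-scanners code. The feed URL and cache file name are taken from this page; the OpenVEX document, the purls and the CVE identifiers in it are constructed placeholders, and the scanner findings are a constructed list in the shape a scanner might export (purl plus vulnerability id). The filter also accepts the older pre-0.2.0 layout in which vulnerability and products are bare strings, and it keeps visible any not_affected statement that lacks the justification or impact_statement the OpenVEX specification requires, so a malformed statement cannot silently hide a finding.

```python
"""Apply OpenVEX statements to scanner findings.

Added example, not HeroDevs or demo-scanners code. The feed URL and cache file
name come from the page; the document and findings below are constructed.
"""
import json
import os
import urllib.request

VEX_URL = "https://apps.herodevs.com/api/ontology/vex/statements"
CACHE_PATH = "herodevs.openvex.json"

# Statuses that let a scanner hide a finding; everything else stays visible.
SUPPRESSING_STATUSES = {"not_affected", "fixed"}


def load_vex(cache_path=CACHE_PATH, url=VEX_URL):
    """Return the OpenVEX document, fetching it into the cache only on first use."""
    if not os.path.exists(cache_path):
        with urllib.request.urlopen(url, timeout=30) as resp:
            body = resp.read()
        with open(cache_path, "wb") as fh:
            fh.write(body)
    with open(cache_path, "rb") as fh:
        return json.load(fh)


def vulnerability_name(statement):
    """v0.2.0 nests the id under vulnerability.name; older documents used a bare string."""
    vuln = statement.get("vulnerability")
    if isinstance(vuln, dict):
        return vuln.get("name") or vuln.get("@id")
    return vuln


def product_ids(statement):
    """Products are objects with an @id (a purl) in v0.2.0, bare strings before that."""
    return [p.get("@id") if isinstance(p, dict) else p for p in statement.get("products", [])]


def index_statements(doc):
    """Map (purl, vulnerability) -> statement; the later timestamp wins when two overlap."""
    index = {}
    for st in doc.get("statements", []):
        name = vulnerability_name(st)
        if not name:
            continue
        for pid in product_ids(st):
            prev = index.get((pid, name))
            if prev is None or st.get("timestamp", "") >= prev.get("timestamp", ""):
                index[(pid, name)] = st
    return index


def apply_vex(findings, doc):
    """Split findings into (kept, suppressed). Each finding carries 'purl' and 'id'."""
    index = index_statements(doc)
    kept, suppressed = [], []
    for finding in findings:
        st = index.get((finding["purl"], finding["id"]))
        status = st.get("status") if st else None
        # OpenVEX requires a justification or impact_statement for not_affected;
        # a statement without one is malformed, so the finding stays visible.
        well_formed = status != "not_affected" or bool(
            st.get("justification") or st.get("impact_statement"))
        if status in SUPPRESSING_STATUSES and well_formed:
            suppressed.append({**finding, "vex_status": status,
                               "justification": st.get("justification")})
        else:
            kept.append({**finding, "vex_status": status})
    return kept, suppressed


PRODUCT = "pkg:npm/example-lib@1.2.3"  # constructed purl, not a real NES package
SAMPLE_VEX = {  # constructed document in the v0.2.0 shape; CVE ids are placeholders
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/constructed",
    "author": "constructed example",
    "timestamp": "2024-01-01T00:00:00Z",
    "version": 1,
    "nes": {},  # the live feed carries this object; the page says to ignore its keys
    "statements": [
        {"vulnerability": {"name": "CVE-0000-00001"}, "products": [{"@id": PRODUCT}],
         "status": "fixed"},
        {"vulnerability": {"name": "CVE-0000-00002"}, "products": [{"@id": PRODUCT}],
         "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
        {"vulnerability": {"name": "CVE-0000-00003"}, "products": [{"@id": PRODUCT}],
         "status": "under_investigation"},
        {"vulnerability": {"name": "CVE-0000-00004"}, "products": [{"@id": PRODUCT}],
         "status": "not_affected"},  # malformed: no justification, must not suppress
    ],
}
SAMPLE_FINDINGS = [  # constructed scanner output: one row per (purl, vulnerability)
    {"purl": PRODUCT, "id": "CVE-0000-00001"},
    {"purl": PRODUCT, "id": "CVE-0000-00002"},
    {"purl": PRODUCT, "id": "CVE-0000-00003"},
    {"purl": PRODUCT, "id": "CVE-0000-00004"},
    {"purl": PRODUCT, "id": "CVE-0000-00005"},  # no statement at all
    {"purl": "pkg:npm/other-lib@9.9.9", "id": "CVE-0000-00001"},  # other product
]

if __name__ == "__main__":
    kept, suppressed = apply_vex(SAMPLE_FINDINGS, SAMPLE_VEX)
    for row in suppressed:
        print("suppressed", row["id"], row["purl"], row["vex_status"], row["justification"])
    for row in kept:
        print("kept      ", row["id"], row["purl"], row["vex_status"])
```

Against the live feed, replace SAMPLE_VEX with load_vex() so the document is fetched once and read from herodevs.openvex.json on every later scan; the suppressed list is what a scanner's "show suppressed" mode would display, with the justification kept alongside each row so the decision remains auditable.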

Integration examples (demo scanners)

All runnable examples live in the demo-scanners repo. The trivy folder contains ready-to-run scripts and expected outputs using --vex, while grype walks through SBOM generation, sbom: scans, --name filtering, and VEX application. Both include sample SBOMs and the HeroDevs OpenVEX file so you can diff your results.

Follow the README in each folder; swap in your project path and always download the latest OpenVEX from HeroDevs before running.