VEXGen
What is VEXGen?
VEXGen is an automated tool for generating VEX (Vulnerability Exploitability eXchange) and TIX (Threat Intelligence eXchange) documents from GitHub repositories.
Key Features
- 🔍 Automatic SBOM Discovery - Finds and processes Software Bill of Materials files
- 🧠 Smart Code Analysis - Multi-language analyzer detects actual component usage
- 📊 Vulnerability Assessment - Determines exploitability using package affected artefacts
- 📦 VEX/TIX Generation - Creates standards-compliant security documents
Development requirements
- Docker to deploy the tool.
- Docker Compose for container orchestration.
- It is recommended to use a GUI such as MongoDB Compass.
- The Neo4J browser interface to visualize the graph built from the data is in localhost:7474 when the container is running.
- Python 3.13 or higher.
Deployment with docker
1. Clone the repository
Clone the repository from the official GitHub repository:
git clone https://github.com/securechaindev/securechain-vexgen.git
cd securechain-vexgen
2. Configure environment variables
Create a .env file from the template.env file and place it in the app/ directory.
Get API Keys
-
How to get a GitHub API key.
-
Modify the Json Web Token (JWT) secret key and algorithm with your own. You can generate your own secret key with the command openssl rand -base64 32.
3. Create Docker network
Ensure you have the securechain Docker network created. If not, create it with:
docker network create securechain
4. Databases containers
For graphs and vulnerabilities information you need to download the zipped data dumps from Zenodo. Once you have unzipped the dumps, inside the root folder run the command:
docker compose up --build
The containerized databases will also be seeded automatically.
5. Start the application
Run the command from the project root:
docker compose -f dev/docker-compose.yml up --build
6. Access the application
The API will be available at http://localhost:8002. You can access the API documentation at http://localhost:8002/docs. Also, in http://localhost:8001/docs you can access the auth API documetation.
Endpoints Specification
Vulnerability Exploitybility eXchange (VEX) endpoints
Description: Fetches all VEX documents associated with a specific user.
Response: List of VEX documents with metadata and JSON content.
Description: Fetches a specific VEX document by its ID.
Path Parameters:
- VEX ID: The ID of the VEX document to retrieve.
Response: VEX document metadata and content in JSON format.
Description: Downloads a VEX document as a ZIP file using a specific VEX ID.
Path Parameters:
- VEX ID: The ID of the VEX document to retrieve.
Response: A downloadable ZIP file containing the VEX document.
Thread Intelligence eXchange (TIX) endpoints
Description: Fetches all TIX documents associated with a specific user.
Response: List of TIX documents with metadata and JSON content.
Description: Fetches a specific TIX document by its ID.
Path Parameters:
- TIX ID: The ID of the TIX document to retrieve.
Response: TIX document metadata and content in JSON format.
Description: Downloads a TIX document as a ZIP file using a specific TIX ID.
Path Parameters:
- TIX ID: The ID of the TIX document to retrieve.
Response: A downloadable ZIP file containing the TIX document.
Generation endpoints
Description: Generates VEX and TIX for a specific GitHub repository.
Request Body:
- owner: The owner of the GitHub repository.
- name: The name of the GitHub repository.
Response: A downloadable ZIP file containing generated VEX and TIX documents.