VEXGen

Description

VEXGen analyzes software dependencies and generates VEX documents that communicate whether known vulnerabilities are actually exploitable in a given context. It integrates data from multiple sources, including OSV.dev, SBOMs, and Git commit history.

Purpose

VEXGen is a tool for generating VEX (Vulnerability Exploitability eXchange) documents, which indicate whether specific vulnerabilities affect software artifacts.

It helps organizations and developers:

  • Track and analyze vulnerabilities in dependencies
  • Communicate exploitability status via VEX
  • Store and visualize data using dependency graphs and SBOMs
  • Integrate vulnerability data from OSV.dev and Git

Video tutorial

Prerequisites

Before deploying VEXGen, ensure the following are installed:

  • Docker
  • Git
  • Git LFS (Git Large File Storage)

Deployment requirements

  1. Docker to deploy the tool.

  2. Git Large File Storage (git-lfs) so that the repository's seed files are cloned correctly.

Deployment with Docker

Step 1

Create a .env file from template.env

Get API Keys

  • How to get a GitHub API key.

  • Replace the JSON Web Token (JWT) secret key with your own. You can generate one with the command node -e "console.log(require('crypto').randomBytes(32).toString('hex'))".

Step 2

Create the graphs folder inside the seeds folder at the root of the project, download the graph seed from this link, and place it in the graphs folder.

Step 3

Run the command docker compose up --build.

Step 4

Enter here for the frontend Web API.
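The setup steps above collected into one POSIX shell script, added here as an example and not part of the VEXGen project. It assumes template.env sits in the repository root, that the JWT secret variable in it is named JWT_SECRET (set JWT_VAR to match your template.env if it differs), and that the graph seed from Step 2 is still downloaded by hand into seeds/graphs.

```shell
#!/bin/sh
# Example setup helper for VEXGen (added example, not project code).
set -eu

# Assumed name of the JWT secret variable in template.env; override if needed.
JWT_VAR="${JWT_VAR:-JWT_SECRET}"

# Fail early, naming the first missing prerequisite from the README.
check_prereqs() {
  for tool in docker git git-lfs; do
    command -v "$tool" >/dev/null 2>&1 || { echo "missing: $tool" >&2; return 1; }
  done
}

# 32 random bytes as 64 hex characters: the same size as the node one-liner
# in Step 1, but without needing node installed.
generate_jwt_secret() {
  od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# Create .env from template.env (only if .env is absent) and fill in a fresh
# JWT secret. $1 = project directory. An existing .env is never overwritten.
ensure_env() {
  dir="$1"
  [ -f "$dir/.env" ] && { echo ".env already exists, leaving it" >&2; return 0; }
  cp "$dir/template.env" "$dir/.env"
  secret=$(generate_jwt_secret)
  if grep -q "^${JWT_VAR}=" "$dir/.env"; then
    sed -i.bak "s|^${JWT_VAR}=.*|${JWT_VAR}=${secret}|" "$dir/.env" && rm -f "$dir/.env.bak"
  else
    printf '%s=%s\n' "$JWT_VAR" "$secret" >> "$dir/.env"
  fi
  chmod 600 "$dir/.env"   # holds the GitHub API key and JWT secret; keep it private
}

# Directory for the graph seed from Step 2 (the download itself stays manual).
ensure_seeds_dir() { mkdir -p "$1/seeds/graphs"; }

# Full run (Steps 1 to 3) from the repository root: ./setup.sh run
main() {
  check_prereqs
  ensure_env "$1"
  ensure_seeds_dir "$1"
  docker compose up --build
}
if [ "${1:-}" = run ]; then main "$PWD"; fi
```

Invoke the script with no arguments to load only the functions; the Docker build runs only when the first argument is run.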

Other tools

  1. It is recommended to use a GUI such as MongoDB Compass to inspect what information is being indexed in the vulnerability database.

  2. You can view the generated dependency graph here, using the Neo4j browser interface.