vex
This command provides different operations on VEX/SBOM files with embedded vulnerabilities. The vex command has the following subcommands:
list
: returns a list of all vulnerability-IDs.
trim
: returns a file with filtered vulnerabilities.
search
: returns a file with a specific vulnerability.
extract
: extracts all vulnerabilities from an SBOM file to a VEX file.
usage: cdx-ev vex [-h] {list,search,trim,extract} ...
Positional Arguments
- sub_command
Possible choices: list, search, trim, extract
list
This subcommand returns a list of all vulnerability-IDs inside the input file. There are two different schemas:
--schema default
(default) returns:
CVE-ID,Description,Status
CVE-1012-0001,some description of a vulnerability,exploitable
CVE-1013-0002,some description of a vulnerability 2,not_affected
CVE-1013-0003,some description of a vulnerability 3,exploitable
--schema lightweight
returns:
CVE-ID
CVE-1012-0001
CVE-1013-0002
CVE-1013-0003
The output can be a text file or a CSV (default) file.
usage: cdx-ev vex list [-h] [--schema {default,lightweight}] [--format {txt,csv}] [--output <file>] <input>
Positional Arguments
- <input>
Path to the SBOM file.
Named Arguments
- --schema
Possible choices: default, lightweight
Set schema of return list.
Default:
'default'
- --format
Possible choices: txt, csv
Set format of return file.
Default:
'csv'
- --output, -o
The path to where the output should be written. If this is a file, output is written there. If it’s a directory, output is written to a file with an auto-generated name inside that directory. If it’s not specified, output is written to stdout.
Example:
# Write all vulnerability-IDs (default schema, CSV format) to list_vex.json
cdxev vex list input_file.json --schema default --format csv --output list_vex.json
trim
This subcommand returns a JSON file containing only the vulnerabilities that match a filter. Vulnerabilities can be filtered by any key-value pair.
usage: cdx-ev vex trim [-h] [--key <key>] [--value <value>] [--output <file>] <input>
Positional Arguments
- <input>
Path to the SBOM file.
Named Arguments
- --key
Specifies the key by which the filtering should be done.
- --value
Specifies the value of the provided key that should be used for filtering.
- --output, -o
The path to where the output should be written. If this is a file, output is written there. If it’s a directory, output is written to a file with an auto-generated name inside that directory. If it’s not specified, output is written to stdout.
Example:
# Writes all vulnerabilities with state "not_affected" to a new file
cdxev vex trim input_file.json --key state --value not_affected --output not_affected_vex.json
search
This subcommand searches a file for a specific vulnerability based on its ID. The command returns a JSON file.
usage: cdx-ev vex search [-h] [--output <file>] <input> <vul_id>
Positional Arguments
- <input>
Path to the SBOM file.
- <vul_id>
The ID of the vulnerability to search for.
Named Arguments
- --output, -o
The path to where the output should be written. If this is a file, output is written there. If it’s a directory, output is written to a file with an auto-generated name inside that directory. If it’s not specified, output is written to stdout.
Example:
# Writes the vulnerability with the given ID to a new file
cdxev vex search input_file.json CVE-1013-0002 --output searched_vul.json
extract
This subcommand extracts all vulnerabilities from an SBOM file and returns them as a VEX file in JSON format.
usage: cdx-ev vex extract [-h] [--output <file>] <input>
Positional Arguments
- <input>
Path to the SBOM file.
Named Arguments
- --output, -o
The path to where the output should be written. If this is a file, output is written there. If it’s a directory, output is written to a file with an auto-generated name inside that directory. If it’s not specified, output is written to stdout.
Example:
# Writes all vulnerabilities from the SBOM to a new VEX file
cdxev vex extract input_file.json --output vex.json
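The following Python script is an added example, not code from the cdx-ev project: it models what the four subcommands (list, trim, search, extract) do on a constructed CycloneDX-style document so the input and output shapes can be seen offline. It assumes the document's top-level "vulnerabilities" array holds objects with "id", "description" and "analysis": {"state": ...}, that a filter key may be a dotted path such as "analysis.state" (a bare key like "state" falls back to the "analysis" object, mirroring the trim example above), and that a VEX file is the same document with the component inventory removed. The tab-separated layout chosen for txt output is also an assumption.

```python
"""Constructed model of the cdx-ev 'vex' subcommands (not the project's code)."""
import copy
import csv
import io
import json

# Constructed sample SBOM: one component plus three embedded vulnerabilities
# using the IDs shown in the documentation above.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [{"type": "library", "name": "example-lib", "version": "1.0.0"}],
    "vulnerabilities": [
        {"id": "CVE-1012-0001", "description": "some description of a vulnerability",
         "analysis": {"state": "exploitable"}},
        {"id": "CVE-1013-0002", "description": "some description of a vulnerability 2",
         "analysis": {"state": "not_affected"}},
        {"id": "CVE-1013-0003", "description": "some description of a vulnerability 3",
         "analysis": {"state": "exploitable"}},
    ],
}


def lookup(vuln, key):
    """Resolve `key` as a dotted path inside one vulnerability object.
    Assumption: a bare key missing at top level is also tried under "analysis",
    so "state" behaves like "analysis.state"."""
    def walk(obj, path):
        for part in path.split("."):
            if not isinstance(obj, dict) or part not in obj:
                return None
            obj = obj[part]
        return obj

    found = walk(vuln, key)
    if found is None and "." not in key:
        found = walk(vuln.get("analysis", {}), key)
    return found


def vex_list(sbom, schema="default", fmt="csv"):
    """'list': render vulnerability IDs as CSV (default) or tab-separated text."""
    vulns = sbom.get("vulnerabilities", [])
    if schema == "lightweight":
        header = ["CVE-ID"]
        rows = [[v.get("id", "")] for v in vulns]
    else:
        header = ["CVE-ID", "Description", "Status"]
        rows = [[v.get("id", ""), v.get("description", ""), lookup(v, "analysis.state") or ""]
                for v in vulns]
    if fmt == "txt":  # assumed layout: one row per line, tab-separated
        return "\n".join("\t".join(r) for r in [header] + rows) + "\n"
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows([header] + rows)
    return buf.getvalue()


def vex_trim(sbom, key, value):
    """'trim': keep only vulnerabilities whose `key` equals `value`; the input is not modified."""
    out = copy.deepcopy(sbom)
    out["vulnerabilities"] = [v for v in sbom.get("vulnerabilities", []) if lookup(v, key) == value]
    return out


def vex_search(sbom, vul_id):
    """'search': the document reduced to the single vulnerability with the given ID (empty if absent)."""
    return vex_trim(sbom, "id", vul_id)


def vex_extract(sbom):
    """'extract': copy the vulnerabilities into a standalone VEX document without the component list."""
    return {
        "bomFormat": sbom["bomFormat"],
        "specVersion": sbom["specVersion"],
        "version": sbom.get("version", 1),
        "vulnerabilities": copy.deepcopy(sbom.get("vulnerabilities", [])),
    }


if __name__ == "__main__":
    print(vex_list(SAMPLE_SBOM))
    print(vex_list(SAMPLE_SBOM, schema="lightweight"))
    print(json.dumps(vex_trim(SAMPLE_SBOM, "state", "not_affected"), indent=2))
    print(json.dumps(vex_search(SAMPLE_SBOM, "CVE-1013-0002"), indent=2))
    print(json.dumps(vex_extract(SAMPLE_SBOM), indent=2))
```

Running the script prints the default and lightweight CSV listings shown in the list section, then the trimmed, searched and extracted JSON documents; trim and search return an empty vulnerabilities array rather than failing when nothing matches, and none of the functions mutate the input document.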