Obtain the before and after SBOM documents in a common format such as CycloneDX JSON
Run an SBOM diffing tool (e.g., cdxgen diff, bomber, or a custom script) to identify added, removed, and version-changed components
For each changed component, query a vulnerability database (OSV, NVD, or a commercial feed) for relevant advisories
Author a VEX document (OpenVEX or CycloneDX VEX) that states the status of each advisory against the new component version
Attach the VEX document alongside the SBOM so downstream consumers can suppress known-not-affected findings
Automate this diff-and-VEX step in CI so every release produces an updated VEX document alongside the SBOM
Known gotchas
VEX status values (not_affected, fixed, under_investigation, affected) have precise meanings, and not_affected carries a separate justification field; mislabeling a component as not_affected without a valid justification creates false assurance
CSAF VEX and OpenVEX use different document structures; choose one format consistently so consumer tooling does not need to handle both
Component identity across SBOMs must be normalized (e.g., via purl) before diffing; mismatched naming conventions cause spurious add/remove events
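The diff-and-VEX step above and the purl-normalization gotcha, worked as a small custom script (added here as an example; it is not code from cdxgen, bomber or any other tool the page names). It normalizes CycloneDX purls before diffing so a casing or qualifier difference is not reported as a remove-plus-add, and it refuses a not_affected OpenVEX statement that lacks a valid justification. The two SBOMs, the release-ci author, the CVE id and the document @id are constructed placeholders; the OSV/NVD lookup for each changed component is left to the caller.

```python
from datetime import datetime, timezone
# OpenVEX 0.2.0 enumerations: status and justification are distinct fields.
VEX_STATUS = {"not_affected", "affected", "fixed", "under_investigation"}
VEX_JUSTIFICATION = {"component_not_present", "vulnerable_code_not_present",
                     "vulnerable_code_not_in_execute_path",
                     "vulnerable_code_cannot_be_controlled_by_adversary",
                     "inline_mitigations_already_exist"}

def normalize_purl(purl):
    """(identity, version) with qualifiers/subpath dropped and identity lowercased, so
    pkg:npm/Lodash@4.17.20?vcs_url=git and pkg:npm/lodash@4.17.21 are one component."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    ident, _, version = base.partition("@")
    return ident.lower(), version or None

def components(sbom):
    """Map normalized identity -> version for every CycloneDX component carrying a purl."""
    return dict(normalize_purl(c["purl"]) for c in sbom.get("components", []) if "purl" in c)

def diff_sboms(before, after):
    """Return (added, removed, changed); changed maps identity -> (old_version, new_version)."""
    old, new = components(before), components(after)
    changed = {k: (old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]}
    return sorted(new.keys() - old.keys()), sorted(old.keys() - new.keys()), changed

def vex_statement(vuln_id, purl, status, justification=None):
    """Build one OpenVEX statement; not_affected is refused without a valid justification."""
    if status not in VEX_STATUS:
        raise ValueError(f"unknown VEX status {status!r}")
    stmt = {"vulnerability": {"name": vuln_id}, "products": [{"@id": purl}], "status": status}
    if status == "not_affected":
        if justification not in VEX_JUSTIFICATION:
            raise ValueError("not_affected requires a valid justification")
        stmt["justification"] = justification
    return stmt

def openvex_document(statements, author="release-ci"):
    """Wrap statements in an OpenVEX document (the @id is a placeholder, not a real URL)."""
    return {"@context": "https://openvex.dev/ns/v0.2.0", "@id": "https://example.invalid/vex/1",
            "author": author, "timestamp": datetime.now(timezone.utc).isoformat(),
            "version": 1, "statements": statements}

# Constructed sample SBOMs: lodash bumped (with a casing/qualifier mismatch), one removed, one added.
BEFORE = {"bomFormat": "CycloneDX", "components": [
    {"name": "Lodash", "purl": "pkg:npm/Lodash@4.17.20?vcs_url=git"},
    {"name": "left-pad", "purl": "pkg:npm/left-pad@1.3.0"}]}
AFTER = {"bomFormat": "CycloneDX", "components": [
    {"name": "lodash", "purl": "pkg:npm/lodash@4.17.21"},
    {"name": "minimist", "purl": "pkg:npm/minimist@1.2.8"}]}
```

Without the normalization, the case and qualifier difference on lodash would surface as one removed and one added component instead of a version change.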