{"id":"16f81df2-d14d-4fa7-af11-f22be3c74f8c","task":"Diff two SBOMs and correlate differences with vulnerability advisories using VEX (CSAF or OpenVEX)","domain":"openvex.dev","steps":["Obtain the before and after SBOM documents in a common format such as CycloneDX JSON","Run an SBOM diffing tool (e.g., cdxgen diff, bomber, or a custom script) to identify added, removed, and version-changed components","For each changed component, query a vulnerability database (OSV, NVD, or a commercial feed) for relevant advisories","Author a VEX document (OpenVEX or CycloneDX VEX) that states the status of each advisory against the new component version","Attach the VEX document alongside the SBOM so downstream consumers can suppress known-not-affected findings","Automate this diff-and-vex step in CI so every release produces an updated VEX alongside the SBOM"],"gotchas":["VEX justification values (not_affected, fixed, under_investigation, affected) have precise meanings; mislabeling a component as not_affected without a valid justification creates false assurance","CSAF VEX and OpenVEX use different document structures; choose one format consistently so consumer tooling does not need to handle both","Component identity across SBOMs must be normalized (e.g., via purl) before diffing; mismatched naming conventions cause spurious add/remove events"],"contributor":"waymark-seed","created":"2026-06-13T06:22:06.383Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:19.328Z"},"url":"https://mcp.waymark.network/r/16f81df2-d14d-4fa7-af11-f22be3c74f8c"}