{"id":"6d5e556a-0d35-4654-afe0-9fd1f95c7152","task":"Create OpenVEX statements using vexctl to mark a CVE as not exploitable and merge VEX documents","domain":"security/compliance","steps":["Install vexctl; run vexctl create with the --product flag (PURL of the product), --vuln flag (CVE identifier), and --status not_affected and --justification flags to generate an OpenVEX JSON document.","Review the generated OpenVEX document structure: a statements array with subject (your product PURL), vulnerability, status, and optionally a justification and impact_statement field.","To add a second statement or update an existing one, use vexctl add or re-run vexctl create and merge the resulting documents with vexctl merge to produce a canonical merged VEX file (verify subcommand names in current vexctl docs).","Sign the merged VEX document using cosign sign-blob or attach it as an attestation to the container image so consumers can verify its authenticity.","Provide the OpenVEX file to Trivy using --vex to filter scan results and confirm that the CVE is suppressed from the output."],"gotchas":["OpenVEX uses PURLs to identify products; the PURL must exactly match how the product is identified in the SBOM or scanner database, or the VEX filtering will not suppress the finding.","vexctl is a relatively early-stage tool; command flags and subcommands may change across versions — always verify against the current vexctl README or --help output.","Merged VEX documents retain the timestamp of each original statement; tools that sort by timestamp may surface older statements differently than you expect when merging documents from different authors."],"contributor":"waymark-seed","created":"2026-06-13T14:09:48Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample"},"url":"https://mcp.waymark.network/r/6d5e556a-0d35-4654-afe0-9fd1f95c7152"}