1. Install the `vexctl` CLI from the OpenVEX project releases.
2. Run `vexctl create --author 'vendor@example.com' --product 'pkg:oci/myimage@sha256:...' --vuln CVE-YYYY-NNNNN --status not_affected --justification vulnerable_code_not_in_execute_path` to generate a VEX document.
3. Review the emitted JSON-LD document for correct `@context`, `product`, and `vulnerability` fields.
4. Sign the VEX document with cosign, or embed it in the product SBOM's `vulnerabilities` array as a CycloneDX VEX component.
5. Publish the VEX document to a known URL and reference it from your security advisory or SBOM metadata.
## Known gotchas

- A `not_affected` status requires a documented justification; omitting the `justification` field makes the statement invalid under the OpenVEX spec.
- VEX statements carry a `timestamp` and optionally a `last_updated`; consumers may reject statements older than a configurable age, so re-issue them on each release.
- The product identifier must exactly match the PURL or OCI digest used in your SBOM; a mismatch prevents VEX-aware scanners from correlating the statement with the component.
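The review step and all three gotchas above are mechanical checks, so they are worth automating before a document is signed or published. The script below is an added example, not code from the OpenVEX project or `vexctl`; it assumes the OpenVEX 0.2.0 document shape that `vexctl create` emits (`vulnerability` as `{"name": ...}`, `products` as `[{"@id": ...}]`), tolerates the older bare-string form, and uses a constructed placeholder image digest, the page's `CVE-YYYY-NNNNN` placeholder and an arbitrary 90-day maximum statement age. The SBOM side is reduced to the set of component PURLs you would extract from your own SBOM.

```python
"""Sanity-check an OpenVEX document against the gotchas above (added example).

Checks performed:
  * @context is an OpenVEX context
  * every not_affected statement carries a justification (or impact_statement)
  * statements are not older than max_age (last_updated, then timestamp, then document timestamp)
  * every product @id matches a PURL present in the SBOM exactly
"""
import json
from datetime import datetime, timedelta, timezone

OPENVEX_CONTEXT_PREFIX = "https://openvex.dev/ns"
# Justification values defined by the OpenVEX specification for not_affected.
NOT_AFFECTED_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}


def _ident(value, key):
    # OpenVEX 0.2.0 uses objects ({"@id": ...}, {"name": ...}); 0.1.0 used bare strings.
    if isinstance(value, dict):
        return value.get(key, "")
    return value or ""


def _parse_ts(ts):
    # Accept RFC 3339 with a trailing "Z", which older fromisoformat() rejects.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def validate_vex(doc, sbom_purls, now, max_age=timedelta(days=90)):
    """Return a list of problem strings; an empty list means the document passed."""
    problems = []
    if not str(doc.get("@context", "")).startswith(OPENVEX_CONTEXT_PREFIX):
        problems.append("missing or unexpected @context")
    doc_ts = doc.get("timestamp")
    if not doc_ts:
        problems.append("document has no timestamp")
    for i, st in enumerate(doc.get("statements", [])):
        vuln = _ident(st.get("vulnerability"), "name")
        if not vuln:
            problems.append(f"statement {i}: no vulnerability name")
        if st.get("status") == "not_affected":
            just = st.get("justification")
            if not just and not st.get("impact_statement"):
                problems.append(f"statement {i} ({vuln}): not_affected without justification")
            elif just and just not in NOT_AFFECTED_JUSTIFICATIONS:
                problems.append(f"statement {i} ({vuln}): unknown justification {just!r}")
        ts = st.get("last_updated") or st.get("timestamp") or doc_ts
        if ts and now - _parse_ts(ts) > max_age:
            problems.append(f"statement {i} ({vuln}): stale, last updated {ts}")
        for prod in st.get("products", []):
            pid = _ident(prod, "@id")
            if pid not in sbom_purls:  # exact match, as VEX-aware scanners require
                problems.append(f"statement {i} ({vuln}): product {pid!r} not in SBOM")
    return problems


def validate_vex_file(path, sbom_purls, now=None):
    """Load the JSON emitted by `vexctl create` and validate it."""
    with open(path, encoding="utf-8") as fh:
        return validate_vex(json.load(fh), sbom_purls, now or datetime.now(timezone.utc))


# --- constructed sample data (placeholders, not real artifacts) ---
IMAGE_PURL = "pkg:oci/myimage@sha256:" + "ab" * 32   # constructed placeholder digest
SAMPLE_SBOM_PURLS = {IMAGE_PURL}
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)

GOOD_DOC = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.com/vex/example-1",
    "author": "vendor@example.com",
    "timestamp": "2024-02-20T10:00:00Z",
    "version": 1,
    "statements": [{
        "vulnerability": {"name": "CVE-YYYY-NNNNN"},
        "products": [{"@id": IMAGE_PURL}],
        "status": "not_affected",
        "justification": "vulnerable_code_not_in_execute_path",
        "timestamp": "2024-02-20T10:00:00Z",
    }],
}

BAD_DOC = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "author": "vendor@example.com",
    "timestamp": "2023-06-01T10:00:00Z",
    "version": 1,
    "statements": [{
        "vulnerability": {"name": "CVE-YYYY-NNNNN"},
        "products": [{"@id": "pkg:oci/myimage@latest"}],  # tag, not the SBOM's digest
        "status": "not_affected",                          # no justification given
        "timestamp": "2023-06-01T10:00:00Z",               # about nine months old
    }],
}

if __name__ == "__main__":
    print("good:", validate_vex(GOOD_DOC, SAMPLE_SBOM_PURLS, NOW))
    print("bad:", *validate_vex(BAD_DOC, SAMPLE_SBOM_PURLS, NOW), sep="\n  ")
```

Run `validate_vex_file("vex.json", purls)` in CI after `vexctl create`, with `purls` built from your SBOM's component `purl` values, and fail the pipeline on a non-empty result. The freshness check deliberately prefers `last_updated` over `timestamp`, matching how a consumer would judge staleness.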