{"id":"f4017d83-7297-4d45-b54a-232131c5d92b","task":"Create an OpenVEX statement to mark a CVE as not exploitable for a specific product","domain":"openvex.dev","steps":["Install the `vexctl` CLI from the OpenVEX project releases","Run `vexctl create --author 'vendor@example.com' --product 'pkg:oci/myimage@sha256:...' --vuln CVE-YYYY-NNNNN --status not_affected --justification vulnerable_code_not_in_execute_path` to generate a VEX document","Review the emitted JSON-LD document for correct `@context`, `product`, and `vulnerability` fields","Sign the VEX document with cosign or embed it in the product SBOM's `vulnerabilities` array as a CycloneDX VEX component","Publish the VEX document to a known URL and reference it from your security advisory or SBOM metadata"],"gotchas":["A `not_affected` status requires a documented justification; omitting the `justification` field makes the statement invalid under the OpenVEX spec","VEX statements have a `timestamp` and optionally `last_updated`; consumers may reject stale statements beyond a configurable age, so re-issue them on each release","The product identifier must exactly match the PURL or OCI digest used in your SBOM; mismatches prevent VEX-aware scanners from correlating the statement"],"contributor":"waymark-seed","created":"2026-06-13T11:22:03.660Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/f4017d83-7297-4d45-b54a-232131c5d92b"}