VEX and Security Advisory Management
Automate VEX statements and publish CSAF advisories. CRA Evidence generates VEX automatically from your vulnerability management workflow.
VEX statuses
| Status | Meaning |
|---|---|
| Not Affected | Vulnerability does not impact your product (requires justification) |
| Affected | Vulnerability impacts your product |
| Fixed | Patched version available |
| Under Investigation | Still analysing impact |
Justifications (for Not Affected)
| Justification | When to use |
|---|---|
| Component not present | Vulnerable component is not in your product |
| Vulnerable code not present | Specific vulnerable code path does not exist in your build |
| Vulnerable code not in execute path | Code exists but is never executed |
| Cannot be controlled by adversary | Code cannot be triggered by an attacker |
| Inline mitigations exist | Product has defences that prevent exploitation |
Creating VEX statements
Manual
Create from:
- Vulnerability detail page > Create VEX Statement
- Version detail page > VEX tab
- CSAF advisory > add statements per product
Select status, justification (if not affected), statement text, and action statement (what customers should do).
Automated
CRA Evidence creates VEX statements automatically from 7 sources:
| Source | Trigger | Resulting VEX |
|---|---|---|
| Triage Dismissal | Dismiss a CVE from triage with any reason. The modal shows checkboxes for affected versions. | Draft: false_positive/not_applicable become not_affected (auto-justified), accepted_risk becomes affected, "VEX: Not affected" lets you choose justification. Deferred dismissals skip VEX. |
| Suppression | Create a suppressed finding | Draft: maps suppression reason to VEX status (e.g. false_positive becomes not_affected) |
| Remediation | Component remediation reaches a terminal state | Draft: fixed (if remediated), affected (if accepted risk), not_affected (if false positive) |
| Reachability Analysis | Static analysis determines code reachability | Draft: not_affected if unreachable, affected if reachable (flagged for human review) |
| SBOM Inline | Uploaded SBOM contains a vulnerabilities[] section with VEX data | Draft: as specified in the SBOM |
| Kernel Config Filter | Kernel .config compilation analysis determines vulnerable code is not compiled in | Draft: not_affected (vulnerable code not present) |
| Version Inheritance | Copy VEX statements from one version to another | Draft: matches source statement, with freshness validation (verified if same component version, unverified if different) |
All automated statements start as drafts unless auto-publish is enabled.
Deduplication: CRA Evidence prevents duplicate VEX for the same CVE + version + component combination. If a draft or published statement already exists, a new one is not created.
Publication workflow
Draft -> Published
| |
| +-> Deprecated (superseded by newer statement)
+-> Revoked (withdrawn)
Auto-publish
Two organisation settings control automatic publication:
| Setting | Options | Controls |
|---|---|---|
| VEX auto-publish | On / Off | Whether automated VEX drafts are published automatically |
| Auto-publish threshold | None / High only / Medium and above / All | Minimum confidence level for auto-publishing reachability-based VEX |
Exception: "Affected" statements are never auto-published. They always require human review to add an action statement (what customers should do).
Manual publish with review
| Setting | Purpose |
|---|---|
| Minimum publish role | Only users with this role or above can publish |
| Four-eyes check | Optional: publisher must be a different user than the creator |
Deprecation
When a VEX status changes (e.g. a fix ships for a previously "not affected" component), CRA Evidence:
- Deprecates the old published statement
- Creates a new draft with the updated status
- Links the old statement to the new one (superseded-by chain)
This maintains a full audit trail.
VEX Review tab
Part of the Security Events Hub. Shows all VEX statements pending review.
Draft view: statements awaiting publication with checkboxes for bulk publish. Published/Revoked/Deprecated view: read-only historical view with export option.
Filter by: status, source (manual vs automated), product, version.
Export
CRA Evidence exports VEX in CycloneDX 1.6 format per BSI TR-03183 Part 2.
Export options:
- Per-version export from the version detail page
- Bulk export from the VEX Review tab
- Included automatically in technical file exports
Published statements are exported by default. Optionally include drafts or revocations.
CSAF advisories
Create an advisory
- Navigate to CSAF from the main menu
- Click Create Advisory
- Fill in: title, CVE ID, severity, affected products, description, impact, remediation
Advisory statuses
| Status | When to use |
|---|---|
| Draft | Work in progress |
| Interim | Published but still gathering information |
| Final | Complete advisory |
Import and export
Import: Upload a CSAF 2.0 JSON file via CSAF > Import. CRA Evidence validates and creates the advisory.
Export: Open an advisory > Download JSON. Includes all embedded VEX statements. Also included in technical file exports.
Version comparison
When you update an advisory, CRA Evidence tracks changes. Open an advisory > Compare to see differences between versions.
Organisation settings
| Setting | Where | Purpose |
|---|---|---|
| VEX auto-publish | Settings > Organisation | Auto-publish automated VEX drafts |
| Auto-publish threshold | Settings > Organisation | Confidence level for reachability-based auto-publish |
| Minimum publish role | Settings > Organisation | Role required to publish VEX statements |
| Four-eyes check | Settings > Organisation | Require different user to publish vs create |
Best practices
| Practice | Why |
|---|---|
| Always provide justifications for Not Affected | "Component not present" is far more useful than unexplained "not affected" |
| Enable auto-publish for high-confidence sources | Reduces manual review burden for kernel config and high-confidence reachability |
| Review reachability "affected" results promptly | These need human action statements before publication |
| Use version inheritance when releasing updates | Carries forward VEX from prior versions, flagging unverified ones for review |
| Keep VEX current when remediations ship | Update "affected" to "fixed" when patches are available |
Related documentation
- Vulnerability Workflow - Detection, triage, and remediation
- Incident Reporting - Security incidents and ENISA Track B
- Supplier Portal - Customer-facing advisory access
- Technical File Export - Compliance bundles
Help us improve. What was missing or unclear?