Due Diligence & Software

VEX

Vulnerability Exploitability eXchange

A companion document to an SBOM that states whether a known vulnerability in a listed component is actually exploitable in the specific product that ships it. Not every CVE in a dependency matters: if the product never executes the affected code, or the affected code cannot be reached with attacker-controlled input, the vulnerability is not exploitable there. VEX reduces alert fatigue by letting a vendor say "yes, we bundle log4j, but we do not use the vulnerable JNDI lookup feature" in a machine-readable format (OpenVEX, the CycloneDX VEX extension, or a CSAF VEX profile). Each statement gives a vulnerability/product pair one of four statuses (not_affected, affected, fixed, under_investigation), and a not_affected claim is expected to carry a justification such as vulnerable_code_not_in_execute_path. The caveat for consumers: a VEX statement is the issuer's assertion, not proof, so check who issued it and which exact product version it names before letting it silence a scanner finding.
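As an added example that is not part of the original page, the script below applies a VEX document to a set of SBOM scanner findings: it suppresses a finding only when a well-formed not_affected or fixed statement names the exact product, and keeps everything else (affected, under_investigation, unknown status, a not_affected claim with no justification, or a statement for a different product version) in the triage queue. The findings, the package URLs, the product identifier and the VEX document itself are constructed for illustration; the document follows the OpenVEX field names (vulnerability, products, status, justification), which are assumed rather than taken from the page.

```python
"""Apply VEX statements to SBOM scanner findings.

Added example, not code from the original page. The VEX document below is
constructed in the OpenVEX style; field names, package URLs and the product
identifier are assumptions made for this illustration.
"""
import json

# Status values defined by CISA's VEX minimum requirements.
VEX_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}

# Justifications a not_affected statement may carry.
NOT_AFFECTED_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}

# Constructed scanner output for a product that bundles log4j-core 2.14.1
# and spring-beans 5.3.17 (purls assumed).
PRODUCT = "pkg:generic/acme/reporting-service@3.2.0"
FINDINGS = [
    {"vuln": "CVE-2021-44228",
     "component": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"vuln": "CVE-2021-45046",
     "component": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"vuln": "CVE-2022-22965",
     "component": "pkg:maven/org.springframework/spring-beans@5.3.17"},
]

# Constructed VEX document, as the vendor of PRODUCT might publish it.
# The third statement names an older product version on purpose: it must
# not suppress the finding for 3.2.0.
VEX_DOCUMENT = json.loads("""{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://acme.example/vex/reporting-service-2024-01",
  "author": "Acme Product Security",
  "timestamp": "2024-01-15T10:00:00Z",
  "version": 1,
  "statements": [
    {
      "vulnerability": {"name": "CVE-2021-44228"},
      "products": [{"@id": "pkg:generic/acme/reporting-service@3.2.0"}],
      "status": "not_affected",
      "justification": "vulnerable_code_not_in_execute_path",
      "impact_statement": "log4j-core is bundled but JNDI lookups are disabled and no message lookups are performed."
    },
    {
      "vulnerability": {"name": "CVE-2021-45046"},
      "products": [{"@id": "pkg:generic/acme/reporting-service@3.2.0"}],
      "status": "under_investigation"
    },
    {
      "vulnerability": {"name": "CVE-2022-22965"},
      "products": [{"@id": "pkg:generic/acme/reporting-service@3.1.0"}],
      "status": "not_affected",
      "justification": "vulnerable_code_not_present"
    }
  ]
}""")


def index_statements(vex_doc):
    """Map (vulnerability name, product id) -> statement; later entries win."""
    index = {}
    for st in vex_doc["statements"]:
        vuln = st["vulnerability"]["name"]
        for product in st["products"]:
            index[(vuln, product["@id"])] = st
    return index


def statement_suppresses(statement):
    """True only for a fixed statement or a not_affected one with a known justification.

    Anything else (affected, under_investigation, an unrecognised status, or a
    not_affected claim with no justification) leaves the finding open.
    """
    status = statement.get("status")
    if status not in VEX_STATUSES:
        return False
    if status == "fixed":
        return True
    if status == "not_affected":
        return statement.get("justification") in NOT_AFFECTED_JUSTIFICATIONS
    return False


def apply_vex(findings, vex_doc, product):
    """Split findings into (still_open, suppressed) using statements for this exact product."""
    index = index_statements(vex_doc)
    still_open, suppressed = [], []
    for finding in findings:
        st = index.get((finding["vuln"], product))
        if st is not None and statement_suppresses(st):
            suppressed.append({**finding, "status": st["status"],
                               "justification": st.get("justification")})
        else:
            still_open.append(finding)
    return still_open, suppressed


if __name__ == "__main__":
    open_findings, closed = apply_vex(FINDINGS, VEX_DOCUMENT, PRODUCT)
    for f in open_findings:
        print("OPEN      ", f["vuln"], f["component"])
    for f in closed:
        print("SUPPRESSED", f["vuln"], f["status"], f["justification"])
```

Run as-is, it closes CVE-2021-44228 on the strength of the justified not_affected statement and keeps the other two open: one because the vendor is still investigating, the other because the statement names version 3.1.0 and the scanned product is 3.2.0. Matching on the exact product identifier is deliberate; a VEX statement for a neighbouring version tells you nothing about the build in front of you.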