Safeguard Documentation Center

CSAF/VEX Upload

Upload CSAF and VEX files for vulnerability analysis

Upload Common Security Advisory Framework (CSAF) and Vulnerability Exploitability eXchange (VEX) documents to Safeguard for vulnerability analysis and management.

What are CSAF and VEX?

CSAF (Common Security Advisory Framework)

CSAF is a standardized format for security advisories. It provides machine-readable vulnerability information that can be automatically processed.

VEX (Vulnerability Exploitability eXchange)

VEX documents communicate the exploitability status of vulnerabilities in a product. They help determine whether a known vulnerability actually affects your specific software.

Supported Formats

Format            Extension   Specification
CSAF 2.0          .json       OASIS Standard
VEX (CycloneDX)   .json       CycloneDX VEX
VEX (OpenVEX)     .json       OpenVEX
VEX (CSAF)        .json       CSAF VEX profile

Upload Workflow

Step 1: Navigate to Integrations

Go to Integrations from the sidebar and filter by Upload.

Step 2: Select CSAF/VEX Upload

Click Connect on the Upload CSAF/VEX card.

Step 3: Upload File

  1. Enter a Name for this upload
  2. Optionally add a Description
  3. Drag and drop your CSAF or VEX file, or click Browse to select
  4. The file will be validated automatically

Step 4: Configure Project

  1. Set the Project Name
  2. Set the Version
  3. Click Upload to complete

Use Cases

Importing Security Advisories

Upload CSAF files from vendors to track vulnerabilities that affect your software:

  • Software vendor security bulletins
  • CVE advisories in CSAF format
  • Internal security assessments

Managing Vulnerability Status

Upload VEX documents to:

  • Mark vulnerabilities as "not affected" for your products
  • Document mitigation status
  • Track exploitability assessments
  • Reduce false positives in vulnerability reports

Example CSAF Document

{
  "document": {
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "title": "Example Security Advisory",
    "publisher": {
      "category": "vendor",
      "name": "Example Corp"
    },
    "tracking": {
      "id": "EXAMPLE-2024-001",
      "status": "final",
      "version": "1.0.0",
      "current_release_date": "2024-01-15T00:00:00Z"
    }
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-12345",
      "product_status": {
        "known_not_affected": ["PRODUCT-1.0"]
      }
    }
  ]
}

Example VEX Document (OpenVEX)

{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.com/vex/2024/001",
  "author": "Example Corp",
  "timestamp": "2024-01-15T00:00:00Z",
  "version": 1,
  "statements": [
    {
      "vulnerability": {
        "name": "CVE-2024-12345"
      },
      "products": [
        {
          "@id": "pkg:npm/example-package@1.0.0"
        }
      ],
      "status": "not_affected",
      "justification": "vulnerable_code_not_present"
    }
  ]
}

Troubleshooting

"Invalid file format"

  • Ensure the file is valid JSON
  • Verify the file follows the CSAF 2.0 schema or a supported VEX schema
  • Check for syntax errors in the JSON

"Schema validation failed"

  • The document structure may not match the expected schema
  • Verify required fields are present
  • Check the CSAF or VEX specification for requirements

"Unsupported VEX format"

  • Safeguard supports CycloneDX VEX, OpenVEX, and CSAF VEX profiles
  • Convert your VEX document to a supported format
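The three troubleshooting errors above can be caught before an upload with a local pre-check. The script below is an added example, not Safeguard's own validator: it detects which supported format a file uses, reports invalid JSON, a missing required-field subset for CSAF 2.0 (the list is an assumption, not the full schema), and OpenVEX not_affected statements that lack the justification the specification requires, then summarises each product's vulnerability status. CycloneDX VEX is detected but not inspected further.

```python
import json
from functools import reduce

# Added example, not Safeguard's own validator; CSAF_REQUIRED is a minimal subset (an assumption).
CSAF_REQUIRED = ("document.category", "document.title", "document.publisher.name",
                 "document.tracking.id", "document.tracking.status", "document.tracking.version")

def detect_format(doc):
    """Return 'csaf', 'openvex', 'cyclonedx' or None for a parsed JSON object."""
    if isinstance(doc.get("document"), dict) and doc["document"].get("csaf_version") == "2.0":
        return "csaf"
    if str(doc.get("@context", "")).startswith("https://openvex.dev/ns"):
        return "openvex"
    if doc.get("bomFormat") == "CycloneDX" and "vulnerabilities" in doc:
        return "cyclonedx"
    return None

def _has(doc, path):  # True if the dotted path resolves to a value inside nested dicts
    return reduce(lambda c, k: c.get(k) if isinstance(c, dict) else None,
                  path.split("."), doc) is not None

def check_document(text):
    """Parse raw JSON; return its format, the problems found, and (vuln, product) -> status."""
    try:
        doc = json.loads(text)
    except ValueError as exc:
        return {"format": None, "errors": [f"invalid JSON: {exc}"], "statuses": {}}
    if not isinstance(doc, dict):
        return {"format": None, "errors": ["top level must be a JSON object"], "statuses": {}}
    fmt, errors, statuses = detect_format(doc), [], {}
    if fmt == "csaf":
        errors += [f"missing required field: {p}" for p in CSAF_REQUIRED if not _has(doc, p)]
        statuses.update({(v.get("cve"), pid): state for v in doc.get("vulnerabilities", [])
                         for state, ids in v.get("product_status", {}).items() for pid in ids})
    elif fmt == "openvex":
        for s in doc.get("statements", []):
            name, status = s.get("vulnerability", {}).get("name"), s.get("status")
            if not name or not status:
                errors.append("statement needs vulnerability.name and status")
            elif status == "not_affected" and not (s.get("justification") or s.get("impact_statement")):
                errors.append(f"{name}: not_affected needs a justification or impact_statement")
            statuses.update({(name, p.get("@id")): status for p in s.get("products", [])})
    elif fmt is None:
        errors.append("unsupported format: expected CSAF 2.0, OpenVEX or CycloneDX VEX")
    return {"format": fmt, "errors": errors, "statuses": statuses}

# Constructed sample: an OpenVEX statement that omits the justification required for not_affected.
SAMPLE_OPENVEX = json.dumps({"@context": "https://openvex.dev/ns/v0.2.0", "@id": "https://example.com/vex/1",
    "author": "Example Corp", "timestamp": "2024-01-15T00:00:00Z", "version": 1, "statements": [{"vulnerability":
    {"name": "CVE-2024-12345"}, "status": "not_affected", "products": [{"@id": "pkg:npm/example-package@1.0.0"}]}]})
```

Run check_document(open(path).read()) on a file before uploading it; an empty errors list means the structural checks pass, not that the document is fully schema-valid.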
