Appendices

Appendices

Reference reading on SBOMs, VEX, SSVC, SARIF, reachability tiers, supply-chain threats, EOL, and per-language package-manager mechanics.

Reference reading on the formats, frameworks, and mechanics the scanner and rules guides assume. Start here if any concept lands cold, or come back as reference when a scanner guide mentions a field the output doesn’t explain.

Cross-cutting reference

  • AI Coding Agent — the Vulnetix plugin for Claude Code, Cursor, Windsurf, Copilot, Gemini, and a dozen other editors. Removes the burden of picking VEX formats, remediation strategies, and SSVC inputs by hand.
  • Glossary — A–Z lookup for PURL, SBOM, VEX, KEV, EPSS, SSVC, CWE, CWSS, SARIF, MAL-, EOL, safe-harbour, reachability tiers. Land here when a term lands cold.
  • SARIF — the SAST output format — the JSON shape every SAST tool emits, with the dialect differences that catch you out.
  • Reachability — the three-tier model — stated booleans vs real call-graph evaluation vs semantic intent-to-use. Where each scanner sits on the spectrum, and what evidence supports which VEX justification.
  • Supply-chain threats beyond CVEs — typosquatting, dependency confusion, maintainer takeover, protestware, install-script abuse. The OpenVEX shape for a MAL- record.
  • EOL gating — when a CVE means migrate, not patch. Per-runtime / per-package / per-container-base-image EOL data sources.

Formats

  • CycloneDX SBOM — the component inventory every triage workflow on this site assumes you have.
  • VEX overview — what a VEX statement is and which of the two formats below to pick.
  • CycloneDX VEX — SBOM-coupled VEX entries.
  • OpenVEX — standalone VEX statements (consumed natively by Grype’s --vex).

Frameworks

  • SSVC Engineer Triage — the developer-side decision framework: four inputs (Reachability, Remediation, Mitigation, Priority) → four outcomes (NIGHTLY_AUTO_PATCH, BACKLOG, SPIKE_EFFORT, DROP_TOOLS).

Per-language patching mechanics

  • Package managers — lockfile mechanics, transitive coercion, integrity verification, reachability tooling for each ecosystem (JavaScript, Python, JVM, Go, Rust, Ruby, .NET, PHP, Swift/iOS, and others).
Glossary
A–Z reference for the jargon that lands cold on a first-time reader — PURL, SBOM, VEX, KEV, EPSS, SSVC, CWE, CWSS, SARIF, MAL-, EOL, safe-harbour, reachability tiers.
AI Coding Agent — triage, remediation, VEX
The Vulnetix plugin for Claude Code, Cursor, Windsurf, Copilot, Gemini, and a dozen other editors. Removes the burden of picking VEX formats, remediation strategies, and SSVC inputs by hand.
CycloneDX SBOM
A machine-readable inventory of what your build actually contains — and the foundation everything else here rests on.
SSVC — Engineer Triage for developers
The decision framework that turns a scanner finding into one of four actions — NIGHTLY_AUTO_PATCH, BACKLOG, SPIKE_EFFORT, or DROP_TOOLS.
VEX — overview
What VEX is, why it exists, which of the two formats to pick, and why writing one is worth your time.
Reachability — the three-tier model
Stated booleans vs real call-graph evaluation vs semantic intent-to-use. The model the SSVC Reachability input is graded against, and where each scanner sits on it.
CycloneDX VEX
VEX as part of CycloneDX — travels with the SBOM, points to components by PURL.
SARIF — the SAST output format
Static Analysis Results Interchange Format. The JSON shape every SAST tool emits, with the dialect differences that catch you out.
EOL gating — when a CVE means migrate, not patch
End-of-life detection for runtimes, packages, and container base images. The SSVC mapping when no upstream fix will ever exist.
Supply-chain threats beyond CVEs
Typosquatting, dependency confusion, namespace squatting, maintainer takeover, protestware, install-script abuse. CVE-shaped triage doesn't fit any of them; OpenVEX against a MAL- record does.
OpenVEX
Standalone, lightweight VEX — for findings that don't map to an SBOM component.
Package managers — patching reference
Lockfile mechanics, transitive coercion, integrity verification, and gotchas — per ecosystem.