The VEX Tooling Project is an Alpha-Omega Fund initiative providing open-source tooling for analyzing the impact of vulnerabilities in third-party dependencies and generating VEX (Vulnerability Exploitability eXchange) documents.
These tools support the entire lifecycle of VEX document creation, from the disclosure of a vulnerability in a dependency to the automated generation of accurate VEX statements. The goal is to help organizations determine which vulnerabilities are truly exploitable in their software and communicate that information clearly and efficiently.
- Root Cause Service: Analyzes publicly available data to determine which method or function introduces a vulnerability in a third-party dependency.
- Java CallGraph generator: Generates precomputed call graphs for Java dependencies to accelerate analysis of which vulnerable methods are actually invoked by an application.
- Metadata database: Provides a sample metadata dataset containing precomputed CVE root causes and call graphs for dependencies used by Apache Solr.
- VEX statement generator: Automatically generates VEX documents based on results from the root cause and call graph analyses, enabling high-quality, machine-readable vulnerability reports.
- GitHub Actions integration: Provides prebuilt GitHub Actions to easily integrate VEX document generation into existing CI/CD pipelines, supporting automated vulnerability analysis and reporting.
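The following is an added example, not code from the VEX Tooling Project, showing how the root-cause and call-graph results feed the VEX step: a reachability check from the application's entry points to the vulnerable method decides between `affected` and `not_affected` (with the OpenVEX justification `vulnerable_code_not_in_execute_path`). The call graph, method names, product identifier and CVE id are constructed placeholders.

```python
"""Added example (not the VEX Tooling Project's own code): derive a VEX status
from a root-cause method plus a precomputed call graph, then emit one
OpenVEX-style statement. All identifiers below are constructed placeholders."""
import json
from collections import deque

# Constructed call graph: caller -> callees, keyed by fully-qualified method name.
CALL_GRAPH = {
    "app.Main.main": ["app.Service.handle", "lib.Util.safeParse"],
    "app.Service.handle": ["lib.Util.safeParse"],
    "lib.Util.safeParse": ["lib.Util.trim"],
    "lib.Util.trim": [],
    # Root cause of the hypothetical CVE; nothing in the app calls it.
    "lib.Parser.parseUntrusted": ["lib.Util.trim"],
}

def reachable(graph, entry_points):
    """Breadth-first walk from the application's entry points.
    Returns the set of every method reachable from them."""
    seen, queue = set(entry_points), deque(entry_points)
    while queue:
        method = queue.popleft()
        for callee in graph.get(method, []):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen

def vex_status(graph, entry_points, root_cause_methods):
    """'affected' if any root-cause method is on an execution path from an
    entry point; otherwise 'not_affected' with the matching justification."""
    if reachable(graph, entry_points) & set(root_cause_methods):
        return "affected", None
    return "not_affected", "vulnerable_code_not_in_execute_path"

def build_vex_statement(vuln_id, product, graph, entry_points, root_cause_methods):
    """Assemble a single OpenVEX-style statement (subset of fields) as a dict."""
    status, justification = vex_status(graph, entry_points, root_cause_methods)
    stmt = {"vulnerability": {"name": vuln_id},
            "products": [{"@id": product}],
            "status": status}
    if justification:  # OpenVEX requires a justification only for not_affected
        stmt["justification"] = justification
    return stmt

if __name__ == "__main__":
    # CVE-0000-00000 and the purl are placeholders, not real identifiers.
    stmt = build_vex_statement("CVE-0000-00000", "pkg:maven/example/app@1.0",
                               CALL_GRAPH, ["app.Main.main"],
                               ["lib.Parser.parseUntrusted"])
    print(json.dumps(stmt, indent=2))
```

Changing the root cause to a method the app does call (for example `lib.Util.trim`) flips the statement to `affected` with no justification field, which is the case a CI job should treat as actionable.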