{ "version": "1.0.0", "generated_at": "2025-12-04T00:00:00Z", "entries": [ { "id": "VEX1.vulnerable_code_not_present", "title": "Vulnerable code removed or not shipped", "description": "Binary artifacts do not contain the vulnerable code paths; validated via reachability graph and reproducible build metadata.", "applicability": [ "not_affected" ], "required_evidence": [ "graph_hash", "entrypoint_coverage>=95", "negative_tests", "config_hash" ], "expiry_days": 90, "reevaluate_on": [ "sbom_change", "graph_change", "runtime_change" ], "rbac": [ "vex-author", "policy-admin" ], "policy_links": [ "docs/policy/dsl.md#requirevex" ], "uncertainty_gate": "U1-low" }, { "id": "VEX2.component_not_present", "title": "Component not present in runtime image", "description": "SBOM and runtime inventory confirm the vulnerable component is absent from the shipped artifact.", "applicability": [ "not_affected" ], "required_evidence": [ "sbom_digest", "runtime_inventory", "config_hash" ], "expiry_days": 60, "reevaluate_on": [ "sbom_change", "runtime_change" ], "rbac": [ "vex-author" ], "policy_links": [ "docs/modules/excititor/architecture.md#normalization" ], "uncertainty_gate": "U1-low" }, { "id": "VEX3.config_not_vulnerable", "title": "Configuration disables vulnerable feature", "description": "Configuration and feature flags disable the vulnerable execution path; enforced by config/flag hashing and negative tests.", "applicability": [ "not_affected" ], "required_evidence": [ "config_hash", "flags_hash", "negative_tests" ], "expiry_days": 45, "reevaluate_on": [ "config_change", "flags_change", "runtime_change" ], "rbac": [ "vex-author", "release-manager" ], "policy_links": [ "docs/benchmarks/vex-evidence-playbook.md" ], "uncertainty_gate": "U2-medium" }, { "id": "VEX4.vulnerable_code_not_in_execute_path", "title": "Code not reachable from declared entrypoints", "description": "Reachability analysis shows no call paths from declared entrypoints to vulnerable functions; runtime probes corroborate.", "applicability": [ "not_affected" ], "required_evidence": [ "graph_hash", "entrypoint_coverage>=95", "runtime_traces" ], "expiry_days": 45, "reevaluate_on": [ "graph_change", "runtime_change" ], "rbac": [ "vex-author", "signals-operator" ], "policy_links": [ "docs/reachability/function-level-evidence.md" ], "uncertainty_gate": "U1-low" }, { "id": "VEX5.mitigated_by_runtime_guard", "title": "Runtime guard blocks exploitation", "description": "Exploit is prevented by runtime guardrails (WAF/sandbox/feature flag) proven via negative test and telemetry.", "applicability": [ "not_affected", "affected" ], "required_evidence": [ "runtime_traces", "negative_tests", "guard_policy" ], "expiry_days": 30, "reevaluate_on": [ "runtime_change", "policy_change" ], "rbac": [ "vex-author", "security-ops" ], "policy_links": [ "docs/uncertainty/README.md" ], "uncertainty_gate": "U2-medium" }, { "id": "VEX6.compensating_control_documented", "title": "Compensating control accepted", "description": "A documented compensating control reduces exploitability; requires approval evidence and expiry.", "applicability": [ "affected", "under_investigation" ], "required_evidence": [ "control_record", "rbac_approval", "expiry" ], "expiry_days": 30, "reevaluate_on": [ "policy_change", "expiry" ], "rbac": [ "policy-admin", "risk-owner" ], "policy_links": [ "docs/migration/exception-governance.md" ], "uncertainty_gate": "U3-high" }, { "id": "VEX7.update_available", "title": "Update available and staged", "description": "Fix is available and staged for rollout; VEX documents status and planned activation window.", "applicability": [ "affected", "fixed" ], "required_evidence": [ "fixed_version", "staging_hash", "rollout_window" ], "expiry_days": 15, "reevaluate_on": [ "rollout_change" ], "rbac": [ "release-manager" ], "policy_links": [ "docs/ui/advisories-and-vex.md" ], "uncertainty_gate": "U2-medium" }, { "id": "VEX8.analysis_ongoing", "title": "Analysis ongoing with SLA", "description": "Investigation underway with defined SLA and evidence collection plan.", "applicability": [ "under_investigation" ], "required_evidence": [ "investigation_plan", "sla_date", "owner" ], "expiry_days": 7, "reevaluate_on": [ "sla_date" ], "rbac": [ "vex-author" ], "policy_links": [ "docs/modules/excititor/architecture.md#normalization" ], "uncertainty_gate": "U3-high" }, { "id": "VEX9.eol_not_applicable", "title": "Product out of scope / EOL", "description": "Asset is out of scope or end-of-life and isolated; policy enforces quarantine rather than blanket ignore.", "applicability": [ "not_affected" ], "required_evidence": [ "asset_scope", "quarantine_policy", "rbac_approval" ], "expiry_days": 30, "reevaluate_on": [ "asset_change" ], "rbac": [ "policy-admin" ], "policy_links": [ "docs/observability/policy.md" ], "uncertainty_gate": "U2-medium" }, { "id": "VEX10.false_positive_proven", "title": "Scanner false positive disproven", "description": "Deterministic reproduction shows the vulnerability is not actually present; includes counter-evidence and replay seed.", "applicability": [ "not_affected" ], "required_evidence": [ "replay_manifest", "negative_tests", "sbom_digest" ], "expiry_days": 45, "reevaluate_on": [ "scanner_update", "sbom_change" ], "rbac": [ "vex-author", "qa" ], "policy_links": [ "docs/replay/DETERMINISTIC_REPLAY.md" ], "uncertainty_gate": "U1-low" } ] }