VEX Consensus JSON (Payload Reference)
This document describes the shape of consensus records returned by consensus APIs and exported in Offline Kit snapshots. Field names and structure may vary slightly by gateway serialization, but the semantic contract is stable.
Consensus Record (Conceptual)
{
  "artifact": "pkg:rpm/redhat/openssl@3.0.9",
  "advisory": "CVE-2025-13579",
  "status": "not_affected",
  "confidence": 0.92,
  "issued_at": "2025-08-30T12:05:00Z",
  "consensus_digest": "sha256:…",
  "derived_from": [
    {
      "source_digest": "sha256:…",
      "issuer": "vendor:redhat",
      "status": "not_affected",
      "timestamp": "2025-08-30T12:00:00Z",
      "trust": { "tier": "vendor", "weight": 1.0 },
      "verification": { "signature": "verified" }
    }
  ],
  "conflicts": [
    {
      "source_digest": "sha256:…",
      "issuer": "vendor:upstream",
      "status": "affected",
      "timestamp": "2025-08-29T00:00:00Z",
      "trust": { "tier": "vendor", "weight": 0.8 }
    }
  ]
}
Determinism Rules
- Timestamps are UTC ISO-8601.
- Arrays (derived_from, conflicts) are in a stable order (typically the evaluation sort order).
- consensus_digest is computed over canonical, deterministic JSON bytes for the record (or over an equivalent canonical projection).
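A consumer-side check of the determinism rules above, as an added example (not the project's own code). The canonical form used here is an assumption, since this page does not define it: UTF-8 JSON with sorted keys and no insignificant whitespace, hashed with the consensus_digest field itself excluded. The function names and the sample record's source digests are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime

# Assumption: canonical bytes = sorted-key compact UTF-8 JSON, minus consensus_digest.
def canonical_bytes(record: dict) -> bytes:
    body = {k: v for k, v in record.items() if k != "consensus_digest"}
    return json.dumps(body, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def compute_digest(record: dict) -> str:
    return "sha256:" + hashlib.sha256(canonical_bytes(record)).hexdigest()

def is_utc_iso8601(value) -> bool:
    """Accept only ISO-8601 strings that carry an explicit UTC designator."""
    if not isinstance(value, str) or not value.endswith(("Z", "+00:00")):
        return False
    try:
        datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return False
    return True

def check_record(record: dict) -> list:
    """Return the determinism-rule violations found (empty list means clean)."""
    problems = []
    if not is_utc_iso8601(record.get("issued_at")):
        problems.append("issued_at is not UTC ISO-8601")
    for field in ("derived_from", "conflicts"):
        for i, entry in enumerate(record.get(field, [])):
            if not is_utc_iso8601(entry.get("timestamp")):
                problems.append(f"{field}[{i}].timestamp is not UTC ISO-8601")
    if record.get("consensus_digest") != compute_digest(record):
        problems.append("consensus_digest does not match canonical bytes")
    return problems

# Constructed sample modelled on the conceptual record; digests are placeholders.
SAMPLE = {
    "artifact": "pkg:rpm/redhat/openssl@3.0.9", "advisory": "CVE-2025-13579",
    "status": "not_affected",
    "confidence": 0.92,
    "issued_at": "2025-08-30T12:05:00Z",
    "derived_from": [{"source_digest": "sha256:<placeholder-a>", "issuer": "vendor:redhat",
                      "status": "not_affected", "timestamp": "2025-08-30T12:00:00Z"}],
    "conflicts": [{"source_digest": "sha256:<placeholder-b>", "issuer": "vendor:upstream",
                   "status": "affected", "timestamp": "2025-08-29T00:00:00Z"}],
}
SAMPLE["consensus_digest"] = compute_digest(SAMPLE)
```

Key order in the received object does not affect the result, while any change to a field value or to the order of derived_from or conflicts entries does, which is why the stable array order matters for digest comparison.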
Related Docs
- Algorithm overview: docs/vex/consensus-algorithm.md
- Endpoints: docs/vex/consensus-api.md
- Module details: docs/modules/vex-lens/architecture.md