lib4vex
raw JSON → 0.2.3 verified Fri May 01 auth: no python
VEX (Vulnerability Exploitability eXchange) generator and consumer library supporting CSAF, CycloneDX, and OpenVEX formats. Current version 0.2.3, requires Python >=3.7. The library allows creating, parsing, and validating VEX documents in multiple formats. Release cadence is irregular, with updates focused on bug fixes and format compatibility.
pip install lib4vex
Common errors
error ImportError: cannot import name 'load' from 'lib4vex'
cause Using an older version of lib4vex that does not have the load function (added in v0.2.0).
fix
Upgrade lib4vex: pip install --upgrade lib4vex
error TypeError: version must be an integer, not str
cause In OpenVEX generation, the version field was provided as a string but must be an integer.
fix
Set vex.version = 1 (integer) instead of '1'.
error ValueError: Unknown VEX format: ...
cause load() received a VEX document in an unsupported format or malformed content.
fix
Ensure the input is valid JSON and one of the supported formats: csaf, cyclonedx, openvex.
error AttributeError: 'NoneType' object has no attribute 'json'
cause generate() returned None because of invalid parameters or missing required arguments.
fix
Check that the format argument is one of the supported values ('csaf', 'cyclonedx', 'openvex') and that all required arguments are supplied.
Warnings
gotcha The version field in OpenVEX documents must be an integer, not a string. Prior to v0.2.3, using a string version would cause validation errors.
fix Ensure the version is an integer when generating OpenVEX documents.
deprecated Automatic detection of the VEX document type was introduced in v0.2.0. Older versions required the format to be specified manually.
fix Upgrade to >=0.2.0 and use load() for auto-detection.
gotcha Partial product names (e.g., missing namespace) may cause parsing errors in SPDX documents. This was fixed in v0.2.1.
fix Ensure product names are fully qualified, or upgrade to the latest version.
breaking The API for adding vulnerabilities changed between v0.1.0 and v0.2.0; the signature of methods such as add_vulnerability may differ.
fix Refer to the documentation for the current method signatures, and upgrade to the latest version.
Imports
- load: from lib4vex import load
- generate: from lib4vex import generate
Quickstart
from lib4vex import load
from lib4vex import generate
# Create a VEX document (e.g., CSAF format)
vex = generate('csaf')
vex.author = 'me'
vex.product = 'myapp'
vex.version = '1.0.0'  # product version string; for OpenVEX documents the document version must be an integer (see Warnings)
# Add a vulnerability
vex.add_vulnerability(vulnerability_id='CVE-2024-12345', status='not_affected', impact_statement='Not applicable')
# Output JSON
print(vex.json())
# Load a VEX document from file; load() auto-detects the format (csaf, cyclonedx, openvex) in >=0.2.0
# with open('vex.json', 'r') as f:
#     loaded_vex = load(f.read())
#     print(loaded_vex.format())