Aqua Security, the pioneer in cloud-native security announced VEX Hub, a vendor-neutral repository for VEX (Vulnerability Exploitability eXchange).
VEX is a new industry standard for communicating and sharing information on security vulnerabilities for software artifacts, and VEX Hub provides users and software maintainers with a single library of vulnerability information and fewer false positives.
VEX Hub
VEX Hub aggregates VEX documents from software maintainers and organises them in a central repository, making them accessible for consumption by scanning tools.
VEX Hub information improves the accuracy of scanning results and provides actionable vulnerability reports to users. As part of the release, the latest version of Aqua Trivy open source consumes VEX Hub information so users can better prioritise vulnerabilities and reduce alert fatigue.
Collecting relevant vulnerability exploitation
“For years, users have struggled to locate and prioritise software vulnerabilities, and maintainers have struggled with how to share the information. VEX was created to solve these problems,” said Itay Shakury, VP of Open Source at Aqua Security.
“The missing piece to date is a system to collect the relevant vulnerability exploitation information into a central repository – that’s where VEX Hub comes in. We have worked with the VEX community since inception, and we’re ready to take VEX to the next level with VEX Hub.”
Trivy v0.54
VEX Hub is built for collaboration and simplifies the management of VEX information. Aqua’s open-source team has created one place for maintainers to easily share timely vulnerability updates, and for users to find and access critical vulnerability exploitation information.
VEX Hub was included in the latest version of Trivy v0.54, so those running on this version can use VEX Hub in their Trivy scans using the '--vex repo' flag. Trivy will deliver fewer false positives and more accurate, actionable vulnerability reports.
