Kubescape open-source project adds Vulnerability Exploitability eXchange (VEX) support – Help Net Security

Kubescape now generates Vulnerability Exploitability eXchange (VEX) documents automatically, making it the first open-source project to provide this functionality. The feature gives security practitioners a way to prioritize and address software vulnerabilities according to whether the vulnerable code is actually reachable in their running workloads.


What is Vulnerability Exploitability eXchange (VEX)?

Vulnerability Exploitability eXchange (VEX) is a machine-readable format for stating whether a specific product is affected by a known vulnerability, and why. VEX documents have become a critical complement to Software Bills of Materials (SBOMs): an SBOM lists the components a product contains, while a VEX document tells users which vulnerability findings against those components actually apply.

Sourcing reliable and accurate VEX documents has been a significant challenge in the industry. Software vendors, who understand their products best, are ideally positioned to judge which vulnerabilities are exploitable. However, the continuous effort required to keep VEX documents up to date has hindered widespread adoption.

Open-source projects face an even greater hurdle because of limited resources and reliance on community contributions, so consistently producing detailed VEX documents is rarely feasible for them. As a result, practical use of VEX across diverse software ecosystems has remained limited.

VEX in Kubescape

Kubescape uses its eBPF-based Kubernetes runtime reachability capability to generate VEX documents automatically, providing clear and actionable signals for vulnerability prioritization and management. By observing with eBPF which software packages a container actually loads at runtime, Kubescape separates vulnerabilities in code that never executes from those in code that does, and which therefore pose a real risk in container environments.

Starting from version 1.16.2, the Kubescape Operator produces VEX documents and stores them as Kubernetes API objects. These VEX documents follow the OpenVEX standard and categorize vulnerabilities as “affected” or “not affected” based on their reachability. This distinction enables security practitioners to focus on vulnerabilities that pose a genuine risk, significantly improving the signal-to-noise ratio of vulnerability scan results. Because the classification is derived from what was observed loading at runtime, a “not affected” verdict reflects the workloads and time window Kubescape monitored; a package that is loaded only on a rarely exercised code path is classified by that evidence until the path executes.

Kubescape-generated VEX documents can be fed to open-source vulnerability scanners such as Grype and Trivy, both of which accept OpenVEX input, so that scan output is filtered down to the vulnerabilities that could actually harm the system. With these more precise results, users can prioritize and address the findings that matter.
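To make concrete what a scanner does with such a document, here is an added example (not Kubescape, Grype or Trivy code) that parses a small OpenVEX 0.2.0 document and uses it to filter a list of scan findings. The document, the image and package purls, and the finding records are all constructed for this illustration; the field names follow the OpenVEX specification, but the matching and suppression rules are this example's own and may differ from what a given scanner implements.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of the OpenVEX 0.2.0 document shape. Field names follow the OpenVEX
// spec; the structs themselves are written for this example, not taken from Kubescape.
type VEXDocument struct {
	Context    string      `json:"@context"`
	ID         string      `json:"@id"`
	Author     string      `json:"author"`
	Timestamp  string      `json:"timestamp"`
	Version    int         `json:"version"`
	Statements []Statement `json:"statements"`
}

type Statement struct {
	Vulnerability   struct{ Name string `json:"name"` } `json:"vulnerability"`
	Products        []Product `json:"products"`
	Status          string    `json:"status"` // affected | not_affected | fixed | under_investigation
	Justification   string    `json:"justification,omitempty"`
	ImpactStatement string    `json:"impact_statement,omitempty"`
}

type Product struct {
	ID            string `json:"@id"`
	Subcomponents []struct{ ID string `json:"@id"` } `json:"subcomponents,omitempty"`
}

// Finding is one scanner result; the shape is constructed here, not Grype or Trivy output.
type Finding struct {
	Vuln    string // vulnerability identifier
	Image   string // purl of the scanned image (the VEX "product")
	Package string // purl of the package the finding is attached to (a VEX "subcomponent")
}

// sampleVEX is a constructed document for one image: CVE-2023-0001 sits in a
// package never seen loading, CVE-2023-0002 in one that did load, and
// CVE-2023-0003 is still being looked at.
const sampleVEX = `{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.invalid/vex/demo-1",
  "author": "example cluster operator",
  "timestamp": "2024-01-01T00:00:00Z",
  "version": 1,
  "statements": [
    {"vulnerability": {"name": "CVE-2023-0001"},
     "products": [{"@id": "pkg:oci/demo-app@1.0", "subcomponents": [{"@id": "pkg:deb/debian/libfoo@1.0"}]}],
     "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": {"name": "CVE-2023-0002"},
     "products": [{"@id": "pkg:oci/demo-app@1.0", "subcomponents": [{"@id": "pkg:deb/debian/libbar@2.0"}]}],
     "status": "affected"},
    {"vulnerability": {"name": "CVE-2023-0003"},
     "products": [{"@id": "pkg:oci/demo-app@1.0"}],
     "status": "under_investigation"}
  ]
}`

func LoadSample() (*VEXDocument, error) {
	var doc VEXDocument
	if err := json.Unmarshal([]byte(sampleVEX), &doc); err != nil {
		return nil, err
	}
	return &doc, nil
}

// Validate rejects a not_affected statement that carries neither a justification
// nor an impact statement: a suppression with no stated reason should not be acted on.
func Validate(doc *VEXDocument) error {
	for i, st := range doc.Statements {
		if st.Status == "not_affected" && st.Justification == "" && st.ImpactStatement == "" {
			return fmt.Errorf("statement %d: not_affected for %s without justification", i, st.Vulnerability.Name)
		}
	}
	return nil
}

// StatusFor returns the status of the last statement covering the finding, or ""
// if none does. A product listed without subcomponents covers every package in
// that image; one listed with subcomponents covers only the packages named.
func StatusFor(doc *VEXDocument, f Finding) string {
	status := ""
	for _, st := range doc.Statements {
		if st.Vulnerability.Name != f.Vuln {
			continue
		}
		for _, p := range st.Products {
			if p.ID != f.Image {
				continue
			}
			if len(p.Subcomponents) == 0 {
				status = st.Status
				continue
			}
			for _, sc := range p.Subcomponents {
				if sc.ID == f.Package {
					status = st.Status
				}
			}
		}
	}
	return status
}

// Filter suppresses findings whose status is not_affected or fixed and keeps every
// other finding, including those no statement mentions: silence is not evidence of safety.
func Filter(doc *VEXDocument, findings []Finding) (kept, suppressed []Finding) {
	for _, f := range findings {
		switch StatusFor(doc, f) {
		case "not_affected", "fixed":
			suppressed = append(suppressed, f)
		default:
			kept = append(kept, f)
		}
	}
	return kept, suppressed
}

// SampleFindings is a constructed scan result for the image above.
func SampleFindings() []Finding {
	img := "pkg:oci/demo-app@1.0"
	return []Finding{
		{"CVE-2023-0001", img, "pkg:deb/debian/libfoo@1.0"}, // not_affected: suppressed
		{"CVE-2023-0001", img, "pkg:deb/debian/libqux@4.0"}, // same CVE, other package: kept
		{"CVE-2023-0002", img, "pkg:deb/debian/libbar@2.0"}, // affected: kept
		{"CVE-2023-0003", img, "pkg:deb/debian/libbaz@3.0"}, // under_investigation: kept
		{"CVE-2023-0004", img, "pkg:deb/debian/libfoo@1.0"}, // no statement: kept
	}
}

func main() {
	doc, err := LoadSample()
	if err != nil {
		panic(err)
	}
	if err := Validate(doc); err != nil {
		panic(err)
	}
	kept, suppressed := Filter(doc, SampleFindings())
	fmt.Printf("kept %d findings, suppressed %d\n", len(kept), len(suppressed))
}
```

The two deliberate choices are that a statement only suppresses a finding when both the vulnerability and the product (and subcomponent, if listed) match, and that `under_investigation` and unmentioned findings stay in the report. A runtime-derived `not_affected` is only as good as the observation behind it, so the `Validate` step refuses to honour a suppression that gives no justification.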

“We are excited to be the first open-source project to generate VEX documents,” said Ben Hirschberg, CTO and co-founder of ARMO and maintainer of the Kubescape project. “Our mission is to simplify vulnerability management and provide security practitioners with the tools to make informed decisions. With Kubescape’s VEX generation capability, we are enabling organizations to simplify the results of vulnerability scans and focus on the vulnerabilities that truly matter.”

Kubescape is available as a free download on GitHub.
