Labsco
microsoft logo

vex

✓ Official1,245

by microsoft · part of microsoft/hve-core

OpenVEX v0.2.0 specification reference plus VEX management playbooks - Brought to you by microsoft/hve-core.

🧩 One of 7 skills in the microsoft/hve-core package — works on its own, and pairs well with its siblings.

This is the playbook your agent receives when the skill activates — you don't need to read it to use the skill, but it's here to audit before installing.

VEX skill

This skill is the entrypoint for VEX operations in hve-core. It combines the OpenVEX v0.2.0 specification reference with reusable management playbooks for implementing, reviewing, and validating VEX documents. The normative reference material below remains the authoritative source for schema, status logic, and public-source guidance.

VEX management playbooks

Detection, drafting, and attestation are workflow-owned automation. This skill supplies the reusable procedures, mutation rules, and review criteria. The CVE Analyzer subagent performs the per-CVE exploitability analysis that feeds those workflows.

Implement VEX in a target project

Use this playbook when standing up VEX in a target project. Scaffold the VEX document under security/vex, wire the vex-detect and vex-draft workflows, reference the PR-body scaffold in assets/pr-body-scaffold.yml, connect the release attestation step for provenance and OpenVEX-over-SBOM attestation, and set CODEOWNERS on the VEX document. Use references/vex-status-logic.md and the vex-standards.instructions.md instructions for the detailed rules.

Review and validate VEX

Use this playbook when reviewing drafted VEX statements. Assess the status determination against the evidence and confidence bands, honor the document mutation and forbidden-transition contract, and validate the release attestation output. Attestation generation is owned by the release workflow, not by the reviewer. The forthcoming tested gate module and tests will live in this skill so the workflow and interactive entry points can share the same rules.

VEX statuses

StatusMeaning
not_affectedThe vulnerability is not exploitable in this product. Requires a justification or impact_statement.
affectedThe vulnerability is exploitable. Requires an action_statement describing remediation.
fixedThe vulnerability was present but has been remediated in this product version.
under_investigationThe author is evaluating whether the vulnerability affects this product. Safe default for uncertain cases.

Justification codes for not_affected

When a statement uses not_affected status, it must include a machine-readable justification:

CodeMeaning
component_not_presentThe vulnerable component is not included in the product.
vulnerable_code_not_presentThe component is present but the vulnerable code is not included.
vulnerable_code_not_in_execute_pathThe vulnerable code is present but cannot be reached at runtime.
vulnerable_code_cannot_be_controlled_by_adversaryThe code is reachable but an attacker cannot influence the inputs.
inline_mitigations_already_existExisting controls prevent exploitation of the vulnerability.

Product identifiers

Products use Package URL (PURL) format (for example, pkg:npm/@microsoft/hve-core@3.10.0).

Normative references

  1. OpenVEX JSON Schema Reference: field definitions, required versus optional fields, and example documents.
  2. VEX Status Logic: status determination decision tree, evidence requirements per status, and forbidden transitions.
  3. CVE Data Sources: OSV.dev, NVD, and GitHub Advisory Database API references with licensing posture.

Skill layout

  • SKILL.md: this file (skill entrypoint).
  • references/: normative reference documents.
    • openvex-schema.md: JSON schema reference with field definitions and examples.
    • vex-status-logic.md: status determination decision tree and forbidden transitions.
    • cve-data-sources.md: CVE data source API references and licensing.

Attribution and licensing

The OpenVEX specification reference content in this skill is derived from the OpenVEX Community specification and remains attributed to the OpenVEX Community. The reusable VEX management playbooks and the surrounding guidance in this skill are hve-core-authored content. The skill frontmatter uses a mixed-attribution metadata set so the upstream specification reference and the hve-core playbooks are clearly distinguished.

Third-Party Attribution

AttributeValue
SpecificationOpenVEX Specification v0.2.0
Copyright© OpenVEX Contributors
LicenseApache License 2.0
Sourcehttps://github.com/openvex/spec/blob/main/OPENVEX-SPEC.md
ModificationsSpecification restructured into agent-consumable reference documents with added status determination logic, evidence requirements, and CVE data source guidance.