How to distinguish between VEX and SBOM #286
Hello, I have the following problem: I want to apply a VEX to an existing SBOM. How can I know that the user applies a VEX, and not an SBOM? Thanks
Answered by
stevespringett
Aug 30, 2023
Replies: 1 comment
A VEX typically will not have any inventory - no components or services. It should only consist of vulnerabilities with the analysis node fully populated. A VEX would also typically use compositions and would indicate the aggregate as being incomplete, vs a VDR which would have an aggregate as complete.
Answer selected by
jkowalleck
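The signals named in the answer above, applied to a parsed CycloneDX JSON document. This is an added example, not code from the discussion or from the CycloneDX project; the function name `classify_cyclonedx`, the `ambiguous` fallback and the sample documents are assumptions, and "fully populated" is approximated as every vulnerability carrying an `analysis.state`.

```python
def classify_cyclonedx(doc: dict) -> tuple[str, list[str]]:
    """Return (kind, notes); kind is 'vex', 'vdr', 'sbom' or 'ambiguous'."""
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX JSON document")
    # Inventory = top-level components/services. metadata.component (the
    # subject of the document) is deliberately not counted (assumption).
    inventory = bool(doc.get("components") or doc.get("services"))
    vulns = doc.get("vulnerabilities") or []
    aggregates = {c.get("aggregate") for c in doc.get("compositions") or []}
    # Assumption: "fully populated" means every entry has analysis.state.
    analysed = bool(vulns) and all(
        (v.get("analysis") or {}).get("state") for v in vulns)
    notes = []
    if vulns and not inventory and analysed and "complete" not in aggregates:
        if "incomplete" not in aggregates:
            notes.append("no composition marks the aggregate as incomplete")
        return "vex", notes
    if vulns and "complete" in aggregates:
        return "vdr", notes
    if inventory and not vulns:
        return "sbom", notes
    # Anything else should be rejected or reviewed, not silently applied.
    if vulns and not analysed:
        notes.append("vulnerabilities without analysis.state")
    if vulns and inventory:
        notes.append("vulnerabilities mixed with inventory")
    return "ambiguous", notes

# Constructed sample documents (placeholder ids, not real advisories).
VEX = {"bomFormat": "CycloneDX", "specVersion": "1.5",
       "vulnerabilities": [{"id": "EXAMPLE-VULN-1",
                            "analysis": {"state": "not_affected",
                                         "justification": "code_not_reachable"},
                            "affects": [{"ref": "component-a"}]}],
       "compositions": [{"aggregate": "incomplete"}]}
SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [{"type": "library", "name": "example-lib",
                        "version": "1.0.0"}]}
VDR = {**SBOM, "vulnerabilities": VEX["vulnerabilities"],
       "compositions": [{"aggregate": "complete"}]}
UNTRIAGED = {"bomFormat": "CycloneDX", "specVersion": "1.5",
             "vulnerabilities": [{"id": "EXAMPLE-VULN-2"}]}

if __name__ == "__main__":
    for name in ("VEX", "SBOM", "VDR", "UNTRIAGED"):
        print(name, classify_cyclonedx(globals()[name]))
```

Because the answer describes what a VEX "typically" looks like, the result is a heuristic: treat `ambiguous` as a reason to refuse the upload or ask the user, not as a default to either type.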