Ingest Architecture File

EU CRA Compliance Engine (2027 Standards Ready)

Scanner noise reduced by —%

Loading attestation summary…

—

Total CVEs

in SBOM manifest

—

Suppressed

not_affected + fixed

—

Under Investigation

awaiting triage decision

—

Confirmed Affected

require remediation

CVE Disposition Breakdown

Not Affected (0)

Fixed (0)

Under Investigation (0)

Confirmed Affected (0)

Unattested (0)

EU CRA Article 13 Compliance Readiness

Calculating…

of obligations met

Update SBOM / Re-ingest

Upload SBOM Manifest

Ingest CycloneDX (JSON/XML) or SPDX 2.3 (JSON/YAML/TV) directly from your CI/CD pipeline. Format is auto-detected and normalised to the internal triage model.

Accepted formats: CycloneDX 1.4 / 1.5 JSON·XML SPDX 2.3 JSON·YAML·TV

Drop SBOM here or click to browse

CycloneDX JSON/XML · SPDX 2.3 JSON/YAML/TV — format auto-detected

Continuous Integration Link

Automate pipeline processing by placing a 50-line YAML engine construct inside your repository actions.

CRA Regulatory Statement

Satisfies Article 13 machine-readable security reporting duties for physical asset and embedded software control loops.

Select a dependency-flagged vulnerability from the asset list to construct a VEX response matrix.

CVE-XXXX-XXXX

CRITICAL

CVSS Base Score

—

EPSS Score (30d)

—

CISA KEV Listed

—

VEX Exploitation Impact State

Not-Affected Justification (CycloneDX/OpenVEX spec)

Select a justification to see guidance

Technical Context / Human-Readable Statement

OT/ICS Quick Templates

AI-Drafted Statement — Review Before Committing

Changes recorded to audit trail on commit

No attestation history for this CVE yet.

Public Engine Endpoint Summary

This URL serves downstream scanners (Wiz, Trivy, Dependency-Track) automatically, muting verified noise instantly. Select output format to match your toolchain or regulatory requirement.

GET /public/vex/heavy-machinery-ecu/v2.4.1?format=cdx

Output Format:

CycloneDX 1.5 VEX Output

/* Load an SBOM to render output */

GitHub Action Pipeline Integration

name: "VEXease SBOM Auto-Push Pipeline"
on:
  release:
    types: [released]

jobs:
  export-vex:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Source code tree
        uses: actions/checkout@v4

      - name: Push Machine SBOM Artifact
        uses: vexease/vexease-action@v1
        with:
          api-key: ${{ secrets.VEXOR_API_KEY }}
          sbom-path: "./build/reports/bom.json"
          product-id: "heavy-machinery-ecu"
          version: "${{ github.event.release.tag_name }}"

CVE Attack Surface Radar

Live from your triage data — commit attestations and watch the radar update in real time.

Colour key

Critical / KEV-listed

High (CVSS 7–8.9)

Medium (CVSS 4–6.9)

Attested — not_affected / fixed

Under investigation

Bearing = attack vector · Distance from centre = CVSS score · Pulsing ring = KEV listed

Sweep detections

Load an SBOM to begin scanning

—

VEX Exposure Heatmap

Heat = CVSS × EPSS × KEV weighting. Cells cool as you attest. Click any cell to jump to Triage.

Show:

—