
How to distinguish between VEX and SBOM #286

Answered by stevespringett
Razikus asked this question in Q&A

A VEX typically will not have any inventory - no components or services. It should only consist of vulnerabilities with the analysis node fully populated. A VEX would also typically use compositions and would indicate the aggregate as being incomplete, vs a VDR which would have an aggregate as complete.

Answer selected by jkowalleck
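
The heuristic from the answer above, written as a check over CycloneDX JSON. This is an added example, not code from the CycloneDX project or the answer's author. The function name, the return labels, and the reading of "fully populated" as "every vulnerability has `analysis.state`" are assumptions, and the sample documents are constructed.

```python
def classify_bom(doc: dict) -> str:
    """Heuristic only: label a parsed CycloneDX JSON document as SBOM, VEX or VDR."""
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX JSON document")

    # Inventory = components or services; a VEX typically carries neither.
    has_inventory = bool(doc.get("components")) or bool(doc.get("services"))
    vulns = doc.get("vulnerabilities") or []
    if has_inventory:
        return "SBOM with vulnerabilities" if vulns else "SBOM"
    if not vulns:
        return "undetermined"

    # Assumption: "fully populated" is approximated by analysis.state on every entry.
    analysed = all((v.get("analysis") or {}).get("state") for v in vulns)
    aggregates = [str(c.get("aggregate", "")) for c in doc.get("compositions") or []]

    if any(a == "complete" for a in aggregates):
        return "VDR"
    if analysed and any(a.startswith("incomplete") for a in aggregates):
        return "VEX"
    return "undetermined"


# Constructed sample documents (placeholder identifiers, not real advisories).
SBOM_SAMPLE = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [{"type": "library", "name": "example-lib", "version": "1.0.0"}],
}
VEX_SAMPLE = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "vulnerabilities": [{
        "id": "CVE-0000-0000",  # placeholder id
        "analysis": {"state": "not_affected", "justification": "code_not_reachable"},
    }],
    "compositions": [{"aggregate": "incomplete"}],
}
VDR_SAMPLE = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "vulnerabilities": [{"id": "CVE-0000-0000"}],  # placeholder id
    "compositions": [{"aggregate": "complete"}],
}

if __name__ == "__main__":
    for name, doc in [("sbom", SBOM_SAMPLE), ("vex", VEX_SAMPLE), ("vdr", VDR_SAMPLE)]:
        print(name, "->", classify_bom(doc))
```

A document with analysed vulnerabilities but no `compositions` entry comes back as `undetermined`, since the answer describes typical usage rather than a schema requirement.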

This discussion was converted from issue #285 on August 30, 2023 15:51.