Stay organized with collections
Save and categorize content based on your preferences.
This document describes how to upload existing
Vulnerability Exploitability eXchange (VEX)
statements to Artifact Analysis. You can also upload statements provided by other
publishers.
To get the permissions that
you need to upload VEX assessments and check the VEX status of vulnerabilities,
ask your administrator to grant you the
following IAM roles on the project:
Artifact Analysis stores vulnerability assessment notes as one note per
CVE. Notes are stored in the Container Analysis API, within the same project as the
specified image.
When you upload VEX statements, Artifact Analysis also carries VEX status
information into associated vulnerability occurrences so that
you can filter vulnerabilities by VEX status. If a VEX statement is applied to
an image, Artifact Analysis will carry over the VEX status to all versions
of that image, including newly pushed versions.
If a single version has two VEX statements, one written for the resource URL
and one written for the associated image URL, the VEX statement written for the
resource URL will take precedence and will be carried over to the vulnerability
occurrence.
What's next
Prioritize vulnerability issues using VEX. Learn how to
view VEX statements and filter vulnerabilities by their VEX
status.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-03 UTC."],[[["\u003cp\u003eThis document details the process of uploading Vulnerability Exploitability eXchange (VEX) statements, which must adhere to the Common Security Advisory Format (CSAF) 2.0 standard in JSON, to Artifact Analysis.\u003c/p\u003e\n"],["\u003cp\u003eUploading VEX statements requires specific IAM roles, such as Container Analysis Notes Editor, to create and update notes within the project.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003eartifacts vulnerabilities load-vex\u003c/code\u003e command is used to upload VEX data, where users specify the path to the CSAF-formatted JSON file and the URI of the resource or image.\u003c/p\u003e\n"],["\u003cp\u003eArtifact Analysis converts VEX statements into Grafeas \u003ccode\u003eVulnerabilityAssessment\u003c/code\u003e notes, storing them as one note per CVE within the Container Analysis API, and it carries VEX status information to associated vulnerability occurrences.\u003c/p\u003e\n"],["\u003cp\u003ePre-GA features are available "as is" and might have limited support, and using this feature is subject to the "Pre-GA Offerings Terms" found in the General Service Terms section of the service specific terms.\u003c/p\u003e\n"]]],[],null,["# Upload VEX statements\n\n| **Preview**\n|\n|\n| This feature is subject to the \"Pre-GA Offerings Terms\" in the General Service Terms section\n| of the [Service Specific Terms](/terms/service-terms#1).\n|\n| Pre-GA features are available \"as is\" and might have limited support.\n|\n| For more information, see the\n| [launch stage descriptions](/products#product-launch-stages).\n\nThis document describes how to upload existing\n[Vulnerability Exploitability eXchange (VEX)](https://www.cisa.gov/sites/default/files/2023-04/minimum-requirements-for-vex-508c.pdf)\nstatements to Artifact Analysis. You can also upload statements provided by other\npublishers.\n\nVEX statements must be formatted according to the\n[Common Security Advisory Format (CSAF)](https://oasis-open.github.io/csaf-documentation/) 2.0 standard in JSON.\n\nRequired roles\n--------------\n\n\nTo get the permissions that\nyou need to upload VEX assessments and check the VEX status of vulnerabilities,\n\nask your administrator to grant you the\nfollowing IAM roles on the project:\n\n- To create and update notes: [Container Analysis Notes Editor](/iam/docs/roles-permissions/containeranalysis#containeranalysis.notes.editor) (`roles/containeranalysis.notes.editor`)\n\n\nFor more information about granting roles, see [Manage access to projects, folders, and organizations](/iam/docs/granting-changing-revoking-access).\n\n\nYou might also be able to get\nthe required permissions through [custom\nroles](/iam/docs/creating-custom-roles) or other [predefined\nroles](/iam/docs/roles-overview#predefined).\n\nUpload VEX statements\n---------------------\n\nRun the\n[`artifacts vulnerabilities load-vex`](/sdk/gcloud/reference/artifacts/vulnerabilities/load-vex)\ncommand to upload VEX data and store it in Artifact Analysis: \n\n gcloud artifacts vulnerabilities load-vex /\n --source \u003cvar translate=\"no\"\u003eCSAF_SOURCE\u003c/var\u003e /\n --uri \u003cvar translate=\"no\"\u003eRESOURCE_URI\u003c/var\u003e /\n\nWhere\n\n- \u003cvar translate=\"no\"\u003eCSAF_SOURCE\u003c/var\u003e is the path to your VEX statement file stored locally. The file must be a JSON file following the [CSAF schema](https://github.com/oasis-tcs/csaf/blob/master/csaf_2.0/json_schema/csaf_json_schema.json).\n- \u003cvar translate=\"no\"\u003eRESOURCE_URI\u003c/var\u003e can be one of:\n - the complete URL of the image, similar to `https://LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY/IMAGE_ID@sha256:HASH`.\n - the image URL, similar to `https://LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY/IMAGE_ID`.\n\nArtifact Analysis converts your VEX statements to\n[Grafeas `VulnerabilityAssessment`](https://github.com/grafeas/grafeas/blob/master/proto/v1/vex.proto#L28) notes.\n\nArtifact Analysis stores vulnerability assessment notes as one note per\nCVE. Notes are stored in the Container Analysis API, within the same project as the\nspecified image.\n\nWhen you upload VEX statements, Artifact Analysis also carries VEX status\ninformation into associated [vulnerability occurrences](/artifact-analysis/docs/metadata-storage#occurrence) so that\nyou can filter vulnerabilities by VEX status. If a VEX statement is applied to\nan image, Artifact Analysis will carry over the VEX status to all versions\nof that image, including newly pushed versions.\n\nIf a single version has two VEX statements, one written for the resource URL\nand one written for the associated image URL, the VEX statement written for the\nresource URL will take precedence and will be carried over to the vulnerability\noccurrence.\n\nWhat's next\n-----------\n\n- Prioritize vulnerability issues using VEX. Learn how to [view VEX statements](/artifact-analysis/docs/view-vex) and filter vulnerabilities by their VEX status.\n- Learn how to [generate a software bill of materials](/artifact-analysis/docs/sbom-overview) (SBOM) to support compliance requirements.\n- [Scan for vulnerabilities](/artifact-analysis/docs/scanning-types) in OS packages and language packages with Artifact Analysis."]]
