This document describes how to upload existing Vulnerability Exploitability eXchange (VEX) statements to Artifact Analysis. You can also upload statements provided by other publishers.
VEX statements must be formatted according to the Common Security Advisory Format (CSAF) 2.0 standard in JSON.
Required roles
To get the permissions that you need to upload VEX assessments and check the VEX status of vulnerabilities, ask your administrator to grant you the following IAM roles on the project:
-
To create and update notes:
Container Analysis Notes Editor (
roles/containeranalysis.notes.editor)
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
Upload VEX statements
Run the
artifacts vulnerabilities load-vex
command to upload VEX data and store it in Artifact Analysis:
gcloud artifacts vulnerabilities load-vex /
--source CSAF_SOURCE /
--uri RESOURCE_URI /
Where
- CSAF_SOURCE is the path to your VEX statement file stored locally. The file must be a JSON file following the CSAF schema.
- RESOURCE_URI can be one of:
- the complete URL of the image, similar to
https://LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY/IMAGE_ID@sha256:HASH. - the image URL, similar to
https://LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY/IMAGE_ID.
- the complete URL of the image, similar to
Artifact Analysis converts your VEX statements to
Grafeas VulnerabilityAssessment notes.
Artifact Analysis stores vulnerability assessment notes as one note per CVE. Notes are stored in the Container Analysis API, within the same project as the specified image.
When you upload VEX statements, Artifact Analysis also carries VEX status information into associated vulnerability occurrences so that you can filter vulnerabilities by VEX status. If a VEX statement is applied to an image, Artifact Analysis will carry over the VEX status to all versions of that image, including newly pushed versions.
If a single version has two VEX statements, one written for the resource URL and one written for the associated image URL, the VEX statement written for the resource URL will take precedence and will be carried over to the vulnerability occurrence.
What's next
- Prioritize vulnerability issues using VEX. Learn how to view VEX statements and filter vulnerabilities by their VEX status.
- Learn how to generate a software bill of materials (SBOM) to support compliance requirements.
- Scan for vulnerabilities in OS packages and language packages with Artifact Analysis.