News

Anchore Enterprise 5.23: CycloneDX VEX and VDR Support

  • securityboulevard.com
  • published date: 2025-11-07 00:00:00 UTC


<p>Anchore Enterprise 5.23 adds CycloneDX VEX and VDR support, completing our vulnerability communication capabilities for software publishers who need to share accurate vulnerability context with customers. With OpenVEX support shipped in 5.22 and CycloneDX added now, teams can choose the format that fits their supply chain ecosystem while maintaining consistent vulnerability annotations across both standards.</p><p>This release includes:</p><ul class="wp-block-list"> <li>CycloneDX VEX export for vulnerability annotations</li> <li>CycloneDX VDR (Vulnerability Disclosure Report) for standardized vulnerability inventory</li> <li>Expanded policy gates for one-time scans (see below for full list)</li> <li>STIG profiles delivered via Anchore 
Data Service</li> </ul><h2 class="wp-block-heading" id="h-the-publisher-s-dilemma-when-your-customers-find-vulnerabilities-you-ve-already-fixed"><strong>The Publisher’s Dilemma: When Your Customers Find “Vulnerabilities” You’ve Already Fixed</strong></h2><p>Software publishers face a recurring challenge: customers scan your delivered software with their own tools and send back lists of vulnerabilities that your team already knows about, has mitigated, or that simply don’t apply to the deployed context. Security teams waste hours explaining the same fixes, architectural decisions, and false positives to each customer—time that could be spent on actual security improvements.</p><p>VEX (Vulnerability Exploitability eXchange) standards solve this by allowing publishers to document vulnerability status alongside scan data—whether a CVE was patched in your internal branch, affects a component you don’t use, or is scheduled for remediation in your next release. With two competing VEX formats—OpenVEX and CycloneDX VEX—publishers need to support both to reach their entire ecosystem. Anchore Enterprise 5.23 completes this picture.</p><h2 class="wp-block-heading" id="h-how-cyclonedx-vex-works-in-anchore-enterprise"><strong>How CycloneDX VEX Works in Anchore Enterprise</strong></h2><p>The vulnerability annotation workflow remains identical to the <a href="https://anchore.com/blog/anchore-enterprise-5-22/">OpenVEX implementation introduced in 5.22</a>. Teams can add annotations through either the UI or API, documenting whether vulnerabilities are:</p><ul class="wp-block-list"> <li><strong>Not applicable</strong> to the specific deployment context</li> <li><strong>Mitigated</strong> through compensating controls</li> <li><strong>Under investigation</strong> for remediation</li> <li><strong>Scheduled</strong> for fixes in upcoming releases</li> </ul><p>The difference is in the export. 
When you download the vulnerability report, you can now select CycloneDX VEX format instead of (or in addition to) OpenVEX. The annotation data translates cleanly to either standard, maintaining context and machine-readability.</p><h3 class="wp-block-heading" id="h-adding-annotations"><strong>Adding Annotations</strong></h3><p>Via UI: Navigate to the Vulnerability tab for any scanned image, select vulnerabilities requiring annotation, and choose <strong>Annotate</strong> to add status and context.</p><p>Via API: Use the <code>/vulnerabilities/annotations</code> endpoint to programmatically apply annotations during automated workflows.</p><h3 class="wp-block-heading" id="h-exporting-cyclonedx-vex"><strong>Exporting CycloneDX VEX</strong></h3><p>After annotations are applied:</p><ol class="wp-block-list"> <li>Navigate to the Vulnerability Report for your image</li> <li>Click the <strong>Export</strong> button above the vulnerability table</li> <li>In the export dialog, select <strong>CycloneDX VEX</strong> (JSON or XML format)</li> <li>Download the machine-readable document for distribution</li> </ol><p>The exported CycloneDX VEX document includes all vulnerability findings with their associated annotations, PURL identifiers for precise package matching, and metadata about the scanned image. Customers can import this document into CycloneDX-compatible tools to automatically update their vulnerability databases with your authoritative assessments.</p><h2 class="wp-block-heading" id="h-vdr-standardized-vulnerability-disclosure"><strong>VDR: Standardized Vulnerability Disclosure</strong></h2><p>The Vulnerability Disclosure Report (VDR) provides a complete inventory of identified vulnerabilities in CycloneDX format, regardless of annotation status. 
Unlike previous raw exports, VDR adheres to the CycloneDX standard for vulnerability disclosure, making it easier for security teams and compliance auditors to process the data.</p><p>VDR serves different use cases than VEX:</p><ul class="wp-block-list"> <li><strong>VEX</strong> communicates vulnerability <em>status</em> (not applicable, mitigated, under investigation)</li> <li><strong>VDR</strong> provides comprehensive vulnerability <em>inventory</em> (all findings with available metadata)</li> </ul><p>Organizations can export both formats from the same Export dialog: VDR for complete vulnerability disclosure to auditors or security operations teams, and VEX for communicating remediation status to customers or downstream consumers.</p><p>To generate a VDR, click the <strong>Export</strong> button above the vulnerability table and select <strong>CycloneDX VDR</strong> (JSON or XML format). The resulting CycloneDX document includes vulnerability identifiers, severity ratings, affected packages with PURLs, and any available fix information.</p><h2 class="wp-block-heading" id="h-enforce-gates-policy-support-for-one-time-scans"><strong>Enforce Gates Policy Support for One-Time Scans</strong></h2><p>Anchore One-Time Scans now support eight additional policy gates beyond vulnerability checks, enabling comprehensive compliance evaluation directly in CI/CD pipelines without persistent SBOM storage. 
The newly supported gates include:</p><ul class="wp-block-list"> <li><a href="https://docs.anchore.com/current/docs/compliance_management/policy_gates/distro/">Distro</a></li> <li><a href="https://docs.anchore.com/current/docs/compliance_management/policy_gates/dockerfile/">Dockerfile</a></li> <li><a href="https://docs.anchore.com/current/docs/compliance_management/policy_gates/files/">Files</a></li> <li><a href="https://docs.anchore.com/current/docs/compliance_management/policy_gates/metadata/">Image Metadata</a></li> <li><a href="https://docs.anchore.com/current/docs/compliance_management/policy_gates/licenses/">Licenses</a></li> <li><a href="https://docs.anchore.com/current/docs/compliance_management/policy_gates/packages/">Packages</a></li> <li><a href="https://docs.anchore.com/current/docs/compliance_management/policy_gates/passwd_file/">Password File</a></li> <li><a href="https://docs.anchore.com/current/docs/compliance_management/policy_gates/retrieved_files/">Retrieved Files</a></li> </ul><p>This expansion allows teams to enforce compliance requirements—NIST SSDF, CIS Benchmarks, FedRAMP controls—at build time through the API. Evaluate Dockerfile security practices, verify license compliance, check for exposed credentials, and validate package integrity before artifacts reach registries.</p><h2 class="wp-block-heading" id="h-stig-profiles-delivered-via-anchore-data-service">STIG profiles delivered via Anchore Data Service</h2><p>STIG profiles are now delivered through <a href="https://anchore.com/blog/anchore-enterprise-fall-product-update-2024/">Anchore Data Service</a>, replacing the previous feed service architecture. 
DoD customers receive DISA STIG updates with the same enterprise-grade reliability as other vulnerability data, supporting both static container image evaluations and runtime Kubernetes assessments required for continuous ATO processes.</p><p>The combination means organizations can implement policy-as-code for both commercial compliance frameworks and DoD-specific requirements through a single, streamlined scanning workflow.</p><h2 class="wp-block-heading" id="h-get-started-with-5-23"><strong>Get Started with 5.23</strong></h2><p><strong>Existing Anchore Enterprise Customers:</strong></p><ul class="wp-block-list"> <li>Contact your account manager to upgrade to Anchore Enterprise 5.23</li> <li>Review <a href="https://docs.anchore.com/current/docs/overview/">implementation documentation</a> for CycloneDX VEX/VDR configuration</li> <li>Reach out to your Customer Success Engineer for guidance on annotation workflows</li> </ul><p>The post <a href="https://anchore.com/blog/anchore-enterprise-5-23-cyclonedx-vex-and-vdr-support/">Anchore Enterprise 5.23: CycloneDX VEX and VDR Support</a> appeared first on <a href="https://anchore.com/">Anchore</a>.</p>
<p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://anchore.com/">Anchore</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Jono Bergquist">Jono Bergquist</a>. Read the original post at: <a href="https://anchore.com/blog/anchore-enterprise-5-23-cyclonedx-vex-and-vdr-support/">https://anchore.com/blog/anchore-enterprise-5-23-cyclonedx-vex-and-vdr-support/</a> </p>
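The CycloneDX VEX export and the VEX-versus-VDR distinction described above are what a downstream consumer has to act on. As an added example that is not part of the original post or of Anchore's code, the Python below takes a constructed CycloneDX VEX document and a constructed list of scanner findings and applies the publisher's statements to them: a statement applies only when both the vulnerability id and the affected PURL match, <code>in_triage</code> findings stay open, and (a policy assumption of this example) a <code>not_affected</code> statement without a justification is flagged and kept open rather than trusted.

```python
import json

# Constructed CycloneDX VEX document (not an Anchore export): one analysis
# block per vulnerability, affected packages identified by PURL.
VEX_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.5", "vulnerabilities": [
  {"id": "CVE-2024-0001", "affects": [{"ref": "pkg:deb/debian/libfoo@1.2.3"}],
   "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
  {"id": "CVE-2024-0002", "affects": [{"ref": "pkg:npm/bar@4.0.0"}],
   "analysis": {"state": "in_triage"}},
  {"id": "CVE-2024-0003", "affects": [{"ref": "pkg:pypi/baz@0.9"}],
   "analysis": {"state": "not_affected"}}
]}"""

# Constructed findings as a customer's own scanner might report them.
FINDINGS = [
    {"id": "CVE-2024-0001", "purl": "pkg:deb/debian/libfoo@1.2.3"},
    {"id": "CVE-2024-0001", "purl": "pkg:deb/debian/libfoo-dev@1.2.3"},  # same CVE, other package
    {"id": "CVE-2024-0002", "purl": "pkg:npm/bar@4.0.0"},
    {"id": "CVE-2024-0003", "purl": "pkg:pypi/baz@0.9"},
    {"id": "CVE-2024-0004", "purl": "pkg:pypi/qux@2.0"},  # no VEX statement at all
]

# CycloneDX analysis states that let a consumer close a finding.
CLOSING_STATES = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}

def index_vex(vex_doc):
    """Key each analysis block by (vulnerability id, affected PURL)."""
    idx = {}
    for v in vex_doc.get("vulnerabilities", []):
        for a in v.get("affects", []):
            idx[(v["id"], a["ref"])] = v.get("analysis", {})
    return idx

def apply_vex(findings, vex_json):
    """Return (open findings, findings closed by VEX, warnings)."""
    idx = index_vex(json.loads(vex_json))
    open_, closed, warnings = [], [], []
    for f in findings:
        # A statement applies only when id AND PURL match, so 'not_affected'
        # for libfoo does not silence the same CVE reported against libfoo-dev.
        analysis = idx.get((f["id"], f["purl"]), {})
        state = analysis.get("state", "no_statement")
        if state == "not_affected" and not analysis.get("justification"):
            # Policy choice (assumption): keep it open and flag the missing context.
            warnings.append(f"{f['id']} on {f['purl']}: not_affected without justification")
        elif state in CLOSING_STATES:
            closed.append({**f, "state": state})
            continue
        open_.append({**f, "state": state})
    return open_, closed, warnings
```

Run <code>apply_vex(FINDINGS, VEX_JSON)</code>: only CVE-2024-0001 on libfoo is closed; the same CVE on libfoo-dev, the in_triage item, the unjustified not_affected item and the unannotated CVE-2024-0004 all remain open for the consumer to handle.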