First-Class SBOM & VEX

Know What’s in Your Containers

Generate industry-standard SBOMs and apply VEX statements from multiple sources — with intelligent conflict resolution and offline verification built in.

What this means for your business

Know exactly what's in every release and which advisories apply. Stella generates signed SBOMs and resolves conflicting VEX statements so compliance teams get one clear picture.

Industry-Standard Formats

Stella generates SBOMs in the formats your auditors and compliance teams expect, with full component metadata and provenance.

SPDX 3.0.1

The latest ISO/IEC 5962 standard with full supplier metadata and SPDX license expressions.

CycloneDX 1.7

OWASP CycloneDX with integrated VEX support and dependency graph extensions.

Generate, verify, and publish SBOMs from the CLI

$ stella sbom generate --image myapp:v2.1.0 --format spdx-json
$ stella sbom verify --archive sbom.tar.gz --offline
$ stella sbom publish --image myapp:v2.1.0 --overwrite

Why It Matters

SBOMs are becoming mandatory. Stella makes them practical.

Reproducible Results

Same image, same SBOM — every time. Auditors can verify your results independently.

Works Offline

Generate and verify SBOMs in air-gapped environments. No external calls required.

Compliance Ready

Supports EO 14028, EU CRA, and other supply chain security requirements with signed, verifiable SBOMs.

Cryptographically Signed

Every SBOM is signed and tamper-evident. Evidence you can trust.

VEX: Context for Vulnerabilities

Not every CVE affects you. VEX (Vulnerability Exploitability eXchange) statements let vendors and your own analysis say which vulnerabilities actually matter for your specific deployment.

  • Affected
  • Not Affected
  • Fixed
  • Under Investigation

VEX cuts through the noise: a CVE in a library you don’t use isn’t your problem. Stella applies VEX statements automatically to focus your attention on what matters.

What this means for your business

When scanners disagree, see all evidence instead of a silent override. Stella surfaces conflicts so your team makes informed decisions — fewer missed vulnerabilities, less wasted remediation.

How conflict states are computed (advanced)


When multiple VEX sources disagree, Stella uses Belnap’s four-valued logic to compute the definitive state. Conflicts become visible, not hidden.

  • ⊥ Unknown: No information yet. Default state before any VEX statement applies.
  • T Affected: At least one issuer says this vulnerability affects you.
  • F Not Affected: At least one issuer says you’re not affected.
  • ⊤ Conflict: Multiple issuers disagree. Requires review or higher-authority override.

Vendor says “not affected” but your runtime probe saw the function called? Result: Conflict (⊤) — the disagreement is visible, not silently suppressed.

No silent suppression. No hidden assumptions. Uncertainty is tracked and surfaced.

Multi-source VEX aggregation (advanced)


Vendors, distributors, and your own security team may all publish VEX statements. Stella aggregates them with weighted consensus.

  • Ingest VEX from software vendors, Linux distributors, and internal sources
  • Sources are weighted by authority — your internal assessments can override external ones
  • Conflicts trigger review workflows rather than being silently resolved
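As an added illustration, not Stella's own code, the following Python shows how the four-valued conflict states described above and the authority-weighted aggregation in this section fit together: every issuer's claim is joined in Belnap's information order, and only on a conflict does the highest-authority tier decide the effective state while the conflict itself remains flagged for review. The status-to-value mapping, the authority ranks and the sample statements are assumptions constructed for this example.

```python
from enum import Enum
from typing import NamedTuple

class Belnap(Enum):  # Belnap's four values, ordered by how much is known
    UNKNOWN = "⊥"       # no statement yet
    AFFECTED = "T"      # at least one issuer says affected
    NOT_AFFECTED = "F"  # at least one issuer says not affected
    CONFLICT = "⊤"      # issuers disagree

def join(a, b):
    """Least upper bound in the information order: ⊥ below T and F, ⊤ above."""
    if a == b or b is Belnap.UNKNOWN:
        return a
    return b if a is Belnap.UNKNOWN else Belnap.CONFLICT

# VEX status -> Belnap value; treating "fixed" as not affected is an assumption.
STATUS_TO_BELNAP = {"affected": Belnap.AFFECTED, "not_affected": Belnap.NOT_AFFECTED,
                    "fixed": Belnap.NOT_AFFECTED, "under_investigation": Belnap.UNKNOWN}

class VexStatement(NamedTuple):
    source: str
    authority: int  # higher wins on conflict; internal sources rank above external
    vuln_id: str
    status: str

def raw_state(statements, vuln_id):
    """Join of every issuer's claim about vuln_id, with no authority applied."""
    state = Belnap.UNKNOWN
    for s in statements:
        if s.vuln_id == vuln_id:
            state = join(state, STATUS_TO_BELNAP[s.status])
    return state

def resolve(statements, vuln_id):
    """Return (raw, effective, needs_review). On conflict only the highest-authority
    tier decides the effective state; the conflict stays visible via needs_review."""
    raw = raw_state(statements, vuln_id)
    if raw is not Belnap.CONFLICT:
        return raw, raw, False
    relevant = [s for s in statements if s.vuln_id == vuln_id]
    top = max(s.authority for s in relevant)
    return raw, raw_state([s for s in relevant if s.authority == top], vuln_id), True

# Constructed sample statements; ids and source names are placeholders.
SAMPLE = [
    VexStatement("vendor", 1, "CVE-EXAMPLE-0001", "not_affected"),
    VexStatement("distro", 2, "CVE-EXAMPLE-0001", "not_affected"),
    VexStatement("internal-runtime-probe", 3, "CVE-EXAMPLE-0001", "affected"),
    VexStatement("vendor", 1, "CVE-EXAMPLE-0004", "under_investigation"),
    VexStatement("distro", 2, "CVE-EXAMPLE-0004", "affected"),
]
```

For CVE-EXAMPLE-0001 the vendor and distributor say "not affected" while the internal probe says "affected": `resolve` reports the raw state ⊤, lets the internal source decide the effective state T, and still returns `needs_review=True` so the disagreement is never silently suppressed.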

One View of Truth

Instead of juggling spreadsheets and emails, get a single authoritative view of which vulnerabilities actually affect your release.

Ready for practical SBOM compliance?

Install Stella Ops and start generating auditor-ready SBOMs with multi-source VEX support.