Skip to main content
Version: v0.6.x



Experimental: This feature might change without preserving backwards compatibility.

Copa optionally outputs a Vulnerability Exploitability eXchange (VEX) file as a result of the patching process to surface the vulnerabilities and packages that were patched.

Currently, Copa supports the OpenVEX format, but it can be extended to support other formats.


OpenVEX is an implementation of Vulnerability Exploitability eXchange (VEX) format. For more information, see OpenVEX specification.

  • Use COPA_VEX_AUTHOR environment variable to set the author of the VEX document. If it's not set, the author will default to Project Copacetic.

  • A VEX document must contain at least one VEX statement. If there are no fixed vulnerabilities, Copa will not generate a VEX document.

To generate a VEX document using OpenVEX, use --format="openvex" flag, and use --output to specify a file path. For example:

copa patch -i -r nginx.1.21.6.json -t 1.21.6-patched --format="openvex" --output "nginx.1.21.6-vex.json"

This will generate a VEX Document that looks like:

"@context": "",
"@id": "",
"author": "Project Copacetic",
"timestamp": "2023-10-11T00:15:00.114768055Z",
"version": 1,
"tooling": "Project Copacetic",
"statements": [
"vulnerability": {
"@id": "CVE-2021-22945"
"products": [
"@id": "pkg:oci/",
"subcomponents": [
"@id": "pkg:deb/debian/curl@7.74.0-1.3+deb11u2?arch=amd64"
"@id": "pkg:deb/debian/libcurl4@7.74.0-1.3+deb11u2?arch=amd64"
"status": "fixed"