VEX Checker

A CLI tool that works with the Red Hat CSAF VEX feed to check the security status of Hummingbird packages, filtering out all other Red Hat products.

Subcommands

Subcommand   Purpose
check        Look up a single CVE and show Hummingbird product statuses
reconcile    Cross-reference Jira CVE tickets with the VEX feed

Prerequisites

  • Python 3.11+
  • Internet access to security.access.redhat.com (no VPN required)
  • JIRA_EMAIL Atlassian account email — required for reconcile
  • JIRA_TOKEN Jira API token — required for reconcile

check — Single CVE lookup

Fetches the CSAF VEX document for a given CVE and prints the status of all Hummingbird products, filtering out all other RHEL/OpenShift/etc. entries.

check: usage

./check_vex.py check CVE-YYYY-NNNNN [--json]

check: options

Option       Description
CVE-ID       CVE to look up
--json, -j   Output results as JSON

check: examples

$ ./check_vex.py check CVE-2014-8090

CVE-2014-8090 — CVE-2014-8090 ruby: REXML billion laughs attack (Moderate)
  hummingbird-1:ruby.src      known_affected  none_available
  hummingbird-1:ruby3.3.src   known_affected  none_available
  hummingbird-1:ruby3.4.src   known_affected  none_available
  hummingbird-1:ruby4.0.src   known_affected  none_available
$ ./check_vex.py check CVE-2014-8090 --json
{
  "cve": "CVE-2014-8090",
  "title": "...",
  "severity": "Moderate",
  "hummingbird": [
    { "product_id": "hummingbird-1:ruby.src", "status": "known_affected", "remediation": "none_available" },
    ...
  ]
}

check: exit codes

Code   Meaning
0      No VEX document found, no Hummingbird products listed, or no known_affected status
1      One or more Hummingbird products are known_affected
2      Invalid CVE ID format

reconcile — Jira/VEX sync check

Queries the Jira HUM project (Security component) for all CVE tickets, then checks each CVE in the VEX feed. Reports two types of mismatches:

  • Open in Jira but not known_affected in VEX — VEX says the issue is resolved but the Jira ticket is still open.
  • Closed in Jira but known_affected in VEX — the Jira ticket was closed but Red Hat’s advisory still marks Hummingbird as affected.

Jira tickets are considered closed when their status is one of: Done, Closed, Won't Fix, Not a Bug.

VEX documents are fetched in parallel (--workers, default 20) so the command is fast even with hundreds of CVE tickets.

reconcile: usage

export JIRA_EMAIL=you@redhat.com
export JIRA_TOKEN=<your-api-token>
./check_vex.py reconcile [--workers N] [--json]

Credentials are read exclusively from environment variables to avoid exposing them in process listings.

reconcile: options

Option       Description
--jira-url   Jira base URL (default: https://redhat.atlassian.net)
--workers    Parallel VEX fetch workers (default: 20)
--json, -j   Output results as JSON

reconcile: example

$ ./check_vex.py reconcile

Fetching Jira tickets... 142 ticket(s)
Fetching VEX statuses for 89 unique CVE(s)...
  89/89
2 mismatch(es) found:

  HUM-1234  CVE-2025-1234  closed → known_affected  (VEX still open)
    Jira: https://redhat.atlassian.net/browse/HUM-1234
    VEX:  https://security.access.redhat.com/data/csaf/v2/vex-feed/2025/cve-2025-1234.json

  HUM-5678  CVE-2024-5678  open → fixed  (VEX not affected)
    Jira: https://redhat.atlassian.net/browse/HUM-5678
    VEX:  https://security.access.redhat.com/data/csaf/v2/vex-feed/2024/cve-2024-5678.json

reconcile: exit codes

Code   Meaning
0      No mismatches found
1      One or more mismatches detected
2      Missing JIRA_EMAIL or JIRA_TOKEN

Development

# Run tests
cd vex-checker && python3 -m unittest discover tests -v

# Run linter (from repo root)
ruff check vex-checker

License

This project is licensed under the GNU General Public License v3.0 or later - see the LICENSE file for details.