Release Notes: v0.3.0
Release Date: 2026-05-09
This is the initial public release of graphize-appsec.
Highlights
- 16 Reachability Tests - Comprehensive test framework across Reachable (7), Exploitable (6), and Damage (3) categories
- VEX Generation - CycloneDX VEX support for SBOM enrichment and vulnerability communication
- MkDocs Documentation - Full documentation site with PlexusOne theme
Features
Reachability Analysis
- 16-test framework evaluating vulnerability exploitability
- Three test categories with weighted scoring:
  - Reachable (40%) - Is the vulnerable code reachable from entry points?
  - Exploitable (35%) - Are there known exploits or exploitation indicators?
  - Damage (25%) - What's the potential business impact?
- Confidence-weighted results with evidence trails
VEX Generation
- CycloneDX VEX format support
- Automatic justification mapping from test results
- SBOM enrichment via the `vex enrich` command
- Standalone VEX document generation
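To make the justification mapping and SBOM enrichment concrete, here is an added example (not graphize-appsec's own code) that turns one constructed reachability result into a CycloneDX VEX `analysis` block and merges it into an SBOM; the result field names, the mapping rules and the confidence threshold are assumptions made for this example.

```python
import json
from copy import deepcopy

# Constructed example result for one CVE, using the page's Reachable and
# Exploitable categories. The field names are assumptions for this example.
RESULTS = {
    "cve": "CVE-0000-00000",                    # placeholder identifier
    "component_ref": "pkg:npm/example-lib@1.2.3",  # constructed purl
    "reachable": False,      # no call path from an entry point to the vulnerable code
    "exploitable": True,     # public exploitation indicators exist
    "confidence": 0.9,       # assumed 0..1 confidence of the Reachable verdict
    "evidence": ["no call path from entry points to vulnerable function"],
}
MIN_CONFIDENCE = 0.7  # assumed: below this, never assert not_affected

def map_justification(result):
    """Map test outcomes to a CycloneDX VEX analysis block (state/justification)."""
    if result["confidence"] < MIN_CONFIDENCE:
        return {"state": "in_triage"}  # low confidence: do not suppress the finding
    if not result["reachable"]:
        return {"state": "not_affected", "justification": "code_not_reachable"}
    if result["exploitable"]:
        return {"state": "exploitable", "response": ["update"]}
    return {"state": "in_triage"}

def build_vex(result):
    """Build a standalone CycloneDX 1.5 VEX document for one vulnerability."""
    analysis = map_justification(result)
    analysis["detail"] = "; ".join(result["evidence"]) + f" (confidence {result['confidence']:.2f})"
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "vulnerabilities": [{
            "id": result["cve"],
            "source": {"name": "NVD", "url": "https://nvd.nist.gov/"},
            "analysis": analysis,
            "affects": [{"ref": result["component_ref"]}],
        }],
    }

def enrich_sbom(sbom, vex):
    """Return a copy of the SBOM with VEX entries merged in, keyed by vulnerability id."""
    enriched = deepcopy(sbom)
    by_id = {v["id"]: v for v in enriched.get("vulnerabilities", [])}
    for vuln in vex["vulnerabilities"]:
        by_id[vuln["id"]] = vuln  # newer analysis replaces an older entry for the same id
    enriched["vulnerabilities"] = list(by_id.values())
    return enriched

if __name__ == "__main__":
    print(json.dumps(build_vex(RESULTS), indent=2))
```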
CLI Commands
| Command | Description |
|---|---|
| `assess <CVE>` | Assess single vulnerability reachability |
| `vex generate` | Generate standalone VEX document |
| `vex enrich` | Enrich SBOM with VEX analysis |
| `test list` | List available reachability tests |
| `doctor` | Verify environment prerequisites |
Documentation
- Getting Started - Installation and quick workflow
- CLI Reference - Complete command documentation
- Reachability Tests - All 16 tests explained
- VEX Output Format - CycloneDX VEX reference
- Grafana Example - End-to-end walkthrough
Installation
Dependencies
- graphize - Code knowledge graph
- graphfs - Graph storage and traversal
- structured-evaluation - Report framework