fix: N output formats generate N VEX files and N revisions in main VEX file

[QSchulz]

Description

If I call cve-bin-tool with --format csv,html --vex-output result.vex.json --revision-reason 'test', I get

• 1_result.vex.hson
• result.vex.json

with result.vex.json having two metadata.properties entries:

  "metadata": {
    "timestamp": "2026-04-10T12:02:53Z",
    "tools": {
      "components": [
        {
          "name": "lib4vex",
          "version": "0.2.3",
          "type": "application"
        }
      ]
    },
    "properties": [
      {
        "name": "Revision_1",
        "value": "Test"
      },
      {
        "name": "Revision_2",
        "value": "Test"
      }
    ],

To reproduce

Steps to reproduce the behaviour:

sbom.cdx.json:

{
  "bomFormat": "CycloneDX",
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "specVersion": "1.6",
  "components": [
    {
      "bom-ref": "avahi",
      "type": "library",
      "name": "avahi",
      "version": "0.8",
      "licenses": [
        {
          "license": {
            "id": "LGPL-2.1+"
          }
        }
      ],
      "cpe": "cpe:2.3:a:avahi:avahi:0.8:-:*:*:*:*:*:*"
    }
  ]
}

Run:

NO_EXIT_CVE_NUM=1 python3 -m cve_bin_tool.cli \
        --offline \
        --revision-reason 'Test' \
        --sbom cyclonedx \
        --sbom-file sbom.cdx.json \
        --vex-type cyclonedx \
        --vex-output result.vex.json \
        --vendor 'Me' \
        --product 'MyProduct' \
        --release '1.0.0' \
        --format csv,html \
        --output-file cve-check

Expected behaviour: only one VEX file generated, only one revision per call to cve-bin-tool, regardless of the number of output formats.

result.vex.json:

{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:e941d831-c5fb-4719-b632-9b969cfc254e",
  "version": 1,
  "metadata": {
    "timestamp": "2026-04-10T12:49:51Z",
    "tools": {
      "components": [
        {
          "name": "lib4vex",
          "version": "0.2.3",
          "type": "application"
        }
      ]
    },
    "properties": [
      {
        "name": "Revision_1",
        "value": "Test"
      }
    ],
    "component": {
      "type": "application",
      "supplier": {
        "name": "Me"
      },
      "version": "1.0.0",
      "bom-ref": "CDXRef-DOCUMENT",
      "name": "MyProduct"
    }
  },
[...]
}

Actual behaviour: N VEX files generated, the main VEX file contains N revisions, the Y_ VEX files contain Y revision(s).

result.vex.json:

{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:58f05ba4-44e3-4cd3-b027-7f1d49a40d0d",
  "version": 2,
  "metadata": {
    "timestamp": "2026-04-10T12:49:51Z",
    "tools": {
      "components": [
        {
          "name": "lib4vex",
          "version": "0.2.3",
          "type": "application"
        }
      ]
    },
    "properties": [
      {
        "name": "Revision_1",
        "value": "Test"
      },
      {
        "name": "Revision_2",
        "value": "Test"
      }
    ],
    "component": {
      "type": "application",
      "supplier": {
        "name": "Me"
      },
      "version": "1.0.0",
      "bom-ref": "CDXRef-DOCUMENT",
      "name": "MyProduct"
    }
  },
[...]
}

1_result.vex.json:

{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:e941d831-c5fb-4719-b632-9b969cfc254e",
  "version": 1,
  "metadata": {
    "timestamp": "2026-04-10T12:49:51Z",
    "tools": {
      "components": [
        {
          "name": "lib4vex",
          "version": "0.2.3",
          "type": "application"
        }
      ]
    },
    "properties": [
      {
        "name": "Revision_1",
        "value": "Test"
      }
    ],
    "component": {
      "type": "application",
      "supplier": {
        "name": "Me"
      },
      "version": "1.0.0",
      "bom-ref": "CDXRef-DOCUMENT",
      "name": "MyProduct"
    }
  },
[...]
}

Version/platform info

Version of CVE-bin-tool( e.g. output of cve-bin-tool --version): 14719d8
Installed from pypi or github? python3 -m pip install cve-bin-tool@git+https://github.com/ossf/cve-bin-tool@14719d855a42856fc7a36785a2d47e6e6415ffc3 from a venv without system packages
Operating system: Linux/Windows (other platforms are unsupported but feel free to report issues anyhow)

• On Linux (or Windows Subsystem for Linux) you can run uname -a: Linux fedora 6.19.10-200.fc43.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Mar 25 16:09:19 UTC 2026 x86_64 GNU/Linux
• On Windows you can run systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
  Python version (e.g. python3 --version): Python 3.14.3
  Running in any particular CI environment we should know about? (e.g. Github Actions) venv with:

aiodns==4.0.0
aiohappyeyeballs==2.6.1
aiohttp==3.13.4
aiosignal==1.4.0
attrs==26.1.0
beautifulsoup4==4.14.3
brotli==1.2.0
certifi==2026.2.25
cffi==2.0.0
charset-normalizer==3.4.6
csaf-tool==0.3.2
cve-bin-tool @ git+https://github.com/ossf/cve-bin-tool@14719d855a42856fc7a36785a2d47e6e6415ffc3
cvss==3.6
defusedxml==0.7.1
distro==1.9.0
elementpath==5.1.1
fastjsonschema==2.21.2
filetype==1.2.0
frozenlist==1.8.0
idna==3.11
Jinja2==3.1.6
jsonschema==4.26.0
jsonschema-specifications==2025.9.1
lib4sbom==0.10.2
lib4vex==0.2.3
markdown-it-py==4.0.0
MarkupSafe==3.0.3
mdurl==0.1.2
multidict==6.7.1
narwhals==2.18.1
packageurl-python==0.17.6
packaging==26.0
pefile==2024.8.26
plotly==6.6.0
propcache==0.4.1
pycares==5.0.1
pycparser==3.0
Pygments==2.20.0
python-gnupg==0.5.6
PyYAML==6.0.3
referencing==0.37.0
requests==2.33.0
rich==14.3.3
rpds-py==0.30.0
rpmfile==2.1.0
semantic-version==2.10.0
setuptools==82.0.1
soupsieve==2.8.3
typing_extensions==4.15.0
urllib3==2.6.3
xmlschema==4.3.1
yarl==1.23.0
zipp==3.23.0
zstandard==0.25.0

[QSchulz]

My hunch is it should be as easy as:

diff --git a/cve_bin_tool/output_engine/__init__.py b/cve_bin_tool/output_engine/__init__.py
index 54932509..51f2357a 100644
--- a/cve_bin_tool/output_engine/__init__.py
+++ b/cve_bin_tool/output_engine/__init__.py
@@ -852,6 +852,11 @@ class OutputEngine:
                 self.no_scan,
             )
 
+    def output_file_wrapper(self, output_types=["console"]):
+        """Call output_file method for all output types."""
+        for output_type in output_types:
+            self.output_file(output_type)
+
         if isinstance(self.append, str):
             save_intermediate(
                 self.all_cve_data,
@@ -895,11 +900,6 @@ class OutputEngine:
             )
             sbomgen.generate_sbom()
 
-    def output_file_wrapper(self, output_types=["console"]):
-        """Call output_file method for all output types."""
-        for output_type in output_types:
-            self.output_file(output_type)
-
     def output_file(self, output_type="console"):
         """Generate a file for list of CVE"""

(that is, moving the generation of the SBOM, VEX and append files outside of the output_file() method which is called for each and every output formats and instead move it after the forloop on all output formats in output_file_wrapper())

However, maybe we do need to generate a VEX and SBOM and intermediate (--append) files for each kind of output? Maybe that's expected behavior, hence why I'm opening an issue before opening a Pull Request, maybe I'm missing some context.

[ffontaine]

Thanks for the report. Looping in @anthonyharrison for his input.

[anthonyharrison]

The VEX generator will add revisions to an existing VEX file. This was to show the history of the vulnerabilities over time. The original VEX file is preserved so it is possible to look back at the changes over time.

To prevent this, either use a unique filename or remove the file.

I have raised an issue adding an option to lib4vex to disable the revision management feature

[QSchulz]

That's not the issue. A single run of cve-bin-tool with multiple output formats and without any existing VEX file will generate multiple VEX files AND have multiple revisions in them (the number depends on the number of output formats and which VEX file it is). Revisions in a VEX file when you reuse it makes sense to me, I'm not trying to prevent that. I'm trying to prevent having multiple revisions added to a VEX file per run of the tool. So the question would be, should there be a revision per output format generated in a single run of cve-bin-tool. If the answer is no, then I can fix it with the suggested diff. If yes, then this issue can be closed.