Analysis Profile, Copy assessment, or VEX Import?
Summary
ONEKEY has multiple features that let you apply a vulnerability assessment to more than one finding at a time. The three main ones are Analysis Profile, Copy assessment, and VEX Import. It's not always obvious which one fits a given task. This guide explains when to use each so you can avoid inefficient workflows.
All three features apply an assessment – a status, justification, vendor response, notes, and so on – without triaging every finding by hand. The difference is where the assessment comes from and whether it should affect findings that don't exist yet.
When to use Analysis Profile
Use Analysis Profile rules when you want a consistent, forward-looking decision for a component or class of vulnerabilities. A rule matches vulnerabilities with OQL and applies your assessment automatically after every analysis – including findings that appear in future firmware.
Reach for Analysis Profile when you want to:
- Encode a company-wide triage policy or a product-specific threat model – for example, ignore all disputed CVEs or LOCAL attack vectors.
- Apply the same decision to many firmware images at once instead of assessing each one separately.
- Target findings precisely – by component, CVSS severity, attack vector, EPSS score, CWE, and more.
Note
Rules work best at the component level or for a whole class of CVEs or issues. Writing a rule for an individual CVE is possible, but for a few specific, already-known CVEs it's usually more efficient to use Copy assessment or VEX Import.
Example
Your devices ship with no local console in the field, so CVEs that need LOCAL access aren't reachable; you write one rule – CVEs with the attack vector LOCAL get the Not affected status – and scope it to the entire product.
From this point onward, every new upload for the selected product applies the assessment automatically. To apply the rule to firmware you've already uploaded, use Apply analysis profile or reanalyze them.
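The following is an added example, not ONEKEY code and not OQL: it models the rule from the example above in plain Python so you can see what "forward-looking" means in practice. The rule shape (`Rule`, `apply_rules`, the `products` scope), the product name "Gateway", the CVE ids and the CVSS vectors are all constructed for illustration, and the choice to leave manually assessed findings untouched is an assumption of this example rather than documented ONEKEY behaviour. The same rule object is run over a first upload and then over a later upload that contains a CVE the rule has never seen.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# AV metric value in a CVSS v3.x vector string -> attack vector name.
CVSS_ATTACK_VECTORS = {"N": "NETWORK", "A": "ADJACENT", "L": "LOCAL", "P": "PHYSICAL"}


def attack_vector(cvss_vector: str) -> str:
    """Extract the attack vector from a CVSS v3.0/v3.1 vector string."""
    match = re.search(r"(?:^|/)AV:([NALP])(?:/|$)", cvss_vector)
    if not match:
        raise ValueError(f"no AV metric in CVSS vector: {cvss_vector!r}")
    return CVSS_ATTACK_VECTORS[match.group(1)]


@dataclass(frozen=True)
class Rule:
    """Hypothetical rule shape (not ONEKEY's): a predicate over one finding,
    the assessment it applies, and the products it is scoped to."""
    name: str
    matches: Callable[[dict], bool]
    status: str
    justification: str
    products: frozenset


def local_attack_vector(finding: dict) -> bool:
    return attack_vector(finding["cvss_vector"]) == "LOCAL"


# The rule from the example: attack vector LOCAL -> Not affected, scoped to one product.
RULES = [
    Rule(
        name="no-local-console",
        matches=local_attack_vector,
        status="Not affected",
        justification="Devices ship without a local console; LOCAL attack vector is not reachable",
        products=frozenset({"Gateway"}),
    ),
]


def apply_rules(findings: List[dict], rules: List[Rule], product: str) -> List[dict]:
    """Return copies of the findings with the first in-scope matching rule applied.

    Assumption of this example: rules only fill in findings that are still
    unassessed, so a manual triage decision is never silently overwritten.
    """
    out = []
    for finding in findings:
        updated = dict(finding)
        if updated["status"] == "Unassessed":
            for rule in rules:
                if product in rule.products and rule.matches(updated):
                    updated["status"] = rule.status
                    updated["justification"] = rule.justification
                    updated["assessed_by"] = f"rule:{rule.name}"
                    break
        out.append(updated)
    return out


def status_counts(findings: List[dict]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["status"]] = counts.get(f["status"], 0) + 1
    return counts


# Constructed findings for two uploads of the same product (placeholder CVE ids, not real advisories).
GATEWAY_30 = [
    {"cve": "CVE-2024-0101", "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "Unassessed"},
    {"cve": "CVE-2024-0102", "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "Unassessed"},
    {"cve": "CVE-2024-0103", "cvss_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L", "status": "Affected",
     "justification": "manual triage"},
]
# A later upload carrying a LOCAL CVE the rule has never seen: it is assessed anyway.
GATEWAY_40 = GATEWAY_30[:2] + [
    {"cve": "CVE-2024-0104", "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "Unassessed"},
]

if __name__ == "__main__":
    for name, findings in (("Gateway-3.0", GATEWAY_30), ("Gateway-4.0", GATEWAY_40)):
        print(name, status_counts(apply_rules(findings, RULES, "Gateway")))
```

Running it shows the rule assessing the new CVE-2024-0104 in the second upload without anyone touching it, while a product outside the rule's scope is left entirely unassessed.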
When to use Copy assessment
Use Copy assessment when you have already triaged a firmware and want to carry that work forward to another analysis – typically a new version of a previously analyzed firmware.
It copies a complete assessment – status, justification, vendor response, notes, SSVC data, severity override, and CVSS Environmental scores – from a source firmware to the matching vulnerabilities in a target firmware. It is a one-time copy for the findings you select; it does not create a rule and does not affect vulnerabilities discovered later. You trigger it manually on the target firmware; it does not run automatically when you upload a new version.
Reach for Copy assessment when you want to:
- Reuse your manual triage after uploading a new firmware version, instead of starting from scratch.
- Apply assessments to specific vulnerabilities for a selected firmware without influencing future findings.
Example
You've already triaged Gateway-3.0 – marking CVEs Not affected, writing justifications, and recording vendor responses. When Gateway-4.0 ships with most of the same components, triaging it from scratch would repeat that work. Instead, you copy the assessment from Gateway-3.0 into the Gateway-4.0 analysis; the matching vulnerabilities inherit your earlier decisions, and you only review what genuinely changed between the two versions.
When to use VEX Import
Use VEX Import when the assessment comes from outside ONEKEY – a vendor, distributor, or supplier provides a machine-readable VEX file describing how vulnerabilities affect their product.
Importing the file updates the assessment fields of the matching CVEs with the supplied vendor responses. You choose which CVEs to update, and you can match in Strict or Relaxed mode depending on how closely the file's component identifiers align with what ONEKEY detected.
Reach for VEX Import when you want to:
- Ingest a vendor's official OpenVEX, CSAF, or CycloneDX assessment.
- Clear CVEs a supplier has marked Not affected to cut false-positive noise.
Example
A supplier sends you a VEX file for a component in your Gateway-4.0 firmware. It marks several flagged CVEs as Not affected and notes that the one that does apply is fixed in a newer version. You import the file, select those CVEs, and their assessment fields fill in automatically.
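As an added example that is not ONEKEY's code, here is what processing such a file looks like with OpenVEX, one of the three formats listed above: the supplier's document is parsed, only the CVEs you select are touched, and each matching statement fills in the finding's status, justification and vendor response. The VEX document, the findings, the CVE ids and package URLs are constructed samples; the `strict` and `relaxed` modes are this example's own definitions (strict = component name and version must both match, relaxed = name only) and are not a description of how ONEKEY's matching modes are implemented.

```python
import json
from typing import Iterable, List, Optional, Tuple

# Constructed OpenVEX document standing in for the supplier's file
# (placeholder CVE ids and package URLs, not real advisories).
SUPPLIER_VEX = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/gateway-4.0-supplier-1",
    "author": "Example Supplier PSIRT",
    "timestamp": "2024-01-15T09:00:00Z",
    "version": 1,
    "statements": [
        {"vulnerability": {"name": "CVE-2024-0001"},
         "products": [{"@id": "pkg:generic/busybox@1.36.0"}],
         "status": "not_affected",
         "justification": "vulnerable_code_not_in_execute_path"},
        {"vulnerability": {"name": "CVE-2024-0002"},
         "products": [{"@id": "pkg:generic/busybox@1.36.0"}],
         "status": "not_affected",
         "justification": "vulnerable_code_not_present",
         "impact_statement": "Affected applet is not compiled into this build"},
        # The one CVE that does apply: the supplier says it is fixed in a newer version.
        {"vulnerability": {"name": "CVE-2024-0003"},
         "products": [{"@id": "pkg:generic/libfoo@1.2.3"}],
         "status": "affected",
         "action_statement": "Fixed in libfoo 1.2.4; upgrade the component"},
        # Supplier assessed a slightly different build than the one we detected.
        {"vulnerability": {"name": "CVE-2024-0004"},
         "products": [{"@id": "pkg:generic/openssl@3.0.2"}],
         "status": "not_affected",
         "justification": "inline_mitigations_already_exist"},
    ],
})

# Constructed findings as a scanner might report them for Gateway-4.0.
GATEWAY_40_FINDINGS = [
    {"cve": "CVE-2024-0001", "purl": "pkg:generic/busybox@1.36.0", "status": "Unassessed"},
    {"cve": "CVE-2024-0002", "purl": "pkg:generic/busybox@1.36.0", "status": "Unassessed"},
    {"cve": "CVE-2024-0003", "purl": "pkg:generic/libfoo@1.2.3", "status": "Unassessed"},
    {"cve": "CVE-2024-0004", "purl": "pkg:generic/openssl@3.0.1", "status": "Unassessed"},
    {"cve": "CVE-2024-0005", "purl": "pkg:generic/busybox@1.36.0", "status": "Unassessed"},
]

# OpenVEX status values -> assessment status labels used in this example.
STATUS_MAP = {
    "not_affected": "Not affected",
    "affected": "Affected",
    "fixed": "Fixed",
    "under_investigation": "Under investigation",
}


def split_purl(purl: str) -> Tuple[str, Optional[str]]:
    """Return (type/namespace/name, version) of a package URL, dropping qualifiers and subpath."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" in base:
        name, version = base.rsplit("@", 1)
        return name, version
    return base, None


def purl_matches(stmt_purl: str, finding_purl: str, mode: str) -> bool:
    """strict: name and version must match; relaxed: name only (this example's definitions)."""
    s_name, s_ver = split_purl(stmt_purl)
    f_name, f_ver = split_purl(finding_purl)
    if s_name != f_name:
        return False
    return mode == "relaxed" or s_ver == f_ver


def apply_vex(findings: List[dict], vex_json: str, selected_cves: Iterable[str],
              mode: str = "strict") -> List[dict]:
    """Return copies of the findings; only selected CVEs with a matching statement change."""
    if mode not in ("strict", "relaxed"):
        raise ValueError(f"unknown matching mode: {mode!r}")
    doc = json.loads(vex_json)
    selected = set(selected_cves)
    out = []
    for finding in findings:
        updated = dict(finding)
        if finding["cve"] in selected:
            for stmt in doc["statements"]:
                if stmt["vulnerability"]["name"] != finding["cve"]:
                    continue
                if not any(purl_matches(p["@id"], finding["purl"], mode) for p in stmt["products"]):
                    continue
                updated["status"] = STATUS_MAP[stmt["status"]]
                updated["justification"] = stmt.get("justification", "")
                updated["vendor_response"] = stmt.get("action_statement") or stmt.get("impact_statement") or ""
                updated["source"] = doc["@id"]
                break
        out.append(updated)
    return out


def summarize(findings: List[dict]) -> dict:
    return {f["cve"]: f["status"] for f in findings}
```

In strict mode the openssl statement is skipped because the supplier assessed 3.0.2 and 3.0.1 was detected; relaxed mode accepts it. Which mode is right depends on whether you trust the supplier's statement to cover your exact build, so check the version gap before choosing relaxed.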
Quick reference
| | Analysis Profile rules | Copy assessment | VEX Import |
|---|---|---|---|
| Use it when | You want a reusable, forward-looking decision for a component or vulnerability class | You already triaged a firmware and want to carry that work to another (e.g. a new version) | A vendor or supplier gives you a VEX file with their assessment |
| Assessment comes from | A rule you define in OQL | Your existing manual assessment | An external VEX document |
| Scope | Everything the query matches | The specific findings you select | The CVEs you select from the file |
| Affects future findings? | Yes – runs automatically after every analysis | No – one-time copy | No – one-time import |
