Core Verification
Vein
Every dependency. Every CVE. Formally proven.
Formal supply chain analysis for software bills of materials. Vein parses CycloneDX and SPDX SBOMs, cross-references every component against live CVE databases, and applies Z3 formal analysis to fetched source code. Every finding is a proven constraint violation — not a scanner heuristic.
- SBOM: CycloneDX + SPDX
- OSV: CVE Database
- Z3: Source Proof
§ SPECIFICATION
Input
- CycloneDX or SPDX SBOM (JSON)
- Optional: source URLs per component
- Optional: private advisory feed
Constraints Verified
- Component version vs. known CVE ranges (OSV API)
- Integer overflow in C dependencies
- Null pointer dereference paths
- Format string injection in transitive deps
Output
- CVE findings per component with severity + fix version
- Z3 proof artifacts on fetched source
- Wick-compatible artifact JSON per component
- Aggregated supply chain risk report
§ SAMPLE PROOF ARTIFACT
ARTIFACT // VEIN-OPENSSL-01 (FAILURE DETECTED)
// SAMPLE PROOF — VEIN ENGINE
OpenSSL 3.0.7 — CVE-2022-3786 detected in SBOM scan
- Target: CycloneDX SBOM — openssl@3.0.7
- Condition: version = 3.0.7 → CVE-2022-3786 (CRITICAL) unfixed
- Verdict: SAT
- Summary: Critical stack overflow in X.509 certificate verification. Fixed in 3.0.8. SBOM scan flagged before deployment.
- Status: Review-ready
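The version-vs-CVE-range check listed under Constraints Verified, as an added example that is not Vein's own code: it extracts components from a constructed CycloneDX (or SPDX) JSON SBOM, evaluates each one against a constructed OSV-schema advisory whose SEMVER range mirrors the sample artifact's values (3.0.7 affected, fixed 3.0.8), and emits findings with severity and fix version. The SBOM and the advisory record are both constructed here; nothing is fetched from OSV.

```python
import json

# Constructed CycloneDX SBOM (sample input, not from the page): two components.
SBOM_JSON = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
    {"type": "library", "name": "openssl", "version": "3.0.7"},
    {"type": "library", "name": "zlib", "version": "1.3.1"}]})

# Constructed advisory in OSV-schema shape. Range and severity copy the page's
# sample artifact (3.0.7 affected, fixed in 3.0.8); this is not a live OSV record.
ADVISORIES = [{"id": "CVE-2022-3786", "severity": "CRITICAL",
               "affected": [{"package": {"name": "openssl"}, "ranges": [{"type": "SEMVER",
                   "events": [{"introduced": "3.0.0"}, {"fixed": "3.0.8"}]}]}]}]

def parse_version(v):
    """Dotted numeric version -> comparable tuple; non-numeric labels are dropped."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())

def components(sbom_json):
    """Extract (name, version) pairs from a CycloneDX or SPDX JSON document."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") == "CycloneDX":
        return [(c["name"], c.get("version", "")) for c in doc.get("components", [])]
    if "spdxVersion" in doc:
        return [(p["name"], p.get("versionInfo", "")) for p in doc.get("packages", [])]
    raise ValueError("not a CycloneDX or SPDX JSON SBOM")

def in_range(version, events):
    """OSV SEMVER events are sorted; the last introduced/fixed event at or below
    the version decides (last_affected events are not handled here)."""
    v, affected = parse_version(version), False
    for ev in events:
        kind, bound = next(iter(ev.items()))
        if parse_version(bound) <= v:
            affected = kind == "introduced"
    return affected

def scan(sbom_json, advisories):
    """Cross-reference every SBOM component; report id, severity and fix version."""
    findings = []
    for name, version in components(sbom_json):
        for adv in advisories:
            for aff in (a for a in adv["affected"] if a["package"]["name"] == name):
                for rng in aff["ranges"]:
                    if rng["type"] == "SEMVER" and in_range(version, rng["events"]):
                        fixed = next((e["fixed"] for e in rng["events"] if "fixed" in e), None)
                        findings.append({"component": f"{name}@{version}", "id": adv["id"],
                                         "severity": adv["severity"], "fix_version": fixed})
    return findings

if __name__ == "__main__":
    print(json.dumps(scan(SBOM_JSON, ADVISORIES), indent=2))
```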
§ FIELD VALIDATION
| # | Target | Vulnerability Class | Status |
|---|---|---|---|
| 01 | OpenSSL 3.0.x Critical CVE | Critical CVE | Detected + Fixed |
| 02 | libcurl SBOM Integer Overflow | Integer Overflow | Z3 Proof |
Run Vein on your system.
Formal engagement starts with a technical intake. We scope, configure, and deliver a proof artifact within the agreed SLA.