diff --git a/apiserver/src/main/java/org/dependencytrack/model/Analysis.java b/apiserver/src/main/java/org/dependencytrack/model/Analysis.java
index c772e979c2..fe88c7db44 100644
--- a/apiserver/src/main/java/org/dependencytrack/model/Analysis.java
+++ b/apiserver/src/main/java/org/dependencytrack/model/Analysis.java
@@ -152,6 +152,18 @@ public class Analysis implements Serializable {
     @JsonProperty(value = "owaspScore")
     private BigDecimal owaspScore;
 
+    /**
+     * The source that owns this analysis.
+     * Tracks whether the analysis was set by POLICY, VEX, MANUAL, or NVD.
+     * Higher-precedence sources prevent lower-precedence sources from overwriting.
+     *
+     * @since 5.8.0
+     */
+    @Persistent(defaultFetchGroup = "true")
+    @Column(name = "SOURCE", jdbcType = "VARCHAR", allowsNull = "true")
+    @JsonProperty(value = "source")
+    private RatingSource source;
+
     @Persistent
     @Column(name = "VULNERABILITY_POLICY_ID", allowsNull = "true")
     @JsonIgnore
@@ -306,6 +318,14 @@ public void setOwaspScore(BigDecimal owaspScore) {
         this.owaspScore = owaspScore;
     }
 
+    public RatingSource getSource() {
+        return source;
+    }
+
+    public void setSource(RatingSource source) {
+        this.source = source;
+    }
+
     public Long getVulnerabilityPolicyId() {
         return vulnerabilityPolicyId;
     }
diff --git a/apiserver/src/main/java/org/dependencytrack/model/RatingSource.java b/apiserver/src/main/java/org/dependencytrack/model/RatingSource.java
new file mode 100644
index 0000000000..9da2587382
--- /dev/null
+++ b/apiserver/src/main/java/org/dependencytrack/model/RatingSource.java
@@ -0,0 +1,46 @@
+/*
+ * This file is part of Dependency-Track.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright (c) OWASP Foundation. All Rights Reserved.
+ */
+package org.dependencytrack.model;
+
+/**
+ * Defines the source of an analysis. Precedence: POLICY > VEX > MANUAL > NVD.
+ *
+ * @since 5.8.0
+ */
+public enum RatingSource {
+
+    POLICY(4),
+    VEX(3),
+    MANUAL(2),
+    NVD(1);
+
+    private final int precedence;
+
+    RatingSource(int precedence) {
+        this.precedence = precedence;
+    }
+
+    public int getPrecedence() {
+        return precedence;
+    }
+
+    public boolean canOverwrite(RatingSource other) {
+        return other == null || this.precedence >= other.precedence;
+    }
+}
diff --git a/apiserver/src/main/java/org/dependencytrack/model/Vulnerability.java b/apiserver/src/main/java/org/dependencytrack/model/Vulnerability.java
index c8aeb118c8..94349adb0e 100644
--- a/apiserver/src/main/java/org/dependencytrack/model/Vulnerability.java
+++ b/apiserver/src/main/java/org/dependencytrack/model/Vulnerability.java
@@ -130,7 +130,8 @@ public enum Source {
         RETIREJS, // Retire.js
         INTERNAL,  // Internally-managed (and manually entered) vulnerability
         OSV, // Google OSV Advisories
-        SNYK;    // Snyk Purl Vulnerability
+        SNYK,    // Snyk Purl Vulnerability
+        UNKNOWN; // Unknown or unrecognized vulnerability source
 
         public static boolean isKnownSource(String source) {
             return Arrays.stream(values()).anyMatch(enumSource -> enumSource.name().equalsIgnoreCase(source));
diff --git a/apiserver/src/main/java/org/dependencytrack/parser/cyclonedx/CycloneDXVexImporter.java b/apiserver/src/main/java/org/dependencytrack/parser/cyclonedx/CycloneDXVexImporter.java
index 8590f85249..49fef7ae7d 100644
--- a/apiserver/src/main/java/org/dependencytrack/parser/cyclonedx/CycloneDXVexImporter.java
+++ b/apiserver/src/main/java/org/dependencytrack/parser/cyclonedx/CycloneDXVexImporter.java
@@ -28,6 +28,7 @@
 import org.dependencytrack.model.Component;
 import org.dependencytrack.model.ComponentIdentity;
 import org.dependencytrack.model.Project;
+import org.dependencytrack.model.RatingSource;
 import org.dependencytrack.model.Vulnerability;
 import org.dependencytrack.parser.cyclonedx.util.ModelConverter;
 import org.dependencytrack.persistence.QueryManager;
@@ -130,8 +131,9 @@ private static List<org.cyclonedx.model.vulnerability.Vulnerability> getApplicab
                         .formatted(vexVulnSource, vexVulnId, vexVulnPos));
                 continue;
             }
-            if (vexVuln.getAnalysis() == null) {
-                LOGGER.debug("VEX vulnerability %s/%s at position #%d does not have an analysis; Skipping it"
+            // Allow VEX entries with either analysis or ratings (or both)
+            if (vexVuln.getAnalysis() == null && CollectionUtils.isEmpty(vexVuln.getRatings())) {
+                LOGGER.debug("VEX vulnerability %s/%s at position #%d does not have an analysis or ratings; Skipping it"
                         .formatted(vexVulnSource, vexVulnId, vexVulnPos));
                 continue;
             }
@@ -145,30 +147,6 @@ private static List<org.cyclonedx.model.vulnerability.Vulnerability> getApplicab
     private static void updateAnalysis(final QueryManager qm, final Component component, final Vulnerability vuln,
                                        final org.cyclonedx.model.vulnerability.Vulnerability cdxVuln) {
         qm.runInTransaction(() -> {
-            final AnalysisState state =
-                    convertCdxVulnAnalysisStateToDtAnalysisState(cdxVuln.getAnalysis().getState());
-            final AnalysisJustification justification =
-                    convertCdxVulnAnalysisJustificationToDtAnalysisJustification(cdxVuln.getAnalysis().getJustification());
-
-            // CycloneDX supports multiple responses, DT only one.
-            // The decision to effectively pick the last one is legacy behavior,
-            // there's no other particular reason for doing it.
-            final AnalysisResponse response;
-            if (cdxVuln.getAnalysis().getResponses() != null
-                    && !cdxVuln.getAnalysis().getResponses().isEmpty()) {
-                response = cdxVuln.getAnalysis().getResponses().stream()
-                        .map(ModelConverter::convertCdxVulnAnalysisResponseToDtAnalysisResponse)
-                        .toList()
-                        .getLast();
-            } else {
-                response = null;
-            }
-
-            final boolean isSuppressed =
-                    state == AnalysisState.FALSE_POSITIVE
-                            || state == AnalysisState.NOT_AFFECTED
-                            || state == AnalysisState.RESOLVED;
-
             final Component persistentComponent = !isPersistent(component)
                     ? qm.getObjectById(Component.class, component.getId())
                     : component;
@@ -176,14 +154,58 @@ private static void updateAnalysis(final QueryManager qm, final Component compon
                     ? qm.getObjectById(Vulnerability.class, vuln.getId())
                     : vuln;
 
-            qm.makeAnalysis(
-                    new MakeAnalysisCommand(persistentComponent, persistentVuln)
-                            .withState(state)
-                            .withJustification(justification)
-                            .withResponse(response)
-                            .withDetails(cdxVuln.getAnalysis().getDetail())
-                            .withCommenter(COMMENTER)
-                            .withSuppress(isSuppressed));
+            MakeAnalysisCommand command = new MakeAnalysisCommand(persistentComponent, persistentVuln)
+                    .withCommenter(COMMENTER)
+                    .withSource(RatingSource.VEX);
+
+            if (cdxVuln.getAnalysis() != null) {
+                final AnalysisState state = convertCdxVulnAnalysisStateToDtAnalysisState(cdxVuln.getAnalysis().getState());
+                final AnalysisJustification justification = convertCdxVulnAnalysisJustificationToDtAnalysisJustification(cdxVuln.getAnalysis().getJustification());
+
+                // CycloneDX supports multiple responses, DT only one.
+                // The decision to effectively pick the last one is legacy behavior,
+                // there's no other particular reason for doing it.
+                final AnalysisResponse response;
+                if (cdxVuln.getAnalysis().getResponses() != null
+                        && !cdxVuln.getAnalysis().getResponses().isEmpty()) {
+                    response = cdxVuln.getAnalysis().getResponses().stream()
+                            .map(ModelConverter::convertCdxVulnAnalysisResponseToDtAnalysisResponse)
+                            .toList()
+                            .getLast();
+                } else {
+                    response = null;
+                }
+
+                final boolean isSuppressed = state == AnalysisState.FALSE_POSITIVE
+                        || state == AnalysisState.NOT_AFFECTED
+                        || state == AnalysisState.RESOLVED;
+
+                command = command
+                        .withState(state)
+                        .withJustification(justification)
+                        .withResponse(response)
+                        .withDetails(cdxVuln.getAnalysis().getDetail())
+                        .withSuppress(isSuppressed);
+            }
+
+            if (cdxVuln.getRatings() != null && !cdxVuln.getRatings().isEmpty()) {
+                for (final org.cyclonedx.model.vulnerability.Vulnerability.Rating rating : cdxVuln.getRatings()) {
+                    if (rating.getMethod() == org.cyclonedx.model.vulnerability.Vulnerability.Rating.Method.OWASP) {
+                        if (rating.getVector() == null && rating.getScore() == null) {
+                            LOGGER.warn("VEX OWASP rating has neither vector nor score - skipping");
+                            continue;
+                        }
+
+                        final java.math.BigDecimal score = rating.getScore() != null
+                                ? java.math.BigDecimal.valueOf(rating.getScore())
+                                : null;
+                        command = command.withOwasp(rating.getVector(), score);
+                        break;
+                    }
+                }
+            }
+
+            qm.makeAnalysis(command);
         });
     }
 }
\ No newline at end of file
diff --git a/apiserver/src/main/java/org/dependencytrack/persistence/AnalysisQueryManager.java b/apiserver/src/main/java/org/dependencytrack/persistence/AnalysisQueryManager.java
index 3c27656c78..e5f69f48f1 100644
--- a/apiserver/src/main/java/org/dependencytrack/persistence/AnalysisQueryManager.java
+++ b/apiserver/src/main/java/org/dependencytrack/persistence/AnalysisQueryManager.java
@@ -27,6 +27,7 @@
 import org.dependencytrack.model.AnalysisResponse;
 import org.dependencytrack.model.AnalysisState;
 import org.dependencytrack.model.Component;
+import org.dependencytrack.model.RatingSource;
 import org.dependencytrack.model.Vulnerability;
 import org.dependencytrack.notification.JdoNotificationEmitter;
 import org.dependencytrack.notification.NotificationModelConverter;
@@ -102,27 +103,49 @@ public long makeAnalysis(final MakeAnalysisCommand command) {
             boolean stateChanged = false;
             boolean suppressionChanged = false;
 
-            if (command.state() != null && command.state() != analysis.getAnalysisState()) {
-                auditTrailComments.add("Analysis: %s → %s".formatted(analysis.getAnalysisState(), command.state()));
-                analysis.setAnalysisState(command.state());
-                stateChanged = true;
-            }
-            if (command.justification() != null && command.justification() != analysis.getAnalysisJustification()) {
-                auditTrailComments.add("Justification: %s → %s".formatted(analysis.getAnalysisJustification(), command.justification()));
-                analysis.setAnalysisJustification(command.justification());
-            }
-            if (command.response() != null && command.response() != analysis.getAnalysisResponse()) {
-                auditTrailComments.add("Vendor Response: %s → %s".formatted(analysis.getAnalysisResponse(), command.response()));
-                analysis.setAnalysisResponse(command.response());
-            }
-            if (command.details() != null && !command.details().equals(analysis.getAnalysisDetails())) {
-                auditTrailComments.add("Details: %s".formatted(command.details()));
-                analysis.setAnalysisDetails(command.details());
-            }
-            if (command.suppress() != null && command.suppress() != analysis.isSuppressed()) {
-                auditTrailComments.add(command.suppress() ? "Suppressed" : "Unsuppressed");
-                analysis.setSuppressed(command.suppress());
-                suppressionChanged = true;
+            final boolean canUpdate = canUpdateAnalysis(analysis.getSource(), command.source());
+
+            if (canUpdate) {
+                if (command.state() != null && command.state() != analysis.getAnalysisState()) {
+                    auditTrailComments.add("Analysis: %s → %s".formatted(analysis.getAnalysisState(), command.state()));
+                    analysis.setAnalysisState(command.state());
+                    stateChanged = true;
+                }
+                if (command.justification() != null && command.justification() != analysis.getAnalysisJustification()) {
+                    auditTrailComments.add("Justification: %s → %s".formatted(analysis.getAnalysisJustification(), command.justification()));
+                    analysis.setAnalysisJustification(command.justification());
+                }
+                if (command.response() != null && command.response() != analysis.getAnalysisResponse()) {
+                    auditTrailComments.add("Vendor Response: %s → %s".formatted(analysis.getAnalysisResponse(), command.response()));
+                    analysis.setAnalysisResponse(command.response());
+                }
+                if (command.details() != null && !command.details().equals(analysis.getAnalysisDetails())) {
+                    auditTrailComments.add("Details: %s".formatted(command.details()));
+                    analysis.setAnalysisDetails(command.details());
+                }
+                if (command.suppress() != null && command.suppress() != analysis.isSuppressed()) {
+                    auditTrailComments.add(command.suppress() ? "Suppressed" : "Unsuppressed");
+                    analysis.setSuppressed(command.suppress());
+                    suppressionChanged = true;
+                }
+
+                if (command.owaspVector() != null && !command.owaspVector().equals(analysis.getOwaspVector())) {
+                    auditTrailComments.add("OWASP RR Vector: %s → %s".formatted(
+                            analysis.getOwaspVector(), command.owaspVector()));
+                    analysis.setOwaspVector(command.owaspVector());
+                }
+                if (command.owaspScore() != null && !command.owaspScore().equals(analysis.getOwaspScore())) {
+                    auditTrailComments.add("OWASP RR Score: %s → %s".formatted(
+                            analysis.getOwaspScore(), command.owaspScore()));
+                    analysis.setOwaspScore(command.owaspScore());
+                }
+
+                if (command.source() != null && analysis.getSource() != command.source()) {
+                    if (analysis.getSource() != null) {
+                        auditTrailComments.add("Source: %s → %s".formatted(analysis.getSource(), command.source()));
+                    }
+                    analysis.setSource(command.source());
+                }
             }
 
             final List<String> comments =
@@ -198,4 +221,11 @@ private void createAnalysisComments(
         });
     }
 
+    private boolean canUpdateAnalysis(final RatingSource existingSource, final RatingSource newSource) {
+        if (newSource == null || existingSource == null) {
+            return true;
+        }
+        return newSource.canOverwrite(existingSource);
+    }
+
 }
diff --git a/apiserver/src/main/java/org/dependencytrack/persistence/command/MakeAnalysisCommand.java b/apiserver/src/main/java/org/dependencytrack/persistence/command/MakeAnalysisCommand.java
index 956d3b21a1..b8eb371f39 100644
--- a/apiserver/src/main/java/org/dependencytrack/persistence/command/MakeAnalysisCommand.java
+++ b/apiserver/src/main/java/org/dependencytrack/persistence/command/MakeAnalysisCommand.java
@@ -22,9 +22,11 @@
 import org.dependencytrack.model.AnalysisResponse;
 import org.dependencytrack.model.AnalysisState;
 import org.dependencytrack.model.Component;
+import org.dependencytrack.model.RatingSource;
 import org.dependencytrack.model.Vulnerability;
 import org.dependencytrack.notification.proto.v1.Group;
 
+import java.math.BigDecimal;
 import java.util.Collections;
 import java.util.Set;
 
@@ -38,8 +40,11 @@
  * @param response      The vendor response to set
  * @param details       The details to set
  * @param suppress      Whether to suppress the finding
+ * @param source        The source that owns this analysis (POLICY, VEX, MANUAL, NVD)
  * @param commenter     Name of the principal on which behalf audit trail entries will be created
  * @param comment       The comment to add to the audit trail
+ * @param owaspVector   OWASP RR vector to set
+ * @param owaspScore    OWASP RR score to set
  * @param options       Additional options
  * @since 5.0.0
  */
@@ -51,8 +56,11 @@ public record MakeAnalysisCommand(
         AnalysisResponse response,
         String details,
         Boolean suppress,
+        RatingSource source,
         String commenter,
         String comment,
+        String owaspVector,
+        BigDecimal owaspScore,
         Set<Option> options) {
 
     public enum Option {
@@ -77,39 +85,48 @@ public enum Option {
     }
 
     public MakeAnalysisCommand(final Component component, final Vulnerability vulnerability) {
-        this(component, vulnerability, null, null, null, null, null, null, null, Collections.emptySet());
+        this(component, vulnerability, null, null, null, null, null, null, null, null,
+             null, null, Collections.emptySet());
     }
 
     public MakeAnalysisCommand withState(final AnalysisState state) {
-        return new MakeAnalysisCommand(this.component, this.vulnerability, state, this.justification, this.response, this.details, this.suppress, this.commenter, this.comment, this.options);
+        return new MakeAnalysisCommand(this.component, this.vulnerability, state, this.justification, this.response, this.details, this.suppress, this.source, this.commenter, this.comment, this.owaspVector, this.owaspScore, this.options);
     }
 
     public MakeAnalysisCommand withJustification(final AnalysisJustification justification) {
-        return new MakeAnalysisCommand(this.component, this.vulnerability, this.state, justification, this.response, this.details, this.suppress, this.commenter, this.comment, this.options);
+        return new MakeAnalysisCommand(this.component, this.vulnerability, this.state, justification, this.response, this.details, this.suppress, this.source, this.commenter, this.comment, this.owaspVector, this.owaspScore, this.options);
     }
 
     public MakeAnalysisCommand withResponse(final AnalysisResponse response) {
-        return new MakeAnalysisCommand(this.component, this.vulnerability, this.state, this.justification, response, this.details, this.suppress, this.commenter, this.comment, this.options);
+        return new MakeAnalysisCommand(this.component, this.vulnerability, this.state, this.justification, response, this.details, this.suppress, this.source, this.commenter, this.comment, this.owaspVector, this.owaspScore, this.options);
     }
 
     public MakeAnalysisCommand withDetails(final String detail) {
-        return new MakeAnalysisCommand(this.component, this.vulnerability, this.state, this.justification, this.response, detail, this.suppress, this.commenter, this.comment, this.options);
+        return new MakeAnalysisCommand(this.component, this.vulnerability, this.state, this.justification, this.response, detail, this.suppress, this.source, this.commenter, this.comment, this.owaspVector, this.owaspScore, this.options);
     }
 
     public MakeAnalysisCommand withSuppress(final Boolean suppress) {
-        return new MakeAnalysisCommand(this.component, this.vulnerability, this.state, this.justification, this.response, this.details, suppress, this.commenter, this.comment, this.options);
+        return new MakeAnalysisCommand(this.component, this.vulnerability, this.state, this.justification, this.response, this.details, suppress, this.source, this.commenter, this.comment, this.owaspVector, this.owaspScore, this.options);
+    }
+
+    public MakeAnalysisCommand withSource(final RatingSource source) {
+        return new MakeAnalysisCommand(this.component, this.vulnerability, this.state, this.justification, this.response, this.details, this.suppress, source, this.commenter, this.comment, this.owaspVector, this.owaspScore, this.options);
     }
 
     public MakeAnalysisCommand withCommenter(final String commenter) {
-        return new MakeAnalysisCommand(this.component, this.vulnerability, this.state, this.justification, this.response, this.details, this.suppress, commenter, this.comment, this.options);
+        return new MakeAnalysisCommand(this.component, this.vulnerability, this.state, this.justification, this.response, this.details, this.suppress, this.source, commenter, this.comment, this.owaspVector, this.owaspScore, this.options);
     }
 
     public MakeAnalysisCommand withComment(final String comment) {
-        return new MakeAnalysisCommand(this.component, this.vulnerability, this.state, this.justification, this.response, this.details, this.suppress, this.commenter, comment, this.options);
+        return new MakeAnalysisCommand(this.component, this.vulnerability, this.state, this.justification, this.response, this.details, this.suppress, this.source, this.commenter, comment, this.owaspVector, this.owaspScore, this.options);
+    }
+
+    public MakeAnalysisCommand withOwasp(final String vector, final BigDecimal score) {
+        return new MakeAnalysisCommand(this.component, this.vulnerability, this.state, this.justification, this.response, this.details, this.suppress, this.source, this.commenter, this.comment, vector, score, this.options);
     }
 
     public MakeAnalysisCommand withOptions(final Set<Option> options) {
-        return new MakeAnalysisCommand(this.component, this.vulnerability, this.state, this.justification, this.response, this.details, this.suppress, this.commenter, this.comment, options);
+        return new MakeAnalysisCommand(this.component, this.vulnerability, this.state, this.justification, this.response, this.details, this.suppress, this.source, this.commenter, this.comment, this.owaspVector, this.owaspScore, options);
     }
 
 }
diff --git a/apiserver/src/main/java/org/dependencytrack/persistence/jdbi/AnalysisDao.java b/apiserver/src/main/java/org/dependencytrack/persistence/jdbi/AnalysisDao.java
index 478cf55d63..80d3fdf518 100644
--- a/apiserver/src/main/java/org/dependencytrack/persistence/jdbi/AnalysisDao.java
+++ b/apiserver/src/main/java/org/dependencytrack/persistence/jdbi/AnalysisDao.java
@@ -284,6 +284,7 @@ WITH cte_vuln_policy AS (
                         , "CVSSV4SCORE"
                         , "OWASPVECTOR"
                         , "OWASPSCORE"
+                        , "SOURCE"
                         )
                         SELECT project_id
                              , component_id
@@ -303,6 +304,7 @@ WITH cte_vuln_policy AS (
                              , cvss_v4_score
                              , owasp_vector
                              , owasp_score
+                             , 'POLICY'
                           FROM UNNEST (
                             :projectIds
                           , :componentIds
@@ -363,6 +365,7 @@ ON CONFLICT ("PROJECT_ID", "COMPONENT_ID", "VULNERABILITY_ID") DO UPDATE
                           , "CVSSV4SCORE" = EXCLUDED."CVSSV4SCORE"
                           , "OWASPVECTOR" = EXCLUDED."OWASPVECTOR"
                           , "OWASPSCORE" = EXCLUDED."OWASPSCORE"
+                          , "SOURCE" = EXCLUDED."SOURCE"
                         WHERE (
                             a."VULNERABILITY_POLICY_ID"
                           , a."STATE"
@@ -379,6 +382,7 @@ ON CONFLICT ("PROJECT_ID", "COMPONENT_ID", "VULNERABILITY_ID") DO UPDATE
                           , a."CVSSV4SCORE"
                           , a."OWASPVECTOR"
                           , a."OWASPSCORE"
+                          , a."SOURCE"
                           ) IS DISTINCT FROM (
                             EXCLUDED."VULNERABILITY_POLICY_ID"
                           , EXCLUDED."STATE"
@@ -395,6 +399,7 @@ ON CONFLICT ("PROJECT_ID", "COMPONENT_ID", "VULNERABILITY_ID") DO UPDATE
                           , EXCLUDED."CVSSV4SCORE"
                           , EXCLUDED."OWASPVECTOR"
                           , EXCLUDED."OWASPSCORE"
+                          , EXCLUDED."SOURCE"
                           )
                         RETURNING "ID"
                                 , "COMPONENT_ID"
diff --git a/apiserver/src/main/java/org/dependencytrack/persistence/jdbi/VulnerabilityPolicyDao.java b/apiserver/src/main/java/org/dependencytrack/persistence/jdbi/VulnerabilityPolicyDao.java
index b781fbf825..301b7f57d5 100644
--- a/apiserver/src/main/java/org/dependencytrack/persistence/jdbi/VulnerabilityPolicyDao.java
+++ b/apiserver/src/main/java/org/dependencytrack/persistence/jdbi/VulnerabilityPolicyDao.java
@@ -277,6 +277,7 @@ record AnalysisWithPolicyNameRow(
                  , "CVSSV4SCORE" = NULL
                  , "OWASPVECTOR" = NULL
                  , "OWASPSCORE" = NULL
+                 , "SOURCE" = NULL
                  , "VULNERABILITY_POLICY_ID" = NULL
               FROM "ANALYSIS" AS old
              WHERE new."ID" = old."ID"
@@ -307,6 +308,7 @@ record AnalysisWithPolicyNameRow(
                  , "CVSSV4SCORE" = NULL
                  , "OWASPVECTOR" = NULL
                  , "OWASPSCORE" = NULL
+                 , "SOURCE" = NULL
                  , "VULNERABILITY_POLICY_ID" = NULL
               FROM "ANALYSIS" AS old
              WHERE new."ID" = old."ID"
@@ -340,6 +342,7 @@ private List<AnalysisWithPolicyNameRow> unassignFromAnalysesByBundleId(long bund
                              , "CVSSV4SCORE" = NULL
                              , "OWASPVECTOR" = NULL
                              , "OWASPSCORE" = NULL
+                             , "SOURCE" = NULL
                              , "VULNERABILITY_POLICY_ID" = NULL
                           FROM "ANALYSIS" AS old
                          INNER JOIN "VULNERABILITY_POLICY" AS vp
diff --git a/apiserver/src/main/java/org/dependencytrack/persistence/jdbi/mapping/AnalysisRowMapper.java b/apiserver/src/main/java/org/dependencytrack/persistence/jdbi/mapping/AnalysisRowMapper.java
index e90350f95a..6aa1e84ee7 100644
--- a/apiserver/src/main/java/org/dependencytrack/persistence/jdbi/mapping/AnalysisRowMapper.java
+++ b/apiserver/src/main/java/org/dependencytrack/persistence/jdbi/mapping/AnalysisRowMapper.java
@@ -23,6 +23,7 @@
 import org.dependencytrack.model.AnalysisResponse;
 import org.dependencytrack.model.AnalysisState;
 import org.dependencytrack.model.Component;
+import org.dependencytrack.model.RatingSource;
 import org.dependencytrack.model.Severity;
 import org.dependencytrack.model.Vulnerability;
 import org.jdbi.v3.core.mapper.RowMapper;
@@ -63,6 +64,7 @@ public Analysis map(final ResultSet rs, final StatementContext ctx) throws SQLEx
         maybeSet(rs, "CVSSV4SCORE", ResultSet::getBigDecimal, analysis::setCvssV4Score);
         maybeSet(rs, "OWASPVECTOR", ResultSet::getString, analysis::setOwaspVector);
         maybeSet(rs, "OWASPSCORE", ResultSet::getBigDecimal, analysis::setOwaspScore);
+        maybeSet(rs, "SOURCE", ResultSet::getString, value -> analysis.setSource(RatingSource.valueOf(value)));
         return analysis;
     }
 
diff --git a/apiserver/src/main/java/org/dependencytrack/resources/v1/AnalysisResource.java b/apiserver/src/main/java/org/dependencytrack/resources/v1/AnalysisResource.java
index 1088c90d12..5e064d8414 100644
--- a/apiserver/src/main/java/org/dependencytrack/resources/v1/AnalysisResource.java
+++ b/apiserver/src/main/java/org/dependencytrack/resources/v1/AnalysisResource.java
@@ -44,6 +44,7 @@
 import org.dependencytrack.model.Analysis;
 import org.dependencytrack.model.Component;
 import org.dependencytrack.model.Project;
+import org.dependencytrack.model.RatingSource;
 import org.dependencytrack.model.Vulnerability;
 import org.dependencytrack.model.validation.ValidUuid;
 import org.dependencytrack.persistence.QueryManager;
@@ -152,7 +153,8 @@ public Response updateAnalysis(AnalysisRequest request) {
                 validator.validateProperty(request, "analysisJustification"),
                 validator.validateProperty(request, "analysisResponse"),
                 validator.validateProperty(request, "analysisDetails"),
-                validator.validateProperty(request, "comment")
+                validator.validateProperty(request, "comment"),
+                validator.validateProperty(request, "owaspVector")
         );
         try (final var qm = new QueryManager(getAlpineRequest())) {
             return qm.callInTransaction(() -> {
@@ -174,14 +176,20 @@ public Response updateAnalysis(AnalysisRequest request) {
                             .build();
                 }
 
-                final long analysisId = qm.makeAnalysis(
-                        new MakeAnalysisCommand(component, vulnerability)
-                                .withState(request.getAnalysisState())
-                                .withJustification(request.getAnalysisJustification())
-                                .withResponse(request.getAnalysisResponse())
-                                .withDetails(request.getAnalysisDetails())
-                                .withSuppress(request.isSuppressed())
-                                .withComment(request.getComment()));
+                var command = new MakeAnalysisCommand(component, vulnerability)
+                        .withState(request.getAnalysisState())
+                        .withJustification(request.getAnalysisJustification())
+                        .withResponse(request.getAnalysisResponse())
+                        .withDetails(request.getAnalysisDetails())
+                        .withSuppress(request.isSuppressed())
+                        .withComment(request.getComment())
+                        .withSource(RatingSource.MANUAL);
+
+                if (request.getOwaspVector() != null || request.getOwaspScore() != null) {
+                    command = command.withOwasp(request.getOwaspVector(), request.getOwaspScore());
+                }
+
+                final long analysisId = qm.makeAnalysis(command);
 
                 return Response.ok(qm.getObjectById(Analysis.class, analysisId)).build();
             });
diff --git a/apiserver/src/main/java/org/dependencytrack/resources/v1/vo/AnalysisRequest.java b/apiserver/src/main/java/org/dependencytrack/resources/v1/vo/AnalysisRequest.java
index 79ae0985f8..f81d8a532e 100644
--- a/apiserver/src/main/java/org/dependencytrack/resources/v1/vo/AnalysisRequest.java
+++ b/apiserver/src/main/java/org/dependencytrack/resources/v1/vo/AnalysisRequest.java
@@ -29,6 +29,8 @@
 import org.dependencytrack.model.AnalysisResponse;
 import org.dependencytrack.model.AnalysisState;
 
+import java.math.BigDecimal;
+
 /**
  * Defines a custom request object used when updating analysis decisions.
  *
@@ -68,6 +70,12 @@ public class AnalysisRequest {
 
     private final Boolean suppressed; // Optional. If not specified, we do not want to set value to false, thus using Boolean object rather than primitive.
 
+    @JsonDeserialize(using = TrimmedStringDeserializer.class)
+    @Pattern(regexp = RegexSequence.Definition.PRINTABLE_CHARS_PLUS, message = "The OWASP vector may only contain printable characters")
+    private final String owaspVector;
+
+    private final BigDecimal owaspScore;
+
     @JsonCreator
     public AnalysisRequest(@JsonProperty(value = "project") String project,
                            @JsonProperty(value = "component", required = true) String component,
@@ -77,7 +85,9 @@ public AnalysisRequest(@JsonProperty(value = "project") String project,
                            @JsonProperty(value = "analysisResponse") AnalysisResponse analysisResponse,
                            @JsonProperty(value = "analysisDetails") String analysisDetails,
                            @JsonProperty(value = "comment") String comment,
-                           @JsonProperty(value = "isSuppressed") Boolean suppressed) {
+                           @JsonProperty(value = "isSuppressed") Boolean suppressed,
+                           @JsonProperty(value = "owaspVector") String owaspVector,
+                           @JsonProperty(value = "owaspScore") BigDecimal owaspScore) {
         this.project = project;
         this.component = component;
         this.vulnerability = vulnerability;
@@ -87,6 +97,8 @@ public AnalysisRequest(@JsonProperty(value = "project") String project,
         this.analysisDetails = analysisDetails;
         this.comment = comment;
         this.suppressed = suppressed;
+        this.owaspVector = owaspVector;
+        this.owaspScore = owaspScore;
     }
 
     public String getProject() {
@@ -136,4 +148,13 @@ public String getComment() {
     public Boolean isSuppressed() {
         return suppressed;
     }
+
+    public String getOwaspVector() {
+        return owaspVector;
+    }
+
+    public BigDecimal getOwaspScore() {
+        return owaspScore;
+    }
+
 }
diff --git a/apiserver/src/test/java/org/dependencytrack/model/RatingSourceTest.java b/apiserver/src/test/java/org/dependencytrack/model/RatingSourceTest.java
new file mode 100644
index 0000000000..b68e3da026
--- /dev/null
+++ b/apiserver/src/test/java/org/dependencytrack/model/RatingSourceTest.java
@@ -0,0 +1,139 @@
+/*
+ * This file is part of Dependency-Track.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright (c) OWASP Foundation. All Rights Reserved.
+ */
+package org.dependencytrack.model;
+
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+/**
+ * Tests for {@link RatingSource} precedence and overwrite logic.
+ * Precedence order: POLICY > VEX > MANUAL > NVD
+ */
+class RatingSourceTest {
+
+    @Test
+    void testPrecedenceOrder() {
+        // Verify precedence values are correctly ordered: POLICY > VEX > MANUAL > NVD
+        assertTrue(RatingSource.POLICY.getPrecedence() > RatingSource.VEX.getPrecedence());
+        assertTrue(RatingSource.VEX.getPrecedence() > RatingSource.MANUAL.getPrecedence());
+        assertTrue(RatingSource.MANUAL.getPrecedence() > RatingSource.NVD.getPrecedence());
+    }
+
+    @Test
+    void testCanOverwrite_PolicyOverwritesAll() {
+        // POLICY should be able to overwrite everything (highest precedence)
+        assertTrue(RatingSource.POLICY.canOverwrite(RatingSource.POLICY));
+        assertTrue(RatingSource.POLICY.canOverwrite(RatingSource.VEX));
+        assertTrue(RatingSource.POLICY.canOverwrite(RatingSource.MANUAL));
+        assertTrue(RatingSource.POLICY.canOverwrite(RatingSource.NVD));
+        assertTrue(RatingSource.POLICY.canOverwrite(null));
+    }
+
+    @Test
+    void testCanOverwrite_VexOverwritesManualAndNvd() {
+        // VEX should be able to overwrite itself, MANUAL, and NVD
+        assertTrue(RatingSource.VEX.canOverwrite(RatingSource.VEX));
+        assertTrue(RatingSource.VEX.canOverwrite(RatingSource.MANUAL));
+        assertTrue(RatingSource.VEX.canOverwrite(RatingSource.NVD));
+        assertTrue(RatingSource.VEX.canOverwrite(null));
+
+        // VEX should NOT be able to overwrite POLICY
+        assertFalse(RatingSource.VEX.canOverwrite(RatingSource.POLICY));
+    }
+
+    @Test
+    void testCanOverwrite_ManualOverwritesOnlyNvd() {
+        // MANUAL should be able to overwrite itself and NVD
+        assertTrue(RatingSource.MANUAL.canOverwrite(RatingSource.MANUAL));
+        assertTrue(RatingSource.MANUAL.canOverwrite(RatingSource.NVD));
+        assertTrue(RatingSource.MANUAL.canOverwrite(null));
+
+        // MANUAL should NOT be able to overwrite POLICY or VEX
+        assertFalse(RatingSource.MANUAL.canOverwrite(RatingSource.POLICY));
+        assertFalse(RatingSource.MANUAL.canOverwrite(RatingSource.VEX));
+    }
+
+    @Test
+    void testCanOverwrite_NvdOverwritesOnlyItself() {
+        // NVD should be able to overwrite itself and null
+        assertTrue(RatingSource.NVD.canOverwrite(RatingSource.NVD));
+        assertTrue(RatingSource.NVD.canOverwrite(null));
+
+        // NVD should NOT be able to overwrite any higher precedence source
+        assertFalse(RatingSource.NVD.canOverwrite(RatingSource.POLICY));
+        assertFalse(RatingSource.NVD.canOverwrite(RatingSource.VEX));
+        assertFalse(RatingSource.NVD.canOverwrite(RatingSource.MANUAL));
+    }
+
+    @Test
+    void testCanOverwrite_NullSource() {
+        // All sources should be able to overwrite null (no existing rating)
+        assertTrue(RatingSource.POLICY.canOverwrite(null));
+        assertTrue(RatingSource.VEX.canOverwrite(null));
+        assertTrue(RatingSource.MANUAL.canOverwrite(null));
+        assertTrue(RatingSource.NVD.canOverwrite(null));
+    }
+
+    @Test
+    void testRealWorldScenario_PolicyEnforcesStandards() {
+        // Scenario: Analyst manually sets score to 5.0
+        // Later, organizational policy requires minimum 8.0 for this vulnerability type
+        // POLICY should overwrite MANUAL to enforce security standards
+        assertTrue(RatingSource.POLICY.canOverwrite(RatingSource.MANUAL),
+                "POLICY should enforce organizational security standards over manual assessments");
+    }
+
+    @Test
+    void testRealWorldScenario_VexOverridesManual() {
+        // Scenario: Analyst manually sets score to 9.0
+        // Later, authoritative VEX document provides context-aware score of 7.2
+        // VEX should overwrite MANUAL as it represents authoritative assessment
+        assertTrue(RatingSource.VEX.canOverwrite(RatingSource.MANUAL),
+                "Authoritative VEX ratings should overwrite manual assessments");
+    }
+
+    @Test
+    void testRealWorldScenario_PolicyNotOverwritableByManual() {
+        // Scenario: Policy sets minimum score 8.0
+        // Analyst tries to manually lower it to 5.0
+        // MANUAL should NOT be able to overwrite POLICY (policy enforcement)
+        assertFalse(RatingSource.MANUAL.canOverwrite(RatingSource.POLICY),
+                "Manual assessments should not override organizational policies");
+    }
+
+    @Test
+    void testRealWorldScenario_VexUpdatesVex() {
+        // Scenario: First VEX import sets score to 7.2
+        // Later, an updated VEX document with revised score 8.5 is imported
+        // The new VEX rating should overwrite the old one
+        assertTrue(RatingSource.VEX.canOverwrite(RatingSource.VEX),
+                "Updated VEX ratings should overwrite previous VEX ratings");
+    }
+
+    @Test
+    void testRealWorldScenario_PolicyCanBeUpdated() {
+        // Scenario: Policy sets score to 8.0
+        // Later, policy is updated to require score 9.0
+        // POLICY should be able to update itself
+        assertTrue(RatingSource.POLICY.canOverwrite(RatingSource.POLICY),
+                "Policies should be updatable by newer policy versions");
+    }
+}
diff --git a/apiserver/src/test/java/org/dependencytrack/notification/ProcessScheduledNotificationRuleActivityTest.java b/apiserver/src/test/java/org/dependencytrack/notification/ProcessScheduledNotificationRuleActivityTest.java
index a022716e01..98d4ca182f 100644
--- a/apiserver/src/test/java/org/dependencytrack/notification/ProcessScheduledNotificationRuleActivityTest.java
+++ b/apiserver/src/test/java/org/dependencytrack/notification/ProcessScheduledNotificationRuleActivityTest.java
@@ -100,9 +100,10 @@ void shouldDispatchNewVulnNotification() throws InvalidProtocolBufferException {
                 null, null, Date.from(afterRuleLastFiredAt));
         qm.addVulnerability(vulnB, parentProjectComponent, "internal",
                 null, null, Date.from(afterRuleLastFiredAt));
-        qm.makeAnalysis(new MakeAnalysisCommand(
-                parentProjectComponent, vulnB, AnalysisState.FALSE_POSITIVE,
-                null, null, null, true, null, null, Set.of()));
+        qm.makeAnalysis(new MakeAnalysisCommand(parentProjectComponent, vulnB)
+                .withState(AnalysisState.FALSE_POSITIVE)
+                .withSuppress(true)
+                .withOptions(Set.of()));
 
         // Child project affected by vulnA (BEFORE) and vulnB (AFTER).
         final var childProject = new Project();
diff --git a/apiserver/src/test/java/org/dependencytrack/resources/v1/AnalysisResourceTest.java b/apiserver/src/test/java/org/dependencytrack/resources/v1/AnalysisResourceTest.java
index 4d9665d71b..cfedf33d67 100644
--- a/apiserver/src/test/java/org/dependencytrack/resources/v1/AnalysisResourceTest.java
+++ b/apiserver/src/test/java/org/dependencytrack/resources/v1/AnalysisResourceTest.java
@@ -371,7 +371,7 @@ void updateAnalysisCreateNewTest() {
 
         final var analysisRequest = new AnalysisRequest(project.getUuid().toString(), component.getUuid().toString(),
                 vulnerability.getUuid().toString(), AnalysisState.NOT_AFFECTED, AnalysisJustification.CODE_NOT_REACHABLE,
-                AnalysisResponse.WILL_NOT_FIX, "Analysis details here", "Analysis comment here", true);
+                AnalysisResponse.WILL_NOT_FIX, "Analysis details here", "Analysis comment here", true, null, null);
 
         final Response response = jersey.target(V1_ANALYSIS)
                 .request()
@@ -443,7 +443,7 @@ void updateAnalysisCreateNewWithUserTest() {
 
         final var analysisRequest = new AnalysisRequest(project.getUuid().toString(), component.getUuid().toString(),
                 vulnerability.getUuid().toString(), AnalysisState.NOT_AFFECTED, AnalysisJustification.CODE_NOT_REACHABLE,
-                AnalysisResponse.WILL_NOT_FIX, "Analysis details here", "Analysis comment here", true);
+                AnalysisResponse.WILL_NOT_FIX, "Analysis details here", "Analysis comment here", true, null, null);
 
         final Response response = jersey.target(V1_ANALYSIS)
                 .request()
@@ -508,7 +508,7 @@ void updateAnalysisCreateNewWithEmptyRequestTest() {
         vulnerability = qm.createVulnerability(vulnerability);
 
         final var analysisRequest = new AnalysisRequest(project.getUuid().toString(), component.getUuid().toString(),
-                vulnerability.getUuid().toString(), null, null, null, null, null, null);
+                vulnerability.getUuid().toString(), null, null, null, null, null, null, null, null);
 
         final Response response = jersey.target(V1_ANALYSIS)
                 .request()
@@ -565,7 +565,7 @@ void updateAnalysisUpdateExistingTest() {
 
         final var analysisRequest = new AnalysisRequest(project.getUuid().toString(), component.getUuid().toString(),
                 vulnerability.getUuid().toString(), AnalysisState.EXPLOITABLE, AnalysisJustification.NOT_SET,
-                AnalysisResponse.UPDATE, "New analysis details here", "New analysis comment here", false);
+                AnalysisResponse.UPDATE, "New analysis details here", "New analysis comment here", false, null, null);
 
         final Response response = jersey.target(V1_ANALYSIS)
                 .request()
@@ -649,7 +649,7 @@ void updateAnalysisWithNoChangesTest() {
 
         final var analysisRequest = new AnalysisRequest(project.getUuid().toString(), component.getUuid().toString(),
                 vulnerability.getUuid().toString(), AnalysisState.NOT_AFFECTED, AnalysisJustification.CODE_NOT_REACHABLE,
-                AnalysisResponse.WILL_NOT_FIX, "Analysis details here", null, true);
+                AnalysisResponse.WILL_NOT_FIX, "Analysis details here", null, true, null, null);
 
         final Response response = jersey.target(V1_ANALYSIS)
                 .request()
@@ -709,7 +709,7 @@ void updateAnalysisUpdateExistingWithEmptyRequestTest() {
                                 MakeAnalysisCommand.Option.OMIT_NOTIFICATION)));
 
         final var analysisRequest = new AnalysisRequest(project.getUuid().toString(), component.getUuid().toString(),
-                vulnerability.getUuid().toString(), null, null, null, null, null, null);
+                vulnerability.getUuid().toString(), null, null, null, null, null, null, null, null);
 
         final Response response = jersey.target(V1_ANALYSIS)
                 .request()
@@ -770,7 +770,7 @@ void updateAnalysisWithComponentNotFoundTest() {
 
         final var analysisRequest = new AnalysisRequest(project.getUuid().toString(), UUID.randomUUID().toString(),
                 vulnerability.getUuid().toString(), AnalysisState.NOT_AFFECTED, AnalysisJustification.CODE_NOT_REACHABLE,
-                AnalysisResponse.WILL_NOT_FIX, "Analysis details here", "Analysis comment here", true);
+                AnalysisResponse.WILL_NOT_FIX, "Analysis details here", "Analysis comment here", true, null, null);
 
         final Response response = jersey.target(V1_ANALYSIS)
                 .request()
@@ -802,7 +802,7 @@ void updateAnalysisWithVulnerabilityNotFoundTest() {
 
         final var analysisRequest = new AnalysisRequest(project.getUuid().toString(), component.getUuid().toString(),
                 UUID.randomUUID().toString(), AnalysisState.NOT_AFFECTED, AnalysisJustification.CODE_NOT_REACHABLE,
-                AnalysisResponse.WILL_NOT_FIX, "Analysis details here", "Analysis comment here", true);
+                AnalysisResponse.WILL_NOT_FIX, "Analysis details here", "Analysis comment here", true, null, null);
 
         final Response response = jersey.target(V1_ANALYSIS)
                 .request()
@@ -847,7 +847,7 @@ void updateAnalysisIssue1409Test() {
 
         final var analysisRequest = new AnalysisRequest(project.getUuid().toString(), component.getUuid().toString(),
                 vulnerability.getUuid().toString(), AnalysisState.NOT_AFFECTED, AnalysisJustification.PROTECTED_BY_MITIGATING_CONTROL,
-                AnalysisResponse.UPDATE, "New analysis details here", "New analysis comment here", false);
+                AnalysisResponse.UPDATE, "New analysis details here", "New analysis comment here", false, null, null);
 
         final Response response = jersey.target(V1_ANALYSIS)
                 .request()
@@ -895,7 +895,7 @@ void updateAnalysisIssue1409Test() {
     void updateAnalysisUnauthorizedTest() {
         final var analysisRequest = new AnalysisRequest(UUID.randomUUID().toString(), UUID.randomUUID().toString(),
                 UUID.randomUUID().toString(), AnalysisState.NOT_AFFECTED, AnalysisJustification.PROTECTED_BY_MITIGATING_CONTROL,
-                AnalysisResponse.UPDATE, "Analysis details here", "Analysis comment here", false);
+                AnalysisResponse.UPDATE, "Analysis details here", "Analysis comment here", false, null, null);
 
         final Response response = jersey.target(V1_ANALYSIS)
                 .request()
diff --git a/migration/src/main/resources/org/dependencytrack/migration/V202605121000__add_source_column_to_analysis.sql b/migration/src/main/resources/org/dependencytrack/migration/V202605121000__add_source_column_to_analysis.sql
new file mode 100644
index 0000000000..5dcb33fb72
--- /dev/null
+++ b/migration/src/main/resources/org/dependencytrack/migration/V202605121000__add_source_column_to_analysis.sql
@@ -0,0 +1,24 @@
+ALTER TABLE "ANALYSIS" ADD COLUMN IF NOT EXISTS "SOURCE" VARCHAR(50);
+
+CREATE INDEX IF NOT EXISTS "ANALYSIS_SOURCE_IDX" ON "ANALYSIS" ("SOURCE");
+
+-- Backfill: analyses linked to vulnerability policies get POLICY source
+UPDATE "ANALYSIS"
+SET "SOURCE" = 'POLICY'
+WHERE "VULNERABILITY_POLICY_ID" IS NOT NULL
+  AND "SOURCE" IS NULL;
+
+-- Backfill: other analyses with meaningful data get MANUAL source
+UPDATE "ANALYSIS"
+SET "SOURCE" = 'MANUAL'
+WHERE "SOURCE" IS NULL
+  AND (
+      ("STATE" IS NOT NULL AND "STATE" != 'NOT_SET')
+      OR ("JUSTIFICATION" IS NOT NULL AND "JUSTIFICATION" != 'NOT_SET')
+      OR ("RESPONSE" IS NOT NULL AND "RESPONSE" != 'NOT_SET')
+      OR "SEVERITY" IS NOT NULL
+      OR "CVSSV2VECTOR" IS NOT NULL
+      OR "CVSSV3VECTOR" IS NOT NULL
+      OR "CVSSV4VECTOR" IS NOT NULL
+      OR "OWASPVECTOR" IS NOT NULL
+  );