diff --git a/schema/bom-1.4-SNAPSHOT.proto b/schema/bom-1.4-SNAPSHOT.proto
index d1512aa4..d4dee08a 100644
--- a/schema/bom-1.4-SNAPSHOT.proto
+++ b/schema/bom-1.4-SNAPSHOT.proto
@@ -31,6 +31,8 @@ message Bom {
repeated Dependency dependencies = 8;
// Provides the ability to document aggregate completeness
repeated Composition compositions = 9;
+ // Vulnerabilities identified in components or services.
+ repeated Vulnerability vulnerabilities = 10;
}
enum Classification {
@@ -450,3 +452,186 @@ message Evidence {
repeated LicenseChoice licenses = 1;
repeated EvidenceCopyright copyright = 2;
}
+
+message Vulnerability {
+ // An optional identifier which can be used to reference the vulnerability elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
+ optional string bom_ref = 1;
+ // The identifier that uniquely identifies the vulnerability.
+ optional string id = 2;
+ // The source that published the vulnerability.
+ optional Source source = 3;
+ // Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Often times, the same vulnerability may exist in multiple sources of vulnerability intelligence, but have different identifiers. References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.
+ repeated VulnerabilityReference references = 4;
+ // List of vulnerability ratings
+ repeated VulnerabilityRating ratings = 5;
+ // List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability. For example 399 (of https://cwe.mitre.org/data/definitions/399.html)
+ repeated int32 cwes = 6;
+ // A description of the vulnerability as provided by the source.
+ optional string description = 7;
+ // If available, an in-depth description of the vulnerability as provided by the source organization. Details often include examples, proof-of-concepts, and other information useful in understanding root cause.
+ optional string detail = 8;
+ // Recommendations of how the vulnerability can be remediated or mitigated.
+ optional string recommendation = 9;
+ // Published advisories of the vulnerability if provided.
+ repeated Advisory advisories = 10;
+ // The date and time (timestamp) when the vulnerability record was created in the vulnerability database.
+ optional google.protobuf.Timestamp created = 11;
+ // The date and time (timestamp) when the vulnerability record was first published.
+ optional google.protobuf.Timestamp published = 12;
+ // The date and time (timestamp) when the vulnerability record was last updated.
+ optional google.protobuf.Timestamp updated = 13;
+ // Individuals or organizations credited with the discovery of the vulnerability.
+ optional VulnerabilityCredits credits = 14;
+ // The tool(s) used to identify, confirm, or score the vulnerability.
+ repeated Tool tools = 15;
+ // An assessment of the impact and exploitability of the vulnerability.
+ optional VulnerabilityAnalysis analysis = 16;
+ // affects
+ repeated VulnerabilityAffects affects = 17;
+}
+
+message VulnerabilityReference {
+ // An identifier that uniquely identifies the vulnerability.
+ optional string id = 1;
+ // The source that published the vulnerability.
+ optional Source source = 2;
+}
+
+message VulnerabilityRating {
+ // The source that calculated the severity or risk rating of the vulnerability.
+ optional Source source = 1;
+ // The numerical score of the rating.
+ optional double score = 2;
+ // Textual representation of the severity that corresponds to the numerical score of the rating.
+ optional Severity severity = 3;
+ // Specifies the severity or risk scoring methodology or standard used.
+ optional ScoreMethod method = 4;
+ // Textual representation of the metric values used to score the vulnerability.
+ optional string vector = 5;
+ // An optional reason for rating the vulnerability as it was.
+ optional string justification = 6;
+}
+
+enum Severity {
+ SEVERITY_UNKNOWN = 0;
+ SEVERITY_CRITICAL = 1;
+ SEVERITY_HIGH = 2;
+ SEVERITY_MEDIUM = 3;
+ SEVERITY_LOW = 4;
+ SEVERITY_INFO = 5;
+ SEVERITY_NONE = 6;
+}
+
+enum ScoreMethod {
+ // An undefined score method
+ SCORE_METHOD_NULL = 0;
+ // Common Vulnerability Scoring System v2 - https://www.first.org/cvss/v2/
+ SCORE_METHOD_CVSSV2 = 1;
+ // Common Vulnerability Scoring System v3 - https://www.first.org/cvss/v3-0/
+ SCORE_METHOD_CVSSV3 = 2;
+ // Common Vulnerability Scoring System v3.1 - https://www.first.org/cvss/v3-1/
+ SCORE_METHOD_CVSSV31 = 3;
+ // OWASP Risk Rating Methodology - https://owasp.org/www-community/OWASP_Risk_Rating_Methodology
+ SCORE_METHOD_OWASP = 4;
+ // Other scoring method
+ SCORE_METHOD_OTHER = 5;
+}
+
+message Advisory {
+ // An optional name of the advisory.
+ optional string title = 1;
+ // Location where the advisory can be obtained.
+ string url = 2;
+}
+
+message VulnerabilityCredits {
+ // The organizations credited with vulnerability discovery.
+ repeated OrganizationalEntity organizations = 1;
+ // The individuals, not associated with organizations, that are credited with vulnerability discovery.
+ repeated OrganizationalContact individuals = 2;
+}
+
+message VulnerabilityAnalysis {
+ // Declares the current state of an occurrence of a vulnerability, after automated or manual analysis.
+ optional ImpactAnalysisState state = 1;
+ // The rationale of why the impact analysis state was asserted.
+ optional ImpactAnalysisJustification justification = 2;
+ // A response to the vulnerability by the manufacturer, supplier, or project responsible for the affected component or service. More than one response is allowed. Responses are strongly encouraged for vulnerabilities where the analysis state is exploitable.
+ repeated VulnerabilityResponse response = 3;
+ // Detailed description of the impact including methods used during assessment. If a vulnerability is not exploitable, this field should include specific details on why the component or service is not impacted by this vulnerability.
+ optional string detail = 4;
+}
+
+enum ImpactAnalysisState {
+ // An undefined impact analysis state
+ IMPACT_ANALYSIS_STATE_NULL = 0;
+ // The vulnerability has been remediated.
+ IMPACT_ANALYSIS_STATE_RESOLVED = 1;
+ // The vulnerability has been remediated and evidence of the changes are provided in the affected components pedigree containing verifiable commit history and/or diff(s).
+ IMPACT_ANALYSIS_STATE_RESOLVED_WITH_PEDIGREE = 2;
+ // The vulnerability may be directly or indirectly exploitable.
+ IMPACT_ANALYSIS_STATE_EXPLOITABLE = 3;
+ // The vulnerability is being investigated.
+ IMPACT_ANALYSIS_STATE_IN_TRIAGE = 4;
+ // The vulnerability is not specific to the component or service and was falsely identified or associated.
+ IMPACT_ANALYSIS_STATE_FALSE_POSITIVE = 5;
+ // The component or service is not affected by the vulnerability. Justification should be specified for all not_affected cases.
+ IMPACT_ANALYSIS_STATE_NOT_AFFECTED = 6;
+}
+
+enum ImpactAnalysisJustification {
+ // An undefined impact analysis justification
+ IMPACT_ANALYSIS_JUSTIFICATION_NULL = 0;
+ // The code has been removed or tree-shaked.
+ IMPACT_ANALYSIS_JUSTIFICATION_CODE_NOT_PRESENT = 1;
+ // The vulnerable code is not invoked at runtime.
+ IMPACT_ANALYSIS_JUSTIFICATION_CODE_NOT_REACHABLE = 2;
+ // Exploitability requires a configurable option to be set/unset.
+ IMPACT_ANALYSIS_JUSTIFICATION_REQUIRES_CONFIGURATION = 3;
+ // Exploitability requires a dependency that is not present.
+ IMPACT_ANALYSIS_JUSTIFICATION_REQUIRES_DEPENDENCY = 4;
+ // Exploitability requires a certain environment which is not present.
+ IMPACT_ANALYSIS_JUSTIFICATION_REQUIRES_ENVIRONMENT = 5;
+ // Exploitability requires a compiler flag to be set/unset.
+ IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_BY_COMPILER = 6;
+ // Exploits are prevented at runtime.
+ IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_AT_RUNTIME = 7;
+ // Attacks are blocked at physical, logical, or network perimeter.
+ IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_AT_PERIMETER = 8;
+ // Preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability.
+ IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_BY_MITIGATING_CONTROL = 9;
+}
+
+enum VulnerabilityResponse {
+ VULNERABILITY_RESPONSE_NULL = 0;
+ VULNERABILITY_RESPONSE_CAN_NOT_FIX = 1;
+ VULNERABILITY_RESPONSE_WILL_NOT_FIX = 2;
+ VULNERABILITY_RESPONSE_UPDATE = 3;
+ VULNERABILITY_RESPONSE_ROLLBACK = 4;
+ VULNERABILITY_RESPONSE_WORKAROUND_AVAILABLE = 5;
+}
+
+message VulnerabilityAffects {
+ // References a component or service by the objects bom-ref
+ string ref = 1;
+ // Zero or more individual versions or range of versions.
+ repeated VulnerabilityAffectedVersions versions = 2;
+}
+
+message VulnerabilityAffectedVersions {
+ oneof choice {
+ // A single version of a component or service.
+ string version = 1;
+ // A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst
+ string range = 2;
+ }
+ // The vulnerability status for the version or range of versions.
+ optional VulnerabilityAffectedStatus status = 3;
+}
+
+enum VulnerabilityAffectedStatus {
+ // The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.
+ VULNERABILITY_AFFECTED_STATUS_UNKNOWN = 0;
+ VULNERABILITY_AFFECTED_STATUS_AFFECTED = 1;
+ VULNERABILITY_AFFECTED_STATUS_NOT_AFFECTED = 2;
+}
diff --git a/schema/bom-1.4-SNAPSHOT.xsd b/schema/bom-1.4-SNAPSHOT.xsd
index c5ffebb7..e3bb7f9a 100644
--- a/schema/bom-1.4-SNAPSHOT.xsd
+++ b/schema/bom-1.4-SNAPSHOT.xsd
@@ -138,22 +138,22 @@ limitations under the License.
- Specifies a tool (manual or automated).
+ Information about the automated or manual tool used
- The vendor of the tool used to create the BOM.
+ The name of the vendor who created the tool
- The name of the tool used to create the BOM.
+ The name of the tool
- The version of the tool used to create the BOM.
+ The version of the tool
@@ -1549,6 +1549,595 @@ limitations under the License.
+
+
+
+
+ Defines a weakness in an component or service that could be exploited or triggered by a threat source.
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+ User-defined attributes may be used on this element as long as they
+ do not have the same name as an existing attribute used by the schema.
+
+
+
+
+
+
+
+
+ The identifier that uniquely identifies the vulnerability. For example:
+ CVE-2021-39182, GHSA-35m5-8cvj-8783, and SNYK-PYTHON-ENROCRYPT-1912876.
+
+
+
+
+ The source that published the vulnerability.
+
+
+
+
+ Zero or more pointers to vulnerabilities that are the equivalent of the
+ vulnerability specified. Often times, the same vulnerability may exist in multiple sources of
+ vulnerability intelligence, but have different identifiers. References provide a way to
+ correlate vulnerabilities across multiple sources of vulnerability intelligence.
+
+
+
+
+
+ A pointer to a vulnerability that is the equivalent of the
+ vulnerability specified.
+
+
+
+
+
+ The identifier that uniquely identifies the vulnerability. For example:
+ CVE-2021-39182, GHSA-35m5-8cvj-8783, and SNYK-PYTHON-ENROCRYPT-1912876.
+
+
+
+
+ The source that published the vulnerability.
+
+
+
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+
+
+ List of vulnerability ratings.
+
+
+
+
+
+
+
+
+
+
+
+ List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability.
+ For example 399 (of https://cwe.mitre.org/data/definitions/399.html)
+
+
+
+
+
+
+
+
+
+ A description of the vulnerability as provided by the source.
+
+
+
+
+ If available, an in-depth description of the vulnerability as provided by the
+ source organization. Details often include examples, proof-of-concepts, and other information
+ useful in understanding root cause.
+
+
+
+
+ Recommendations of how the vulnerability can be remediated or mitigated.
+
+
+
+
+
+
+ Published advisories of the vulnerability if provided.
+
+
+
+
+
+
+
+
+
+ The date and time (timestamp) when the vulnerability record was created in the vulnerability database.
+
+
+
+
+ The date and time (timestamp) when the vulnerability record was first published.
+
+
+
+
+ The date and time (timestamp) when the vulnerability record was last updated.
+
+
+
+
+ Individuals or organizations credited with the discovery of the vulnerability.
+
+
+
+
+
+ The organizations credited with vulnerability discovery.
+
+
+
+
+
+
+
+
+
+ The individuals, not associated with organizations, that are credited with vulnerability discovery.
+
+
+
+
+
+
+
+
+
+
+
+
+ The tool(s) used to identify, confirm, or score the vulnerability.
+
+
+
+
+
+
+
+
+
+
+
+ An assessment of the impact and exploitability of the vulnerability.
+
+
+
+
+
+
+ Declares the current state of an occurrence of a vulnerability, after automated or manual analysis.
+
+
+
+
+
+
+ The rationale of why the impact analysis state was asserted.
+
+
+
+
+
+ A response to the vulnerability by the manufacturer, supplier, or
+ project responsible for the affected component or service. More than one response
+ is allowed. Responses are strongly encouraged for vulnerabilities where the analysis
+ state is exploitable.
+
+
+
+
+
+
+
+
+
+
+ Detailed description of the impact including methods used during assessment.
+ If a vulnerability is not exploitable, this field should include specific details
+ on why the component or service is not impacted by this vulnerability.
+
+
+
+
+
+
+
+
+ The components or services that are affected by the vulnerability.
+
+
+
+
+
+
+
+
+ References a component or service by the objects bom-ref.
+
+
+
+
+ Zero or more individual versions or range of versions.
+
+
+
+
+
+
+
+
+
+ A single version of a component or service.
+
+
+
+
+ A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst
+
+
+
+
+
+
+ The vulnerability status for the version or range of versions.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ An optional identifier which can be used to reference the vulnerability elsewhere in the BOM.
+ Uniqueness is enforced within all elements and children of the root-level bom element.
+
+
+
+
+
+
+
+
+
+ The name of the source.
+ For example: NVD, National Vulnerability Database, OSS Index, VulnDB, and GitHub Advisories
+
+
+
+
+
+ The url of the vulnerability documentation as provided by the source.
+ For example: https://nvd.nist.gov/vuln/detail/CVE-2021-39182
+
+
+
+
+
+
+
+
+
+ The source that calculated the severity or risk rating of the vulnerability.
+
+
+
+
+ The numerical score of the rating.
+
+
+
+
+ Textual representation of the severity that corresponds to the numerical score of the rating.
+
+
+
+
+ The risk scoring methodology/standard used.
+
+
+
+
+ Textual representation of the metric values used to score the vulnerability.
+
+
+
+
+ An optional reason for rating the vulnerability as it was.
+
+
+
+
+
+
+
+
+
+ An optional name of the advisory.
+
+
+
+
+ Location where the advisory can be obtained.
+
+
+
+
+
+
+
+
+ Textual representation of the severity of the vulnerability adopted by the analysis method. If the
+ analysis method uses values other than what is provided, the user is expected to translate appropriately.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Declares the current state of an occurrence of a vulnerability, after automated or manual analysis.
+
+
+
+
+
+
+ The vulnerability has been remediated.
+
+
+
+
+
+
+ The vulnerability has been remediated and evidence of the changes are provided in the affected
+ components pedigree containing verifiable commit history and/or diff(s).
+
+
+
+
+
+
+ The vulnerability may be directly or indirectly exploitable.
+
+
+
+
+
+
+ The vulnerability is being investigated.
+
+
+
+
+
+
+ The vulnerability is not specific to the component or service and was falsely identified or associated.
+
+
+
+
+
+
+ The component or service is not affected by the vulnerability. Justification should be specified
+ for all not_affected cases.
+
+
+
+
+
+
+
+
+
+ The rationale of why the impact analysis state was asserted.
+
+
+
+
+
+
+ The code has been removed or tree-shaked.
+
+
+
+
+
+
+ The vulnerable code is not invoked at runtime.
+
+
+
+
+
+
+ Exploitability requires a configurable option to be set/unset.
+
+
+
+
+
+
+ Exploitability requires a dependency that is not present.
+
+
+
+
+
+
+ Exploitability requires a certain environment which is not present.
+
+
+
+
+
+
+ Exploitability requires a compiler flag to be set/unset.
+
+
+
+
+
+
+ Exploits are prevented at runtime.
+
+
+
+
+
+
+ Attacks are blocked at physical, logical, or network perimeter.
+
+
+
+
+
+
+ Preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability.
+
+
+
+
+
+
+
+
+
+ Specifies the severity or risk scoring methodology or standard used.
+
+
+
+
+
+
+ The rating is based on CVSS v2 standard
+ https://www.first.org/cvss/v2/
+
+
+
+
+
+
+ The rating is based on CVSS v3.0 standard
+ https://www.first.org/cvss/v3-0/
+
+
+
+
+
+
+ The rating is based on CVSS v3.1 standard
+ https://www.first.org/cvss/v3-1/
+
+
+
+
+
+
+ The rating is based on OWASP Risk Rating
+ https://owasp.org/www-community/OWASP_Risk_Rating_Methodology
+
+
+
+
+
+
+ Use this if the risk scoring methodology is not based on any of the options above
+
+
+
+
+
+
+
+
+
+ The rationale of why the impact analysis state was asserted.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The vulnerability status of a given version or range of versions of a product. The statuses
+ 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability.
+ The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected.
+ There can be many reasons for an 'unknown' status, including that an investigation has not been
+ undertaken or that a vendor has not disclosed the status.
+
+
+
+
+
+
+
+
+
+
@@ -1591,6 +2180,11 @@ limitations under the License.
stores, properties support duplicate names, each potentially having different values.
+
+
+ Vulnerabilities identified in components or services.
+
+
diff --git a/schema/bom-1.4-strict-SNAPSHOT.schema.json b/schema/bom-1.4-strict-SNAPSHOT.schema.json
index 9c77d9c9..80770426 100644
--- a/schema/bom-1.4-strict-SNAPSHOT.schema.json
+++ b/schema/bom-1.4-strict-SNAPSHOT.schema.json
@@ -85,6 +85,14 @@
"uniqueItems": true,
"title": "Compositions",
"description": "Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness."
+ },
+ "vulnerabilities": {
+ "$id": "#/properties/vulnerabilities",
+ "type": "array",
+ "items": {"$ref": "#/definitions/vulnerability"},
+ "uniqueItems": true,
+ "title": "Vulnerabilities",
+ "description": "Vulnerabilities identified in components or services."
}
},
"definitions": {
@@ -142,23 +150,23 @@
"tool": {
"type": "object",
"title": "Tool",
- "description": "The tool used to create the BOM.",
+ "description": "Information about the automated or manual tool used",
"additionalProperties": false,
"properties": {
"vendor": {
"type": "string",
"title": "Tool Vendor",
- "description": "The date and time (timestamp) when the document was created."
+ "description": "The name of the vendor who created the tool"
},
"name": {
"type": "string",
"title": "Tool Name",
- "description": "The date and time (timestamp) when the document was created."
+ "description": "The name of the tool"
},
"version": {
"type": "string",
"title": "Tool Version",
- "description": "The date and time (timestamp) when the document was created."
+ "description": "The version of the tool"
},
"hashes": {
"$id": "#/properties/hashes",
@@ -263,7 +271,7 @@
"bom-ref": {
"type": "string",
"title": "BOM Reference",
- "description": "An optional identifier which can be used to reference the component elsewhere in the BOM. Every bom-ref should be unique."
+ "description": "An optional identifier which can be used to reference the component elsewhere in the BOM. Every bom-ref MUST be unique within the BOM."
},
"supplier": {
"title": "Component Supplier",
@@ -872,7 +880,7 @@
"bom-ref": {
"type": "string",
"title": "BOM Reference",
- "description": "An optional identifier which can be used to reference the service elsewhere in the BOM. Every bom-ref should be unique."
+ "description": "An optional identifier which can be used to reference the service elsewhere in the BOM. Every bom-ref MUST be unique within the BOM."
},
"provider": {
"title": "Provider",
@@ -1074,6 +1082,410 @@
"description": "The value of the property."
}
}
+ },
+ "advisory": {
+ "type": "object",
+ "title": "Advisory",
+ "description": "Title and location where advisory information can be obtained. An advisory is a notification of a threat to a component, service, or system.",
+ "required": ["url"],
+ "additionalProperties": false,
+ "properties": {
+ "title": {
+ "type": "string",
+ "title": "Title",
+ "description": "An optional name of the advisory."
+ },
+ "url": {
+ "type": "string",
+ "title": "URL",
+ "format": "iri-reference",
+ "description": "Location where the advisory can be obtained."
+ }
+ }
+ },
+ "cwe": {
+ "type": "integer",
+ "minimum": 1,
+ "title": "CWE",
+ "description": "Integer representation of a Common Weaknesses Enumerations (CWE). For example 399 (of https://cwe.mitre.org/data/definitions/399.html)"
+ },
+ "severity": {
+ "type": "string",
+ "title": "Severity",
+ "description": "Textual representation of the severity of the vulnerability adopted by the analysis method. If the analysis method uses values other than what is provided, the user is expected to translate appropriately.",
+ "enum": [
+ "critical",
+ "high",
+ "medium",
+ "low",
+ "info",
+ "none",
+ "unknown"
+ ]
+ },
+ "scoreMethod": {
+ "type": "string",
+ "title": "Method",
+ "description": "Specifies the severity or risk scoring methodology or standard used.\n\n* CVSSv2 - [Common Vulnerability Scoring System v2](https://www.first.org/cvss/v2/)\n* CVSSv3 - [Common Vulnerability Scoring System v3](https://www.first.org/cvss/v3-0/)\n* CVSSv31 - [Common Vulnerability Scoring System v3.1](https://www.first.org/cvss/v3-1/)\n* OWASP - [OWASP Risk Rating Methodology](https://owasp.org/www-community/OWASP_Risk_Rating_Methodology)",
+ "enum": [
+ "CVSSv2",
+ "CVSSv3",
+ "CVSSv31",
+ "OWASP",
+ "other"
+ ]
+ },
+ "impactAnalysisState": {
+ "type": "string",
+ "title": "Impact Analysis State",
+ "description": "Declares the current state of an occurrence of a vulnerability, after automated or manual analysis. \n\n* __resolved__ = the vulnerability has been remediated. \n* __resolved\\_with\\_pedigree__ = the vulnerability has been remediated and evidence of the changes are provided in the affected components pedigree containing verifiable commit history and/or diff(s). \n* __exploitable__ = the vulnerability may be directly or indirectly exploitable. \n* __in\\_triage__ = the vulnerability is being investigated. \n* __false\\_positive__ = the vulnerability is not specific to the component or service and was falsely identified or associated. \n* __not\\_affected__ = the component or service is not affected by the vulnerability. Justification should be specified for all not_affected cases.",
+ "enum": [
+ "resolved",
+ "resolved_with_pedigree",
+ "exploitable",
+ "in_triage",
+ "false_positive",
+ "not_affected"
+ ]
+ },
+ "impactAnalysisJustification": {
+ "type": "string",
+ "title": "Impact Analysis Justification",
+ "description": "The rationale of why the impact analysis state was asserted. \n\n* __code\\_not\\_present__ = the code has been removed or tree-shaked. \n* __code\\_not\\_reachable__ = the vulnerable code is not invoked at runtime. \n* __requires\\_configuration__ = exploitability requires a configurable option to be set/unset. \n* __requires\\_dependency__ = exploitability requires a dependency that is not present. \n* __requires\\_environment__ = exploitability requires a certain environment which is not present. \n* __protected\\_by\\_compiler__ = exploitability requires a compiler flag to be set/unset. \n* __protected\\_at\\_runtime__ = exploits are prevented at runtime. \n* __protected\\_at\\_perimeter__ = attacks are blocked at physical, logical, or network perimeter. \n* __protected\\_by\\_mitigating\\_control__ = preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability.",
+ "enum": [
+ "code_not_present",
+ "code_not_reachable",
+ "requires_configuration",
+ "requires_dependency",
+ "requires_environment",
+ "protected_by_compiler",
+ "protected_at_runtime",
+ "protected_at_perimeter",
+ "protected_by_mitigating_control"
+ ]
+ },
+ "rating": {
+ "type": "object",
+ "title": "Rating",
+ "description": "Defines the severity or risk ratings of a vulnerability.",
+ "additionalProperties": false,
+ "properties": {
+ "source": {
+ "$ref": "#/definitions/vulnerabilitySource",
+ "description": "The source that calculated the severity or risk rating of the vulnerability."
+ },
+ "score": {
+ "type": "number",
+ "title": "Score",
+ "description": "The numerical score of the rating."
+ },
+ "severity": {
+ "$ref": "#/definitions/severity",
+ "description": "Textual representation of the severity that corresponds to the numerical score of the rating."
+ },
+ "method": {
+ "$ref": "#/definitions/scoreMethod"
+ },
+ "vector": {
+ "type": "string",
+ "title": "Vector",
+ "description": "Textual representation of the metric values used to score the vulnerability"
+ },
+ "justification": {
+ "type": "string",
+ "title": "Justification",
+ "description": "An optional reason for rating the vulnerability as it was"
+ }
+ }
+ },
+ "vulnerabilitySource": {
+ "type": "object",
+ "title": "Source",
+ "description": "The source of vulnerability information. This is often the organization that published the vulnerability.",
+ "additionalProperties": false,
+ "properties": {
+ "url": {
+ "type": "string",
+ "title": "URL",
+ "description": "The url of the vulnerability documentation as provided by the source.",
+ "examples": [
+ "https://nvd.nist.gov/vuln/detail/CVE-2021-39182"
+ ]
+ },
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "The name of the source.",
+ "examples": [
+ "NVD",
+ "National Vulnerability Database",
+ "OSS Index",
+ "VulnDB",
+ "GitHub Advisories"
+ ]
+ }
+ }
+ },
+ "vulnerability": {
+ "type": "object",
+ "title": "Vulnerability",
+ "description": "Defines a weakness in an component or service that could be exploited or triggered by a threat source.",
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "type": "string",
+ "title": "BOM Reference",
+ "description": "An optional identifier which can be used to reference the vulnerability elsewhere in the BOM. Every bom-ref MUST be unique within the BOM."
+ },
+ "id": {
+ "type": "string",
+ "title": "ID",
+ "description": "The identifier that uniquely identifies the vulnerability.",
+ "examples": [
+ "CVE-2021-39182",
+ "GHSA-35m5-8cvj-8783",
+ "SNYK-PYTHON-ENROCRYPT-1912876"
+ ]
+ },
+ "source": {
+ "$ref": "#/definitions/vulnerabilitySource",
+ "description": "The source that published the vulnerability."
+ },
+ "references": {
+ "type": "array",
+ "title": "References",
+ "description": "Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Often times, the same vulnerability may exist in multiple sources of vulnerability intelligence, but have different identifiers. References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.",
+ "additionalItems": false,
+ "items": {
+ "required": [
+ "id",
+ "source"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "id": {
+ "type": "string",
+ "title": "ID",
+ "description": "An identifier that uniquely identifies the vulnerability.",
+ "examples": [
+ "CVE-2021-39182",
+ "GHSA-35m5-8cvj-8783",
+ "SNYK-PYTHON-ENROCRYPT-1912876"
+ ]
+ },
+ "source": {
+ "$ref": "#/definitions/vulnerabilitySource",
+ "description": "The source that published the vulnerability."
+ }
+ }
+ }
+ },
+ "ratings": {
+ "type": "array",
+ "title": "Ratings",
+ "description": "List of vulnerability ratings",
+ "items": {
+ "$ref": "#/definitions/rating"
+ }
+ },
+ "cwes": {
+ "type": "array",
+ "title": "CWEs",
+ "description": "List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability. For example 399 (of https://cwe.mitre.org/data/definitions/399.html)",
+ "examples": ["399"],
+ "items": {
+ "$ref": "#/definitions/cwe"
+ }
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of the vulnerability as provided by the source."
+ },
+ "detail": {
+ "type": "string",
+ "title": "Details",
+ "description": "If available, an in-depth description of the vulnerability as provided by the source organization. Details often include examples, proof-of-concepts, and other information useful in understanding root cause."
+ },
+ "recommendation": {
+ "type": "string",
+ "title": "Details",
+ "description": "Recommendations of how the vulnerability can be remediated or mitigated."
+ },
+ "advisories": {
+ "type": "array",
+ "title": "Advisories",
+ "description": "Published advisories of the vulnerability if provided.",
+ "items": {
+ "$ref": "#/definitions/advisory"
+ }
+ },
+ "created": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Created",
+ "description": "The date and time (timestamp) when the vulnerability record was created in the vulnerability database."
+ },
+ "published": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Published",
+ "description": "The date and time (timestamp) when the vulnerability record was first published."
+ },
+ "updated": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Updated",
+ "description": "The date and time (timestamp) when the vulnerability record was last updated."
+ },
+ "credits": {
+ "type": "object",
+ "title": "Credits",
+ "description": "Individuals or organizations credited with the discovery of the vulnerability.",
+ "additionalProperties": false,
+ "properties": {
+ "organizations": {
+ "type": "array",
+ "title": "Organizations",
+ "description": "The organizations credited with vulnerability discovery.",
+ "additionalItems": false,
+ "items": {
+ "$ref": "#/definitions/organizationalEntity"
+ }
+ },
+ "individuals": {
+ "type": "array",
+ "title": "Individuals",
+ "description": "The individuals, not associated with organizations, that are credited with vulnerability discovery.",
+ "additionalItems": false,
+ "items": {
+ "$ref": "#/definitions/organizationalContact"
+ }
+ }
+ }
+ },
+ "tools": {
+ "type": "array",
+ "title": "Creation Tools",
+ "description": "The tool(s) used to identify, confirm, or score the vulnerability.",
+ "items": {"$ref": "#/definitions/tool"}
+ },
+ "analysis": {
+ "type": "object",
+ "title": "Impact Analysis",
+ "description": "An assessment of the impact and exploitability of the vulnerability.",
+ "additionalProperties": false,
+ "properties": {
+ "state": {
+ "$ref": "#/definitions/impactAnalysisState"
+ },
+ "justification": {
+ "$ref": "#/definitions/impactAnalysisJustification"
+ },
+ "response": {
+ "type": "array",
+ "title": "Response",
+ "description": "A response to the vulnerability by the manufacturer, supplier, or project responsible for the affected component or service. More than one response is allowed. Responses are strongly encouraged for vulnerabilities where the analysis state is exploitable.",
+ "items": {
+ "type": "string",
+ "enum": [
+ "can_not_fix",
+ "will_not_fix",
+ "update",
+ "rollback",
+ "workaround_available"
+ ]
+ }
+ },
+ "detail": {
+ "type": "string",
+ "title": "Detail",
+ "description": "Detailed description of the impact including methods used during assessment. If a vulnerability is not exploitable, this field should include specific details on why the component or service is not impacted by this vulnerability."
+ }
+ }
+ },
+ "affects": {
+ "type": "array",
+ "uniqueItems": true,
+ "additionalItems": false,
+ "items": {
+ "required": [
+ "ref"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "ref": {
+ "type": "string",
+ "title": "Reference",
+ "description": "References a component or service by the objects bom-ref"
+ },
+ "versions": {
+ "type": "array",
+ "title": "Versions",
+ "description": "Zero or more individual versions or range of versions.",
+ "additionalItems": false,
+ "items": {
+ "oneOf": [
+ {
+ "required": ["version"]
+ },
+ {
+ "required": ["range"]
+ }
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "version": {
+ "description": "A single version of a component or service.",
+ "$ref": "#/definitions/version"
+ },
+ "range": {
+ "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst",
+ "$ref": "#/definitions/version"
+ },
+ "status": {
+ "description": "The vulnerability status for the version or range of versions.",
+ "$ref": "#/definitions/affectedStatus",
+ "default": "affected"
+ }
+ }
+ }
+ }
+ }
+ },
+ "title": "Affects",
+ "description": "The components or services that are affected by the vulnerability."
+ },
+ "properties": {
+ "type": "array",
+ "title": "Properties",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values.",
+ "items": {
+ "$ref": "#/definitions/property"
+ }
+ }
+ }
+ },
+ "affectedStatus": {
+ "description": "The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.",
+ "type": "string",
+ "enum": [
+ "affected",
+ "unaffected",
+ "unknown"
+ ]
+ },
+ "version": {
+ "description": "A single version of a component or service.",
+ "type": "string",
+ "minLength": 1,
+ "maxLength": 1024
+ },
+ "range": {
+ "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst",
+ "type": "string",
+ "minLength": 1,
+ "maxLength": 1024
}
}
}
diff --git a/tools/src/test/resources/1.4/valid-vulnerability-1.4.json b/tools/src/test/resources/1.4/valid-vulnerability-1.4.json
new file mode 100644
index 00000000..c4065f6c
--- /dev/null
+++ b/tools/src/test/resources/1.4/valid-vulnerability-1.4.json
@@ -0,0 +1,122 @@
+{
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.4",
+ "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+ "version": 1,
+ "components": [
+ {
+ "bom-ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.4",
+ "type": "library",
+ "group": "com.fasterxml.jackson.core",
+ "name": "jackson-databind",
+ "version": "2.9.4",
+ "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.4"
+ }
+ ],
+ "vulnerabilities": [
+ {
+ "bom-ref": "6eee14da-8f42-4cc4-bb65-203235f02415",
+ "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-32111",
+ "source": {
+ "name": "Snyk",
+ "url": "https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-32111"
+ },
+ "references": [
+ {
+ "id": "CVE-2018-7489",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9997"
+ }
+ }
+ ],
+ "ratings": [
+ {
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.0"
+ },
+ "score": 9.8,
+ "severity": "critical",
+ "method": "CVSSv3",
+ "vector": "AN/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "justification": "An optional reason for rating the vulnerability as it was"
+ }
+ ],
+ "cwes": [
+ 184,
+ 502
+ ],
+ "description": "FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.",
+ "detail": "",
+ "recommendation": "Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.5, 2.8.11.1, 2.9.5 or higher.",
+ "advisories": [
+ {
+ "title": "GitHub Commit",
+ "url": "https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2"
+ },
+ {
+ "title": "GitHub Issue",
+ "url": "https://github.com/FasterXML/jackson-databind/issues/1931"
+ }
+ ],
+ "created": "2021-01-01T00:00:00.000Z",
+ "published": "2021-01-01T00:00:00.000Z",
+ "updated": "2021-01-01T00:00:00.000Z",
+ "credits": {
+ "organizations": [
+ {
+ "name": "Acme, Inc.",
+ "url": [
+ "https://example.com"
+ ]
+ }
+ ],
+ "individuals": [
+ {
+ "name": "Jane Doe",
+ "email": "jane.doe@example.com"
+ }
+ ]
+ },
+ "tools": [
+ {
+ "vendor": "Snyk",
+ "name": "Snyk CLI (Linux)",
+ "version": "1.729.0",
+ "hashes": [
+ {
+ "alg": "SHA-256",
+ "content": "2eaf8c62831a1658c95d41fdc683cd177c147733c64a93e59cb2362829e45b7d"
+ }
+ ]
+ }
+ ],
+ "analysis": {
+ "state": "not_affected",
+ "justification": "code_not_reachable",
+ "response": ["will_not_fix", "update"],
+ "detail": "An optional explanation of why the application is not affected by the vulnerable component."
+ },
+ "affects": [
+ {
+ "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.9",
+ "versions": [
+ {
+ "range": "vers:semver/<2.6.7.5",
+ "status": "affected"
+ },
+ {
+ "range": "vers:semver/2.7.0|<2.8.11.1",
+ "status": "affected"
+ },
+ {
+ "range": "vers:semver/2.9.0|<2.9.5",
+ "status": "affected"
+ }
+ ]
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tools/src/test/resources/1.4/valid-vulnerability-1.4.textproto b/tools/src/test/resources/1.4/valid-vulnerability-1.4.textproto
new file mode 100644
index 00000000..bcc70e57
--- /dev/null
+++ b/tools/src/test/resources/1.4/valid-vulnerability-1.4.textproto
@@ -0,0 +1,103 @@
+spec_version: "1.4"
+version: 1
+serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
+components {
+ type: CLASSIFICATION_LIBRARY
+ bom_ref: "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.4"
+ group: "com.fasterxml.jackson.core"
+ name: "jackson-databind"
+ version: "2.9.4"
+ purl: "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.4"
+}
+vulnerabilities {
+ bom_ref: "6eee14da-8f42-4cc4-bb65-203235f02415"
+ id: "SNYK-JAVA-COMFASTERXMLJACKSONCORE-32111"
+ source: {
+ name: "Snyk"
+ url: "https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-32111"
+ }
+ references: {
+ id: "CVE-2018-7489"
+ source: {
+ name: "NVD",
+ url: "https://nvd.nist.gov/vuln/detail/CVE-2019-9997"
+ }
+ }
+ ratings: {
+ source: {
+ name: "NVD"
+ url: "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.0"
+ }
+ score: 9.8
+ severity: SEVERITY_CRITICAL
+ method: SCORE_METHOD_CVSSV3
+ vector: "AN/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ justification: "An optional reason for rating the vulnerability as it was"
+ }
+ cwes: 184
+ cwes: 502
+ description: "FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath."
+ detail: ""
+ recommendation: "Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.5, 2.8.11.1, 2.9.5 or higher."
+ advisories: {
+ title: "GitHub Commit"
+ url: "https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2"
+ }
+ advisories: {
+ title: "GitHub Issue"
+ url: "https://github.com/FasterXML/jackson-databind/issues/1931"
+ }
+ created: {
+ seconds: 3173618478
+ nanos: 3
+ }
+ published: {
+ seconds: 3173618478
+ nanos: 3
+ }
+ updated: {
+ seconds: 3173618478
+ nanos: 3
+ }
+ credits: {
+ organizations: {
+ name: "Acme, Inc."
+ url: "https://example.com"
+ }
+ individuals: {
+ name: "Jane Doe"
+ email: "jane.doe@example.com"
+ }
+ }
+ tools: {
+ vendor: "Snyk"
+ name: "Snyk CLI (Linux)"
+ version: "1.729.0"
+ hashes: {
+ alg: HASH_ALG_SHA_256
+ value: "2eaf8c62831a1658c95d41fdc683cd177c147733c64a93e59cb2362829e45b7d"
+ }
+ }
+ analysis: {
+ state: IMPACT_ANALYSIS_STATE_NOT_AFFECTED
+ justification: IMPACT_ANALYSIS_JUSTIFICATION_CODE_NOT_REACHABLE
+ response: VULNERABILITY_RESPONSE_WILL_NOT_FIX
+ response: VULNERABILITY_RESPONSE_UPDATE
+ detail: "An optional explanation of why the application is not affected by the vulnerable component."
+ }
+ affects: {
+ ref: "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.9"
+ versions: {
+ range: "vers:semver/<2.6.7.5"
+ status: VULNERABILITY_AFFECTED_STATUS_AFFECTED
+ }
+ versions: {
+ range: "vers:semver/2.7.0|<2.8.11.1"
+ status: VULNERABILITY_AFFECTED_STATUS_AFFECTED
+ }
+ versions: {
+ range: "vers:semver/2.9.0|<2.9.5"
+ status: VULNERABILITY_AFFECTED_STATUS_AFFECTED
+ }
+ }
+}
diff --git a/tools/src/test/resources/1.4/valid-vulnerability-1.4.xml b/tools/src/test/resources/1.4/valid-vulnerability-1.4.xml
new file mode 100644
index 00000000..46b4448a
--- /dev/null
+++ b/tools/src/test/resources/1.4/valid-vulnerability-1.4.xml
@@ -0,0 +1,121 @@
+
+
+
+
+ com.fasterxml.jackson.core
+ jackson-databind
+ 2.9.4
+ pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.4
+
+
+
+
+ SNYK-JAVA-COMFASTERXMLJACKSONCORE-32111
+
+ Snyk
+ https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-32111
+
+
+
+ CVE-2018-7489
+
+ NVD
+ https://nvd.nist.gov/vuln/detail/CVE-2019-9997
+
+
+
+ CVE-2018-7489
+
+ NVD
+ https://nvd.nist.gov/vuln/detail/CVE-2019-9997
+
+
+
+
+
+
+ NVD
+ https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.0
+
+ 9.8
+ critical
+ CVSSv3
+ AN/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ An optional reason for rating the vulnerability as it was
+
+
+
+ 184
+ 502
+
+ FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
+
+ Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.5, 2.8.11.1, 2.9.5 or higher.
+
+
+ GitHub Commit
+ https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2
+
+
+ GitHub Issue
+ https://github.com/FasterXML/jackson-databind/issues/1931
+
+
+ 2021-01-01T00:00:00.000Z
+ 2021-01-01T00:00:00.000Z
+ 2021-01-01T00:00:00.000Z
+
+
+
+ Acme, Inc.
+ https://example.com
+
+
+
+
+ Jane Doe
+ jane.doe@example.com
+
+
+
+
+
+ Snyk
+ Snyk CLI (Linux)
+ 1.729.0
+
+ 2eaf8c62831a1658c95d41fdc683cd177c147733c64a93e59cb2362829e45b7d
+
+
+
+
+ not_affected
+ code_not_reachable
+
+ will_not_fix
+ update
+
+ An optional explanation of why the application is not affected by the vulnerable component.
+
+
+
+ pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.9
+
+
+ vers:semver/<2.6.7.5
+ affected
+
+
+ vers:semver/2.7.0|<2.8.11.1
+ affected
+
+
+ vers:semver/2.9.0|<2.9.5
+ affected
+
+
+
+
+
+
+