github.com/CycloneDX/sbom-utility@v0.16.0/examples/cyclonedx/VEX/CISA-Use-Cases/Case-7/vex.json (about)

     1  {
     2    "bomFormat": "CycloneDX",
     3    "specVersion": "1.4",
     4    "version": 1,
     5    "vulnerabilities": [
     6      {
     7        "id": "CVE-2021-44228",
     8        "source": {
     9          "name": "NVD",
    10          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228"
    11        },
    12        "ratings": [
    13          {
    14            "source": {
    15              "name": "NVD",
    16              "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H&version=3.1"
    17            },
    18            "score": 10.0,
    19            "severity": "critical",
    20            "method": "CVSSv31",
    21            "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
    22          }
    23        ],
    24        "analysis": {
    25          "state": "exploitable",
    26          "response": ["will_not_fix", "update"],
    27          "detail": "Versions of Products ABC and JKL are affected by the vulnerability. Customers are advised to upgrade to the latest releases."
    28        },
    29        "affects": [
    30          {
    31            "ref": "urn:cdx:cbb2cd68-2857-43b8-a10b-e8c03d277d18/1#product-ABC",
    32            "versions": [
    33              {
    34                "version": "2.4",
    35                "status": "affected"
    36              },
    37              {
    38                "version": "2.6",
    39                "status": "affected"
    40              },
    41              {
    42                "range": "vers:generic/>=2.9|<=4.1",
    43                "status": "affected"
    44              }
    45            ]
    46          },
    47          {
    48            "ref": "urn:cdx:e4c3eedc-4978-470c-ad02-6ffff63738ff/1#product-JKL",
    49            "versions": [
    50              {
    51                "range": "vers:generic/>=4.5|<=5.0",
    52                "status": "affected"
    53              }
    54            ]
    55          }
    56        ]
    57      },
    58      {
    59        "id": "CVE-2021-44228",
    60        "source": {
    61          "name": "NVD",
    62          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228"
    63        },
    64        "ratings": [
    65          {
    66            "source": {
    67              "name": "NVD",
    68              "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:N/MI:N/MA:N&version=3.1"
    69            },
    70            "score": 0.0,
    71            "severity": "none",
    72            "method": "CVSSv31",
    73            "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:N/MI:N/MA:N"
    74          }
    75        ],
    76        "analysis": {
    77          "state": "not_affected",
    78          "justification": "code_not_present",
    79          "response": ["will_not_fix"],
    80          "detail": "These versions of Product ABC are not affected by the vulnerability. The class containing the vulnerable code was removed before shipping."
    81        },
    82        "affects": [
    83          {
    84            "ref": "urn:cdx:cbb2cd68-2857-43b8-a10b-e8c03d277d18/1#product-ABC",
    85            "versions": [
    86              {
    87                "range": "vers:generic/>=1.0|<=2.3",
    88                "status": "unaffected"
    89              },
    90              {
    91                "version": "2.5",
    92                "status": "unaffected"
    93              },
    94              {
    95                "range": "vers:generic/>=2.7|<=2.8",
    96                "status": "unaffected"
    97              },
    98              {
    99                "version": "4.2",
   100                "status": "unaffected"
   101              }
   102            ]
   103          }
   104        ]
   105      },
   106      {
   107        "id": "CVE-2021-44228",
   108        "source": {
   109          "name": "NVD",
   110          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228"
   111        },
   112        "ratings": [
   113          {
   114            "source": {
   115              "name": "NVD",
   116              "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:N/MI:N/MA:N&version=3.1"
   117            },
   118            "score": 0.0,
   119            "severity": "none",
   120            "method": "CVSSv31",
   121            "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:N/MI:N/MA:N"
   122          }
   123        ],
   124        "analysis": {
   125          "state": "not_affected",
   126          "justification": "code_not_present",
   127          "response": ["will_not_fix"],
   128          "detail": "These versions of Product JKL are not affected by the vulnerability. Log4j was not included in those versions at all."
   129        },
   130        "affects": [
   131          {
   132            "ref": "urn:cdx:e4c3eedc-4978-470c-ad02-6ffff63738ff/1#product-JKL",
   133            "versions": [
   134              {
   135                "range": "vers:generic/>=1.0|<=4.4",
   136                "status": "unaffected"
   137              }
   138            ]
   139          }
   140        ]
   141      },
   142      {
   143        "id": "CVE-2021-44228",
   144        "source": {
   145          "name": "NVD",
   146          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228"
   147        },
   148        "ratings": [
   149          {
   150            "source": {
   151              "name": "NVD",
   152              "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:N/MI:N/MA:N&version=3.1"
   153            },
   154            "score": 0.0,
   155            "severity": "none",
   156            "method": "CVSSv31",
   157            "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:N/MI:N/MA:N"
   158          }
   159        ],
   160        "analysis": {
   161          "state": "resolved",
   162          "detail": "This version of Product JKL has been fixed."
   163        },
   164        "affects": [
   165          {
   166            "ref": "urn:cdx:e4c3eedc-4978-470c-ad02-6ffff63738ff/1#product-JKL",
   167            "versions": [
   168              {
   169                "version": "5.1"
   170              }
   171            ]
   172          }
   173        ]
   174      }
   175    ]
   176  }