github.com/CycloneDX/sbom-utility@v0.16.0/examples/cyclonedx/VEX/CISA-Use-Cases/Case-8/vex.json (about) 1 { 2 "bomFormat": "CycloneDX", 3 "specVersion": "1.4", 4 "version": 1, 5 "vulnerabilities": [ 6 { 7 "id": "CVE-2021-44228", 8 "source": { 9 "name": "NVD", 10 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228" 11 }, 12 "ratings": [ 13 { 14 "source": { 15 "name": "NVD", 16 "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H&version=3.1" 17 }, 18 "score": 10.0, 19 "severity": "critical", 20 "method": "CVSSv31", 21 "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" 22 } 23 ], 24 "analysis": { 25 "state": "exploitable", 26 "response": ["will_not_fix", "update"], 27 "detail": "Versions of Products ABC and JKL are affected by the vulnerability. Customers are advised to upgrade to the latest releases." 28 }, 29 "affects": [ 30 { 31 "ref": "urn:cdx:cbb2cd68-2857-43b8-a10b-e8c03d277d18/1#product-ABC", 32 "versions": [ 33 { 34 "version": "2.4", 35 "status": "affected" 36 }, 37 { 38 "version": "2.6", 39 "status": "affected" 40 }, 41 { 42 "range": "vers:generic/>=2.9|<=4.1", 43 "status": "affected" 44 } 45 ] 46 }, 47 { 48 "ref": "urn:cdx:e4c3eedc-4978-470c-ad02-6ffff63738ff/1#product-JKL", 49 "versions": [ 50 { 51 "range": "vers:generic/>=4.5|<=5.0", 52 "status": "affected" 53 } 54 ] 55 } 56 ] 57 }, 58 { 59 "id": "CVE-2021-44228", 60 "source": { 61 "name": "NVD", 62 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228" 63 }, 64 "ratings": [ 65 { 66 "source": { 67 "name": "NVD", 68 "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:N/MI:N/MA:N&version=3.1" 69 }, 70 "score": 0.0, 71 "severity": "none", 72 "method": "CVSSv31", 73 "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:N/MI:N/MA:N" 74 } 75 ], 76 "analysis": { 77 "state": "not_affected", 78 "justification": 
"code_not_present", 79 "response": ["will_not_fix"], 80 "detail": "These versions of Product ABC are not affected by the vulnerability. Class with vulnerable code was removed before shipping." 81 }, 82 "affects": [ 83 { 84 "ref": "urn:cdx:cbb2cd68-2857-43b8-a10b-e8c03d277d18/1#product-ABC", 85 "versions": [ 86 { 87 "range": "vers:generic/>=1.0|<=2.3", 88 "status": "unaffected" 89 }, 90 { 91 "version": "2.5", 92 "status": "unaffected" 93 }, 94 { 95 "range": "vers:generic/>=2.7|<=2.8", 96 "status": "unaffected" 97 }, 98 { 99 "version": "4.2", 100 "status": "unaffected" 101 } 102 ] 103 } 104 ] 105 }, 106 { 107 "id": "CVE-2021-44228", 108 "source": { 109 "name": "NVD", 110 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228" 111 }, 112 "ratings": [ 113 { 114 "source": { 115 "name": "NVD", 116 "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:N/MI:N/MA:N&version=3.1" 117 }, 118 "score": 0.0, 119 "severity": "none", 120 "method": "CVSSv31", 121 "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:N/MI:N/MA:N" 122 } 123 ], 124 "analysis": { 125 "state": "not_affected", 126 "justification": "code_not_present", 127 "response": ["will_not_fix"], 128 "detail": "These versions of Product JKL are not affected by the vulnerability. Log4j was not included in those versions at all." 
129 }, 130 "affects": [ 131 { 132 "ref": "urn:cdx:e4c3eedc-4978-470c-ad02-6ffff63738ff/1#product-JKL", 133 "versions": [ 134 { 135 "range": "vers:generic/>=1.0|<=4.4", 136 "status": "unaffected" 137 } 138 ] 139 } 140 ] 141 }, 142 { 143 "id": "CVE-2021-44228", 144 "source": { 145 "name": "NVD", 146 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228" 147 }, 148 "ratings": [ 149 { 150 "source": { 151 "name": "NVD", 152 "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:N/MI:N/MA:N&version=3.1" 153 }, 154 "score": 0.0, 155 "severity": "none", 156 "method": "CVSSv31", 157 "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:N/MI:N/MA:N" 158 } 159 ], 160 "analysis": { 161 "state": "resolved", 162 "detail": "These versions of Product JKL have been fixed." 163 }, 164 "affects": [ 165 { 166 "ref": "urn:cdx:e4c3eedc-4978-470c-ad02-6ffff63738ff/1#product-JKL", 167 "versions": [ 168 { 169 "version": "5.1" 170 }, 171 { 172 "version": "5.2" 173 } 174 ] 175 } 176 ] 177 }, 178 { 179 "id": "CVE-2021-45105", 180 "source": { 181 "name": "NVD", 182 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105" 183 }, 184 "ratings": [ 185 { 186 "source": { 187 "name": "NVD", 188 "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1" 189 }, 190 "score": 5.9, 191 "severity": "medium", 192 "method": "CVSSv31", 193 "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" 194 } 195 ], 196 "analysis": { 197 "state": "exploitable", 198 "response": ["will_not_fix", "update"], 199 "detail": "Versions of Products ABC and JKL are affected by the vulnerability. Customers are advised to upgrade to the latest releases." 
200 }, 201 "affects": [ 202 { 203 "ref": "urn:cdx:cbb2cd68-2857-43b8-a10b-e8c03d277d18/1#product-ABC", 204 "versions": [ 205 { 206 "version": "2.4", 207 "status": "affected" 208 }, 209 { 210 "version": "2.6", 211 "status": "affected" 212 }, 213 { 214 "range": "vers:generic/>=2.9|<=4.1", 215 "status": "affected" 216 } 217 ] 218 }, 219 { 220 "ref": "urn:cdx:e4c3eedc-4978-470c-ad02-6ffff63738ff/1#product-JKL", 221 "versions": [ 222 { 223 "range": "vers:generic/>=4.5|<=5.0", 224 "status": "affected" 225 }, 226 { 227 "version": "5.1", 228 "status": "affected" 229 } 230 ] 231 } 232 ] 233 }, 234 { 235 "id": "CVE-2021-45105", 236 "source": { 237 "name": "NVD", 238 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105" 239 }, 240 "ratings": [ 241 { 242 "source": { 243 "name": "NVD", 244 "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:N/MI:N/MA:N&version=3.1" 245 }, 246 "score": 0.0, 247 "severity": "none", 248 "method": "CVSSv31", 249 "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:N/MI:N/MA:N" 250 } 251 ], 252 "analysis": { 253 "state": "not_affected", 254 "justification": "code_not_present", 255 "response": ["will_not_fix"], 256 "detail": "These versions of Product ABC are not affected by the vulnerability. Class with vulnerable code was removed before shipping." 
257 }, 258 "affects": [ 259 { 260 "ref": "urn:cdx:cbb2cd68-2857-43b8-a10b-e8c03d277d18/1#product-ABC", 261 "versions": [ 262 { 263 "range": "vers:generic/>=1.0|<=2.3", 264 "status": "unaffected" 265 }, 266 { 267 "version": "2.5", 268 "status": "unaffected" 269 }, 270 { 271 "range": "vers:generic/>=2.7|<=2.8", 272 "status": "unaffected" 273 }, 274 { 275 "version": "4.2", 276 "status": "unaffected" 277 } 278 ] 279 }, 280 { 281 "ref": "urn:cdx:e4c3eedc-4978-470c-ad02-6ffff63738ff/1#product-JKL", 282 "versions": [ 283 { 284 "range": "vers:generic/>=1.0|<=4.4", 285 "status": "unaffected" 286 }, 287 { 288 "version": "5.2", 289 "status": "unaffected" 290 } 291 ] 292 } 293 ] 294 }, 295 { 296 "id": "CVE-2021-45105", 297 "source": { 298 "name": "NVD", 299 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105" 300 }, 301 "ratings": [ 302 { 303 "source": { 304 "name": "NVD", 305 "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:N/MI:N/MA:N&version=3.1" 306 }, 307 "score": 0.0, 308 "severity": "none", 309 "method": "CVSSv31", 310 "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:N/MI:N/MA:N" 311 } 312 ], 313 "analysis": { 314 "state": "not_affected", 315 "justification": "code_not_present", 316 "response": ["will_not_fix"], 317 "detail": "These versions of Product JKL are not affected by the vulnerability. Log4j was not included in those versions at all." 
318 }, 319 "affects": [ 320 { 321 "ref": "urn:cdx:e4c3eedc-4978-470c-ad02-6ffff63738ff/1#product-JKL", 322 "versions": [ 323 { 324 "range": "vers:generic/>=1.0|<=4.4", 325 "status": "unaffected" 326 } 327 ] 328 } 329 ] 330 }, 331 { 332 "id": "CVE-2021-45105", 333 "source": { 334 "name": "NVD", 335 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105" 336 }, 337 "ratings": [ 338 { 339 "source": { 340 "name": "NVD", 341 "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:N/MI:N/MA:N&version=3.1" 342 }, 343 "score": 0.0, 344 "severity": "none", 345 "method": "CVSSv31", 346 "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:N/MI:N/MA:N" 347 } 348 ], 349 "analysis": { 350 "state": "resolved", 351 "detail": "This version of Product JKL has been fixed." 352 }, 353 "affects": [ 354 { 355 "ref": "urn:cdx:e4c3eedc-4978-470c-ad02-6ffff63738ff/1#product-JKL", 356 "versions": [ 357 { 358 "version": "5.2" 359 } 360 ] 361 } 362 ] 363 } 364 ] 365 }