github.com/CycloneDX/sbom-utility@v0.16.0/examples/cyclonedx/VEX/Use-Cases/Case-1/vex.json (about) 1 { 2 "bomFormat": "CycloneDX", 3 "specVersion": "1.4", 4 "version": 1, 5 "metadata" : { 6 "timestamp" : "2022-01-13T00:00:00Z", 7 "component" : { 8 "name" : "Acme Product", 9 "version": "2.4.0", 10 "type" : "application", 11 "bom-ref" : "acme-product" 12 } 13 }, 14 "vulnerabilities": [ 15 { 16 "id": "CVE-2020-25649", 17 "source": { 18 "name": "NVD", 19 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25649" 20 }, 21 "ratings": [ 22 { 23 "source": { 24 "name": "NVD", 25 "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N&version=3.1" 26 }, 27 "score": 7.5, 28 "severity": "high", 29 "method": "CVSSv31", 30 "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" 31 }, 32 { 33 "source": { 34 "name": "Acme Inc", 35 "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:N/MI:N/MA:N&version=3.1" 36 }, 37 "score": 0.0, 38 "severity": "none", 39 "method": "CVSSv31", 40 "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:N/MI:N/MA:N" 41 } 42 ], 43 "analysis": { 44 "state": "not_affected", 45 "justification": "code_not_reachable", 46 "response": ["will_not_fix", "update"], 47 "detail": "Automated dataflow analysis and manual code review indicates that the vulnerable code is not reachable, either directly or indirectly." 48 }, 49 "affects": [ 50 { 51 "ref": "acme-product" 52 } 53 ] 54 } 55 ] 56 }