github.com/CycloneDX/sbom-utility@v0.16.0/examples/cyclonedx/VEX/Use-Cases/Case-12/vex.json (about) 1 { 2 "bomFormat": "CycloneDX", 3 "specVersion": "1.4", 4 "version": 1, 5 "metadata" : { 6 "timestamp" : "2022-01-13T00:00:00Z", 7 "component" : { 8 "name" : "Acme Product", 9 "version": "2.2.0", 10 "type" : "application", 11 "bom-ref" : "acme-product" 12 } 13 }, 14 "vulnerabilities": [ 15 { 16 "id": "CVE-2020-25649", 17 "source": { 18 "name": "NVD", 19 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25649" 20 }, 21 "analysis": { 22 "state": "not_affected", 23 "justification": "code_not_reachable", 24 "response": ["will_not_fix", "update"], 25 "detail": "Automated dataflow analysis and manual code review indicates that the vulnerable code is not reachable, either directly or indirectly." 26 }, 27 "affects": [ 28 { 29 "ref": "acme-product" 30 } 31 ] 32 }, 33 { 34 "id": "CVE-2020-35491", 35 "source": { 36 "name": "NVD", 37 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35491" 38 }, 39 "analysis": { 40 "state": "exploitable", 41 "response": ["will_not_fix", "update"], 42 "detail": "Update to Acme Product v2.4.0 or higher" 43 }, 44 "affects": [ 45 { 46 "ref": "acme-product" 47 } 48 ] 49 }, 50 { 51 "id": "CVE-2020-14195", 52 "source": { 53 "name": "NVD", 54 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14195" 55 }, 56 "analysis": { 57 "state": "not_affected", 58 "justification": "protected_by_mitigating_control", 59 "response": ["will_not_fix", "update"], 60 "detail": "Vulnerability is not exploitable due to existing mitigating controls that prevent user-controlled input from being passed to JNDI." 61 }, 62 "affects": [ 63 { 64 "ref": "acme-product" 65 } 66 ] 67 } 68 ] 69 }