github.com/CycloneDX/sbom-utility@v0.16.0/examples/cyclonedx/VEX/Use-Cases/Case-12/vex.json (about)

     1  {
     2    "bomFormat": "CycloneDX",
     3    "specVersion": "1.4",
     4    "version": 1,
     5    "metadata" : {
     6      "timestamp" : "2022-01-13T00:00:00Z",
     7      "component" : {
     8        "name" : "Acme Product",
     9        "version": "2.2.0",
    10        "type" : "application",
    11        "bom-ref" : "acme-product"
    12      }
    13    },
    14    "vulnerabilities": [
    15      {
    16        "id": "CVE-2020-25649",
    17        "source": {
    18          "name": "NVD",
    19          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25649"
    20        },
    21        "analysis": {
    22          "state": "not_affected",
    23          "justification": "code_not_reachable",
    24          "response": ["will_not_fix", "update"],
    25          "detail": "Automated dataflow analysis and manual code review indicates that the vulnerable code is not reachable, either directly or indirectly."
    26        },
    27        "affects": [
    28          {
    29            "ref": "acme-product"
    30          }
    31        ]
    32      },
    33      {
    34        "id": "CVE-2020-35491",
    35        "source": {
    36          "name": "NVD",
    37          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35491"
    38        },
    39        "analysis": {
    40          "state": "exploitable",
    41          "response": ["will_not_fix", "update"],
    42          "detail": "Update to Acme Product v2.4.0 or higher"
    43        },
    44        "affects": [
    45          {
    46            "ref": "acme-product"
    47          }
    48        ]
    49      },
    50      {
    51        "id": "CVE-2020-14195",
    52        "source": {
    53          "name": "NVD",
    54          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14195"
    55        },
    56        "analysis": {
    57          "state": "not_affected",
    58          "justification": "protected_by_mitigating_control",
    59          "response": ["will_not_fix", "update"],
    60          "detail": "Vulnerability is not exploitable due to existing mitigating controls that prevent user-controlled input from being passed to JNDI."
    61        },
    62        "affects": [
    63          {
    64            "ref": "acme-product"
    65          }
    66        ]
    67      }
    68    ]
    69  }