github.com/CycloneDX/sbom-utility@v0.16.0/examples/cyclonedx/VEX/Use-Cases/Case-13/vex.json (about) 1 { 2 "bomFormat": "CycloneDX", 3 "specVersion": "1.4", 4 "version": 1, 5 "vulnerabilities": [ 6 { 7 "id": "CVE-2020-25649", 8 "source": { 9 "name": "NVD", 10 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25649" 11 }, 12 "ratings": [ 13 { 14 "source": { 15 "name": "NVD", 16 "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N&version=3.1" 17 }, 18 "score": 7.5, 19 "severity": "high", 20 "method": "CVSSv31", 21 "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" 22 }, 23 { 24 "source": { 25 "name": "Acme Inc", 26 "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:N/MI:N/MA:N&version=3.1" 27 }, 28 "score": 0.0, 29 "severity": "none", 30 "method": "CVSSv31", 31 "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:N/MI:N/MA:N" 32 } 33 ], 34 "analysis": { 35 "state": "not_affected", 36 "justification": "code_not_reachable", 37 "response": ["will_not_fix", "update"], 38 "detail": "Automated dataflow analysis and manual code review indicates that the vulnerable code is not reachable, either directly or indirectly." 39 }, 40 "affects": [ 41 { 42 "ref": "urn:cdx:2c385cf7-e1ee-46e9-a51c-13de1ecb380a/1#acme-product-1" 43 }, 44 { 45 "ref": "urn:cdx:6ffac0b2-5246-4fb9-a6fe-7993041856a0/1#acme-product-2" 46 } 47 ] 48 }, 49 { 50 "id": "CVE-2020-25649", 51 "source": { 52 "name": "NVD", 53 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25649" 54 }, 55 "analysis": { 56 "state": "exploitable", 57 "detail": "Automated dataflow analysis and manual code review indicates that the vulnerable code is not reachable, either directly or indirectly." 58 }, 59 "affects": [ 60 { 61 "ref": "urn:cdx:240b5b0b-917d-4f48-816c-97e1944d8079/1#acme-product-3" 62 } 63 ] 64 } 65 ] 66 }