github.com/CycloneDX/sbom-utility@v0.16.0/examples/cyclonedx/VEX/Use-Cases/Case-4/vex.json (about)

     1  {
     2    "bomFormat": "CycloneDX",
     3    "specVersion": "1.4",
     4    "version": 1,
     5    "metadata" : {
     6      "timestamp" : "2022-01-13T00:00:00Z",
     7      "component" : {
     8        "name" : "Acme Product",
     9        "type" : "application",
    10        "bom-ref" : "acme-product"
    11      }
    12    },
    13    "vulnerabilities": [
    14      {
    15        "id": "CVE-2020-25649",
    16        "source": {
    17          "name": "NVD",
    18          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25649"
    19        },
    20        "ratings": [
    21          {
    22            "source": {
    23              "name": "NVD",
    24              "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N&version=3.1"
    25            },
    26            "score": 7.5,
    27            "severity": "high",
    28            "method": "CVSSv31",
    29            "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
    30          },
    31          {
    32            "source": {
    33              "name": "Acme Inc",
    34              "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:N/MI:N/MA:N&version=3.1"
    35            },
    36            "score": 0.0,
    37            "severity": "none",
    38            "method": "CVSSv31",
    39            "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:N/MI:N/MA:N"
    40          }
    41        ],
    42        "analysis": {
    43          "state": "not_affected",
    44          "justification": "code_not_reachable",
    45          "response": ["will_not_fix", "update"],
    46          "detail": "Automated dataflow analysis and manual code review indicates that the vulnerable code is not reachable, either directly or indirectly."
    47        },
    48        "affects": [
    49          {
    50            "ref": "acme-product",
    51            "versions": [
    52              {
    53                "range": "vers:semver/>=2.2.0|<=2.4.0",
    54                "status": "unaffected"
    55              }
    56            ]
    57          }
    58        ]
    59      }
    60    ]
    61  }