github.com/CycloneDX/sbom-utility@v0.16.0/examples/cyclonedx/VEX/Use-Cases/Case-4/vex.json (about) 1 { 2 "bomFormat": "CycloneDX", 3 "specVersion": "1.4", 4 "version": 1, 5 "metadata" : { 6 "timestamp" : "2022-01-13T00:00:00Z", 7 "component" : { 8 "name" : "Acme Product", 9 "type" : "application", 10 "bom-ref" : "acme-product" 11 } 12 }, 13 "vulnerabilities": [ 14 { 15 "id": "CVE-2020-25649", 16 "source": { 17 "name": "NVD", 18 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25649" 19 }, 20 "ratings": [ 21 { 22 "source": { 23 "name": "NVD", 24 "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N&version=3.1" 25 }, 26 "score": 7.5, 27 "severity": "high", 28 "method": "CVSSv31", 29 "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" 30 }, 31 { 32 "source": { 33 "name": "Acme Inc", 34 "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:N/MI:N/MA:N&version=3.1" 35 }, 36 "score": 0.0, 37 "severity": "none", 38 "method": "CVSSv31", 39 "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:N/MI:N/MA:N" 40 } 41 ], 42 "analysis": { 43 "state": "not_affected", 44 "justification": "code_not_reachable", 45 "response": ["will_not_fix", "update"], 46 "detail": "Automated dataflow analysis and manual code review indicates that the vulnerable code is not reachable, either directly or indirectly." 47 }, 48 "affects": [ 49 { 50 "ref": "acme-product", 51 "versions": [ 52 { 53 "range": "vers:semver/>=2.2.0|<=2.4.0", 54 "status": "unaffected" 55 } 56 ] 57 } 58 ] 59 } 60 ] 61 }