github.com/CycloneDX/sbom-utility@v0.16.0/examples/cyclonedx/VEX/Use-Cases/Case-5/vex.json (about) 1 { 2 "bomFormat": "CycloneDX", 3 "specVersion": "1.4", 4 "version": 1, 5 "metadata" : { 6 "timestamp" : "2022-01-13T00:00:00Z", 7 "component" : { 8 "name" : "Acme Product", 9 "type" : "application", 10 "bom-ref" : "acme-product" 11 } 12 }, 13 "vulnerabilities": [ 14 { 15 "id": "CVE-2020-25649", 16 "source": { 17 "name": "NVD", 18 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25649" 19 }, 20 "ratings": [ 21 { 22 "source": { 23 "name": "NVD", 24 "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N&version=3.1" 25 }, 26 "score": 7.5, 27 "severity": "high", 28 "method": "CVSSv31", 29 "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" 30 } 31 ], 32 "analysis": { 33 "state": "exploitable" 34 }, 35 "affects": [ 36 { 37 "ref": "acme-product", 38 "versions": [ 39 { 40 "range": "vers:semver/<7.0.0|>=1.5.0", 41 "status": "affected" 42 } 43 ] 44 } 45 ] 46 }, 47 { 48 "id": "CVE-2020-25649", 49 "source": { 50 "name": "NVD", 51 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25649" 52 }, 53 "ratings": [ 54 { 55 "source": { 56 "name": "Acme Inc", 57 "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:N/MI:N/MA:N&version=3.1" 58 }, 59 "score": 0.0, 60 "severity": "none", 61 "method": "CVSSv31", 62 "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:N/MI:N/MA:N" 63 } 64 ], 65 "analysis": { 66 "state": "not_affected", 67 "justification": "code_not_reachable", 68 "response": ["will_not_fix", "update"], 69 "detail": "Automated dataflow analysis and manual code review indicates that the vulnerable code is not reachable, either directly or indirectly." 70 }, 71 "affects": [ 72 { 73 "ref": "acme-product", 74 "versions": [ 75 { 76 "range": "vers:semver/<1.5.0|>=7.0.0", 77 "status": "unaffected" 78 } 79 ] 80 } 81 ] 82 } 83 ] 84 }