github.com/CycloneDX/sbom-utility@v0.16.0/schema/cyclonedx_vulnerability.go

// SPDX-License-Identifier: Apache-2.0
/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package schema

// v1.4: created "vulnerability" defn.
// v1.5: added "workaround", "proofOfConcept", "rejected"
// Note: "bom-ref" is a "ref-type" which is a constrained `string`
// Note: "cwes" is a array of "cwe" which is a constrained `int`
// NOTE: CDXRefType is a named `string` type as of v1.5
type CDXVulnerability struct {
	Id             string                       `json:"id,omitempty"`             // v1.4
	Source         *CDXVulnerabilitySource      `json:"source,omitempty"`         // v1.4
	BOMRef         *CDXRefType                  `json:"bom-ref,omitempty"`        // v1.4
	References     *[]CDXVulnerabilityReference `json:"references"`               // v1.4: anon. type
	Ratings        *[]CDXRating                 `json:"ratings,omitempty"`        // v1.4
	Cwes           *[]int                       `json:"cwes,omitempty"`           // v1.4
	Description    string                       `json:"description,omitempty"`    // v1.4
	Detail         string                       `json:"detail,omitempty"`         // v1.4
	Recommendation string                       `json:"recommendation,omitempty"` // v1.4
	Advisories     *[]CDXAdvisory               `json:"advisories,omitempty"`     // v1.4
	Created        string                       `json:"created,omitempty"`        // v1.4
	Published      string                       `json:"published,omitempty"`      // v1.4
	Updated        string                       `json:"updated,omitempty"`        // v1.4
	Credits        *CDXCredit                   `json:"credits,omitempty"`        // v1.4: anon. type
	Tools          interface{}                  `json:"tools,omitempty"`          // v1.4: added; v1.5: changed to interface{}
	Analysis       *CDXAnalysis                 `json:"analysis,omitempty"`       // v1.4: anon. type
	Affects        *[]CDXAffect                 `json:"affects,omitempty"`        // v1.4: anon. type
	Properties     *[]CDXProperty               `json:"properties,omitempty"`     // v1.4: added
	Workaround     string                       `json:"workaround,omitempty"`     // v1.5: added
	ProofOfConcept *CDXProofOfConcept           `json:"proofOfConcept,omitempty"` // v1.5: added
	Rejected       string                       `json:"rejected,omitempty"`       // v1.5: added
}

// v1.4 This is an anonymous type used in CDXVulnerability
type CDXVulnerabilityReference struct {
	Id     string                  `json:"id,omitempty"`     // v1.4
	Source *CDXVulnerabilitySource `json:"source,omitempty"` // v1.4
}

// v1.4: created "vulnerabilitySource" defn.
// Note: "url" is of type "string" (and not an "iri-reference")
// TODO: "url" SHOULD be an "iri-reference"
type CDXVulnerabilitySource struct {
	Url  string `json:"url,omitempty"`  // v1.4
	Name string `json:"name,omitempty"` // v1.4
}

// v1.4: created "rating" defn.
// Note: "score" is of type "number" which should map to `float64`
// Note: "severity" is of type "severity" which is a constrained `string`
// Note: "method" is of type "scoreMethod" which is a constrained `string`
type CDXRating struct {
	Source        *CDXVulnerabilitySource `json:"source,omitempty"`        // v1.4
	Score         float64                 `json:"score,omitempty"`         // v1.4
	Severity      string                  `json:"severity,omitempty"`      // v1.4
	Method        string                  `json:"method,omitempty"`        // v1.4
	Vector        string                  `json:"vector,omitempty"`        // v1.4
	Justification string                  `json:"justification,omitempty"` // v1.4
}

// v1.4: created "releaseNotes" defn.
// Note: "url" is of type "iri-reference"
type CDXAdvisory struct {
	Title string `json:"title,omitempty"` // v1.4
	Url   string `json:"url,omitempty"`   // v1.4
}

// v1.4: created "credit" defn. to represent the in-line, anon. type
// found in the "vulnerability" type defn.
type CDXCredit struct {
	Organizations *[]CDXOrganizationalEntity  `json:"organizations,omitempty"` // v1.4
	Individuals   *[]CDXOrganizationalContact `json:"individuals,omitempty"`   // v1.4
}

// v1.4: created "analysis" def. to represent an in-line, anon. type defined in the "vulnerability" object defn.
// v1.5: added "firstIssued", "lastUpdated"
// Note: "state" is an "impactAnalysisState" type which is a constrained enum. of type `string`
// Note: "justification" is an "impactAnalysisJustification" type which is a constrained enum. of type `string`
// TODO: "response" is also "in-lined" as a constrained enum. of `string`, but SHOULD be declared at top-level
type CDXAnalysis struct {
	State         string    `json:"state,omitempty"`         // v1.4
	Justification string    `json:"justification,omitempty"` // v1.4
	Response      *[]string `json:"response,omitempty"`      // v1.4: anon. type
	Detail        string    `json:"detail,omitempty"`        // v1.4
	FirstIssued   string    `json:"firstIssued,omitempty"`   // v1.5: added
	LastUpdated   string    `json:"lastUpdated,omitempty"`   // v1.5: added
}

// v1.4: created "analysis" def. to represent an in-line, anon. type
// v1.5: Note: "ref" is a constrained "string" which can be "anyOf": ["#/definitions/refLinkType", "#/definitions/bomLinkElementType"]
// Note: This anon. "type" ONLY includes a single array of another in-line type
// TODO: create top-level defn. for "affect" anon. type
type CDXAffect struct {
	Versions *[]CDXVersionRange `json:"versions,omitempty"` // v1.4: anon. type
	Ref      *CDXRefLinkType    `json:"ref,omitempty"`      // v1.5: added
}

// v1.4: created "version" def. to represent an in-line, anon. type
// Note "version" is a top-level defn. that is a constrained `string` type
// Note "affectedStatus" is a top-level defn. that is an enum. of `string` type
// Note: Both "version" constrains strings to a min/mac (1, 1024) length
// this concept SHOULD APPLY to all free-form text entries (e.g., descriptive text)
// TODO: create top-level defn. for "versions" (a.k.a. "versionRange") anon. type (name TBD)
type CDXVersionRange struct {
	Version string `json:"version,omitempty"` // v1.4
	Range   string `json:"range,omitempty"`   // v1.4
	Status  string `json:"status,omitempty"`  // v1.4
}

// v1.5: created ("reproductionSteps", "environment", "supportingMaterial")
// TODO: "supportingMaterial" should be plural as it is an "array"
type CDXProofOfConcept struct {
	ReproductionSteps  string                   `json:"reproductionSteps,omitempty"`  // v1.5: added
	Environment        string                   `json:"environment,omitempty"`        // v1.5: added
	SupportingMaterial *[]CDXSupportingMaterial `json:"supportingMaterial,omitempty"` // v1.5: added
}

// v1.5: created ("contentType", "encoding", "content")
type CDXSupportingMaterial struct {
	ContentType string `json:"contentType,omitempty"` // v1.5: added
	Encoding    string `json:"encoding,omitempty"`    // v1.5: added
	Content     string `json:"content,omitempty"`     // v1.5: added
}