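// SPDX-License-Identifier: Apache-2.0
/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements. See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package schema

// CDXVulnerability is the Go mapping of the CycloneDX "vulnerability" object.
//
// v1.4: created "vulnerability" defn.
// v1.5: added "workaround", "proofOfConcept", "rejected"
// Note: "bom-ref" is a "ref-type" which is a constrained `string`
// Note: "cwes" is an array of "cwe" which is a constrained `int`
// NOTE: CDXRefType is a named `string` type as of v1.5
//
// Every field carries `omitempty` so an unset field is left out of the
// marshaled JSON rather than emitted as `null`/"". "references" used to be the
// lone exception: a nil pointer serialized as `"references": null`, which a
// schema that declares the property as an array rejects. It now uses
// `omitempty` like its siblings; decoding is unaffected by the tag.
//
// Nothing in this type validates its contents. Ids, source URLs, free-form
// text (description, detail, recommendation, workaround), the cwes list and
// the timestamp strings are carried through verbatim from the input document;
// treat them as untrusted when rendering, dereferencing or comparing them.
type CDXVulnerability struct {
	Id             string                        `json:"id,omitempty"`             // v1.4
	Source         *CDXVulnerabilitySource       `json:"source,omitempty"`         // v1.4
	BOMRef         *CDXRefType                   `json:"bom-ref,omitempty"`        // v1.4
	References     *[]CDXVulnerabilityReference  `json:"references,omitempty"`     // v1.4: anon. type; omitempty added so nil is not emitted as null
	Ratings        *[]CDXRating                  `json:"ratings,omitempty"`        // v1.4
	Cwes           *[]int                        `json:"cwes,omitempty"`           // v1.4: plain ints; the schema's lower bound on a "cwe" is not enforced here
	Description    string                        `json:"description,omitempty"`    // v1.4
	Detail         string                        `json:"detail,omitempty"`         // v1.4
	Recommendation string                        `json:"recommendation,omitempty"` // v1.4
	Advisories     *[]CDXAdvisory                `json:"advisories,omitempty"`     // v1.4
	Created        string                        `json:"created,omitempty"`        // v1.4: raw string; not parsed as a timestamp here
	Published      string                        `json:"published,omitempty"`      // v1.4: raw string; not parsed as a timestamp here
	Updated        string                        `json:"updated,omitempty"`        // v1.4: raw string; not parsed as a timestamp here
	Credits        *CDXCredit                    `json:"credits,omitempty"`        // v1.4: anon. type
	Tools          interface{}                   `json:"tools,omitempty"`          // v1.4: added; v1.5: changed to interface{} — accepts any JSON shape, so consumers must type-assert (presumably the v1.5 schema changed the property's shape; confirm before relying on either form)
	Analysis       *CDXAnalysis                  `json:"analysis,omitempty"`       // v1.4: anon. type
	Affects        *[]CDXAffect                  `json:"affects,omitempty"`        // v1.4: anon. type
	Properties     *[]CDXProperty                `json:"properties,omitempty"`     // v1.4: added
	Workaround     string                        `json:"workaround,omitempty"`     // v1.5: added
	ProofOfConcept *CDXProofOfConcept            `json:"proofOfConcept,omitempty"` // v1.5: added
	Rejected       string                        `json:"rejected,omitempty"`       // v1.5: added; raw string, presumably a timestamp like created/published — confirm against the v1.5 schema
}

// CDXVulnerabilityReference is the in-line element type of the "references"
// array in CDXVulnerability: an identifier for the same vulnerability in
// another source.
//
// v1.4 This is an anonymous type used in CDXVulnerability
type CDXVulnerabilityReference struct {
	Id     string                  `json:"id,omitempty"`     // v1.4
	Source *CDXVulnerabilitySource `json:"source,omitempty"` // v1.4
}

// CDXVulnerabilitySource names where a vulnerability (or rating, or
// reference) was obtained from.
//
// v1.4: created "vulnerabilitySource" defn.
// Note: "url" is of type "string" (and not an "iri-reference")
// TODO: "url" SHOULD be an "iri-reference"
// NOTE(review): Url is not validated by this type; anything that fetches or
// links it should check the scheme/host first rather than trusting the document.
type CDXVulnerabilitySource struct {
	Url  string `json:"url,omitempty"`  // v1.4
	Name string `json:"name,omitempty"` // v1.4
}

// v1.4: created "rating" defn.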
// Note: "score" is of type "number" which should map to `float64`
// Note: "severity" is of type "severity" which is a constrained `string`
// Note: "method" is of type "scoreMethod" which is a constrained `string`
// NOTE(review): Score is a plain float64 with `omitempty`, so a genuine score
// of 0.0 is dropped on marshal and cannot be told apart from "no score" after
// unmarshal. A *float64 would distinguish them, but that changes the type seen
// by every caller reading Score directly, so it is only noted here.
// Severity, Method and Vector are not checked against the schema's enumerations
// or vector grammar by this type; out-of-range values pass through unchanged.
type CDXRating struct {
	Source        *CDXVulnerabilitySource `json:"source,omitempty"`        // v1.4
	Score         float64                 `json:"score,omitempty"`         // v1.4: see note above — 0.0 is omitted
	Severity      string                  `json:"severity,omitempty"`      // v1.4
	Method        string                  `json:"method,omitempty"`        // v1.4
	Vector        string                  `json:"vector,omitempty"`        // v1.4
	Justification string                  `json:"justification,omitempty"` // v1.4
}

// CDXAdvisory is the element type of the "advisories" array in CDXVulnerability.
//
// v1.4: created "advisory" defn. (the earlier comment said "releaseNotes", which
// is a different definition)
// Note: "url" is of type "iri-reference"
// NOTE(review): the iri-reference format is not enforced by this type; treat
// Url as an untrusted string before dereferencing or rendering it.
type CDXAdvisory struct {
	Title string `json:"title,omitempty"` // v1.4
	Url   string `json:"url,omitempty"`   // v1.4
}

// CDXCredit lists the organizations and individuals credited for a
// vulnerability.
//
// v1.4: created "credit" defn. to represent the in-line, anon. type
// found in the "vulnerability" type defn.
type CDXCredit struct {
	Organizations *[]CDXOrganizationalEntity  `json:"organizations,omitempty"` // v1.4
	Individuals   *[]CDXOrganizationalContact `json:"individuals,omitempty"`   // v1.4
}

// CDXAnalysis carries the producer's impact analysis (VEX-style state,
// justification and response) for a vulnerability.
//
// v1.4: created "analysis" def. to represent an in-line, anon. type defined in the "vulnerability" object defn.
// v1.5: added "firstIssued", "lastUpdated"
// Note: "state" is an "impactAnalysisState" type which is a constrained enum. of type `string`
// Note: "justification" is an "impactAnalysisJustification" type which is a constrained enum. of type `string`
// TODO: "response" is also "in-lined" as a constrained enum. of `string`, but SHOULD be declared at top-level
// NOTE(review): none of the enumerations are enforced by this type. A consumer
// that acts on State (e.g. treating "not_affected" as "ignore") must validate
// the value against the schema first; an unknown string is not rejected here.
type CDXAnalysis struct {
	State         string    `json:"state,omitempty"`         // v1.4
	Justification string    `json:"justification,omitempty"` // v1.4
	Response      *[]string `json:"response,omitempty"`      // v1.4: anon. type
	Detail        string    `json:"detail,omitempty"`        // v1.4
	FirstIssued   string    `json:"firstIssued,omitempty"`   // v1.5: added; raw string, not parsed as a timestamp here
	LastUpdated   string    `json:"lastUpdated,omitempty"`   // v1.5: added; raw string, not parsed as a timestamp here
}

// CDXAffect names one component/service (by ref) affected by a vulnerability,
// together with the affected version ranges.
//
// v1.4: created "affect" def. to represent an in-line, anon. type
// v1.5: Note: "ref" is a constrained "string" which can be "anyOf": ["#/definitions/refLinkType", "#/definitions/bomLinkElementType"]
// Note: This anon. "type" ONLY includes a single array of another in-line type
// TODO: create top-level defn. for "affect" anon. type
// NOTE(review): Ref is not resolved or checked for existence by this type; a
// dangling or duplicated ref is only detectable by whoever walks the BOM.
type CDXAffect struct {
	Versions *[]CDXVersionRange `json:"versions,omitempty"` // v1.4: anon. type
	Ref      *CDXRefLinkType    `json:"ref,omitempty"`      // v1.5: added
}

// CDXVersionRange is the element type of CDXAffect.Versions: either an exact
// version or a range, plus its affected status.
//
// v1.4: created "version" def. to represent an in-line, anon. type
// Note "version" is a top-level defn. that is a constrained `string` type
// Note "affectedStatus" is a top-level defn. that is an enum. of `string` type
// Note: "version" constrains strings to a min/max (1, 1024) length;
// this concept SHOULD APPLY to all free-form text entries (e.g., descriptive text)
// NOTE(review): neither the length bound nor the status enumeration is enforced
// by this type; Range is an opaque string and is not parsed here.
// TODO: create top-level defn. for "versions" (a.k.a. "versionRange") anon. type (name TBD)
type CDXVersionRange struct {
	Version string `json:"version,omitempty"` // v1.4
	Range   string `json:"range,omitempty"`   // v1.4
	Status  string `json:"status,omitempty"`  // v1.4
}

// CDXProofOfConcept holds free-form reproduction details for a vulnerability.
//
// v1.5: created ("reproductionSteps", "environment", "supportingMaterial")
// TODO: "supportingMaterial" should be plural as it is an "array"
// NOTE(review): ReproductionSteps and Environment are unbounded, untrusted text
// straight from the document; escape them when rendering and do not execute or
// interpret them.
type CDXProofOfConcept struct {
	ReproductionSteps string                   `json:"reproductionSteps,omitempty"` // v1.5: added
	Environment       string                   `json:"environment,omitempty"`       // v1.5: added
	SupportingMaterial *[]CDXSupportingMaterial `json:"supportingMaterial,omitempty"` // v1.5: added
}

// CDXSupportingMaterial is an attached blob (by content type and encoding)
// backing a proof of concept.
//
// v1.5: created ("contentType", "encoding", "content")
// NOTE(review): Content is an opaque string; nothing here decodes it, bounds its
// size, or checks that Encoding/ContentType are values the schema allows. A
// consumer that decodes Content should cap the decoded size and validate the
// declared encoding first — confirm the permitted encodings against the v1.5 schema.
type CDXSupportingMaterial struct {
	ContentType string `json:"contentType,omitempty"` // v1.5: added
	Encoding    string `json:"encoding,omitempty"`    // v1.5: added
	Content     string `json:"content,omitempty"`     // v1.5: added
}