specification.jsonschema.vulnerability-status.json Maven / Gradle / Ivy
The newest version!
{
"$schema": "https://json-schema.org/draft/2019-09/schema",
"$id": "https://www.metaeffekt.com/schema/artifact-analysis/latest/vulnerability-status.json",
"type": "object",
"title": "Vulnerability Status Object schema documentation",
"additionalProperties": false,
"additionalItems": false,
"properties": {
"validation": {
"$ref": "vulnerability-status-validation.json"
},
"affects": {
"type": "object",
"title": "Vulnerabilities/CPE affected by file",
"description": "Specifies what vulnerabilities or CPE should be affected by this status file. If more than one file applies to the same vulnerability, a random one will be selected.",
"additionalProperties": false,
"additionalItems": false,
"minProperties": 1,
"maxProperties": 3,
"properties": {
"cve": {
"type": "array",
"title": "Affected Vulnerability-IDs",
"description": "All Vulnerabilities contained in this list will have this status file applied. If custom vulnerabilities are defined, their IDs can be used as well.",
"items": {
"type": "string",
"title": "A Vulnerability-ID"
}
},
"cpe": {
"type": "array",
"title": "Affected CPEs",
"description": "All Vulnerabilities with CPE version 2.0 or 3.x contained in this list will have this status file applied.",
"items": {
"type": "string",
"title": "A CPE 2.0 or 3.x string"
}
},
"cwe": {
"type": "array",
"title": "Affected CWEs",
"description": "All Vulnerabilities with a CWE from this list will have this status file applied.",
"items": {
"type": "string",
"title": "A CPE 2.0 or 3.x string"
}
},
"condition": {
"type": "string",
"title": "Vulnerability Filter",
"description": "A vulnerability filter string as used in the vulnerabilityFilterEnrichment. If specified, the list of matching vulnerabilities from the other properties in the affects section will be further filtered using this filter. If no other condition is given, this filter will be applied to all vulnerabilities in the inventory."
}
}
},
"title": {
"type": "string",
"title": "Vulnerability Title",
"description": "This title will be displayed in the Vulnerability Assessment Dashboard and the Vulnerability Report."
},
"scope": {
"type": "string",
"title": "Vulnerability Scope",
"enum": [
"artifact",
"inventory"
],
"description": "Default value: 'artifact'. If set to 'inventory', the status is applied to all vulnerabilities in the inventory. A note with the status will also be included in the 'Info' sheet."
},
"cvssV2": {
"oneOf": [
{
"$ref": "#/$defs/cvssV2"
},
{
"type": "object",
"additionalProperties": false,
"properties": {
"all": {
"$ref": "#/$defs/cvssV2"
},
"higher": {
"$ref": "#/$defs/cvssV2"
},
"lower": {
"$ref": "#/$defs/cvssV2"
}
}
}
]
},
"cvssV3": {
"oneOf": [
{
"$ref": "#/$defs/cvssV3"
},
{
"type": "object",
"additionalProperties": false,
"properties": {
"all": {
"$ref": "#/$defs/cvssV3"
},
"higher": {
"$ref": "#/$defs/cvssV3"
},
"lower": {
"$ref": "#/$defs/cvssV3"
}
}
}
]
},
"cvssV4": {
"oneOf": [
{
"$ref": "#/$defs/cvssV4"
},
{
"type": "object",
"additionalProperties": false,
"properties": {
"all": {
"$ref": "#/$defs/cvssV4"
},
"higher": {
"$ref": "#/$defs/cvssV4"
},
"lower": {
"$ref": "#/$defs/cvssV4"
}
}
}
]
},
"reported": {
"type": "object",
"title": "Reported by",
"description": "Specifies the timestamp and person that requested this file to be accepted.",
"additionalProperties": false,
"additionalItems": false,
"minProperties": 1,
"properties": {
"by": {
"type": "string",
"title": "Reporter"
},
"date": {
"type": "string",
"title": "Report date"
}
}
},
"accepted": {
"type": "object",
"title": "Accepted by",
"description": "Specifies the timestamp and person that accepted this file.",
"additionalProperties": false,
"additionalItems": false,
"minProperties": 1,
"properties": {
"by": {
"type": "string",
"title": "Accepter"
},
"date": {
"type": "string",
"title": "Accept date"
}
}
},
"history": {
"type": "array",
"title": "Status history",
"description": "A list of status entries, each specifying a step in the escalation or resolution of the affected vulnerabilities.",
"items": {
"type": "object",
"title": "Status History entry",
"additionalProperties": false,
"additionalItems": false,
"minProperties": 1,
"properties": {
"status": {
"type": "string",
"title": "Vulnerability Status",
"oneOf": [
{
"enum": [
"applicable",
"not applicable",
"insignificant",
"void"
]
}
]
},
"rationale": {
"type": "string",
"title": "Rationale"
},
"risk": {
"type": "string",
"title": "Risk"
},
"measures": {
"type": "string",
"title": "Measures"
},
"score": {
"type": [
"number",
"integer"
],
"title": "Context Score",
"description": "Used as context score in the Vulnerability Assessment Dashboard."
},
"author": {
"type": "string",
"title": "Author",
"description": "The author of the status history entry."
},
"date": {
"type": "string",
"title": "Last updated"
},
"priority": {
"type": "integer",
"title": "Entry Priority",
"description": "Use a priority value to overwrite the sorting criteria of the status entries. Entries with a higher priority value will be sorted before entries with a lower priority value. The default priority is 0.",
"default": 0
},
"labels": {
"type": "object",
"title": "Feature Labels",
"description": "Used to exclude specific status entries. Feature Labels can be provided when executing the build step. If include labels are provided, at least one must be set. None of the exclude labels may be set.",
"additionalProperties": false,
"additionalItems": false,
"minProperties": 1,
"properties": {
"includes": {
"type": "array",
"title": "Include Labels",
"description": "At least one include label must be set.",
"items": {
"type": "string",
"title": "Include Labels"
}
},
"excludes": {
"type": "array",
"title": "The excludes Schema",
"description": "None of the exclude label must be set.",
"items": {
"type": "string",
"title": "Exclude Labels"
}
}
}
}
}
}
},
"reviewed": {
"type": "array",
"title": "Reviewed Advisories",
"description": "Reviewed advisory identifiers can be provided to mark them as reviewed. A description can be provided.",
"items": {
"anyOf": [
{
"type": "string",
"description": "An advisory ID optionally followed by a description in brackets.",
"pattern": "^[^()]+(?:\\([^)]+\\))?$"
},
{
"type": "object",
"description": "An id and optionally a comment field.",
"additionalProperties": false,
"additionalItems": false,
"required": [
"id"
],
"properties": {
"id": {
"type": "string",
"title": "Advisory ID"
},
"comment": {
"type": "string",
"title": "Comment"
}
}
}
]
}
},
"active": {
"type": "boolean",
"title": "Status file active flag",
"description": "Whether to use or skip this file during enrichment."
}
},
"$defs": {
"cvssV2": {
"type": "string",
"title": "CVSS 2.0 vector",
"description": "Stores a CVSS 2.0 vector that can be applied to another CVSS vector or vulnerability.",
"pattern": "^(CVSS:2\\.\\d/)?((AV|AC|Au|C|I|A|E|RL|RC|CDP|TD|CR|IR|AR):[^/]+(/|$))+$"
},
"cvssV3": {
"type": "string",
"title": "CVSS 3.x vector",
"description": "Stores a CVSS 3.x vector that can be applied to another CVSS vector or vulnerability.",
"pattern": "^(CVSS:3\\.\\d/)?((AV|AC|PR|UI|S|C|I|A|E|RL|RC|MAV|MAC|MPR|MUI|MS|MC|MI|MA|CR|IR|AR):[^/]+(/|$))+$"
},
"cvssV4": {
"type": "string",
"title": "CVSS 4.0 vector",
"description": "Stores a CVSS 4.0 vector that can be applied to another CVSS vector or vulnerability.",
"pattern": "^(CVSS:4\\.\\d/)?((AV|AC|AT|PR|UI|VC|VI|VA|SC|SI|SA|S|AU|R|V|RE|U|MAV|MAC|MAT|MPR|MUI|MVC|MVI|MVA|MSC|MSI|MSA|CR|IR|AR|E):[^/]+(/|$))+$"
}
}
}© 2015 - 2025 Weber Informatics LLC | Privacy Policy