.cyclonedx-core-java.9.0.5.source-code.bom-1.4.proto Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of cyclonedx-core-java Show documentation
Show all versions of cyclonedx-core-java Show documentation
The CycloneDX core module provides a model representation of the BOM along with utilities to assist in creating, parsing, and validating BOMs.
syntax = "proto3";
package cyclonedx.v1_4;
import "google/protobuf/timestamp.proto";
// Specifies attributes of the text
message AttachedText {
// Specifies the content type of the text. Defaults to text/plain if not specified.
optional string content_type = 1;
// Specifies the optional encoding the text is represented in
optional string encoding = 2;
// SimpleContent value of element. Proactive controls such as input validation and sanitization should be employed to prevent misuse of attachment text.
string value = 3;
}
message Bom {
// The version of the CycloneDX specification a BOM is written to (starting at version 1.3)
string spec_version = 1;
// The version allows component publishers/authors to make changes to existing BOMs to update various aspects of the document such as description or licenses. When a system is presented with multiple BOMs for the same component, the system should use the most recent version of the BOM. The default version is '1' and should be incremented for each version of the BOM that is published. Each version of a component should have a unique BOM and if no changes are made to the BOMs, then each BOM will have a version of '1'.
optional int32 version = 2;
// Every BOM generated should have a unique serial number, even if the contents of the BOM being generated have not changed over time. The process or tool responsible for creating the BOM should create random UUID's for every BOM generated.
optional string serial_number = 3;
// Provides additional information about a BOM.
optional Metadata metadata = 4;
// Provides the ability to document a list of components.
repeated Component components = 5;
// Provides the ability to document a list of external services.
repeated Service services = 6;
// Provides the ability to document external references related to the BOM or to the project the BOM describes.
repeated ExternalReference external_references = 7;
// Provides the ability to document dependency relationships.
repeated Dependency dependencies = 8;
// Provides the ability to document aggregate completeness
repeated Composition compositions = 9;
// Vulnerabilities identified in components or services.
repeated Vulnerability vulnerabilities = 10;
}
enum Classification {
CLASSIFICATION_NULL = 0;
// A software application. Refer to https://en.wikipedia.org/wiki/Application_software for information about applications.
CLASSIFICATION_APPLICATION = 1;
// A software framework. Refer to https://en.wikipedia.org/wiki/Software_framework for information on how frameworks vary slightly from libraries.
CLASSIFICATION_FRAMEWORK = 2;
// A software library. Refer to https://en.wikipedia.org/wiki/Library_(computing) for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is recommended.
CLASSIFICATION_LIBRARY = 3;
// A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to https://en.wikipedia.org/wiki/Operating_system
CLASSIFICATION_OPERATING_SYSTEM = 4;
// A hardware device such as a processor, or chip-set. A hardware device containing firmware should include a component for the physical hardware itself, and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device.
CLASSIFICATION_DEVICE = 5;
// A computer file. Refer to https://en.wikipedia.org/wiki/Computer_file for information about files.
CLASSIFICATION_FILE = 6;
// A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. Refer to https://en.wikipedia.org/wiki/OS-level_virtualization
CLASSIFICATION_CONTAINER = 7;
// A special type of software that provides low-level control over a devices hardware. Refer to https://en.wikipedia.org/wiki/Firmware
CLASSIFICATION_FIRMWARE = 8;
}
message Commit {
// A unique identifier of the commit. This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes.
optional string uid = 1;
// The URL to the commit. This URL will typically point to a commit in a version control system.
optional string url = 2;
// The author who created the changes in the commit
optional IdentifiableAction author = 3;
// The person who committed or pushed the commit
optional IdentifiableAction committer = 4;
// The text description of the contents of the commit
optional string message = 5;
}
message Component {
// Specifies the type of component. For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.
Classification type = 1;
// The optional mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented such as an image, font, or executable. Some library or framework components may also have an associated mime-type.
optional string mime_type = 2;
// An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
optional string bom_ref = 3;
// The organization that supplied the component. The supplier may often be the manufacture, but may also be a distributor or repackager.
optional OrganizationalEntity supplier = 4;
// The person(s) or organization(s) that authored the component
optional string author = 5;
// The person(s) or organization(s) that published the component
optional string publisher = 6;
// The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org.
optional string group = 7;
// The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery
string name = 8;
// The component version. The version should ideally comply with semantic versioning but is not enforced. Version was made optional in v1.4 of the spec. For backward compatibility, it is RECOMMENDED to use an empty string to represent components without version information.
string version = 9;
// Specifies a description for the component
optional string description = 10;
// Specifies the scope of the component. If scope is not specified, 'runtime' scope should be assumed by the consumer of the BOM
optional Scope scope = 11;
repeated Hash hashes = 12;
repeated LicenseChoice licenses = 13;
// An optional copyright notice informing users of the underlying claims to copyright ownership in a published work.
optional string copyright = 14;
// DEPRECATED - DO NOT USE. This will be removed in a future version. Specifies a well-formed CPE name. See https://nvd.nist.gov/products/cpe
optional string cpe = 15;
// Specifies the package-url (PURL). The purl, if specified, must be valid and conform to the specification defined at: https://github.com/package-url/purl-spec
optional string purl = 16;
// Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags.
optional Swid swid = 17;
// DEPRECATED - DO NOT USE. This will be removed in a future version. Use the pedigree element instead to supply information on exactly how the component was modified. A boolean value indicating is the component has been modified from the original. A value of true indicates the component is a derivative of the original. A value of false indicates the component has not been modified from the original.
optional bool modified = 18;
// Component pedigree is a way to document complex supply chain scenarios where components are created, distributed, modified, redistributed, combined with other components, etc.
optional Pedigree pedigree = 19;
// Provides the ability to document external references related to the component or to the project the component describes.
repeated ExternalReference external_references = 20;
// Specifies optional sub-components. This is not a dependency tree. It provides a way to specify a hierarchical representation of component assemblies, similar to system -> subsystem -> parts assembly in physical supply chains.
repeated Component components = 21;
// Specifies optional, custom, properties
repeated Property properties = 22;
// Specifies optional license and copyright evidence
repeated Evidence evidence = 23;
// Specifies optional release notes.
optional ReleaseNotes releaseNotes = 24;
}
// Specifies the data classification.
message DataClassification {
// Specifies the flow direction of the data.
DataFlow flow = 1;
// SimpleContent value of element
string value = 2;
}
// Specifies the flow direction of the data. Valid values are: inbound, outbound, bi-directional, and unknown. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways, and unknown states that the direction is not known.
enum DataFlow {
DATA_FLOW_NULL = 0;
DATA_FLOW_INBOUND = 1;
DATA_FLOW_OUTBOUND = 2;
DATA_FLOW_BI_DIRECTIONAL = 3;
DATA_FLOW_UNKNOWN = 4;
}
message Dependency {
// References a component or service by the its bom-ref attribute
string ref = 1;
repeated Dependency dependencies = 2;
}
message Diff {
// Specifies the optional text of the diff
optional AttachedText text = 1;
// Specifies the URL to the diff
optional string url = 2;
}
message ExternalReference {
// Specifies the type of external reference. There are built-in types to describe common references. If a type does not exist for the reference being referred to, use the "other" type.
ExternalReferenceType type = 1;
// The URL to the external reference
string url = 2;
// An optional comment describing the external reference
optional string comment = 3;
// Optional integrity hashes for the external resource content
repeated Hash hashes = 4;
}
enum ExternalReferenceType {
// Use this if no other types accurately describe the purpose of the external reference
EXTERNAL_REFERENCE_TYPE_OTHER = 0;
// Version Control System
EXTERNAL_REFERENCE_TYPE_VCS = 1;
// Issue or defect tracking system, or an Application Lifecycle Management (ALM) system
EXTERNAL_REFERENCE_TYPE_ISSUE_TRACKER = 2;
// Website
EXTERNAL_REFERENCE_TYPE_WEBSITE = 3;
// Security advisories
EXTERNAL_REFERENCE_TYPE_ADVISORIES = 4;
// Bill-of-material document (CycloneDX, SPDX, SWID, etc)
EXTERNAL_REFERENCE_TYPE_BOM = 5;
// Mailing list or discussion group
EXTERNAL_REFERENCE_TYPE_MAILING_LIST = 6;
// Social media account
EXTERNAL_REFERENCE_TYPE_SOCIAL = 7;
// Real-time chat platform
EXTERNAL_REFERENCE_TYPE_CHAT = 8;
// Documentation, guides, or how-to instructions
EXTERNAL_REFERENCE_TYPE_DOCUMENTATION = 9;
// Community or commercial support
EXTERNAL_REFERENCE_TYPE_SUPPORT = 10;
// Direct or repository download location
EXTERNAL_REFERENCE_TYPE_DISTRIBUTION = 11;
// The URL to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness
EXTERNAL_REFERENCE_TYPE_LICENSE = 12;
// Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)
EXTERNAL_REFERENCE_TYPE_BUILD_META = 13;
// URL to an automated build system
EXTERNAL_REFERENCE_TYPE_BUILD_SYSTEM = 14;
}
enum HashAlg {
HASH_ALG_NULL = 0;
HASH_ALG_MD_5 = 1;
HASH_ALG_SHA_1 = 2;
HASH_ALG_SHA_256 = 3;
HASH_ALG_SHA_384 = 4;
HASH_ALG_SHA_512 = 5;
HASH_ALG_SHA_3_256 = 6;
HASH_ALG_SHA_3_384 = 7;
HASH_ALG_SHA_3_512 = 8;
HASH_ALG_BLAKE_2_B_256 = 9;
HASH_ALG_BLAKE_2_B_384 = 10;
HASH_ALG_BLAKE_2_B_512 = 11;
HASH_ALG_BLAKE_3 = 12;
}
// Specifies the file hash of the component
message Hash {
// Specifies the algorithm used to create the hash
HashAlg alg = 1;
// SimpleContent value of element
string value = 2;
}
message IdentifiableAction {
// The timestamp in which the action occurred
optional google.protobuf.Timestamp timestamp = 1;
// The name of the individual who performed the action
optional string name = 2;
// The email address of the individual who performed the action
optional string email = 3;
}
enum IssueClassification {
ISSUE_CLASSIFICATION_NULL = 0;
// A fault, flaw, or bug in software
ISSUE_CLASSIFICATION_DEFECT = 1;
// A new feature or behavior in software
ISSUE_CLASSIFICATION_ENHANCEMENT = 2;
// A special type of defect which impacts security
ISSUE_CLASSIFICATION_SECURITY = 3;
}
message Issue {
// Specifies the type of issue
IssueClassification type = 1;
// The identifier of the issue assigned by the source of the issue
optional string id = 2;
// The name of the issue
optional string name = 3;
// A description of the issue
optional string description = 4;
optional Source source = 5;
repeated string references = 6;
}
// The source of the issue where it is documented.
message Source {
// The name of the source. For example "National Vulnerability Database", "NVD", and "Apache"
optional string name = 1;
// The url of the issue documentation as provided by the source
optional string url = 2;
}
message LicenseChoice {
oneof choice {
License license = 1;
string expression = 2;
}
}
message License {
oneof license {
// A valid SPDX license ID
string id = 1;
// If SPDX does not define the license used, this field may be used to provide the license name
string name = 2;
}
// Specifies the optional full text of the attachment
optional AttachedText text = 3;
// The URL to the attachment file. If the attachment is a license or BOM, an externalReference should also be specified for completeness.
optional string url = 4;
}
message Metadata {
// The date and time (timestamp) when the document was created.
optional google.protobuf.Timestamp timestamp = 1;
// The tool(s) used in the creation of the BOM.
repeated Tool tools = 2;
// The person(s) who created the BOM. Authors are common in BOMs created through manual processes. BOMs created through automated means may not have authors.
repeated OrganizationalContact authors = 3;
// The component that the BOM describes.
optional Component component = 4;
// The organization that manufactured the component that the BOM describes.
optional OrganizationalEntity manufacture = 5;
// The organization that supplied the component that the BOM describes. The supplier may often be the manufacture, but may also be a distributor or repackager.
optional OrganizationalEntity supplier = 6;
// The license information for the BOM document
optional LicenseChoice licenses = 7;
// Specifies optional, custom, properties
repeated Property properties = 8;
}
message OrganizationalContact {
// The name of the contact
optional string name = 1;
// The email address of the contact.
optional string email = 2;
// The phone number of the contact.
optional string phone = 3;
}
message OrganizationalEntity {
// The name of the organization
optional string name = 1;
// The URL of the organization. Multiple URLs are allowed.
repeated string url = 2;
// A contact person at the organization. Multiple contacts are allowed.
repeated OrganizationalContact contact = 3;
}
enum PatchClassification {
PATCH_CLASSIFICATION_NULL = 0;
// A patch which is not developed by the creators or maintainers of the software being patched. Refer to https://en.wikipedia.org/wiki/Unofficial_patch
PATCH_CLASSIFICATION_UNOFFICIAL = 1;
// A patch which dynamically modifies runtime behavior. Refer to https://en.wikipedia.org/wiki/Monkey_patch
PATCH_CLASSIFICATION_MONKEY = 2;
// A patch which takes code from a newer version of software and applies it to older versions of the same software. Refer to https://en.wikipedia.org/wiki/Backporting
PATCH_CLASSIFICATION_BACKPORT = 3;
// A patch created by selectively applying commits from other versions or branches of the same software.
PATCH_CLASSIFICATION_CHERRY_PICK = 4;
}
message Patch {
// Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality
PatchClassification type = 1;
// The patch file (or diff) that show changes. Refer to https://en.wikipedia.org/wiki/Diff
optional Diff diff = 2;
repeated Issue resolves = 3;
}
// Component pedigree is a way to document complex supply chain scenarios where components are created, distributed, modified, redistributed, combined with other components, etc. Pedigree supports viewing this complex chain from the beginning, the end, or anywhere in the middle. It also provides a way to document variants where the exact relation may not be known.
message Pedigree {
// Describes zero or more components in which a component is derived from. This is commonly used to describe forks from existing projects where the forked version contains a ancestor node containing the original component it was forked from. For example, Component A is the original component. Component B is the component being used and documented in the BOM. However, Component B contains a pedigree node with a single ancestor documenting Component A - the original component from which Component B is derived from.
repeated Component ancestors = 1;
// Descendants are the exact opposite of ancestors. This provides a way to document all forks (and their forks) of an original or root component.
repeated Component descendants = 2;
// Variants describe relations where the relationship between the components are not known. For example, if Component A contains nearly identical code to Component B. They are both related, but it is unclear if one is derived from the other, or if they share a common ancestor.
repeated Component variants = 3;
// A list of zero or more commits which provide a trail describing how the component deviates from an ancestor, descendant, or variant.
repeated Commit commits = 4;
// A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. Patches may be complimentary to commits or may be used in place of commits.
repeated Patch patches = 5;
// Notes, observations, and other non-structured commentary describing the components pedigree.
optional string notes = 6;
}
enum Scope {
// Default
SCOPE_UNSPECIFIED = 0;
// The component is required for runtime
SCOPE_REQUIRED = 1;
// The component is optional at runtime. Optional components are components that are not capable of being called due to them not be installed or otherwise accessible by any means. Components that are installed but due to configuration or other restrictions are prohibited from being called must be scoped as 'required'.
SCOPE_OPTIONAL = 2;
// Components that are excluded provide the ability to document component usage for test and other non-runtime purposes. Excluded components are not reachable within a call graph at runtime.
SCOPE_EXCLUDED = 3;
}
message Service {
// An optional identifier which can be used to reference the service elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
optional string bom_ref = 1;
// The organization that provides the service.
optional OrganizationalEntity provider = 2;
// The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or project that produced the service or domain name. Whitespace and special characters should be avoided.
optional string group = 3;
// The name of the service. This will often be a shortened, single name of the service.
string name = 4;
// The service version.
optional string version = 5;
// Specifies a description for the service.
optional string description = 6;
repeated string endpoints = 7;
// A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. A value of false indicates the service does not require authentication.
optional bool authenticated = 8;
// A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. A value of false indicates that by using the service, a trust boundary is not crossed.
optional bool x_trust_boundary = 9;
repeated DataClassification data = 10;
repeated LicenseChoice licenses = 11;
// Provides the ability to document external references related to the service.
repeated ExternalReference external_references = 12;
// Specifies optional sub-service. This is not a dependency tree. It provides a way to specify a hierarchical representation of service assemblies, similar to system -> subsystem -> parts assembly in physical supply chains.
repeated Service services = 13;
// Specifies optional, custom, properties
repeated Property properties = 14;
// Specifies optional release notes.
optional ReleaseNotes releaseNotes = 15;
}
message Swid {
// Maps to the tagId of a SoftwareIdentity.
string tag_id = 1;
// Maps to the name of a SoftwareIdentity.
string name = 2;
// Maps to the version of a SoftwareIdentity.
optional string version = 3;
// Maps to the tagVersion of a SoftwareIdentity.
optional int32 tag_version = 4;
// Maps to the patch of a SoftwareIdentity.
optional bool patch = 5;
// Specifies the full content of the SWID tag.
optional AttachedText text = 6;
// The URL to the SWID file.
optional string url = 7;
}
// Specifies a tool (manual or automated).
message Tool {
// The vendor of the tool used to create the BOM.
optional string vendor = 1;
// The name of the tool used to create the BOM.
optional string name = 2;
// The version of the tool used to create the BOM.
optional string version = 3;
repeated Hash hashes = 4;
// Provides the ability to document external references related to the tool.
repeated ExternalReference external_references = 5;
}
// Specifies a property
message Property {
string name = 1;
optional string value = 2;
}
enum Aggregate {
// Default, no statement about the aggregate completeness is being made
AGGREGATE_NOT_SPECIFIED = 0;
// The aggregate composition is complete
AGGREGATE_COMPLETE = 1;
// The aggregate composition is incomplete
AGGREGATE_INCOMPLETE = 2;
// The aggregate composition is incomplete for first party components, complete for third party components
AGGREGATE_INCOMPLETE_FIRST_PARTY_ONLY = 3;
// The aggregate composition is incomplete for third party components, complete for first party components
AGGREGATE_INCOMPLETE_THIRD_PARTY_ONLY = 4;
// The aggregate composition completeness is unknown
AGGREGATE_UNKNOWN = 5;
}
message Composition {
// Indicates the aggregate completeness
Aggregate aggregate = 1;
// The assemblies the aggregate completeness applies to
repeated string assemblies = 2;
// The dependencies the aggregate completeness applies to
repeated string dependencies = 3;
}
message EvidenceCopyright {
// Copyright text
string text = 1;
}
message Evidence {
repeated LicenseChoice licenses = 1;
repeated EvidenceCopyright copyright = 2;
}
message Note {
// The ISO-639 (or higher) language code and optional ISO-3166 (or higher) country code. Examples include: "en", "en-US", "fr" and "fr-CA".
optional string locale = 1;
// Specifies the full content of the release note.
optional AttachedText text = 2;
}
message ReleaseNotes {
// The software versioning type. It is RECOMMENDED that the release type use one of 'major', 'minor', 'patch', 'pre-release', or 'internal'. Representing all possible software release types is not practical, so standardizing on the recommended values, whenever possible, is strongly encouraged.
string type = 1;
// The title of the release.
optional string title = 2;
// The URL to an image that may be prominently displayed with the release note.
optional string featuredImage = 3;
// The URL to an image that may be used in messaging on social media platforms.
optional string socialImage = 4;
// A short description of the release.
optional string description = 5;
// The date and time (timestamp) when the release note was created.
optional google.protobuf.Timestamp timestamp = 6;
// Optional alternate names the release may be referred to. This may include unofficial terms used by development and marketing teams (e.g. code names).
repeated string aliases = 7;
// Optional tags that may aid in search or retrieval of the release note.
repeated string tags = 8;
// A collection of issues that have been resolved.
repeated Issue resolves = 9;
// Zero or more release notes containing the locale and content. Multiple note messages may be specified to support release notes in a wide variety of languages.
repeated Note notes = 10;
// Specifies optional, custom, properties
repeated Property properties = 11;
}
message Vulnerability {
// An optional identifier which can be used to reference the vulnerability elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
optional string bom_ref = 1;
// The identifier that uniquely identifies the vulnerability.
optional string id = 2;
// The source that published the vulnerability.
optional Source source = 3;
// Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Often times, the same vulnerability may exist in multiple sources of vulnerability intelligence, but have different identifiers. References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.
repeated VulnerabilityReference references = 4;
// List of vulnerability ratings
repeated VulnerabilityRating ratings = 5;
// List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability. For example 399 (of https://cwe.mitre.org/data/definitions/399.html)
repeated int32 cwes = 6;
// A description of the vulnerability as provided by the source.
optional string description = 7;
// If available, an in-depth description of the vulnerability as provided by the source organization. Details often include examples, proof-of-concepts, and other information useful in understanding root cause.
optional string detail = 8;
// Recommendations of how the vulnerability can be remediated or mitigated.
optional string recommendation = 9;
// Published advisories of the vulnerability if provided.
repeated Advisory advisories = 10;
// The date and time (timestamp) when the vulnerability record was created in the vulnerability database.
optional google.protobuf.Timestamp created = 11;
// The date and time (timestamp) when the vulnerability record was first published.
optional google.protobuf.Timestamp published = 12;
// The date and time (timestamp) when the vulnerability record was last updated.
optional google.protobuf.Timestamp updated = 13;
// Individuals or organizations credited with the discovery of the vulnerability.
optional VulnerabilityCredits credits = 14;
// The tool(s) used to identify, confirm, or score the vulnerability.
repeated Tool tools = 15;
// An assessment of the impact and exploitability of the vulnerability.
optional VulnerabilityAnalysis analysis = 16;
// affects
repeated VulnerabilityAffects affects = 17;
// Specifies optional, custom, properties
repeated Property properties = 18;
}
message VulnerabilityReference {
// An identifier that uniquely identifies the vulnerability.
optional string id = 1;
// The source that published the vulnerability.
optional Source source = 2;
}
message VulnerabilityRating {
// The source that calculated the severity or risk rating of the vulnerability.
optional Source source = 1;
// The numerical score of the rating.
optional double score = 2;
// Textual representation of the severity that corresponds to the numerical score of the rating.
optional Severity severity = 3;
// Specifies the severity or risk scoring methodology or standard used.
optional ScoreMethod method = 4;
// Textual representation of the metric values used to score the vulnerability.
optional string vector = 5;
// An optional reason for rating the vulnerability as it was.
optional string justification = 6;
}
enum Severity {
SEVERITY_UNKNOWN = 0;
SEVERITY_CRITICAL = 1;
SEVERITY_HIGH = 2;
SEVERITY_MEDIUM = 3;
SEVERITY_LOW = 4;
SEVERITY_INFO = 5;
SEVERITY_NONE = 6;
}
enum ScoreMethod {
// An undefined score method
SCORE_METHOD_NULL = 0;
// Common Vulnerability Scoring System v2 - https://www.first.org/cvss/v2/
SCORE_METHOD_CVSSV2 = 1;
// Common Vulnerability Scoring System v3 - https://www.first.org/cvss/v3-0/
SCORE_METHOD_CVSSV3 = 2;
// Common Vulnerability Scoring System v3.1 - https://www.first.org/cvss/v3-1/
SCORE_METHOD_CVSSV31 = 3;
// OWASP Risk Rating Methodology - https://owasp.org/www-community/OWASP_Risk_Rating_Methodology
SCORE_METHOD_OWASP = 4;
// Other scoring method
SCORE_METHOD_OTHER = 5;
}
message Advisory {
// An optional name of the advisory.
optional string title = 1;
// Location where the advisory can be obtained.
string url = 2;
}
message VulnerabilityCredits {
// The organizations credited with vulnerability discovery.
repeated OrganizationalEntity organizations = 1;
// The individuals, not associated with organizations, that are credited with vulnerability discovery.
repeated OrganizationalContact individuals = 2;
}
message VulnerabilityAnalysis {
// Declares the current state of an occurrence of a vulnerability, after automated or manual analysis.
optional ImpactAnalysisState state = 1;
// The rationale of why the impact analysis state was asserted.
optional ImpactAnalysisJustification justification = 2;
// A response to the vulnerability by the manufacturer, supplier, or project responsible for the affected component or service. More than one response is allowed. Responses are strongly encouraged for vulnerabilities where the analysis state is exploitable.
repeated VulnerabilityResponse response = 3;
// Detailed description of the impact including methods used during assessment. If a vulnerability is not exploitable, this field should include specific details on why the component or service is not impacted by this vulnerability.
optional string detail = 4;
}
enum ImpactAnalysisState {
// An undefined impact analysis state
IMPACT_ANALYSIS_STATE_NULL = 0;
// The vulnerability has been remediated.
IMPACT_ANALYSIS_STATE_RESOLVED = 1;
// The vulnerability has been remediated and evidence of the changes are provided in the affected components pedigree containing verifiable commit history and/or diff(s).
IMPACT_ANALYSIS_STATE_RESOLVED_WITH_PEDIGREE = 2;
// The vulnerability may be directly or indirectly exploitable.
IMPACT_ANALYSIS_STATE_EXPLOITABLE = 3;
// The vulnerability is being investigated.
IMPACT_ANALYSIS_STATE_IN_TRIAGE = 4;
// The vulnerability is not specific to the component or service and was falsely identified or associated.
IMPACT_ANALYSIS_STATE_FALSE_POSITIVE = 5;
// The component or service is not affected by the vulnerability. Justification should be specified for all not_affected cases.
IMPACT_ANALYSIS_STATE_NOT_AFFECTED = 6;
}
enum ImpactAnalysisJustification {
// An undefined impact analysis justification
IMPACT_ANALYSIS_JUSTIFICATION_NULL = 0;
// The code has been removed or tree-shaked.
IMPACT_ANALYSIS_JUSTIFICATION_CODE_NOT_PRESENT = 1;
// The vulnerable code is not invoked at runtime.
IMPACT_ANALYSIS_JUSTIFICATION_CODE_NOT_REACHABLE = 2;
// Exploitability requires a configurable option to be set/unset.
IMPACT_ANALYSIS_JUSTIFICATION_REQUIRES_CONFIGURATION = 3;
// Exploitability requires a dependency that is not present.
IMPACT_ANALYSIS_JUSTIFICATION_REQUIRES_DEPENDENCY = 4;
// Exploitability requires a certain environment which is not present.
IMPACT_ANALYSIS_JUSTIFICATION_REQUIRES_ENVIRONMENT = 5;
// Exploitability requires a compiler flag to be set/unset.
IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_BY_COMPILER = 6;
// Exploits are prevented at runtime.
IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_AT_RUNTIME = 7;
// Attacks are blocked at physical, logical, or network perimeter.
IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_AT_PERIMETER = 8;
// Preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability.
IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_BY_MITIGATING_CONTROL = 9;
}
enum VulnerabilityResponse {
VULNERABILITY_RESPONSE_NULL = 0;
VULNERABILITY_RESPONSE_CAN_NOT_FIX = 1;
VULNERABILITY_RESPONSE_WILL_NOT_FIX = 2;
VULNERABILITY_RESPONSE_UPDATE = 3;
VULNERABILITY_RESPONSE_ROLLBACK = 4;
VULNERABILITY_RESPONSE_WORKAROUND_AVAILABLE = 5;
}
message VulnerabilityAffects {
// References a component or service by the objects bom-ref
string ref = 1;
// Zero or more individual versions or range of versions.
repeated VulnerabilityAffectedVersions versions = 2;
}
message VulnerabilityAffectedVersions {
oneof choice {
// A single version of a component or service.
string version = 1;
// A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst
string range = 2;
}
// The vulnerability status for the version or range of versions.
optional VulnerabilityAffectedStatus status = 3;
}
enum VulnerabilityAffectedStatus {
// The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.
VULNERABILITY_AFFECTED_STATUS_UNKNOWN = 0;
VULNERABILITY_AFFECTED_STATUS_AFFECTED = 1;
VULNERABILITY_AFFECTED_STATUS_NOT_AFFECTED = 2;
}