schemas.v1.1.1.external.cvrf_1.1.vuln.xsd
The Java bindings for STIX v.1.2.0.2
This is the XML schema for the Common Vulnerability Reporting Framework's Vulnerability model. For more information, see the CVRF whitepaper.
Brian Schafer <[email protected]>
Joe Clarke <[email protected]>
Joe Hemmerlein <[email protected]>
2012-05-07
CVRF Vulnerability Dictionary
1.1
Types enumerating a party's current engagement status for this vulnerability.
The party has acknowledged that they are aware of the vulnerability report.
The party disputes the vulnerability report in its entirety.
Some hot-fixes, permanent fixes, or patches have been made available by the party, but more fixes or patches are going to be released in the future.
The party asserts that they have completed remediation of the vulnerability.
The party has been contacted, but was unresponsive or unavailable.
No contact has been attempted with the party.
String type to match CVE IDs
String type to match CWE IDs
String representing the components needed to compute the various CVSS scores
Types enumerating the affected statuses described by a vulnerability
The first version known to be affected by this vulnerability.
This version is the first fixed version for the vulnerability but may not be the recommended fixed version.
This version contains a fix for the vulnerability but may not be the recommended fixed version.
This version is known to be affected by the vulnerability.
This version is known NOT to be affected by the vulnerability.
This is the last version in a train known to be affected. Versions released after this would contain a fix for this vulnerability.
This version has a fix for the vulnerability and is the vendor-recommended version for fixing the vulnerability.
Types enumerating the Threat type described by the vulnerability
Impact contains an assessment of the impact on the user or the target set if the vulnerability is successfully exploited.
Exploit Status contains a description of the degree to which an exploit for the vulnerability is known.
Target Set contains a description of the currently known victim population in whatever terms are appropriate.
Types enumerating the Remedy type described by the vulnerability.
Workaround contains information about a configuration or specific deployment scenario that can be used to avoid exposure to the vulnerability.
Mitigation contains information about a configuration or deployment scenario that helps to reduce the risk of the vulnerability but that does not resolve the vulnerability on the affected product.
Vendor Fix contains information about an official fix that is issued by the original author of the affected product.
Currently there is no fix available.
There is no fix for the vulnerability and there never will be one.
Existing product ID from the product tree.
Existing product group ID from the product tree.
This is a meta-container for the aggregation of all fields that are related to a single vulnerability within the document.
Vulnerability Title gives the document producer the ability to apply a canonical name or title to the vulnerability.
Vulnerability ID gives the document producer a place to publish a unique label or tracking ID for the vulnerability (if such information exists).
System Name indicates the name of the vulnerability tracking or numbering system that this vulnerability ID comes from.
The Notes container holds all individual notes concerning this vulnerability.
The Notes text contains all of the content necessary to provide different types of low-level discussions of a given vulnerability to various audiences.
Title should be a concise description of what is contained in Vulnerability Notes.
Audience will indicate who is intended to read the note.
Type of content within this note.
Ordinal is a locally significant integral counter indexed from 1 used to track notes.
Date vulnerability was initially discovered by its original discoverer.
Date vulnerability was initially released to the public.
The Involvements container lists any number of vendor or third party interactions related to this vulnerability.
Involvement contains a specific set of interaction details.
The description of the Involvement.
Type of party with whom the involvement is taking place.
Status of the involvement with the specified party.
The CVE string refers to the MITRE standard Common Vulnerabilities Enumeration (CVE) tracking number for the vulnerability.
Detailed description of the referenced Common Weakness Enumeration (CWE) identifier.
The MITRE-assigned CWE identifier.
The ProductStatuses container holds the list of all the products affected by the vulnerability in question.
The Status element holds an enumerated value based on available Product Name Entry items as constructed from the Product Tree container.
Affected status for the product or products defined in this container.
Contains all Threat containers
Threat contains the "kinetic" information associated with a vulnerability.
The description of the Threat.
The type of the Threat.
The date this Threat item was last updated; if omitted it is deemed to be unknown, irrelevant, or unimportant.
The CVSS Score Set meta-container holds one or more CVSS score sets to describe vulnerable products.
CVSS scores for a given product ID. If the ProductID attribute is omitted, the score applies to all vulnerable products.
The CVSS Base Score is the numeric value of the computed CVSS Base Score, which should be a float from 0 to 10.0.
The CVSS Temporal Score is the numeric value of the computed CVSS Temporal Score, which should be a float from 0 to 10.0.
The CVSS Environmental Score is the numeric value of the computed CVSS Environmental Score, which should be a float from 0 to 10.0.
The CVSS Vector string is the official notation that contains all of the values used to compute the Base, Temporal, and Environmental scores.
The Remediation meta-container tag holds all related Workaround, Mitigation, Vendor Fix, and Entitlement entries that are associated with the specific vulnerability.
Holds all of the specific details on how to handle (and presumably, fix) the vulnerability, tied to Product ID.
Textual description of this remedy.
The Entitlement string will contain any possible vendor-defined constraints for obtaining fixed software or hardware that fully resolves the vulnerability.
URL from which the remedy can be obtained.
Specific type of remedy.
The date the Remedy was last updated; if omitted it is deemed to be unknown, unimportant, or irrelevant.
This meta-container should include references to any conferences, papers, advisories, and other resources that are related to this vulnerability.
This meta-container contains an orthogonally related document, background info, whitepaper, etc. to the specific vulnerability.
The URL of the related document.
The description of the related document.
Enumerated type value of reference relative to this document.
The Acknowledgments container holds one or more Acknowledgement containers for vulnerability-level acknowledgements.
The Acknowledgment container holds recognition for external parties who were instrumental in the discovery of, reporting of, and response to the vulnerability.
The name (i.e., individual name) of the party being acknowledged.
The organization of the party being acknowledged or the organization itself being acknowledged.
The details of the acknowledgment that address the recognition of external parties who were instrumental in the discovery of, reporting of, and response to the vulnerability described in this document.
The optional URL to the person, place, or thing being acknowledged.
Locally significant numeric value to track vulnerabilities within a CVRF document. This enables vulnerabilities to be referenced from elsewhere inside the document (often at the document level).
This is to ensure that each product status mentions a given ProductID only once.
This is to ensure that each CVSS score set mentions a given ProductID only once.
This is to ensure that each note has a unique ordinal value.
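An added example, not part of this artifact or of the CVRF schema itself: a small Python checker that applies the three uniqueness constraints above and the 0 to 10.0 CVSS score range to a constructed CVRF 1.1 Vulnerability fragment, the kind of sanity check an advisory-ingestion pipeline would run before trusting a feed. The namespace URI and the element and attribute names used (Notes/Note@Ordinal, ProductStatuses/Status/ProductID, CVSSScoreSets/ScoreSet/BaseScore and friends) are assumed from the CVRF 1.1 vulnerability schema and are not spelled out on this page; the sample document and its identifiers are constructed and deliberately violate every rule once.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Assumed CVRF 1.1 vulnerability namespace (not stated on this page).
NS = {"vuln": "http://www.icasi.org/CVRF/schema/vuln/1.1"}

# Constructed sample fragment. Element/attribute names are assumed from the
# CVRF 1.1 vuln schema; IDs and scores are made up. It breaks each rule once:
# a repeated Note Ordinal, a ProductID listed under two Status entries,
# a ProductID listed in two ScoreSets, and a BaseScore above 10.0.
SAMPLE = """<vuln:Vulnerability xmlns:vuln="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
  <vuln:Title>Constructed example vulnerability</vuln:Title>
  <vuln:ID SystemName="Example Bug Tracker">EXAMPLE-0001</vuln:ID>
  <vuln:Notes>
    <vuln:Note Title="Summary" Audience="All" Type="Summary" Ordinal="1">Constructed summary.</vuln:Note>
    <vuln:Note Title="Details" Audience="All" Type="Details" Ordinal="1">Repeated ordinal on purpose.</vuln:Note>
    <vuln:Note Title="Other" Audience="All" Type="Other" Ordinal="3">Fine.</vuln:Note>
  </vuln:Notes>
  <vuln:ProductStatuses>
    <vuln:Status Type="Known Affected">
      <vuln:ProductID>CVRFPID-0001</vuln:ProductID>
    </vuln:Status>
    <vuln:Status Type="Fixed">
      <vuln:ProductID>CVRFPID-0002</vuln:ProductID>
      <vuln:ProductID>CVRFPID-0001</vuln:ProductID>
    </vuln:Status>
  </vuln:ProductStatuses>
  <vuln:CVSSScoreSets>
    <vuln:ScoreSet>
      <vuln:BaseScore>7.5</vuln:BaseScore>
      <vuln:Vector>AV:N/AC:L/Au:N/C:P/I:P/A:P</vuln:Vector>
      <vuln:ProductID>CVRFPID-0001</vuln:ProductID>
    </vuln:ScoreSet>
    <vuln:ScoreSet>
      <vuln:BaseScore>11.0</vuln:BaseScore>
      <vuln:ProductID>CVRFPID-0001</vuln:ProductID>
    </vuln:ScoreSet>
  </vuln:CVSSScoreSets>
</vuln:Vulnerability>
"""


def _duplicates(values):
    """Return the sorted list of values that occur more than once."""
    return sorted(v for v, n in Counter(values).items() if n > 1)


def duplicate_note_ordinals(vuln):
    """Note ordinals must be unique within a Vulnerability."""
    notes = vuln.findall("vuln:Notes/vuln:Note", NS)
    return _duplicates(n.get("Ordinal") for n in notes)


def duplicate_status_products(vuln):
    """A ProductID may appear in only one Status entry."""
    ids = vuln.findall("vuln:ProductStatuses/vuln:Status/vuln:ProductID", NS)
    return _duplicates(p.text.strip() for p in ids)


def duplicate_scoreset_products(vuln):
    """A ProductID may appear in only one ScoreSet."""
    ids = vuln.findall("vuln:CVSSScoreSets/vuln:ScoreSet/vuln:ProductID", NS)
    return _duplicates(p.text.strip() for p in ids)


def cvss_scores_out_of_range(vuln):
    """Base, Temporal and Environmental scores must be floats in [0, 10.0]."""
    bad = []
    for name in ("BaseScore", "TemporalScore", "EnvironmentalScore"):
        for el in vuln.findall(f"vuln:CVSSScoreSets/vuln:ScoreSet/vuln:{name}", NS):
            try:
                score = float(el.text)
            except (TypeError, ValueError):
                bad.append((name, el.text))
                continue
            if not 0.0 <= score <= 10.0:
                bad.append((name, el.text))
    return bad


def check_vulnerability(xml_text):
    """Parse one Vulnerability element and report every constraint violation."""
    vuln = ET.fromstring(xml_text)
    return {
        "duplicate_note_ordinals": duplicate_note_ordinals(vuln),
        "duplicate_status_products": duplicate_status_products(vuln),
        "duplicate_scoreset_products": duplicate_scoreset_products(vuln),
        "cvss_out_of_range": cvss_scores_out_of_range(vuln),
    }


if __name__ == "__main__":
    for rule, findings in check_vulnerability(SAMPLE).items():
        print(f"{rule}: {findings or 'ok'}")
```

The checks are intentionally separate functions so a pipeline can fail hard on the uniqueness violations (which make a document ambiguous about which product carries which status or score) while merely flagging an out-of-range score for review.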