cyclonedx.model.vulnerability
=============================

.. py:module:: cyclonedx.model.vulnerability

.. autoapi-nested-parse::

   This set of classes represents the data that can be recorded about known vulnerabilities.

   Prior to CycloneDX schema version 1.4, vulnerabilities could be expressed ONLY in the XML form of the
   standard, through a schema extension: https://cyclonedx.org/ext/vulnerability.

   Since CycloneDX schema version 1.4, vulnerabilities are part of the core schema.

   .. note::
      See the CycloneDX Schema extension definition
      https://cyclonedx.org/docs/1.7/xml/#type_vulnerabilitiesType

Attributes
----------

.. autoapisummary::

   cyclonedx.model.vulnerability.VULNERABILITY_SCORE_SOURCE_VERSIONS

Classes
-------

.. autoapisummary::

   cyclonedx.model.vulnerability.BomTargetVersionRange
   cyclonedx.model.vulnerability.BomTarget
   cyclonedx.model.vulnerability.VulnerabilityAnalysis
   cyclonedx.model.vulnerability.VulnerabilityAdvisory
   cyclonedx.model.vulnerability.VulnerabilitySource
   cyclonedx.model.vulnerability.VulnerabilityReference
   cyclonedx.model.vulnerability.VulnerabilityScoreSource
   cyclonedx.model.vulnerability.VulnerabilitySeverity
   cyclonedx.model.vulnerability.VulnerabilityRating
   cyclonedx.model.vulnerability.VulnerabilityCredits
   cyclonedx.model.vulnerability.Vulnerability

Module Contents
---------------

.. py:class:: BomTargetVersionRange

   Class that represents either a single version or a version range, together with its affected status.
   `version` and `version_range` are mutually exclusive.

   .. note::
      See the CycloneDX schema:
      https://cyclonedx.org/docs/1.7/json/#tab-pane_vulnerabilities_items_affects_items_versions_items_oneOf_i0

   .. py:attribute:: version
      :type: Optional[str]

      A single version of a component or service.

   .. py:attribute:: range
      :type: Optional[str]

      A version range specified in Package URL Version Range syntax (vers).

   .. py:attribute:: status
      :type: Optional[cyclonedx.model.impact_analysis.ImpactAnalysisAffectedStatus]

      The vulnerability status for the version or range of versions.

.. py:class:: BomTarget

   Class that represents a reference to a Component or Service in a BOM.

   .. note::
      See the CycloneDX schema: https://cyclonedx.org/docs/1.7/json/#vulnerabilities_items_affects

   .. py:attribute:: ref
      :type: str

      Reference to a component or service by the object's `bom-ref`.

   .. py:property:: versions
      :type: SortedSet[BomTargetVersionRange]

      Zero or more individual versions or ranges of versions.

.. py:class:: VulnerabilityAnalysis

   Class that models the `analysis` sub-element of the `vulnerabilityType` complex type.

   .. note::
      See the CycloneDX schema: https://cyclonedx.org/docs/1.7/json/#vulnerabilities_items_analysis

   .. py:attribute:: state
      :type: Optional[cyclonedx.model.impact_analysis.ImpactAnalysisState]

      The declared current state of an occurrence of a vulnerability.

   .. py:attribute:: justification
      :type: Optional[cyclonedx.model.impact_analysis.ImpactAnalysisJustification]

      The rationale for why the impact analysis state was asserted.

   .. py:attribute:: detail
      :type: Optional[str]

      A detailed description of the impact.

   .. py:attribute:: first_issued
      :type: Optional[datetime.datetime]

      The timestamp when the analysis was first issued.

   .. py:attribute:: last_updated
      :type: Optional[datetime.datetime]

      The timestamp when the analysis was last updated.

   .. py:property:: responses
      :type: SortedSet[ImpactAnalysisResponse]

      A list of responses to the vulnerability.

.. py:class:: VulnerabilityAdvisory

   Class that models the `advisoryType` complex type.

   .. note::
      See the CycloneDX schema: https://cyclonedx.org/docs/1.7/json/#vulnerabilities_items_advisories

   .. py:attribute:: url
      :type: cyclonedx.model.XsUri

      The URL of this advisory.

   .. py:attribute:: title
      :type: Optional[str]

      The title of this advisory.

.. py:class:: VulnerabilitySource

   Class that models the `vulnerabilitySourceType` complex type.

   .. note::
      See the CycloneDX schema: https://cyclonedx.org/docs/1.7/json/#vulnerabilities_items_source

   .. py:attribute:: name
      :type: Optional[str]

      Name of this Source.

   .. py:attribute:: url
      :type: Optional[cyclonedx.model.XsUri]

      The URL of this Source.

.. py:class:: VulnerabilityReference

   Class that models the nested `reference` within the `vulnerabilityType` complex type.

   .. note::
      See the CycloneDX schema: https://cyclonedx.org/docs/1.7/json/#vulnerabilities_items_references

   .. py:attribute:: id
      :type: str

      The identifier that uniquely identifies the vulnerability in the associated Source.

   .. py:attribute:: source
      :type: VulnerabilitySource

      The source that published the vulnerability.

.. py:class:: VulnerabilityScoreSource

   Bases: :py:obj:`str`, :py:obj:`enum.Enum`

   Enum object that defines the permissible source types for a Vulnerability's score.

   .. note::
      See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.7/xml/#type_scoreSourceType

   .. py:attribute:: CVSS_V2
      :value: 'CVSSv2'

   .. py:attribute:: CVSS_V3
      :value: 'CVSSv3'

   .. py:attribute:: CVSS_V3_1
      :value: 'CVSSv31'

   .. py:attribute:: CVSS_V4
      :value: 'CVSSv4'

   .. py:attribute:: OWASP
      :value: 'OWASP'

   .. py:attribute:: SSVC
      :value: 'SSVC'

   .. py:attribute:: OTHER
      :value: 'other'

   .. py:method:: get_from_vector(vector: str) -> VulnerabilityScoreSource
      :staticmethod:

      Attempt to derive the correct SourceType from an attack vector.

   .. py:method:: get_localised_vector(vector: str) -> str

      Remove any Source Scheme prefix from the supplied vector, returning just the vector.

   .. py:method:: get_value_pre_1_4() -> str

      Some of the enum values changed in version 1.4 of the CycloneDX spec; this returns the pre-1.4 value.

.. py:data:: VULNERABILITY_SCORE_SOURCE_VERSIONS
   :type: dict[VulnerabilityScoreSource, set[cyclonedx.schema.SchemaVersion]]

.. py:class:: VulnerabilitySeverity

   Bases: :py:obj:`str`, :py:obj:`enum.Enum`

   Class that defines the permissible severities for a Vulnerability.

   .. note::
      See the CycloneDX schema: https://cyclonedx.org/docs/1.7/xml/#type_severityType

   .. py:attribute:: NONE
      :value: 'none'

   .. py:attribute:: INFO
      :value: 'info'

   .. py:attribute:: LOW
      :value: 'low'

   .. py:attribute:: MEDIUM
      :value: 'medium'

   .. py:attribute:: HIGH
      :value: 'high'

   .. py:attribute:: CRITICAL
      :value: 'critical'

   .. py:attribute:: UNKNOWN
      :value: 'unknown'

   .. py:method:: get_from_cvss_scores(scores: Union[tuple[float, ...], float, None]) -> VulnerabilitySeverity
      :staticmethod:

      Deprecated — Alias of :func:`cyclonedx.contrib.vulnerability.cvss.vs_from_cvss_scores()`.

.. py:class:: VulnerabilityRating

   Class that models the `ratingType` complex element of the CycloneDX core schema.

   .. note::
      See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.7/xml/#type_ratingType

   .. py:attribute:: source
      :type: Optional[VulnerabilitySource]

      The source that published the vulnerability.

   .. py:attribute:: score
      :type: Optional[decimal.Decimal]

      The numerical score of the rating.

   .. py:attribute:: severity
      :type: Optional[VulnerabilitySeverity]

      The textual representation of the severity.

   .. py:attribute:: method
      :type: Optional[VulnerabilityScoreSource]

      The risk scoring methodology/standard used.

   .. py:attribute:: vector
      :type: Optional[str]

      The textual representation of the metric values used to score the vulnerability.

   .. py:attribute:: justification
      :type: Optional[str]

      An optional reason for rating the vulnerability as it was.

.. py:class:: VulnerabilityCredits

   Class that models the `credits` of the `vulnerabilityType` complex type in the CycloneDX schema.

   .. note::
      See the CycloneDX schema: https://cyclonedx.org/docs/1.7/json/#vulnerabilities_items_credits

   .. py:property:: organizations
      :type: SortedSet[OrganizationalEntity]

      The organizations credited with vulnerability discovery.

   .. py:property:: individuals
      :type: SortedSet[OrganizationalContact]

      The individuals credited with vulnerability discovery.

.. py:class:: Vulnerability

   Class that models the `vulnerabilityType` complex type in the CycloneDX schema (version >= 1.4).

   .. note::
      See the CycloneDX schema: https://cyclonedx.org/docs/1.7/xml/#type_vulnerabilityType

   .. py:attribute:: id
      :type: Optional[str]

      The identifier that uniquely identifies the vulnerability.

   .. py:attribute:: source
      :type: Optional[VulnerabilitySource]

      The source that published the vulnerability.

   .. py:attribute:: description
      :type: Optional[str]

      A description of the vulnerability as provided by the source.

   .. py:attribute:: detail
      :type: Optional[str]

      If available, an in-depth description of the vulnerability.

   .. py:attribute:: recommendation
      :type: Optional[str]

      Recommendations of how the vulnerability can be remediated or mitigated.

   .. py:attribute:: workaround
      :type: Optional[str]

      A bypass, usually temporary, of the vulnerability.

   .. py:attribute:: created
      :type: Optional[datetime.datetime]

      The date and time when the vulnerability record was created.

   .. py:attribute:: published
      :type: Optional[datetime.datetime]

      The date and time when the vulnerability record was first published.

   .. py:attribute:: updated
      :type: Optional[datetime.datetime]

      The date and time when the vulnerability record was last updated.

   .. py:attribute:: credits
      :type: Optional[VulnerabilityCredits]

      Individuals or organizations credited with the discovery of the vulnerability.

   .. py:attribute:: analysis
      :type: Optional[VulnerabilityAnalysis]

      Analysis of the Vulnerability in your context.

   .. py:property:: bom_ref
      :type: cyclonedx.model.bom_ref.BomRef

      Get the unique reference for this Vulnerability in this BOM.

   .. py:property:: references
      :type: SortedSet[VulnerabilityReference]

      References to equivalent vulnerabilities in other sources.

   .. py:property:: ratings
      :type: SortedSet[VulnerabilityRating]

      List of vulnerability ratings.

   .. py:property:: cwes
      :type: SortedSet[int]

      A list of CWE (Common Weakness Enumeration) identifiers.

   .. py:property:: advisories
      :type: SortedSet[VulnerabilityAdvisory]

      Advisories relating to the Vulnerability.

   .. py:property:: tools
      :type: cyclonedx.model.tool.ToolRepository

      Tools used to create this BOM.

   .. py:property:: affects
      :type: SortedSet[BomTarget]

      The components or services that are affected by the vulnerability.

   .. py:property:: properties
      :type: SortedSet[Property]

      Properties in a key/value store.