cyclonedx.model.vulnerability
These classes represent the data that can be recorded about known vulnerabilities.
Prior to CycloneDX schema version 1.4, vulnerabilities could be expressed only in the XML flavour of the standard, through a schema extension: https://cyclonedx.org/ext/vulnerability.
Since CycloneDX schema version 1.4, vulnerabilities are part of the core schema.
Note
See the CycloneDX schema definition: https://cyclonedx.org/docs/1.7/xml/#type_vulnerabilitiesType
Attributes
- VULNERABILITY_SCORE_SOURCE_VERSIONS
Classes
- BomTargetVersionRange: Class that represents either a version or version range and its affected status.
- BomTarget: Class that represents referencing a Component or Service in a BOM.
- VulnerabilityAnalysis: Class that models the analysis sub-element of the vulnerabilityType complex type.
- VulnerabilityAdvisory: Class that models the advisoryType complex type.
- VulnerabilitySource: Class that models the vulnerabilitySourceType complex type.
- VulnerabilityReference: Class that models the nested reference within the vulnerabilityType complex type.
- VulnerabilityScoreSource: Enum object that defines the permissible source types for a Vulnerability's score.
- VulnerabilitySeverity: Class that defines the permissible severities for a Vulnerability.
- VulnerabilityRating: Class that models the ratingType complex element in the CycloneDX core schema.
- VulnerabilityCredits: Class that models the credits of the vulnerabilityType complex type in the CycloneDX schema.
- Vulnerability: Class that models the vulnerabilityType complex type in the CycloneDX schema (version >= 1.4).
Module Contents
- class cyclonedx.model.vulnerability.BomTargetVersionRange
Class that represents either a version or version range and its affected status.
version and version_range are mutually exclusive.
Note
See the CycloneDX schema: https://cyclonedx.org/docs/1.7/json/#tab-pane_vulnerabilities_items_affects_items_versions_items_oneOf_i0
- version: str | None
A single version of a component or service.
- range: str | None
A version range specified in Package URL Version Range syntax (vers).
- status: cyclonedx.model.impact_analysis.ImpactAnalysisAffectedStatus | None
The vulnerability status for the version or range of versions.
- class cyclonedx.model.vulnerability.BomTarget
Class that represents referencing a Component or Service in a BOM.
Note
See the CycloneDX schema: https://cyclonedx.org/docs/1.7/json/#vulnerabilities_items_affects
- ref: str
Reference to a component or service by the object's bom-ref.
- property versions: SortedSet[BomTargetVersionRange]
Zero or more individual versions or range of versions.
- class cyclonedx.model.vulnerability.VulnerabilityAnalysis
Class that models the analysis sub-element of the vulnerabilityType complex type.
Note
See the CycloneDX schema: https://cyclonedx.org/docs/1.7/json/#vulnerabilities_items_analysis
- state: cyclonedx.model.impact_analysis.ImpactAnalysisState | None
The declared current state of an occurrence of a vulnerability.
- justification: cyclonedx.model.impact_analysis.ImpactAnalysisJustification | None
The rationale of why the impact analysis state was asserted.
- detail: str | None
A detailed description of the impact.
- first_issued: datetime.datetime | None
The timestamp when the analysis was first issued.
- last_updated: datetime.datetime | None
The timestamp when the analysis was last updated.
- property responses: SortedSet[ImpactAnalysisResponse]
A list of responses to the vulnerability.
- class cyclonedx.model.vulnerability.VulnerabilityAdvisory
Class that models the advisoryType complex type.
Note
See the CycloneDX schema: https://cyclonedx.org/docs/1.7/json/#vulnerabilities_items_advisories
- url: cyclonedx.model.XsUri
The url of this advisory.
- title: str | None
The title of this advisory.
- class cyclonedx.model.vulnerability.VulnerabilitySource
Class that models the vulnerabilitySourceType complex type.
Note
See the CycloneDX schema: https://cyclonedx.org/docs/1.7/json/#vulnerabilities_items_source
- name: str | None
Name of this Source.
- url: cyclonedx.model.XsUri | None
The url of this Source.
- class cyclonedx.model.vulnerability.VulnerabilityReference
Class that models the nested reference within the vulnerabilityType complex type.
Note
See the CycloneDX schema: https://cyclonedx.org/docs/1.7/json/#vulnerabilities_items_references
- id: str
The identifier that uniquely identifies the vulnerability in the associated Source.
- source: VulnerabilitySource
The source that published the vulnerability.
- class cyclonedx.model.vulnerability.VulnerabilityScoreSource
Bases: str, enum.Enum
Enum object that defines the permissible source types for a Vulnerability's score.
Note
See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.7/xml/#type_scoreSourceType
- CVSS_V2 = 'CVSSv2'
- CVSS_V3 = 'CVSSv3'
- CVSS_V3_1 = 'CVSSv31'
- CVSS_V4 = 'CVSSv4'
- OWASP = 'OWASP'
- SSVC = 'SSVC'
- OTHER = 'other'
- static get_from_vector(vector: str) -> VulnerabilityScoreSource
Attempt to derive the correct score source from the scheme prefix of a vector string.
- get_localised_vector(vector: str) -> str
Removes the source scheme prefix, if any, from the supplied vector and returns the bare vector.
- get_value_pre_1_4() -> str
Returns the value used before CycloneDX 1.4, since some of the enum values changed in that release of the spec.
- cyclonedx.model.vulnerability.VULNERABILITY_SCORE_SOURCE_VERSIONS: dict[VulnerabilityScoreSource, set[cyclonedx.schema.SchemaVersion]]
- class cyclonedx.model.vulnerability.VulnerabilitySeverity
Bases: str, enum.Enum
Class that defines the permissible severities for a Vulnerability.
Note
See the CycloneDX schema: https://cyclonedx.org/docs/1.7/xml/#type_severityType
- NONE = 'none'
- INFO = 'info'
- LOW = 'low'
- MEDIUM = 'medium'
- HIGH = 'high'
- CRITICAL = 'critical'
- UNKNOWN = 'unknown'
- static get_from_cvss_scores(scores: tuple[float, ...] | float | None) -> VulnerabilitySeverity
Deprecated: alias of cyclonedx.contrib.vulnerability.cvss.vs_from_cvss_scores().
- class cyclonedx.model.vulnerability.VulnerabilityRating
Class that models the ratingType complex element in the CycloneDX core schema.
Note
See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.7/xml/#type_ratingType
- source: VulnerabilitySource | None
The source that published the vulnerability.
- score: decimal.Decimal | None
The numerical score of the rating.
- severity: VulnerabilitySeverity | None
The textual representation of the severity.
- method: VulnerabilityScoreSource | None
The risk scoring methodology/standard used.
- vector: str | None
The textual representation of the metric values used to score the vulnerability.
- justification: str | None
An optional reason for rating the vulnerability as it was.
- class cyclonedx.model.vulnerability.VulnerabilityCredits
Class that models the credits of the vulnerabilityType complex type in the CycloneDX schema.
Note
See the CycloneDX schema: https://cyclonedx.org/docs/1.7/json/#vulnerabilities_items_credits
- property organizations: SortedSet[OrganizationalEntity]
The organizations credited with vulnerability discovery.
- property individuals: SortedSet[OrganizationalContact]
The individuals credited with vulnerability discovery.
- class cyclonedx.model.vulnerability.Vulnerability
Class that models the vulnerabilityType complex type in the CycloneDX schema (version >= 1.4).
Note
See the CycloneDX schema: https://cyclonedx.org/docs/1.7/xml/#type_vulnerabilityType
- id: str | None
The identifier that uniquely identifies the vulnerability.
- source: VulnerabilitySource | None
The source that published the vulnerability.
- description: str | None
A description of the vulnerability as provided by the source.
- detail: str | None
If available, an in-depth description of the vulnerability.
- recommendation: str | None
Recommendations of how the vulnerability can be remediated or mitigated.
- workaround: str | None
A bypass, usually temporary, of the vulnerability.
- created: datetime.datetime | None
The date and time when the vulnerability record was created.
- published: datetime.datetime | None
The date and time when the vulnerability record was first published.
- updated: datetime.datetime | None
The date and time when the vulnerability record was last updated.
- credits: VulnerabilityCredits | None
Individuals or organizations credited with the discovery of the vulnerability.
- analysis: VulnerabilityAnalysis | None
Analysis of the Vulnerability in your context.
- property bom_ref: cyclonedx.model.bom_ref.BomRef
Get the unique reference for this Vulnerability in this BOM.
- property references: SortedSet[VulnerabilityReference]
References to equivalent vulnerabilities in other sources.
- property ratings: SortedSet[VulnerabilityRating]
List of vulnerability ratings.
- property cwes: SortedSet[int]
A list of CWE (Common Weakness Enumeration) identifiers.
- property advisories: SortedSet[VulnerabilityAdvisory]
Advisories relating to the Vulnerability.
- property tools: cyclonedx.model.tool.ToolRepository
Tools used to create this BOM.