cyclonedx.model.vulnerability

Module Contents

Classes

BomTargetVersionRange

Class that represents either a version or version range and its affected status.

BomTarget

Class that represents referencing a Component or Service in a BOM.

VulnerabilityAnalysis

Class that models the analysis sub-element of the vulnerabilityType complex type.

VulnerabilityAdvisory

Class that models the advisoryType complex type.

VulnerabilitySource

Class that models the vulnerabilitySourceType complex type.

VulnerabilityReference

Class that models the nested reference within the vulnerabilityType complex type.

VulnerabilityScoreSource

Enum object that defines the permissible source types for a Vulnerability's score.

VulnerabilitySeverity

Class that defines the permissible severities for a Vulnerability.

VulnerabilityRating

Class that models the ratingType complex element CycloneDX core schema.

VulnerabilityCredits

Class that models the credits of vulnerabilityType complex type in the CycloneDX schema (version >= 1.4).

Vulnerability

Class that models the vulnerabilityType complex type in the CycloneDX schema (version >= 1.4).

class cyclonedx.model.vulnerability.BomTargetVersionRange(*, version: str | None = None, range: str | None = None, status: cyclonedx.model.impact_analysis.ImpactAnalysisAffectedStatus | None = None)[source]

Class that represents either a version or version range and its affected status.

version and range are mutually exclusive: a single BomTargetVersionRange carries either an exact version or a version range, not both.

property version: str | None[source]

A single version of a component or service.

property range: str | None[source]

A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst

Note

The VERSION-RANGE-SPEC from Package URL is not a formalised standard at the time of writing, so no validation of conformance with this draft standard is performed; the range string is stored as given.

property status: cyclonedx.model.impact_analysis.ImpactAnalysisAffectedStatus | None[source]

The vulnerability status for the version or range of versions.

__eq__(other: object) bool[source]

Return self==value.

__lt__(other: Any) bool[source]

Return self<value.

__hash__() int[source]

Return hash(self).

__repr__() str[source]

Return repr(self).

class cyclonedx.model.vulnerability.BomTarget(*, ref: str, versions: Iterable[BomTargetVersionRange] | None = None)[source]

Class that represents referencing a Component or Service in a BOM.

Aims to represent the sub-element target of the complex type vulnerabilityType.

You can either create a cyclonedx.model.bom.Bom yourself programmatically, or generate a cyclonedx.model.bom.Bom from a cyclonedx.parser.BaseParser implementation.

property ref: str[source]

Reference to a component or service by the object's bom-ref.

property versions: SortedSet[BomTargetVersionRange][source]

Zero or more individual versions or range of versions.

Returns:

Set of BomTargetVersionRange

__eq__(other: object) bool[source]

Return self==value.

__lt__(other: Any) bool[source]

Return self<value.

__hash__() int[source]

Return hash(self).

__repr__() str[source]

Return repr(self).

class cyclonedx.model.vulnerability.VulnerabilityAnalysis(*, state: cyclonedx.model.impact_analysis.ImpactAnalysisState | None = None, justification: cyclonedx.model.impact_analysis.ImpactAnalysisJustification | None = None, responses: Iterable[cyclonedx.model.impact_analysis.ImpactAnalysisResponse] | None = None, detail: str | None = None)[source]

Class that models the analysis sub-element of the vulnerabilityType complex type.

property state: cyclonedx.model.impact_analysis.ImpactAnalysisState | None[source]

The declared current state of an occurrence of a vulnerability, after automated or manual analysis.

Returns:

ImpactAnalysisState if set else None

property justification: cyclonedx.model.impact_analysis.ImpactAnalysisJustification | None[source]

The rationale of why the impact analysis state was asserted.

Returns:

ImpactAnalysisJustification if set else None

property responses: SortedSet[ImpactAnalysisResponse][source]

A list of responses to the vulnerability by the manufacturer, supplier, or project responsible for the affected component or service. More than one response is allowed. Responses are strongly encouraged for vulnerabilities where the analysis state is exploitable.

Returns:

Set of ImpactAnalysisResponse

property detail: str | None[source]

A detailed description of the impact including methods used during assessment. If a vulnerability is not exploitable, this field should include specific details on why the component or service is not impacted by this vulnerability.

Returns:

str if set else None

__eq__(other: object) bool[source]

Return self==value.

__hash__() int[source]

Return hash(self).

__repr__() str[source]

Return repr(self).

class cyclonedx.model.vulnerability.VulnerabilityAdvisory(*, url: cyclonedx.model.XsUri, title: str | None = None)[source]

Class that models the advisoryType complex type.

Note

See the CycloneDX schema: https://cyclonedx.org/docs/1.4/#type_advisoryType

property title: str | None[source]

The title of this advisory.

property url: cyclonedx.model.XsUri[source]

The url of this advisory.

__eq__(other: object) bool[source]

Return self==value.

__lt__(other: Any) bool[source]

Return self<value.

__hash__() int[source]

Return hash(self).

__repr__() str[source]

Return repr(self).

class cyclonedx.model.vulnerability.VulnerabilitySource(*, name: str | None = None, url: cyclonedx.model.XsUri | None = None)[source]

Class that models the vulnerabilitySourceType complex type.

This type is used for multiple purposes in the CycloneDX schema.

property name: str | None[source]

Name of this Source.

property url: cyclonedx.model.XsUri | None[source]

The url of this Source.

__eq__(other: object) bool[source]

Return self==value.

__lt__(other: Any) bool[source]

Return self<value.

__hash__() int[source]

Return hash(self).

__repr__() str[source]

Return repr(self).

class cyclonedx.model.vulnerability.VulnerabilityReference(*, id: str | None = None, source: VulnerabilitySource | None = None)[source]

Class that models the nested reference within the vulnerabilityType complex type.

Vulnerabilities may benefit from pointers to vulnerabilities that are the equivalent of the vulnerability specified. Often the same vulnerability exists in multiple sources of vulnerability intelligence under different identifiers. These references provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.

property id: str | None[source]

The identifier that uniquely identifies the vulnerability in the associated Source. For example: CVE-2021-39182.

property source: VulnerabilitySource | None[source]

The source that published the vulnerability.

__eq__(other: object) bool[source]

Return self==value.

__lt__(other: Any) bool[source]

Return self<value.

__hash__() int[source]

Return hash(self).

__repr__() str[source]

Return repr(self).

class cyclonedx.model.vulnerability.VulnerabilityScoreSource[source]

Bases: str, enum.Enum

Enum object that defines the permissible source types for a Vulnerability’s score.

Note

See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.4/#type_scoreSourceType

CVSS_V2 = 'CVSSv2'[source]
CVSS_V3 = 'CVSSv3'[source]
CVSS_V3_1 = 'CVSSv31'[source]
OWASP = 'OWASP'[source]
OPEN_FAIR = 'Open FAIR'[source]
OTHER = 'other'[source]
static get_from_vector(vector: str) VulnerabilityScoreSource[source]

Attempt to derive the correct SourceType from an attack vector.

For example, attack vector strings are often prefixed with the scheme in question, such that CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N would be the vector AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N under the CVSS 3 scheme.

Returns:

Always returns an instance of VulnerabilityScoreSource. VulnerabilityScoreSource.OTHER is returned if the scheme is not obvious or known to us.

get_localised_vector(vector: str) str[source]

This method will remove any Source Scheme type from the supplied vector, returning just the vector.

Note

Currently supports CVSS 3.x, CVSS 2.x and OWASP schemes.

Returns:

The vector without any scheme prefix as a str.

get_value_pre_1_4() str[source]

Some of the enum values changed in version 1.4 of the CycloneDX spec. This method returns the pre-1.4 value so that the change can be backported when serialising to schema versions earlier than 1.4.

Returns:

str

class cyclonedx.model.vulnerability.VulnerabilitySeverity[source]

Bases: str, enum.Enum

Class that defines the permissible severities for a Vulnerability.

Note

See the CycloneDX schema: https://cyclonedx.org/docs/1.4/#type_severityType

NONE = 'none'[source]
INFO = 'info'[source]
LOW = 'low'[source]
MEDIUM = 'medium'[source]
HIGH = 'high'[source]
CRITICAL = 'critical'[source]
UNKNOWN = 'unknown'[source]
static get_from_cvss_scores(scores: Tuple[float] | float | None) VulnerabilitySeverity[source]

Derives the Severity of a Vulnerability from its declared CVSS scores.

Args:

scores: A single CVSS score or a tuple of them. The CVSS scoring system allows for up to three separate scores (base, temporal and environmental); the highest score supplied determines the severity.

Returns:

Always returns an instance of VulnerabilitySeverity.
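The following is an added example written for this page, not code from cyclonedx-python-lib. It re-implements, in plain Python, the two heuristics described above for VulnerabilityScoreSource.get_from_vector / get_localised_vector and VulnerabilitySeverity.get_from_cvss_scores, and goes one step further than the library's docstrings: before trusting a rating it validates the eight CVSS v3.x base metrics and recomputes the base score from the vector, so a rating whose score disagrees with its vector can be caught. All function names are this example's own; the scheme prefixes, metric weights, Roundup function and qualitative bands are those of the CVSS v3.1 specification.

```python
import math
from typing import Dict, Optional, Tuple, Union

# Scheme prefixes as they appear at the front of vector strings, mapped to the
# method names the CycloneDX 1.4 schema uses ('CVSSv2', 'CVSSv3', 'CVSSv31', 'OWASP').
_SCHEMES: Tuple[Tuple[str, str], ...] = (
    ('CVSS:3.1/', 'CVSSv31'),
    ('CVSS:3.0/', 'CVSSv3'),
    ('CVSS:2.0/', 'CVSSv2'),
    ('OWASP/', 'OWASP'),
)

# CVSS v3.x base metric weights (PR weights for changed scope are applied below).
_AV = {'N': 0.85, 'A': 0.62, 'L': 0.55, 'P': 0.2}
_AC = {'L': 0.77, 'H': 0.44}
_PR_UNCHANGED = {'N': 0.85, 'L': 0.62, 'H': 0.27}
_PR_CHANGED = {'N': 0.85, 'L': 0.68, 'H': 0.5}
_UI = {'N': 0.85, 'R': 0.62}
_CIA = {'H': 0.56, 'L': 0.22, 'N': 0.0}
_V3_BASE_VALUES = {'AV': _AV, 'AC': _AC, 'PR': _PR_UNCHANGED, 'UI': _UI,
                   'S': {'U': None, 'C': None}, 'C': _CIA, 'I': _CIA, 'A': _CIA}


def method_from_vector(vector: str) -> str:
    """Derive the scoring method from a vector's scheme prefix; 'other' if unknown."""
    for prefix, method in _SCHEMES:
        if vector.startswith(prefix):
            return method
    return 'other'


def localise_vector(vector: str) -> str:
    """Strip a known scheme prefix; vectors with an unknown scheme are returned untouched."""
    for prefix, _ in _SCHEMES:
        if vector.startswith(prefix):
            return vector[len(prefix):]
    return vector


def severity_from_scores(scores: Union[Tuple[float, ...], float, None]) -> str:
    """CVSS v3.x qualitative rating of the highest score supplied (base/temporal/environmental)."""
    if scores is None:
        return 'unknown'
    if isinstance(scores, (int, float)):
        scores = (float(scores),)
    if not scores:
        return 'unknown'
    top = max(scores)
    if top >= 9.0:
        return 'critical'
    if top >= 7.0:
        return 'high'
    if top >= 4.0:
        return 'medium'
    if top > 0.0:
        return 'low'
    return 'none'


def parse_v3_base(vector: str) -> Dict[str, str]:
    """Return the eight CVSS v3.x base metrics; raise ValueError if any is missing, duplicated or invalid.
    Temporal and environmental metrics (E, RL, RC, MAV, ...) are accepted and ignored."""
    metrics: Dict[str, str] = {}
    for part in localise_vector(vector).split('/'):
        if ':' not in part:
            raise ValueError(f'malformed metric {part!r}')
        key, value = part.split(':', 1)
        if key in _V3_BASE_VALUES:
            if value not in _V3_BASE_VALUES[key]:
                raise ValueError(f'invalid value {value!r} for metric {key}')
            if key in metrics:
                raise ValueError(f'duplicate metric {key}')
            metrics[key] = value
    missing = set(_V3_BASE_VALUES) - set(metrics)
    if missing:
        raise ValueError(f'missing base metrics: {sorted(missing)}')
    return metrics


def is_valid_v3_vector(vector: str) -> bool:
    try:
        parse_v3_base(vector)
        return True
    except ValueError:
        return False


def _roundup(value: float) -> float:
    """CVSS v3.1 Roundup: round up to one decimal using integer arithmetic to avoid float drift."""
    scaled = round(value * 100000)
    if scaled % 10000 == 0:
        return scaled / 100000.0
    return (math.floor(scaled / 10000) + 1) / 10.0


def cvss3_base_score(vector: str) -> float:
    """Recompute the CVSS v3.x base score from the vector (v3.1 formula; v3.0 differs only in rounding)."""
    m = parse_v3_base(vector)
    changed = m['S'] == 'C'
    pr = (_PR_CHANGED if changed else _PR_UNCHANGED)[m['PR']]
    iss = 1.0 - (1.0 - _CIA[m['C']]) * (1.0 - _CIA[m['I']]) * (1.0 - _CIA[m['A']])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    exploitability = 8.22 * _AV[m['AV']] * _AC[m['AC']] * pr * _UI[m['UI']]
    if impact <= 0:
        return 0.0
    total = 1.08 * (impact + exploitability) if changed else impact + exploitability
    return _roundup(min(total, 10.0))


def rating_from_vector(vector: str) -> Dict[str, Optional[object]]:
    """Method, localised vector, recomputed score and severity; score is None for non-v3 schemes."""
    method = method_from_vector(vector)
    score = cvss3_base_score(vector) if method in ('CVSSv3', 'CVSSv31') else None
    return {'method': method, 'vector': localise_vector(vector),
            'score': score, 'severity': severity_from_scores(score)}
```

Two caveats a consumer should keep in mind: the severity bands are the CVSS v3.x ones (v2 has no "critical" and tops out at "high"), and an advisory that publishes a score which does not match its own vector is a data-quality problem worth flagging rather than silently accepting.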

class cyclonedx.model.vulnerability.VulnerabilityRating(*, source: VulnerabilitySource | None = None, score: decimal.Decimal | None = None, severity: VulnerabilitySeverity | None = None, method: VulnerabilityScoreSource | None = None, vector: str | None = None, justification: str | None = None, score_base: float | None = None)[source]

Class that models the ratingType complex element of the CycloneDX core schema.

This class previously modelled the scoreType complex type in the schema extension used prior to schema version 1.4 - see https://github.com/CycloneDX/specification/blob/master/schema/ext/vulnerability-1.0.xsd.

Warning

As part of implementing support for CycloneDX schema version 1.4, the three score types defined in the schema extension used prior to 1.4 have been deprecated. The deprecated score_base is loosely equivalent to the new score in the 1.4 schema. Both score_impact and score_exploitability are deprecated and removed as they are redundant if you have the vector (the vector allows you to calculate the scores).

property source: VulnerabilitySource | None[source]

The source that published the vulnerability.

property score: decimal.Decimal | None[source]

The numerical score of the rating.

property severity: VulnerabilitySeverity | None[source]

The textual representation of the severity that corresponds to the numerical score of the rating.

property method: VulnerabilityScoreSource | None[source]

The risk scoring methodology/standard used.

property vector: str | None[source]

The textual representation of the metric values used to score the vulnerability - also known as the vector.

property justification: str | None[source]

An optional reason for rating the vulnerability as it was.

__eq__(other: object) bool[source]

Return self==value.

__lt__(other: Any) bool[source]

Return self<value.

__hash__() int[source]

Return hash(self).

__repr__() str[source]

Return repr(self).

class cyclonedx.model.vulnerability.VulnerabilityCredits(*, organizations: Iterable[cyclonedx.model.OrganizationalEntity] | None = None, individuals: Iterable[cyclonedx.model.OrganizationalContact] | None = None)[source]

Class that models the credits of vulnerabilityType complex type in the CycloneDX schema (version >= 1.4).

This class also provides data support for schema versions < 1.4 where Vulnerabilities were possible through a schema extension (in XML only).

property organizations: SortedSet[OrganizationalEntity][source]

The organizations credited with vulnerability discovery.

Returns:

Set of OrganizationalEntity

property individuals: SortedSet[OrganizationalContact][source]

The individuals, not associated with organizations, that are credited with vulnerability discovery.

Returns:

Set of OrganizationalContact

__eq__(other: object) bool[source]

Return self==value.

__lt__(other: Any) bool[source]

Return self<value.

__hash__() int[source]

Return hash(self).

__repr__() str[source]

Return repr(self).

class cyclonedx.model.vulnerability.Vulnerability(*, bom_ref: str | cyclonedx.model.bom_ref.BomRef | None = None, id: str | None = None, source: VulnerabilitySource | None = None, references: Iterable[VulnerabilityReference] | None = None, ratings: Iterable[VulnerabilityRating] | None = None, cwes: Iterable[int] | None = None, description: str | None = None, detail: str | None = None, recommendation: str | None = None, advisories: Iterable[VulnerabilityAdvisory] | None = None, created: datetime.datetime | None = None, published: datetime.datetime | None = None, updated: datetime.datetime | None = None, credits: VulnerabilityCredits | None = None, tools: Iterable[cyclonedx.model.Tool] | None = None, analysis: VulnerabilityAnalysis | None = None, affects: Iterable[BomTarget] | None = None, properties: Iterable[cyclonedx.model.Property] | None = None, source_name: str | None = None, source_url: str | None = None, recommendations: Iterable[str] | None = None)[source]

Class that models the vulnerabilityType complex type in the CycloneDX schema (version >= 1.4).

This class also provides data support for schema versions < 1.4 where Vulnerabilities were possible through a schema extension (in XML only).

property bom_ref: cyclonedx.model.bom_ref.BomRef[source]

Get the unique reference for this Vulnerability in this BOM.

If a value was not provided in the constructor, a UUIDv4 will have been assigned.

Returns:

BomRef

property id: str | None[source]

The identifier that uniquely identifies the vulnerability. For example: CVE-2021-39182.

Returns:

str if set else None

property source: VulnerabilitySource | None[source]

The source that published the vulnerability.

Returns:

VulnerabilitySource if set else None

property references: SortedSet[VulnerabilityReference][source]

Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Often the same vulnerability exists in multiple sources of vulnerability intelligence under different identifiers. References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.

Returns:

Set of VulnerabilityReference

property ratings: SortedSet[VulnerabilityRating][source]

List of vulnerability ratings.

Returns:

Set of VulnerabilityRating

property cwes: SortedSet[int][source]

A list of CWE (Common Weakness Enumeration) identifiers.

Returns:

Set of int

property description: str | None[source]

A description of the vulnerability as provided by the source.

Returns:

str if set else None

property detail: str | None[source]

If available, an in-depth description of the vulnerability as provided by the source organization. Details often include examples, proof-of-concepts, and other information useful in understanding root cause.

Returns:

str if set else None

property recommendation: str | None[source]

Recommendations of how the vulnerability can be remediated or mitigated.

Returns:

str if set else None

property advisories: SortedSet[VulnerabilityAdvisory][source]

Advisories relating to the Vulnerability.

Returns:

Set of VulnerabilityAdvisory

property created: datetime.datetime | None[source]

The date and time (timestamp) when the vulnerability record was created in the vulnerability database.

Returns:

datetime if set else None

property published: datetime.datetime | None[source]

The date and time (timestamp) when the vulnerability record was first published.

Returns:

datetime if set else None

property updated: datetime.datetime | None[source]

The date and time (timestamp) when the vulnerability record was last updated.

Returns:

datetime if set else None

property credits: VulnerabilityCredits | None[source]

Individuals or organizations credited with the discovery of the vulnerability.

Returns:

VulnerabilityCredits if set else None

property tools: SortedSet[Tool][source]

The tool(s) used to identify, confirm, or score the vulnerability.

Returns:

Set of Tool

property analysis: VulnerabilityAnalysis | None[source]

Analysis of the Vulnerability in your context.

Returns:

VulnerabilityAnalysis if set else None

property affects: SortedSet[BomTarget][source]

The components or services that are affected by the vulnerability.

Returns:

Set of BomTarget

property properties: SortedSet[Property][source]

Provides the ability to document properties in a key/value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions.

Returns:

Set of Property

__eq__(other: object) bool[source]

Return self==value.

__lt__(other: Any) bool[source]

Return self<value.

__hash__() int[source]

Return hash(self).

__repr__() str[source]

Return repr(self).