cyclonedx.model.vulnerability
This set of classes represents the data that is possible about known Vulnerabilities.
Prior to CycloneDX schema version 1.4, vulnerabilities were possible in XML versions ONLY of the standard through a schema extension: https://cyclonedx.org/ext/vulnerability.
Since CycloneDX schema version 1.4, this has become part of the core schema.
Note
See the CycloneDX Schema extension definition https://cyclonedx.org/docs/1.4/#type_vulnerabilitiesType
Module Contents
Classes
- BomTargetVersionRange: Class that represents either a version or version range and its affected status.
- BomTarget: Class that represents referencing a Component or Service in a BOM.
- VulnerabilityAnalysis: Class that models the analysis sub-element of the vulnerabilityType complex type.
- VulnerabilityAdvisory: Class that models the advisoryType complex type.
- VulnerabilitySource: Class that models the vulnerabilitySourceType complex type.
- VulnerabilityReference: Class that models the nested reference within the vulnerabilityType complex type.
- VulnerabilityScoreSource: Enum object that defines the permissible source types for a Vulnerability's score.
- VulnerabilitySeverity: Class that defines the permissible severities for a Vulnerability.
- VulnerabilityRating: Class that models the ratingType complex element in the CycloneDX core schema.
- VulnerabilityCredits: Class that models the credits of the vulnerabilityType complex type in the CycloneDX schema (version >= 1.4).
- Vulnerability: Class that models the vulnerabilityType complex type in the CycloneDX schema (version >= 1.4).
- class cyclonedx.model.vulnerability.BomTargetVersionRange(*, version: str | None = None, range: str | None = None, status: cyclonedx.model.impact_analysis.ImpactAnalysisAffectedStatus | None = None)
Class that represents either a version or version range and its affected status.
version and version_range are mutually exclusive.
Note
See the CycloneDX schema: https://cyclonedx.org/docs/1.4/#type_vulnerabilityType
- property version: str | None
A single version of a component or service.
- property range: str | None
A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst
Note
The VERSION-RANGE-SPEC from Package URL is not a formalised standard at the time of writing, and thus no validation of conformance with this draft standard is performed.
- property status: cyclonedx.model.impact_analysis.ImpactAnalysisAffectedStatus | None
The vulnerability status for the version or range of versions.
- class cyclonedx.model.vulnerability.BomTarget(*, ref: str, versions: Iterable[BomTargetVersionRange] | None = None)
Class that represents referencing a Component or Service in a BOM.
Aims to represent the sub-element target of the complex type vulnerabilityType.
You can either create a cyclonedx.model.bom.Bom yourself programmatically, or generate a cyclonedx.model.bom.Bom from a cyclonedx.parser.BaseParser implementation.
Note
See the CycloneDX schema: https://cyclonedx.org/docs/1.4/#type_vulnerabilityType
- property ref: str
Reference to a component or service by the object's bom-ref.
- property versions: SortedSet[BomTargetVersionRange]
Zero or more individual versions or range of versions.
- Returns:
Set of BomTargetVersionRange
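An added example, not code from cyclonedx-python-lib: a consistency check over a plain CycloneDX 1.4 JSON document that enforces what the two classes above describe, namely that every affects target's ref resolves to a bom-ref declared in the BOM, that each version entry sets exactly one of version / range, and that status is a permitted affected-status value. It assumes the 1.4 JSON key names (bom-ref, vulnerabilities, affects, ref, versions, version, range, status) and the affected-status values affected, unaffected and unknown; the sample BOM is constructed for the example.

```python
from typing import Any, Dict, List, Set

# Permissible affected-status values in the CycloneDX 1.4 schema
# (the page refers to the enum ImpactAnalysisAffectedStatus by name only).
AFFECTED_STATUSES = {'affected', 'unaffected', 'unknown'}


def collect_bom_refs(bom: Dict[str, Any]) -> Set[str]:
    """Gather every bom-ref declared by the metadata component, components
    (including nested ones) and services of a BOM."""
    refs: Set[str] = set()

    def walk(items):
        for item in items or []:
            ref = item.get('bom-ref')
            if ref:
                refs.add(ref)
            walk(item.get('components'))  # components may nest components
            walk(item.get('services'))    # services may nest services

    walk(bom.get('components'))
    walk(bom.get('services'))
    meta = (bom.get('metadata') or {}).get('component')
    if meta and meta.get('bom-ref'):
        refs.add(meta['bom-ref'])
    return refs


def check_affects(bom: Dict[str, Any]) -> List[str]:
    """Return one finding per problem found in the affects targets of each
    vulnerability; an empty list means the targets are consistent."""
    known = collect_bom_refs(bom)
    findings: List[str] = []
    for vuln in bom.get('vulnerabilities') or []:
        vid = vuln.get('id', '<no id>')
        affects = vuln.get('affects') or []
        if not affects:
            findings.append(f'{vid}: no affects target, nothing in this BOM is marked as impacted')
        for target in affects:
            ref = target.get('ref')
            if not ref:
                findings.append(f'{vid}: affects entry without a ref')
            elif ref not in known:
                # A dangling ref silently decouples the finding from any component.
                findings.append(f'{vid}: ref {ref!r} does not resolve to any bom-ref in this BOM')
            for entry in target.get('versions') or []:
                has_version = bool(entry.get('version'))
                has_range = bool(entry.get('range'))
                if has_version == has_range:  # both set, or neither set
                    findings.append(
                        f'{vid}: version entry for {ref!r} must have exactly one of version/range')
                status = entry.get('status')
                if status is not None and status not in AFFECTED_STATUSES:
                    findings.append(f'{vid}: status {status!r} for {ref!r} is not a permitted value')
    return findings


# Constructed sample BOM: one well-formed target, one dangling ref, and one
# version entry that sets both version and range. Identifiers are placeholders.
SAMPLE_BOM: Dict[str, Any] = {
    'bomFormat': 'CycloneDX',
    'specVersion': '1.4',
    'components': [
        {'type': 'library', 'name': 'example-lib', 'version': '1.1.0',
         'bom-ref': 'pkg:npm/example-lib@1.1.0'},
    ],
    'vulnerabilities': [
        {
            'id': 'EXAMPLE-0001',  # placeholder, not a real advisory identifier
            'affects': [
                {'ref': 'pkg:npm/example-lib@1.1.0',
                 'versions': [{'range': 'vers:npm/>=1.0.0|<1.2.0', 'status': 'affected'}]},
                {'ref': 'pkg:npm/missing-lib@0.1.0',
                 'versions': [{'version': '0.1.0', 'range': 'vers:npm/<0.2.0',
                               'status': 'affected'}]},
            ],
        },
    ],
}

if __name__ == '__main__':
    for finding in check_affects(SAMPLE_BOM):
        print(finding)
```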
- class cyclonedx.model.vulnerability.VulnerabilityAnalysis(*, state: cyclonedx.model.impact_analysis.ImpactAnalysisState | None = None, justification: cyclonedx.model.impact_analysis.ImpactAnalysisJustification | None = None, responses: Iterable[cyclonedx.model.impact_analysis.ImpactAnalysisResponse] | None = None, detail: str | None = None)
Class that models the analysis sub-element of the vulnerabilityType complex type.
Note
See the CycloneDX schema: https://cyclonedx.org/docs/1.4/#type_vulnerabilityType
- property state: cyclonedx.model.impact_analysis.ImpactAnalysisState | None
The declared current state of an occurrence of a vulnerability, after automated or manual analysis.
- Returns:
ImpactAnalysisState if set else None
- property justification: cyclonedx.model.impact_analysis.ImpactAnalysisJustification | None
The rationale of why the impact analysis state was asserted.
- Returns:
ImpactAnalysisJustification if set else None
- property responses: SortedSet[ImpactAnalysisResponse]
A list of responses to the vulnerability by the manufacturer, supplier, or project responsible for the affected component or service. More than one response is allowed. Responses are strongly encouraged for vulnerabilities where the analysis state is exploitable.
- Returns:
Set of ImpactAnalysisResponse
- property detail: str | None
A detailed description of the impact including methods used during assessment. If a vulnerability is not exploitable, this field should include specific details on why the component or service is not impacted by this vulnerability.
- Returns:
str if set else None
- class cyclonedx.model.vulnerability.VulnerabilityAdvisory(*, url: cyclonedx.model.XsUri, title: str | None = None)
Class that models the advisoryType complex type.
Note
See the CycloneDX schema: https://cyclonedx.org/docs/1.4/#type_advisoryType
- property title: str | None
The title of this advisory.
- property url: cyclonedx.model.XsUri
The url of this advisory.
- class cyclonedx.model.vulnerability.VulnerabilitySource(*, name: str | None = None, url: cyclonedx.model.XsUri | None = None)
Class that models the vulnerabilitySourceType complex type.
This type is used for multiple purposes in the CycloneDX schema.
Note
See the CycloneDX schema: https://cyclonedx.org/docs/1.4/#type_vulnerabilitySourceType
- property name: str | None
Name of this Source.
- property url: cyclonedx.model.XsUri | None
The url of this Source.
- class cyclonedx.model.vulnerability.VulnerabilityReference(*, id: str | None = None, source: VulnerabilitySource | None = None)
Class that models the nested reference within the vulnerabilityType complex type.
Vulnerabilities may benefit from pointers to vulnerabilities that are the equivalent of the vulnerability specified. Often times, the same vulnerability may exist in multiple sources of vulnerability intelligence, but have different identifiers. These references provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.
Note
See the CycloneDX schema: https://cyclonedx.org/docs/1.4/#type_vulnerabilityType
- property id: str | None
The identifier that uniquely identifies the vulnerability in the associated Source. For example: CVE-2021-39182.
- property source: VulnerabilitySource | None
The source that published the vulnerability.
- class cyclonedx.model.vulnerability.VulnerabilityScoreSource
Bases: str, enum.Enum
Enum object that defines the permissible source types for a Vulnerability's score.
Note
See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.4/#type_scoreSourceType
Note
- No explicit carry-over from the former schema extension:
https://github.com/CycloneDX/specification/blob/master/schema/ext/vulnerability-1.0.xsd
- CVSS_V2 = 'CVSSv2'
- CVSS_V3 = 'CVSSv3'
- CVSS_V3_1 = 'CVSSv31'
- CVSS_V4 = 'CVSSv4'
- OWASP = 'OWASP'
- SSVC = 'SSVC'
- OTHER = 'other'
- static get_from_vector(vector: str) -> VulnerabilityScoreSource
Attempt to derive the correct SourceType from an attack vector.
For example, often attack vector strings are prefixed with the scheme in question - such that __CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N__ would be the vector __AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N__ under the __CVSS 3__ scheme.
- Returns:
Always returns an instance of VulnerabilityScoreSource. VulnerabilityScoreSource.OTHER is returned if the scheme is not obvious or known to us.
- get_localised_vector(vector: str) -> str
This method will remove any Source Scheme type from the supplied vector, returning just the vector.
Note
Currently supports CVSS 3.x, CVSS 2.x and OWASP schemes.
- Returns:
The vector without any scheme prefix as a str.
- get_value_pre_1_4() -> str
Some of the enum values changed in version 1.4 of the CycloneDX spec. This method allows us to backport some of the changes for pre-1.4 output.
- Returns:
str
- capitalize()
Return a capitalized version of the string.
More specifically, make the first character have upper case and the rest lower case.
- casefold()
Return a version of the string suitable for caseless comparisons.
- center()
Return a centered string of length width.
Padding is done using the specified fill character (default is a space).
- count()
S.count(sub[, start[, end]]) -> int
Return the number of non-overlapping occurrences of substring sub in string S[start:end]. Optional arguments start and end are interpreted as in slice notation.
- encode()
Encode the string using the codec registered for encoding.
- encoding
The encoding in which to encode the string.
- errors
The error handling scheme to use for encoding errors. The default is ‘strict’ meaning that encoding errors raise a UnicodeEncodeError. Other possible values are ‘ignore’, ‘replace’ and ‘xmlcharrefreplace’ as well as any other name registered with codecs.register_error that can handle UnicodeEncodeErrors.
- endswith()
S.endswith(suffix[, start[, end]]) -> bool
Return True if S ends with the specified suffix, False otherwise. With optional start, test S beginning at that position. With optional end, stop comparing S at that position. suffix can also be a tuple of strings to try.
- expandtabs()
Return a copy where all tab characters are expanded using spaces.
If tabsize is not given, a tab size of 8 characters is assumed.
- find()
S.find(sub[, start[, end]]) -> int
Return the lowest index in S where substring sub is found, such that sub is contained within S[start:end]. Optional arguments start and end are interpreted as in slice notation.
Return -1 on failure.
- format()
S.format(*args, **kwargs) -> str
Return a formatted version of S, using substitutions from args and kwargs. The substitutions are identified by braces (‘{’ and ‘}’).
- format_map()
S.format_map(mapping) -> str
Return a formatted version of S, using substitutions from mapping. The substitutions are identified by braces (‘{’ and ‘}’).
- index()
S.index(sub[, start[, end]]) -> int
Return the lowest index in S where substring sub is found, such that sub is contained within S[start:end]. Optional arguments start and end are interpreted as in slice notation.
Raises ValueError when the substring is not found.
- isalnum()
Return True if the string is an alpha-numeric string, False otherwise.
A string is alpha-numeric if all characters in the string are alpha-numeric and there is at least one character in the string.
- isalpha()
Return True if the string is an alphabetic string, False otherwise.
A string is alphabetic if all characters in the string are alphabetic and there is at least one character in the string.
- isascii()
Return True if all characters in the string are ASCII, False otherwise.
ASCII characters have code points in the range U+0000-U+007F. Empty string is ASCII too.
- isdecimal()
Return True if the string is a decimal string, False otherwise.
A string is a decimal string if all characters in the string are decimal and there is at least one character in the string.
- isdigit()
Return True if the string is a digit string, False otherwise.
A string is a digit string if all characters in the string are digits and there is at least one character in the string.
- isidentifier()
Return True if the string is a valid Python identifier, False otherwise.
Call keyword.iskeyword(s) to test whether string s is a reserved identifier, such as “def” or “class”.
- islower()
Return True if the string is a lowercase string, False otherwise.
A string is lowercase if all cased characters in the string are lowercase and there is at least one cased character in the string.
- isnumeric()
Return True if the string is a numeric string, False otherwise.
A string is numeric if all characters in the string are numeric and there is at least one character in the string.
- isprintable()
Return True if the string is printable, False otherwise.
A string is printable if all of its characters are considered printable in repr() or if it is empty.
- isspace()
Return True if the string is a whitespace string, False otherwise.
A string is whitespace if all characters in the string are whitespace and there is at least one character in the string.
- istitle()
Return True if the string is a title-cased string, False otherwise.
In a title-cased string, upper- and title-case characters may only follow uncased characters and lowercase characters only cased ones.
- isupper()
Return True if the string is an uppercase string, False otherwise.
A string is uppercase if all cased characters in the string are uppercase and there is at least one cased character in the string.
- join()
Concatenate any number of strings.
The string whose method is called is inserted in between each given string. The result is returned as a new string.
Example: ‘.’.join([‘ab’, ‘pq’, ‘rs’]) -> ‘ab.pq.rs’
- ljust()
Return a left-justified string of length width.
Padding is done using the specified fill character (default is a space).
- lower()
Return a copy of the string converted to lowercase.
- lstrip()
Return a copy of the string with leading whitespace removed.
If chars is given and not None, remove characters in chars instead.
- partition()
Partition the string into three parts using the given separator.
This will search for the separator in the string. If the separator is found, returns a 3-tuple containing the part before the separator, the separator itself, and the part after it.
If the separator is not found, returns a 3-tuple containing the original string and two empty strings.
- removeprefix()
Return a str with the given prefix string removed if present.
If the string starts with the prefix string, return string[len(prefix):]. Otherwise, return a copy of the original string.
- removesuffix()
Return a str with the given suffix string removed if present.
If the string ends with the suffix string and that suffix is not empty, return string[:-len(suffix)]. Otherwise, return a copy of the original string.
- replace()
Return a copy with all occurrences of substring old replaced by new.
- count
Maximum number of occurrences to replace. -1 (the default value) means replace all occurrences.
If the optional argument count is given, only the first count occurrences are replaced.
- rfind()
S.rfind(sub[, start[, end]]) -> int
Return the highest index in S where substring sub is found, such that sub is contained within S[start:end]. Optional arguments start and end are interpreted as in slice notation.
Return -1 on failure.
- rindex()
S.rindex(sub[, start[, end]]) -> int
Return the highest index in S where substring sub is found, such that sub is contained within S[start:end]. Optional arguments start and end are interpreted as in slice notation.
Raises ValueError when the substring is not found.
- rjust()
Return a right-justified string of length width.
Padding is done using the specified fill character (default is a space).
- rpartition()
Partition the string into three parts using the given separator.
This will search for the separator in the string, starting at the end. If the separator is found, returns a 3-tuple containing the part before the separator, the separator itself, and the part after it.
If the separator is not found, returns a 3-tuple containing two empty strings and the original string.
- rsplit()
Return a list of the substrings in the string, using sep as the separator string.
- sep
The separator used to split the string.
When set to None (the default value), will split on any whitespace character (including \n \r \t \f and spaces) and will discard empty strings from the result.
- maxsplit
Maximum number of splits (starting from the left). -1 (the default value) means no limit.
Splitting starts at the end of the string and works to the front.
- rstrip()
Return a copy of the string with trailing whitespace removed.
If chars is given and not None, remove characters in chars instead.
- split()
Return a list of the substrings in the string, using sep as the separator string.
- sep
The separator used to split the string.
When set to None (the default value), will split on any whitespace character (including \n \r \t \f and spaces) and will discard empty strings from the result.
- maxsplit
Maximum number of splits (starting from the left). -1 (the default value) means no limit.
Note, str.split() is mainly useful for data that has been intentionally delimited. With natural text that includes punctuation, consider using the regular expression module.
- splitlines()
Return a list of the lines in the string, breaking at line boundaries.
Line breaks are not included in the resulting list unless keepends is given and true.
- startswith()
S.startswith(prefix[, start[, end]]) -> bool
Return True if S starts with the specified prefix, False otherwise. With optional start, test S beginning at that position. With optional end, stop comparing S at that position. prefix can also be a tuple of strings to try.
- strip()
Return a copy of the string with leading and trailing whitespace removed.
If chars is given and not None, remove characters in chars instead.
- swapcase()
Convert uppercase characters to lowercase and lowercase characters to uppercase.
- title()
Return a version of the string where each word is titlecased.
More specifically, words start with uppercased characters and all remaining cased characters have lower case.
- translate()
Replace each character in the string using the given translation table.
- table
Translation table, which must be a mapping of Unicode ordinals to Unicode ordinals, strings, or None.
The table must implement lookup/indexing via __getitem__, for instance a dictionary or list. If this operation raises LookupError, the character is left untouched. Characters mapped to None are deleted.
- upper()
Return a copy of the string converted to uppercase.
- zfill()
Pad a numeric string with zeros on the left, to fill a field of the given width.
The string is never truncated.
- name()
The name of the Enum member.
- value()
The value of the Enum member.
- class cyclonedx.model.vulnerability.VulnerabilitySeverity
Bases: str, enum.Enum
Class that defines the permissible severities for a Vulnerability.
Note
See the CycloneDX schema: https://cyclonedx.org/docs/1.4/#type_severityType
- NONE = 'none'
- INFO = 'info'
- LOW = 'low'
- MEDIUM = 'medium'
- HIGH = 'high'
- CRITICAL = 'critical'
- UNKNOWN = 'unknown'
- static get_from_cvss_scores(scores: Tuple[float, ...] | float | None) -> VulnerabilitySeverity
Derives the Severity of a Vulnerability from its declared CVSS scores.
- Args:
scores: A tuple of CVSS scores. CVSS scoring system allows for up to three separate scores.
- Returns:
Always returns an instance of VulnerabilitySeverity.
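An added example, not the library's own implementation, of the three derivations the enums above describe: picking the score source from a vector's scheme prefix (get_from_vector), stripping that prefix (get_localised_vector) and bucketing CVSS scores into a severity (get_from_cvss_scores), combined into the (method, vector, severity) triple a VulnerabilityRating carries. The prefix table, the "Au:" versus "PR:" heuristic for unprefixed vectors and the use of the CVSS v3.x qualitative scale on the highest supplied score are this example's assumptions; the page does not state the library's exact rules.

```python
from decimal import Decimal
from enum import Enum
from typing import Iterable, Tuple, Union


class ScoreSource(str, Enum):
    """Constructed copy of the VulnerabilityScoreSource member values above."""
    CVSS_V2 = 'CVSSv2'
    CVSS_V3 = 'CVSSv3'
    CVSS_V3_1 = 'CVSSv31'
    CVSS_V4 = 'CVSSv4'
    OWASP = 'OWASP'
    OTHER = 'other'


class Severity(str, Enum):
    """Constructed copy of the VulnerabilitySeverity member values above."""
    NONE = 'none'
    LOW = 'low'
    MEDIUM = 'medium'
    HIGH = 'high'
    CRITICAL = 'critical'
    UNKNOWN = 'unknown'


# Explicit scheme prefixes (assumption of this example). Listed most specific
# first so "CVSS:3.1/" is not swallowed by a looser "CVSS:3." test.
_PREFIXES: Tuple[Tuple[str, ScoreSource], ...] = (
    ('CVSS:4.0/', ScoreSource.CVSS_V4),
    ('CVSS:3.1/', ScoreSource.CVSS_V3_1),
    ('CVSS:3.0/', ScoreSource.CVSS_V3),
    ('CVSS:2.0/', ScoreSource.CVSS_V2),
    ('OWASP/', ScoreSource.OWASP),
)


def _clean(vector: str) -> str:
    # CVSS v2 vectors are often written wrapped in parentheses.
    return vector.strip().strip('()')


def score_source_from_vector(vector: str) -> ScoreSource:
    """Derive the scoring scheme from the vector; OTHER when it is not obvious.

    Unprefixed vectors are classified by a metric unique to one scheme:
    CVSS v2 has "Au:" (Authentication), CVSS v3 replaced it with "PR:"
    (Privileges Required). This heuristic is the example's own.
    """
    v = _clean(vector)
    for prefix, source in _PREFIXES:
        if v.upper().startswith(prefix):
            return source
    metrics = {part.split(':', 1)[0].upper() for part in v.split('/') if ':' in part}
    if 'AU' in metrics:
        return ScoreSource.CVSS_V2
    if 'PR' in metrics and 'AV' in metrics:
        return ScoreSource.CVSS_V3
    return ScoreSource.OTHER


def localise_vector(vector: str) -> str:
    """Return the vector without its scheme prefix; unknown schemes pass through."""
    v = _clean(vector)
    for prefix, _ in _PREFIXES:
        if v.upper().startswith(prefix):
            return v[len(prefix):]
    return v


def severity_from_scores(scores: Union[Iterable[float], float, Decimal, None]) -> Severity:
    """Bucket CVSS score(s) into a severity using the CVSS v3.x qualitative
    scale (0 None, 0.1-3.9 Low, 4.0-6.9 Medium, 7.0-8.9 High, 9.0-10 Critical).

    Up to three scores (base, temporal, environmental) may be given; the
    highest one decides, which is the conservative choice for triage.
    """
    if scores is None:
        return Severity.UNKNOWN
    if isinstance(scores, (int, float, Decimal)):
        values = [float(scores)]
    else:
        values = [float(s) for s in scores]
    if not values:
        return Severity.UNKNOWN
    top = max(values)
    if top < 0.0 or top > 10.0:
        return Severity.UNKNOWN  # not a valid CVSS score; do not guess
    if top >= 9.0:
        return Severity.CRITICAL
    if top >= 7.0:
        return Severity.HIGH
    if top >= 4.0:
        return Severity.MEDIUM
    if top > 0.0:
        return Severity.LOW
    return Severity.NONE


def rating_fields(vector: str, scores=None) -> Tuple[str, str, str]:
    """The (method, vector, severity) values a VulnerabilityRating would carry."""
    return (score_source_from_vector(vector).value,
            localise_vector(vector),
            severity_from_scores(scores).value)
```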
- class cyclonedx.model.vulnerability.VulnerabilityRating(*, source: VulnerabilitySource | None = None, score: decimal.Decimal | None = None, severity: VulnerabilitySeverity | None = None, method: VulnerabilityScoreSource | None = None, vector: str | None = None, justification: str | None = None)
Class that models the ratingType complex element in the CycloneDX core schema.
This class previously modelled the scoreType complex type in the schema extension used prior to schema version 1.4 - see https://github.com/CycloneDX/specification/blob/master/schema/ext/vulnerability-1.0.xsd.
Note
See ratingType in https://cyclonedx.org/docs/1.4/#ratingType
Warning
As part of implementing support for CycloneDX schema version 1.4, the three score types defined in the schema extension used prior to 1.4 have been deprecated. The deprecated score_base should loosely be equivalent to the new score in 1.4 schema. Both score_impact and score_exploitability are deprecated and removed as they are redundant if you have the vector (the vector allows you to calculate the scores).
- property source: VulnerabilitySource | None
The source that published the vulnerability.
- property score: decimal.Decimal | None
The numerical score of the rating.
- property severity: VulnerabilitySeverity | None
The textual representation of the severity that corresponds to the numerical score of the rating.
- property method: VulnerabilityScoreSource | None
The risk scoring methodology/standard used.
- property vector: str | None
The textual representation of the metric values used to score the vulnerability - also known as the vector.
- property justification: str | None
An optional reason for rating the vulnerability as it was.
- class cyclonedx.model.vulnerability.VulnerabilityCredits(*, organizations: Iterable[cyclonedx.model.contact.OrganizationalEntity] | None = None, individuals: Iterable[cyclonedx.model.contact.OrganizationalContact] | None = None)
Class that models the credits of vulnerabilityType complex type in the CycloneDX schema (version >= 1.4).
This class also provides data support for schema versions < 1.4, where Vulnerabilities were possible through a schema extension (in XML only).
Note
See the CycloneDX schema: https://cyclonedx.org/docs/1.4/#type_vulnerabilityType
- property organizations: SortedSet[OrganizationalEntity]
The organizations credited with vulnerability discovery.
- Returns:
Set of OrganizationalEntity
- property individuals: SortedSet[OrganizationalContact]
The individuals, not associated with organizations, that are credited with vulnerability discovery.
- Returns:
Set of OrganizationalContact
- class cyclonedx.model.vulnerability.Vulnerability(*, bom_ref: str | cyclonedx.model.bom_ref.BomRef | None = None, id: str | None = None, source: VulnerabilitySource | None = None, references: Iterable[VulnerabilityReference] | None = None, ratings: Iterable[VulnerabilityRating] | None = None, cwes: Iterable[int] | None = None, description: str | None = None, detail: str | None = None, recommendation: str | None = None, advisories: Iterable[VulnerabilityAdvisory] | None = None, created: datetime.datetime | None = None, published: datetime.datetime | None = None, updated: datetime.datetime | None = None, credits: VulnerabilityCredits | None = None, tools: Iterable[cyclonedx.model.Tool] | None = None, analysis: VulnerabilityAnalysis | None = None, affects: Iterable[BomTarget] | None = None, properties: Iterable[cyclonedx.model.Property] | None = None)
Class that models the vulnerabilityType complex type in the CycloneDX schema (version >= 1.4).
This class also provides data support for schema versions < 1.4, where Vulnerabilities were possible through a schema extension (in XML only).
Note
See the CycloneDX schema: https://cyclonedx.org/docs/1.4/#type_vulnerabilityType
- property bom_ref: cyclonedx.model.bom_ref.BomRef
Get the unique reference for this Vulnerability in this BOM.
If a value was not provided in the constructor, a UUIDv4 will have been assigned.
- Returns:
BomRef
- property id: str | None
The identifier that uniquely identifies the vulnerability. For example: CVE-2021-39182.
- Returns:
str if set else None
- property source: VulnerabilitySource | None
The source that published the vulnerability.
- Returns:
VulnerabilitySource if set else None
- property references: SortedSet[VulnerabilityReference]
Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Often, the same vulnerability may exist in multiple sources of vulnerability intelligence but have different identifiers. References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.
- Returns:
Set of VulnerabilityReference
- property ratings: SortedSet[VulnerabilityRating]
List of vulnerability ratings.
- Returns:
Set of VulnerabilityRating
- property cwes: SortedSet[int]
A list of CWE (Common Weakness Enumeration) identifiers.
- Returns:
Set of int
- property description: str | None
A description of the vulnerability as provided by the source.
- Returns:
str if set else None
- property detail: str | None
If available, an in-depth description of the vulnerability as provided by the source organization. Details often include examples, proof-of-concepts, and other information useful in understanding root cause.
- Returns:
str if set else None
- property recommendation: str | None
Recommendations of how the vulnerability can be remediated or mitigated.
- Returns:
str if set else None
- property advisories: SortedSet[VulnerabilityAdvisory]
Advisories relating to the Vulnerability.
- Returns:
Set of VulnerabilityAdvisory
- property created: datetime.datetime | None
The date and time (timestamp) when the vulnerability record was created in the vulnerability database.
- Returns:
datetime if set else None
- property published: datetime.datetime | None
The date and time (timestamp) when the vulnerability record was first published.
- Returns:
datetime if set else None
- property updated: datetime.datetime | None
The date and time (timestamp) when the vulnerability record was last updated.
- Returns:
datetime if set else None
- property credits: VulnerabilityCredits | None
Individuals or organizations credited with the discovery of the vulnerability.
- Returns:
VulnerabilityCredits if set else None
- property tools: SortedSet[Tool]
The tool(s) used to identify, confirm, or score the vulnerability.
- Returns:
Set of Tool
- property analysis: VulnerabilityAnalysis | None
Analysis of the Vulnerability in your context.
- Returns:
VulnerabilityAnalysis if set else None