cyclonedx.model.vulnerability ============================= .. py:module:: cyclonedx.model.vulnerability .. autoapi-nested-parse:: This set of classes represents the data that is possible about known Vulnerabilities. Prior to CycloneDX schema version 1.4, vulnerabilities were possible in XML versions ONLY of the standard through a schema extension: https://cyclonedx.org/ext/vulnerability. Since CycloneDX schema version 1.4, this has become part of the core schema. .. note:: See the CycloneDX Schema extension definition https://cyclonedx.org/docs/1.7/xml/#type_vulnerabilitiesType Classes ------- .. autoapisummary:: cyclonedx.model.vulnerability.BomTargetVersionRange cyclonedx.model.vulnerability.BomTarget cyclonedx.model.vulnerability.VulnerabilityAnalysis cyclonedx.model.vulnerability.VulnerabilityAdvisory cyclonedx.model.vulnerability.VulnerabilitySource cyclonedx.model.vulnerability.VulnerabilityReference cyclonedx.model.vulnerability.VulnerabilityScoreSource cyclonedx.model.vulnerability.VulnerabilitySeverity cyclonedx.model.vulnerability.VulnerabilityRating cyclonedx.model.vulnerability.VulnerabilityCredits cyclonedx.model.vulnerability.Vulnerability Module Contents --------------- .. py:class:: BomTargetVersionRange(*, version: Optional[str] = None, range: Optional[str] = None, status: Optional[cyclonedx.model.impact_analysis.ImpactAnalysisAffectedStatus] = None) Class that represents either a version or version range and its affected status. `version` and `version_range` are mutually exclusive. .. note:: See the CycloneDX schema: https://cyclonedx.org/docs/1.7/json/#tab-pane_vulnerabilities_items_affects_items_versions_items_oneOf_i0 .. py:property:: version :type: Optional[str] A single version of a component or service. .. py:property:: range :type: Optional[str] A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst .. note:: The VERSION-RANGE-SPEC from Package URL is not a formalised standard at the time of writing and this no validation of conformance with this draft standard is performed. .. py:property:: status :type: Optional[cyclonedx.model.impact_analysis.ImpactAnalysisAffectedStatus] The vulnerability status for the version or range of versions. .. py:class:: BomTarget(*, ref: str, versions: Optional[collections.abc.Iterable[BomTargetVersionRange]] = None) Class that represents referencing a Component or Service in a BOM. Aims to represent the sub-element `target` of the complex type `vulnerabilityType`. You can either create a `cyclonedx.model.bom.Bom` yourself programmatically, or generate a `cyclonedx.model.bom.Bom` from a `cyclonedx.parser.BaseParser` implementation. .. note:: See the CycloneDX schema: https://cyclonedx.org/docs/1.7/json/#vulnerabilities_items_affects .. py:property:: ref :type: str Reference to a component or service by the objects `bom-ref`. .. py:property:: versions :type: SortedSet[BomTargetVersionRange] Zero or more individual versions or range of versions. Returns: Set of `BomTargetVersionRange` .. py:class:: VulnerabilityAnalysis(*, state: Optional[cyclonedx.model.impact_analysis.ImpactAnalysisState] = None, justification: Optional[cyclonedx.model.impact_analysis.ImpactAnalysisJustification] = None, responses: Optional[collections.abc.Iterable[cyclonedx.model.impact_analysis.ImpactAnalysisResponse]] = None, detail: Optional[str] = None, first_issued: Optional[datetime.datetime] = None, last_updated: Optional[datetime.datetime] = None) Class that models the `analysis` sub-element of the `vulnerabilityType` complex type. .. note:: See the CycloneDX schema: https://cyclonedx.org/docs/1.7/json/#vulnerabilities_items_analysis .. py:property:: state :type: Optional[cyclonedx.model.impact_analysis.ImpactAnalysisState] The declared current state of an occurrence of a vulnerability, after automated or manual analysis. Returns: `ImpactAnalysisState` if set else `None` .. py:property:: justification :type: Optional[cyclonedx.model.impact_analysis.ImpactAnalysisJustification] The rationale of why the impact analysis state was asserted. Returns: `ImpactAnalysisJustification` if set else `None` .. py:property:: responses :type: SortedSet[ImpactAnalysisResponse] A list of responses to the vulnerability by the manufacturer, supplier, or project responsible for the affected component or service. More than one response is allowed. Responses are strongly encouraged for vulnerabilities where the analysis state is exploitable. Returns: Set of `ImpactAnalysisResponse` .. py:property:: detail :type: Optional[str] A detailed description of the impact including methods used during assessment. If a vulnerability is not exploitable, this field should include specific details on why the component or service is not impacted by this vulnerability. Returns: `str` if set else `None` .. py:property:: first_issued :type: Optional[datetime.datetime] .. py:property:: last_updated :type: Optional[datetime.datetime] .. py:class:: VulnerabilityAdvisory(*, url: cyclonedx.model.XsUri, title: Optional[str] = None) Class that models the `advisoryType` complex type. .. note:: See the CycloneDX schema: https://cyclonedx.org/docs/1.7/json/#vulnerabilities_items_advisories .. py:property:: title :type: Optional[str] The title of this advisory. .. py:property:: url :type: cyclonedx.model.XsUri The url of this advisory. .. py:class:: VulnerabilitySource(*, name: Optional[str] = None, url: Optional[cyclonedx.model.XsUri] = None) Class that models the `vulnerabilitySourceType` complex type. This type is used for multiple purposes in the CycloneDX schema. .. note:: See the CycloneDX schema: https://cyclonedx.org/docs/1.7/json/#vulnerabilities_items_source .. py:property:: name :type: Optional[str] Name of this Source. .. py:property:: url :type: Optional[cyclonedx.model.XsUri] The url of this Source. .. py:class:: VulnerabilityReference(*, id: str, source: VulnerabilitySource) Class that models the nested `reference` within the `vulnerabilityType` complex type. Vulnerabilities may benefit from pointers to vulnerabilities that are the equivalent of the vulnerability specified. Often times, the same vulnerability may exist in multiple sources of vulnerability intelligence, but have different identifiers. These references provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence. .. note:: See the CycloneDX schema: https://cyclonedx.org/docs/1.7/json/#vulnerabilities_items_references .. note:: Properties ``id`` and ``source`` are mandatory. History: * In v1.4 JSON scheme, both properties were mandatory https://github.com/CycloneDX/specification/blob/d570ffb8956d796585b9574e57598c42ee9de770/schema/bom-1.4.schema.json#L1455-L1474 * In v1.4 XML schema, both properties were optional https://github.com/CycloneDX/specification/blob/d570ffb8956d796585b9574e57598c42ee9de770/schema/bom-1.4.xsd#L1788-L1797 * In v1.5 XML schema, both were mandatory https://github.com/CycloneDX/specification/blob/d570ffb8956d796585b9574e57598c42ee9de770/schema/bom-1.5.xsd#L3364-L3374 Decision: Since CycloneDXCoreWorkingGroup chose JSON schema as the dominant schema, the one that serves as first spec implementation, and since XML schema was "fixed" to work same as JSON schema, we'd consider it canon/spec that both properties were always mandatory. .. py:property:: id :type: str The identifier that uniquely identifies the vulnerability in the associated Source. For example: CVE-2021-39182. .. py:property:: source :type: VulnerabilitySource The source that published the vulnerability. .. py:class:: VulnerabilityScoreSource Bases: :py:obj:`str`, :py:obj:`enum.Enum` Enum object that defines the permissible source types for a Vulnerability's score. .. note:: See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.7/xml/#type_scoreSourceType .. note:: No explicit carry-over from the former schema extension: https://github.com/CycloneDX/specification/blob/master/schema/ext/vulnerability-1.0.xsd .. py:attribute:: CVSS_V2 :value: 'CVSSv2' .. py:attribute:: CVSS_V3 :value: 'CVSSv3' .. py:attribute:: CVSS_V3_1 :value: 'CVSSv31' .. py:attribute:: CVSS_V4 :value: 'CVSSv4' .. py:attribute:: OWASP :value: 'OWASP' .. py:attribute:: SSVC :value: 'SSVC' .. py:attribute:: OTHER :value: 'other' .. py:method:: get_from_vector(vector: str) -> VulnerabilityScoreSource :staticmethod: Attempt to derive the correct SourceType from an attack vector. For example, often attack vector strings are prefixed with the scheme in question - such that __CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N__ would be the vector __AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N__ under the __CVSS 3__ scheme. Returns: Always returns an instance of `VulnerabilityScoreSource`. `VulnerabilityScoreSource.OTHER` is returned if the scheme is not obvious or known to us. .. py:method:: get_localised_vector(vector: str) -> str This method will remove any Source Scheme type from the supplied vector, returning just the vector. .. Note:: Currently supports CVSS 3.x, CVSS 2.x and OWASP schemes. Returns: The vector without any scheme prefix as a `str`. .. py:method:: get_value_pre_1_4() -> str Some of the enum values changed in 1.4 of the CycloneDX spec. This method allows us to backport some of the changes for pre-1.4. Returns: `str` .. py:class:: VulnerabilitySeverity Bases: :py:obj:`str`, :py:obj:`enum.Enum` Class that defines the permissible severities for a Vulnerability. .. note:: See the CycloneDX schema: https://cyclonedx.org/docs/1.7/xml/#type_severityType .. py:attribute:: NONE :value: 'none' .. py:attribute:: INFO :value: 'info' .. py:attribute:: LOW :value: 'low' .. py:attribute:: MEDIUM :value: 'medium' .. py:attribute:: HIGH :value: 'high' .. py:attribute:: CRITICAL :value: 'critical' .. py:attribute:: UNKNOWN :value: 'unknown' .. py:method:: get_from_cvss_scores(scores: Union[tuple[float, Ellipsis], float, None]) -> VulnerabilitySeverity :staticmethod: Deprecated — Alias of :func:`cyclonedx.contrib.vulnerability.cvss.vs_from_cvss_scores()`. Derives the Severity of a Vulnerability from it's declared CVSS scores. .. deprecated:: next Use ``cyclonedx.contrib.vulnerability.cvss.VulnerabilitySeverity_from_cvss_scores()`` instead. .. py:class:: VulnerabilityRating(*, source: Optional[VulnerabilitySource] = None, score: Optional[decimal.Decimal] = None, severity: Optional[VulnerabilitySeverity] = None, method: Optional[VulnerabilityScoreSource] = None, vector: Optional[str] = None, justification: Optional[str] = None) Class that models the `ratingType` complex element CycloneDX core schema. This class previously modelled the `scoreType` complexe type in the schema extension used prior to schema version 1.4 - see https://github.com/CycloneDX/specification/blob/master/schema/ext/vulnerability-1.0.xsd. .. note:: See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.7/xml/#type_ratingType .. warning:: As part of implementing support for CycloneDX schema version 1.4, the three score types defined in the schema extension used prior to 1.4 have been deprecated. The deprecated `score_base` should loosely be equivalent to the new `score` in 1.4 schema. Both `score_impact` and `score_exploitability` are deprecated and removed as they are redundant if you have the vector (the vector allows you to calculate the scores). .. py:property:: source :type: Optional[VulnerabilitySource] The source that published the vulnerability. .. py:property:: score :type: Optional[decimal.Decimal] The numerical score of the rating. .. py:property:: severity :type: Optional[VulnerabilitySeverity] The textual representation of the severity that corresponds to the numerical score of the rating. .. py:property:: method :type: Optional[VulnerabilityScoreSource] The risk scoring methodology/standard used. .. py:property:: vector :type: Optional[str] The textual representation of the metric values used to score the vulnerability - also known as the vector. .. py:property:: justification :type: Optional[str] An optional reason for rating the vulnerability as it was. .. py:class:: VulnerabilityCredits(*, organizations: Optional[collections.abc.Iterable[cyclonedx.model.contact.OrganizationalEntity]] = None, individuals: Optional[collections.abc.Iterable[cyclonedx.model.contact.OrganizationalContact]] = None) Class that models the `credits` of `vulnerabilityType` complex type in the CycloneDX schema (version >= 1.4). This class also provides data support for schema versions < 1.4 where Vulnerabilites were possible through a schema extension (in XML only). .. note:: See the CycloneDX schema: https://cyclonedx.org/docs/1.7/json/#vulnerabilities_items_credits .. py:property:: organizations :type: SortedSet[OrganizationalEntity] The organizations credited with vulnerability discovery. Returns: Set of `OrganizationalEntity` .. py:property:: individuals :type: SortedSet[OrganizationalContact] The individuals, not associated with organizations, that are credited with vulnerability discovery. Returns: Set of `OrganizationalContact` .. py:class:: Vulnerability(*, bom_ref: Optional[Union[str, cyclonedx.model.bom_ref.BomRef]] = None, id: Optional[str] = None, source: Optional[VulnerabilitySource] = None, references: Optional[collections.abc.Iterable[VulnerabilityReference]] = None, ratings: Optional[collections.abc.Iterable[VulnerabilityRating]] = None, cwes: Optional[collections.abc.Iterable[int]] = None, description: Optional[str] = None, detail: Optional[str] = None, recommendation: Optional[str] = None, workaround: Optional[str] = None, advisories: Optional[collections.abc.Iterable[VulnerabilityAdvisory]] = None, created: Optional[datetime.datetime] = None, published: Optional[datetime.datetime] = None, updated: Optional[datetime.datetime] = None, credits: Optional[VulnerabilityCredits] = None, tools: Optional[Union[collections.abc.Iterable[cyclonedx.model.tool.Tool], cyclonedx.model.tool.ToolRepository]] = None, analysis: Optional[VulnerabilityAnalysis] = None, affects: Optional[collections.abc.Iterable[BomTarget]] = None, properties: Optional[collections.abc.Iterable[cyclonedx.model.Property]] = None) Class that models the `vulnerabilityType` complex type in the CycloneDX schema (version >= 1.4). This class also provides data support for schema versions < 1.4 where Vulnerabilites were possible through a schema extension (in XML only). .. note:: See the CycloneDX schema: https://cyclonedx.org/docs/1.7/xml/#type_vulnerabilityType .. py:property:: id :type: Optional[str] The identifier that uniquely identifies the vulnerability. For example: CVE-2021-39182. Returns: `str` if set else `None` .. py:property:: source :type: Optional[VulnerabilitySource] The source that published the vulnerability. Returns: `VulnerabilitySource` if set else `None` .. py:property:: references :type: SortedSet[VulnerabilityReference] Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Often times, the same vulnerability may exist in multiple sources of vulnerability intelligence, but have different identifiers. References provides a way to correlate vulnerabilities across multiple sources of vulnerability intelligence. Returns: Set of `VulnerabilityReference` .. py:property:: ratings :type: SortedSet[VulnerabilityRating] List of vulnerability ratings. Returns: Set of `VulnerabilityRating` .. py:property:: cwes :type: SortedSet[int] A list of CWE (Common Weakness Enumeration) identifiers. .. note:: See https://cwe.mitre.org/ Returns: Set of `int` .. py:property:: description :type: Optional[str] A description of the vulnerability as provided by the source. Returns: `str` if set else `None` .. py:property:: detail :type: Optional[str] If available, an in-depth description of the vulnerability as provided by the source organization. Details often include examples, proof-of-concepts, and other information useful in understanding root cause. Returns: `str` if set else `None` .. py:property:: recommendation :type: Optional[str] Recommendations of how the vulnerability can be remediated or mitigated. Returns: `str` if set else `None` .. py:property:: workaround :type: Optional[str] A bypass, usually temporary, of the vulnerability that reduces its likelihood and/or impact. Workarounds often involve changes to configuration or deployments. Returns: `str` if set else `None` .. py:property:: advisories :type: SortedSet[VulnerabilityAdvisory] Advisories relating to the Vulnerability. Returns: Set of `VulnerabilityAdvisory` .. py:property:: created :type: Optional[datetime.datetime] The date and time (timestamp) when the vulnerability record was created in the vulnerability database. Returns: `datetime` if set else `None` .. py:property:: published :type: Optional[datetime.datetime] The date and time (timestamp) when the vulnerability record was first published. Returns: `datetime` if set else `None` .. py:property:: updated :type: Optional[datetime.datetime] The date and time (timestamp) when the vulnerability record was last updated. Returns: `datetime` if set else `None` .. py:property:: credits :type: Optional[VulnerabilityCredits] Individuals or organizations credited with the discovery of the vulnerability. Returns: `VulnerabilityCredits` if set else `None` .. py:property:: tools :type: cyclonedx.model.tool.ToolRepository Tools used to create this BOM. Returns: :class:`ToolRepository` object. .. py:property:: analysis :type: Optional[VulnerabilityAnalysis] Analysis of the Vulnerability in your context. Returns: `VulnerabilityAnalysis` if set else `None` .. py:property:: affects :type: SortedSet[BomTarget] The components or services that are affected by the vulnerability. Returns: Set of `BomTarget` .. py:property:: properties :type: SortedSet[Property] Provides the ability to document properties in a key/value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Return: Set of `Property` .. py:property:: bom_ref :type: cyclonedx.model.bom_ref.BomRef Get the unique reference for this Vulnerability in this BOM. Returns: `BomRef`