{
    "$schema": "http://json-schema.org/draft-07/schema#",
    "$id": "#Finding",
    "description": "A security finding, which may be a vulnerability or just an informative issue. A single finding may impact one or more resources. The `IMPACTS` relationship between the Vulnerability and the resource entity that was impacted serves as the record of the finding. The `IMPACTS` relationship carries properties such as 'identifiedOn', 'remediatedOn', 'remediationDueOn', 'issueLink', etc.",
    "type": "object",
    "allOf": [
        {
            "$ref": "#RecordEntity"
        },
        {
            "properties": {
                "category": {
                    "description": "The category of the finding.",
                    "anyOf": [
                        {
                            "type": "string"
                        },
                        {
                            "type": "array",
                            "items": { "type": "string" },
                            "examples": [
                                "data",
                                "application",
                                "host",
                                "network",
                                "endpoint",
                                "malware",
                                "event"
                            ]
                        },
                        { "type": "null" }
                    ]
                },
                "assessment": {
                    "description": "The name/id of the assessment that produced this finding.",
                    "anyOf": [{ "type": "string" }, { "type": "null" }]
                },
                "status": {
                    "description": "Status of the vulnerability.",
                    "anyOf": [{ "type": "string" }, { "type": "null" }]
                },
                "severity": {
                    "description": "Severity rating based on impact and exploitability.",
                    "anyOf": [
                        {
                            "type": "string",
                            "examples": [
                                "none",
                                "informational",
                                "low",
                                "medium",
                                "high",
                                "critical"
                            ]
                        },
                        { "type": "null" }
                    ]
                },
                "numericSeverity": {
                    "description": "Numeric severity rating based on impact and exploitability.",
                    "anyOf": [
                        {
                            "type": "number",
                            "examples": [1, 2, 3, 4, 5, 6, 7, 8, 9, 10]
                        },
                        { "type": "null" }
                    ]
                },
                "priority": {
                    "description": "Priority level mapping to the Severity rating. Can be a string such as 'critical', 'high', 'medium', 'low', 'info', or an integer, usually between 0 and 5.",
                    "anyOf": [{ "type": "string" }, { "type": "null" }]
                },
                "score": {
                    "description": "The overall vulnerability score, e.g. CVSSv3.",
                    "anyOf": [{ "type": "number" }, { "type": "null" }]
                },
                "impact": {
                    "description": "The impact description or rating.",
                    "anyOf": [{ "type": "number" }, { "type": "null" }]
                },
                "exploitability": {
                    "description": "The exploitability score/rating.",
                    "anyOf": [{ "type": "number" }, { "type": "null" }]
                },
                "vector": {
                    "description": "The vulnerability attack vector (e.g. a CVSSv3 vector such as 'AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N').",
                    "anyOf": [{ "type": "string" }, { "type": "null" }]
                },
                "stepsToReproduce": {
                    "description": "Steps to reproduce this finding.",
                    "anyOf": [
                        {
                            "type": "array",
                            "items": {
                                "type": "string"
                            }
                        },
                        { "type": "null" }
                    ]
                },
                "recommendation": {
                    "deprecated": true,
                    "description": "Recommendation on how to remediate/fix this finding. Use 'remediationActions' field instead.",
                    "anyOf": [{ "type": "string" }, { "type": "null" }]
                },
                "remediationActions": {
                    "description": "Recommended remediation actions or steps to address a finding, vulnerability or weakness. This field supports markdown formatting for rich text content including links, code blocks, and structured lists. Markdown-formatted text describing remediation steps is preferred.",
                    "anyOf": [{ "type": "string" }, { "type": "null" }]
                },
                "targets": {
                    "description": "The target listing of projects, applications, repos or systems this vulnerability impacts. Specifying either the project/repo name or the application URL here will auto-map this Vulnerability to the corresponding Project/CodeRepo/Application entity if a match is found.",
                    "anyOf": [
                        {
                            "type": "array",
                            "items": {
                                "type": "string"
                            }
                        },
                        { "type": "null" }
                    ]
                },
                "targetDetails": {
                    "description": "Additional details about the targets. Can be a string or an array.",
                    "anyOf": [
                        {
                            "type": "array",
                            "items": {
                                "type": "string"
                            }
                        },
                        { "type": "null" }
                    ]
                },
                "remediationSLA": {
                    "description": "The number of days that the Vulnerability must be remediated within, based on the SLA set by the organization's internal vulnerability management program policy. The actual due date is set by the 'remediationDueOn' property on the `IMPACTS` relationship between the Vulnerability and its impacted resource entity.",
                    "anyOf": [{ "type": "integer" }, { "type": "null" }]
                },
                "blocksProduction": {
                    "description": "Indicates whether this vulnerability finding is a blocking issue. If true, it should block a production deploy. Defaults to false.",
                    "anyOf": [
                        {
                            "type": "boolean",
                            "default": false
                        },
                        { "type": "null" }
                    ]
                },
                "open": {
                    "description": "Indicates if this is an open vulnerability.",
                    "anyOf": [{ "type": "boolean" }, { "type": "null" }]
                },
                "production": {
                    "description": "Indicates if this vulnerability is in production.",
                    "anyOf": [{ "type": "boolean" }, { "type": "null" }]
                },
                "public": {
                    "description": "Indicates if this is a publicly disclosed vulnerability. If yes, this is usually a CVE and the 'webLink' should be set to 'https://nvd.nist.gov/vuln/detail/${CVE-Number}' or to a vendor URL. If not, it is most likely a custom application vulnerability.",
                    "anyOf": [{ "type": "boolean" }, { "type": "null" }]
                },
                "validated": {
                    "description": "Indicates if this Vulnerability finding has been validated by the security team.",
                    "anyOf": [{ "type": "boolean" }, { "type": "null" }]
                },
                "references": {
                    "description": "The array of links to references.",
                    "anyOf": [
                        {
                            "type": "array",
                            "items": {
                                "type": "string"
                            }
                        },
                        { "type": "null" }
                    ]
                }
            },
            "required": ["category", "severity", "numericSeverity", "open"]
        }
    ]
}
