{
    "$schema": "http://json-schema.org/draft-07/schema#",
    "$id": "#Vulnerability",
    "description": "A security vulnerability, typically identified by a Common Vulnerabilities and Exposures (CVE) identifier; 'cveId' may be null for vulnerabilities that have no CVE, such as findings in custom application code. A single vulnerability may relate to multiple findings and impact multiple resources. The IMPACTS relationship between the Vulnerability and the impacted resource entity serves as the record of the finding and carries the per-resource properties such as 'identifiedOn', 'remediatedOn', 'remediationDueOn' and 'issueLink'.",
    "type": "object",
    "allOf": [
        {
            "$ref": "#RecordEntity"
        },
        {
            "properties": {
                "category": {
                    "description": "The category of the vulnerability finding",
                    "type": ["string", "null"],
                    "examples": ["application", "system", "infrastructure", "other"]
                },
                "status": {
                    "description": "Status of the vulnerability (free-form; this schema does not enforce a fixed vocabulary).",
                    "anyOf": [
                        { "type": "string" },
                        { "type": "null" }
                    ]
                },
                "severity": {
                    "description": "Severity rating based on impact and exploitability, e.g. 'critical', 'high', 'medium', 'low' or 'info'. A numeric rating (usually 0-5) must be supplied as a string, since this property accepts only string or null.",
                    "type": ["string", "null"]
                },
                "priority": {
                    "description": "Priority level mapping to the severity rating, e.g. 'critical', 'high', 'medium', 'low' or 'info'. A numeric priority (usually 0-5) must be supplied as a string, since this property accepts only string or null.",
                    "anyOf": [
                        { "type": "string" },
                        { "type": "null" }
                    ]
                },
                "score": {
                    "description": "The overall vulnerability score, e.g. a CVSS v3 base score (0.0-10.0). The schema does not bound this value, so producers are responsible for supplying it on the scoring system's own scale.",
                    "anyOf": [
                        { "type": "number" },
                        { "type": "null" }
                    ]
                },
                "impact": {
                    "description": "The impact score/rating.",
                    "anyOf": [
                        { "type": "number" },
                        { "type": "null" }
                    ]
                },
                "exploitability": {
                    "description": "The exploitability score/rating.",
                    "anyOf": [
                        { "type": "number" },
                        { "type": "null" }
                    ]
                },
                "vector": {
                    "description": "The vulnerability attack vector string, e.g. a CVSS v3.1 vector such as 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'. The schema does not validate the format of this string.",
                    "anyOf": [
                        { "type": "string" },
                        { "type": "null" }
                    ]
                },
                "impacts": {
                    "description": "The target listing of projects, applications, repos or systems this vulnerability impacts. Specifying either the project/repo name or the application URL here will auto-map this Vulnerability to the corresponding Project/CodeRepo/Application entity if a match is found.",
                    "anyOf": [
                        {
                            "type": "array",
                            "items": {
                                "type": "string"
                            }
                        },
                        { "type": "null" }
                    ]
                },
                "remediationSLA": {
                    "description": "The number of days within which the Vulnerability must be remediated, per the SLA set by the organization's internal vulnerability management program policy. The actual due date is set by the 'remediationDueOn' property on the `IMPACTS` relationship between the Vulnerability and its impacted resource entity.",
                    "anyOf": [
                        { "type": "integer" },
                        { "type": "null" }
                    ]
                },
                "blocking": {
                    "description": "Indicates whether this vulnerability finding is a blocking issue. If true, it should block a production deploy. Defaults to false.",
                    "type": ["boolean", "null"],
                    "default": false
                },
                "open": {
                    "description": "Indicates whether the CVE vulnerability is currently open (unresolved) against the entity: true while the vulnerability is active, false once it is resolved or no longer applicable. The property is required but may be null; when null, the documented default of true applies.",
                    "type": ["boolean", "null"],
                    "default": true
                },
                "production": {
                    "description": "Indicates whether this vulnerability is present in a production environment.",
                    "type": ["boolean", "null"]
                },
                "public": {
                    "description": "Indicates whether this is a publicly disclosed vulnerability. If true, it is usually a CVE and 'webLink' should point to 'https://nvd.nist.gov/vuln/detail/${CVE-Number}' or to a vendor advisory URL. If false, it is most likely a custom application vulnerability.",
                    "type": ["boolean", "null"]
                },
                "validated": {
                    "description": "Indicates if this Vulnerability finding has been validated by the security team.",
                    "anyOf": [
                        { "type": "boolean" },
                        { "type": "null" }
                    ]
                },
                "references": {
                    "description": "The array of links to references.",
                    "anyOf": [
                        {
                            "type": "array",
                            "items": {
                                "type": "string"
                            }
                        },
                        { "type": "null" }
                    ]
                },
                "cveId": {
                    "description": "The Common Vulnerabilities and Exposures (CVE) identifier of the vulnerability, formatted exactly as CVE-YYYY-NNNN (uppercase 'CVE', YYYY the 4-digit year, NNNN a sequence of at least 4 digits); the pattern match is case-sensitive. This field must contain only the CVE ID with no additional text or details: CVE-2021-44228 is valid, but 'CVE-2021-44228 (YOKOGAWA)' is invalid. Use null for vulnerabilities that have no CVE.",
                    "oneOf": [
                        {
                            "type": "string",
                            "pattern": "^CVE-\\d{4}-\\d{4,}$"
                        },
                        {
                            "type": "null"
                        }
                    ]
                }
            },
            "required": [
                "open",
                "cveId"
            ]
        }
    ]
}
