The vulnerability is an unintended characteristic of a computing component or system configuration that multiplies the risk of an adverse event or a loss occurring either due to accidental exposure, deliberate attack, or conflict with new system components.
Attributes
Section titled “Attributes”cve
- Type:
cve - Requirement: recommended
Describes the Common Vulnerabilities and Exposures (CVE) details related to the vulnerability.
cwe
- Type:
cwe - Requirement: recommended
Describes the Common Weakness Enumeration (CWE) details related to the vulnerability.
references
- Type:
string_t - Requirement: recommended
A list of reference URLs with additional information about the vulnerability.
advisory
- Type:
advisory - Requirement: optional
Detail about the security advisory, that is used to publicly disclose cybersecurity vulnerabilities by a vendor.
affected_code
- Type:
affected_code - Requirement: optional
List of Affected Code objects that describe details about code blocks identified as vulnerable.
affected_packages
- Type:
affected_package - Requirement: optional
List of software packages identified as affected by a vulnerability/vulnerabilities.
category
- Type:
string_t - Requirement: optional
The category of a vulnerability or weakness, as reported by the source tool, such as Container Security or Open Source Security.
dependency_chain
- Type:
string_t - Requirement: optional
Information about the chain of dependencies related to the issue as reported by an Application Security or Vulnerability Management tool. E.g., serverless-offline -> @serverless/utils -> memoizee -> es5-ext.
desc
- Type:
string_t - Requirement: optional
The description of the vulnerability.
exploit_last_seen_time
- Type:
timestamp_t - Requirement: optional
The time when the exploit was most recently observed.
exploit_last_seen_time_dt
- Type:
datetime_t - Requirement: optional
The time when the exploit was most recently observed.
exploit_ref_url
- Type:
url_t - Requirement: optional
The URL of the exploit code or Proof-of-Concept (PoC).
exploit_requirement
- Type:
string_t - Requirement: optional
The requirement description related to any constraints around exploit execution.
exploit_type
- Type:
string_t - Requirement: optional
The categorization or type of Exploit. E.g., Network or Physical.
first_seen_time
- Type:
timestamp_t - Requirement: optional
The time when the vulnerability was first observed.
first_seen_time_dt
- Type:
datetime_t - Requirement: optional
The time when the vulnerability was first observed.
fix_available
- Type:
boolean_t - Requirement: optional
Indicates if a fix is available for the reported vulnerability.
fix_coverage
- Type:
string_t - Requirement: optional
The fix coverage, normalized to the caption of the fix_coverage_id value.
fix_coverage_id
- Type:
integer_t - Requirement: optional
- Values:
0-Unknown: The fix coverage is unknown.1-Complete: All affected packages and components have available fixes or patches to remediate the vulnerability.2-Partial: Only some of the affected packages and components have available fixes or patches, while others remain vulnerable.3-None: No fixes or patches are currently available for any of the affected packages and components.99-Other: The fix coverage is not mapped. See thefix_coverageattribute, which contains a data source specific value.
The normalized identifier for fix coverage, applicable to this vulnerability. Typically useful, when there are multiple affected packages but only a subset have available fixes.
is_exploit_available
- Type:
boolean_t - Requirement: optional
Indicates if an exploit or a PoC (proof-of-concept) is available for the reported vulnerability.
is_fix_available
- Type:
boolean_t - Requirement: optional
Indicates if a fix is available for the reported vulnerability.
kb_article_list
- Type:
kb_article - Requirement: optional
A list of KB articles or patches related to an endpoint. A KB Article contains metadata that describes the patch or an update.
kb_articles
- Type:
string_t - Requirement: optional
The KB article/s related to the entity. A KB Article contains metadata that describes the patch or an update.
last_seen_time
- Type:
timestamp_t - Requirement: optional
The time when the vulnerability was most recently observed.
last_seen_time_dt
- Type:
datetime_t - Requirement: optional
The time when the vulnerability was most recently observed.
packages
- Type:
package - Requirement: optional
List of vulnerable packages as identified by the security product
related_vulnerabilities
- Type:
string_t - Requirement: optional
List of vulnerability IDs (e.g. CVE ID) that are related to this vulnerability.
remediation
- Type:
remediation - Requirement: optional
The remediation recommendations on how to mitigate the identified vulnerability.
severity
- Type:
string_t - Requirement: optional
The vendor assigned severity of the vulnerability.
title
- Type:
string_t - Requirement: optional
A title or a brief phrase summarizing the discovered vulnerability.
vendor_name
- Type:
string_t - Requirement: optional
The name of the vendor that identified the vulnerability.