cyclonedx.model.vulnerability
=============================

.. py:module:: cyclonedx.model.vulnerability

.. autoapi-nested-parse::

   This set of classes represents the data that is possible about known Vulnerabilities.

   Prior to CycloneDX schema version 1.4, vulnerabilities were possible in XML versions ONLY of the standard through
   a schema extension: https://cyclonedx.org/ext/vulnerability.

   Since CycloneDX schema version 1.4, this has become part of the core schema.

   .. note::
       See the CycloneDX Schema extension definition https://cyclonedx.org/docs/1.7/xml/#type_vulnerabilitiesType



Classes
-------

.. autoapisummary::

   cyclonedx.model.vulnerability.BomTargetVersionRange
   cyclonedx.model.vulnerability.BomTarget
   cyclonedx.model.vulnerability.VulnerabilityAnalysis
   cyclonedx.model.vulnerability.VulnerabilityAdvisory
   cyclonedx.model.vulnerability.VulnerabilitySource
   cyclonedx.model.vulnerability.VulnerabilityReference
   cyclonedx.model.vulnerability.VulnerabilityScoreSource
   cyclonedx.model.vulnerability.VulnerabilitySeverity
   cyclonedx.model.vulnerability.VulnerabilityRating
   cyclonedx.model.vulnerability.VulnerabilityCredits
   cyclonedx.model.vulnerability.Vulnerability


Module Contents
---------------

.. py:class:: BomTargetVersionRange(*, version: Optional[str] = None, range: Optional[str] = None, status: Optional[cyclonedx.model.impact_analysis.ImpactAnalysisAffectedStatus] = None)

   Class that represents either a version or version range and its affected status.

   `version` and `version_range` are mutually exclusive.

   .. note::
       See the CycloneDX schema:
       https://cyclonedx.org/docs/1.7/json/#tab-pane_vulnerabilities_items_affects_items_versions_items_oneOf_i0


   .. py:property:: version
      :type: Optional[str]


      A single version of a component or service.



   .. py:property:: range
      :type: Optional[str]


      A version range specified in Package URL Version Range syntax (vers) which is defined at
      https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst

      .. note::
          The VERSION-RANGE-SPEC from Package URL is not a formalised standard at the time of writing and this no
          validation of conformance with this draft standard is performed.



   .. py:property:: status
      :type: Optional[cyclonedx.model.impact_analysis.ImpactAnalysisAffectedStatus]


      The vulnerability status for the version or range of versions.



.. py:class:: BomTarget(*, ref: str, versions: Optional[collections.abc.Iterable[BomTargetVersionRange]] = None)

   Class that represents referencing a Component or Service in a BOM.

   Aims to represent the sub-element `target` of the complex type `vulnerabilityType`.

   You can either create a `cyclonedx.model.bom.Bom` yourself programmatically, or generate a `cyclonedx.model.bom.Bom`
   from a `cyclonedx.parser.BaseParser` implementation.

   .. note::
       See the CycloneDX schema: https://cyclonedx.org/docs/1.7/json/#vulnerabilities_items_affects


   .. py:property:: ref
      :type: str


      Reference to a component or service by the objects `bom-ref`.



   .. py:property:: versions
      :type: SortedSet[BomTargetVersionRange]


      Zero or more individual versions or range of versions.

      Returns:
          Set of `BomTargetVersionRange`



.. py:class:: VulnerabilityAnalysis(*, state: Optional[cyclonedx.model.impact_analysis.ImpactAnalysisState] = None, justification: Optional[cyclonedx.model.impact_analysis.ImpactAnalysisJustification] = None, responses: Optional[collections.abc.Iterable[cyclonedx.model.impact_analysis.ImpactAnalysisResponse]] = None, detail: Optional[str] = None, first_issued: Optional[datetime.datetime] = None, last_updated: Optional[datetime.datetime] = None)

   Class that models the `analysis` sub-element of the `vulnerabilityType` complex type.

   .. note::
       See the CycloneDX schema: https://cyclonedx.org/docs/1.7/json/#vulnerabilities_items_analysis


   .. py:property:: state
      :type: Optional[cyclonedx.model.impact_analysis.ImpactAnalysisState]


      The declared current state of an occurrence of a vulnerability, after automated or manual analysis.

      Returns:
          `ImpactAnalysisState` if set else `None`



   .. py:property:: justification
      :type: Optional[cyclonedx.model.impact_analysis.ImpactAnalysisJustification]


      The rationale of why the impact analysis state was asserted.

      Returns:
          `ImpactAnalysisJustification` if set else `None`



   .. py:property:: responses
      :type: SortedSet[ImpactAnalysisResponse]


      A list of responses to the vulnerability by the manufacturer, supplier, or project responsible for the
      affected component or service. More than one response is allowed. Responses are strongly encouraged for
      vulnerabilities where the analysis state is exploitable.

      Returns:
          Set of `ImpactAnalysisResponse`



   .. py:property:: detail
      :type: Optional[str]


      A detailed description of the impact including methods used during assessment. If a vulnerability is not
      exploitable, this field should include specific details on why the component or service is not impacted by this
      vulnerability.

      Returns:
          `str` if set else `None`



   .. py:property:: first_issued
      :type: Optional[datetime.datetime]



   .. py:property:: last_updated
      :type: Optional[datetime.datetime]



.. py:class:: VulnerabilityAdvisory(*, url: cyclonedx.model.XsUri, title: Optional[str] = None)

   Class that models the `advisoryType` complex type.

   .. note::
       See the CycloneDX schema: https://cyclonedx.org/docs/1.7/json/#vulnerabilities_items_advisories


   .. py:property:: title
      :type: Optional[str]


      The title of this advisory.



   .. py:property:: url
      :type: cyclonedx.model.XsUri


      The url of this advisory.



.. py:class:: VulnerabilitySource(*, name: Optional[str] = None, url: Optional[cyclonedx.model.XsUri] = None)

   Class that models the `vulnerabilitySourceType` complex type.

   This type is used for multiple purposes in the CycloneDX schema.

   .. note::
       See the CycloneDX schema: https://cyclonedx.org/docs/1.7/json/#vulnerabilities_items_source


   .. py:property:: name
      :type: Optional[str]


      Name of this Source.



   .. py:property:: url
      :type: Optional[cyclonedx.model.XsUri]


      The url of this Source.



.. py:class:: VulnerabilityReference(*, id: str, source: VulnerabilitySource)

   Class that models the nested `reference` within the `vulnerabilityType` complex type.

   Vulnerabilities may benefit from pointers to vulnerabilities that are the equivalent of the vulnerability specified.
   Often times, the same vulnerability may exist in multiple sources of vulnerability intelligence, but have different
   identifiers. These references provide a way to correlate vulnerabilities across multiple sources of vulnerability
   intelligence.

   .. note::
       See the CycloneDX schema: https://cyclonedx.org/docs/1.7/json/#vulnerabilities_items_references

   .. note::
       Properties ``id`` and ``source`` are mandatory.

       History:
       * In v1.4 JSON scheme, both properties were mandatory
         https://github.com/CycloneDX/specification/blob/d570ffb8956d796585b9574e57598c42ee9de770/schema/bom-1.4.schema.json#L1455-L1474
       * In v1.4 XML schema, both properties were optional
         https://github.com/CycloneDX/specification/blob/d570ffb8956d796585b9574e57598c42ee9de770/schema/bom-1.4.xsd#L1788-L1797
       * In v1.5 XML schema, both were mandatory
         https://github.com/CycloneDX/specification/blob/d570ffb8956d796585b9574e57598c42ee9de770/schema/bom-1.5.xsd#L3364-L3374

       Decision:
       Since CycloneDXCoreWorkingGroup chose JSON schema as the dominant schema, the one that serves as first spec
       implementation, and since XML schema was "fixed" to work same as JSON schema, we'd consider it canon/spec that
       both properties were always mandatory.


   .. py:property:: id
      :type: str


      The identifier that uniquely identifies the vulnerability in the associated Source. For example: CVE-2021-39182.



   .. py:property:: source
      :type: VulnerabilitySource


      The source that published the vulnerability.



.. py:class:: VulnerabilityScoreSource

   Bases: :py:obj:`str`, :py:obj:`enum.Enum`


   Enum object that defines the permissible source types for a Vulnerability's score.

   .. note::
       See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.7/xml/#type_scoreSourceType

   .. note::
       No explicit carry-over from the former schema extension:
        https://github.com/CycloneDX/specification/blob/master/schema/ext/vulnerability-1.0.xsd


   .. py:attribute:: CVSS_V2
      :value: 'CVSSv2'



   .. py:attribute:: CVSS_V3
      :value: 'CVSSv3'



   .. py:attribute:: CVSS_V3_1
      :value: 'CVSSv31'



   .. py:attribute:: CVSS_V4
      :value: 'CVSSv4'



   .. py:attribute:: OWASP
      :value: 'OWASP'



   .. py:attribute:: SSVC
      :value: 'SSVC'



   .. py:attribute:: OTHER
      :value: 'other'



   .. py:method:: get_from_vector(vector: str) -> VulnerabilityScoreSource
      :staticmethod:


      Attempt to derive the correct SourceType from an attack vector.

      For example, often attack vector strings are prefixed with the scheme in question - such
      that __CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N__ would be the vector
      __AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N__ under the __CVSS 3__ scheme.

      Returns:
          Always returns an instance of `VulnerabilityScoreSource`. `VulnerabilityScoreSource.OTHER` is
          returned if the scheme is not obvious or known to us.



   .. py:method:: get_localised_vector(vector: str) -> str

      This method will remove any Source Scheme type from the supplied vector, returning just the vector.

      .. Note::
          Currently supports CVSS 3.x, CVSS 2.x and OWASP schemes.

      Returns:
          The vector without any scheme prefix as a `str`.



   .. py:method:: get_value_pre_1_4() -> str

      Some of the enum values changed in 1.4 of the CycloneDX spec. This method allows us to
      backport some of the changes for pre-1.4.

      Returns:
          `str`



.. py:class:: VulnerabilitySeverity

   Bases: :py:obj:`str`, :py:obj:`enum.Enum`


   Class that defines the permissible severities for a Vulnerability.

   .. note::
       See the CycloneDX schema: https://cyclonedx.org/docs/1.7/xml/#type_severityType


   .. py:attribute:: NONE
      :value: 'none'



   .. py:attribute:: INFO
      :value: 'info'



   .. py:attribute:: LOW
      :value: 'low'



   .. py:attribute:: MEDIUM
      :value: 'medium'



   .. py:attribute:: HIGH
      :value: 'high'



   .. py:attribute:: CRITICAL
      :value: 'critical'



   .. py:attribute:: UNKNOWN
      :value: 'unknown'



   .. py:method:: get_from_cvss_scores(scores: Union[tuple[float, Ellipsis], float, None]) -> VulnerabilitySeverity
      :staticmethod:


      Deprecated — Alias of :func:`cyclonedx.contrib.vulnerability.cvss.vs_from_cvss_scores()`.

      Derives the Severity of a Vulnerability from it's declared CVSS scores.

      .. deprecated:: next
          Use ``cyclonedx.contrib.vulnerability.cvss.vs_from_cvss_scores()`` instead.



.. py:class:: VulnerabilityRating(*, source: Optional[VulnerabilitySource] = None, score: Optional[decimal.Decimal] = None, severity: Optional[VulnerabilitySeverity] = None, method: Optional[VulnerabilityScoreSource] = None, vector: Optional[str] = None, justification: Optional[str] = None)

   Class that models the `ratingType` complex element CycloneDX core schema.

   This class previously modelled the `scoreType` complexe type in the schema extension used prior to schema version
   1.4 - see https://github.com/CycloneDX/specification/blob/master/schema/ext/vulnerability-1.0.xsd.

   .. note::
       See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.7/xml/#type_ratingType

   .. warning::
       As part of implementing support for CycloneDX schema version 1.4, the three score types defined in the schema
       extension used prior to 1.4 have been deprecated. The deprecated `score_base` should loosely be equivalent to
       the new `score` in 1.4 schema. Both `score_impact` and `score_exploitability` are deprecated and removed as
       they are redundant if you have the vector (the vector allows you to calculate the scores).


   .. py:property:: source
      :type: Optional[VulnerabilitySource]


      The source that published the vulnerability.



   .. py:property:: score
      :type: Optional[decimal.Decimal]


      The numerical score of the rating.



   .. py:property:: severity
      :type: Optional[VulnerabilitySeverity]


      The textual representation of the severity that corresponds to the numerical score of the rating.



   .. py:property:: method
      :type: Optional[VulnerabilityScoreSource]


      The risk scoring methodology/standard used.



   .. py:property:: vector
      :type: Optional[str]


      The textual representation of the metric values used to score the vulnerability - also known as the vector.



   .. py:property:: justification
      :type: Optional[str]


      An optional reason for rating the vulnerability as it was.



.. py:class:: VulnerabilityCredits(*, organizations: Optional[collections.abc.Iterable[cyclonedx.model.contact.OrganizationalEntity]] = None, individuals: Optional[collections.abc.Iterable[cyclonedx.model.contact.OrganizationalContact]] = None)

   Class that models the `credits` of `vulnerabilityType` complex type in the CycloneDX schema (version >= 1.4).

   This class also provides data support for schema versions < 1.4 where Vulnerabilites were possible through a schema
   extension (in XML only).

   .. note::
       See the CycloneDX schema: https://cyclonedx.org/docs/1.7/json/#vulnerabilities_items_credits


   .. py:property:: organizations
      :type: SortedSet[OrganizationalEntity]


      The organizations credited with vulnerability discovery.

      Returns:
           Set of `OrganizationalEntity`



   .. py:property:: individuals
      :type: SortedSet[OrganizationalContact]


      The individuals, not associated with organizations, that are credited with vulnerability discovery.

      Returns:
          Set of `OrganizationalContact`



.. py:class:: Vulnerability(*, bom_ref: Optional[Union[str, cyclonedx.model.bom_ref.BomRef]] = None, id: Optional[str] = None, source: Optional[VulnerabilitySource] = None, references: Optional[collections.abc.Iterable[VulnerabilityReference]] = None, ratings: Optional[collections.abc.Iterable[VulnerabilityRating]] = None, cwes: Optional[collections.abc.Iterable[int]] = None, description: Optional[str] = None, detail: Optional[str] = None, recommendation: Optional[str] = None, workaround: Optional[str] = None, advisories: Optional[collections.abc.Iterable[VulnerabilityAdvisory]] = None, created: Optional[datetime.datetime] = None, published: Optional[datetime.datetime] = None, updated: Optional[datetime.datetime] = None, credits: Optional[VulnerabilityCredits] = None, tools: Optional[Union[collections.abc.Iterable[cyclonedx.model.tool.Tool], cyclonedx.model.tool.ToolRepository]] = None, analysis: Optional[VulnerabilityAnalysis] = None, affects: Optional[collections.abc.Iterable[BomTarget]] = None, properties: Optional[collections.abc.Iterable[cyclonedx.model.Property]] = None)

   Class that models the `vulnerabilityType` complex type in the CycloneDX schema (version >= 1.4).

   This class also provides data support for schema versions < 1.4 where Vulnerabilites were possible through a schema
   extension (in XML only).

   .. note::
       See the CycloneDX schema: https://cyclonedx.org/docs/1.7/xml/#type_vulnerabilityType


   .. py:property:: id
      :type: Optional[str]


      The identifier that uniquely identifies the vulnerability. For example: CVE-2021-39182.

      Returns:
          `str` if set else `None`



   .. py:property:: source
      :type: Optional[VulnerabilitySource]


      The source that published the vulnerability.

      Returns:
          `VulnerabilitySource` if set else `None`



   .. py:property:: references
      :type: SortedSet[VulnerabilityReference]


      Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Often times,
      the same vulnerability may exist in multiple sources of vulnerability intelligence, but have different
      identifiers. References provides a way to correlate vulnerabilities across multiple sources of vulnerability
      intelligence.

      Returns:
          Set of `VulnerabilityReference`



   .. py:property:: ratings
      :type: SortedSet[VulnerabilityRating]


      List of vulnerability ratings.

      Returns:
          Set of `VulnerabilityRating`



   .. py:property:: cwes
      :type: SortedSet[int]


      A list of CWE (Common Weakness Enumeration) identifiers.

      .. note::
          See https://cwe.mitre.org/

      Returns:
          Set of `int`



   .. py:property:: description
      :type: Optional[str]


      A description of the vulnerability as provided by the source.

      Returns:
          `str` if set else `None`



   .. py:property:: detail
      :type: Optional[str]


      If available, an in-depth description of the vulnerability as provided by the source organization. Details
      often include examples, proof-of-concepts, and other information useful in understanding root cause.

      Returns:
          `str` if set else `None`



   .. py:property:: recommendation
      :type: Optional[str]


      Recommendations of how the vulnerability can be remediated or mitigated.

      Returns:
          `str` if set else `None`



   .. py:property:: workaround
      :type: Optional[str]


      A bypass, usually temporary, of the vulnerability that reduces its likelihood and/or impact.
      Workarounds often involve changes to configuration or deployments.

      Returns:
          `str` if set else `None`



   .. py:property:: advisories
      :type: SortedSet[VulnerabilityAdvisory]


      Advisories relating to the Vulnerability.

      Returns:
          Set of `VulnerabilityAdvisory`



   .. py:property:: created
      :type: Optional[datetime.datetime]


      The date and time (timestamp) when the vulnerability record was created in the vulnerability database.

      Returns:
          `datetime` if set else `None`



   .. py:property:: published
      :type: Optional[datetime.datetime]


      The date and time (timestamp) when the vulnerability record was first published.

      Returns:
          `datetime` if set else `None`



   .. py:property:: updated
      :type: Optional[datetime.datetime]


      The date and time (timestamp) when the vulnerability record was last updated.

      Returns:
          `datetime` if set else `None`



   .. py:property:: credits
      :type: Optional[VulnerabilityCredits]


      Individuals or organizations credited with the discovery of the vulnerability.

      Returns:
          `VulnerabilityCredits` if set else `None`



   .. py:property:: tools
      :type: cyclonedx.model.tool.ToolRepository


      Tools used to create this BOM.

      Returns:
          :class:`ToolRepository` object.



   .. py:property:: analysis
      :type: Optional[VulnerabilityAnalysis]


      Analysis of the Vulnerability in your context.

      Returns:
          `VulnerabilityAnalysis` if set else `None`



   .. py:property:: affects
      :type: SortedSet[BomTarget]


      The components or services that are affected by the vulnerability.

      Returns:
          Set of `BomTarget`



   .. py:property:: properties
      :type: SortedSet[Property]


      Provides the ability to document properties in a key/value store. This provides flexibility to include data not
      officially supported in the standard without having to use additional namespaces or create extensions.

      Return:
          Set of `Property`



   .. py:property:: bom_ref
      :type: cyclonedx.model.bom_ref.BomRef


      Get the unique reference for this Vulnerability in this BOM.

      Returns:
         `BomRef`



