// Copyright (c) StellaOps. Licensed under the AGPL-3.0-or-later.

using System.Collections.Immutable;
using System.ComponentModel.DataAnnotations;
using System.Text.Json.Serialization;

namespace StellaOps.Spdx3.Model.Security;

/// <summary>
/// SPDX 3.0.1 Vulnerability element representing a security vulnerability.
/// Sprint: SPRINT_20260107_004_004 Task SP-001
/// </summary>
/// <remarks>
/// This is a plain data carrier: every property is init-only and the type contains no
/// validation logic. Nothing here checks that the timestamps are mutually consistent or that
/// the external identifiers are well formed.
/// </remarks>
public sealed record Spdx3Vulnerability : Spdx3Element
{
    /// <summary>
    /// The JSON-LD type for Vulnerability elements.
    /// </summary>
    public const string TypeName = "security_Vulnerability";

    /// <summary>
    /// Gets the published date of the vulnerability. Serialized as <c>security_publishedTime</c>.
    /// </summary>
    [JsonPropertyName("security_publishedTime")]
    public DateTimeOffset? PublishedTime { get; init; }

    /// <summary>
    /// Gets the last modified date of the vulnerability. Serialized as <c>security_modifiedTime</c>.
    /// </summary>
    [JsonPropertyName("security_modifiedTime")]
    public DateTimeOffset? ModifiedTime { get; init; }

    /// <summary>
    /// Gets the withdrawn date (if applicable). Serialized as <c>security_withdrawnTime</c>.
    /// </summary>
    // NOTE(review): a non-null value is only recorded here; this type does not treat a withdrawn
    // vulnerability differently, so consumers that match or report on it must check this themselves.
    [JsonPropertyName("security_withdrawnTime")]
    public DateTimeOffset? WithdrawnTime { get; init; }

    /// <summary>
    /// Gets the external references (CVE, GHSA, etc.). Serialized as <c>externalRef</c>.
    /// </summary>
    // NOTE(review): ImmutableArray is written without a type argument here and in the initializer,
    // which looks like the generic argument was lost when this listing was extracted. Restore the
    // element type from the original file; it is not recoverable from this page.
    [JsonPropertyName("externalRef")]
    public ImmutableArray ExternalRefs { get; init; } = ImmutableArray.Empty;

    /// <summary>
    /// Gets the external identifiers (CVE ID, etc.). Serialized as <c>externalIdentifier</c>.
    /// </summary>
    // NOTE(review): same missing type argument as ExternalRefs. Identifier strings are stored as
    // supplied; no format check (e.g. CVE ID syntax) is visible in this type.
    [JsonPropertyName("externalIdentifier")]
    public ImmutableArray ExternalIdentifiers { get; init; } = ImmutableArray.Empty;
}

/// <summary>
/// Base class for SPDX 3.0.1 vulnerability assessment relationships.
/// Sprint: SPRINT_20260107_004_004 Task SP-001
/// </summary>
/// <remarks>
/// Holds the members shared by the four VEX status records declared below in this file
/// (Affected, Not Affected, Fixed, Under Investigation).
/// </remarks>
public abstract record Spdx3VulnAssessmentRelationship : Spdx3Relationship
{
    /// <summary>
    /// Gets the element being assessed (Package, File, etc.). Serialized as
    /// <c>security_assessedElement</c>.
    /// </summary>
    // The C# `required` modifier makes object initializers (and System.Text.Json on .NET 7+) insist
    // that the member is supplied. It does not reject an explicit null or an empty string.
    // [Required] covers null/empty only when a DataAnnotations validator is actually run on the
    // instance; System.Text.Json does not evaluate it during deserialization.
    // NOTE(review): confirm that the ingestion path runs validation before this value is used to
    // look up the assessed element.
    [Required]
    [JsonPropertyName("security_assessedElement")]
    public required string AssessedElement { get; init; }

    /// <summary>
    /// Gets the agent that supplied this assessment. Serialized as <c>security_suppliedBy</c>.
    /// </summary>
    // NOTE(review): this is a string carried inside the document. Nothing in this type ties it to
    // an authenticated signer, so it should be read as a claim unless the document's provenance
    // is verified elsewhere.
    [JsonPropertyName("security_suppliedBy")]
    public string? SuppliedBy { get; init; }

    /// <summary>
    /// Gets when the assessment was published. Serialized as <c>security_publishedTime</c>.
    /// </summary>
    [JsonPropertyName("security_publishedTime")]
    public DateTimeOffset? PublishedTime { get; init; }

    /// <summary>
    /// Gets when the assessment was last modified. Serialized as <c>security_modifiedTime</c>.
    /// </summary>
    [JsonPropertyName("security_modifiedTime")]
    public DateTimeOffset? ModifiedTime { get; init; }

    /// <summary>
    /// Gets when the assessment was withdrawn (if applicable). Serialized as
    /// <c>security_withdrawnTime</c>.
    /// </summary>
    // NOTE(review): not enforced here. A withdrawn "not affected" or "fixed" assessment that is
    // still honoured would suppress a finding it no longer supports, so consumers should check
    // this field before acting on the status.
    [JsonPropertyName("security_withdrawnTime")]
    public DateTimeOffset? WithdrawnTime { get; init; }
}

/// <summary>
/// SPDX 3.0.1 VEX Affected vulnerability assessment relationship.
/// Sprint: SPRINT_20260107_004_004 Task SP-001
/// </summary>
public sealed record Spdx3VexAffectedVulnAssessmentRelationship : Spdx3VulnAssessmentRelationship
{
    /// <summary>
    /// The JSON-LD type for VEX Affected assessment.
    /// </summary>
    public const string TypeName = "security_VexAffectedVulnAssessmentRelationship";

    /// <summary>
    /// Gets the VEX version. Serialized as <c>security_vexVersion</c>.
    /// </summary>
    [JsonPropertyName("security_vexVersion")]
    public string? VexVersion { get; init; }

    /// <summary>
    /// Gets the status notes. Serialized as <c>security_statusNotes</c>.
    /// </summary>
    // Free text taken from the document as-is; encode it on output if it is rendered.
    [JsonPropertyName("security_statusNotes")]
    public string? StatusNotes { get; init; }

    /// <summary>
    /// Gets the action statement for remediation. Serialized as <c>security_actionStatement</c>.
    /// </summary>
    // Free text taken from the document as-is; encode it on output if it is rendered.
    [JsonPropertyName("security_actionStatement")]
    public string? ActionStatement { get; init; }

    /// <summary>
    /// Gets the deadline for taking action. Serialized as <c>security_actionStatementTime</c>.
    /// </summary>
    [JsonPropertyName("security_actionStatementTime")]
    public DateTimeOffset? ActionStatementTime { get; init; }
}

/// <summary>
/// SPDX 3.0.1 VEX Not Affected vulnerability assessment relationship.
/// Sprint: SPRINT_20260107_004_004 Task SP-001
/// </summary>
/// <remarks>
/// Both <see cref="JustificationType"/> and <see cref="ImpactStatement"/> are optional in this
/// model, so an instance can be constructed with neither.
/// </remarks>
// NOTE(review): a "not affected" statement is typically what lets a scanner finding be suppressed.
// If policy requires a justification or impact statement before suppression, that rule has to be
// enforced by the consumer; this record accepts both as null.
public sealed record Spdx3VexNotAffectedVulnAssessmentRelationship : Spdx3VulnAssessmentRelationship
{
    /// <summary>
    /// The JSON-LD type for VEX Not Affected assessment.
    /// </summary>
    public const string TypeName = "security_VexNotAffectedVulnAssessmentRelationship";

    /// <summary>
    /// Gets the VEX version. Serialized as <c>security_vexVersion</c>.
    /// </summary>
    [JsonPropertyName("security_vexVersion")]
    public string? VexVersion { get; init; }

    /// <summary>
    /// Gets the status notes. Serialized as <c>security_statusNotes</c>.
    /// </summary>
    // Free text taken from the document as-is; encode it on output if it is rendered.
    [JsonPropertyName("security_statusNotes")]
    public string? StatusNotes { get; init; }

    /// <summary>
    /// Gets the justification for not affected status. Serialized as
    /// <c>security_justificationType</c>.
    /// </summary>
    [JsonPropertyName("security_justificationType")]
    public Spdx3VexJustificationType? JustificationType { get; init; }

    /// <summary>
    /// Gets the impact statement. Serialized as <c>security_impactStatement</c>.
    /// </summary>
    // Free text taken from the document as-is; encode it on output if it is rendered.
    [JsonPropertyName("security_impactStatement")]
    public string? ImpactStatement { get; init; }

    /// <summary>
    /// Gets the impact statement time. Serialized as <c>security_impactStatementTime</c>.
    /// </summary>
    [JsonPropertyName("security_impactStatementTime")]
    public DateTimeOffset? ImpactStatementTime { get; init; }
}

/// <summary>
/// SPDX 3.0.1 VEX Fixed vulnerability assessment relationship.
/// Sprint: SPRINT_20260107_004_004 Task SP-001
/// </summary>
public sealed record Spdx3VexFixedVulnAssessmentRelationship : Spdx3VulnAssessmentRelationship
{
    /// <summary>
    /// The JSON-LD type for VEX Fixed assessment.
    /// </summary>
    public const string TypeName = "security_VexFixedVulnAssessmentRelationship";

    /// <summary>
    /// Gets the VEX version. Serialized as <c>security_vexVersion</c>.
    /// </summary>
    [JsonPropertyName("security_vexVersion")]
    public string? VexVersion { get; init; }

    /// <summary>
    /// Gets the status notes. Serialized as <c>security_statusNotes</c>.
    /// </summary>
    // Free text taken from the document as-is; encode it on output if it is rendered.
    [JsonPropertyName("security_statusNotes")]
    public string? StatusNotes { get; init; }
}

/// <summary>
/// SPDX 3.0.1 VEX Under Investigation vulnerability assessment relationship.
/// Sprint: SPRINT_20260107_004_004 Task SP-001
/// </summary>
public sealed record Spdx3VexUnderInvestigationVulnAssessmentRelationship : Spdx3VulnAssessmentRelationship
{
    /// <summary>
    /// The JSON-LD type for VEX Under Investigation assessment.
    /// </summary>
    public const string TypeName = "security_VexUnderInvestigationVulnAssessmentRelationship";

    /// <summary>
    /// Gets the VEX version. Serialized as <c>security_vexVersion</c>.
    /// </summary>
    [JsonPropertyName("security_vexVersion")]
    public string? VexVersion { get; init; }

    /// <summary>
    /// Gets the status notes. Serialized as <c>security_statusNotes</c>.
    /// </summary>
    // Free text taken from the document as-is; encode it on output if it is rendered.
    [JsonPropertyName("security_statusNotes")]
    public string? StatusNotes { get; init; }
}

/// <summary>
/// SPDX 3.0.1 VEX justification types (from spec).
/// Sprint: SPRINT_20260107_004_004 Task SP-001
/// </summary>
// The attribute instantiates JsonStringEnumConverter with its parameterless constructor, so
// members are written using the C# names below (PascalCase) and integer values are accepted
// on read (allowIntegerValues defaults to true).
// NOTE(review): the SPDX 3.0.1 vocabulary appears to spell these entries in lower camelCase
// (e.g. componentNotPresent) - confirm against the spec; if so, emitted documents will not match
// it unless a naming policy is applied elsewhere.
// NOTE(review): with integers accepted, a numeric justification in an ingested document may
// deserialize to a value outside the five members; consider validating with Enum.IsDefined
// before a "not affected" justification is trusted.
[JsonConverter(typeof(JsonStringEnumConverter))]
public enum Spdx3VexJustificationType
{
    /// <summary>Component is not present.</summary>
    ComponentNotPresent,

    /// <summary>Vulnerable code is not present.</summary>
    VulnerableCodeNotPresent,

    /// <summary>Vulnerable code cannot be controlled by adversary.</summary>
    VulnerableCodeCannotBeControlledByAdversary,

    /// <summary>Vulnerable code is not in execute path.</summary>
    VulnerableCodeNotInExecutePath,

    /// <summary>Inline mitigations already exist.</summary>
    InlineMitigationsAlreadyExist
}