stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
b9f71fc7e9e1fb9b1c366ebd75f92483b2f94b67
git.stella-ops.org/docs/schemas/openvex-0.2.0.schema.json
StellaOps Bot b9f71fc7e9 sprints work
2025-12-24 21:46:08 +02:00

318 lines
12 KiB
JSON
Raw Blame History

{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://github.com/openvex/spec/openvex_json_schema_0.2.0.json",
"title": "OpenVEX",
"description": "OpenVEX is an implementation of the Vulnerability Exploitability Exchange (VEX for short) that is designed to be minimal, compliant, interoperable, and embeddable.",
"type": "object",
"$defs": {
"vulnerability": {
"type": "object",
"properties": {
"@id": {
"type": "string",
"format": "iri",
"description": "An Internationalized Resource Identifier (IRI) identifying the struct."
},
"name": {
"type": "string",
"description": "A string with the main identifier used to name the vulnerability."
},
"description": {
"type": "string",
"description": "Optional free form text describing the vulnerability."
},
"aliases": {
"type": "array",
"uniqueItems": true,
"items": {
"type": "string"
},
"description": "A list of strings enumerating other names under which the vulnerability may be known."
}
},
"required": [
"name"
],
"additionalProperties": false
},
"identifiers": {
"type": "object",
"properties": {
"purl": {
"type": "string",
"description": "Package URL"
},
"cpe22": {
"type": "string",
"description": "Common Platform Enumeration v2.2"
},
"cpe23": {
"type": "string",
"description": "Common Platform Enumeration v2.3"
}
},
"additionalProperties": false,
"anyOf": [
{ "required": ["purl"] },
{ "required": ["cpe22"] },
{ "required": ["cpe23"] }
]
},
"hashes": {
"type": "object",
"properties": {
"md5": {
"type": "string"
},
"sha1": {
"type": "string"
},
"sha-256": {
"type": "string"
},
"sha-384": {
"type": "string"
},
"sha-512": {
"type": "string"
},
"sha3-224": {
"type": "string"
},
"sha3-256": {
"type": "string"
},
"sha3-384": {
"type": "string"
},
"sha3-512": {
"type": "string"
},
"blake2s-256": {
"type": "string"
},
"blake2b-256": {
"type": "string"
},
"blake2b-512": {
"type": "string"
}
},
"additionalProperties": false
},
"subcomponent": {
"type": "object",
"properties": {
"@id": {
"type": "string",
"format": "iri",
"description": "Optional IRI identifying the component to make it externally referenceable."
},
"identifiers": {
"$ref": "#/$defs/identifiers",
"description": "Optional IRI identifying the component to make it externally referenceable."
},
"hashes": {
"$ref": "#/$defs/hashes",
"description": "Map of cryptographic hashes of the component."
}
},
"additionalProperties": false,
"anyOf": [
{ "required": ["@id"] },
{ "required": ["identifiers"] }
]
},
"component": {
"type": "object",
"properties": {
"@id": {
"type": "string",
"format": "iri",
"description": "Optional IRI identifying the component to make it externally referenceable."
},
"identifiers": {
"$ref": "#/$defs/identifiers",
"description": "A map of software identifiers where the key is the type and the value the identifier."
},
"hashes": {
"$ref": "#/$defs/hashes",
"description": "Map of cryptographic hashes of the component."
},
"subcomponents": {
"type": "array",
"uniqueItems": true,
"description": "List of subcomponent structs describing the subcomponents subject of the VEX statement.",
"items": {
"$ref": "#/$defs/subcomponent"
}
}
},
"additionalProperties": false,
"anyOf": [
{ "required": ["@id"] },
{ "required": ["identifiers"] }
]
}
},
"properties": {
"@context": {
"type": "string",
"format": "uri",
"description": "The URL linking to the OpenVEX context definition."
},
"@id": {
"type": "string",
"format": "iri",
"description": "The IRI identifying the VEX document."
},
"author": {
"type": "string",
"description": "Author is the identifier for the author of the VEX statement."
},
"role": {
"type": "string",
"description": "Role describes the role of the document author."
},
"timestamp": {
"type": "string",
"format": "date-time",
"description": "Timestamp defines the time at which the document was issued."
},
"last_updated": {
"type": "string",
"format": "date-time",
"description": "Date of last modification to the document."
},
"version": {
"type": "integer",
"minimum": 1,
"description": "Version is the document version."
},
"tooling": {
"type": "string",
"description": "Tooling expresses how the VEX document and contained VEX statements were generated."
},
"statements": {
"type": "array",
"uniqueItems": true,
"minItems": 1,
"description": "A statement is an assertion made by the document's author about the impact a vulnerability has on one or more software 'products'.",
"items": {
"type": "object",
"properties": {
"@id": {
"type": "string",
"format": "iri",
"description": "Optional IRI identifying the statement to make it externally referenceable."
},
"version": {
"type": "integer",
"minimum": 1,
"description": "Optional integer representing the statement's version number."
},
"vulnerability": {
"$ref": "#/$defs/vulnerability",
"description": "A struct identifying the vulnerability."
},
"timestamp": {
"type": "string",
"format": "date-time",
"description": "Timestamp is the time at which the information expressed in the statement was known to be true."
},
"last_updated": {
"type": "string",
"format": "date-time",
"description": "Timestamp when the statement was last updated."
},
"products": {
"type": "array",
"uniqueItems": true,
"description": "List of product structs that the statement applies to.",
"items": {
"$ref": "#/$defs/component"
}
},
"status": {
"type": "string",
"enum": [
"not_affected",
"affected",
"fixed",
"under_investigation"
],
"description": "A VEX statement MUST provide the status of the vulnerabilities with respect to the products and components listed in the statement."
},
"supplier": {
"type": "string",
"description": "Supplier of the product or subcomponent."
},
"status_notes": {
"type": "string",
"description": "A statement MAY convey information about how status was determined and MAY reference other VEX information."
},
"justification": {
"type": "string",
"enum": [
"component_not_present",
"vulnerable_code_not_present",
"vulnerable_code_not_in_execute_path",
"vulnerable_code_cannot_be_controlled_by_adversary",
"inline_mitigations_already_exist"
],
"description": "For statements conveying a not_affected status, a VEX statement MUST include either a status justification or an impact_statement informing why the product is not affected by the vulnerability."
},
"impact_statement": {
"type": "string",
"description": "For statements conveying a not_affected status, a VEX statement MUST include either a status justification or an impact_statement informing why the product is not affected by the vulnerability."
},
"action_statement": {
"type": "string",
"description": "For a statement with affected status, a VEX statement MUST include a statement that SHOULD describe actions to remediate or mitigate the vulnerability."
},
"action_statement_timestamp": {
"type": "string",
"format": "date-time",
"description": "The timestamp when the action statement was issued."
}
},
"required": [
"vulnerability",
"status"
],
"additionalProperties": false,
"allOf": [
{
"if": {
"properties": { "status": { "const": "not_affected" }}
},
"then": {
"anyOf": [
{ "required": ["justification"]},
{ "required": ["impact_statement"]}
]
}
},
{
"if": {
"properties": { "status": { "const": "affected" }}
},
"then": {
"required": ["action_statement"]
}
}
]
}
}
},
"required": [
"@context",
"@id",
"author",
"timestamp",
"version",
"statements"
],
"additionalProperties": false
}
Reference in New Issue View Git Blame Copy Permalink