CycloneDX v1.4 Protobuf Reference

Table of Contents

Package: cyclonedx.v1_4

Top

Advisory

FieldTypeLabelDescription
titlestringoptional

An optional name of the advisory.

urlstring

Location where the advisory can be obtained.

AttachedText

Specifies attributes of the text

FieldTypeLabelDescription
content_typestringoptional

Specifies the content type of the text. Defaults to text/plain if not specified.

encodingstringoptional

Specifies the optional encoding the text is represented in

valuestring

SimpleContent value of element. Proactive controls such as input validation and sanitization should be employed to prevent misuse of attachment text.

Bom

FieldTypeLabelDescription
spec_versionstring

The version of the CycloneDX specification a BOM is written to (starting at version 1.3)

versionint32optional

The version allows component publishers/authors to make changes to existing BOMs to update various aspects of the document such as description or licenses. When a system is presented with multiple BOMs for the same component, the system should use the most recent version of the BOM. The default version is '1' and should be incremented for each version of the BOM that is published. Each version of a component should have a unique BOM and if no changes are made to the BOMs, then each BOM will have a version of '1'.

serial_numberstringoptional

Every BOM generated should have a unique serial number, even if the contents of the BOM being generated have not changed over time. The process or tool responsible for creating the BOM should create random UUID's for every BOM generated.

metadataMetadataoptional

Provides additional information about a BOM.

componentsComponentrepeated

Provides the ability to document a list of components.

servicesServicerepeated

Provides the ability to document a list of external services.

external_referencesExternalReferencerepeated

Provides the ability to document external references related to the BOM or to the project the BOM describes.

dependenciesDependencyrepeated

Provides the ability to document dependency relationships.

compositionsCompositionrepeated

Provides the ability to document aggregate completeness

vulnerabilitiesVulnerabilityrepeated

Vulnerabilities identified in components or services.

Commit

FieldTypeLabelDescription
uidstringoptional

A unique identifier of the commit. This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes.

urlstringoptional

The URL to the commit. This URL will typically point to a commit in a version control system.

authorIdentifiableActionoptional

The author who created the changes in the commit

committerIdentifiableActionoptional

The person who committed or pushed the commit

messagestringoptional

The text description of the contents of the commit

Component

FieldTypeLabelDescription
typeClassification

Specifies the type of component. For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.

mime_typestringoptional

The optional mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented such as an image, font, or executable. Some library or framework components may also have an associated mime-type.

bom_refstringoptional

An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.

supplierOrganizationalEntityoptional

The organization that supplied the component. The supplier may often be the manufacture, but may also be a distributor or repackager.

authorstringoptional

The person(s) or organization(s) that authored the component

publisherstringoptional

The person(s) or organization(s) that published the component

groupstringoptional

The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org.

namestring

The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery

versionstring

The component version. The version should ideally comply with semantic versioning but is not enforced. Version was made optional in v1.4 of the spec. For backward compatibility, it is RECOMMENDED to use an empty string to represent components without version information.

descriptionstringoptional

Specifies a description for the component

scopeScopeoptional

Specifies the scope of the component. If scope is not specified, 'runtime' scope should be assumed by the consumer of the BOM

hashesHashrepeated

licensesLicenseChoicerepeated

copyrightstringoptional

An optional copyright notice informing users of the underlying claims to copyright ownership in a published work.

cpestringoptional

DEPRECATED - DO NOT USE. This will be removed in a future version. Specifies a well-formed CPE name. See https://nvd.nist.gov/products/cpe

purlstringoptional

Specifies the package-url (PURL). The purl, if specified, must be valid and conform to the specification defined at: https://github.com/package-url/purl-spec

swidSwidoptional

Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags.

modifiedbooloptional

DEPRECATED - DO NOT USE. This will be removed in a future version. Use the pedigree element instead to supply information on exactly how the component was modified. A boolean value indicating is the component has been modified from the original. A value of true indicates the component is a derivative of the original. A value of false indicates the component has not been modified from the original.

pedigreePedigreeoptional

Component pedigree is a way to document complex supply chain scenarios where components are created, distributed, modified, redistributed, combined with other components, etc.

external_referencesExternalReferencerepeated

Provides the ability to document external references related to the component or to the project the component describes.

componentsComponentrepeated

Specifies optional sub-components. This is not a dependency tree. It provides a way to specify a hierarchical representation of component assemblies, similar to system -> subsystem -> parts assembly in physical supply chains.

propertiesPropertyrepeated

Specifies optional, custom, properties

evidenceEvidencerepeated

Specifies optional license and copyright evidence

releaseNotesReleaseNotesoptional

Specifies optional release notes.

Composition

FieldTypeLabelDescription
aggregateAggregate

Indicates the aggregate completeness

assembliesstringrepeated

The assemblies the aggregate completeness applies to

dependenciesstringrepeated

The dependencies the aggregate completeness applies to

DataClassification

Specifies the data classification.

FieldTypeLabelDescription
flowDataFlow

Specifies the flow direction of the data.

valuestring

SimpleContent value of element

Dependency

FieldTypeLabelDescription
refstring

References a component or service by the its bom-ref attribute

dependenciesDependencyrepeated

Diff

FieldTypeLabelDescription
textAttachedTextoptional

Specifies the optional text of the diff

urlstringoptional

Specifies the URL to the diff

Evidence

FieldTypeLabelDescription
licensesLicenseChoicerepeated

copyrightEvidenceCopyrightrepeated

EvidenceCopyright

FieldTypeLabelDescription
textstring

Copyright text

ExternalReference

FieldTypeLabelDescription
typeExternalReferenceType

Specifies the type of external reference. There are built-in types to describe common references. If a type does not exist for the reference being referred to, use the "other" type.

urlstring

The URL to the external reference

commentstringoptional

An optional comment describing the external reference

hashesHashrepeated

Optional integrity hashes for the external resource content

Hash

Specifies the file hash of the component

FieldTypeLabelDescription
algHashAlg

Specifies the algorithm used to create the hash

valuestring

SimpleContent value of element

IdentifiableAction

FieldTypeLabelDescription
timestampgoogle.protobuf.Timestampoptional

The timestamp in which the action occurred

namestringoptional

The name of the individual who performed the action

emailstringoptional

The email address of the individual who performed the action

Issue

FieldTypeLabelDescription
typeIssueClassification

Specifies the type of issue

idstringoptional

The identifier of the issue assigned by the source of the issue

namestringoptional

The name of the issue

descriptionstringoptional

A description of the issue

sourceSourceoptional

referencesstringrepeated

License

FieldTypeLabelDescription
idstring

A valid SPDX license ID

namestring

If SPDX does not define the license used, this field may be used to provide the license name

textAttachedTextoptional

Specifies the optional full text of the attachment

urlstringoptional

The URL to the attachment file. If the attachment is a license or BOM, an externalReference should also be specified for completeness.

LicenseChoice

FieldTypeLabelDescription
licenseLicense

expressionstring

Metadata

FieldTypeLabelDescription
timestampgoogle.protobuf.Timestampoptional

The date and time (timestamp) when the document was created.

toolsToolrepeated

The tool(s) used in the creation of the BOM.

authorsOrganizationalContactrepeated

The person(s) who created the BOM. Authors are common in BOMs created through manual processes. BOMs created through automated means may not have authors.

componentComponentoptional

The component that the BOM describes.

manufactureOrganizationalEntityoptional

The organization that manufactured the component that the BOM describes.

supplierOrganizationalEntityoptional

The organization that supplied the component that the BOM describes. The supplier may often be the manufacture, but may also be a distributor or repackager.

licensesLicenseChoiceoptional

The license information for the BOM document

propertiesPropertyrepeated

Specifies optional, custom, properties

Note

FieldTypeLabelDescription
localestringoptional

The ISO-639 (or higher) language code and optional ISO-3166 (or higher) country code. Examples include: "en", "en-US", "fr" and "fr-CA".

textAttachedTextoptional

Specifies the full content of the release note.

OrganizationalContact

FieldTypeLabelDescription
namestringoptional

The name of the contact

emailstringoptional

The email address of the contact.

phonestringoptional

The phone number of the contact.

OrganizationalEntity

FieldTypeLabelDescription
namestringoptional

The name of the organization

urlstringrepeated

The URL of the organization. Multiple URLs are allowed.

contactOrganizationalContactrepeated

A contact person at the organization. Multiple contacts are allowed.

Patch

FieldTypeLabelDescription
typePatchClassification

Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality

diffDiffoptional

The patch file (or diff) that show changes. Refer to https://en.wikipedia.org/wiki/Diff

resolvesIssuerepeated

Pedigree

Component pedigree is a way to document complex supply chain scenarios where components are created, distributed, modified, redistributed, combined with other components, etc. Pedigree supports viewing this complex chain from the beginning, the end, or anywhere in the middle. It also provides a way to document variants where the exact relation may not be known.

FieldTypeLabelDescription
ancestorsComponentrepeated

Describes zero or more components in which a component is derived from. This is commonly used to describe forks from existing projects where the forked version contains a ancestor node containing the original component it was forked from. For example, Component A is the original component. Component B is the component being used and documented in the BOM. However, Component B contains a pedigree node with a single ancestor documenting Component A - the original component from which Component B is derived from.

descendantsComponentrepeated

Descendants are the exact opposite of ancestors. This provides a way to document all forks (and their forks) of an original or root component.

variantsComponentrepeated

Variants describe relations where the relationship between the components are not known. For example, if Component A contains nearly identical code to Component B. They are both related, but it is unclear if one is derived from the other, or if they share a common ancestor.

commitsCommitrepeated

A list of zero or more commits which provide a trail describing how the component deviates from an ancestor, descendant, or variant.

patchesPatchrepeated

A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. Patches may be complimentary to commits or may be used in place of commits.

notesstringoptional

Notes, observations, and other non-structured commentary describing the components pedigree.

Property

Specifies a property

FieldTypeLabelDescription
namestring

valuestringoptional

ReleaseNotes

FieldTypeLabelDescription
typestring

The software versioning type. It is RECOMMENDED that the release type use one of 'major', 'minor', 'patch', 'pre-release', or 'internal'. Representing all possible software release types is not practical, so standardizing on the recommended values, whenever possible, is strongly encouraged.

titlestringoptional

The title of the release.

featuredImagestringoptional

The URL to an image that may be prominently displayed with the release note.

socialImagestringoptional

The URL to an image that may be used in messaging on social media platforms.

descriptionstringoptional

A short description of the release.

timestampgoogle.protobuf.Timestampoptional

The date and time (timestamp) when the release note was created.

aliasesstringrepeated

Optional alternate names the release may be referred to. This may include unofficial terms used by development and marketing teams (e.g. code names).

tagsstringrepeated

Optional tags that may aid in search or retrieval of the release note.

resolvesIssuerepeated

A collection of issues that have been resolved.

notesNoterepeated

Zero or more release notes containing the locale and content. Multiple note messages may be specified to support release notes in a wide variety of languages.

propertiesPropertyrepeated

Specifies optional, custom, properties

Service

FieldTypeLabelDescription
bom_refstringoptional

An optional identifier which can be used to reference the service elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.

providerOrganizationalEntityoptional

The organization that provides the service.

groupstringoptional

The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or project that produced the service or domain name. Whitespace and special characters should be avoided.

namestring

The name of the service. This will often be a shortened, single name of the service.

versionstringoptional

The service version.

descriptionstringoptional

Specifies a description for the service.

endpointsstringrepeated

authenticatedbooloptional

A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. A value of false indicates the service does not require authentication.

x_trust_boundarybooloptional

A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. A value of false indicates that by using the service, a trust boundary is not crossed.

dataDataClassificationrepeated

licensesLicenseChoicerepeated

external_referencesExternalReferencerepeated

Provides the ability to document external references related to the service.

servicesServicerepeated

Specifies optional sub-service. This is not a dependency tree. It provides a way to specify a hierarchical representation of service assemblies, similar to system -> subsystem -> parts assembly in physical supply chains.

propertiesPropertyrepeated

Specifies optional, custom, properties

releaseNotesReleaseNotesoptional

Specifies optional release notes.

Source

The source of the issue where it is documented.

FieldTypeLabelDescription
namestringoptional

The name of the source. For example "National Vulnerability Database", "NVD", and "Apache"

urlstringoptional

The url of the issue documentation as provided by the source

Swid

FieldTypeLabelDescription
tag_idstring

Maps to the tagId of a SoftwareIdentity.

namestring

Maps to the name of a SoftwareIdentity.

versionstringoptional

Maps to the version of a SoftwareIdentity.

tag_versionint32optional

Maps to the tagVersion of a SoftwareIdentity.

patchbooloptional

Maps to the patch of a SoftwareIdentity.

textAttachedTextoptional

Specifies the full content of the SWID tag.

urlstringoptional

The URL to the SWID file.

Tool

Specifies a tool (manual or automated).

FieldTypeLabelDescription
vendorstringoptional

The vendor of the tool used to create the BOM.

namestringoptional

The name of the tool used to create the BOM.

versionstringoptional

The version of the tool used to create the BOM.

hashesHashrepeated

external_referencesExternalReferencerepeated

Provides the ability to document external references related to the tool.

Vulnerability

FieldTypeLabelDescription
bom_refstringoptional

An optional identifier which can be used to reference the vulnerability elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.

idstringoptional

The identifier that uniquely identifies the vulnerability.

sourceSourceoptional

The source that published the vulnerability.

referencesVulnerabilityReferencerepeated

Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Often times, the same vulnerability may exist in multiple sources of vulnerability intelligence, but have different identifiers. References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.

ratingsVulnerabilityRatingrepeated

List of vulnerability ratings

cwesint32repeated

List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability. For example 399 (of https://cwe.mitre.org/data/definitions/399.html)

descriptionstringoptional

A description of the vulnerability as provided by the source.

detailstringoptional

If available, an in-depth description of the vulnerability as provided by the source organization. Details often include examples, proof-of-concepts, and other information useful in understanding root cause.

recommendationstringoptional

Recommendations of how the vulnerability can be remediated or mitigated.

advisoriesAdvisoryrepeated

Published advisories of the vulnerability if provided.

createdgoogle.protobuf.Timestampoptional

The date and time (timestamp) when the vulnerability record was created in the vulnerability database.

publishedgoogle.protobuf.Timestampoptional

The date and time (timestamp) when the vulnerability record was first published.

updatedgoogle.protobuf.Timestampoptional

The date and time (timestamp) when the vulnerability record was last updated.

creditsVulnerabilityCreditsoptional

Individuals or organizations credited with the discovery of the vulnerability.

toolsToolrepeated

The tool(s) used to identify, confirm, or score the vulnerability.

analysisVulnerabilityAnalysisoptional

An assessment of the impact and exploitability of the vulnerability.

affectsVulnerabilityAffectsrepeated

affects

propertiesPropertyrepeated

Specifies optional, custom, properties

VulnerabilityAffectedVersions

FieldTypeLabelDescription
versionstring

A single version of a component or service.

rangestring

A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/blob/master/VERSION-RANGE-SPEC.rst

statusVulnerabilityAffectedStatusoptional

The vulnerability status for the version or range of versions.

VulnerabilityAffects

FieldTypeLabelDescription
refstring

References a component or service by the objects bom-ref

versionsVulnerabilityAffectedVersionsrepeated

Zero or more individual versions or range of versions.

VulnerabilityAnalysis

FieldTypeLabelDescription
stateImpactAnalysisStateoptional

Declares the current state of an occurrence of a vulnerability, after automated or manual analysis.

justificationImpactAnalysisJustificationoptional

The rationale of why the impact analysis state was asserted.

responseVulnerabilityResponserepeated

A response to the vulnerability by the manufacturer, supplier, or project responsible for the affected component or service. More than one response is allowed. Responses are strongly encouraged for vulnerabilities where the analysis state is exploitable.

detailstringoptional

Detailed description of the impact including methods used during assessment. If a vulnerability is not exploitable, this field should include specific details on why the component or service is not impacted by this vulnerability.

VulnerabilityCredits

FieldTypeLabelDescription
organizationsOrganizationalEntityrepeated

The organizations credited with vulnerability discovery.

individualsOrganizationalContactrepeated

The individuals, not associated with organizations, that are credited with vulnerability discovery.

VulnerabilityRating

FieldTypeLabelDescription
sourceSourceoptional

The source that calculated the severity or risk rating of the vulnerability.

scoredoubleoptional

The numerical score of the rating.

severitySeverityoptional

Textual representation of the severity that corresponds to the numerical score of the rating.

methodScoreMethodoptional

Specifies the severity or risk scoring methodology or standard used.

vectorstringoptional

Textual representation of the metric values used to score the vulnerability.

justificationstringoptional

An optional reason for rating the vulnerability as it was.

VulnerabilityReference

FieldTypeLabelDescription
idstringoptional

An identifier that uniquely identifies the vulnerability.

sourceSourceoptional

The source that published the vulnerability.

Aggregate

NameNumberDescription
AGGREGATE_NOT_SPECIFIED0

Default, no statement about the aggregate completeness is being made

AGGREGATE_COMPLETE1

The aggregate composition is complete

AGGREGATE_INCOMPLETE2

The aggregate composition is incomplete

AGGREGATE_INCOMPLETE_FIRST_PARTY_ONLY3

The aggregate composition is incomplete for first party components, complete for third party components

AGGREGATE_INCOMPLETE_THIRD_PARTY_ONLY4

The aggregate composition is incomplete for third party components, complete for first party components

AGGREGATE_UNKNOWN5

The aggregate composition completeness is unknown

Classification

NameNumberDescription
CLASSIFICATION_NULL0

CLASSIFICATION_APPLICATION1

A software application. Refer to https://en.wikipedia.org/wiki/Application_software for information about applications.

CLASSIFICATION_FRAMEWORK2

A software framework. Refer to https://en.wikipedia.org/wiki/Software_framework for information on how frameworks vary slightly from libraries.

CLASSIFICATION_LIBRARY3

A software library. Refer to https://en.wikipedia.org/wiki/Library_(computing) for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is recommended.

CLASSIFICATION_OPERATING_SYSTEM4

A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to https://en.wikipedia.org/wiki/Operating_system

CLASSIFICATION_DEVICE5

A hardware device such as a processor, or chip-set. A hardware device containing firmware should include a component for the physical hardware itself, and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device. See also the list of known device properties: https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md

CLASSIFICATION_FILE6

A computer file. Refer to https://en.wikipedia.org/wiki/Computer_file for information about files.

CLASSIFICATION_CONTAINER7

A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. Refer to https://en.wikipedia.org/wiki/OS-level_virtualization

CLASSIFICATION_FIRMWARE8

A special type of software that provides low-level control over a devices hardware. Refer to https://en.wikipedia.org/wiki/Firmware

DataFlow

Specifies the flow direction of the data. Valid values are: inbound, outbound, bi-directional, and unknown. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways, and unknown states that the direction is not known.

NameNumberDescription
DATA_FLOW_NULL0

DATA_FLOW_INBOUND1

DATA_FLOW_OUTBOUND2

DATA_FLOW_BI_DIRECTIONAL3

DATA_FLOW_UNKNOWN4

ExternalReferenceType

NameNumberDescription
EXTERNAL_REFERENCE_TYPE_OTHER0

Use this if no other types accurately describe the purpose of the external reference

EXTERNAL_REFERENCE_TYPE_VCS1

Version Control System

EXTERNAL_REFERENCE_TYPE_ISSUE_TRACKER2

Issue or defect tracking system, or an Application Lifecycle Management (ALM) system

EXTERNAL_REFERENCE_TYPE_WEBSITE3

Website

EXTERNAL_REFERENCE_TYPE_ADVISORIES4

Security advisories

EXTERNAL_REFERENCE_TYPE_BOM5

Bill-of-material document (CycloneDX, SPDX, SWID, etc)

EXTERNAL_REFERENCE_TYPE_MAILING_LIST6

Mailing list or discussion group

EXTERNAL_REFERENCE_TYPE_SOCIAL7

Social media account

EXTERNAL_REFERENCE_TYPE_CHAT8

Real-time chat platform

EXTERNAL_REFERENCE_TYPE_DOCUMENTATION9

Documentation, guides, or how-to instructions

EXTERNAL_REFERENCE_TYPE_SUPPORT10

Community or commercial support

EXTERNAL_REFERENCE_TYPE_DISTRIBUTION11

Direct or repository download location

EXTERNAL_REFERENCE_TYPE_LICENSE12

The URL to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness

EXTERNAL_REFERENCE_TYPE_BUILD_META13

Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)

EXTERNAL_REFERENCE_TYPE_BUILD_SYSTEM14

URL to an automated build system

HashAlg

NameNumberDescription
HASH_ALG_NULL0

HASH_ALG_MD_51

HASH_ALG_SHA_12

HASH_ALG_SHA_2563

HASH_ALG_SHA_3844

HASH_ALG_SHA_5125

HASH_ALG_SHA_3_2566

HASH_ALG_SHA_3_3847

HASH_ALG_SHA_3_5128

HASH_ALG_BLAKE_2_B_2569

HASH_ALG_BLAKE_2_B_38410

HASH_ALG_BLAKE_2_B_51211

HASH_ALG_BLAKE_312

ImpactAnalysisJustification

NameNumberDescription
IMPACT_ANALYSIS_JUSTIFICATION_NULL0

An undefined impact analysis justification

IMPACT_ANALYSIS_JUSTIFICATION_CODE_NOT_PRESENT1

The code has been removed or tree-shaked.

IMPACT_ANALYSIS_JUSTIFICATION_CODE_NOT_REACHABLE2

The vulnerable code is not invoked at runtime.

IMPACT_ANALYSIS_JUSTIFICATION_REQUIRES_CONFIGURATION3

Exploitability requires a configurable option to be set/unset.

IMPACT_ANALYSIS_JUSTIFICATION_REQUIRES_DEPENDENCY4

Exploitability requires a dependency that is not present.

IMPACT_ANALYSIS_JUSTIFICATION_REQUIRES_ENVIRONMENT5

Exploitability requires a certain environment which is not present.

IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_BY_COMPILER6

Exploitability requires a compiler flag to be set/unset.

IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_AT_RUNTIME7

Exploits are prevented at runtime.

IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_AT_PERIMETER8

Attacks are blocked at physical, logical, or network perimeter.

IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_BY_MITIGATING_CONTROL9

Preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability.

ImpactAnalysisState

NameNumberDescription
IMPACT_ANALYSIS_STATE_NULL0

An undefined impact analysis state

IMPACT_ANALYSIS_STATE_RESOLVED1

The vulnerability has been remediated.

IMPACT_ANALYSIS_STATE_RESOLVED_WITH_PEDIGREE2

The vulnerability has been remediated and evidence of the changes are provided in the affected components pedigree containing verifiable commit history and/or diff(s).

IMPACT_ANALYSIS_STATE_EXPLOITABLE3

The vulnerability may be directly or indirectly exploitable.

IMPACT_ANALYSIS_STATE_IN_TRIAGE4

The vulnerability is being investigated.

IMPACT_ANALYSIS_STATE_FALSE_POSITIVE5

The vulnerability is not specific to the component or service and was falsely identified or associated.

IMPACT_ANALYSIS_STATE_NOT_AFFECTED6

The component or service is not affected by the vulnerability. Justification should be specified for all not_affected cases.

IssueClassification

NameNumberDescription
ISSUE_CLASSIFICATION_NULL0

ISSUE_CLASSIFICATION_DEFECT1

A fault, flaw, or bug in software

ISSUE_CLASSIFICATION_ENHANCEMENT2

A new feature or behavior in software

ISSUE_CLASSIFICATION_SECURITY3

A special type of defect which impacts security

PatchClassification

NameNumberDescription
PATCH_CLASSIFICATION_NULL0

PATCH_CLASSIFICATION_UNOFFICIAL1

A patch which is not developed by the creators or maintainers of the software being patched. Refer to https://en.wikipedia.org/wiki/Unofficial_patch

PATCH_CLASSIFICATION_MONKEY2

A patch which dynamically modifies runtime behavior. Refer to https://en.wikipedia.org/wiki/Monkey_patch

PATCH_CLASSIFICATION_BACKPORT3

A patch which takes code from a newer version of software and applies it to older versions of the same software. Refer to https://en.wikipedia.org/wiki/Backporting

PATCH_CLASSIFICATION_CHERRY_PICK4

A patch created by selectively applying commits from other versions or branches of the same software.

Scope

NameNumberDescription
SCOPE_UNSPECIFIED0

Default

SCOPE_REQUIRED1

The component is required for runtime

SCOPE_OPTIONAL2

The component is optional at runtime. Optional components are components that are not capable of being called due to them not be installed or otherwise accessible by any means. Components that are installed but due to configuration or other restrictions are prohibited from being called must be scoped as 'required'.

SCOPE_EXCLUDED3

Components that are excluded provide the ability to document component usage for test and other non-runtime purposes. Excluded components are not reachable within a call graph at runtime.

ScoreMethod

NameNumberDescription
SCORE_METHOD_NULL0

An undefined score method

SCORE_METHOD_CVSSV21

Common Vulnerability Scoring System v2 - https://www.first.org/cvss/v2/

SCORE_METHOD_CVSSV32

Common Vulnerability Scoring System v3 - https://www.first.org/cvss/v3-0/

SCORE_METHOD_CVSSV313

Common Vulnerability Scoring System v3.1 - https://www.first.org/cvss/v3-1/

SCORE_METHOD_OWASP4

OWASP Risk Rating Methodology - https://owasp.org/www-community/OWASP_Risk_Rating_Methodology

SCORE_METHOD_OTHER5

Other scoring method

Severity

NameNumberDescription
SEVERITY_UNKNOWN0

SEVERITY_CRITICAL1

SEVERITY_HIGH2

SEVERITY_MEDIUM3

SEVERITY_LOW4

SEVERITY_INFO5

SEVERITY_NONE6

VulnerabilityAffectedStatus

NameNumberDescription
VULNERABILITY_AFFECTED_STATUS_UNKNOWN0

The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.

VULNERABILITY_AFFECTED_STATUS_AFFECTED1

VULNERABILITY_AFFECTED_STATUS_NOT_AFFECTED2

VulnerabilityResponse

NameNumberDescription
VULNERABILITY_RESPONSE_NULL0

VULNERABILITY_RESPONSE_CAN_NOT_FIX1

VULNERABILITY_RESPONSE_WILL_NOT_FIX2

VULNERABILITY_RESPONSE_UPDATE3

VULNERABILITY_RESPONSE_ROLLBACK4

VULNERABILITY_RESPONSE_WORKAROUND_AVAILABLE5

Scalar Value Types

.proto TypeNotesC++JavaPythonGoC#PHPRuby
doubledoubledoublefloatfloat64doublefloatFloat
floatfloatfloatfloatfloat32floatfloatFloat
int32Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint32 instead.int32intintint32intintegerBignum or Fixnum (as required)
int64Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint64 instead.int64longint/longint64longinteger/stringBignum
uint32Uses variable-length encoding.uint32intint/longuint32uintintegerBignum or Fixnum (as required)
uint64Uses variable-length encoding.uint64longint/longuint64ulonginteger/stringBignum or Fixnum (as required)
sint32Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int32s.int32intintint32intintegerBignum or Fixnum (as required)
sint64Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int64s.int64longint/longint64longinteger/stringBignum
fixed32Always four bytes. More efficient than uint32 if values are often greater than 2^28.uint32intintuint32uintintegerBignum or Fixnum (as required)
fixed64Always eight bytes. More efficient than uint64 if values are often greater than 2^56.uint64longint/longuint64ulonginteger/stringBignum
sfixed32Always four bytes.int32intintint32intintegerBignum or Fixnum (as required)
sfixed64Always eight bytes.int64longint/longint64longinteger/stringBignum
boolboolbooleanbooleanboolboolbooleanTrueClass/FalseClass
stringA string must always contain UTF-8 encoded or 7-bit ASCII text.stringStringstr/unicodestringstringstringString (UTF-8)
bytesMay contain any arbitrary sequence of bytes.stringByteStringstr[]byteByteStringstringString (ASCII-8BIT)