Extension: Vulnerability
The Vulnerability extension provides the ability to represent component vulnerabilities in a BOM.
This extension relies on a component's bom-ref to associate the component with its vulnerability elements. The only
requirement for bom-ref is that it is unique within the BOM. The Package URL (PURL) is an ideal choice for
bom-ref, as it is both unique and readable. If PURL is not an option, or not all components represented in
the BOM have a PURL, then a UUID is recommended.
Vulnerabilities may be added to the component nodes or included at the end of the bom node. Either is valid.
Credit: This schema was developed and contributed by Sonatype in collaboration with CycloneDX.
| Version | Namespace |
|---|---|
| 1.0 | http://cyclonedx.org/schema/ext/vulnerability/1.0 |
Example Usage (Component Node)
In this example, the vulnerabilities are grouped with the components they reference.
```xml
<?xml version="1.0"?>
<bom serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1"
     xmlns="http://cyclonedx.org/schema/bom/1.1"
     xmlns:v="http://cyclonedx.org/schema/ext/vulnerability/1.0">
  <components>
    <component type="library" bom-ref="pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.9">
      <group>com.fasterxml.jackson.core</group>
      <name>jackson-databind</name>
      <version>2.9.9</version>
      <purl>pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.9</purl>
      <v:vulnerabilities>
        <v:vulnerability ref="pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.9">
          <v:id>CVE-2018-7489</v:id>
          <v:source name="NVD">
            <v:url>https://nvd.nist.gov/vuln/detail/CVE-2018-7489</v:url>
          </v:source>
          <v:ratings>
            <v:rating>
              <v:score>
                <v:base>9.8</v:base>
                <v:impact>5.9</v:impact>
                <v:exploitability>3.0</v:exploitability>
              </v:score>
              <v:severity>Critical</v:severity>
              <v:method>CVSSv3</v:method>
              <v:vector>AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</v:vector>
            </v:rating>
          </v:ratings>
          <v:cwes>
            <v:cwe>184</v:cwe>
            <v:cwe>502</v:cwe>
          </v:cwes>
          <v:description>FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.</v:description>
          <v:recommendations>
            <v:recommendation>Upgrade</v:recommendation>
          </v:recommendations>
          <v:advisories>
            <v:advisory>https://github.com/FasterXML/jackson-databind/issues/1931</v:advisory>
            <v:advisory>http://www.securityfocus.com/bid/103203</v:advisory>
            <v:advisory>http://www.securitytracker.com/id/1040693</v:advisory>
            <v:advisory>http://www.securitytracker.com/id/1041890</v:advisory>
          </v:advisories>
        </v:vulnerability>
      </v:vulnerabilities>
    </component>
  </components>
</bom>
```
Example Usage (BOM Node)
In this example, the vulnerabilities are separate from the components they reference.
```xml
<?xml version="1.0"?>
<bom serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1"
     xmlns="http://cyclonedx.org/schema/bom/1.1"
     xmlns:v="http://cyclonedx.org/schema/ext/vulnerability/1.0">
  <components>
    <component type="library" bom-ref="pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.9">
      <group>com.fasterxml.jackson.core</group>
      <name>jackson-databind</name>
      <version>2.9.9</version>
      <purl>pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.9</purl>
    </component>
  </components>
  <v:vulnerabilities>
    <v:vulnerability ref="pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.9">
      <v:id>CVE-2018-7489</v:id>
      <v:source name="NVD">
        <v:url>https://nvd.nist.gov/vuln/detail/CVE-2018-7489</v:url>
      </v:source>
      <v:ratings>
        <v:rating>
          <v:score>
            <v:base>9.8</v:base>
            <v:impact>5.9</v:impact>
            <v:exploitability>3.0</v:exploitability>
          </v:score>
          <v:severity>Critical</v:severity>
          <v:method>CVSSv3</v:method>
          <v:vector>AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</v:vector>
        </v:rating>
      </v:ratings>
      <v:cwes>
        <v:cwe>184</v:cwe>
        <v:cwe>502</v:cwe>
      </v:cwes>
      <v:description>FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.</v:description>
      <v:recommendations>
        <v:recommendation>Upgrade</v:recommendation>
      </v:recommendations>
      <v:advisories>
        <v:advisory>https://github.com/FasterXML/jackson-databind/issues/1931</v:advisory>
        <v:advisory>http://www.securityfocus.com/bid/103203</v:advisory>
        <v:advisory>http://www.securitytracker.com/id/1040693</v:advisory>
        <v:advisory>http://www.securitytracker.com/id/1041890</v:advisory>
      </v:advisories>
    </v:vulnerability>
  </v:vulnerabilities>
</bom>
```
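As an added example (not code from this page or from the CycloneDX project), the following Python consumer resolves vulnerability entries to components through bom-ref for both placements shown above, rejects a BOM whose bom-refs are not unique, and reports any ref that resolves to no component. The sample BOM embedded in it is constructed: the second component, the EXAMPLE-* identifiers and the urn:uuid values are placeholders.

```python
import xml.etree.ElementTree as ET

B = "{http://cyclonedx.org/schema/bom/1.1}"
V = "{http://cyclonedx.org/schema/ext/vulnerability/1.0}"
JACKSON = "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.9"
# Constructed sample BOM (not from the page): one vulnerability nested in its
# component node, one at the bom node, one whose ref matches no component.
SAMPLE_BOM = """<?xml version="1.0"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.1"
     xmlns:v="http://cyclonedx.org/schema/ext/vulnerability/1.0" version="1">
  <components>
    <component type="library" bom-ref="%s">
      <name>jackson-databind</name><version>2.9.9</version>
      <v:vulnerabilities>
        <v:vulnerability ref="%s"><v:id>CVE-2018-7489</v:id>
          <v:ratings><v:rating><v:severity>Critical</v:severity></v:rating></v:ratings></v:vulnerability>
      </v:vulnerabilities>
    </component>
    <component type="library" bom-ref="urn:uuid:placeholder-1111">
      <name>example-lib</name><version>1.0.0</version>
    </component>
  </components>
  <v:vulnerabilities>
    <v:vulnerability ref="urn:uuid:placeholder-1111"><v:id>EXAMPLE-0001</v:id>
      <v:ratings><v:rating><v:severity>Medium</v:severity></v:rating></v:ratings></v:vulnerability>
    <v:vulnerability ref="urn:uuid:placeholder-2222"><v:id>EXAMPLE-0002</v:id></v:vulnerability>
  </v:vulnerabilities>
</bom>""" % (JACKSON, JACKSON)


def resolve_vulnerabilities(xml_text):
    """Return (findings, dangling): (vuln_id, component_name, severity) tuples and
    refs matching no bom-ref. Raises ValueError on a duplicate bom-ref."""
    root = ET.fromstring(xml_text)
    components = {}
    for comp in root.iter(B + "component"):
        ref = comp.get("bom-ref")
        if ref in components:  # uniqueness is the extension's one requirement
            raise ValueError("duplicate bom-ref: " + ref)
        components[ref] = comp.findtext(B + "name")
    findings, dangling = [], []
    # iter() walks the whole tree, so both placements are handled alike.
    for vuln in root.iter(V + "vulnerability"):
        ref = vuln.get("ref")
        if ref not in components:
            dangling.append(ref)
            continue
        findings.append((vuln.findtext(V + "id"), components[ref],
                         vuln.findtext(".//" + V + "severity")))
    return findings, dangling
```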