Extension: Vulnerability

The Vulnerability extension provides the ability to represent component vulnerabilities in a BOM. The extension relies on a component's bom-ref to associate a vulnerability element with the component it affects: each v:vulnerability carries a ref attribute whose value must equal the bom-ref of a component in the same BOM. The only requirement on bom-ref is that it be unique within the BOM. The Package URL (PURL) is an ideal choice for bom-ref because it is both unique and readable. If a PURL is not an option, or not every component in the BOM has one, a UUID is recommended.

Vulnerabilities may be nested inside the component nodes they describe or collected in a single v:vulnerabilities element at the end of the bom node. Either placement is valid; in both cases the association is made by the ref attribute, not by position in the document.

Credit: This schema was developed and contributed by Sonatype in collaboration with CycloneDX.

Version   Namespace
1.0       http://cyclonedx.org/schema/ext/vulnerability/1.0

Example Usage (Component Node)

In this example, the vulnerabilities are grouped with the components they reference. Note that the NVD description lists affected 2.9.x versions as those before 2.9.5 while the component shown is 2.9.9; the pairing illustrates the schema only, and a BOM produced by a real scanner should attach only vulnerabilities that apply to the listed version.

<?xml version="1.0"?>
<bom serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1"
     xmlns="http://cyclonedx.org/schema/bom/1.1"
     xmlns:v="http://cyclonedx.org/schema/ext/vulnerability/1.0">
  <components>
    <component type="library" bom-ref="pkg:maven/com.fasterxml.jackson.core/[email protected]">
      <group>com.fasterxml.jackson.core</group>
      <name>jackson-databind</name>
      <version>2.9.9</version>
      <purl>pkg:maven/com.fasterxml.jackson.core/[email protected]</purl>
      <v:vulnerabilities>
        <v:vulnerability ref="pkg:maven/com.fasterxml.jackson.core/[email protected]">
          <v:id>CVE-2018-7489</v:id>
          <v:source name="NVD">
            <v:url>https://nvd.nist.gov/vuln/detail/CVE-2018-7489</v:url>
          </v:source>
          <v:ratings>
            <v:rating>
              <v:score>
                <v:base>9.8</v:base>
                <v:impact>5.9</v:impact>
                <v:exploitability>3.9</v:exploitability>
              </v:score>
              <v:severity>Critical</v:severity>
              <v:method>CVSSv3</v:method>
              <v:vector>AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</v:vector>
            </v:rating>
          </v:ratings>
          <v:cwes>
            <v:cwe>184</v:cwe>
            <v:cwe>502</v:cwe>
          </v:cwes>
          <v:description>FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.</v:description>
          <v:recommendations>
            <v:recommendation>Upgrade</v:recommendation>
          </v:recommendations>
          <v:advisories>
            <v:advisory>https://github.com/FasterXML/jackson-databind/issues/1931</v:advisory>
            <v:advisory>http://www.securityfocus.com/bid/103203</v:advisory>
            <v:advisory>http://www.securitytracker.com/id/1040693</v:advisory>
            <v:advisory>http://www.securitytracker.com/id/1041890</v:advisory>
          </v:advisories>
        </v:vulnerability>
      </v:vulnerabilities>
    </component>
  </components>
</bom>

Example Usage (BOM Node)

In this example, the vulnerabilities are separate from the components they reference.

<?xml version="1.0"?>
<bom serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1"
     xmlns="http://cyclonedx.org/schema/bom/1.1"
     xmlns:v="http://cyclonedx.org/schema/ext/vulnerability/1.0">
  <components>
    <component type="library" bom-ref="pkg:maven/com.fasterxml.jackson.core/[email protected]">
      <group>com.fasterxml.jackson.core</group>
      <name>jackson-databind</name>
      <version>2.9.9</version>
      <purl>pkg:maven/com.fasterxml.jackson.core/[email protected]</purl>
    </component>
  </components>
  <v:vulnerabilities>
    <v:vulnerability ref="pkg:maven/com.fasterxml.jackson.core/[email protected]">
      <v:id>CVE-2018-7489</v:id>
      <v:source name="NVD">
        <v:url>https://nvd.nist.gov/vuln/detail/CVE-2018-7489</v:url>
      </v:source>
      <v:ratings>
        <v:rating>
          <v:score>
            <v:base>9.8</v:base>
            <v:impact>5.9</v:impact>
            <v:exploitability>3.9</v:exploitability>
          </v:score>
          <v:severity>Critical</v:severity>
          <v:method>CVSSv3</v:method>
          <v:vector>AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</v:vector>
        </v:rating>
      </v:ratings>
      <v:cwes>
        <v:cwe>184</v:cwe>
        <v:cwe>502</v:cwe>
      </v:cwes>
      <v:description>FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.</v:description>
      <v:recommendations>
        <v:recommendation>Upgrade</v:recommendation>
      </v:recommendations>
      <v:advisories>
        <v:advisory>https://github.com/FasterXML/jackson-databind/issues/1931</v:advisory>
        <v:advisory>http://www.securityfocus.com/bid/103203</v:advisory>
        <v:advisory>http://www.securitytracker.com/id/1040693</v:advisory>
        <v:advisory>http://www.securitytracker.com/id/1041890</v:advisory>
      </v:advisories>
    </v:vulnerability>
  </v:vulnerabilities>
</bom>