Vulnerability Compositions

Introduction

Vulnerability compositions in CycloneDX focus on the relationships between components or services and their associated vulnerabilities. Rather than addressing the inventory of components, these compositions capture the completeness or gaps in the known vulnerabilities tied to specific components. This ensures that stakeholders can assess the reliability of vulnerability data and determine whether it provides a comprehensive view of the risks. For example, a "complete" composition status indicates that all known vulnerabilities for a component have been accounted for, while an "unknown" status may reflect uncertainty or incomplete data.

Highlighted fields

Property | Usage Description
aggregate | Describes the overall completeness of the inventory for the component, such as complete or incomplete.
vulnerabilities | Captures the known vulnerabilities linked to a component or service, highlighting their relationships and completeness.

Examples

This example demonstrates an ideal case where the "Internal Web App" component has no known vulnerabilities. The composition asserts this fact with a "complete" status for vulnerabilities, confirming that a thorough assessment has been conducted and no issues have been identified.

{
  "$schema": "https://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1,
  "metadata": {
    "component": {
      "bom-ref": "internal-web-app",
      "type": "application",
      "name": "Internal Web App",
      "version": "2.4.1"
    }
  },
  "compositions": [
    {
      "aggregate": "complete",
      "vulnerabilities": [ "internal-web-app" ]
    }
  ],
  "vulnerabilities": [
  ]
}
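The following Python is an added example, not code from the CycloneDX project or this page: it reads a constructed BOM (the "Internal Web App" case above plus two extra components, with "EXAMPLE-0001" as a placeholder vulnerability id) and treats a component as free of known vulnerabilities only when a composition asserts "complete" coverage for it, so an empty vulnerabilities array without such an assertion is reported as "not_asserted" rather than as clean. The function names are the example's own.

```python
import json

# Constructed sample BOM (not from the page): the "Internal Web App" example plus
# lib-a, whose vulnerability data is only asserted "incomplete", and lib-b, which
# no composition covers at all. "EXAMPLE-0001" is a placeholder id, not a real CVE.
SAMPLE_BOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
  "metadata": {"component": {"bom-ref": "internal-web-app", "type": "application",
                             "name": "Internal Web App", "version": "2.4.1"}},
  "components": [
    {"bom-ref": "lib-a", "type": "library", "name": "lib-a", "version": "1.0.0"},
    {"bom-ref": "lib-b", "type": "library", "name": "lib-b", "version": "3.2.0"}],
  "compositions": [
    {"aggregate": "complete", "vulnerabilities": ["internal-web-app"]},
    {"aggregate": "incomplete", "vulnerabilities": ["lib-a"]}],
  "vulnerabilities": [{"id": "EXAMPLE-0001", "affects": [{"ref": "lib-a"}]}]
}""")

def all_refs(bom):
    """bom-refs of the metadata component and of every listed component."""
    root = bom.get("metadata", {}).get("component", {})
    refs = [root["bom-ref"]] if root.get("bom-ref") else []
    return refs + [c["bom-ref"] for c in bom.get("components", []) if c.get("bom-ref")]

def vulnerability_coverage(bom):
    """Map each bom-ref to (asserted aggregate status, ids of vulnerabilities
    affecting it). A ref that no composition names in its "vulnerabilities"
    list gets "not_asserted": an empty vulnerabilities array alone says nothing."""
    asserted = {}
    for comp in bom.get("compositions", []):
        for ref in comp.get("vulnerabilities", []):
            asserted[ref] = comp.get("aggregate", "unknown")
    affecting = {}
    for vuln in bom.get("vulnerabilities", []):
        for target in vuln.get("affects", []):
            affecting.setdefault(target.get("ref"), []).append(vuln.get("id"))
    return {ref: (asserted.get(ref, "not_asserted"), affecting.get(ref, []))
            for ref in all_refs(bom)}

def trusted_clean(bom):
    """Refs a consumer may treat as free of known vulnerabilities: coverage
    asserted complete and no vulnerability entry affects them."""
    return [ref for ref, (status, vulns) in vulnerability_coverage(bom).items()
            if status == "complete" and not vulns]

if __name__ == "__main__":
    for ref, (status, vulns) in vulnerability_coverage(SAMPLE_BOM).items():
        print(f"{ref}: coverage={status} vulnerabilities={vulns or 'none'}")
```

Run against the sample, only "internal-web-app" is reported as trusted clean; "lib-b" has no vulnerability entries either, but without a composition asserting coverage it stays "not_asserted".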