CycloneDX enhances vulnerability remediation by providing structured, actionable data for both first-party code and third-party dependencies. By integrating CycloneDX data into defect tracking systems, development teams can automate the flow of vulnerability information reported by internal security teams or external sources. The specification includes all critical details—such as affected components, severity, exploitability, and remediation steps—ensuring teams have the context they need to address issues effectively.
This capability bridges the gap between security and development workflows, enabling teams to prioritize and remediate vulnerabilities efficiently. Whether tackling issues in proprietary code or managing risks from third-party dependencies, CycloneDX ensures that every reported vulnerability is traceable, actionable, and verifiable. Developers can validate fixes confidently, while organizations benefit from a streamlined process that reduces time-to-resolution and enhances collaboration across teams.
| Property | Usage Description |
|---|---|
| ratings | Combines metrics such as CVSS (severity) and OWASP Risk Rating (likelihood and impact) to help prioritize vulnerabilities effectively. Severity indicates the potential damage, while risk considers context, ensuring that teams focus on issues with the greatest overall threat. |
| detail | Provides a clear description of the vulnerability, ensuring developers fully understand its nature and impact. This clarity reduces confusion and aligns all stakeholders on the scope of the issue. |
| recommendation | Offers actionable guidance on resolving the vulnerability, such as upgrading to a specific version or applying a patch. This accelerates remediation by eliminating guesswork. |
| workaround | Suggests temporary measures to mitigate risk when immediate fixes are not feasible. This helps maintain system security while long-term solutions are developed. |
| proofOfConcept | Demonstrates how the vulnerability can be exploited, adding context and urgency. By linking to detailed examples, this property helps developers validate fixes and assess potential impacts. |
```json
{
  "$schema": "https://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1,
  "metadata": {
    "timestamp": "2025-01-21T12:00:00Z",
    "component": {
      "bom-ref": "internal-web-app",
      "manufacturer": {
        "name": "Acme Inc"
      },
      "type": "application",
      "name": "Internal Web App",
      "version": "2.4.1",
      "description": "This is an example and serves as the affected first-party application in this example."
    }
  },
  "vulnerabilities": [
    {
      "id": "INT-2025-002",
      "source": {
        "name": "AcmeSecurityDB",
        "url": "https://security-db.example.com/vulnerabilities/INT-2025-002"
      },
      "ratings": [
        {
          "source": {
            "name": "Acme Product Security"
          },
          "score": 6.3,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N"
        },
        {
          "severity": "high",
          "method": "OWASP",
          "vector": "SL:6/M:1/O:7/S:6/ED:7/EE:5/A:4/ID:8/LC:6/LI:5/LAV:5/LAC:7/FD:7/RD:5/NC:7/PV:9"
        }
      ],
      "cwes": [ 285 ],
      "description": "Authentication bypass vulnerability in the Internal Web App due to improper role validation logic.",
      "detail": "An authentication bypass vulnerability in the Internal Web App allows users with restricted roles to perform administrative actions. The issue stems from improper role validation in the application's authentication logic, specifically within the 'verifyRole' function. When a crafted HTTP request is sent to endpoints requiring admin privileges, the system incorrectly assigns elevated access to non-admin users. This vulnerability is most impactful in instances where additional access controls are not in place, as it could lead to unauthorized changes to critical system settings, data exposure, and operational disruptions.",
      "recommendation": "Update the authentication logic to include strict role validation checks. Deploy version 2.4.2, which addresses the issue by correcting the role validation logic in the 'verifyRole' function.",
      "workaround": "Restrict access to the application by implementing IP allowlisting or disabling administrative endpoints temporarily.",
      "proofOfConcept": {
        "reproductionSteps": "1: Log in with a user account that has restricted privileges (e.g., 'viewer' role). 2: Intercept the authentication token using a proxy tool such as Burp Suite. 3: Modify the HTTP request to include the 'admin=true' parameter in the body or query string. 4: Send the modified request to an administrative endpoint, such as '/admin/settings'. 5: Observe that the response allows unauthorized access to administrative functionality.",
        "environment": "Prod and subprod",
        "supportingMaterial": [
          {
            "contentType": "image/jpeg",
            "encoding": "base64",
            "content": "<base64-encoded JPEG omitted>"
          }
        ]
      },
      "analysis": {
        "state": "exploitable"
      },
      "affects": [
        {
          "ref": "internal-web-app",
          "versions": [
            {
              "version": "2.4.1",
              "status": "affected"
            }
          ]
        }
      ]
    }
  ]
}
```
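The following is an added example, not CycloneDX project code, showing how the properties in the table above and the BOM's `affects` and `analysis` fields feed a defect tracker: each actionable vulnerability becomes one ticket, prioritized by the worst of its ratings, with affected component versions resolved through `bom-ref`. The sample BOM is a constructed, trimmed copy of the example document above; the ticket field names are assumptions.

```python
# Constructed sample trimmed from the page's example BOM (added example, not CycloneDX code).
SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
    "metadata": {"component": {"bom-ref": "internal-web-app", "type": "application",
                               "name": "Internal Web App", "version": "2.4.1"}},
    "vulnerabilities": [{
        "id": "INT-2025-002", "cwes": [285], "analysis": {"state": "exploitable"},
        "ratings": [{"score": 6.3, "severity": "medium", "method": "CVSSv31"},
                    {"severity": "high", "method": "OWASP"}],
        "description": "Authentication bypass due to improper role validation.",
        "recommendation": "Deploy version 2.4.2.",
        "workaround": "Disable administrative endpoints temporarily.",
        "affects": [{"ref": "internal-web-app",
                     "versions": [{"version": "2.4.1", "status": "affected"}]}],
    }],
}

SEVERITY_RANK = {"critical": 5, "high": 4, "medium": 3, "low": 2, "info": 1, "none": 0}
# VEX analysis states that need no remediation ticket.
NO_TICKET_STATES = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}

def component_index(bom):
    """Map bom-ref to component, covering metadata.component and components[]."""
    comps = list(bom.get("components", []))
    if "component" in bom.get("metadata", {}):
        comps.append(bom["metadata"]["component"])
    return {c["bom-ref"]: c for c in comps if "bom-ref" in c}

def ticket_priority(vuln):
    """Take the worst rating so CVSS severity and OWASP risk both drive priority."""
    sevs = [r.get("severity", "none") for r in vuln.get("ratings", [])]
    return max(sevs, key=lambda s: SEVERITY_RANK.get(s, 0), default="none")

def tickets_from_bom(bom):
    """One ticket (assumed field names) per actionable vulnerability in the BOM."""
    idx, tickets = component_index(bom), []
    for v in bom.get("vulnerabilities", []):
        if v.get("analysis", {}).get("state") in NO_TICKET_STATES:
            continue
        affected = []
        for a in v.get("affects", []):
            name = idx.get(a["ref"], {}).get("name", a["ref"])
            for ver in a.get("versions", []):
                if ver.get("status") == "affected":
                    affected.append(f"{name} {ver.get('version') or ver.get('range', '?')}")
        tickets.append({"title": f"[{v['id']}] {v.get('description', '')}",
                        "priority": ticket_priority(v), "affected": affected,
                        "cwes": v.get("cwes", []), "remediation": v.get("recommendation"),
                        "workaround": v.get("workaround")})
    return tickets
```

Running `tickets_from_bom(SAMPLE_BOM)` yields a single high-priority ticket for `Internal Web App 2.4.1`, because the OWASP risk rating outranks the medium CVSS score.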