Vulnerability Exploitability

Introduction

Vulnerability exploitability focuses on understanding whether specific vulnerabilities in software or systems can realistically be exploited within a given context. CycloneDX facilitates this through its Vulnerability Exploitability eXchange (VEX) support, which allows organizations to communicate whether identified vulnerabilities in third-party components are exploitable. By distinguishing between exploitable and non-exploitable vulnerabilities, VEX helps teams prioritize remediation efforts.

CycloneDX extends far beyond VEX, offering a comprehensive approach to vulnerability management. It captures key attributes like risk ratings, reproducibility, and detailed information about affected components. By integrating these elements, CycloneDX enables organizations to assess the actual risk posed by specific vulnerabilities and make informed decisions about mitigation. This contextual awareness empowers teams to manage vulnerabilities across first-party applications, third-party dependencies, and entire systems with precision.

Highlighted fields

Property | Usage Description
ratings | Combines metrics such as CVSS (severity) and OWASP Risk Rating (likelihood and impact) to help prioritize vulnerabilities effectively. Severity indicates the potential damage, while risk considers context, ensuring that teams focus on issues with the greatest overall threat.
state | Describes the current status of the vulnerability in the specified context, such as whether it is exploitable or mitigated. For example, not_affected indicates that the vulnerability does not impact the application.
justification | Explains the rationale behind the vulnerability's state, such as protected_by_mitigating_control, which clarifies that controls are in place to prevent exploitation despite the presence of the vulnerability.
response | Lists actions taken or planned by the vendor in response to the vulnerability, such as will_not_fix or update, helping stakeholders understand how the issue is being addressed or why no action is needed.
The example below shows how CycloneDX records CVE-2021-44228 as not affecting the application because of mitigating controls such as input validation. It includes severity ratings, the justification, and the unaffected version range for clarity.

Examples

{
  "$schema": "https://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1,
  "metadata": {
    "timestamp": "2025-01-21T12:00:00Z",
    "component": {
      "bom-ref": "billing-app",
      "manufacturer": {
        "name": "Acme Inc"
      },
      "type": "application",
      "name": "Billing App",
      "description": "This is an example and serves as the first-party application that contains a vulnerable dependency."
    }
  },
  "vulnerabilities": [
    {
      "id": "CVE-2021-44228",
      "source": {
        "name": "National Vulnerability Database",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228"
      },
      "ratings": [
        {
          "source": {
            "name": "National Vulnerability Database"
          },
          "score": 10.0,
          "severity": "critical",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
        },
        {
          "source": {
            "name": "Acme PSIRT"
          },
          "severity": "low",
          "method": "OWASP",
          "vector": "(SL:0/M:0/O:0/S:0/ED:0/EE:0/A:0/ID:3/LC:9/LI:9/LAV:1/LAC:1/FD:0/RD:0/NC:0/PV:0)"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "protected_by_mitigating_control",
        "response": [
          "will_not_fix",
          "update"
        ],
        "detail": "Extensive input validation is performed on the endpoint that would otherwise have been vulnerable. This provides a mitigating control against this attack. Customers are encouraged to upgrade to the latest version of the Acme App which bundles a newer version of log4j.",
        "firstIssued": "2021-12-11T19:00:00Z",
        "lastUpdated": "2022-01-07T19:00:00Z"
      },
      "affects": [
        {
          "ref": "billing-app",
          "versions": [
            {
              "range": "vers:semver/1.2.3|>=2.0.0|<5.0.0",
              "status": "unaffected"
            }
          ]
        }
      ]
    }
  ]
}
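As an added example (not code from the CycloneDX guide or any CycloneDX tool), the following Python consumer applies the state, justification and ratings fields above to triage a BOM: entries are suppressed only when the analysis state allows it and, for not_affected, a schema-defined justification is present. The CVE-0000-000x identifiers in the embedded sample are constructed placeholders.

```python
import json

# Analysis states and justifications as enumerated by the CycloneDX 1.6 schema.
SUPPRESSIBLE_STATES = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}
VALID_JUSTIFICATIONS = {
    "code_not_present", "code_not_reachable", "requires_configuration",
    "requires_dependency", "requires_environment", "protected_by_compiler",
    "protected_at_runtime", "protected_at_perimeter", "protected_by_mitigating_control",
}

def max_score(vuln):
    """Highest numeric score among ratings; 0.0 when none carries one (OWASP entries may not)."""
    return max((r.get("score", 0.0) for r in vuln.get("ratings", [])), default=0.0)

def triage(bom):
    """Split a BOM's vulnerabilities into (actionable, suppressed).

    An entry is suppressed only when its analysis state says so and, for
    not_affected, a schema-defined justification is present. A missing analysis
    block is treated as in_triage, so an unjustified claim cannot hide a finding.
    """
    actionable, suppressed = [], []
    for v in bom.get("vulnerabilities", []):
        analysis = v.get("analysis", {})
        state = analysis.get("state", "in_triage")
        just = analysis.get("justification")
        entry = {"id": v["id"], "state": state, "justification": just, "score": max_score(v)}
        justified = state != "not_affected" or just in VALID_JUSTIFICATIONS
        (suppressed if state in SUPPRESSIBLE_STATES and justified else actionable).append(entry)
    actionable.sort(key=lambda e: e["score"], reverse=True)  # worst CVSS score first
    return actionable, suppressed

# Constructed BOM fragment: the page's log4j entry plus two placeholder findings
# (CVE-0000-000x are not real identifiers).
SAMPLE_BOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.6",
  "vulnerabilities": [
    {"id": "CVE-2021-44228",
     "ratings": [{"score": 10.0, "severity": "critical", "method": "CVSSv31"},
                 {"severity": "low", "method": "OWASP"}],
     "analysis": {"state": "not_affected", "justification": "protected_by_mitigating_control"}},
    {"id": "CVE-0000-0001", "ratings": [{"score": 7.5, "severity": "high", "method": "CVSSv31"}],
     "analysis": {"state": "not_affected"}},
    {"id": "CVE-0000-0002", "ratings": [{"score": 5.3, "severity": "medium", "method": "CVSSv31"}],
     "analysis": {"state": "exploitable", "response": ["workaround_available"]}}
  ]}""")

if __name__ == "__main__":
    for bucket, entries in zip(("ACTIONABLE", "SUPPRESSED"), triage(SAMPLE_BOM)):
        print(bucket, [(e["id"], e["state"], e["score"]) for e in entries])
```

Run against the sample, the log4j entry is suppressed on the strength of its justification, while the placeholder that claims not_affected without one stays on the actionable list ahead of the exploitable medium-severity finding.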