{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "https://checkmarx.com/schemas/checkmarx/vulnerability.json", "title": "Checkmarx Vulnerability", "description": "A security vulnerability identified by Checkmarx scanning, including CVE details, severity scoring, affected packages, and remediation guidance for application security findings.", "type": "object", "required": ["id", "severity"], "properties": { "id": { "type": "string", "description": "Vulnerability unique identifier" }, "cveName": { "type": "string", "pattern": "^CVE-\\d{4}-\\d{4,}$", "description": "Common Vulnerabilities and Exposures identifier" }, "cweId": { "type": "integer", "description": "Common Weakness Enumeration identifier" }, "cweName": { "type": "string", "description": "CWE name describing the weakness type" }, "description": { "type": "string", "description": "Detailed description of the vulnerability" }, "severity": { "type": "string", "enum": ["Critical", "High", "Medium", "Low", "Info"], "description": "Severity classification of the vulnerability" }, "cvssScore": { "type": "number", "format": "float", "minimum": 0, "maximum": 10, "description": "Common Vulnerability Scoring System v3 base score" }, "cvssVector": { "type": "string", "description": "CVSS v3 vector string detailing the scoring factors" }, "publishDate": { "type": "string", "format": "date-time", "description": "Date the vulnerability was publicly disclosed" }, "lastModifiedDate": { "type": "string", "format": "date-time", "description": "Date the vulnerability record was last updated" }, "affectedPackage": { "$ref": "#/$defs/AffectedPackage" }, "sourceLocation": { "$ref": "#/$defs/SourceLocation" }, "remediation": { "$ref": "#/$defs/Remediation" }, "exploitability": { "$ref": "#/$defs/Exploitability" }, "compliance": { "type": "array", "items": { "$ref": "#/$defs/ComplianceMapping" }, "description": "Compliance framework mappings for this vulnerability" }, "references": { "type": "array", "items": { 
"type": "string", "format": "uri" }, "description": "External reference URLs with additional information" }, "isIgnored": { "type": "boolean", "description": "Whether the vulnerability has been suppressed or ignored", "default": false }, "state": { "type": "string", "enum": ["TO_VERIFY", "NOT_EXPLOITABLE", "PROPOSED_NOT_EXPLOITABLE", "CONFIRMED", "URGENT"], "description": "Triage state of the vulnerability" } }, "$defs": { "AffectedPackage": { "type": "object", "description": "Open source package affected by the vulnerability (SCA findings)", "properties": { "packageName": { "type": "string", "description": "Package name" }, "packageVersion": { "type": "string", "description": "Affected version of the package" }, "packageRepository": { "type": "string", "enum": ["npm", "maven", "nuget", "pypi", "rubygems", "go", "packagist", "cargo"], "description": "Package ecosystem or registry" }, "isDirectDependency": { "type": "boolean", "description": "Whether the package is a direct dependency (false for a transitive dependency)" }, "fixedVersions": { "type": "array", "items": { "type": "string" }, "description": "Versions of the package where this vulnerability is fixed" } } }, "SourceLocation": { "type": "object", "description": "Source code location for SAST-detected vulnerabilities", "properties": { "fileName": { "type": "string", "description": "File path where the vulnerability was found" }, "line": { "type": "integer", "minimum": 1, "description": "Line number within the file (1-based)" }, "column": { "type": "integer", "minimum": 1, "description": "Column number within the line (1-based)" }, "methodName": { "type": "string", "description": "Name of the method or function containing the vulnerability" }, "className": { "type": "string", "description": "Name of the class containing the vulnerability" } } }, "Remediation": { "type": "object", "description": "Remediation guidance for addressing the vulnerability", "properties": { "recommendation": { "type": "string", "description": "Recommended action to fix the vulnerability" }, "fixedVersion": { 
"type": "string", "description": "Recommended package version that addresses the vulnerability" }, "effort": { "type": "string", "enum": ["Low", "Medium", "High"], "description": "Estimated effort required for remediation" }, "references": { "type": "array", "items": { "type": "string", "format": "uri" }, "description": "Links to remediation documentation" } } }, "Exploitability": { "type": "object", "description": "Exploitability assessment of the vulnerability", "properties": { "epssScore": { "type": "number", "format": "float", "minimum": 0, "maximum": 1, "description": "Exploit Prediction Scoring System score" }, "hasExploit": { "type": "boolean", "description": "Whether a known public exploit exists" }, "isExploitablePathConfirmed": { "type": "boolean", "description": "Whether the exploitable path from source to vulnerable package is confirmed" }, "attackVector": { "type": "string", "enum": ["Network", "Adjacent", "Local", "Physical"], "description": "CVSS attack vector" } } }, "ComplianceMapping": { "type": "object", "description": "Mapping to a compliance standard or framework", "properties": { "standard": { "type": "string", "description": "Compliance standard name (e.g., OWASP Top 10, PCI DSS, HIPAA)" }, "category": { "type": "string", "description": "Category within the standard" }, "requirement": { "type": "string", "description": "Specific requirement identifier" } } } } }