Open Source SBOM Vulnerability Disclosure Report listing known vulnerabilities for each SBOM component
along with a Fix Status, Exploitable Flag and a Description instructing the software consumer in the handling
of each reported vulnerability.
Root element of the open source SBOM Vulnerability Disclosure Report (VDR)
Identifier assigned by an authorized party, i.e. a CVE Numbering Authority, to identify a CVE, OR a private CVEID indicated by CVE-private-nnnnnnn
Vulnerability Score calculated by an authorized entity
Description of the vulnerability including any information regarding availability of known exploits
A flag containing one of the following:
Y: known to be exploitable, with live exploits in the wild
N: known to not be exploitable
U: Unsure if a vulnerability is exploitable
A flag containing one of the following:
Y: listed in the CISA KEV catalog
N: not listed in the CISA KEV catalog
U: Unsure if a vulnerability is exploitable
An enumerated set of statuses, see constraints for list of possible values:
Meaning of certain less obvious Fix Status values:
N/A: means that a Fix is not needed, see AnalysisFindings for further details
Unknown: Vendor has not made a determination as to their plans; should be replaced when vendor completes investigation
Vendor-provided information containing their analysis and findings regarding the vulnerability. Instructions for mitigating measures
are provided in this material along with any other information that will assist a customer with their risk management actions.
Party that authored the specific SBOM to which this vulnerability disclosure report pertains
Timestamp of the specific SBOM to which this vulnerability disclosure report pertains
Location of the specific SBOM to which this vulnerability disclosure report pertains
NTIA-supported SBOM format (spdx or cycloneDX) of the specific SBOM to which this vulnerability disclosure report pertains
Particular format (see constraints) of the specific SBOM to which this vulnerability disclosure report pertains
Total number of components listed in the specific SBOM to which this vulnerability disclosure report pertains
Identifies the specific CVE repository that was searched to produce the CVE results
Authorized licensor of the software product SBOM to which this vulnerability disclosure report pertains
Product Name as assigned by the authorized Licensor for the specific SBOM to which this vulnerability disclosure report pertains
Version identifier assigned by the authorized licensor of the software product SBOM to which this vulnerability disclosure report pertains
URL showing the download location for the product installation package to which the specific SBOM vulnerability disclosure report pertains
Results of the NIST NVD search: Success or Aborted
High-level flag used to inform consumers that a known, unresolved vulnerability is present:
Y: indicates the presence of unresolved vulnerabilities in the VDR, where FixStatus is not equal to "Fix Available" and Exploitable equals "Y"
N: indicates there are no unresolved vulnerabilities in the VDR, where Exploitable equals "N" and FixStatus is not equal to "Unknown"
U: Unsure - some vulnerabilities may still be under investigation and have not been decided
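The report-level flag above is derived from the per-vulnerability Exploitable and FixStatus values. As an added example (not part of the schema's own text or tooling), the following Python derives that flag and checks the CVEID format, including the CVE-private-nnnnnnn form; the record field names, the precedence Y then N then U, and the result for an empty report are assumptions.

```python
import re
from dataclasses import dataclass

# Allowed values for the Exploitable flag (Y / N / U)
EXPLOITABLE_VALUES = {"Y", "N", "U"}
# Public CVE IDs (CVE-YYYY-NNNN...) or the report's private form CVE-private-nnnnnnn
CVEID_PATTERN = re.compile(r"^CVE-(\d{4}-\d{4,}|private-\d+)$")


@dataclass
class VdrEntry:
    """One reported vulnerability; field names are assumptions for this example."""
    cve_id: str
    exploitable: str   # "Y", "N" or "U"
    fix_status: str    # e.g. "Fix Available", "N/A", "Unknown"


def valid_cve_id(cve_id: str) -> bool:
    """Check the CVEID format, accepting the private CVE-private-nnnnnnn form."""
    return CVEID_PATTERN.match(cve_id) is not None


def unresolved_vulnerability_flag(entries: list[VdrEntry]) -> str:
    """Derive the report-level flag from the per-vulnerability entries.

    Y: some entry has Exploitable "Y" and a FixStatus other than "Fix Available"
    N: every entry has Exploitable "N" and a FixStatus other than "Unknown"
    U: anything else, e.g. entries still under investigation
    Precedence Y > N > U is an assumption; an empty report yields "N".
    """
    for e in entries:
        if e.exploitable not in EXPLOITABLE_VALUES:
            raise ValueError(f"{e.cve_id}: bad Exploitable flag {e.exploitable!r}")
        if not valid_cve_id(e.cve_id):
            raise ValueError(f"bad CVEID {e.cve_id!r}")
    if any(e.exploitable == "Y" and e.fix_status != "Fix Available" for e in entries):
        return "Y"
    if all(e.exploitable == "N" and e.fix_status != "Unknown" for e in entries):
        return "N"
    return "U"


# Constructed sample entries (placeholder IDs, not real findings)
SAMPLE_RESOLVED = [
    VdrEntry("CVE-0000-0001", "N", "N/A"),
    VdrEntry("CVE-private-0000001", "N", "Fix Available"),
]
SAMPLE_UNRESOLVED = SAMPLE_RESOLVED + [VdrEntry("CVE-0000-0002", "Y", "Unknown")]
SAMPLE_PENDING = SAMPLE_RESOLVED + [VdrEntry("CVE-0000-0003", "U", "Unknown")]
```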
Timestamp when this vulnerability disclosure report was created by the authorized party, i.e. the Licensor
Legal Name of Software Supplier - this is the authorized Licensor of the software object
Name of the component, assigned by the authorized Licensor
Component Version assigned by the authorized Licensor
Could be a purl URI or some other identifier
Keyword search string submitted to NIST NVD that produced the CVEs listed, OR a URL to a vendor-proprietary security advisory if the CVEID is "private"
Total number of vulnerabilities reported by NIST NVD for the search string supplied.