Open Source SBOM Vulnerability Disclosure Report listing known vulnerabilities for each SBOM component along with a Fix Status, Exploitable Flag and a Description instructing the software consumer in the handling of each reported vulnerability.

- Root element of the open source SBOM Vulnerability Disclosure Report (VDR)
- Identifier assigned by an authorized party, i.e. the software producer, using CVE-private-nnnn or a public CVE-YYYY-NNNNN to identify a CVE
- Vulnerability Score calculated by an authorized entity
- Description of the vulnerability, including any information regarding availability of known exploits
- A flag containing one of the following: Y: known to be exploitable with live exploits in the wild; N: known to not be exploitable; U: unsure if a vulnerability is exploitable
- A flag containing one of the following: Y: listed in the CISA KEV catalog; N: not listed in the CISA KEV catalog; U: unsure if a vulnerability is exploitable
- An enumerated set of statuses, see constraints for the list of possible values. Fix Status meaning for certain, not so obvious values: N/A: means that a fix is not needed, see AnalysisFindings for further details; Unknown: vendor has not made a determination as to their plans; should be replaced when the vendor completes its investigation
- Vendor-provided information containing their analysis and findings regarding the vulnerability. Instructions for mitigating measures are provided in this material along with any other information that will assist a customer with their risk management actions.
- Party that authored the specific SBOM to which this vulnerability disclosure report pertains
- Timestamp of the specific SBOM to which this vulnerability disclosure report pertains
- Location of the specific SBOM to which this vulnerability disclosure report pertains
- NTIA supported SBOM format (spdx or cycloneDX) of the specific SBOM to which this vulnerability disclosure report pertains
- Particular format (see constraints) of the specific SBOM to which this vulnerability disclosure report pertains
- Total number of components listed in the specific SBOM to which this vulnerability disclosure report pertains
- Identifies the specific CVE repository that was searched to produce the CVE results
- Authorized licensor of the software product SBOM to which this vulnerability disclosure report pertains
- Product Name as assigned by the authorized Licensor for the specific SBOM to which this vulnerability disclosure report pertains
- Version identifier assigned by the authorized licensor of the software product SBOM to which this vulnerability disclosure report pertains
- URL showing the download location for the product installation package to which the specific SBOM vulnerability disclosure report pertains
- Results of the NIST NVD search, Success or Aborted
- High level flag used to inform consumers that a known, unresolved vulnerability is present: Y: indicates the presence of unresolved vulnerabilities in the VDR, where FixStatus is not equal to "Fix Available" and Exploitable equals "Y"; N: indicates there are no unresolved vulnerabilities in the VDR, where Exploitable equals "N" and FixStatus is not equal to "Unknown"; U: unsure - some vulnerabilities may still be under investigation and have not been decided
- Timestamp when this vulnerability disclosure report was created by the authorized party, i.e. Licensor
- Legal Name of Software Supplier - this is the authorized Licensor of the software object
- Name of the component, assigned by the authorized Licensor
- Component Version assigned by the authorized Licensor
- Could be a purl URI or some other identifier
- Keyword search string submitted to NIST NVD that produced the CVEs listed
- Total number of vulnerabilities reported by NIST NVD for the search string supplied
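As an added example (not part of the page or of the VDR schema itself), the roll-up of the report-level unresolved-vulnerability flag from the per-entry Exploitable and Fix Status values described above, written in Python. The element names Vulnerability, CVEIdentifier, Exploitable, KEV and FixStatus and the sample XML are assumptions; the page fixes only the Y/N/U semantics and the roll-up rules.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Iterable, List

FLAG_VALUES = {"Y", "N", "U"}  # the three values the page defines for both flags

@dataclass
class Vulnerability:
    cve_id: str        # CVE-private-nnnn or a public CVE-YYYY-NNNNN
    exploitable: str   # Y / N / U
    kev: str           # Y / N / U (CISA KEV listing)
    fix_status: str    # enumerated Fix Status, e.g. "Fix Available", "N/A", "Unknown"

def parse_vulnerabilities(xml_text: str) -> List[Vulnerability]:
    """Read the per-component vulnerability entries (element names are assumed)."""
    root = ET.fromstring(xml_text)
    vulns = []
    for node in root.iter("Vulnerability"):
        v = Vulnerability(
            cve_id=(node.findtext("CVEIdentifier") or "").strip(),
            exploitable=(node.findtext("Exploitable") or "U").strip(),
            kev=(node.findtext("KEV") or "U").strip(),
            fix_status=(node.findtext("FixStatus") or "Unknown").strip(),
        )
        for flag in (v.exploitable, v.kev):
            if flag not in FLAG_VALUES:
                raise ValueError(f"{v.cve_id}: flag must be Y, N or U, got {flag!r}")
        vulns.append(v)
    return vulns

def unresolved_flag(vulns: Iterable[Vulnerability]) -> str:
    """Roll up entries into the VDR-level flag. Y: some entry is exploitable (Y) with a
    FixStatus other than "Fix Available". N: every entry is not exploitable (N) and none
    is still "Unknown". U: anything else, e.g. entries still under investigation.
    An empty report rolls up to N (nothing unresolved)."""
    vulns = list(vulns)
    if any(v.exploitable == "Y" and v.fix_status != "Fix Available" for v in vulns):
        return "Y"
    if all(v.exploitable == "N" and v.fix_status != "Unknown" for v in vulns):
        return "N"
    return "U"

# Constructed sample VDR fragment (not from any real product); rolls up to U.
SAMPLE_VDR = """<VDR>
  <Vulnerability><CVEIdentifier>CVE-2021-00001</CVEIdentifier><Exploitable>Y</Exploitable><KEV>Y</KEV><FixStatus>Fix Available</FixStatus></Vulnerability>
  <Vulnerability><CVEIdentifier>CVE-private-0002</CVEIdentifier><Exploitable>N</Exploitable><KEV>N</KEV><FixStatus>N/A</FixStatus></Vulnerability>
  <Vulnerability><CVEIdentifier>CVE-2022-00003</CVEIdentifier><Exploitable>U</Exploitable><KEV>U</KEV><FixStatus>Unknown</FixStatus></Vulnerability>
</VDR>"""
```

Note that an exploitable entry whose fix is already available does not by itself force Y, but it does prevent N, so the report rolls up to U until the consumer applies the fix.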