> ## Documentation Index
> Fetch the complete documentation index at: https://docs.endorlabs.com/llms.txt
> Use this file to discover all available pages before exploring further.
## Submitting Feedback
If you encounter incorrect, outdated, or confusing documentation on this page, submit feedback:
POST https://docs.endorlabs.com/feedback
```json
{
"path": "/api-reference/queryvulnerabilityservice/createqueryvulnerability",
"feedback": "Description of the issue"
}
```
Only submit feedback when you have something specific and actionable to report.
# CreateQueryVulnerability
> Queries vulnerabilities for specific values.
Use this method to query vulnerabilities for a specific package version.
## OpenAPI
````yaml /api-reference/openapi.v3.json post /v1/namespaces/{tenant_meta.namespace}/queries/vulnerabilities
openapi: 3.0.3
info:
description: Integrate your application with Endor Labs using the REST API.
title: Endor Labs REST API Reference
version: '1.0'
servers:
- url: https://api.endorlabs.com/
security: []
tags:
- name: AISastCustomerContextService
- name: APIKeyService
- name: APIKeyValidatorService
- name: ArtifactSignatureService
- name: AuditLogService
- name: AuthenticationLogService
- name: AuthenticationService
- name: AuthorizationPolicyService
- name: BatchFileSegmentsService
- name: BatchNotificationService
- name: CallGraphDataService
- name: CodeOwnersService
- name: DependencyMetadataService
- name: EndorIgnoreEntryService
- name: ExporterService
- name: FindingLogService
- name: FindingService
- name: HuggingFaceModelService
- name: HuggingFaceOrganizationService
- name: IPAddressPolicyService
- name: IdentityProviderService
- name: InstallationService
- name: InvitationService
- name: LicenseDependencyService
- name: LicenseNoticesReportService
- name: LicenseSummaryService
- name: LinterResultService
- name: MalwareService
- name: MetricService
- name: NamespaceService
- name: NotificationService
- name: NotificationTargetService
- name: OnPremSchedulerService
- name: PRCommentConfigService
- name: PackageFirewallLogService
- name: PackageLicenseOverrideService
- name: PackageLicenseQueryService
- name: PackageLicenseService
- name: PackageManagerService
- name: PackageVersionService
- name: PluginBinaryService
- name: PolicyService
- name: PolicyTemplateService
- name: ProjectService
- name: ProvisioningResultService
- name: QueryMalwareService
- name: QueryService
- name: QuerySimilarPackagesService
- name: QueryVulnerabilityService
- name: RegistryIngestionCheckpointService
- name: RepositoryService
- name: RepositoryVersionService
- name: RuleSetImportService
- name: SBOMExportService
- name: SBOMImportService
- name: SCMCredentialService
- name: SavedQueryService
- name: ScanLogRequestService
- name: ScanProfileService
- name: ScanResultService
- name: ScanWorkflowResultService
- name: ScanWorkflowService
- name: SecretRuleService
- name: SemgrepRuleService
- name: SystemConfigService
- name: TenantService
- name: VEXExportService
- name: VectorStoreService
- name: VersionUpgradeService
- name: VulnerabilityService
paths:
/v1/namespaces/{tenant_meta.namespace}/queries/vulnerabilities:
post:
tags:
- QueryVulnerabilityService
summary: CreateQueryVulnerability
description: |-
Queries vulnerabilities for specific values.
Use this method to query vulnerabilities for a specific package version.
operationId: QueryVulnerabilityService_CreateQueryVulnerability
parameters:
- description: >-
Namespaces are a way to organize organizational units into virtual
groupings of resources. Namespaces must be a fully qualified name,
for example, the child namespace of namespace "endor.prod" called
"app"
is called "endor.prod.app".
in: path
name: tenant_meta.namespace
required: true
schema:
type: string
x-endor-name: Namespace
requestBody:
content:
application/json:
schema:
$ref: >-
#/components/schemas/QueryVulnerabilityServiceCreateQueryVulnerabilityBody
required: true
x-originalParamName: body
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/v1QueryVulnerability'
description: A successful response.
default:
content:
application/json:
schema:
$ref: '#/components/schemas/googlerpcStatus'
description: An unexpected error response.
components:
schemas:
QueryVulnerabilityServiceCreateQueryVulnerabilityBody:
description: >-
QueryVulnerability is used to do query request on vulnerabilities that
are
not supported by ListVulnerabilities and the filter. For instance, you
must
use this method to get a list of vulnerabilities based on a version.
properties:
meta:
$ref: '#/components/schemas/v1Meta'
response:
$ref: '#/components/schemas/v1ListVulnerabilitiesResponse'
responses:
$ref: '#/components/schemas/v1QueryVulnerabilityResponseMap'
spec:
$ref: '#/components/schemas/v1QueryVulnerabilitySpec'
tenant_meta:
description: Tenant related data for the tenant containing the resource.
type: object
uuid:
readOnly: true
type: string
type: object
v1QueryVulnerability:
description: >-
QueryVulnerability is used to do query request on vulnerabilities that
are
not supported by ListVulnerabilities and the filter. For instance, you
must
use this method to get a list of vulnerabilities based on a version.
properties:
meta:
$ref: '#/components/schemas/v1Meta'
response:
$ref: '#/components/schemas/v1ListVulnerabilitiesResponse'
responses:
$ref: '#/components/schemas/v1QueryVulnerabilityResponseMap'
spec:
$ref: '#/components/schemas/v1QueryVulnerabilitySpec'
tenant_meta:
$ref: '#/components/schemas/v1TenantMeta'
uuid:
readOnly: true
type: string
type: object
googlerpcStatus:
description: >-
The `Status` type defines a logical error model that is suitable for
different programming environments, including REST APIs and RPC APIs. It
is
used by [gRPC](https://github.com/grpc). Each `Status` message contains
three pieces of data: error code, error message, and error details.
You can find out more about this error model and how to work with it in
the
[API Design Guide](https://cloud.google.com/apis/design/errors).
properties:
code:
description: |-
The status code, which should be an enum value of
[google.rpc.Code][google.rpc.Code].
format: int32
type: integer
details:
description: >-
A list of messages that carry the error details. There is a common
set of
message types for APIs to use.
items:
$ref: '#/components/schemas/googleprotobufAny'
type: array
message:
description: >-
A developer-facing error message, which should be in English. Any
user-facing error message should be localized and sent in the
[google.rpc.Status.details][google.rpc.Status.details] field, or
localized
by the client.
type: string
type: object
v1Meta:
description: Common fields for all Endor Labs resources.
properties:
annotations:
additionalProperties:
type: string
description: >-
Annotations can be used to attach metadata to a resource message.
Annotation values can be small or large, structured or unstructured,
and may include characters not permitted by labels.
The keys may contain alphanumerics, underscores (_), dots (.) and
dashes
(-). The values of an annotation must be 16384 bytes or smaller.
type: object
create_time:
description: |-
Time the resource was created.
Format: 2017-01-15T01:30:15.01Z
RFC 3339: https://www.ietf.org/rfc/rfc3339.txt.
format: date-time
readOnly: true
type: string
created_by:
description: |-
Name and authentication source of the user who created the object,
for example, ewok@endor.ai@google@api-key.
readOnly: true
type: string
description:
description: Resource description. Must be less than 1024 bytes.
type: string
index_data:
$ref: '#/components/schemas/v1IndexData'
kind:
description: >-
Resource kind, for example, HelloResponse.
Auto-generated using the protobuf message
proto.MessageName().Name().
readOnly: true
type: string
name:
description: Resource name. Must be 63 characters or less.
type: string
parent_kind:
description: Parent object resource kind, for example, Project.
type: string
parent_uuid:
description: Parent object UUID.
type: string
references:
additionalProperties:
$ref: '#/components/schemas/googleprotobufAny'
description: Map of objects referenced in a query API.
readOnly: true
type: object
tags:
description: >-
List of tags attached to the resource.
Tags can be used to select objects and to find collections of
objects that
satisfy certain conditions. A tag must be 255 characters or less.
items:
type: string
type: array
update_time:
description: |-
Time the resource was last updated.
Note: Updated on all create/patch/delete operations.
Format: 2017-01-15T01:30:15.01Z
RFC 3339: https://www.ietf.org/rfc/rfc3339.txt.
format: date-time
readOnly: true
type: string
updated_by:
description: >-
Name and authentication source of the last user who updated the
object,
for example, vulnerabilityingestor@endor.ai@x509.
readOnly: true
type: string
upsert_time:
description: |-
Time the resource was last upserted.
Note:
create_time is only set the first time the resource is created.
upsert_time is set every time the resource is upseted.
Format: 2017-01-15T01:30:15.01Z
RFC 3339: https://www.ietf.org/rfc/rfc3339.txt.
format: date-time
readOnly: true
type: string
version:
description: Message version.
readOnly: true
type: string
required:
- name
type: object
v1ListVulnerabilitiesResponse:
description: Response to the request to list vulnerabilities.
properties:
count_response:
$ref: '#/components/schemas/v1CountResponse'
group_response:
$ref: '#/components/schemas/v1GroupResponse'
list:
$ref: '#/components/schemas/v1ListVulnerabilitiesResponseList'
type: object
v1QueryVulnerabilityResponseMap:
properties:
values:
additionalProperties:
$ref: '#/components/schemas/v1ListVulnerabilitiesResponse'
type: object
type: object
v1QueryVulnerabilitySpec:
properties:
mask:
description: |-
Mask specifies the list of fields to return with a request.
If no mask is given, all fields will be returned by the API.
type: string
package_version_name:
type: string
package_version_names:
$ref: '#/components/schemas/v1QueryVulnerabilityPackageVersionNames'
purls:
description: |-
a list of PURLs to lookup.
Using a PURL for the lookup allows the caller to provide additional
metadata.
items:
type: string
type: array
vulnerability_name_query:
$ref: '#/components/schemas/QueryVulnerabilityVulnerabilityNameQuery'
vulnerability_type:
$ref: '#/components/schemas/SpecVulnerabilityType'
type: object
v1TenantMeta:
description: Tenant related data for the tenant containing the resource.
properties:
namespace:
description: >-
Namespaces are a way to organize organizational units into virtual
groupings of resources. Namespaces must be a fully qualified name,
for example, the child namespace of namespace "endor.prod" called
"app"
is called "endor.prod.app".
type: string
required:
- namespace
type: object
googleprotobufAny:
additionalProperties: {}
description: >-
`Any` contains an arbitrary serialized protocol buffer message along
with a
URL that describes the type of the serialized message.
Protobuf library provides support to pack/unpack Any values in the form
of utility functions or additional generated methods of the Any type.
Example 1: Pack and unpack a message in C++.
Foo foo = ...;
Any any;
any.PackFrom(foo);
...
if (any.UnpackTo(&foo)) {
...
}
Example 2: Pack and unpack a message in Java.
Foo foo = ...;
Any any = Any.pack(foo);
...
if (any.is(Foo.class)) {
foo = any.unpack(Foo.class);
}
// or ...
if (any.isSameTypeAs(Foo.getDefaultInstance())) {
foo = any.unpack(Foo.getDefaultInstance());
}
Example 3: Pack and unpack a message in Python.
foo = Foo(...)
any = Any()
any.Pack(foo)
...
if any.Is(Foo.DESCRIPTOR):
any.Unpack(foo)
...
Example 4: Pack and unpack a message in Go
foo := &pb.Foo{...}
any, err := anypb.New(foo)
if err != nil {
...
}
...
foo := &pb.Foo{}
if err := any.UnmarshalTo(foo); err != nil {
...
}
The pack methods provided by protobuf library will by default use
'type.googleapis.com/full.type.name' as the type URL and the unpack
methods only use the fully qualified type name after the last '/'
in the type URL, for example "foo.bar.com/x/y.z" will yield type
name "y.z".
JSON
====
The JSON representation of an `Any` value uses the regular
representation of the deserialized, embedded message, with an
additional field `@type` which contains the type URL. Example:
package google.profile;
message Person {
string first_name = 1;
string last_name = 2;
}
{
"@type": "type.googleapis.com/google.profile.Person",
"firstName": ,
"lastName":
}
If the embedded message type is well-known and has a custom JSON
representation, that representation will be embedded adding a field
`value` which holds the custom JSON in addition to the `@type`
field. Example (for message [google.protobuf.Duration][]):
{
"@type": "type.googleapis.com/google.protobuf.Duration",
"value": "1.212s"
}
properties:
'@type':
description: >-
A URL/resource name that uniquely identifies the type of the
serialized
protocol buffer message. This string must contain at least
one "/" character. The last segment of the URL's path must represent
the fully qualified name of the type (as in
`path/google.protobuf.Duration`). The name should be in a canonical
form
(e.g., leading "." is not accepted).
In practice, teams usually precompile into the binary all types that
they
expect it to use in the context of Any. However, for URLs which use
the
scheme `http`, `https`, or no scheme, one can optionally set up a
type
server that maps type URLs to message definitions as follows:
* If no scheme is provided, `https` is assumed.
* An HTTP GET on the URL must yield a [google.protobuf.Type][]
value in binary format, or produce an error.
* Applications are allowed to cache lookup results based on the
URL, or have them precompiled into a binary to avoid any
lookup. Therefore, binary compatibility needs to be preserved
on changes to types. (Use versioned type names to manage
breaking changes.)
Note: this functionality is not currently available in the official
protobuf release, and it is not used for type URLs beginning with
type.googleapis.com. As of May 2023, there are no widely used type
server
implementations and no plans to implement one.
Schemes other than `http`, `https` (or the empty scheme) might be
used with implementation specific semantics.
type: string
type: object
v1IndexData:
description: |-
IndexData is used to index the resource for search. It's an internal
object.
properties:
data:
items:
type: string
readOnly: true
type: array
search_score:
description: >-
search_score is the score of the resource for search. Internal use
only.
format: float
readOnly: true
type: number
tenant:
readOnly: true
type: string
will_be_deleted_at:
description: Time that the resource will be deleted.
format: date-time
readOnly: true
type: string
type: object
v1CountResponse:
description: Response to a list count request.
properties:
count:
description: Number of objects matching the given list parameters.
format: int32
type: integer
type: object
v1GroupResponse:
description: Response to a list group request.
properties:
groups:
additionalProperties:
$ref: '#/components/schemas/GroupResponseGroupData'
description: |-
Map indexed by values of the fields specified in aggregation_paths,
for example, {"[{"key":"meta.kind","value":"Project"}]": {
"aggregation_count": { "count": 1649 } } }.
type: object
type: object
v1ListVulnerabilitiesResponseList:
properties:
objects:
items:
$ref: '#/components/schemas/v1Vuln'
type: array
response:
$ref: '#/components/schemas/v1ListResponse'
type: object
v1QueryVulnerabilityPackageVersionNames:
properties:
names:
items:
type: string
type: array
type: object
QueryVulnerabilityVulnerabilityNameQuery:
properties:
name:
type: string
type: object
SpecVulnerabilityType:
default: VULNERABILITY_TYPE_UNSPECIFIED
description: Enum representing the type of vulnerability.
enum:
- VULNERABILITY_TYPE_UNSPECIFIED
- VULNERABILITY_TYPE_MALICIOUS
type: string
GroupResponseGroupData:
description: Information about objects matching the given key.
properties:
aggregation_count:
$ref: '#/components/schemas/v1CountResponse'
aggregation_uuids:
description: |-
List of UUIDs of the objects in the group.
Only populated if show_aggregation_uuids is set.
items:
type: string
type: array
aggregation_value:
$ref: '#/components/schemas/v1GroupAggregationValueResponse'
unique_counts:
additionalProperties:
$ref: '#/components/schemas/v1CountResponse'
description: |-
Map of counts for the given unique_count_paths fields.
Only populated if unique_count_paths is set.
type: object
unique_values:
additionalProperties:
items:
type: object
type: array
description: |-
Map of values for the given unique_value_paths fields.
Only populated if unique_value_paths is set.
type: object
type: object
v1Vuln:
description: Vuln represents an Endor Labs vulnerability in the system.
properties:
meta:
$ref: '#/components/schemas/v1Meta'
spec:
$ref: '#/components/schemas/v1VulnSpec'
tenant_meta:
$ref: '#/components/schemas/v1TenantMeta'
uuid:
description: The UUID of a vulnerability.
readOnly: true
type: string
required:
- meta
type: object
v1ListResponse:
description: Response to a list request.
properties:
next_page_id:
description: The UUID of last message retrieved.
type: string
next_page_token:
description: >-
Pagination token that can be used to retrieve the next page of
results.
format: int32
type: integer
type: object
v1GroupAggregationValueResponse:
description: |-
GroupAggregationValueResponse returns the value of the aggregation if
requested.
properties:
value:
format: float
type: number
type: object
v1VulnSpec:
properties:
additional_endor_notes:
description: Notes from the Endor Labs analysis of the vulnerability.
items:
type: string
type: array
additional_notes:
description: Notes by the person that processed the CVE.
items:
type: string
type: array
affected:
items:
$ref: '#/components/schemas/VulnSpecAffected'
type: array
aliases:
description: Optional. IDs for the same vulnerability in other databases.
items:
type: string
type: array
credits:
description: Optional. Credits for the vulnerability.
items:
$ref: '#/components/schemas/VulnSpecCredit'
type: array
cvss_v3_severity:
$ref: '#/components/schemas/SpecCVSSV3Severity'
cvss_v4_severity:
$ref: '#/components/schemas/SpecCVSSV4Severity'
database_specific:
description: >-
Optional. JSON object holding additional information about the
vulnerability as defined by the database for which the record
applies.
type: object
deepdive:
description: >-
Indicates whether the research team performed full analysis on
multiple
artifact_ids involved in CVE.
type: boolean
disputed:
description: >-
Indicates whether the research team considers a CVE should be
disputed
based on analysis.
type: boolean
epss_score:
$ref: '#/components/schemas/SpecEPSSScore'
malicious:
description: Indicates whether this item is classified as malicious or not.
type: boolean
modified:
description: The RFC3339 timestamp indicating when this entry was last modified.
format: date-time
type: string
published:
description: The RFC3339 timestamp indicating when this entry was published.
format: date-time
type: string
raw:
$ref: '#/components/schemas/SpecRaw'
references:
description: Reference URLs for the vulnerability.
items:
$ref: '#/components/schemas/VulnSpecReference'
type: array
related:
description: >-
Optional. List of IDs of closely related vulnerabilities, such as
the
same problem in alternate ecosystems.
items:
type: string
type: array
summary:
description: Long summary of the vulnerability.
type: string
withdrawn:
description: >-
Optional. The RFC3339 timestamp indicating when this entry is
considered
to be withdrawn.
format: date-time
type: string
type: object
VulnSpecAffected:
properties:
affected_callpath_uris:
description: >-
Affected function URIs in FastenURI format.
For example,
"/com.atlassian.connect.spring.internal.lifecycle/LifecycleController.installed(%2Fcom.atlassian.connect.spring.internal.lifecycle%2FLifecycleEvent,%2Fcom.atlassian.connect.spring%2FAtlassianHostUser)%2Forg.springframework.http%2FResponseEntity".
items:
type: string
type: array
affected_filepaths:
description: >-
Class name that this vulnerability affects in JVM notation.
For example,
"com/atlassian/connect/spring/internal/lifecycle/LifecycleController.class".
items:
type: string
type: array
database_specific:
description: >-
Optional. JSON object holding additional information about the
vulnerability as defined by the database for which the record
applies.
type: object
ecosystem_specific:
description: >-
Optional. JSON object holding additional information about the
vulnerability as defined by the ecosystem for which the record
applies.
type: object
fix_commits:
items:
type: string
title: Links to the commits that fix the vulnerability
type: array
has_been_fixed:
type: boolean
maintainer_cvss_level:
$ref: '#/components/schemas/SpecCVSSSeverityLevel'
maintainer_severity:
$ref: '#/components/schemas/CVSSV3SeverityLevel'
package:
$ref: '#/components/schemas/SpecAffectedPackage'
ranges:
items:
$ref: '#/components/schemas/SpecAffectedRange'
type: array
source:
$ref: '#/components/schemas/AffectedSource'
versions:
items:
type: string
type: array
type: object
VulnSpecCredit:
properties:
contact:
description: Contact methods (URLs).
items:
type: string
type: array
name:
description: The name to give the credit.
type: string
type: object
SpecCVSSV3Severity:
properties:
level:
$ref: '#/components/schemas/CVSSV3SeverityLevel'
score:
description: |-
The Common Vulnerability Scoring System (CVSS score) provides a
numerical (0-10) representation of the severity of an information
security vulnerability.
format: float
type: number
temporal_level:
$ref: '#/components/schemas/CVSSV3SeverityLevel'
temporal_score:
description: |-
The Common Vulnerability Scoring System (CVSS score) provides a
numerical (0-10) representation of the severity of an information
security vulnerability.
format: float
type: number
temporal_vector:
description: >-
A specially formatted vector indicating the attack surface and
severity
of the vulnerability. Format is here:
https://www.first.org/cvss/specification-document.
type: string
vector:
description: >-
A specially formatted vector indicating the attack surface and
severity
of the vulnerability. Format is here:
https://www.first.org/cvss/specification-document.
type: string
type: object
SpecCVSSV4Severity:
properties:
base_level:
$ref: '#/components/schemas/CVSSV4SeverityV4Level'
base_score:
description: |-
The Common Vulnerability Scoring System v4.0 base score provides a
numerical (0-10) representation of the severity of an information
security vulnerability.
format: float
type: number
environmental_level:
$ref: '#/components/schemas/CVSSV4SeverityV4Level'
environmental_score:
description: |-
The CVSS v4.0 environmental score provides context-specific scoring
based on the deployment environment.
format: float
type: number
threat_level:
$ref: '#/components/schemas/CVSSV4SeverityV4Level'
threat_score:
description: |-
The CVSS v4.0 threat score provides additional context about the
exploitability of the vulnerability.
format: float
type: number
vector:
description: >-
A specially formatted vector indicating the attack surface and
severity
of the vulnerability. Format is here:
https://www.first.org/cvss/v4.0/specification-document.
type: string
type: object
SpecEPSSScore:
properties:
percentile_score:
format: double
type: number
probability_score:
format: double
type: number
type: object
SpecRaw:
properties:
endor_vulnerability:
$ref: '#/components/schemas/endorv1Vulnerability'
epss_record:
$ref: '#/components/schemas/SpecEPSSRecord'
kev_record:
$ref: '#/components/schemas/SpecKEVRecord'
nvd_vulnerability:
$ref: '#/components/schemas/v1NVDVulnerability'
osv_vulnerability:
$ref: '#/components/schemas/osvVulnerability'
type: object
VulnSpecReference:
properties:
type:
$ref: '#/components/schemas/ReferenceReferenceType'
url:
description: The vulnerability URL.
type: string
required:
- type
- url
type: object
SpecCVSSSeverityLevel:
default: CVSS_SEVERITY_LEVEL_UNSPECIFIED
description: Common severity level enum used across different CVSS versions.
enum:
- CVSS_SEVERITY_LEVEL_UNSPECIFIED
- CVSS_SEVERITY_LEVEL_NONE
- CVSS_SEVERITY_LEVEL_LOW
- CVSS_SEVERITY_LEVEL_MEDIUM
- CVSS_SEVERITY_LEVEL_HIGH
- CVSS_SEVERITY_LEVEL_CRITICAL
type: string
CVSSV3SeverityLevel:
default: LEVEL_UNSPECIFIED
enum:
- LEVEL_UNSPECIFIED
- LEVEL_NONE
- LEVEL_LOW
- LEVEL_MEDIUM
- LEVEL_HIGH
- LEVEL_CRITICAL
type: string
SpecAffectedPackage:
description: Package information and version.
properties:
cpe:
type: string
cpes:
description: List of CPEs associated with the affected package.
items:
type: string
type: array
ecosystem:
$ref: '#/components/schemas/v1Ecosystem'
name:
type: string
purl:
type: string
required:
- name
- ecosystem
type: object
SpecAffectedRange:
description: Affected ranges.
properties:
fixed:
description: The version or commit in which this vulnerability was fixed.
type: string
introduced:
description: |-
The earliest version or commit in which this vulnerability was
introduced.
type: string
last_affected:
description: >-
The last version known to be affected. Versions strictly after this
are assumed to be fixed. Used when an explicit fixed version is
unavailable.
type: string
repo:
description: The repository URL.
type: string
type:
$ref: '#/components/schemas/RangeRangeType'
type: object
AffectedSource:
default: SOURCE_UNSPECIFIED
enum:
- SOURCE_UNSPECIFIED
- SOURCE_OSV
- SOURCE_ENDOR
- SOURCE_OVAL
type: string
CVSSV4SeverityV4Level:
default: V4_LEVEL_UNSPECIFIED
enum:
- V4_LEVEL_UNSPECIFIED
- V4_LEVEL_NONE
- V4_LEVEL_LOW
- V4_LEVEL_MEDIUM
- V4_LEVEL_HIGH
- V4_LEVEL_CRITICAL
type: string
endorv1Vulnerability:
description: >-
Vulnerability models information that can be extracted by analyzing
CVEs.
properties:
additional_notes:
description: Notes by the person that processed the CVE.
type: string
component:
description: |-
Information about affected artifacts, versions
and function identifiers.
items:
$ref: '#/components/schemas/VulnerabilityComponent'
type: array
cve_description:
description: A freeform textual summary of the vulnerability.
type: string
cve_id:
description: The CVE ID, as it appears in the NVD. For example, CVE-2021-36090.
type: string
cve_references:
items:
type: string
title: Web links containing extra information about the CVE
type: array
cvss_score:
description: >-
The Common Vulnerability Scoring System (CVSS score) provides a
numerical
(0-10) representation of the severity of an information security
vulnerability.
format: float
type: number
cvss_vector:
title: >-
A specially formatted vector indicating the attack surface and
severity of
the vulnerability. Format is here:
https://www.first.org/cvss/specification-document
type: string
cwe:
title: |-
The Common Weakness Enumeration field, if any.
See: https://cwe.mitre.org
type: string
deepdive:
description: >-
Indicates whether the research team performed full analysis on
multiple
artifact_ids involved in CVE.
type: boolean
disputed:
description: >-
Indicates whether the research team considers a CVE should be
disputed
based on analysis.
type: boolean
ecosystem:
title: A free form name of the ecosystem, e.g. Maven
type: string
fix_commit:
items:
type: string
title: Links to the commit(s) that fix the vulnerability
type: array
last_updated:
description: The timestamp when the vulnerability was last updated.
format: date-time
type: string
malicious:
description: Indicates whether this item is classified as malicious or not.
type: boolean
nofix:
description: >-
Indicates whether the fix is not released or not disclosed for a
CVE.
In such cases, the endor_uri string might not be available.
type: boolean
package_name:
title: |-
A free form name of the affected package / project, e.g. Apache
commons-compress
type: string
schema_version:
description: The schema version used for this vulnerability descriptor.
type: string
withdrawn:
description: Indicates whether the underlying vulnerability has been withdrawn.
format: date-time
type: string
required:
- cve_id
- cve_description
- package_name
- ecosystem
- schema_version
type: object
SpecEPSSRecord:
properties:
cve_id:
type: string
ingestion_time:
format: date-time
type: string
percentile:
format: double
type: number
probability:
format: double
type: number
type: object
SpecKEVRecord:
properties:
cve_id:
type: string
date_added:
format: date-time
type: string
due_date:
format: date-time
type: string
known_ransomware_campaign_use:
type: string
notes:
type: string
product:
type: string
required_action:
type: string
short_description:
type: string
vendor_project:
type: string
vulnerability_name:
type: string
type: object
v1NVDVulnerability:
description: >-
NVD Vulnerability.
Based on schema definition provided by NVD here.
https://csrc.nist.gov/schema/nvd/api/2.0/cve_api_json_2.0.schema.
properties:
cve:
$ref: '#/components/schemas/NVDVulnerabilityRootCve'
type: object
osvVulnerability:
description: >-
A vulnerability entry.
The protobuf representation is *NOT* stable and only used for
implementing
the JSON based API.
properties:
affected:
description: Required. Affected commit ranges and versions.
items:
$ref: '#/components/schemas/osvAffected'
type: array
aliases:
description: Optional. IDs for the same vulnerability in other databases.
items:
type: string
type: array
credits:
description: Optional. Credits for the vulnerability.
items:
$ref: '#/components/schemas/osvCredit'
type: array
database_specific:
description: >-
Optional. JSON object holding additional information about the
vulnerability as defined by the database for which the record
applies.
type: object
details:
description: >-
Required. Any additional human readable details for the
vulnerability.
type: string
id:
description: >-
The `id` field is a unique identifier for the vulnerability entry.
It is a
string of the format `-`, where `DB` names the database
and
`ENTRYID` is in the format used by the database. For example:
“OSV-2020-111”, “CVE-2021-3114”, or “GHSA-vp9c-fpxx-744v”.
type: string
modified:
description: The RFC3339 timestamp indicating when this entry was last modified.
format: date-time
type: string
package:
$ref: '#/components/schemas/osvPackage'
published:
description: The RFC3339 timestamp indicating when this entry was published.
format: date-time
type: string
references:
description: |-
Optional. URLs to more information/advisories (including the
scheme e.g "https://").
items:
$ref: '#/components/schemas/osvReference'
type: array
related:
description: >-
Optional. List of IDs of closely related vulnerabilities, such as
the same
problem in alternate ecosystems.
items:
type: string
type: array
schema_version:
description: The OSV schema version.
type: string
severity:
description: Optional. Severity of the vulnerability.
items:
$ref: '#/components/schemas/osvSeverity'
type: array
summary:
description: >-
Required. One line human readable summary for the vulnerability. It
is
recommended to keep this under 120 characters.
type: string
withdrawn:
description: >-
Optional. The RFC3339 timestamp indicating when this entry is
considered to
be withdrawn.
format: date-time
type: string
type: object
ReferenceReferenceType:
default: REFERENCE_TYPE_UNSPECIFIED
enum:
- REFERENCE_TYPE_UNSPECIFIED
- REFERENCE_TYPE_WEB
- REFERENCE_TYPE_ADVISORY
- REFERENCE_TYPE_REPORT
- REFERENCE_TYPE_FIX
- REFERENCE_TYPE_PACKAGE
- REFERENCE_TYPE_ARTICLE
type: string
v1Ecosystem:
default: ECOSYSTEM_UNSPECIFIED
description: >2-
- ECOSYSTEM_GO: GoLang.
- ECOSYSTEM_MAVEN: Maven.
- ECOSYSTEM_PYPI: Python.
- ECOSYSTEM_CARGO: Rust.
- ECOSYSTEM_NPM: Javascript.
- ECOSYSTEM_GEM: Ruby.
- ECOSYSTEM_NUGET: Dotnet.
- ECOSYSTEM_PACKAGIST: PHP.
- ECOSYSTEM_SBOM: SBOMs.
- ECOSYSTEM_RPM: RPM.
- ECOSYSTEM_DEBIAN: Debian.
- ECOSYSTEM_GITHUB_ACTION: GitHub Actions.
- ECOSYSTEM_COCOAPOD: Cocoapods.
- ECOSYSTEM_APK: APK (alpine et.al).
- ECOSYSTEM_CONTAINER: Containers.
- ECOSYSTEM_HUGGING_FACE: Hugging Face.
- ECOSYSTEM_C: C/C++.
- ECOSYSTEM_GIT: ecosystem GIT for GIT repository dependencies.
This can be used for package name of the resolved dependencies when a
given repository has dependencies to other GIT repositories. Currently
we
use this to represent vulnerabilities for the given GIT repository. ex:
git submodules, C/C++ dependencies.
- ECOSYSTEM_AI_MODEL: AI models.
- ECOSYSTEM_SWIFT: Ecosystem Swift consists of native Swift packages, which are defined
using the Package.swift manifest file and managed by the Swift Package
Manager. There is a separate ecosystem for Cocoapod packages called
ECOSYSTEM_COCOAPOD, which is an alternative package manager for Swift
packages.
- ECOSYSTEM_CONAN: Ecosystem Conan for C/C++ packages managed by the Conan 2.x package manager.
enum:
- ECOSYSTEM_UNSPECIFIED
- ECOSYSTEM_GO
- ECOSYSTEM_MAVEN
- ECOSYSTEM_PYPI
- ECOSYSTEM_CARGO
- ECOSYSTEM_NPM
- ECOSYSTEM_GEM
- ECOSYSTEM_NUGET
- ECOSYSTEM_PACKAGIST
- ECOSYSTEM_SBOM
- ECOSYSTEM_RPM
- ECOSYSTEM_DEBIAN
- ECOSYSTEM_GITHUB_ACTION
- ECOSYSTEM_COCOAPOD
- ECOSYSTEM_APK
- ECOSYSTEM_CONTAINER
- ECOSYSTEM_HUGGING_FACE
- ECOSYSTEM_C
- ECOSYSTEM_GIT
- ECOSYSTEM_AI_MODEL
- ECOSYSTEM_SWIFT
- ECOSYSTEM_CONAN
type: string
RangeRangeType:
default: RANGE_TYPE_UNSPECIFIED
description: Type of the version information.
enum:
- RANGE_TYPE_UNSPECIFIED
- RANGE_TYPE_GIT
- RANGE_TYPE_SEMVER
- RANGE_TYPE_ECOSYSTEM
type: string
VulnerabilityComponent:
properties:
artifact_id:
description: Indicates the artifact artifact_id that the CVE affects.
type: string
endor_uri:
description: >-
Affected function URIs in FastenURI format.
For example,
"/com.atlassian.connect.spring.internal.lifecycle/LifecycleController.installed(%2Fcom.atlassian.connect.spring.internal.lifecycle%2FLifecycleEvent,%2Fcom.atlassian.connect.spring%2FAtlassianHostUser)%2Forg.springframework.http%2FResponseEntity".
items:
type: string
type: array
fixed_versions:
description: >-
A list of all fixed versions.
Can be more than one if the fix is applied on multiple release
branches.
items:
type: string
type: array
group_id:
description: Indicates the artifact group id that the CVE affects.
type: string
versions_range:
description: >-
Vulnerable version range in Maven notation. For example,
"[1.1.0,2.1.3)".
items:
type: string
type: array
vulnerable_filepath:
description: >-
Class name that this vulnerability affects in JVM notation.
For example,
"com/atlassian/connect/spring/internal/lifecycle/LifecycleController.class".
items:
type: string
type: array
vulnerable_versions:
description: A list of all affected artifact versions.
items:
type: string
type: array
required:
- group_id
- artifact_id
type: object
NVDVulnerabilityRootCve:
properties:
cisa_action_due:
type: string
cisa_exploit_add:
type: string
cisa_required_action:
type: string
cisa_vulnerability_name:
type: string
configurations:
items:
$ref: '#/components/schemas/RootCveConfig'
type: array
descriptions:
items:
$ref: '#/components/schemas/RootCveLangString'
type: array
evaluator_comment:
type: string
evaluator_impact:
type: string
evaluator_solution:
type: string
id:
type: string
last_modified:
format: date-time
type: string
metrics:
$ref: '#/components/schemas/RootCveCVSSMetric'
published:
format: date-time
type: string
references:
items:
$ref: '#/components/schemas/NVDVulnerabilityRootCveReference'
type: array
source_identifier:
type: string
vendor_comments:
items:
$ref: '#/components/schemas/RootCveVendorComment'
type: array
vuln_status:
type: string
vuln_typed_status:
$ref: '#/components/schemas/v1NVDStatus'
weaknesses:
items:
$ref: '#/components/schemas/RootCveWeakness'
type: array
required:
- id
- published
- last_modified
- descriptions
- references
type: object
osvAffected:
description: Affected versions and commits.
properties:
database_specific:
description: >-
Optional. JSON object holding additional information about the
vulnerability as defined by the database for which the record
applies.
type: object
ecosystem_specific:
description: >-
Optional. JSON object holding additional information about the
vulnerability as defined by the ecosystem for which the record
applies.
type: object
package:
$ref: '#/components/schemas/osvPackage'
ranges:
description: Required. Range information.
items:
$ref: '#/components/schemas/osvRange'
type: array
versions:
description: Optional. List of affected versions.
items:
type: string
type: array
type: object
osvCredit:
properties:
contact:
description: Contact methods (URLs).
items:
type: string
type: array
name:
description: The name to give credit to.
type: string
type: object
osvPackage:
description: Package information and version.
properties:
ecosystem:
description: |-
Required. The ecosystem for this package.
For the complete list of valid ecosystem names, see
.
type: string
name:
description: >-
Required. Name of the package. Should match the name used in the
package
ecosystem (e.g. the npm package name). For C/C++ projects integrated
in
OSS-Fuzz, this is the name used for the integration.
type: string
purl:
description: Optional. The package URL for this package.
type: string
type: object
osvReference:
description: Reference URL.
properties:
type:
$ref: '#/components/schemas/osvReferenceType'
url:
description: Required. The URL.
type: string
type: object
osvSeverity:
properties:
score:
description: The quantitative score.
type: string
type:
$ref: '#/components/schemas/osvSeverityType'
type: object
RootCveConfig:
properties:
negate:
type: boolean
nodes:
items:
$ref: '#/components/schemas/ConfigCVSSNode'
type: array
operator:
$ref: '#/components/schemas/ConfigOperator'
type: object
RootCveLangString:
properties:
lang:
type: string
value:
type: string
required:
- lang
- value
type: object
RootCveCVSSMetric:
properties:
cvss_metric_v2:
items:
$ref: '#/components/schemas/NVDVulnerabilityCvssMetricV2'
type: array
cvss_metric_v30:
items:
$ref: '#/components/schemas/NVDVulnerabilityCvssMetricV30'
type: array
cvss_metric_v31:
items:
$ref: '#/components/schemas/NVDVulnerabilityCvssMetricV31'
type: array
cvss_metric_v40:
items:
$ref: '#/components/schemas/NVDVulnerabilityCvssMetricV40'
type: array
type: object
NVDVulnerabilityRootCveReference:
properties:
source:
type: string
tags:
items:
type: string
type: array
url:
type: string
required:
- url
type: object
RootCveVendorComment:
properties:
comment:
type: string
last_modified:
format: date-time
type: string
organization:
type: string
required:
- organization
- comment
- last_modified
type: object
v1NVDStatus:
default: NVD_STATUS_UNSPECIFIED
enum:
- NVD_STATUS_UNSPECIFIED
- NVD_STATUS_RECEIVED
- NVD_STATUS_AWAITING_ANALYSIS
- NVD_STATUS_UNDERGOING_ANALYSIS
- NVD_STATUS_ANALYZED
- NVD_STATUS_MODIFIED
- NVD_STATUS_DEFERRED
- NVD_STATUS_REJECTED
type: string
RootCveWeakness:
properties:
description:
items:
$ref: '#/components/schemas/RootCveLangString'
type: array
source:
type: string
type:
type: string
required:
- source
- type
- description
type: object
osvRange:
description: Affected ranges.
properties:
events:
description: Required. Version event information.
items:
$ref: '#/components/schemas/osvEvent'
type: array
repo:
description: >-
Required if type is GIT. The publicly accessible URL of the repo
that can
be directly passed to clone commands.
type: string
type:
$ref: '#/components/schemas/osvRangeType'
type: object
osvReferenceType:
default: NONE
enum:
- NONE
- WEB
- ADVISORY
- REPORT
- FIX
- PACKAGE
- ARTICLE
type: string
osvSeverityType:
default: UNSPECIFIED
description: Type of the severity.
enum:
- UNSPECIFIED
- CVSS_V3
type: string
ConfigCVSSNode:
properties:
cpe_match:
items:
$ref: '#/components/schemas/CVSSNodeCpeMatch'
type: array
negate:
type: boolean
operator:
$ref: '#/components/schemas/ConfigOperator'
required:
- operator
- cpe_match
type: object
ConfigOperator:
default: OPERATOR_UNSPECIFIED
enum:
- OPERATOR_UNSPECIFIED
- OPERATOR_AND
- OPERATOR_OR
type: string
NVDVulnerabilityCvssMetricV2:
description: >-
Based on schema definition provided by NVD here.
https://csrc.nist.gov/schema/nvd/api/2.0/external/cvss-v2.0.json.
properties:
ac_insuf_info:
type: boolean
base_severity:
type: string
cvss_data:
$ref: '#/components/schemas/v1CvssDataV2'
exploitability_score:
format: float
type: number
impact_score:
format: float
type: number
obtain_all_privilege:
type: boolean
obtain_other_privilege:
type: boolean
obtain_user_privilege:
type: boolean
source:
type: string
type:
$ref: '#/components/schemas/v1NVDMetricType'
user_interaction_required:
type: boolean
required:
- source
- type
- cvss_data
type: object
NVDVulnerabilityCvssMetricV30:
description: >-
Based on schema definition provided by NVD here.
https://csrc.nist.gov/schema/nvd/api/3.0/external/cvss-v2.0.json.
properties:
cvss_data:
$ref: '#/components/schemas/v1CvssDataV30'
exploitability_score:
format: float
type: number
impact_score:
format: float
type: number
source:
type: string
type:
$ref: '#/components/schemas/v1NVDMetricType'
required:
- source
- type
- cvss_data
type: object
NVDVulnerabilityCvssMetricV31:
description: >-
Based on schema definition provided by NVD here.
https://csrc.nist.gov/schema/nvd/api/2.0/external/cvss-v3.1.json.
properties:
cvss_data:
$ref: '#/components/schemas/v1CvssDataV31'
exploitability_score:
format: float
type: number
impact_score:
format: float
type: number
source:
type: string
type:
$ref: '#/components/schemas/v1NVDMetricType'
required:
- source
- type
- cvss_data
type: object
NVDVulnerabilityCvssMetricV40:
description: >-
CvssMetricV40. Based on schema definition provided by FIRST.ORG for CVSS
v4.0.
schema in
https://csrc.nist.gov/schema/nvd/api/2.0/external/cvss-v4.0.json.
properties:
cvss_data:
$ref: '#/components/schemas/v1CvssDataV40'
exploitability_score:
format: float
type: number
impact_score:
format: float
type: number
source:
type: string
type:
$ref: '#/components/schemas/v1NVDMetricType'
required:
- source
- type
- cvss_data
type: object
osvEvent:
description: Version events.
properties:
fixed:
description: The version/commit that this vulnerability was fixed in.
type: string
introduced:
description: |-
The earliest version/commit where this vulnerability
was introduced in.
type: string
limit:
description: The limit to apply to the range.
type: string
type: object
osvRangeType:
default: UNSPECIFIED
description: Type of the version information.
enum:
- UNSPECIFIED
- GIT
- SEMVER
- ECOSYSTEM
type: string
CVSSNodeCpeMatch:
properties:
criteria:
type: string
match_criteria_id:
type: string
version_end_excluding:
type: string
version_end_including:
type: string
version_start_excluding:
type: string
version_start_including:
type: string
vulnerable:
type: boolean
required:
- vulnerable
- criteria
- match_criteria_id
type: object
v1CvssDataV2:
properties:
access_complexity:
$ref: '#/components/schemas/CvssDataV2AccessComplexity'
access_vector:
$ref: '#/components/schemas/v1NVDAttackVector'
authentication:
$ref: '#/components/schemas/CvssDataV2Auth'
availability_impact:
$ref: '#/components/schemas/CvssDataV2V2Impact'
availability_requirement:
$ref: '#/components/schemas/v1NVDRequirement'
base_score:
format: float
type: number
collateral_damage_potential:
$ref: '#/components/schemas/CvssDataV2CollateralDamagePotential'
confidentiality_impact:
$ref: '#/components/schemas/CvssDataV2V2Impact'
confidentiality_requirement:
$ref: '#/components/schemas/v1NVDRequirement'
environmental_score:
format: float
type: number
exploitability:
$ref: '#/components/schemas/CvssDataV2Exploitability'
integrity_impact:
$ref: '#/components/schemas/CvssDataV2V2Impact'
integrity_requirement:
$ref: '#/components/schemas/v1NVDRequirement'
remediation_level:
$ref: '#/components/schemas/v1NVDRemediationLevel'
report_confidence:
$ref: '#/components/schemas/CvssDataV2ReportConfidence'
target_distribution:
$ref: '#/components/schemas/CvssDataV2TargetDistribution'
temporal_score:
format: float
type: number
vector_string:
type: string
version:
type: string
required:
- version
- vector_string
- base_score
type: object
v1NVDMetricType:
default: NVD_METRIC_TYPE_UNSPECIFIED
enum:
- NVD_METRIC_TYPE_UNSPECIFIED
- NVD_METRIC_TYPE_PRIMARY
- NVD_METRIC_TYPE_SECONDARY
type: string
v1CvssDataV30:
properties:
attack_complexity:
$ref: '#/components/schemas/v1NVDAttackComplexity'
attack_vector:
$ref: '#/components/schemas/v1NVDAttackVector'
availability_impact:
$ref: '#/components/schemas/v1NVDImpact'
availability_requirement:
$ref: '#/components/schemas/v1NVDRequirement'
base_score:
format: float
type: number
base_severity:
$ref: '#/components/schemas/v1NVDSeverity'
confidentiality_impact:
$ref: '#/components/schemas/v1NVDImpact'
confidentiality_requirement:
$ref: '#/components/schemas/v1NVDRequirement'
environmental_score:
format: float
type: number
environmental_severity:
$ref: '#/components/schemas/v1NVDSeverity'
exploit_code_maturity:
$ref: '#/components/schemas/v1NVDExploitCodeMaturity'
integrity_impact:
$ref: '#/components/schemas/v1NVDImpact'
integrity_requirement:
$ref: '#/components/schemas/v1NVDRequirement'
modified_attack_complexity:
$ref: '#/components/schemas/v1NVDModifiedAttackComplexity'
modified_attack_vector:
$ref: '#/components/schemas/v1NVDModifiedAttackVector'
modified_availability_impact:
$ref: '#/components/schemas/v1NVDModifiedImpact'
modified_confidentiality_impact:
$ref: '#/components/schemas/v1NVDModifiedImpact'
modified_integrity_impact:
$ref: '#/components/schemas/v1NVDModifiedImpact'
modified_privileges_required:
$ref: '#/components/schemas/v1NVDModifiedPrivilegesRequired'
modified_scope:
$ref: '#/components/schemas/v1NVDModifiedScope'
modified_user_interaction:
$ref: '#/components/schemas/v1NVDModifiedUserInteraction'
privileges_required:
$ref: '#/components/schemas/v1NVDPrivilegesRequired'
remediation_level:
$ref: '#/components/schemas/v1NVDRemediationLevel'
report_confidence:
$ref: '#/components/schemas/v1NVDReportConfidence'
scope:
$ref: '#/components/schemas/v1NVDScope'
temporal_score:
format: float
type: number
temporal_severity:
$ref: '#/components/schemas/v1NVDSeverity'
user_interaction:
$ref: '#/components/schemas/v1NVDUserInteraction'
vector_string:
type: string
version:
type: string
required:
- version
- vector_string
- base_score
- base_severity
type: object
v1CvssDataV31:
properties:
attack_complexity:
$ref: '#/components/schemas/v1NVDAttackComplexity'
attack_vector:
$ref: '#/components/schemas/v1NVDAttackVector'
availability_impact:
$ref: '#/components/schemas/v1NVDImpact'
availability_requirement:
$ref: '#/components/schemas/v1NVDRequirement'
base_score:
format: float
type: number
base_severity:
$ref: '#/components/schemas/v1NVDSeverity'
confidentiality_impact:
$ref: '#/components/schemas/v1NVDImpact'
confidentiality_requirement:
$ref: '#/components/schemas/v1NVDRequirement'
environmental_score:
format: float
type: number
environmental_severity:
$ref: '#/components/schemas/v1NVDSeverity'
exploit_code_maturity:
$ref: '#/components/schemas/v1NVDExploitCodeMaturity'
integrity_impact:
$ref: '#/components/schemas/v1NVDImpact'
integrity_requirement:
$ref: '#/components/schemas/v1NVDRequirement'
modified_attack_complexity:
$ref: '#/components/schemas/v1NVDModifiedAttackComplexity'
modified_attack_vector:
$ref: '#/components/schemas/v1NVDModifiedAttackVector'
modified_availability_impact:
$ref: '#/components/schemas/v1NVDModifiedImpact'
modified_confidentiality_impact:
$ref: '#/components/schemas/v1NVDModifiedScope'
modified_integrity_impact:
$ref: '#/components/schemas/v1NVDModifiedImpact'
modified_privileges_required:
$ref: '#/components/schemas/v1NVDModifiedPrivilegesRequired'
modified_scope:
$ref: '#/components/schemas/v1NVDModifiedScope'
modified_user_interaction:
$ref: '#/components/schemas/v1NVDModifiedUserInteraction'
privileges_required:
$ref: '#/components/schemas/v1NVDPrivilegesRequired'
remediation_level:
$ref: '#/components/schemas/v1NVDRemediationLevel'
report_confidence:
$ref: '#/components/schemas/v1NVDReportConfidence'
scope:
$ref: '#/components/schemas/v1NVDScope'
temporal_score:
format: float
type: number
temporal_severity:
$ref: '#/components/schemas/v1NVDSeverity'
user_interaction:
$ref: '#/components/schemas/v1NVDUserInteraction'
vector_string:
type: string
version:
type: string
required:
- version
- vector_string
- base_score
- base_severity
type: object
v1CvssDataV40:
properties:
attack_complexity:
$ref: '#/components/schemas/v1NVDV40AttackComplexity'
attack_requirements:
$ref: '#/components/schemas/v1NVDV40AttackRequirements'
attack_vector:
$ref: '#/components/schemas/v1NVDV40AttackVector'
automatable:
$ref: '#/components/schemas/v1NVDV40Automatable'
availability_requirement:
$ref: '#/components/schemas/v1NVDV40Requirement'
base_score:
format: float
type: number
base_severity:
$ref: '#/components/schemas/v1NVDSeverity'
confidentiality_requirement:
$ref: '#/components/schemas/v1NVDV40Requirement'
environmental_score:
format: float
type: number
environmental_severity:
$ref: '#/components/schemas/v1NVDSeverity'
exploit_maturity:
$ref: '#/components/schemas/v1NVDV40ExploitMaturity'
integrity_requirement:
$ref: '#/components/schemas/v1NVDV40Requirement'
modified_attack_complexity:
$ref: '#/components/schemas/v1NVDV40ModifiedAttackComplexity'
modified_attack_requirements:
$ref: '#/components/schemas/v1NVDV40ModifiedAttackRequirements'
modified_attack_vector:
$ref: '#/components/schemas/v1NVDV40ModifiedAttackVector'
modified_privileges_required:
$ref: '#/components/schemas/v1NVDV40ModifiedPrivilegesRequired'
modified_sub_availability_impact:
$ref: '#/components/schemas/v1NVDV40ModifiedSubImpact'
modified_sub_confidentiality_impact:
$ref: '#/components/schemas/v1NVDV40ModifiedSubImpact'
modified_sub_integrity_impact:
$ref: '#/components/schemas/v1NVDV40ModifiedSubImpact'
modified_user_interaction:
$ref: '#/components/schemas/v1NVDV40ModifiedUserInteraction'
modified_vuln_availability_impact:
$ref: '#/components/schemas/v1NVDV40ModifiedImpact'
modified_vuln_confidentiality_impact:
$ref: '#/components/schemas/v1NVDV40ModifiedImpact'
modified_vuln_integrity_impact:
$ref: '#/components/schemas/v1NVDV40ModifiedImpact'
privileges_required:
$ref: '#/components/schemas/v1NVDV40PrivilegesRequired'
provider_urgency:
$ref: '#/components/schemas/v1NVDV40ProviderUrgency'
recovery:
$ref: '#/components/schemas/v1NVDV40Recovery'
safety:
$ref: '#/components/schemas/v1NVDV40Safety'
sub_availability_impact:
$ref: '#/components/schemas/v1NVDV40Impact'
sub_confidentiality_impact:
$ref: '#/components/schemas/v1NVDV40Impact'
sub_integrity_impact:
$ref: '#/components/schemas/v1NVDV40Impact'
threat_score:
format: float
type: number
threat_severity:
$ref: '#/components/schemas/v1NVDSeverity'
user_interaction:
$ref: '#/components/schemas/v1NVDV40UserInteraction'
value_density:
$ref: '#/components/schemas/v1NVDV40ValueDensity'
vector_string:
type: string
version:
type: string
vuln_availability_impact:
$ref: '#/components/schemas/v1NVDV40Impact'
vuln_confidentiality_impact:
$ref: '#/components/schemas/v1NVDV40Impact'
vuln_integrity_impact:
$ref: '#/components/schemas/v1NVDV40Impact'
vulnerability_response_effort:
$ref: '#/components/schemas/v1NVDV40VulnerabilityResponseEffort'
required:
- version
- vector_string
- base_score
- base_severity
type: object
CvssDataV2AccessComplexity:
default: ACCESS_COMPLEXITY_UNSPECIFIED
enum:
- ACCESS_COMPLEXITY_UNSPECIFIED
- ACCESS_COMPLEXITY_HIGH
- ACCESS_COMPLEXITY_MEDIUM
- ACCESS_COMPLEXITY_LOW
type: string
v1NVDAttackVector:
default: NVD_ATTACK_VECTOR_UNSPECIFIED
enum:
- NVD_ATTACK_VECTOR_UNSPECIFIED
- NVD_ATTACK_VECTOR_NETWORK
- NVD_ATTACK_VECTOR_ADJACENT_NETWORK
- NVD_ATTACK_VECTOR_LOCAL
- NVD_ATTACK_VECTOR_PHYSICAL
type: string
CvssDataV2Auth:
default: AUTH_UNSPECIFIED
enum:
- AUTH_UNSPECIFIED
- AUTH_MULTIPLE
- AUTH_SINGLE
- AUTH_NONE
type: string
CvssDataV2V2Impact:
default: V2_IMPACT_IMPACT_UNSPECIFIED
enum:
- V2_IMPACT_IMPACT_UNSPECIFIED
- V2_IMPACT_IMPACT_NONE
- V2_IMPACT_IMPACT_PARTIAL
- V2_IMPACT_IMPACT_COMPLETE
type: string
v1NVDRequirement:
default: NVD_REQUIREMENT_UNSPECIFIED
enum:
- NVD_REQUIREMENT_UNSPECIFIED
- NVD_REQUIREMENT_LOW
- NVD_REQUIREMENT_MEDIUM
- NVD_REQUIREMENT_HIGH
- NVD_REQUIREMENT_NOT_DEFINED
type: string
CvssDataV2CollateralDamagePotential:
default: COLLATERAL_DAMAGE_POTENTIAL_UNSPECIFIED
enum:
- COLLATERAL_DAMAGE_POTENTIAL_UNSPECIFIED
- COLLATERAL_DAMAGE_POTENTIAL_NONE
- COLLATERAL_DAMAGE_POTENTIAL_LOW
- COLLATERAL_DAMAGE_POTENTIAL_LOW_MEDIUM
- COLLATERAL_DAMAGE_POTENTIAL_MEDIUM_HIGH
- COLLATERAL_DAMAGE_POTENTIAL_HIGH
- COLLATERAL_DAMAGE_POTENTIAL_NOT_DEFINED
type: string
CvssDataV2Exploitability:
default: EXPLOITABILITY_UNSPECIFIED
enum:
- EXPLOITABILITY_UNSPECIFIED
- EXPLOITABILITY_UNPROVEN
- EXPLOITABILITY_PROOF_OF_CONCEPT
- EXPLOITABILITY_FUNCTIONAL
- EXPLOITABILITY_HIGH
- EXPLOITABILITY_NOT_DEFINED
type: string
v1NVDRemediationLevel:
default: NVD_REMEDIATION_LEVEL_UNSPECIFIED
enum:
- NVD_REMEDIATION_LEVEL_UNSPECIFIED
- NVD_REMEDIATION_LEVEL_OFFICIAL_FIX
- NVD_REMEDIATION_LEVEL_TEMPORARY_FIX
- NVD_REMEDIATION_LEVEL_WORKAROUND
- NVD_REMEDIATION_LEVEL_UNAVAILABLE
- NVD_REMEDIATION_LEVEL_NOT_DEFINED
type: string
CvssDataV2ReportConfidence:
default: REPORT_CONFIDENCE_UNSPECIFIED
enum:
- REPORT_CONFIDENCE_UNSPECIFIED
- REPORT_CONFIDENCE_UNCONFIRMED
- REPORT_CONFIDENCE_UNCORROBORATED
- REPORT_CONFIDENCE_CONFIRMED
- REPORT_CONFIDENCE_NOT_DEFINED
type: string
CvssDataV2TargetDistribution:
default: TARGET_DISTRIBUTION_UNSPECIFIED
enum:
- TARGET_DISTRIBUTION_UNSPECIFIED
- TARGET_DISTRIBUTION_NONE
- TARGET_DISTRIBUTION_LOW
- TARGET_DISTRIBUTION_MEDIUM
- TARGET_DISTRIBUTION_HIGH
- TARGET_DISTRIBUTION_NOT_DEFINED
type: string
v1NVDAttackComplexity:
default: NVD_ATTACK_COMPLEXITY_UNSPECIFIED
enum:
- NVD_ATTACK_COMPLEXITY_UNSPECIFIED
- NVD_ATTACK_COMPLEXITY_HIGH
- NVD_ATTACK_COMPLEXITY_LOW
type: string
v1NVDImpact:
default: NVD_IMPACT_UNSPECIFIED
enum:
- NVD_IMPACT_UNSPECIFIED
- NVD_IMPACT_NONE
- NVD_IMPACT_LOW
- NVD_IMPACT_HIGH
type: string
v1NVDSeverity:
default: NVD_SEVERITY_UNSPECIFIED
enum:
- NVD_SEVERITY_UNSPECIFIED
- NVD_SEVERITY_NONE
- NVD_SEVERITY_LOW
- NVD_SEVERITY_MEDIUM
- NVD_SEVERITY_HIGH
- NVD_SEVERITY_CRITICAL
type: string
v1NVDExploitCodeMaturity:
default: NVD_EXPLOIT_CODE_MATURITY_UNSPECIFIED
enum:
- NVD_EXPLOIT_CODE_MATURITY_UNSPECIFIED
- NVD_EXPLOIT_CODE_MATURITY_UNPROVEN
- NVD_EXPLOIT_CODE_MATURITY_PROOF_OF_CONCEPT
- NVD_EXPLOIT_CODE_MATURITY_FUNCTIONAL
- NVD_EXPLOIT_CODE_MATURITY_HIGH
- NVD_EXPLOIT_CODE_MATURITY_NOT_DEFINED
type: string
v1NVDModifiedAttackComplexity:
default: NVD_MODIFIED_ATTACK_COMPLEXITY_UNSPECIFIED
enum:
- NVD_MODIFIED_ATTACK_COMPLEXITY_UNSPECIFIED
- NVD_MODIFIED_ATTACK_COMPLEXITY_HIGH
- NVD_MODIFIED_ATTACK_COMPLEXITY_LOW
- NVD_MODIFIED_ATTACK_COMPLEXITY_NOT_DEFINED
type: string
v1NVDModifiedAttackVector:
default: NVD_MODIFIED_ATTACK_VECTOR_UNSPECIFIED
enum:
- NVD_MODIFIED_ATTACK_VECTOR_UNSPECIFIED
- NVD_MODIFIED_ATTACK_VECTOR_NETWORK
- NVD_MODIFIED_ATTACK_VECTOR_ADJACENT_NETWORK
- NVD_MODIFIED_ATTACK_VECTOR_LOCAL
- NVD_MODIFIED_ATTACK_VECTOR_PHYSICAL
- NVD_MODIFIED_ATTACK_VECTOR_NOT_DEFINED
type: string
v1NVDModifiedImpact:
default: NVD_MODIFIED_IMPACT_UNSPECIFIED
enum:
- NVD_MODIFIED_IMPACT_UNSPECIFIED
- NVD_MODIFIED_IMPACT_NONE
- NVD_MODIFIED_IMPACT_LOW
- NVD_MODIFIED_IMPACT_HIGH
- NVD_MODIFIED_IMPACT_NOT_DEFINED
type: string
v1NVDModifiedPrivilegesRequired:
default: NVD_MODIFIED_PRIVILEGES_REQUIRED_UNSPECIFIED
enum:
- NVD_MODIFIED_PRIVILEGES_REQUIRED_UNSPECIFIED
- NVD_MODIFIED_PRIVILEGES_REQUIRED_HIGH
- NVD_MODIFIED_PRIVILEGES_REQUIRED_LOW
- NVD_MODIFIED_PRIVILEGES_REQUIRED_NONE
- NVD_MODIFIED_PRIVILEGES_REQUIRED_NOT_DEFINED
type: string
v1NVDModifiedScope:
default: NVD_MODIFIED_SCOPE_UNSPECIFIED
enum:
- NVD_MODIFIED_SCOPE_UNSPECIFIED
- NVD_MODIFIED_SCOPE_UNCHANGED
- NVD_MODIFIED_SCOPE_CHANGED
- NVD_MODIFIED_SCOPE_NOT_DEFINED
type: string
v1NVDModifiedUserInteraction:
default: NVD_MODIFIED_USER_INTERACTION_UNSPECIFIED
enum:
- NVD_MODIFIED_USER_INTERACTION_UNSPECIFIED
- NVD_MODIFIED_USER_INTERACTION_NONE
- NVD_MODIFIED_USER_INTERACTION_REQUIRED
- NVD_MODIFIED_USER_INTERACTION_NOT_DEFINED
type: string
v1NVDPrivilegesRequired:
default: NVD_PRIVILEGES_REQUIRED_UNSPECIFIED
enum:
- NVD_PRIVILEGES_REQUIRED_UNSPECIFIED
- NVD_PRIVILEGES_REQUIRED_HIGH
- NVD_PRIVILEGES_REQUIRED_LOW
- NVD_PRIVILEGES_REQUIRED_NONE
type: string
v1NVDReportConfidence:
default: NVD_REPORT_CONFIDENCE_UNSPECIFIED
enum:
- NVD_REPORT_CONFIDENCE_UNSPECIFIED
- NVD_REPORT_CONFIDENCE_UNKNOWN
- NVD_REPORT_CONFIDENCE_REASONABLE
- NVD_REPORT_CONFIDENCE_CONFIRMED
- NVD_REPORT_CONFIDENCE_NOT_DEFINED
type: string
v1NVDScope:
default: NVD_SCOPE_UNSPECIFIED
enum:
- NVD_SCOPE_UNSPECIFIED
- NVD_SCOPE_UNCHANGED
- NVD_SCOPE_CHANGED
type: string
v1NVDUserInteraction:
default: NVD_USER_INTERACTION_UNSPECIFIED
enum:
- NVD_USER_INTERACTION_UNSPECIFIED
- NVD_USER_INTERACTION_NONE
- NVD_USER_INTERACTION_REQUIRED
type: string
v1NVDV40AttackComplexity:
default: NVDV40_ATTACK_COMPLEXITY_UNSPECIFIED
enum:
- NVDV40_ATTACK_COMPLEXITY_UNSPECIFIED
- NVDV40_ATTACK_COMPLEXITY_HIGH
- NVDV40_ATTACK_COMPLEXITY_LOW
type: string
v1NVDV40AttackRequirements:
default: NVDV40_ATTACK_REQUIREMENTS_UNSPECIFIED
enum:
- NVDV40_ATTACK_REQUIREMENTS_UNSPECIFIED
- NVDV40_ATTACK_REQUIREMENTS_NONE
- NVDV40_ATTACK_REQUIREMENTS_PRESENT
type: string
v1NVDV40AttackVector:
default: NVDV40_ATTACK_VECTOR_UNSPECIFIED
enum:
- NVDV40_ATTACK_VECTOR_UNSPECIFIED
- NVDV40_ATTACK_VECTOR_NETWORK
- NVDV40_ATTACK_VECTOR_ADJACENT
- NVDV40_ATTACK_VECTOR_LOCAL
- NVDV40_ATTACK_VECTOR_PHYSICAL
type: string
v1NVDV40Automatable:
default: NVDV40_AUTOMATABLE_UNSPECIFIED
enum:
- NVDV40_AUTOMATABLE_UNSPECIFIED
- NVDV40_AUTOMATABLE_NO
- NVDV40_AUTOMATABLE_YES
- NVDV40_AUTOMATABLE_NOT_DEFINED
type: string
v1NVDV40Requirement:
default: NVDV40_REQUIREMENT_UNSPECIFIED
enum:
- NVDV40_REQUIREMENT_UNSPECIFIED
- NVDV40_REQUIREMENT_LOW
- NVDV40_REQUIREMENT_MEDIUM
- NVDV40_REQUIREMENT_HIGH
- NVDV40_REQUIREMENT_NOT_DEFINED
type: string
v1NVDV40ExploitMaturity:
default: NVDV40_EXPLOIT_MATURITY_UNSPECIFIED
enum:
- NVDV40_EXPLOIT_MATURITY_UNSPECIFIED
- NVDV40_EXPLOIT_MATURITY_UNREPORTED
- NVDV40_EXPLOIT_MATURITY_PROOF_OF_CONCEPT
- NVDV40_EXPLOIT_MATURITY_ATTACKED
- NVDV40_EXPLOIT_MATURITY_NOT_DEFINED
type: string
v1NVDV40ModifiedAttackComplexity:
default: NVDV40_MODIFIED_ATTACK_COMPLEXITY_UNSPECIFIED
enum:
- NVDV40_MODIFIED_ATTACK_COMPLEXITY_UNSPECIFIED
- NVDV40_MODIFIED_ATTACK_COMPLEXITY_HIGH
- NVDV40_MODIFIED_ATTACK_COMPLEXITY_LOW
- NVDV40_MODIFIED_ATTACK_COMPLEXITY_NOT_DEFINED
type: string
v1NVDV40ModifiedAttackRequirements:
default: NVDV40_MODIFIED_ATTACK_REQUIREMENTS_UNSPECIFIED
enum:
- NVDV40_MODIFIED_ATTACK_REQUIREMENTS_UNSPECIFIED
- NVDV40_MODIFIED_ATTACK_REQUIREMENTS_NONE
- NVDV40_MODIFIED_ATTACK_REQUIREMENTS_PRESENT
- NVDV40_MODIFIED_ATTACK_REQUIREMENTS_NOT_DEFINED
type: string
v1NVDV40ModifiedAttackVector:
default: NVDV40_MODIFIED_ATTACK_VECTOR_UNSPECIFIED
enum:
- NVDV40_MODIFIED_ATTACK_VECTOR_UNSPECIFIED
- NVDV40_MODIFIED_ATTACK_VECTOR_NETWORK
- NVDV40_MODIFIED_ATTACK_VECTOR_ADJACENT
- NVDV40_MODIFIED_ATTACK_VECTOR_LOCAL
- NVDV40_MODIFIED_ATTACK_VECTOR_PHYSICAL
- NVDV40_MODIFIED_ATTACK_VECTOR_NOT_DEFINED
type: string
v1NVDV40ModifiedPrivilegesRequired:
default: NVDV40_MODIFIED_PRIVILEGES_REQUIRED_UNSPECIFIED
enum:
- NVDV40_MODIFIED_PRIVILEGES_REQUIRED_UNSPECIFIED
- NVDV40_MODIFIED_PRIVILEGES_REQUIRED_HIGH
- NVDV40_MODIFIED_PRIVILEGES_REQUIRED_LOW
- NVDV40_MODIFIED_PRIVILEGES_REQUIRED_NONE
- NVDV40_MODIFIED_PRIVILEGES_REQUIRED_NOT_DEFINED
type: string
v1NVDV40ModifiedSubImpact:
default: NVDV40_MODIFIED_SUB_IMPACT_UNSPECIFIED
enum:
- NVDV40_MODIFIED_SUB_IMPACT_UNSPECIFIED
- NVDV40_MODIFIED_SUB_IMPACT_NEGLIGIBLE
- NVDV40_MODIFIED_SUB_IMPACT_LOW
- NVDV40_MODIFIED_SUB_IMPACT_HIGH
- NVDV40_MODIFIED_SUB_IMPACT_SAFETY
- NVDV40_MODIFIED_SUB_IMPACT_NOT_DEFINED
type: string
v1NVDV40ModifiedUserInteraction:
default: NVDV40_MODIFIED_USER_INTERACTION_UNSPECIFIED
enum:
- NVDV40_MODIFIED_USER_INTERACTION_UNSPECIFIED
- NVDV40_MODIFIED_USER_INTERACTION_NONE
- NVDV40_MODIFIED_USER_INTERACTION_PASSIVE
- NVDV40_MODIFIED_USER_INTERACTION_ACTIVE
- NVDV40_MODIFIED_USER_INTERACTION_NOT_DEFINED
type: string
v1NVDV40ModifiedImpact:
default: NVDV40_MODIFIED_IMPACT_UNSPECIFIED
enum:
- NVDV40_MODIFIED_IMPACT_UNSPECIFIED
- NVDV40_MODIFIED_IMPACT_NONE
- NVDV40_MODIFIED_IMPACT_LOW
- NVDV40_MODIFIED_IMPACT_HIGH
- NVDV40_MODIFIED_IMPACT_NOT_DEFINED
type: string
v1NVDV40PrivilegesRequired:
default: NVDV40_PRIVILEGES_REQUIRED_UNSPECIFIED
enum:
- NVDV40_PRIVILEGES_REQUIRED_UNSPECIFIED
- NVDV40_PRIVILEGES_REQUIRED_HIGH
- NVDV40_PRIVILEGES_REQUIRED_LOW
- NVDV40_PRIVILEGES_REQUIRED_NONE
type: string
v1NVDV40ProviderUrgency:
default: NVDV40_PROVIDER_URGENCY_UNSPECIFIED
enum:
- NVDV40_PROVIDER_URGENCY_UNSPECIFIED
- NVDV40_PROVIDER_URGENCY_CLEAR
- NVDV40_PROVIDER_URGENCY_GREEN
- NVDV40_PROVIDER_URGENCY_AMBER
- NVDV40_PROVIDER_URGENCY_RED
- NVDV40_PROVIDER_URGENCY_NOT_DEFINED
type: string
v1NVDV40Recovery:
default: NVDV40_RECOVERY_UNSPECIFIED
enum:
- NVDV40_RECOVERY_UNSPECIFIED
- NVDV40_RECOVERY_AUTOMATIC
- NVDV40_RECOVERY_USER
- NVDV40_RECOVERY_IRRECOVERABLE
- NVDV40_RECOVERY_NOT_DEFINED
type: string
v1NVDV40Safety:
default: NVDV40_SAFETY_UNSPECIFIED
enum:
- NVDV40_SAFETY_UNSPECIFIED
- NVDV40_SAFETY_NEGLIGIBLE
- NVDV40_SAFETY_PRESENT
- NVDV40_SAFETY_NOT_DEFINED
type: string
v1NVDV40Impact:
default: NVDV40_IMPACT_UNSPECIFIED
enum:
- NVDV40_IMPACT_UNSPECIFIED
- NVDV40_IMPACT_NONE
- NVDV40_IMPACT_LOW
- NVDV40_IMPACT_HIGH
type: string
v1NVDV40UserInteraction:
default: NVDV40_USER_INTERACTION_UNSPECIFIED
enum:
- NVDV40_USER_INTERACTION_UNSPECIFIED
- NVDV40_USER_INTERACTION_NONE
- NVDV40_USER_INTERACTION_PASSIVE
- NVDV40_USER_INTERACTION_ACTIVE
type: string
v1NVDV40ValueDensity:
default: NVDV40_VALUE_DENSITY_UNSPECIFIED
enum:
- NVDV40_VALUE_DENSITY_UNSPECIFIED
- NVDV40_VALUE_DENSITY_DIFFUSE
- NVDV40_VALUE_DENSITY_CONCENTRATED
- NVDV40_VALUE_DENSITY_NOT_DEFINED
type: string
v1NVDV40VulnerabilityResponseEffort:
default: NVDV40_VULNERABILITY_RESPONSE_EFFORT_UNSPECIFIED
enum:
- NVDV40_VULNERABILITY_RESPONSE_EFFORT_UNSPECIFIED
- NVDV40_VULNERABILITY_RESPONSE_EFFORT_LOW
- NVDV40_VULNERABILITY_RESPONSE_EFFORT_MODERATE
- NVDV40_VULNERABILITY_RESPONSE_EFFORT_HIGH
- NVDV40_VULNERABILITY_RESPONSE_EFFORT_NOT_DEFINED
type: string
````