CvssV3VulnAssessmentRelationship

Summary

Provides a CVSS version 3 assessment for a vulnerability.

Description

A CvssV3VulnAssessmentRelationship relationship describes the determined score, severity, and vector of a vulnerability as defined in Common Vulnerability Scoring System v3.0: Specification Document or Common Vulnerability Scoring System v3.1: Specification Document.

It is intended to communicate the results of using a CVSS calculator.

Constraints

  • The relationship type must be set to hasAssessmentFor.

Example

{
  "type": "CvssV3VulnAssessmentRelationship",
  "spdxId": "urn:spdx.dev:cvssv3-cve-2020-28498",
  "relationshipType": "hasAssessmentFor",
  "security_score": "6.8",
  "security_severity": "medium",
  "security_vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
  "from": "urn:spdx.dev:vuln-cve-2020-28498",
  "to": ["urn:product-acme-application-1.3"],
  "security_assessedElement": "urn:npm-elliptic-6.5.2",
  "externalRef": [
    {
      "type": "ExternalRef",
      "externalRefType": "securityAdvisory",
      "locator": "https://nvd.nist.gov/vuln/detail/CVE-2020-28498"
    },
    {
      "type": "ExternalRef",
      "externalRefType": "securityAdvisory",
      "locator": "https://snyk.io/vuln/SNYK-JS-ELLIPTIC-1064899"
    },
    {
      "type": "ExternalRef",
      "externalRefType": "securityFix",
      "locator": "https://github.com/indutny/elliptic/commit/441b742"
    }
  ],
  "suppliedBy": ["urn:spdx.dev:agent-my-security-vendor"],
  "publishedTime": "2023-05-06T10:06:13Z"
},
{
  "type": "Relationship",
  "spdxId": "urn:spdx.dev:vulnAgentRel-1",
  "relationshipType": "publishedBy",
  "from": "urn:spdx.dev:cvssv3-cve-2020-28498",
  "to": ["urn:spdx.dev:agent-snyk"],
  "startTime": "2021-03-08T16:06:50Z"
}

Metadata

https://spdx.org/rdf/3.0.1/terms/Security/CvssV3VulnAssessmentRelationship

Name CvssV3VulnAssessmentRelationship
Instantiability Concrete
SubclassOf VulnAssessmentRelationship

Superclasses

/Core/Element
       /Core/Relationship
             /Security/VulnAssessmentRelationship
                   /Security/CvssV3VulnAssessmentRelationship

Properties

Property Type minCount maxCount
score xsd:decimal 1 1
severity CvssSeverityType 1 1
vectorString xsd:string 1 1

All properties

Property Type minCount maxCount
assessedElement Element 0 1
comment xsd:string 0 1
completeness RelationshipCompleteness 0 1
creationInfo CreationInfo 1 1
description xsd:string 0 1
endTime DateTime 0 1
extension Extension 0 *
externalIdentifier ExternalIdentifier 0 *
externalRef ExternalRef 0 *
from Element 1 1
modifiedTime DateTime 0 1
name xsd:string 0 1
publishedTime DateTime 0 1
relationshipType RelationshipType 1 1
score xsd:decimal 1 1
severity CvssSeverityType 1 1
spdxId xsd:anyURI 1 1
startTime DateTime 0 1
summary xsd:string 0 1
suppliedBy Agent 0 1
to Element 1 *
vectorString xsd:string 1 1
verifiedUsing IntegrityMethod 0 *
withdrawnTime DateTime 0 1