
Commit 35128af

authoredApr 6, 2022
Merge pull request #32 from tschmidtb51/use-case-8
Use case 8
2 parents 7ca77b1 + 67ea805 commit 35128af


2 files changed

+150
-16
lines changed


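--- a/VEX/CISA-Use-Cases/Case-8/bom-2.json
+++ b/VEX/CISA-Use-Cases/Case-8/bom-2.json
@@ -6,7 +6,7 @@
 "metadata" : {
 "timestamp" : "2022-01-13T00:00:00Z",
 "component" : {
-"name" : "ABC",
+"name" : "JKL",
 "type" : "application",
 "bom-ref" : "product-JKL"
 }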

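--- a/VEX/CISA-Use-Cases/Case-8/vex.json
+++ b/VEX/CISA-Use-Cases/Case-8/vex.json
@@ -39,7 +39,7 @@
 "status": "affected"
 },
 {
-"range": "vers:semver/>=2.9|<=4.1",
+"range": "vers:generic/>=2.9|<=4.1",
 "status": "affected"
 }
 ]
@@ -48,7 +48,7 @@
 "ref": "urn:cdx:e4c3eedc-4978-470c-ad02-6ffff63738ff/1#product-JKL",
 "versions": [
 {
-"range": "vers:semver/>=4.5|<=5.0",
+"range": "vers:generic/>=4.5|<=5.0",
 "status": "affected"
 }
 ]
@@ -74,40 +74,102 @@
 }
 ],
 "analysis": {
-"state": "not_affected"
+"state": "not_affected",
+"justification": "code_not_present",
+"response": ["will_not_fix"],
+"detail": "These versions of Product ABC are not affected by the vulnerability. Class with vulnerable code was removed before shipping."
 },
 "affects": [
 {
 "ref": "urn:cdx:cbb2cd68-2857-43b8-a10b-e8c03d277d18/1#product-ABC",
 "versions": [
 {
-"range": "vers:semver/>=1.0|<=2.3",
+"range": "vers:generic/>=1.0|<=2.3",
 "status": "unaffected"
 },
 {
 "version": "2.5",
 "status": "unaffected"
 },
 {
-"range": "vers:semver/>=2.7|<=2.8",
+"range": "vers:generic/>=2.7|<=2.8",
 "status": "unaffected"
 },
 {
 "version": "4.2",
 "status": "unaffected"
 }
 ]
-},
+}
+]
+},
+{
+"id": "CVE-2021-44228",
+"source": {
+"name": "NVD",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228"
+},
+"ratings": [
+{
+"source": {
+"name": "NVD",
+"url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:N/MI:N/MA:N&version=3.1"
+},
+"score": 0.0,
+"severity": "none",
+"method": "CVSSv31",
+"vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:N/MI:N/MA:N"
+}
+],
+"analysis": {
+"state": "not_affected",
+"justification": "code_not_present",
+"response": ["will_not_fix"],
+"detail": "These versions of Product JKL are not affected by the vulnerability. Log4j was not included in those versions at all."
+},
+"affects": [
 {
 "ref": "urn:cdx:e4c3eedc-4978-470c-ad02-6ffff63738ff/1#product-JKL",
 "versions": [
 {
-"range": "vers:semver/>=1.0|<=4.4",
+"range": "vers:generic/>=1.0|<=4.4",
 "status": "unaffected"
+}
+]
+}
+]
+},
+{
+"id": "CVE-2021-44228",
+"source": {
+"name": "NVD",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228"
+},
+"ratings": [
+{
+"source": {
+"name": "NVD",
+"url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:N/MI:N/MA:N&version=3.1"
+},
+"score": 0.0,
+"severity": "none",
+"method": "CVSSv31",
+"vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:N/MI:N/MA:N"
+}
+],
+"analysis": {
+"state": "resolved",
+"detail": "This version of Product JKL has been fixed."
+},
+"affects": [
+{
+"ref": "urn:cdx:e4c3eedc-4978-470c-ad02-6ffff63738ff/1#product-JKL",
+"versions": [
+{
+"version": "5.1"
 },
 {
-"version": "5.1",
-"status": "unaffected"
+"version": "5.2"
 }
 ]
 }
@@ -149,7 +211,7 @@
 "status": "affected"
 },
 {
-"range": "vers:semver/>=2.9|<=4.1",
+"range": "vers:generic/>=2.9|<=4.1",
 "status": "affected"
 }
 ]
@@ -158,7 +220,7 @@
 "ref": "urn:cdx:e4c3eedc-4978-470c-ad02-6ffff63738ff/1#product-JKL",
 "versions": [
 {
-"range": "vers:semver/>=4.5|<=5.0",
+"range": "vers:generic/>=4.5|<=5.0",
 "status": "affected"
 },
 {
@@ -188,22 +250,25 @@
 }
 ],
 "analysis": {
-"state": "not_affected"
+"state": "not_affected",
+"justification": "code_not_present",
+"response": ["will_not_fix"],
+"detail": "These versions of Product ABC are not affected by the vulnerability. Class with vulnerable code was removed before shipping."
 },
 "affects": [
 {
 "ref": "urn:cdx:cbb2cd68-2857-43b8-a10b-e8c03d277d18/1#product-ABC",
 "versions": [
 {
-"range": "vers:semver/>=1.0|<=2.3",
+"range": "vers:generic/>=1.0|<=2.3",
 "status": "unaffected"
 },
 {
 "version": "2.5",
 "status": "unaffected"
 },
 {
-"range": "vers:semver/>=2.7|<=2.8",
+"range": "vers:generic/>=2.7|<=2.8",
 "status": "unaffected"
 },
 {
@@ -216,7 +281,7 @@
 "ref": "urn:cdx:e4c3eedc-4978-470c-ad02-6ffff63738ff/1#product-JKL",
 "versions": [
 {
-"range": "vers:semver/>=1.0|<=4.4",
+"range": "vers:generic/>=1.0|<=4.4",
 "status": "unaffected"
 },
 {
@@ -226,6 +291,75 @@
 ]
 }
 ]
+},
+{
+"id": "CVE-2021-45105",
+"source": {
+"name": "NVD",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105"
+},
+"ratings": [
+{
+"source": {
+"name": "NVD",
+"url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:N/MI:N/MA:N&version=3.1"
+},
+"score": 0.0,
+"severity": "none",
+"method": "CVSSv31",
+"vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:N/MI:N/MA:N"
+}
+],
+"analysis": {
+"state": "not_affected",
+"justification": "code_not_present",
+"response": ["will_not_fix"],
+"detail": "These versions of Product JKL are not affected by the vulnerability. Log4j was not included in those versions at all."
+},
+"affects": [
+{
+"ref": "urn:cdx:e4c3eedc-4978-470c-ad02-6ffff63738ff/1#product-JKL",
+"versions": [
+{
+"range": "vers:generic/>=1.0|<=4.4",
+"status": "unaffected"
+}
+]
+}
+]
+},
+{
+"id": "CVE-2021-45105",
+"source": {
+"name": "NVD",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105"
+},
+"ratings": [
+{
+"source": {
+"name": "NVD",
+"url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:N/MI:N/MA:N&version=3.1"
+},
+"score": 0.0,
+"severity": "none",
+"method": "CVSSv31",
+"vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:N/MI:N/MA:N"
+}
+],
+"analysis": {
+"state": "resolved",
+"detail": "This version of Product JKL has been fixed."
+},
+"affects": [
+{
+"ref": "urn:cdx:e4c3eedc-4978-470c-ad02-6ffff63738ff/1#product-JKL",
+"versions": [
+{
+"version": "5.2"
+}
+]
+}
+]
 }
 ]
 }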
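Review bot: The `versions` entries under the new `"state": "resolved"` analyses (`"version": "5.1"` and `"version": "5.2"` for CVE-2021-44228, `"version": "5.2"` for CVE-2021-45105) carry no `status`, while every other visible entry sets one, and this commit drops the explicit `"status": "unaffected"` that 5.1 had. A VEX consumer that filters on `status` then depends on the schema default, which I believe is `affected` in CycloneDX 1.4 (worth confirming), so fixed releases may be reported as vulnerable or skipped depending on the tool. Stating the intent explicitly, e.g. `"version": "5.2", "status": "unaffected"`, removes that ambiguity. Separately, the CVE-2021-45105 ratings reuse the CVE-2021-44228 vector string verbatim and attribute the environmentally adjusted `0.0`/`none` score to NVD; the base metrics should be checked against the NVD record for that CVE, and the rating `source` should name whoever produced the adjusted score.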
