Added CISA VEX use case #5

Author: stevespringett

VEX/CISA-Use-Cases/Case-5/README.md

@@ -0,0 +1,7 @@
+# CISA VEX Use Case 5
+
+### Single Product, All Versions, Single Vulnerability, Single Status
+
+In this use case, Example Company has fielded product XYZ. The company makes statements about all versions of product XYZ in a single VEX file.
+
+When the Log4j vulnerability with associated CVE-2021-44228 was disclosed, the Example Company’s PSIRT released a VEX stating that all of XYZ's versions are currently being investigated (status: UNDER INVESTIGATION) as to whether they are affected by CVE-2021-44228.

VEX/CISA-Use-Cases/Case-5/vex.json

@@ -0,0 +1,42 @@
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.4",
+  "version": 1,
+  "metadata" : {
+    "timestamp" : "2022-03-03T00:00:00Z",
+    "component" : {
+      "name" : "XYZ",
+      "type" : "application",
+      "bom-ref" : "product-XYZ"
+    }
+  },
+  "vulnerabilities": [
+    {
+      "id": "CVE-2021-44228",
+      "source": {
+        "name": "NVD",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228"
+      },
+      "ratings": [
+        {
+          "source": {
+            "name": "NVD",
+            "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H&version=3.1"
+          },
+          "score": 10.0,
+          "severity": "critical",
+          "method": "CVSSv31",
+          "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
+        }
+      ],
+      "analysis": {
+        "state": "in_triage"
+      },
+      "affects": [
+        {
+          "ref": "product-XYZ"
+        }
+      ]
+    }
+  ]
+}