
VXDF Schema Reference

VXDF v0.0.1 Schema Documentation

Complete Schema Reference

Comprehensive documentation of all VXDF objects, properties, enums, and evidence types

Complete VXDF Example
{
  "vxdfVersion": "0.0.1",
  "id": "550e8400-e29b-41d4-a716-446655440000",
  "generatedAt": "2025-01-15T14:30:00Z",
  "generatorTool": {
    "name": "VXDF Security Scanner",
    "version": "2.1.0"
  },
  "applicationInfo": {
    "name": "E-Commerce Platform",
    "version": "3.2.1",
    "environment": "production"
  },
  "exploitFlows": [
    {
      "id": "123e4567-e89b-12d3-a456-426614174000",
      "title": "SQL Injection in Product Search",
      "description": "User input in search parameter is directly concatenated into SQL query without proper sanitization",
      "validatedAt": "2025-01-15T13:45:00Z",
      "severity": {
        "level": "CRITICAL",
        "cvssV3_1": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "baseScore": 9.8
        }
      },
      "category": "INJECTION",
      "cwe": [
        "CWE-89"
      ],
      "source": {
        "locationType": "WEB_ENDPOINT_PARAMETER",
        "uri": "/api/products/search",
        "httpMethod": "GET",
        "parameterName": "q",
        "parameterLocation": "query",
        "description": "Search query parameter accepts unsanitized input"
      },
      "sink": {
        "locationType": "SOURCE_CODE_UNIT",
        "filePath": "src/controllers/ProductController.java",
        "startLine": 156,
        "endLine": 158,
        "functionName": "searchProducts",
        "description": "SQL query construction using string concatenation"
      },
      "evidence": [
        {
          "evidenceType": "HTTP_REQUEST_LOG",
          "description": "Malicious request that extracts all user data",
          "validationMethod": "MANUAL_PENETRATION_TESTING_EXPLOIT",
          "data": {
            "method": "GET",
            "url": "/api/products/search?q=' UNION SELECT * FROM users--",
            "headers": [
              {
                "name": "User-Agent",
                "value": "VXDF-Scanner/2.1.0"
              }
            ]
          }
        },
        {
          "evidenceType": "CODE_SNIPPET_SINK",
          "description": "Vulnerable code performing SQL query",
          "data": {
            "content": "String query = \"SELECT * FROM products WHERE name LIKE '%\" + searchQuery + \"%'\";\nResultSet rs = statement.executeQuery(query);",
            "language": "java",
            "filePath": "src/controllers/ProductController.java",
            "startLine": 156,
            "endLine": 157
          }
        }
      ],
      "status": "OPEN",
      "remediation": {
        "summary": "Use parameterized queries instead of string concatenation",
        "detailsUrl": "https://owasp.org/www-community/attacks/SQL_Injection"
      }
    }
  ]
}

VXDFPayload (core, 7 properties)
The root object of a VXDF document containing metadata and exploit flows

ExploitFlow (core, 16 properties)
Represents a single validated, exploitable vulnerability instance

Location (supporting, 16 properties)
Describes a specific location relevant to a vulnerability with context-dependent properties

Severity (supporting, 5 properties)
Structured severity assessment with CVSS integration

Evidence (evidence, 7 properties)
Proof supporting the exploitability claim

TraceStep (supporting, 6 properties)
A single step in the exploit flow trace

AffectedComponent (supporting, 8 properties)
A component affected by or involved in the vulnerability

Enumerations

Predefined values and constants used throughout the VXDF schema

SeverityLevel (Severity, 6 values)
Qualitative severity ratings based on impact and exploitability
CRITICAL

Vulnerabilities requiring immediate action with severe impact

HIGH

Serious vulnerabilities with significant impact

MEDIUM

Moderate vulnerabilities requiring attention

LOW

Minor vulnerabilities with limited impact

INFORMATIONAL

Information that may be useful but not directly exploitable

NONE

No security impact

Status (Lifecycle, 9 values)
Vulnerability lifecycle states for tracking remediation progress
OPEN

Newly discovered, awaiting action

UNDER_INVESTIGATION

Being analyzed by security team

REMEDIATION_IN_PROGRESS

Fix is being implemented

REMEDIATED

Fix has been applied

REMEDIATION_VERIFIED

Fix has been tested and verified

FALSE_POSITIVE_AFTER_REVALIDATION

Determined to be non-exploitable

ACCEPTED_RISK

Risk has been formally accepted

DEFERRED

Remediation postponed to future date

OTHER

Custom status not covered above

LocationType (Location, 16 values)
Types of locations where vulnerabilities can exist
SOURCE_CODE_UNIT

Code file, line, function

WEB_ENDPOINT_PARAMETER

HTTP parameter (query, body, etc.)

WEB_HTTP_HEADER

HTTP request/response header

WEB_COOKIE

HTTP cookie

SOFTWARE_COMPONENT_LIBRARY

Third-party library or dependency

CONFIGURATION_FILE_SETTING

Configuration file entry

FILE_SYSTEM_ARTIFACT

File or directory on filesystem

NETWORK_SERVICE_ENDPOINT

Network service or port

DATABASE_SCHEMA_OBJECT

Database table, column, procedure

ENVIRONMENT_VARIABLE

System or application environment variable

OPERATING_SYSTEM_REGISTRY_KEY

Windows registry key or similar

CLOUD_PLATFORM_RESOURCE

Cloud service or resource

EXECUTABLE_BINARY_FUNCTION

Function in compiled binary

PROCESS_MEMORY_REGION

Memory region in running process

USER_INTERFACE_ELEMENT

UI component or element

GENERIC_RESOURCE_IDENTIFIER

Generic resource identifier

Category (Vulnerability, 11 values)
High-level vulnerability classifications (Appendix I)
INJECTION

SQL, NoSQL, OS, LDAP injection vulnerabilities

BROKEN_ACCESS_CONTROL

Authorization and access control failures

CRYPTOGRAPHIC_FAILURES

Weak cryptography or missing encryption

INSECURE_DESIGN

Design and architectural flaws

SECURITY_MISCONFIGURATION

Incorrect security settings

VULNERABLE_COMPONENTS

Using components with known vulnerabilities

IDENTIFICATION_AUTHENTICATION_FAILURES

Authentication weaknesses

SOFTWARE_DATA_INTEGRITY_FAILURES

Code and infrastructure integrity issues

SECURITY_LOGGING_MONITORING_FAILURES

Insufficient logging and monitoring

SERVER_SIDE_REQUEST_FORGERY

SSRF vulnerabilities

OTHER

Vulnerabilities not fitting other categories

StepType (Trace, 10 values)
Types of steps in an exploit flow trace
SOURCE_INTERACTION

Initial interaction with data source

DATA_TRANSFORMATION

Data is transformed or modified

DATA_PROPAGATION

Data flows to another location

CONTROL_FLOW_BRANCH

Conditional logic based on data

SINK_INTERACTION

Final exploitation point

VALIDATION_OR_SANITIZATION

Attempted data validation

CONFIGURATION_ACCESS

Configuration data accessed

COMPONENT_CALL

Call to another component

STATE_CHANGE

System state modification

INTERMEDIATE_NODE

General intermediate step

ComponentType (Component, 14 values)
Types of system components that can be affected
SOFTWARE_LIBRARY

Third-party library or package

APPLICATION_MODULE

Application module or component

EXECUTABLE_FILE

Executable binary file

OPERATING_SYSTEM

Operating system component

HARDWARE_DEVICE

Hardware device or driver

FIRMWARE

Firmware component

CONTAINER_IMAGE

Container or VM image

CONFIGURATION_FILE

Configuration file

SERVICE_ENDPOINT

Network service endpoint

NETWORK_INFRASTRUCTURE_DEVICE

Router, switch, firewall

CLOUD_SERVICE_COMPONENT

Cloud service component

DATA_STORE_INSTANCE

Database or data store

PROTOCOL_SPECIFICATION

Protocol implementation

OTHER_COMPONENT

Other component type

EvidenceType (Evidence, 33 values)
Types of evidence that can prove exploitability
HTTP_REQUEST_LOG

HTTP request that exploits the vulnerability

HTTP_RESPONSE_LOG

HTTP response showing exploitation

CODE_SNIPPET_SOURCE

Vulnerable source code

CODE_SNIPPET_SINK

Code where exploitation occurs

CODE_SNIPPET_CONTEXT

Additional code context

POC_SCRIPT

Proof-of-concept exploit script

RUNTIME_APPLICATION_LOG_ENTRY

Application log showing exploitation

RUNTIME_SYSTEM_LOG_ENTRY

System log entry

RUNTIME_WEB_SERVER_LOG_ENTRY

Web server log entry

RUNTIME_DATABASE_LOG_ENTRY

Database log entry

RUNTIME_DEBUGGER_OUTPUT

Debugger output

RUNTIME_EXCEPTION_TRACE

Exception stack trace

SCREENSHOT_URL

Screenshot URL

SCREENSHOT_EMBEDDED_BASE64

Embedded screenshot

MANUAL_VERIFICATION_NOTES

Manual test notes

TEST_PAYLOAD_USED

Test payload that triggered vulnerability

ENVIRONMENT_CONFIGURATION_DETAILS

Environment configuration

NETWORK_TRAFFIC_CAPTURE_SUMMARY

Network traffic capture

STATIC_ANALYSIS_DATA_FLOW_PATH

Static analysis flow

STATIC_ANALYSIS_CONTROL_FLOW_GRAPH

Control flow graph

CONFIGURATION_FILE_SNIPPET

Vulnerable configuration

VULNERABLE_COMPONENT_SCAN_OUTPUT

Component scan results

MISSING_ARTIFACT_VERIFICATION

Missing security artifact

OBSERVED_BEHAVIORAL_CHANGE

Behavioral change observation

DATABASE_STATE_CHANGE_PROOF

Database modification proof

FILE_SYSTEM_CHANGE_PROOF

File system modification

COMMAND_EXECUTION_OUTPUT

Command execution output

EXFILTRATED_DATA_SAMPLE

Sample of exfiltrated data

SESSION_INFORMATION_LEAK

Leaked session information

EXTERNAL_INTERACTION_PROOF

External system interaction

DIFFERENTIAL_ANALYSIS_RESULT

Differential analysis results

TOOL_SPECIFIC_OUTPUT_LOG

Tool-specific output

OTHER_EVIDENCE

Other evidence type

ValidationMethod (Evidence, 13 values)
Methods used to validate vulnerability evidence
STATIC_ANALYSIS_VALIDATION

Static code analysis

DYNAMIC_ANALYSIS_EXPLOIT

Runtime testing exploitation

INTERACTIVE_APPLICATION_SECURITY_TESTING_EXPLOIT

IAST exploitation

MANUAL_CODE_REVIEW_CONFIRMATION

Manual code review

MANUAL_PENETRATION_TESTING_EXPLOIT

Manual penetration test

AUTOMATED_EXPLOIT_TOOL_CONFIRMATION

Automated exploit tool

SOFTWARE_COMPOSITION_ANALYSIS_CONTEXTUAL_VALIDATION

SCA validation

FUZZ_TESTING_CRASH_ANALYSIS

Fuzzing crash analysis

REVERSE_ENGINEERING_PROOF

Reverse engineering

CONFIGURATION_AUDIT_VERIFICATION

Configuration audit

LOG_ANALYSIS_CORRELATION

Log correlation analysis

HYBRID_VALIDATION

Multiple validation methods

OTHER_VALIDATION_METHOD

Other validation method

HttpMethod (Web, 10 values)
HTTP methods used in web requests
GET

HTTP GET method

POST

HTTP POST method

PUT

HTTP PUT method

DELETE

HTTP DELETE method

PATCH

HTTP PATCH method

OPTIONS

HTTP OPTIONS method

HEAD

HTTP HEAD method

CONNECT

HTTP CONNECT method

TRACE

HTTP TRACE method

OTHER

Other HTTP method

HttpParameterLocation (Web, 6 values)
Where HTTP parameters are located in requests
query

URL query parameter

body_form

Form-encoded body parameter

body_json_pointer

JSON body using JSON Pointer (RFC 6901)

body_xml_xpath

XML body using XPath 1.0

body_multipart_field_name

Multipart form field

path_segment

URL path segment

CloudPlatform (Infrastructure, 5 values)
Cloud service providers
AWS

Amazon Web Services

Azure

Microsoft Azure

GCP

Google Cloud Platform

OCI

Oracle Cloud Infrastructure

Other

Other cloud platform

ExploitabilityLevel (Assessment, 5 values)
How easy or difficult it is to exploit a vulnerability
EASY

Easily exploitable with common tools

MODERATE

Requires some expertise or specific conditions

DIFFICULT

Requires significant expertise or rare conditions

THEORETICAL_BUT_PROVEN

Proven possible but very difficult in practice

NOT_ASSESSED

Exploitability not yet assessed

Evidence Data Structures

Structured data formats for different types of vulnerability evidence

Evidence Type Details
Each evidence type has a specific data structure. The `data` field structure depends on the `evidenceType`.

Evidence Type
HTTP_REQUEST_LOG

HTTP request that demonstrates the vulnerability

Properties (6 properties)

method (HttpMethodEnum, Required): HTTP method
url (string, Required): Request URL
version (string, Optional): HTTP version. Example: HTTP/1.1
headers (array[HttpHeader], Optional): Request headers
body (string, Optional): Request body content
bodyEncoding (HttpRequestBodyEncodingEnum, Optional): Body encoding. Default: plaintext
Example:
{
  "method": "POST",
  "url": "/api/login",
  "headers": [
    {
      "name": "Content-Type",
      "value": "application/json"
    }
  ],
  "body": "{\"username\":\"admin' OR '1'='1\",\"password\":\"any\"}",
  "bodyEncoding": "json"
}
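
A consumer of VXDF documents can enforce the property table above before storing or rendering evidence. The following is an added example, not part of the VXDF project: the function names are hypothetical, the HttpHeader shape (name, value) is assumed from the examples on this page, and bodyEncoding is only type-checked because its enum values are not listed here.

```python
# Added example: validates the `data` object of HTTP_REQUEST_LOG evidence
# against the property table above. Not part of the VXDF project.

# Copied from the HttpMethod enumeration on this page.
HTTP_METHODS = {"GET", "POST", "PUT", "DELETE", "PATCH",
                "OPTIONS", "HEAD", "CONNECT", "TRACE", "OTHER"}

def check_http_request_log(data):
    """Return a list of problems; an empty list means the object passes."""
    if not isinstance(data, dict):
        return ["data: must be an object"]
    problems = []
    # Required properties: method (HttpMethod value) and url (string).
    method = data.get("method")
    if not isinstance(method, str) or method not in HTTP_METHODS:
        problems.append("method: missing or not an HttpMethod value")
    if not isinstance(data.get("url"), str):
        problems.append("url: missing or not a string")
    # Optional string properties are type-checked only when present.
    # bodyEncoding values are not enumerated on the page, so only its type is checked.
    for key in ("version", "body", "bodyEncoding"):
        if key in data and not isinstance(data[key], str):
            problems.append(f"{key}: must be a string")
    # Assumption: an HttpHeader is {"name": str, "value": str}, as in the examples.
    headers = data.get("headers", [])
    if not isinstance(headers, list):
        problems.append("headers: must be an array")
    else:
        for i, h in enumerate(headers):
            if not (isinstance(h, dict) and isinstance(h.get("name"), str)
                    and isinstance(h.get("value"), str)):
                problems.append(f"headers[{i}]: needs string name and value")
    return problems

def check_evidence(item):
    """Dispatch on evidenceType; other types are skipped, not validated."""
    if isinstance(item, dict) and item.get("evidenceType") == "HTTP_REQUEST_LOG":
        return check_http_request_log(item.get("data"))
    return []

# Constructed samples: GOOD mirrors the page's login example, BAD is malformed.
GOOD = {"evidenceType": "HTTP_REQUEST_LOG", "data": {
    "method": "POST", "url": "/api/login",
    "headers": [{"name": "Content-Type", "value": "application/json"}],
    "body": "{\"username\":\"admin' OR '1'='1\",\"password\":\"any\"}",
    "bodyEncoding": "json"}}
BAD = {"evidenceType": "HTTP_REQUEST_LOG", "data": {
    "method": "FETCH", "headers": [{"name": "X-Test"}], "body": 42}}

if __name__ == "__main__":
    print(check_evidence(GOOD), check_evidence(BAD), sep="\n")
```

Evidence of any other type returns an empty list here because its `data` structure is not detailed on this page; a stricter consumer would reject or quarantine unrecognised types instead.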

All Evidence Types

VXDF supports 33 evidence types for comprehensive vulnerability documentation:

HTTP & Web:
  • HTTP Request/Response Logs
  • Screenshots (URL/Embedded)
  • Session Information Leaks
Code & Scripts:
  • Code Snippets (Source/Sink/Context)
  • PoC Scripts
  • Test Payloads
Runtime & Logs:
  • Application/System/Web Server Logs
  • Database Logs
  • Debugger Output
  • Exception Traces
Analysis & Behavior:
  • Static/Dynamic Analysis Results
  • Behavioral Changes
  • State Change Proofs
  • External Interactions

Field Status Legend
Mandatory: Required in all cases
Optional: May be included if relevant
Conditional: Required under specific conditions