{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "https://vxdf.org/schemas/vxdf-0.0.1.json", "title": "VXDF (Validated Exploitable Data Flow)", "description": "JSON Schema for VXDF format version 0.0.1, focusing on validated, exploitable vulnerabilities with structured evidence. This standard aims to provide a comprehensive and extensible format for reporting security findings.", "type": "object", "properties": { "vxdfVersion": { "type": "string", "const": "0.0.1", "description": "The VXDF format version. MUST be '0.0.1' for this version of the specification." }, "id": { "type": "string", "format": "uuid", "pattern": "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$", "description": "A UUID uniquely identifying this VXDF document." }, "generatedAt": { "type": "string", "format": "date-time", "description": "Timestamp of when this VXDF document was generated, in ISO 8601 format (e.g., '2023-10-26T10:00:00Z')." }, "generatorTool": { "type": "object", "description": "Information about the tool, script, or process that generated this VXDF document.", "properties": { "name": { "type": "string", "description": "The name of the tool or generator." }, "version": { "type": "string", "description": "The version of the tool or generator, if applicable." } }, "required": ["name"], "additionalProperties": false, "patternProperties": { "^x-": {} } }, "applicationInfo": { "type": "object", "description": "Information about the application, system, or component that was the target of the assessment and to which the findings apply.", "properties": { "name": { "type": "string", "description": "The primary name of the application or target." }, "version": { "type": "string", "description": "The version of the application or target." }, "repositoryUrl": { "type": "string", "format": "uri", "description": "URL of the source code repository for the application." }, "environment": { "type": "string", "description": "The environment in which the assessment was performed or to which it applies (e.g., 'production', 'staging', 'test', 'development')." }, "purl": { "type": "string", "description": "Package URL (PURL) identifying the overall application or target." }, "cpe": { "type": "string", "description": "Common Platform Enumeration (CPE) for the overall application or target." }, "customProperties": { "type": "object", "description": "A key-value map for additional custom information about the application or target.", "additionalProperties": true } }, "required": ["name"], "additionalProperties": false, "patternProperties": { "^x-": {} } }, "exploitFlows": { "type": "array", "minItems": 1, "description": "An array containing one or more ExploitFlow objects, each representing a single validated, exploitable vulnerability.", "items": { "$ref": "#/$defs/ExploitFlow" } }, "customProperties": { "type": "object", "description": "A key-value map for arbitrary custom data relevant to the entire document not covered by standard fields. Keys should ideally be namespaced.", "additionalProperties": true } }, "required": [ "vxdfVersion", "id", "generatedAt", "exploitFlows" ], "additionalProperties": false, "patternProperties": { "^x-": {} }, "$defs": { "ExploitFlow": { "type": "object", "description": "Represents a single validated, exploitable vulnerability instance. It describes the nature of the vulnerability, its location (either as a data flow or within affected components), its severity, and provides structured evidence of its exploitability.", "properties": { "id": { "type": "string", "format": "uuid", "pattern": "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$", "description": "A UUID uniquely identifying this specific exploit flow or vulnerability instance." }, "title": { "type": "string", "description": "A concise, human-readable title summarizing the vulnerability (e.g., 'SQL Injection in Product Search API')." }, "description": { "type": "string", "description": "A detailed human-readable description of the vulnerability, its technical nature, how it can be exploited, its context, and potential impact." }, "validatedAt": { "type": "string", "format": "date-time", "description": "Timestamp of when this vulnerability was last validated as exploitable, in ISO 8601 format." }, "validationEngine": { "type": "object", "description": "Information about the primary tool, engine, or methodology used for validating the exploitability of this finding.", "properties": { "name": { "type": "string", "description": "Name of the validation tool, engine, or methodology (e.g., 'Manual Penetration Test by SecureTeam', 'DAST Engine X', 'Automated Exploit Verification Module', 'SCA Validation Ruleset')." }, "version": { "type": "string", "description": "Version of the validation tool or engine, if applicable." } }, "required": ["name"], "additionalProperties": false, "patternProperties": { "^x-": {} } }, "severity": { "$ref": "#/$defs/Severity", "description": "A structured object detailing the severity of the vulnerability." }, "category": { "type": "string", "description": "A high-level classification of the vulnerability type. See Appendix J: `ExploitFlow.category` - Recommended Values and Descriptions for details and recommended values." }, "cwe": { "type": "array", "items": { "type": "string", "pattern": "^CWE-[1-9][0-9]*$", "description": "A Common Weakness Enumeration (CWE) identifier (e.g., 'CWE-89')." }, "uniqueItems": true, "description": "An array of CWE identifiers relevant to this vulnerability. Multiple CWEs can be listed if applicable." }, "remediation": { "type": "object", "description": "Guidance on how to remediate the vulnerability.", "properties": { "summary": { "type": "string", "description": "A brief summary of the recommended remediation actions." }, "detailsUrl": { "type": "string", "format": "uri", "description": "A URL pointing to more detailed remediation guidance, documentation, or resources." }, "codePatches": { "type": "array", "items": { "type": "object", "properties": { "description": {"type": "string", "description": "Description of the patch or change."}, "diffUrl": {"type": "string", "format": "uri", "description": "URL to a diff or patch file."}, "diffContent": {"type": "string", "description": "The content of the patch or diff itself."} } }, "description": "Suggested code patches or diffs." } }, "required": ["summary"], "additionalProperties": true, "patternProperties": { "^x-": {} } }, "status": { "type": "string", "enum": [ "OPEN", "UNDER_INVESTIGATION", "REMEDIATION_IN_PROGRESS", "REMEDIATED", "REMEDIATION_VERIFIED", "FALSE_POSITIVE_AFTER_REVALIDATION", "ACCEPTED_RISK", "DEFERRED", "OTHER" ], "default": "OPEN", "description": "The current status of this vulnerability finding within a management lifecycle. See Appendix L: `ExploitFlow.status` - Definitions for details." }, "tags": { "type": "array", "items": { "type": "string" }, "uniqueItems": true, "description": "Custom tags for additional categorization, filtering, or tracking (e.g., 'PCI_SCOPE', 'PII_EXPOSED', 'ZERO_DAY')." }, "source": { "$ref": "#/$defs/Location", "description": "(Optional, but conditionally required with 'sink' for flow-based vulnerabilities) The entry point of untrusted data or the starting point of the exploit." }, "sink": { "$ref": "#/$defs/Location", "description": "(Optional, but conditionally required with 'source' for flow-based vulnerabilities) The point of exploitation where the vulnerability manifests." }, "steps": { "type": "array", "items": { "$ref": "#/$defs/TraceStep" }, "description": "(Optional) An ordered sequence of steps detailing the data flow or exploit path from source to sink. Recommended if the path is non-obvious." }, "affectedComponents": { "type": "array", "items": { "$ref": "#/$defs/AffectedComponent" }, "description": "(Optional, but conditionally required if 'source'/'sink' are not primary) An array of specific components affected by or contributing to the vulnerability." }, "evidence": { "type": "array", "minItems": 1, "description": "An array of one or more Evidence objects supporting the claim of exploitability. At least one evidence item is MANDATORY.", "items": { "$ref": "#/$defs/Evidence" } }, "correlationGuids": { "type": "array", "items": { "type": "string" }, "uniqueItems": true, "description": "Globally unique identifiers for correlating this finding with findings from other tools or systems (e.g., a SARIF result.correlationGuid)." }, "exploitabilityAssessment": { "type": "object", "description": "Assessment of how easy or likely the vulnerability is to be exploited.", "properties": { "level": { "type": "string", "enum": ["EASY", "MODERATE", "DIFFICULT", "THEORETICAL_BUT_PROVEN", "NOT_ASSESSED"], "description": "Qualitative assessment of exploitability." }, "description": { "type": "string", "description": "Narrative explaining the exploitability assessment." }, "cvssExploitabilitySubscore": { "type": "number", "minimum": 0.0, "maximum": 10.0, "description": "CVSS Exploitability Subscore if calculated separately (e.g., from Base Metrics)." } }, "additionalProperties": false, "patternProperties": { "^x-": {} } }, "customProperties": { "type": "object", "description": "A key-value map for arbitrary custom data specific to this exploit flow. Keys should ideally be namespaced.", "additionalProperties": true } }, "required": [ "id", "title", "severity", "category", "evidence", "validatedAt" ], "anyOf": [ { "required": ["source", "sink"] }, { "required": ["affectedComponents"] } ], "additionalProperties": false, "patternProperties": { "^x-": {} } }, "Location": { "type": "object", "description": "Describes a specific location relevant to the vulnerability, such as a point in source code, a web endpoint, a configuration setting, or a software component.", "properties": { "description": { "type": "string", "description": "A human-readable description of this location and its significance in the context of the vulnerability." }, "locationType": { "type": "string", "enum": [ "SOURCE_CODE_UNIT", "WEB_ENDPOINT_PARAMETER", "WEB_HTTP_HEADER", "WEB_COOKIE", "SOFTWARE_COMPONENT_LIBRARY", "CONFIGURATION_FILE_SETTING", "FILE_SYSTEM_ARTIFACT", "NETWORK_SERVICE_ENDPOINT", "DATABASE_SCHEMA_OBJECT", "ENVIRONMENT_VARIABLE", "OPERATING_SYSTEM_REGISTRY_KEY", "CLOUD_PLATFORM_RESOURCE", "EXECUTABLE_BINARY_FUNCTION", "PROCESS_MEMORY_REGION", "USER_INTERFACE_ELEMENT", "GENERIC_RESOURCE_IDENTIFIER" ], "description": "The primary type of location being described. See Appendix M: `Location.locationType` - Definitions and Usage Guidance for details on each type and their relevant properties." }, "uri": { "type": "string", "format": "uri-reference", "description": "A URI identifying the resource where the location exists (e.g., file URI, repository URL with line numbers, API endpoint)." }, "uriBaseId": { "type": "string", "description": "A SARIF-like symbolic name for a URI base, used if 'uri' is relative." }, "filePath": { "type": "string", "description": "Path to the file (e.g., for SOURCE_CODE_UNIT, CONFIGURATION_FILE_SETTING, FILE_SYSTEM_ARTIFACT, EXECUTABLE_BINARY_FUNCTION)." }, "startLine": { "type": "integer", "minimum": 1, "description": "The one-based starting line number in the file." }, "endLine": { "type": "integer", "minimum": 1, "description": "The one-based ending line number in the file." }, "startColumn": { "type": "integer", "minimum": 1, "description": "The one-based starting column number." }, "endColumn": { "type": "integer", "minimum": 1, "description": "The one-based ending column number." }, "snippet": { "type": "string", "description": "A snippet of the code, text, or content at this location." }, "fullyQualifiedName": { "type": "string", "description": "Fully qualified name of the code element (e.g., 'com.example.MyClass.myMethod', 'namespace::function'). Relevant for SOURCE_CODE_UNIT." }, "symbol": { "type": "string", "description": "The specific symbol, variable name, identifier, or UI element identifier at this location." }, "url": { "type": "string", "format": "uri", "description": "The URL of the web endpoint. Relevant for WEB_ENDPOINT_PARAMETER and WEB_HTTP_HEADER (contextually)." }, "httpMethod": { "type": "string", "enum": ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS", "HEAD", "CONNECT", "TRACE", "OTHER"], "description": "The HTTP method. Relevant for WEB_ENDPOINT_PARAMETER." }, "parameterName": { "type": "string", "description": "Name of the HTTP parameter. Relevant for WEB_ENDPOINT_PARAMETER." }, "parameterLocation": { "type": "string", "enum": ["query", "body_form", "body_json_pointer", "body_xml_xpath", "body_multipart_field_name", "path_segment"], "description": "Location of the parameter within an HTTP request. 'body_json_pointer' uses JSON Pointer (RFC 6901), 'body_xml_xpath' uses XPath 1.0. For headers or cookies, use locationType WEB_HTTP_HEADER or WEB_COOKIE respectively." }, "headerName": { "type": "string", "description": "Name of the HTTP header. Relevant for WEB_HTTP_HEADER." }, "cookieName": { "type": "string", "description": "Name of the cookie. Relevant for WEB_COOKIE." }, "componentName": { "type": "string", "description": "Name of the software component/library. Relevant for SOFTWARE_COMPONENT_LIBRARY." }, "componentVersion": { "type": "string", "description": "Version of the software component/library. Relevant for SOFTWARE_COMPONENT_LIBRARY." }, "purl": { "type": "string", "description": "Package URL (PURL) of the software component. Relevant for SOFTWARE_COMPONENT_LIBRARY." }, "cpe": { "type": "string", "description": "Common Platform Enumeration (CPE) of the software component or hardware. Relevant for SOFTWARE_COMPONENT_LIBRARY and other types." }, "ecosystem": { "type": "string", "description": "The software ecosystem (e.g., 'Maven', 'npm', 'PyPI', 'NuGet'). Relevant for SOFTWARE_COMPONENT_LIBRARY." }, "settingName": { "type": "string", "description": "Name of the configuration setting, property, or registry value name. Relevant for CONFIGURATION_FILE_SETTING, CLOUD_PLATFORM_RESOURCE, OPERATING_SYSTEM_REGISTRY_KEY." }, "settingValue": { "type": "string", "description": "Value of the configuration setting or property. Relevant for CONFIGURATION_FILE_SETTING, CLOUD_PLATFORM_RESOURCE, OPERATING_SYSTEM_REGISTRY_KEY, ENVIRONMENT_VARIABLE." }, "ipAddress": { "type": "string", "oneOf": [ { "format": "ipv4" }, { "format": "ipv6" } ], "description": "IP address of the network service. Relevant for NETWORK_SERVICE_ENDPOINT." }, "hostname": { "type": "string", "format": "hostname", "description": "Hostname of the network service. Relevant for NETWORK_SERVICE_ENDPOINT." }, "port": { "type": "integer", "minimum": 0, "maximum": 65535, "description": "Port number of the network service. Relevant for NETWORK_SERVICE_ENDPOINT." }, "protocol": { "type": "string", "description": "Network protocol (e.g., 'tcp', 'udp', 'http', 'https'). Relevant for NETWORK_SERVICE_ENDPOINT." }, "databaseType": { "type": "string", "description": "Type of database (e.g., 'MySQL', 'PostgreSQL', 'MongoDB'). Relevant for DATABASE_SCHEMA_OBJECT." }, "databaseName": { "type": "string", "description": "Name of the database or schema. Relevant for DATABASE_SCHEMA_OBJECT." }, "objectType": { "type": "string", "description": "Type of database object (e.g., 'TABLE', 'COLUMN', 'STORED_PROCEDURE', 'QUERY_FRAGMENT'). Relevant for DATABASE_SCHEMA_OBJECT." }, "objectName": { "type": "string", "description": "Name of the database object. Relevant for DATABASE_SCHEMA_OBJECT." }, "environmentVariableName": { "type": "string", "description": "Name of the environment variable. Relevant for ENVIRONMENT_VARIABLE." }, "cloudPlatform": { "type": "string", "enum": ["AWS", "Azure", "GCP", "OCI", "Other"], "description": "Cloud platform provider. Relevant for CLOUD_PLATFORM_RESOURCE." }, "cloudServiceName": { "type": "string", "description": "Name of the cloud service (e.g., 'S3', 'EC2', 'Azure Blob Storage', 'Cloud Functions'). Relevant for CLOUD_PLATFORM_RESOURCE." }, "cloudResourceId": { "type": "string", "description": "Unique identifier of the cloud resource (e.g., ARN, Azure Resource ID). Relevant for CLOUD_PLATFORM_RESOURCE." }, "binaryFunctionName": { "type": "string", "description": "Name of the function in a compiled binary. Relevant for EXECUTABLE_BINARY_FUNCTION." }, "binaryOffset": { "type": "string", "pattern": "^0x[0-9a-fA-F]+$", "description": "Offset within the binary (hexadecimal string, e.g., '0x4011ab'). Relevant for EXECUTABLE_BINARY_FUNCTION and PROCESS_MEMORY_REGION." }, "customProperties": { "type": "object", "description": "A key-value map for additional custom information about the location.", "additionalProperties": true } }, "required": ["locationType"], "additionalProperties": false, "patternProperties": { "^x-": {} } }, "TraceStep": { "type": "object", "description": "A single step in the data flow or exploit path, providing context for how a vulnerability progresses from source to sink.", "properties": { "order": { "type": "integer", "minimum": 0, "description": "The zero-based sequence number of this step in the trace." }, "location": { "$ref": "#/$defs/Location", "description": "The location where this step occurs." }, "description": { "type": "string", "description": "A human-readable description of the action, data transformation, or control flow decision occurring at this step." }, "stepType": { "type": "string", "enum": [ "SOURCE_INTERACTION", "DATA_TRANSFORMATION", "DATA_PROPAGATION", "CONTROL_FLOW_BRANCH", "SINK_INTERACTION", "VALIDATION_OR_SANITIZATION", "CONFIGURATION_ACCESS", "COMPONENT_CALL", "STATE_CHANGE", "INTERMEDIATE_NODE" ], "description": "The nature of this step in the flow. See Appendix N: `TraceStep.stepType` - Definitions for details." }, "evidenceRefs": { "type": "array", "items": { "type": "string", "format": "uuid", "pattern": "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$" }, "uniqueItems": true, "description": "An array of UUIDs referencing specific Evidence items (from the ExploitFlow's 'evidence' array) that are particularly relevant to this step in the trace." }, "customProperties": { "type": "object", "description": "A key-value map for custom data about this trace step.", "additionalProperties": true } }, "required": ["order", "location", "description"], "additionalProperties": false, "patternProperties": { "^x-": {} } }, "AffectedComponent": { "type": "object", "description": "Describes a specific software component, library, hardware device, configuration file, or service that is affected by or contributes to the vulnerability.", "properties": { "name": { "type": "string", "description": "The primary name of the component (e.g., 'Apache Struts Core', 'OpenSSL Library', 'nginx.conf', 'User Authentication Service')." }, "version": { "type": "string", "description": "The version of the component, if applicable and known." }, "purl": { "type": "string", "description": "Package URL (PURL) for the component, highly recommended for software libraries and applications." }, "cpe": { "type": "string", "description": "Common Platform Enumeration (CPE) for the component." }, "componentType": { "type": "string", "enum": [ "SOFTWARE_LIBRARY", "APPLICATION_MODULE", "EXECUTABLE_FILE", "OPERATING_SYSTEM", "HARDWARE_DEVICE", "FIRMWARE", "CONTAINER_IMAGE", "CONFIGURATION_FILE", "SERVICE_ENDPOINT", "NETWORK_INFRASTRUCTURE_DEVICE", "CLOUD_SERVICE_COMPONENT", "DATA_STORE_INSTANCE", "PROTOCOL_SPECIFICATION", "OTHER_COMPONENT" ], "description": "The general type or category of the component. See Appendix O: `AffectedComponent.componentType` - Definitions for details." }, "description": { "type": "string", "description": "Further details about the component and how it is affected by or involved in the vulnerability." }, "locations": { "type": "array", "items": { "$ref": "#/$defs/Location" }, "description": "Specific locations within or related to this component that are relevant to the vulnerability (e.g., a vulnerable function within a library identified by its Location object, a specific setting within a config file Location)." }, "evidenceRefs": { "type": "array", "items": { "type": "string", "format": "uuid", "pattern": "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$" }, "uniqueItems": true, "description": "An array of UUIDs referencing specific Evidence items (from the ExploitFlow's 'evidence' array) that are particularly relevant to this affected component." }, "customProperties": { "type": "object", "description": "A key-value map for custom data about this affected component.", "additionalProperties": true } }, "required": ["name", "componentType"], "additionalProperties": false, "patternProperties": { "^x-": {} } }, "Severity": { "type": "object", "description": "Represents the severity of the vulnerability, allowing for both qualitative assessment and quantitative scoring (e.g., CVSS).", "properties": { "level": { "type": "string", "enum": ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL", "NONE"], "description": "A qualitative severity level assigned to the vulnerability. See Appendix K: `Severity.level` - Definitions for details." }, "cvssV3_1": { "$ref": "#/$defs/CvssV3_1", "description": "CVSS v3.1 scoring details." }, "cvssV4_0": { "$ref": "#/$defs/CvssV4_0", "description": "CVSS v4.0 scoring details." }, "customScore": { "type": "object", "description": "Allows for representing scores from other scoring systems.", "properties": { "systemName": { "type": "string", "description": "Name of the custom scoring system (e.g., 'OWASP Risk Rating Methodology', 'Internal Risk Matrix v2')." }, "scoreValue": { "oneOf": [ { "type": "string" }, { "type": "number" } ], "description": "The score value itself, can be numeric or a qualitative string (e.g., 'High', 7.5)." }, "scoreDescription": { "type": "string", "description": "A brief description or interpretation of the custom score." } }, "required": ["systemName", "scoreValue"], "additionalProperties": false, "patternProperties": { "^x-": {} } }, "justification": { "type": "string", "description": "A textual rationale for the assigned severity level, especially if it deviates from calculated scores, or to provide context specific to the assessed environment." } }, "required": ["level"], "additionalProperties": false, "patternProperties": { "^x-": {} } }, "CvssV3_1": { "type": "object", "description": "Common Vulnerability Scoring System v3.1 details.", "properties": { "version": { "type": "string", "const": "3.1" }, "vectorString": { "type": "string", "pattern": "^CVSS:3\\.1/((AV:[NALP]/AC:[LH]/PR:[NLH]/UI:[NR]/S:[UC]/C:[NLH]/I:[NLH]/A:[NLH])(/[A-Za-z]+:[A-Za-z_]+)*)$", "description": "The full CVSS v3.1 vector string (e.g., 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H')." }, "baseScore": { "type": "number", "minimum": 0.0, "maximum": 10.0, "description": "The CVSS Base Score." }, "baseMetrics": { "type": "object", "description": "CVSS v3.1 Base Metric Group.", "properties": { "attackVector": {"type": "string", "enum": ["NETWORK", "ADJACENT_NETWORK", "LOCAL", "PHYSICAL"]}, "attackComplexity": {"type": "string", "enum": ["LOW", "HIGH"]}, "privilegesRequired": {"type": "string", "enum": ["NONE", "LOW", "HIGH"]}, "userInteraction": {"type": "string", "enum": ["NONE", "REQUIRED"]}, "scope": {"type": "string", "enum": ["UNCHANGED", "CHANGED"]}, "confidentialityImpact": {"type": "string", "enum": ["NONE", "LOW", "HIGH"]}, "integrityImpact": {"type": "string", "enum": ["NONE", "LOW", "HIGH"]}, "availabilityImpact": {"type": "string", "enum": ["NONE", "LOW", "HIGH"]} }, "required": ["attackVector", "attackComplexity", "privilegesRequired", "userInteraction", "scope", "confidentialityImpact", "integrityImpact", "availabilityImpact"] }, "temporalScore": { "type": "number", "minimum": 0.0, "maximum": 10.0, "description": "The CVSS Temporal Score." }, "temporalMetrics": { "type": "object", "description": "CVSS v3.1 Temporal Metric Group.", "properties": { "exploitCodeMaturity": {"type": "string", "enum": ["UNPROVEN", "PROOF_OF_CONCEPT", "FUNCTIONAL", "HIGH", "NOT_DEFINED"]}, "remediationLevel": {"type": "string", "enum": ["OFFICIAL_FIX", "TEMPORARY_FIX", "WORKAROUND", "UNAVAILABLE", "NOT_DEFINED"]}, "reportConfidence": {"type": "string", "enum": ["UNKNOWN", "REASONABLE", "CONFIRMED", "NOT_DEFINED"]} } }, "environmentalScore": { "type": "number", "minimum": 0.0, "maximum": 10.0, "description": "The CVSS Environmental Score." }, "environmentalMetrics": { "type": "object", "description": "CVSS v3.1 Environmental Metric Group.", "properties": { "confidentialityRequirement": {"type": "string", "enum": ["LOW", "MEDIUM", "HIGH", "NOT_DEFINED"]}, "integrityRequirement": {"type": "string", "enum": ["LOW", "MEDIUM", "HIGH", "NOT_DEFINED"]}, "availabilityRequirement": {"type": "string", "enum": ["LOW", "MEDIUM", "HIGH", "NOT_DEFINED"]}, "modifiedAttackVector": {"type": "string", "enum": ["NETWORK", "ADJACENT_NETWORK", "LOCAL", "PHYSICAL", "NOT_DEFINED"]}, "modifiedAttackComplexity": {"type": "string", "enum": ["LOW", "HIGH", "NOT_DEFINED"]}, "modifiedPrivilegesRequired": {"type": "string", "enum": ["NONE", "LOW", "HIGH", "NOT_DEFINED"]}, "modifiedUserInteraction": {"type": "string", "enum": ["NONE", "REQUIRED", "NOT_DEFINED"]}, "modifiedScope": {"type": "string", "enum": ["UNCHANGED", "CHANGED", "NOT_DEFINED"]}, "modifiedConfidentialityImpact": {"type": "string", "enum": ["NONE", "LOW", "HIGH", "NOT_DEFINED"]}, "modifiedIntegrityImpact": {"type": "string", "enum": ["NONE", "LOW", "HIGH", "NOT_DEFINED"]}, "modifiedAvailabilityImpact": {"type": "string", "enum": ["NONE", "LOW", "HIGH", "NOT_DEFINED"]} } } }, "required": ["version", "vectorString", "baseScore", "baseMetrics"], "additionalProperties": false }, "CvssV4_0": { "type": "object", "description": "Common Vulnerability Scoring System v4.0 details.", "properties": { "version": { "type": "string", "const": "4.0" }, "vectorString": { "type": "string", "pattern": "^CVSS:4\\.0/AV:[NALP]/AC:[LH]/AT:[NP]/PR:[NLH]/UI:[NPA]/VC:[NLH]/VI:[NLH]/VA:[NLH]/SC:[NLH]/SI:[NLH]/SA:[NLH](?:/E:[APU])?(?:/CR:[LMH])?(?:/IR:[LMH])?(?:/AR:[LMH])?(?:/MAV:[NALP])?(?:/MAC:[LH])?(?:/MAT:[NP])?(?:/MPR:[NLH])?(?:/MUI:[NPA])?(?:/MVC:[NLH])?(?:/MVI:[NLH])?(?:/MVA:[NLH])?(?:/MSC:[NLH])?(?:/MSI:[NLH])?(?:/MSA:[NLH])?(?:/S:[NP])?(?:/AU:[YN])?(?:/R:[AIU])?(?:/V:[CD])?(?:/RE:[LMH])?(?:/U:(?:Clear|Green|Amber|Red))?(/[A-Za-z0-9_]+:[A-Za-z0-9_]+)*$", "description": "The full CVSS v4.0 vector string." }, "baseScore": { "type": "number", "minimum": 0.0, "maximum": 10.0, "description": "CVSS v4.0 Base Score (CVSS-B)." }, "threatScore": { "type": "number", "minimum": 0.0, "maximum": 10.0, "description": "CVSS v4.0 Threat Score (CVSS-BT)." }, "environmentalScore": { "type": "number", "minimum": 0.0, "maximum": 10.0, "description": "CVSS v4.0 Environmental Score (CVSS-BE)." }, "baseMetrics": { "type": "object", "description": "CVSS v4.0 Base (Exploitability and Impact) Metric Group.", "properties": { "attackVector": {"type": "string", "enum": ["NETWORK", "ADJACENT", "LOCAL", "PHYSICAL"]}, "attackComplexity": {"type": "string", "enum": ["LOW", "HIGH"]}, "attackRequirements": {"type": "string", "enum": ["NONE", "PRESENT"]}, "privilegesRequired": {"type": "string", "enum": ["NONE", "LOW", "HIGH"]}, "userInteraction": {"type": "string", "enum": ["NONE", "PASSIVE", "ACTIVE"]}, "vulnerableSystemConfidentiality": {"type": "string", "enum": ["HIGH", "LOW", "NONE"]}, "vulnerableSystemIntegrity": {"type": "string", "enum": ["HIGH", "LOW", "NONE"]}, "vulnerableSystemAvailability": {"type": "string", "enum": ["HIGH", "LOW", "NONE"]}, "subsequentSystemConfidentiality": {"type": "string", "enum": ["HIGH", "LOW", "NONE"]}, "subsequentSystemIntegrity": {"type": "string", "enum": ["HIGH", "LOW", "NONE"]}, "subsequentSystemAvailability": {"type": "string", "enum": ["HIGH", "LOW", "NONE"]} }, "required": ["attackVector", "attackComplexity", "attackRequirements", "privilegesRequired", "userInteraction", "vulnerableSystemConfidentiality", "vulnerableSystemIntegrity", "vulnerableSystemAvailability", "subsequentSystemConfidentiality", "subsequentSystemIntegrity", "subsequentSystemAvailability"] }, "threatMetrics": { "type": "object", "description": "CVSS v4.0 Threat Metric Group.", "properties": { "exploitMaturity": {"type": "string", "enum": ["ATTACKED", "PROOF_OF_CONCEPT", "UNREPORTED", "NOT_DEFINED"]} } }, "environmentalMetrics": { "type": "object", "description": "CVSS v4.0 Environmental Metric Group.", "properties": { "confidentialityRequirement": {"type": "string", "enum": ["HIGH", "MEDIUM", "LOW", "NOT_DEFINED"]}, "integrityRequirement": {"type": "string", "enum": ["HIGH", "MEDIUM", "LOW", "NOT_DEFINED"]}, "availabilityRequirement": {"type": "string", "enum": ["HIGH", "MEDIUM", "LOW", "NOT_DEFINED"]}, "modifiedAttackVector": {"type": "string", "enum": ["NETWORK", "ADJACENT", "LOCAL", "PHYSICAL", "NOT_DEFINED"]}, "modifiedAttackComplexity": {"type": "string", "enum": ["LOW", "HIGH", "NOT_DEFINED"]}, "modifiedAttackRequirements": {"type": "string", "enum": ["NONE", "PRESENT", "NOT_DEFINED"]}, "modifiedPrivilegesRequired": {"type": "string", "enum": ["NONE", "LOW", "HIGH", "NOT_DEFINED"]}, "modifiedUserInteraction": {"type": "string", "enum": ["NONE", "PASSIVE", "ACTIVE", "NOT_DEFINED"]}, "modifiedVulnerableSystemConfidentiality": {"type": "string", "enum": ["HIGH", "LOW", "NONE", "NOT_DEFINED"]}, "modifiedVulnerableSystemIntegrity": {"type": "string", "enum": ["HIGH", "LOW", "NONE", "NOT_DEFINED"]}, "modifiedVulnerableSystemAvailability": {"type": "string", "enum": ["HIGH", "LOW", "NONE", "NOT_DEFINED"]}, "modifiedSubsequentSystemConfidentiality": {"type": "string", "enum": ["HIGH", "LOW", "NONE", "NOT_DEFINED"]}, "modifiedSubsequentSystemIntegrity": {"type": "string", "enum": ["HIGH", "LOW", "NONE", "NOT_DEFINED"]}, "modifiedSubsequentSystemAvailability": {"type": "string", "enum": ["HIGH", "LOW", "NONE", "NOT_DEFINED"]} } }, "supplementalMetrics": { "type": "object", "description": "CVSS v4.0 Supplemental Metric Group.", "properties": { "safety": {"type": "string", "enum": ["NEGLIGIBLE", "PRESENT", "NOT_DEFINED"]}, "automatable": {"type": "string", "enum": ["YES", "NO", "NOT_DEFINED"]}, "recovery": {"type": "string", "enum": ["AUTOMATIC", "USER", "IRRECOVERABLE", "NOT_DEFINED"]}, "valueDensity": {"type": "string", "enum": ["DIFFUSE", "CONCENTRATED", "NOT_DEFINED"]}, "vulnerabilityResponseEffort": {"type": "string", "enum": ["LOW", "MODERATE", "HIGH", "NOT_DEFINED"]}, "providerUrgency": {"type": "string", "enum": ["CLEAR", "GREEN", "AMBER", "RED", "NOT_DEFINED"]} } } }, "required": ["version", "vectorString", "baseScore", "baseMetrics"], "additionalProperties": false }, "Evidence": { "type": "object", "description": "A single piece of evidence supporting the vulnerability claim, detailing what was observed and how it proves exploitability.", "properties": { "id": { "type": "string", "format": "uuid", "pattern": "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$", "description": "(Optional) A UUID uniquely identifying this evidence item. Useful for linking from TraceSteps or AffectedComponents." }, "evidenceType": { "type": "string", "enum": [ "HTTP_REQUEST_LOG", "HTTP_RESPONSE_LOG", "CODE_SNIPPET_SOURCE", "CODE_SNIPPET_SINK", "CODE_SNIPPET_CONTEXT", "POC_SCRIPT", "RUNTIME_APPLICATION_LOG_ENTRY", "RUNTIME_SYSTEM_LOG_ENTRY", "RUNTIME_WEB_SERVER_LOG_ENTRY", "RUNTIME_DATABASE_LOG_ENTRY", "RUNTIME_DEBUGGER_OUTPUT", "RUNTIME_EXCEPTION_TRACE", "SCREENSHOT_URL", "SCREENSHOT_EMBEDDED_BASE64", "MANUAL_VERIFICATION_NOTES", "TEST_PAYLOAD_USED", "ENVIRONMENT_CONFIGURATION_DETAILS", "NETWORK_TRAFFIC_CAPTURE_SUMMARY", "STATIC_ANALYSIS_DATA_FLOW_PATH", "STATIC_ANALYSIS_CONTROL_FLOW_GRAPH", "CONFIGURATION_FILE_SNIPPET", "VULNERABLE_COMPONENT_SCAN_OUTPUT", "MISSING_ARTIFACT_VERIFICATION", "OBSERVED_BEHAVIORAL_CHANGE", "DATABASE_STATE_CHANGE_PROOF", "FILE_SYSTEM_CHANGE_PROOF", "COMMAND_EXECUTION_OUTPUT", "EXFILTRATED_DATA_SAMPLE", "SESSION_INFORMATION_LEAK", "EXTERNAL_INTERACTION_PROOF", "DIFFERENTIAL_ANALYSIS_RESULT", "TOOL_SPECIFIC_OUTPUT_LOG", "OTHER_EVIDENCE" ], "description": "The type of evidence provided. The structure of the 'data' field depends on this type. See Appendix Q: `Evidence.evidenceType` - Definitions, Usage, and Data Structure Summaries for details." }, "validationMethod": { "type": "string", "enum": [ "STATIC_ANALYSIS_VALIDATION", "DYNAMIC_ANALYSIS_EXPLOIT", "INTERACTIVE_APPLICATION_SECURITY_TESTING_EXPLOIT", "MANUAL_CODE_REVIEW_CONFIRMATION", "MANUAL_PENETRATION_TESTING_EXPLOIT", "AUTOMATED_EXPLOIT_TOOL_CONFIRMATION", "SOFTWARE_COMPOSITION_ANALYSIS_CONTEXTUAL_VALIDATION", "FUZZ_TESTING_CRASH_ANALYSIS", "REVERSE_ENGINEERING_PROOF", "CONFIGURATION_AUDIT_VERIFICATION", "LOG_ANALYSIS_CORRELATION", "HYBRID_VALIDATION", "OTHER_VALIDATION_METHOD" ], "description": "The primary method used to obtain or validate this specific piece of evidence as proof of exploitability. See Appendix P: `Evidence.validationMethod` - Definitions for details." }, "description": { "type": "string", "description": "A human-readable summary of this evidence item, explaining what it demonstrates and its significance in proving the vulnerability's exploitability." }, "timestamp": { "type": "string", "format": "date-time", "description": "Timestamp of when this evidence was captured, observed, or generated, in ISO 8601 format." }, "data": { "$ref": "#/$defs/EvidenceDataVariant", "description": "Structured data specific to the evidenceType. The schema for this object is determined by the value of 'evidenceType'." }, "customProperties": { "type": "object", "description": "A key-value map for custom data related to this evidence item.", "additionalProperties": true } }, "required": ["evidenceType", "description", "data"], "additionalProperties": false, "patternProperties": { "^x-": {} } }, "EvidenceDataVariant": { "description": "A container that uses 'oneOf' to ensure that the 'data' field of an Evidence object matches the structure defined for its 'evidenceType'.", "oneOf": [ { "$ref": "#/$defs/HttpRequestLogData" }, { "$ref": "#/$defs/HttpResponseLogData" }, { "$ref": "#/$defs/CodeSnippetData" }, { "$ref": "#/$defs/PocScriptData" }, { "$ref": "#/$defs/RuntimeLogEntryData" }, { "$ref": "#/$defs/DebuggerOutputData" }, { "$ref": "#/$defs/ExceptionTraceData" }, { "$ref": "#/$defs/ScreenshotUrlData" }, { "$ref": "#/$defs/ScreenshotEmbeddedData" }, { "$ref": "#/$defs/ManualVerificationData" }, { "$ref": "#/$defs/TestPayloadData" }, { "$ref": "#/$defs/EnvironmentConfigData" }, { "$ref": "#/$defs/NetworkCaptureSummaryData" }, { "$ref": "#/$defs/StaticAnalysisPathData" }, { "$ref": "#/$defs/StaticAnalysisGraphData" }, { "$ref": "#/$defs/ConfigFileSnippetData" }, { "$ref": "#/$defs/ScaOutputData" }, { "$ref": "#/$defs/MissingArtifactData" }, { "$ref": "#/$defs/ObservedBehaviorData" }, { "$ref": "#/$defs/DbStateChangeData" }, { "$ref": "#/$defs/FsChangeData" }, { "$ref": "#/$defs/CommandOutputData" }, { "$ref": "#/$defs/ExfiltratedDataSampleData" }, { "$ref": "#/$defs/SessionInfoLeakData" }, { "$ref": "#/$defs/ExternalInteractionProofData" }, { "$ref": "#/$defs/DifferentialAnalysisData" }, { "$ref": "#/$defs/ToolSpecificOutputData" }, { "$ref": "#/$defs/OtherEvidenceData" } ] }, "HttpHeader": { "type": "object", "properties": { "name": {"type": "string"}, "value": {"type": "string"} }, "required": ["name", "value"] }, "HttpRequestLogData": { "type": "object", "description": "Structured data for evidenceType: HTTP_REQUEST_LOG.", "properties": { "method": {"type": "string", "enum": ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS", "HEAD", "CONNECT", "TRACE", "OTHER"], "description": "HTTP method used."}, "url": {"type": "string", "format": "uri-reference", "description": "Full URL of the request, including query parameters."}, "version": {"type": "string", "description": "HTTP version (e.g., 'HTTP/1.1', 'HTTP/2')."}, "headers": { "type": "array", "items": {"$ref": "#/$defs/HttpHeader"}, "description": "HTTP request headers." }, "body": {"type": "string", "description": "Request body. For binary data, SHOULD be Base64 encoded and indicated by 'bodyEncoding'."}, "bodyEncoding": {"type": "string", "enum": ["plaintext", "base64", "json", "xml", "form_urlencoded"], "default": "plaintext", "description": "Encoding of the request body."} }, "required": ["method", "url"], "additionalProperties": false, "patternProperties": {"^x-": {}} }, "HttpResponseLogData": { "type": "object", "description": "Structured data for evidenceType: HTTP_RESPONSE_LOG.", "properties": { "url": {"type": "string", "format": "uri-reference", "description": "URL that generated this response (useful for context if not immediately paired with a request log)."}, "statusCode": {"type": "integer", "description": "HTTP status code (e.g., 200, 404, 500)."}, "reasonPhrase": {"type": "string", "description": "HTTP reason phrase (e.g., 'OK', 'Not Found')."}, "version": {"type": "string", "description": "HTTP version (e.g., 'HTTP/1.1', 'HTTP/2')."}, "headers": { "type": "array", "items": {"$ref": "#/$defs/HttpHeader"}, "description": "HTTP response headers." }, "body": {"type": "string", "description": "Response body. For binary data, SHOULD be Base64 encoded and indicated by 'bodyEncoding'."}, "bodyEncoding": {"type": "string", "enum": ["plaintext", "base64", "json", "xml", "html"], "default": "plaintext", "description": "Encoding of the response body."} }, "required": ["statusCode"], "additionalProperties": false, "patternProperties": {"^x-": {}} }, "CodeSnippetData": { "type": "object", "description": "Structured data for evidenceType: CODE_SNIPPET_SOURCE, CODE_SNIPPET_SINK, or CODE_SNIPPET_CONTEXT.", "properties": { "content": {"type": "string", "description": "The actual code snippet."}, "language": {"type": "string", "description": "Programming language of the snippet (e.g., 'java', 'python', 'javascript', 'csharp', 'php', 'ruby', 'go', 'swift', 'kotlin', 'c', 'cpp')."}, "filePath": {"type": "string", "description": "Path to the source file containing this snippet, if different from the primary location associated with the flow."}, "startLine": {"type": "integer", "minimum": 1, "description": "One-based starting line number of the snippet in the file."}, "endLine": {"type": "integer", "minimum": 1, "description": "One-based ending line number of the snippet in the file."} }, "required": ["content"], "additionalProperties": false, "patternProperties": {"^x-": {}} }, "PocScriptData": { "type": "object", "description": "Structured data for evidenceType: POC_SCRIPT.", "properties": { "scriptLanguage": {"type": "string", "description": "Language of the PoC script (e.g., 'python', 'bash', 'powershell', 'javascript', 'ruby', 'text/plain' for step-by-step instructions, 'markdown')."}, "scriptContent": {"type": "string", "description": "The content of the PoC script or textual steps to reproduce."}, "scriptArguments": {"type": "array", "items": {"type": "string"}, "description": "Arguments or parameters the script might require to run, or placeholder explanations for what the user should input."}, "expectedOutcome": {"type": "string", "description": "What the script is expected to achieve or demonstrate (e.g., 'A file /tmp/pwned will be created', 'An alert box will appear')."} }, "required": ["scriptLanguage", "scriptContent"], "additionalProperties": false, "patternProperties": {"^x-": {}} }, "RuntimeLogEntryData": { "type": "object", "description": "Structured data for evidenceType: RUNTIME_APPLICATION_LOG_ENTRY, RUNTIME_SYSTEM_LOG_ENTRY, RUNTIME_WEB_SERVER_LOG_ENTRY, RUNTIME_DATABASE_LOG_ENTRY.", "properties": { "logSourceIdentifier": {"type": "string", "description": "Identifier for the log source (e.g., file path like '/var/log/app.log', 'Windows Event Log - Application', 'stdout', 'Kubernetes Pod Log: mypod-123')."}, "timestampInLog": {"type": "string", "format": "date-time", "description": "Timestamp as it appears in the log entry itself, if available and different from the evidence capture timestamp."}, "logLevel": {"type": "string", "description": "Log level if applicable (e.g., 'INFO', 'ERROR', 'DEBUG', 'WARN', 'FATAL')."}, "threadId": {"type": "string", "description": "Thread ID associated with the log entry, if applicable."}, "processId": {"type": "string", "description": "Process ID associated with the log entry, if applicable."}, "componentName": {"type": "string", "description": "Name of the application component or module that generated the log."}, "message": {"type": "string", "description": "The primary log message content."}, "structuredLogData": { "type": "object", "additionalProperties": true, "description": "Key-value pairs for structured log entries (e.g., from JSON formatted logs)." } }, "required": ["message"], "additionalProperties": false, "patternProperties": {"^x-": {}} }, "DebuggerOutputData": { "type": "object", "description": "Structured data for evidenceType: RUNTIME_DEBUGGER_OUTPUT.", "properties": { "debuggerName": {"type": "string", "description": "Name of the debugger used (e.g., 'GDB', 'WinDbg', 'Chrome DevTools', 'pdb')."}, "timestampInDebugger": {"type": "string", "format": "date-time", "description": "Timestamp of the debugger state capture."}, "commandExecuted": {"type": "string", "description": "Debugger command that yielded this output (e.g., 'print variable_x', 'bt', 'info registers')."}, "output": {"type": "string", "description": "The raw output from the debugger command or state dump."}, "callStack": { "type": "array", "items": {"type": "string"}, "description": "Array of strings representing the call stack frames at the point of interest." }, "variableStates": { "type": "array", "items": { "type": "object", "properties": { "name": {"type": "string"}, "value": {"type": "string"}, "type": {"type": "string"}, "address": {"type": "string"} }, "required": ["name", "value"] }, "description": "State of relevant variables (name, value, type, memory address) at the time of capture." } }, "required": ["output"], "additionalProperties": false, "patternProperties": {"^x-": {}} }, "ExceptionTraceData": { "type": "object", "description": "Structured data for evidenceType: RUNTIME_EXCEPTION_TRACE.", "properties": { "exceptionClass": {"type": "string", "description": "The class or type name of the exception that was thrown (e.g., 'java.sql.SQLSyntaxErrorException', 'NullPointerException', 'System.IO.PathTooLongException')."}, "exceptionMessage": {"type": "string", "description": "The message associated with the exception (e.g., 'ORA-00904: invalid identifier', 'Attempt to dereference a null object')."}, "stackTrace": { "type": "array", "items": {"type": "string"}, "description": "An ordered array of strings, each representing a frame in the call stack at the time the exception occurred. The format of each frame string may vary by language/platform but should be as detailed as possible (e.g., 'com.example.MyClass.myMethod(MyClass.java:42)')." }, "rootCause": { "$ref": "#/$defs/ExceptionTraceData", "description": "Nested exception trace object for the root cause, if the exception handling framework provides this (common in Java, .NET)." } }, "required": ["exceptionClass", "stackTrace"], "additionalProperties": false, "patternProperties": {"^x-": {}} }, "ScreenshotUrlData": { "type": "object", "description": "Structured data for evidenceType: SCREENSHOT_URL.", "properties": { "url": {"type": "string", "format": "uri", "description": "URL pointing to the screenshot image."}, "caption": {"type": "string", "description": "A brief caption describing what the screenshot shows."}, "requiresAuthentication": {"type": "boolean", "default": false, "description": "Indicates if accessing the URL requires authentication."} }, "required": ["url"], "additionalProperties": false, "patternProperties": {"^x-": {}} }, "ScreenshotEmbeddedData": { "type": "object", "description": "Structured data for evidenceType: SCREENSHOT_EMBEDDED_BASE64.", "properties": { "imageDataBase64": {"type": "string", "contentEncoding": "base64", "description": "Base64 encoded string of the image data."}, "imageFormat": {"type": "string", "enum": ["png", "jpeg", "gif", "bmp", "webp"], "description": "Format of the embedded image (e.g., 'png', 'jpeg')."}, "caption": {"type": "string", "description": "A brief caption describing what the screenshot shows."} }, "required": ["imageDataBase64", "imageFormat"], "additionalProperties": false, "patternProperties": {"^x-": {}} }, "ManualVerificationData": { "type": "object", "description": "Structured data for evidenceType: MANUAL_VERIFICATION_NOTES.", "properties": { "testerName": {"type": "string", "description": "Name or identifier of the person who performed the manual verification."}, "verificationSteps": {"type": "string", "description": "Detailed step-by-step account of how the vulnerability was manually verified. Markdown is permitted for rich text formatting."}, "observedOutcome": {"type": "string", "description": "The outcome observed during manual verification that confirms exploitability."}, "toolsUsed": {"type": "array", "items": {"type": "string"}, "description": "List of tools used during manual verification (e.g., 'Burp Suite Professional v2023.10', 'curl 7.81.0', 'Browser Developer Tools (Firefox 115)')."} }, "required": ["verificationSteps", "observedOutcome"], "additionalProperties": false, "patternProperties": {"^x-": {}} }, "TestPayloadData": { "type": "object", "description": "Structured data for evidenceType: TEST_PAYLOAD_USED.", "properties": { "payloadDescription": {"type": "string", "description": "A description of the payload and its intended effect."}, "payloadContent": {"type": "string", "description": "The actual payload string or data. For binary payloads, Base64 encoding is recommended, indicated by 'payloadEncoding'."}, "payloadEncoding": {"type": "string", "enum": ["plaintext", "base64", "hex", "urlencoded", "utf16le", "utf16be", "json_escaped", "xml_escaped", "custom"], "default": "plaintext", "description": "Encoding of the payloadContent. 'custom' implies description in payloadDescription."}, "targetParameterOrLocation": {"type": "string", "description": "The specific parameter, HTTP header, input field, file, or other location where this payload was injected or applied (e.g., 'HTTP GET parameter id', 'JSON body field user.name', 'File upload field avatar.filename')."} }, "required": ["payloadContent"], "additionalProperties": false, "patternProperties": {"^x-": {}} }, "EnvironmentConfigData": { "type": "object", "description": "Structured data for evidenceType: ENVIRONMENT_CONFIGURATION_DETAILS. Describes specific environmental conditions that were necessary for or contributed to the exploit.", "properties": { "operatingSystem": {"type": "string", "description": "Operating system name and version (e.g., 'Ubuntu 22.04 LTS', 'Windows Server 2019 Datacenter Build 17763')."}, "softwareStack": { "type": "array", "items": { "type": "object", "properties": { "name": {"type": "string"}, "version": {"type": "string"}, "purl": {"type": "string"} }, "required": ["name"] }, "description": "List of relevant software components and their versions (e.g., web server, application server, database, key libraries) that constitute the environment." }, "networkConfiguration": {"type": "string", "description": "Relevant network configuration details (e.g., 'Target server in DMZ, firewall rule X allows inbound on port 443', 'Internal DNS resolution for serviceX.internal.corp')."}, "hardwareDetails": {"type": "string", "description": "Specific hardware details if relevant to the exploit (e.g., 'CPU Architecture: x86_64', 'Specific IoT device model: XYZ-123 Rev B')."}, "relevantSettings": { "type": "array", "items": { "type": "object", "properties": { "settingName": {"type": "string"}, "settingValue": {"type": "string"}, "sourceDescription": {"type": "string", "description": "Where this setting was found or how it was determined (e.g., 'Environment Variable: DEBUG_MODE', 'Application config file: /app/config/settings.ini', 'OS Registry Key: HKLM\\...')."} }, "required": ["settingName"] }, "description": "Key-value pairs of specific configuration settings relevant to the exploit." }, "notes": {"type": "string", "description": "Additional notes about how the environment contributed to or was necessary for the exploit (e.g., 'Exploit only works if feature flag X is enabled', 'Vulnerability requires specific non-default OS patch level')."} }, "additionalProperties": false, "patternProperties": {"^x-": {}} }, "NetworkCaptureSummaryData": { "type": "object", "description": "Structured data for evidenceType: NETWORK_TRAFFIC_CAPTURE_SUMMARY. Describes key aspects of a network capture, not the full capture itself.", "properties": { "captureTool": {"type": "string", "description": "Tool used for capturing traffic (e.g., 'Wireshark 4.0.1', 'tcpdump 4.9.3')."}, "captureFilterApplied": {"type": "string", "description": "Capture filter used (e.g., 'host 10.0.0.5 and port 443', 'tcp port 80 and contains \"password\"')."}, "relevantPacketsDescription": { "type": "array", "items": {"type": "string"}, "description": "Textual descriptions of key packets or sequences of packets relevant to the exploit (e.g., 'Packet 5: Initial handshake', 'Packets 10-12: Data exfiltration containing pattern XXX')." }, "exchangedDataSummary": {"type": "string", "description": "A summary of any sensitive data or exploit payloads observed in the traffic (should be sanitized if including actual data)."}, "referenceToFullCapture": {"type": "string", "description": "An identifier, path, or note on where the full network capture (e.g., PCAP file) is stored, if applicable and too large to include directly. This might be an internal reference."} }, "required": ["relevantPacketsDescription"], "additionalProperties": false, "patternProperties": {"^x-": {}} }, "StaticAnalysisPathData": { "type": "object", "description": "Structured data for evidenceType: STATIC_ANALYSIS_DATA_FLOW_PATH. Represents a tainted data flow path identified by static analysis and confirmed as relevant to the validated exploit.", "properties": { "toolName": {"type": "string", "description": "Name of the SAST tool that originally identified this path."}, "queryOrRuleId": {"type": "string", "description": "Identifier of the SAST query or rule that found this path."}, "pathNodes": { "type": "array", "minItems": 2, "items": { "type": "object", "properties": { "order": {"type": "integer", "minimum": 0, "description": "Sequence order of this node in the path."}, "location": {"$ref": "#/$defs/Location", "description": "The code location of this node."}, "description": {"type": "string", "description": "Description of this node in the data flow path (e.g., 'Input from HTTP request parameter `id`', 'Data passed to `sanitizeUserInput()`', 'Unsanitized data used in SQL query construction')."} }, "required": ["order", "location", "description"] }, "description": "An ordered array of nodes representing the data flow path from source to sink." } }, "required": ["pathNodes"], "additionalProperties": false, "patternProperties": {"^x-": {}} }, "StaticAnalysisGraphData": { "type": "object", "description": "Structured data for evidenceType: STATIC_ANALYSIS_CONTROL_FLOW_GRAPH or other graph-based static analysis evidence (e.g., call graph, data dependency graph).", "properties": { "toolName": {"type": "string", "description": "Name of the SAST tool or analysis technique that produced the graph."}, "graphType": {"type": "string", "enum": ["CONTROL_FLOW", "CALL_GRAPH", "DATA_DEPENDENCE_GRAPH", "PROGRAM_DEPENDENCE_GRAPH", "OTHER"], "description": "Type of graph represented."}, "functionNameOrScope": {"type": "string", "description": "Name of the function or scope this graph pertains to."}, "graphDescription": {"type": "string", "description": "A summary of what the graph or its relevant portion demonstrates in relation to the vulnerability."}, "relevantNodesOrEdges": { "type": "array", "items": { "type": "object", "properties": { "elementType": {"type": "string", "enum": ["NODE", "EDGE"]}, "elementId": {"type": "string", "description": "Identifier for the node or edge within the graph representation."}, "description": {"type": "string", "description": "Description of the node/edge's significance."} }, "required": ["elementType", "elementId", "description"] }, "description": "Descriptions of specific nodes or edges in the graph that are key to the evidence." }, "imageOfGraphUrl": {"type": "string", "format": "uri", "description": "URL to an image or visual representation of the graph, if available and helpful."} }, "required": ["graphType", "graphDescription"], "additionalProperties": false, "patternProperties": {"^x-": {}} }, "ConfigFileSnippetData": { "type": "object", "description": "Structured data for evidenceType: CONFIGURATION_FILE_SNIPPET.", "properties": { "filePath": {"type": "string", "description": "Full path to the configuration file."}, "settingName": {"type": "string", "description": "Name of the specific setting or section if applicable (e.g., 'debug_mode', 'allowed_origins', 'security.protocol.version')."}, "snippet": {"type": "string", "description": "The relevant snippet from the configuration file."}, "interpretation": {"type": "string", "description": "Explanation of why this configuration snippet is evidence of a vulnerability (e.g., 'Debug mode enabled in production environment', 'Missing HttpOnly flag on session cookie setting in web.xml')."} }, "required": ["filePath", "snippet"], "additionalProperties": false, "patternProperties": {"^x-": {}} }, "ScaOutputData": { "type": "object", "description": "Structured data for evidenceType: VULNERABLE_COMPONENT_SCAN_OUTPUT. Summarizes output from an SCA tool identifying a vulnerable component.", "properties": { "toolName": {"type": "string", "description": "Name of the SCA tool or dependency checker used (e.g., 'OWASP Dependency-Check', 'Snyk', 'Trivy')."}, "componentIdentifier": { "type": "object", "properties": { "name": {"type": "string", "description": "Name of the component (e.g., 'org.apache.logging.log4j:log4j-core', 'lodash')."}, "version": {"type": "string", "description": "The version of the component found."}, "purl": {"type": "string", "description": "Package URL (PURL) of the component. Highly Recommended."}, "cpe": {"type": "string", "description": "Common Platform Enumeration (CPE) of the component."} }, "required": ["name", "version"], "description": "Details identifying the vulnerable component." }, "vulnerabilityIdentifiers": { "type": "array", "minItems": 1, "items": { "type": "object", "properties": { "idSystem": {"type": "string", "enum": ["CVE", "GHSA", "OSV", "NVD", "SNYK", "VENDOR_SPECIFIC", "OTHER"], "description": "The system/namespace of the vulnerability ID."}, "idValue": {"type": "string", "description": "The vulnerability ID itself (e.g., 'CVE-2021-44228', 'GHSA-jfh8-c2jp-5v3q')."} }, "required": ["idSystem", "idValue"] }, "description": "List of known vulnerability identifiers (e.g., CVEs) associated with this component version." }, "vulnerabilitySeverity": {"type": "string", "description": "Severity of the identified component vulnerability as reported by the scanner, NVD, or advisory (e.g., 'CRITICAL', 'HIGH'). This is the pre-validation severity."}, "details": {"type": "string", "description": "Additional details from the SCA tool, such as the path to the vulnerable library in the project, a link to the advisory, or specific notes about the finding from the tool."} }, "required": ["componentIdentifier", "vulnerabilityIdentifiers"], "additionalProperties": false, "patternProperties": {"^x-": {}} }, "MissingArtifactData": { "type": "object", "description": "Structured data for evidenceType: MISSING_ARTIFACT_VERIFICATION. Demonstrates the absence or incorrect configuration of a required security control, artifact, or setting.", "properties": { "artifactName": {"type": "string", "description": "Name or description of the missing security artifact (e.g., 'X-Frame-Options Header', 'Input Validation Routine for username parameter', 'CSRF Token Field in payment form')."}, "artifactType": {"type": "string", "description": "Type of artifact (e.g., 'HTTP_Security_Header', 'Security_Control_Function', 'Configuration_Setting', 'File', 'Process_Control')."}, "checkMethodDescription": {"type": "string", "description": "How the absence or misconfiguration of the artifact was verified (e.g., 'Reviewed HTTP response headers via curl for /login endpoint', 'Manual code review of login.php, line 42-50', 'Scanned server configuration for SSLProtocol directive using openssl s_client')."}, "expectedState": {"type": "string", "description": "The expected state, presence, or configuration of the artifact for secure operation (e.g., 'X-Frame-Options header should be present with value DENY or SAMEORIGIN', 'Username parameter should be validated against a whitelist pattern: ^[a-zA-Z0-9_]{3,16}$ and HTML-encoded before rendering.')."}, "observedState": {"type": "string", "description": "The observed state, confirming the absence or incorrect configuration (e.g., 'Header not present in response.', 'No input validation or output encoding found for parameter username in reviewed code.', 'CSRF token was not found in the form submission to /transfer_funds.')."} }, "required": ["artifactName", "expectedState", "observedState"], "additionalProperties": false, "patternProperties": {"^x-": {}} }, "ObservedBehaviorData": { "type": "object", "description": "Structured data for evidenceType: OBSERVED_BEHAVIORAL_CHANGE. Describes an observed change in application or system behavior indicative of exploitation.", "properties": { "actionPerformedToTrigger": {"type": "string", "description": "The action or sequence of actions performed by the tester/attacker that led to the observed behavior (e.g., 'Submitted payment form with negative quantity for item X', 'Accessed admin endpoint /api/deleteUser?id=123 with regular user session cookie')."}, "expectedBehavior": {"type": "string", "description": "What the application behavior should have been under normal, secure conditions in response to the action (e.g., 'Form submission should be rejected with an invalid quantity error', 'Access to admin endpoint /api/deleteUser should be denied with a 403 Forbidden error.')."}, "observedBehavior": {"type": "string", "description": "The actual behavior observed that indicates successful exploitation or a security weakness (e.g., 'Order was processed successfully, and a refund was issued for the negative quantity.', 'User ID 123 was successfully deleted from the system.', 'Webpage content was replaced with attacker-supplied HTML.')."}, "contextualNotes": {"type": "string", "description": "Any relevant context or notes that help understand the significance of the behavioral change or how it was observed (e.g., 'This demonstrates a business logic flaw in order processing.', 'Confirms privilege escalation from user to admin capabilities.')."} }, "required": ["actionPerformedToTrigger", "expectedBehavior", "observedBehavior"], "additionalProperties": false, "patternProperties": {"^x-": {}} }, "DbStateChangeData": { "type": "object", "description": "Structured data for evidenceType: DATABASE_STATE_CHANGE_PROOF. Shows changes to database state as evidence of exploitation.", "properties": { "databaseType": {"type": "string", "description": "Type of database (e.g., 'MySQL', 'PostgreSQL', 'Oracle', 'MongoDB')."}, "targetObjectDescription": {"type": "string", "description": "Description of the database object affected (e.g., 'users table, record where username=admin', 'products.price column for product_id=123', 'customer_audit_log table')."}, "stateBeforeExploit": {"type": "string", "description": "Description or snippet of the relevant database state before the exploit attempt (e.g., 'admin_user.password_hash = ', 'product_123.price = 19.99', 'customer_audit_log count = 5')."}, "actionTriggeringChange": {"type": "string", "description": "The action or exploit that was performed to cause the state change (e.g., 'SQL injection payload submitted via login form', 'API call to /updateProduct with manipulated price')."}, "stateAfterExploit": {"type": "string", "description": "Description or snippet of the database state after the exploit attempt, showing the malicious or unexpected change (e.g., 'admin_user.password_hash = ', 'product_123.price = 0.01', 'customer_audit_log count = 5 (no new entry for failed login due to injection)')."}, "queryUsedForVerification": {"type": "string", "description": "SQL query or method used to observe the database state before and/or after the exploit, if applicable."} }, "required": ["targetObjectDescription", "stateAfterExploit"], "additionalProperties": false, "patternProperties": {"^x-": {}} }, "FsChangeData": { "type": "object", "description": "Structured data for evidenceType: FILE_SYSTEM_CHANGE_PROOF. Shows creation, modification, deletion, or permission changes of files/directories.", "properties": { "filePath": {"type": "string", "description": "The full path to the file or directory affected on the target system."}, "changeType": {"type": "string", "enum": ["CREATION", "MODIFICATION", "DELETION", "PERMISSION_CHANGE", "READ_ACCESS"], "description": "Type of change observed on the file system artifact."}, "contentOrPermissionBefore": {"type": "string", "description": "Content snippet or permission state (e.g., 'rwxr-xr-x') before the change (if applicable and known)."}, "contentOrPermissionAfter": {"type": "string", "description": "Content snippet or permission state after the change (if applicable and known). For CREATION, this would be the new content/permissions. For DELETION, this might be 'File no longer exists'."}, "commandOrMethodUsed": {"type": "string", "description": "The command, payload, or method that caused this file system change (e.g., 'Path traversal payload in file upload', 'OS command injection: rm /tmp/important.file')."} }, "required": ["filePath", "changeType"], "additionalProperties": false, "patternProperties": {"^x-": {}} }, "ExfiltratedDataSampleData": { "type": "object", "description": "Structured data for evidenceType: EXFILTRATED_DATA_SAMPLE. Provides a sample of data confirmed to be exfiltrated from the target system.", "properties": { "dataDescription": {"type": "string", "description": "Description of the type of data exfiltrated (e.g., 'User credentials (usernames and password hashes)', 'Session cookies for active users', 'Partial PII records from customer database', 'Contents of /etc/shadow')."}, "dataSample": {"type": "string", "description": "A small, sanitized, and illustrative sample of the exfiltrated data. **Actual sensitive data SHOULD NOT be included directly unless absolutely necessary and with extreme caution/redaction.** Use placeholders or descriptions where possible (e.g., 'Format: username:hash - admin:$2a...', 'First 5 customer names: [UserA, UserB...]', 'Cookie: JSESSIONID=REDACTED_VALUE...')."}, "exfiltrationMethod": {"type": "string", "description": "How the data was exfiltrated (e.g., 'Via DNS query to attacker-controlled server', 'HTTP POST to external endpoint', 'Written to web-accessible file and downloaded', 'Blind SQLi time-based character extraction')."}, "destinationIndicator": {"type": "string", "description": "Indicator of the exfiltration destination, if known (e.g., 'Attacker domain: evil-collector.com', 'IP: 1.2.3.4', 'Web shell URL: /uploads/shell.php?cmd=cat /etc/passwd')."} }, "required": ["dataDescription", "dataSample"], "additionalProperties": false, "patternProperties": {"^x-": {}} }, "SessionInfoLeakData": { "type": "object", "description": "Structured data for evidenceType: SESSION_INFORMATION_LEAK. Details the leakage of sensitive session-related information.", "properties": { "leakedInformationType": {"type": "string", "description": "Type of session information leaked (e.g., 'SessionID Cookie Value', 'CSRF Token in URL Parameter', 'Authorization Bearer Token in Logs', 'User-specific API Key in Referer Header')."}, "leakedDataSample": {"type": "string", "description": "The leaked session data itself (should be illustrative or partially masked if highly sensitive, e.g., 'JSESSIONID=ABC...XYZ', 'token=REDACTED...DEF')."}, "exposureContextDescription": {"type": "string", "description": "How and where the session information was exposed (e.g., 'Observed in Referer header sent to third-party analytics domain', 'Found in browser history due to GET request parameters', 'Logged in plaintext in application debug logs accessible to lower-privileged users')."}, "potentialImpact": {"type": "string", "description": "The potential impact of this leak (e.g., 'Session hijacking of victim user accounts', 'CSRF attack facilitation', 'Unauthorized API access using leaked token')."} }, "required": ["leakedInformationType", "leakedDataSample", "exposureContextDescription"], "additionalProperties": false, "patternProperties": {"^x-": {}} }, "DifferentialAnalysisData": { "type": "object", "description": "Structured data for evidenceType: DIFFERENTIAL_ANALYSIS_RESULT. Compares outcomes of different interaction attempts to demonstrate a vulnerability (e.g., for authorization bypasses, timing attacks).", "properties": { "baselineRequestDescription": {"type": "string", "description": "Description of the baseline or control request/action (e.g., 'Request to /api/resource/123 with low-privilege user session')."}, "baselineResponseOrOutcomeSummary": {"type": "string", "description": "Summary of the response or outcome for the baseline request/action (e.g., 'Received HTTP 403 Forbidden', 'System processed request normally without error')."}, "modifiedRequestOrActionDescription": {"type": "string", "description": "Description of the modified request or action that demonstrates the vulnerability (e.g., 'Same request to /api/resource/123 with low-privilege user session but with X-Original-User-ID header set to admin', 'Request to /api/resource/123 with slightly different timing for parameter X')."}, "modifiedResponseOrOutcomeSummary": {"type": "string", "description": "Summary of the response or outcome for the modified request/action, showing the exploit (e.g., 'Received HTTP 200 OK with resource 123 data', 'System response time was 500ms slower, indicating processing of privileged data')."}, "analysisOfDifference": {"type": "string", "description": "Explanation of how the difference in outcomes demonstrates the vulnerability (e.g., 'The presence of X-Original-User-ID header bypassed authorization checks.', 'The timing difference suggests a time-based oracle for data extraction.')."} }, "required": ["baselineRequestDescription", "baselineResponseOrOutcomeSummary", "modifiedRequestOrActionDescription", "modifiedResponseOrOutcomeSummary", "analysisOfDifference"], "additionalProperties": false, "patternProperties": {"^x-": {}} }, "ToolSpecificOutputData": { "type": "object", "description": "Structured data for evidenceType: TOOL_SPECIFIC_OUTPUT_LOG. Relevant output from a specific security tool that directly supports the vulnerability claim.", "properties": { "toolName": {"type": "string", "description": "Name of the tool that produced this output (e.g., 'Nmap', 'SQLMap', 'Metasploit Framework', 'Custom Fuzzer')."}, "toolVersion": {"type": "string", "description": "Version of the tool, if known."}, "commandLineExecuted": {"type": "string", "description": "The command line used to run the tool, if applicable and relevant."}, "relevantLogSectionOrOutput": {"type": "string", "description": "The specific snippet or section of the tool's output that constitutes or supports the evidence. This could be a multi-line string."}, "interpretationOfOutput": {"type": "string", "description": "How this tool output confirms the vulnerability or its exploitability (e.g., 'Nmap output shows port 3306 (MySQL) open to the internet with version X.Y.Z known to be vulnerable.', 'SQLMap confirmed time-based blind SQL injection.')."} }, "required": ["toolName", "relevantLogSectionOrOutput"], "additionalProperties": false, "patternProperties": {"^x-": {}} }, "OtherEvidenceData": { "type": "object", "description": "A generic container for evidence types not specifically structured by other 'evidenceType' values. Use sparingly when other types are not adequate.", "properties": { "dataTypeDescription": { "type": "string", "description": "A string clearly describing the nature and format of the dataContent (e.g., 'Proprietary binary log format snippet', 'Mathematical proof of cryptographic weakness')." }, "dataContent": { "type": "string", "description": "The evidence data, typically as a string. For complex binary or structured data not fitting other types, consider Base64 encoding and note it in dataTypeDescription or encodingFormat, or link to external resources if too large and allowed by policy." }, "encodingFormat": { "type": "string", "enum": ["plaintext", "base64", "hex", "json_string", "xml_string", "custom_format", "uri_to_external_resource"], "default": "plaintext", "description": "Encoding or format of dataContent. If 'uri_to_external_resource', dataContent should be the URI." } }, "required": ["dataTypeDescription", "dataContent"], "additionalProperties": true, "patternProperties": { "^x-": {} } }, "CommandOutputData": { "type": "object", "description": "Structured data for evidenceType: COMMAND_EXECUTION_OUTPUT.", "properties": { "commandInjected": {"type": "string", "description": "The command string that was successfully injected and executed."}, "outputReceived": {"type": "string", "description": "The standard output (stdout) and/or standard error (stderr) received from the executed command."}, "executionEnvironment": {"type": "string", "description": "Context of execution (e.g., 'Executed as www-data user on Linux', 'PowerShell on Windows Server 2019', 'Within a Docker container xyz')."} }, "required": ["commandInjected", "outputReceived"], "additionalProperties": false, "patternProperties": {"^x-": {}} }, "ExternalInteractionProofData": { "type": "object", "description": "Structured data for evidenceType: EXTERNAL_INTERACTION_PROOF.", "properties": { "interactionType": {"type": "string", "enum": ["DNS_QUERY", "HTTP_REQUEST", "HTTPS_REQUEST", "TCP_CONNECTION", "UDP_PACKET", "SMTP_CONNECTION", "FTP_CONNECTION", "OTHER"], "description": "The type of external network interaction observed."}, "sourceIpOrHostname": {"type": "string", "description": "The IP address or hostname of the vulnerable system that initiated the interaction (if identifiable from the interaction logs)."}, "destinationIpOrHostname": {"type": "string", "description": "The destination IP address or hostname that received the interaction (typically an attacker/tester-controlled system)."}, "destinationPort": {"type": "integer", "minimum": 0, "maximum": 65535, "description": "The destination port number, if applicable."}, "protocolUsed": {"type": "string", "description": "The network protocol used (e.g., 'DNS', 'HTTP', 'TCP'). This might be redundant if interactionType is specific but can add clarity."}, "timestampOfInteraction": {"type": "string", "format": "date-time", "description": "The timestamp when the interaction was observed on the external system."}, "requestPayloadOrQueryDetails": {"type": "string", "description": "Specific details from the interaction that link it to the exploit (e.g., the unique subdomain queried in a DNS interaction, specific path or headers in an HTTP callback, data included in the payload sent by the vulnerable application)."}, "responseSummaryReceived": {"type": "string", "description": "A summary of any response sent back to the vulnerable system by the external entity, if observed and relevant to the proof."}, "notes": {"type": "string", "description": "Contextual notes explaining how this interaction confirms the vulnerability (e.g., 'Confirms blind SSRF by triggering DNS lookup to [unique_id].collaborator.net', 'HTTP callback received containing exfiltrated user session cookie.')."} }, "required": ["interactionType", "destinationIpOrHostname"], "additionalProperties": false, "patternProperties": {"^x-": {}} } } }