Product Object
The software and/or hardware configurations that are known to be vulnerable to exploitation of the vulnerability scenario. Different Product configurations can be associated with different scenarios to allow for description of varying impacts and exploitation mechanisms.
Properties
None.
Relationships
A product has the following relationships.
A product object MUST include one of the following relationships:
Product Enumeration
Name
hasProductEnumeration
Cardinality one
Description
The enumeration of one or many products as dictated by the identification scheme. Contains an array of scheme and value pairs.
This is intended to be used for simple enumerations such as generic free text or common formats that identify explicit instances of products such as CPE or SWID.
The scheme value MUST be an absolute URI as specified by RFC 3986 section 4.3.
Suggested scheme values include:
https://csrc.nist.gov/ns/cpe/2.3: for a CPE 2.3 name.
The value MUST be based on the lexical space of a string as defined by ECMA-404 2nd edition, section 9.
NVD CPE Applicability Statement
Name
hasNvdCpeApplicabilityStatement
Cardinality one
Description This is to reference the NVD configurations section, which requires much more complex JSON than simple strings.
CVE v5 Product
Name
hasCve5Product
Cardinality one
Description This is to reference the CVE 5 JSON format’s product section, which can communicate many complicated methods of string-based product applicability.
Example
{
  "affectsProduct": {
    "hasEnumeration": [{
      "scheme": "https://nist.gov/cpe/2.3",
      "values": ["cpe:2.3:a:fake:fakeproduct:1.0.0"]
    }],
    "hasCPEApplicabilityStatement": [
      {
        "operator": "AND",
        "children": [
          {
            "operator": "OR",
            "cpe_match": [
              {
                "vulnerable": true,
                "cpe23Uri": "cpe:2.3:a:fakevendor:fakeproduct:*:*:*:*:*:fake_TSW:*:*",
                "versionEndIncluding": "32.0.0.114"
              },
              {
                "vulnerable": true,
                "cpe23Uri": "cpe:2.3:a:fakevendor:fakeproduct:*:*:*:*:*:fake_TSW:*:*",
                "versionEndIncluding": "32.0.0.114"
              }
            ]
          }
        ]
      }
    ]
  }
}
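A consumer of this data can check the MUST requirements stated above before trusting a product object. The following is an added example, not part of the specification: it assumes the property names given under "Name" in the relationship definitions and a `scheme`/`value` pair layout, and the function name `validate_product` and the sample inputs are constructed for illustration.

```python
import re

# Relationship names as listed under "Relationships" on this page.
RELATIONSHIPS = ("hasProductEnumeration",
                 "hasNvdCpeApplicabilityStatement",
                 "hasCve5Product")

# RFC 3986 section 4.3: absolute-URI = scheme ":" hier-part [ "?" query ]
# A scheme is required and a fragment is not allowed. This is a structural
# check only, not a full validation of the RFC 3986 grammar.
ABSOLUTE_URI = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:[^#\s]+$")


def validate_product(product):
    """Return a list of problems found in a product object (empty = none)."""
    if not isinstance(product, dict):
        return ["product must be a JSON object"]
    problems = []
    if not any(name in product for name in RELATIONSHIPS):
        problems.append("product must include one of: " + ", ".join(RELATIONSHIPS))
    pairs = product.get("hasProductEnumeration", [])
    if not isinstance(pairs, list):
        return problems + ["hasProductEnumeration must be an array of pairs"]
    for i, pair in enumerate(pairs):
        where = f"hasProductEnumeration[{i}]"
        if not isinstance(pair, dict):
            problems.append(f"{where}: not an object")
            continue
        scheme = pair.get("scheme")
        if not isinstance(scheme, str) or not ABSOLUTE_URI.match(scheme):
            problems.append(f"{where}: scheme is not an absolute URI")
        if not isinstance(pair.get("value"), str):
            problems.append(f"{where}: value is not a string")
    return problems


# Constructed sample inputs (not taken from any real advisory).
GOOD = {"hasProductEnumeration": [
    {"scheme": "https://csrc.nist.gov/ns/cpe/2.3",
     "value": "cpe:2.3:a:fakevendor:fakeproduct:1.0.0:*:*:*:*:*:*:*"}]}
BAD = {"hasProductEnumeration": [
    {"scheme": "csrc.nist.gov/ns/cpe/2.3", "value": "x"},       # no URI scheme
    {"scheme": "https://example.test/ids#frag", "value": 42}]}  # fragment, non-string

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD), ("EMPTY", {})):
        print(name, validate_product(doc))
```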