Vulnerability Object

A Vulnerability is any weakness in the computational logic found in products or devices that could be exploited by a threat source (NISTIR 7298).

Semantics

A vulnerability affects a set of originating products and is described by a set of distinct exploitation scenarios. An originating product may be or contain the vulnerable product.

Each scenario is related to a set of affected products, which may be a subset of the originating products or may represent a product that depends on the originating product.

Properties

A vulnerability has the following properties.

Sector Of Interest

Name: hasSectorOfInterest

Cardinality: zero or many

Description: Supplemental information identifying potential sectors or use cases where the vulnerability could have an impact.

The value of hasSectorOfInterest MUST be a value from the sector of interest value list.

Relationships

A vulnerability has the following relationships.

Known Chain

Name: hasKnownChain

Cardinality: zero or many

Description: Identifies other known vulnerabilities that can be used in conjunction with the vulnerability in question to achieve a different and likely greater impact.

The object value of the hasKnownChain relationship MUST be a vulnerability identifier object.

Identity

Name: hasIdentity

Cardinality: one or many

Description: Indicates an alternate string used to identify the vulnerability.

The object value of the hasIdentity relationship MUST be a vulnerability identifier object.

Scenario

Name: hasScenario

Cardinality: one or many

Description: Lists the scenarios associated with the vulnerability.

The object value of the hasScenario relationship MUST be a scenario object.

Originating Product

Name: hasOriginatingProduct

Cardinality: one or many

Description: Identifies the originating product(s) associated with the vulnerability; every vulnerability must be associated with at least one product.

The object value of the hasOriginatingProduct relationship MUST be a product object.

Example

{
  "Vulnerability": {
    "hasIdentity": [
      {
        "scheme": "http://cve.mitre.org",
        "value": "CVE-2050-1234"
      }
    ],
    "hasSectorOfInterest": [
      "Industrial Control System",
      "Health Care"
    ],
    "hasOriginatingProduct": {
      "hasEnumeration": [
        {
          "scheme": "https://csrc.nist.gov/ns/cpe/2.3",
          "values": [
            "cpe:2.3:a:fake:fakeproductX:1.0.0",
            "cpe:2.3:a:fake:fakeproductY:1.0.0"
          ]
        },
        {
          "scheme": "https://nist.gov/cpe/2.2",
          "values": ["cpe:/a:fake"]
        }
      ]
    },
    "hasScenario": [
    ]
  }
}
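The cardinality and object-typing rules listed under Properties and Relationships can be checked mechanically before a Vulnerability object is accepted into a feed. The following validator is an added example, not part of this page or of the ontology's own tooling; it assumes that an identifier object carries "scheme" and "value" and a product object carries "hasEnumeration" (as in the example above), and it uses the two sectors from the example as a stand-in for the sector-of-interest value list, which this page does not reproduce.

```python
import json

# Assumptions (not stated on this page): identifier objects have "scheme" and
# "value"; product objects have "hasEnumeration"; the sector value list is
# approximated by the two sectors that appear in the page's example.
SECTOR_VALUES = {"Industrial Control System", "Health Care"}


def _as_list(v):
    """Accept either a single object or a list, as the page's example does."""
    return v if isinstance(v, list) else [v]


def _is_identifier(obj):
    return isinstance(obj, dict) and {"scheme", "value"} <= set(obj)


def validate_vulnerability(doc):
    """Return a list of constraint violations; an empty list means conforming."""
    errors = []
    v = doc.get("Vulnerability")
    if not isinstance(v, dict):
        return ["missing top-level Vulnerability object"]
    # Cardinality "one or many": the relationship must be present and non-empty.
    for key in ("hasIdentity", "hasScenario", "hasOriginatingProduct"):
        if not _as_list(v.get(key, [])):
            errors.append(f"{key}: cardinality is one or many, but none given")
    # Object-value typing rules from the Relationships section.
    for key in ("hasIdentity", "hasKnownChain"):
        for item in _as_list(v.get(key, [])):
            if not _is_identifier(item):
                errors.append(f"{key}: value is not a vulnerability identifier object")
    for item in _as_list(v.get("hasOriginatingProduct", [])):
        if not (isinstance(item, dict) and "hasEnumeration" in item):
            errors.append("hasOriginatingProduct: value is not a product object")
    for item in _as_list(v.get("hasScenario", [])):
        if not isinstance(item, dict):
            errors.append("hasScenario: value is not a scenario object")
    for sector in _as_list(v.get("hasSectorOfInterest", [])):
        if sector not in SECTOR_VALUES:
            errors.append(f"hasSectorOfInterest: '{sector}' not in the value list")
    return errors


# Constructed sample in the shape of the page's example, with one empty scenario
# stub added so that hasScenario satisfies "one or many".
SAMPLE = json.loads("""{"Vulnerability": {
  "hasIdentity": [{"scheme": "http://cve.mitre.org", "value": "CVE-2050-1234"}],
  "hasSectorOfInterest": ["Industrial Control System", "Health Care"],
  "hasOriginatingProduct": {"hasEnumeration": [
    {"scheme": "https://csrc.nist.gov/ns/cpe/2.3",
     "values": ["cpe:2.3:a:fake:fakeproductX:1.0.0"]}]},
  "hasScenario": [{}]}}""")

if __name__ == "__main__":
    print(validate_vulnerability(SAMPLE))  # []
```

Note that the page's own example leaves hasScenario empty, which this check would flag, since the relationship's cardinality is one or many.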

Graph View

Vulnerability Graph