CycloneDX · shaikhu · Jun 23, 2024
@@ -34,6 +34,7 @@
 import org.cyclonedx.model.Property;
 import org.cyclonedx.model.Tool;
 import org.cyclonedx.model.VersionFilter;
+import org.cyclonedx.model.metadata.ToolInformation;
 import org.cyclonedx.util.serializer.CustomDateSerializer;
 
 /**
@@ -94,6 +95,10 @@ public Vulnerability() {}
   @JacksonXmlElementWrapper(localName = "tools")
   @JacksonXmlProperty(localName = "tool")
   private List<Tool> tools;
+  @JacksonXmlElementWrapper(localName = "tools")
+  @JacksonXmlProperty(localName = "tool")
+  @VersionFilter(org.cyclonedx.Version.VERSION_15)
+  private ToolInformation toolInformation;
   private Analysis analysis;
   private List<Affect> affects;
   private List<Property> properties;
@@ -248,6 +253,14 @@ public void setTools(final List<Tool> tools) {
     this.tools = tools;
   }
 
+  public ToolInformation getToolChoice() {
+    return toolInformation;
+  }
+
+  public void setToolChoice(final ToolInformation toolInformation) {
+    this.toolInformation = toolInformation;
+  }
+
   public Analysis getAnalysis() {
     return analysis;
   }

@@ -0,0 +1,154 @@
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.5",
+  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+  "version": 1,
+  "components": [
+    {
+      "bom-ref": "pkg:maven/com.fasterxml.jackson.core/[email protected]",
+      "type": "library",
+      "group": "com.fasterxml.jackson.core",
+      "name": "jackson-databind",
+      "version": "2.9.4",
+      "purl": "pkg:maven/com.fasterxml.jackson.core/[email protected]"
+    }
+  ],
+  "vulnerabilities": [
+    {
+      "bom-ref": "6eee14da-8f42-4cc4-bb65-203235f02415",
+      "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-32111",
+      "source": {
+        "name": "Snyk",
+        "url": "https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-32111"
+      },
+      "references": [
+        {
+          "id": "CVE-2018-7489",
+          "source": {
+            "name": "NVD",
+            "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9997"
+          }
+        }
+      ],
+      "ratings": [
+        {
+          "source": {
+            "name": "NVD",
+            "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.0"
+          },
+          "score": 9.8,
+          "severity": "critical",
+          "method": "CVSSv3",
+          "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+          "justification": "An optional reason for rating the vulnerability as it was"
+        }
+      ],
+      "cwes": [
+        184,
+        502
+      ],
+      "description": "FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.",
+      "detail": "",
+      "recommendation": "Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.5, 2.8.11.1, 2.9.5 or higher.",
+      "advisories": [
+        {
+          "title": "GitHub Commit",
+          "url": "https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2"
+        },
+        {
+          "title": "GitHub Issue",
+          "url": "https://github.com/FasterXML/jackson-databind/issues/1931"
+        }
+      ],
+      "created": "2021-01-01T00:00:00.000Z",
+      "published": "2021-01-01T00:00:00.000Z",
+      "updated": "2021-01-01T00:00:00.000Z",
+      "credits": {
+        "organizations": [
+          {
+            "name": "Acme, Inc.",
+            "url": [
+              "https://example.com"
+            ]
+          }
+        ],
+        "individuals": [
+          {
+            "name": "Jane Doe",
+            "email": "[email protected]"
+          }
+        ]
+      },
+      "tools": {
+        "components": [
+          {
+            "type": "application",
+            "group": "Snyk",
+            "name": "Snyk CLI (Linux)",
+            "version": "1.729.0",
+            "hashes": [
+              {
+                "alg": "SHA-256",
+                "content": "2eaf8c62831a1658c95d41fdc683cd177c147733c64a93e59cb2362829e45b7d"
+              }
+            ]
+          }
+        ],
+        "services": [
+          {
+            "provider": {
+              "name": "Acme Inc"
+            },
+            "name": "Acme BOM Analyzer",
+            "endpoints": [
+              "https://example.com/analyze"
+            ]
+          }
+        ]
+      },
+      "analysis": {
+        "state": "not_affected",
+        "justification": "code_not_reachable",
+        "response": ["will_not_fix", "update"],
+        "detail": "An optional explanation of why the application is not affected by the vulnerable component."
+      },
+      "affects": [
+        {
+          "ref": "pkg:maven/com.fasterxml.jackson.core/[email protected]",
+          "versions": [
+            {
+              "range": "vers:semver/<2.6.7.5",
+              "status": "affected"
+            },
+            {
+              "range": "vers:semver/2.7.0|<2.8.11.1",
+              "status": "affected"
+            },
+            {
+              "range": "vers:semver/2.9.0|<2.9.5",
+              "status": "affected"
+            }
+          ]
+        }
+      ],
+      "properties": [
+        {
+          "name": "Foo",
+          "value": "Bar"
+        },
+        {
+          "name": "Foo",
+          "value": "You"
+        },
+        {
+          "name": "Foo",
+          "value": "Two"
+        },
+        {
+          "name": "Bar",
+          "value": "Foo"
+        }
+      ]
+    }
+  ]
+}
@@ -0,0 +1,137 @@
+spec_version: "1.5"
+version: 1
+serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
+components {
+  type: CLASSIFICATION_LIBRARY
+  bom_ref: "pkg:maven/com.fasterxml.jackson.core/[email protected]"
+  group: "com.fasterxml.jackson.core"
+  name: "jackson-databind"
+  version: "2.9.4"
+  purl: "pkg:maven/com.fasterxml.jackson.core/[email protected]"
+}
+vulnerabilities {
+  bom_ref: "6eee14da-8f42-4cc4-bb65-203235f02415"
+  id: "SNYK-JAVA-COMFASTERXMLJACKSONCORE-32111"
+  source: {
+    name: "Snyk"
+    url: "https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-32111"
+  }
+  references: {
+    id: "CVE-2018-7489"
+    source: {
+      name: "NVD",
+      url: "https://nvd.nist.gov/vuln/detail/CVE-2019-9997"
+    }
+  }
+  ratings: {
+    source: {
+      name: "NVD"
+      url: "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.0"
+    }
+    score: 9.8
+    severity: SEVERITY_CRITICAL
+    method: SCORE_METHOD_CVSSV3
+    vector: "AN/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    justification: "An optional reason for rating the vulnerability as it was"
+  }
+  cwes: 184
+  cwes: 502
+  description: "FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath."
+  detail: ""
+  recommendation:  "Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.5, 2.8.11.1, 2.9.5 or higher."
+  advisories: {
+    title: "GitHub Commit"
+    url: "https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2"
+  }
+  advisories: {
+    title: "GitHub Issue"
+    url: "https://github.com/FasterXML/jackson-databind/issues/1931"
+  }
+  created: {
+    seconds: 3173618478
+    nanos: 3
+  }
+  published: {
+    seconds: 3173618478
+    nanos: 3
+  }
+  updated: {
+    seconds: 3173618478
+    nanos: 3
+  }
+  credits: {
+    organizations: {
+      name: "Acme, Inc."
+      url: "https://example.com"
+    }
+    individuals: {
+      name: "Jane Doe"
+      email: "[email protected]"
+    }
+  }
+  tools: {
+    components: [
+      {
+        type: CLASSIFICATION_APPLICATION,
+        group: "Snyk",
+        name: "Snyk CLI (Linux)",
+        version: "1.729.0",
+        hashes: [
+          {
+            alg: HASH_ALG_SHA_256
+            value: "2eaf8c62831a1658c95d41fdc683cd177c147733c64a93e59cb2362829e45b7d"
+          }
+        ]
+      }
+    ]
+    services: [
+      {
+        provider: {
+          name: "Acme Inc"
+        },
+        name: "Acme BOM Analyzer",
+        endpoints: [
+          "https://example.com/analyze"
+        ]
+      }
+    ]
+  }
+  analysis: {
+    state: IMPACT_ANALYSIS_STATE_NOT_AFFECTED
+    justification: IMPACT_ANALYSIS_JUSTIFICATION_CODE_NOT_REACHABLE
+    response: VULNERABILITY_RESPONSE_WILL_NOT_FIX
+    response: VULNERABILITY_RESPONSE_UPDATE
+    detail: "An optional explanation of why the application is not affected by the vulnerable component."
+  }
+  affects: {
+    ref: "pkg:maven/com.fasterxml.jackson.core/[email protected]"
+    versions: {
+      range: "vers:semver/<2.6.7.5"
+      status: VULNERABILITY_AFFECTED_STATUS_AFFECTED
+    }
+    versions: {
+      range: "vers:semver/2.7.0|<2.8.11.1"
+      status: VULNERABILITY_AFFECTED_STATUS_AFFECTED
+    }
+    versions: {
+      range: "vers:semver/2.9.0|<2.9.5"
+      status: VULNERABILITY_AFFECTED_STATUS_AFFECTED
+    }
+  }
+  properties {
+    name: "Foo"
+    value: "Bar"
+  }
+  properties {
+    name: "Foo"
+    value: "You"
+  }
+  properties {
+    name: "Foo"
+    value: "Two"
+  }
+  properties {
+    name: "Bar"
+    value: "Foo"
+  }
+}