Package-level declarations

The alias kind.

Provides the state of this Vulnerability assessment.

The type of the key, either stored in public_key or referenced in key_id.

Defined in CVSS v3, CVSS v2

Base Metrics Represents the intrinsic characteristics of a vulnerability that are constant over time and across user environments. Defined in CVSS v3, CVSS v2

Defined in CVSS v2

Defined in CVSS v3, CVSS v2

Defined in CVSS v3, CVSS v2

Defined in CVSS v3, CVSS v2

Defined in CVSS v3

Defined in CVSS v3

Defined in CVSS v3

Base Metrics Represents the intrinsic characteristics of a vulnerability that are constant over time and across user environments.

Platform hosting this deployment.

The status of discovery for the resource.

Whether the resource is continuously analyzed.

Required. Immutable. The kind of analysis that is handled by this discovery.

The CPU architecture for which packages in this distribution channel were built.

An External Reference allows a Package to reference an external source of additional information, metadata, enumerations, asset identifiers, or downloadable content believed to be relevant to the Package

This field provides information about the type of file identified

Type (for example schema) of the attestation payload that was signed. The verifier must ensure that the provided type is one that the verifier supports, and that the attestation payload is a valid instantiation of that type (for example by validating a JSON schema).

The distro assigned severity for this vulnerability when it is available, and note provider assigned severity when distro has not yet assigned a severity for this vulnerability. When there are multiple PackageIssues for this vulnerability, they can have different effective severities because some might be provided by the distro while others are provided by the language ecosystem for a language pack. For this reason, it is advised to use the effective severity on the PackageIssue level. In the case where multiple PackageIssues have differing effective severities, this field should be the highest severity for any of the PackageIssues.

Required. The type of hash that was performed.

The justification type for this vulnerability.

Required. The recovered Dockerfile directive used to construct this layer.

The CPU architecture for which packages in this distribution channel were built. Architecture will be blank for language packages.

Type (for example schema) of the attestation payload that was signed. The verifier must ensure that the provided type is one that the verifier supports, and that the attestation payload is a valid instantiation of that type (for example by validating a JSON schema).

The type of relationship between the source and target SPDX elements

The type of remediation that can be applied.

Required. Distinguishes between sentinel MIN/MAX versions and normal versions.

Provides the state of this Vulnerability assessment.

CVSS version used to populate cvss_score and severity.

Note provider assigned impact of the vulnerability.