Package-level declarations
Types
Provides the state of this Vulnerability assessment.
The type of the key, either stored in public_key
or referenced in key_id
The severity level of this CIS benchmark check.
Defined in CVSS v3, CVSS v2
Base Metrics Represents the intrinsic characteristics of a vulnerability that are constant over time and across user environments. Defined in CVSS v3, CVSS v2
Defined in CVSS v2
Defined in CVSS v3, CVSS v2
Defined in CVSS v3, CVSS v2
Defined in CVSS v3, CVSS v2
Defined in CVSS v3
Defined in CVSS v3
Platform hosting this deployment.
The status of discovery for the resource.
Whether the resource is continuously analyzed.
The kind of analysis that is handled by this discovery.
The CPU architecture for which packages in this distribution channel were built
An External Reference allows a Package to reference an external source of additional information, metadata, enumerations, asset identifiers, or downloadable content believed to be relevant to the Package
This field provides information about the type of file identified
The alias kind.
The field that is set in the API proto.
The justification type for this vulnerability.
The recovered Dockerfile directive used to construct this layer.
The CPU architecture for which packages in this distribution channel were built. Architecture will be blank for language packages.
Type (for example schema) of the attestation payload that was signed. The verifier must ensure that the provided type is one that the verifier supports, and that the attestation payload is a valid instantiation of that type (for example by validating a JSON schema).
The type of relationship between the source and target SPDX elements
The type of remediation that can be applied.
Distinguish between sentinel MIN/MAX versions and normal versions. If kind is not NORMAL, then the other fields are ignored.
Provides the state of this Vulnerability assessment.
The distro assigned severity for this vulnerability when that is available and note provider assigned severity when distro has not yet assigned a severity for this vulnerability. When there are multiple package issues for this vulnerability, they can have different effective severities because some might come from the distro and some might come from installed language packs (e.g. Maven JARs or Go binaries). For this reason, it is advised to use the effective severity on the PackageIssue level, as this field may eventually be deprecated. In the case where multiple PackageIssues have different effective severities, the one set here will be the highest severity of any of the PackageIssues.
CVSS version used to populate cvss_score and severity.
Note provider assigned impact of the vulnerability