Package-level declarations
Types
The alias kind.
Provides the state of this Vulnerability assessment.
The type of the key, either stored in public_key or referenced in key_id.
Defined in CVSS v3, CVSS v2
Base Metrics: represents the intrinsic characteristics of a vulnerability that are constant over time and across user environments. Defined in CVSS v3, CVSS v2
Defined in CVSS v2
Defined in CVSS v3, CVSS v2
Defined in CVSS v3, CVSS v2
Defined in CVSS v3, CVSS v2
Defined in CVSS v3
Defined in CVSS v3
Base Metrics: represents the intrinsic characteristics of a vulnerability that are constant over time and across user environments.
Platform hosting this deployment.
The status of discovery for the resource.
Whether the resource is continuously analyzed.
Required. Immutable. The kind of analysis that is handled by this discovery.
The CPU architecture for which packages in this distribution channel were built.
An External Reference allows a Package to reference an external source of additional information, metadata, enumerations, asset identifiers, or downloadable content believed to be relevant to the Package.
This field provides information about the type of file identified.
Type (for example schema) of the attestation payload that was signed. The verifier must ensure that the provided type is one that the verifier supports, and that the attestation payload is a valid instantiation of that type (for example by validating a JSON schema).
The distro assigned severity for this vulnerability when it is available, and note provider assigned severity when distro has not yet assigned a severity for this vulnerability. When there are multiple PackageIssues for this vulnerability, they can have different effective severities because some might be provided by the distro while others are provided by the language ecosystem for a language pack. For this reason, it is advised to use the effective severity on the PackageIssue level. In the case where multiple PackageIssues have differing effective severities, this field should be the highest severity for any of the PackageIssues.
The justification type for this vulnerability.
Required. The recovered Dockerfile directive used to construct this layer.
The CPU architecture for which packages in this distribution channel were built. Architecture will be blank for language packages.
Type (for example schema) of the attestation payload that was signed. The verifier must ensure that the provided type is one that the verifier supports, and that the attestation payload is a valid instantiation of that type (for example by validating a JSON schema).
The type of relationship between the source and target SPDX elements.
The type of remediation that can be applied.
Required. Distinguishes between sentinel MIN/MAX versions and normal versions.
Provides the state of this Vulnerability assessment.
CVSS version used to populate cvss_score and severity.
Note provider assigned impact of the vulnerability.