Vulnerability
A security vulnerability identified by a Common Vulnerabilities and Exposures (CVE) identifier. A single vulnerability may relate to multiple findings and impact multiple resources. The IMPACTS relationship between the Vulnerability and the resource entity that was impacted serves as the record of the finding. The IMPACTS relationship carries properties such as 'identifiedOn', 'remediatedOn', 'remediationDueOn', 'issueLink', etc.
Vulnerability properties
Property | Type | Description | Specifications |
---|---|---|---|
cveId * | string | null | The Common Vulnerabilities and Exposures (CVE) identifier of the vulnerability as a string, formatted exactly as CVE-YYYY-NNNN (where YYYY is the 4-digit year and NNNN is a sequence of at least 4 digits). This field must contain only the CVE ID with no additional text or details. For example, CVE-2021-44228 is valid, but CVE-2021-44228 (YOKOGAWA) is invalid. | |
open * | boolean | null | Indicates whether the CVE vulnerability is currently open (unresolved) against the entity. This boolean field is true when the vulnerability is active and false when it is resolved or no longer applicable. If the open status is not provided, it defaults to true. | default: true |
blocking | boolean | null | Indicates whether this vulnerability finding is a blocking issue. If true, it should block a production deploy. Defaults to false. | default: false |
category | string | null | The category of the vulnerability finding Examples: application, system, infrastructure, other | |
exploitability | number | null | The exploitability score/rating. | |
impact | number | null | The impact score/rating. | |
impacts | array | null | The target listing of projects, applications, repos or systems this vulnerability impacts. Specifying either the project/repo name or the application URL here will auto-map this Vulnerability to the corresponding Project/CodeRepo/Application entity if a match is found. | |
priority | string | null | Priority level mapping to Severity rating. Can be a string such as 'critical', 'high', 'medium', 'low', 'info'. Or an integer usually between 0-5. | |
production | boolean | null | Indicates if this vulnerability is in production. | |
public | boolean | null | Indicates if this is a publicly disclosed vulnerability. If yes, this is usually a CVE and the 'webLink' should be set to 'https://nvd.nist.gov/vuln/detail/${CVE-Number}' or to a vendor URL. If not, it is most likely a custom application vulnerability. | |
references | array | null | The array of links to references. | |
remediationSLA | integer | null | The number of days that the Vulnerability must be remediated within, based on SLA set by the organization's internal vulnerability management program policy. The actually due date is set by 'remediationDueOn' property on the IMPACTS relationship between the Vulnerability and its impacted resource entity. | |
score | number | null | The overall vulnerability score, e.g. CVSSv3. | |
severity | string | null | Severity rating based on impact and exploitability. Can be a string such as 'critical', 'high', 'medium', 'low', 'info'. Or an integer usually between 0-5. | |
status | string | null | Status of the vulnerability | |
validated | boolean | null | Indicates if this Vulnerability finding has been validated by the security team. | |
vector | string | null | The vulnerability attack vector. (e.g. a CVSSv3 vector looks like this - 'AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N') |
Inherited properties
Property | Type | Description | Specifications |
---|---|---|---|
_class * | string | array of string s | One or more classes conforming to a standard, abstract security data model. For example, an EC2 instance will have '_class':'Host'. | |
_key * | string | An identifier unique within the scope containing the object. For example, for a Bitbucket repo, this will be the GUID of the repo as assigned by Bitbucket. For an IAM Role, this will be the ARN of the role. | minLength: 10 |
_type * | string | The type of object, typically reflecting the vendor and resource type. For example, 'aws_iam_user'. In some cases, a system knows about a type of entity that other systems know about, such as 'user_endpoint' or 'cve'. | minLength: 3 |
displayName * | string | Display name, e.g. a person's preferred name or an AWS account alias | |
name * | string | Name of this entity | |
approved | boolean | If this is record has been reviewed and approved. | |
approvedOn | number | The timestamp (in milliseconds since epoch) when this record was approved. | Format: date-time |
approvers | array of string s | The list of approvers on the record. | |
classification | string | The sensitivity of the data; should match company data classification scheme. For example: critical - confidential - internal - public. Examples: critical, confidential, internal, public | |
content | string | Text content of the record/documentation | |
createdOn | number | The timestamp (in milliseconds since epoch) when the entity was created at the source. This is different than _createdOn which is the timestamp the entity was first ingested into JupiterOne. | Format: date-time |
description | string | An extended description of this entity. | |
exception | boolean | Indicates if this record has an applied exception. For example, exception for a known finding or a PR that is not fully approved. | |
exceptionReason | string | Reason / description of the exception. | |
reportedOn | number | The timestamp (in milliseconds since epoch) when this record was reported/opened. In most cases, this would be the same as createdOn but occasionally a record can be created at a different time than when it was first reported. | Format: date-time |
reporter | string | The person or system that reported or created this record. | |
summary | string | A summary / short description of this entity. | |
updatedOn | number | The timestamp (in milliseconds since epoch) when the entity was last updated at the source. | Format: date-time |
webLink | string | Hyperlink to the location of this record, e.g. URL to a Jira issue | Format: uri |
Required properties
_key
_class
_type
name
displayName
open
cveId