
Format conversion

Deprecated inventory format

In prior versions of CVEScan, a proprietary SBOM format was in use.
It contained the following fields:

  • version: the format's version.
  • packages: a dictionary of package objects.

Each package object was defined with the following keys:

  • pv: product version.
  • bpn: bare product name.
  • src_uri: an array of URIs pointing to the package sources and its patches.
  • cve_product: an array of product names to differentiate packages sharing the same name referenced in CVE reports.
  • cve_version: a string representing the package version affected by the CVE.
  • cve_whitelist: an array of whitelisted CVE IDs referencing the current package.
    If a returned CVE matches one of these IDs, it is treated as acceptable under the security policy defined by the user.
  • patched_cves: an array of patched CVE IDs referencing the current package.
    If a returned CVE matches one of these IDs, the package is treated as already patched against it.
  • runtime: an array of runtime objects.
  • vendored: unused dictionary.
  • arch: the platform (architecture) for which the package was built.
  • config: contains kernel configuration flags.

CycloneDX inventory mappings

As of update 2.5.0, CVEScan can generate an inventory compatible with version 1.5 of the CycloneDX format.
Mappings from the fields of the older format to the CycloneDX format were defined as a compatibility layer.
The following mappings apply to the CVEScan CLI:

(table: CVE Scan inventory mappings)

Deprecated report format

Using the inventory format described above, CVEScan used to generate a proprietary JSON report with the following fields:

  • packages: an array of report-specific package objects.
  • runtimes: an array of command objects used to generate the report.
  • vulnerabilities: an array of vulnerability objects.

Packages objects

Each report-specific package object uses the following keys:

  • name: the package name.
  • version: the package version.
  • details: an object with the same fields present under the corresponding package key defined in the inventory.
  • cve_product: if present, a string holding the product name of the current package.

Runtimes objects

Each object present in the runtimes array possesses the following fields:

  • command: an object describing the CVEScan-specific subcommand that was run.
  • timestamp: the timestamp at which the command started.
  • version: the CVEScan version.

Each command object uses the following keys:

  • name: the name of the CVEScan-specific subcommand.
  • inventory: the filepath passed as argument to the --inventory flag of CVEScan's subcommands.
  • sources: an object containing the sources used by CVEScan.

The sources object contains the following fields:

  • match: an array of strings naming each database in which at least one CVE present in the report was found.
  • fetch: an array of strings naming each database that was fetched from local storage at analysis time.
  • several database-specific objects, each keyed by one of the strings listed in match or fetch.

Vulnerabilities objects

Each object present in the vulnerabilities array possesses the following fields:

  • cve: the current CVE id.
  • cve_last_modified_date: the date at which the CVE report was last modified.
  • cve_last_published_date: the date at which the CVE report was published.
  • description: a summary of the CVE report.
  • package_name: the package affected by the CVE.
  • package_version: the version of the referenced package affected by the CVE.
  • product: the product name of the package affected by the CVE.
  • vulnerable: a boolean representing the vulnerable state of the package.
  • assessments: an array of assessment objects describing why the package is vulnerable to the CVE.
  • references: an array of objects documenting several aspects of the CVE, such as its report sources or the patches published to mitigate it.
  • impact: an array of objects representing the CVSS reports of the CVE, in the NVD format.
  • matches: an array of objects describing one or several matching entries in each database used by CVEScan to conduct its analysis.

CycloneDX report mappings

As of update 2.6.0, CVEScan generates a report compatible with version 1.5 of the CycloneDX format.
Mappings from the fields of the older format to the CycloneDX format were defined as a compatibility layer.
The following mappings apply to the CVEScan CLI:

(table: CVE Scan report package key mappings)
(table: CVE Scan report runtimes key mappings)
(table: CVE Scan report vulnerabilities key mappings)
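The following script is an added example, not CVEScan's own code, covering both the inventory mappings and the report mappings described on this page. It builds a constructed deprecated inventory and a constructed deprecated report (placeholder CVE IDs, a simplified NVD-style impact object), validates the inventory against the documented keys, and emits one CycloneDX 1.5 document. The field-to-field mapping it uses (bom-ref scheme `cvescan:<name>@<version>`, the `cvescan:` property names, and the translation of `patched_cves`/`cve_whitelist`/`vulnerable` into a CycloneDX `analysis` object) is an assumption for illustration; CVEScan's actual mapping tables are not reproduced here. The `dangling_refs` check at the end shows why such a conversion needs verification: a vulnerability whose `affects` ref points at no component silently disappears from downstream tooling.

```python
"""Convert the deprecated CVEScan inventory and report JSON into a CycloneDX 1.5 BOM.

Added example, not CVEScan's own code. The field-to-field mapping used here is an
assumption made for illustration; CVEScan's real mapping tables are not reproduced.
"""
import json

# Constructed sample of the deprecated inventory (all documented package keys present).
DEPRECATED_INVENTORY = {
    "version": "1",
    "packages": {
        "openssl": {
            "pv": "1.1.1k",
            "bpn": "openssl",
            "src_uri": ["https://example.invalid/openssl-1.1.1k.tar.gz",
                        "file://fix-bn.patch"],
            "cve_product": ["openssl"],
            "cve_version": "1.1.1k",
            "cve_whitelist": ["CVE-2000-0001"],   # constructed placeholder CVE IDs
            "patched_cves": ["CVE-2000-0002"],
            "runtime": [], "vendored": {}, "arch": "x86_64", "config": {},
        }
    },
}

def vuln(cve, vulnerable, score, severity):
    """Build one constructed deprecated-report vulnerability object (simplified NVD impact)."""
    return {"cve": cve, "package_name": "openssl", "package_version": "1.1.1k",
            "product": "openssl", "vulnerable": vulnerable, "description": "sample " + cve,
            "cve_last_published_date": "2024-01-01T00:00:00Z",
            "impact": [{"baseScore": score, "baseSeverity": severity}]}

# Constructed sample of the deprecated report (subset of the documented fields).
DEPRECATED_REPORT = {
    "packages": [{"name": "openssl", "version": "1.1.1k", "cve_product": "openssl"}],
    "runtimes": [{"command": {"name": "scan", "inventory": "inventory.json", "sources": {}},
                  "timestamp": "2024-01-02T00:00:00Z", "version": "2.5.0"}],
    "vulnerabilities": [vuln("CVE-2000-0001", True, 7.5, "HIGH"),     # whitelisted
                        vuln("CVE-2000-0002", True, 9.8, "CRITICAL"), # patched
                        vuln("CVE-2000-0003", True, 5.3, "MEDIUM"),   # open finding
                        vuln("CVE-2000-0004", False, 3.1, "LOW")],    # not vulnerable
}

REQUIRED_PACKAGE_KEYS = {"pv", "bpn", "src_uri", "cve_product", "cve_version", "cve_whitelist",
                         "patched_cves", "runtime", "vendored", "arch", "config"}

def validate_inventory(inv):
    """Reject a deprecated inventory that does not carry the documented keys and types."""
    if not isinstance(inv.get("packages"), dict):
        raise ValueError("packages must be a dictionary of package objects")
    for name, pkg in inv["packages"].items():
        missing = REQUIRED_PACKAGE_KEYS - pkg.keys()
        if missing:
            raise ValueError(f"{name}: missing keys {sorted(missing)}")
        if not isinstance(pkg["cve_version"], str):
            raise ValueError(f"{name}: cve_version must be a string")

def bom_ref(name, version):
    """Hypothetical bom-ref scheme: one stable id per package/version pair."""
    return f"cvescan:{name}@{version}"

def inventory_to_components(inv):
    """Map each deprecated package object to a CycloneDX component (assumed mapping)."""
    validate_inventory(inv)
    components = []
    for name, pkg in inv["packages"].items():
        props = [{"name": "cvescan:cve_product", "value": p} for p in pkg["cve_product"]]
        props.append({"name": "cvescan:arch", "value": pkg["arch"]})
        components.append({
            "type": "library", "bom-ref": bom_ref(name, pkg["pv"]),
            "name": pkg["bpn"], "version": pkg["pv"],
            "externalReferences": [{"type": "distribution", "url": u} for u in pkg["src_uri"]],
            "properties": props,
        })
    return components

def analysis(cve, pkg, vulnerable):
    """Assumed mapping of patched_cves / cve_whitelist / vulnerable onto CycloneDX analysis."""
    if cve in pkg["patched_cves"]:
        return {"state": "resolved", "detail": "listed in patched_cves"}
    if cve in pkg["cve_whitelist"]:   # accepted by the user's policy, but still exploitable
        return {"state": "exploitable", "response": ["will_not_fix"],
                "detail": "listed in cve_whitelist"}
    return {"state": "exploitable" if vulnerable else "not_affected"}

def report_to_vulnerabilities(report, inv):
    """Map deprecated vulnerability objects to CycloneDX vulnerabilities (assumed mapping)."""
    vulns = []
    for v in report["vulnerabilities"]:
        pkg = inv["packages"].get(v["package_name"])
        if pkg is None:
            raise ValueError(f"{v['cve']}: package {v['package_name']} absent from inventory")
        entry = {
            "id": v["cve"], "description": v.get("description", ""),
            "published": v.get("cve_last_published_date"), "updated": v.get("cve_last_modified_date"),
            "ratings": [{"score": i["baseScore"], "severity": i["baseSeverity"].lower(),
                         "method": "CVSSv3"} for i in v.get("impact", [])],
            "analysis": analysis(v["cve"], pkg, v["vulnerable"]),
            "affects": [{"ref": bom_ref(v["package_name"], v["package_version"])}],
        }
        vulns.append({k: val for k, val in entry.items() if val is not None})  # drop absent dates
    return vulns

def build_bom(inv, report):
    """Assemble the CycloneDX 1.5 document; metadata.tools uses the legacy array form."""
    run = report["runtimes"][0]
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "metadata": {"timestamp": run["timestamp"],
                         "tools": [{"name": "CVEScan", "version": run["version"]}]},
            "components": inventory_to_components(inv),
            "vulnerabilities": report_to_vulnerabilities(report, inv)}

def dangling_refs(bom):
    """Return affects refs that point at no component: such findings vanish from BOM consumers."""
    known = {c["bom-ref"] for c in bom["components"]}
    return sorted({a["ref"] for v in bom["vulnerabilities"] for a in v["affects"]} - known)

if __name__ == "__main__":
    bom = build_bom(DEPRECATED_INVENTORY, DEPRECATED_REPORT)
    assert not dangling_refs(bom), "broken affects refs"
    print(json.dumps(bom, indent=2))
```

Running the script prints the converted BOM; the four constructed CVEs land in the analysis states resolved (patched), exploitable with a will_not_fix response (whitelisted), exploitable (open) and not_affected (vulnerable false). Validation of the inventory is deliberately strict because a package object missing, say, patched_cves would otherwise be converted as if nothing had been patched.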