Affected Software Package

affected_package

The Affected Package object describes details about a software package identified as affected by a vulnerability/vulnerabilities.

Attributes

Caption	Name	Type	Description
Architecture	`architecture`	String	Architecture is a shorthand name describing the type of computer hardware the packaged software is meant to run on.
The product CPE identifier	`cpe_name`	String	The Common Platform Enumeration (CPE) name as described by (NIST) For example: cpe:/a:apple:safari:16.2.
Epoch	`epoch`	Integer	The software package epoch. Epoch is a way to define weighted dependencies based on version numbers.
Fixed In Version	`fixed_in_version`	String	The software package version in which a reported vulnerability was patched/fixed.
Hash	`hash`	Fingerprint[]	Entity:`FINGERPRINT` Cryptographic hash to identify the binary instance of a software component. This can include any component such file, package, or library.
Software License	`license`	String	The software license applied to this package.
Software License URL	`license_url`	URL String	Entity:`URL_STRING` The URL pointing to the license applied on package or software. This is typically a LICENSE.md file within a repository.
Name	`name`	String	The software package name.
Package Manager	`package_manager`	String	The software packager manager utilized to manage a package on a system, e.g. npm, yum, dpkg etc.
Package Manager URL	`package_manager_url`	URL String	Entity:`URL_STRING` The URL of the package or library at the package manager, or the specific URL or URI of an internal package manager link such as AWS CodeArtifact or Artifactory.
Path	`path`	File Path	Entity:`FILE_PATH` The installation path of the affected package.
Package URL	`purl`	String	A purl is a URL string used to identify and locate a software package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs and databases.
Raw Data	`raw_data`	JSON	Group:`context` The event data as received from the event source.
Record ID	`record_id`	String	Group:`primary` Unique identifier for the object
Software Release Details	`release`	String	Release is the number of times a version of the software has been packaged.
Remediation Guidance	`remediation`	Remediation[]	Describes the recommended remediation steps to address identified issue(s).
Source URL	`src_url`	URL String	Entity:`URL_STRING` The link to the specific library or package such as within GitHub, this is different from the link to the package manager where the library or package is hosted.
Type	`type`	String	The type of software package, normalized to the caption of the type_id value. In the case of 'Other', it is defined by the source.
Type ID	`type_id`	Integer	The type of software package. `1`: Application (`APPLICATION`) `2`: Operating System (`OPERATING_SYSTEM`) `0`: Unknown (`UNKNOWN`) `99`: Other (`OTHER`)
Package UID	`uid`	String	A unique identifier for the package or library reported by the source tool. E.g., the libId within the sbom field of an OX Security Issue or the SPDX components.*.bom-ref.
Unmapped	`unmapped`	Unmapped[]	Data from the source that was not mapped into the schema.
Vendor Name	`vendor_name`	String	The name of the vendor who published the software package.
Version	`version`	String	The software package version.

Relationships

Affected Software Package shown in context

Inbound Relationships

These objects and events reference Affected Software Package in their attributes:

Vulnerability Details

Outbound Relationships

Affected Software Package references the following objects and events in its attributes:

This page describes qdm-1.5.1+ocsf-1.6.0