Affected Software Package
affected_package
The Affected Package object describes details about a software package identified as affected by a vulnerability/vulnerabilities.
Attributes
| Caption | Name | Type | Description |
|---|---|---|---|
| Architecture | architecture | String | Architecture is a shorthand name describing the type of computer hardware the packaged software is meant to run on. |
| The product CPE identifier | cpe_name | String | The Common Platform Enumeration (CPE) name as described by NIST, for example: cpe:/a:apple:safari:16.2. |
| Epoch | epoch | Integer | The software package epoch. Epoch is a way to define weighted dependencies based on version numbers. |
| Fixed In Version | fixed_in_version | String | The software package version in which a reported vulnerability was patched/fixed. |
| Hash | hash | Fingerprint[] | Cryptographic hash to identify the binary instance of a software component. This can include any component such as a file, package, or library. |
| Software License | license | String | The software license applied to this package. |
| Software License URL | license_url | URL String | The URL pointing to the license applied to the package or software. This is typically a LICENSE.md file within a repository. |
| Name | name | String | The software package name. |
| Package Manager | package_manager | String | The software package manager used to manage a package on a system, e.g. npm, yum, dpkg, etc. |
| Package Manager URL | package_manager_url | URL String | The URL of the package or library at the package manager, or the specific URL or URI of an internal package manager link such as AWS CodeArtifact or Artifactory. |
| Path | path | File Path | The installation path of the affected package. |
| Package URL | purl | String | A purl is a URL string used to identify and locate a software package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs and databases. |
| Raw Data | raw_data | JSON | The event data as received from the event source. |
| Record ID | record_id | String | Unique identifier for the object. |
| Software Release Details | release | String | Release is the number of times a version of the software has been packaged. |
| Remediation Guidance | remediation | Remediation[] | Describes the recommended remediation steps to address identified issue(s). |
| Source URL | src_url | URL String | The link to the specific library or package, such as within GitHub. This is different from the link to the package manager where the library or package is hosted. |
| Type | type | String | The type of software package, normalized to the caption of the type_id value. In the case of 'Other', it is defined by the source. |
| Type ID | type_id | Integer | The type of software package. |
| Package UID | uid | String | A unique identifier for the package or library reported by the source tool, e.g. the libId within the sbom field of an OX Security Issue or the SPDX components.*.bom-ref. |
| Unmapped | unmapped | Unmapped[] | Data from the source that was not mapped into the schema. |
| Vendor Name | vendor_name | String | The name of the vendor who published the software package. |
| Version | version | String | The software package version. |
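The table above is the contract a producer must meet when it maps a scanner finding into an Affected Package object. The following is an added example, not part of this page or the OCSF project: it encodes the attribute table as a type map, maps a constructed finding from a hypothetical dependency scanner into an affected_package object, and validates the result. The scanner record layout and the Fingerprint object keys (algorithm, value) are assumptions.

```python
# Attribute table from the page, as name -> JSON type on the wire.
# "URL String" and "File Path" are strings; "Fingerprint[]", "Remediation[]"
# and "Unmapped[]" are arrays of objects; "JSON" (raw_data) is an object.
AFFECTED_PACKAGE_SCHEMA = {
    "architecture": str, "cpe_name": str, "epoch": int, "fixed_in_version": str,
    "hash": list, "license": str, "license_url": str, "name": str,
    "package_manager": str, "package_manager_url": str, "path": str, "purl": str,
    "raw_data": dict, "record_id": str, "release": str, "remediation": list,
    "src_url": str, "type": str, "type_id": int, "uid": str, "unmapped": list,
    "vendor_name": str, "version": str,
}

def validate_affected_package(obj):
    """Return a list of problems; an empty list means the object matches the table."""
    problems = []
    for key, value in obj.items():
        expected = AFFECTED_PACKAGE_SCHEMA.get(key)
        if expected is None:
            problems.append(f"{key}: not a schema attribute, carry it in 'unmapped'")
        elif isinstance(value, bool) or not isinstance(value, expected):
            problems.append(f"{key}: expected {expected.__name__}, got {type(value).__name__}")
    if "purl" in obj and not str(obj["purl"]).startswith("pkg:"):
        problems.append("purl: a Package URL starts with 'pkg:'")
    if "cpe_name" in obj and not str(obj["cpe_name"]).startswith("cpe:"):
        problems.append("cpe_name: a CPE name starts with 'cpe:'")
    return problems

# Constructed sample: one finding as a hypothetical dependency scanner might emit it.
SAMPLE_FINDING = {
    "pkg": "lodash", "ecosystem": "npm", "installed": "4.17.20", "fixed": "4.17.21",
    "sha256": "0" * 64, "file": "/srv/app/node_modules/lodash", "scanner_rule": "R-0001",
}

def from_scanner_finding(finding):
    """Map the hypothetical finding into an affected_package object (attribute names per the table)."""
    mapped = {"pkg", "ecosystem", "installed", "fixed", "sha256", "file"}
    return {
        "name": finding["pkg"],
        "version": finding["installed"],
        "fixed_in_version": finding["fixed"],
        "package_manager": finding["ecosystem"],
        "purl": f"pkg:{finding['ecosystem']}/{finding['pkg']}@{finding['installed']}",
        "path": finding["file"],
        # Fingerprint object keys are an assumption; the page only names the type.
        "hash": [{"algorithm": "SHA-256", "value": finding["sha256"]}],
        "raw_data": finding,
        # Source fields with no schema attribute go under unmapped instead of being dropped.
        "unmapped": [{k: v} for k, v in finding.items() if k not in mapped],
    }
```

Running validate_affected_package on a producer's output before it is emitted catches the two mistakes that are hardest to spot downstream: a value of the wrong JSON type (a string epoch) and a scanner-specific field leaking into the object outside unmapped.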
Relationships
Inbound Relationships
These objects and events reference Affected Software Package in their attributes:
Outbound Relationships
Affected Software Package references the following objects and events in its attributes:
This page describes qdm-1.5.1+ocsf-1.6.0