Affected Software Package

affected_package

The Affected Package object describes details about a software package identified as affected by a vulnerability/vulnerabilities.

Attributes

| Caption | Name | Type | Description |
|---|---|---|---|
| Architecture | architecture | String | Architecture is a shorthand name describing the type of computer hardware the packaged software is meant to run on. |
| The product CPE identifier | cpe_name | String | The Common Platform Enumeration (CPE) name as described by NIST. For example: cpe:/a:apple:safari:16.2. |
| Epoch | epoch | Integer | The software package epoch. Epoch is a way to define weighted dependencies based on version numbers. |
| Fixed In Version | fixed_in_version | String | The software package version in which a reported vulnerability was patched/fixed. |
| Hash | hash | Fingerprint[] (Entity: FINGERPRINT) | Cryptographic hash to identify the binary instance of a software component. This can include any component such as a file, package, or library. |
| Software License | license | String | The software license applied to this package. |
| Software License URL | license_url | URL String (Entity: URL_STRING) | The URL pointing to the license applied to the package or software. This is typically a LICENSE.md file within a repository. |
| Name | name | String | The software package name. |
| Package Manager | package_manager | String | The software package manager used to manage a package on a system, e.g. npm, yum, dpkg etc. |
| Package Manager URL | package_manager_url | URL String (Entity: URL_STRING) | The URL of the package or library at the package manager, or the specific URL or URI of an internal package manager link such as AWS CodeArtifact or Artifactory. |
| Path | path | File Path (Entity: FILE_PATH) | The installation path of the affected package. |
| Package URL | purl | String | A purl is a URL string used to identify and locate a software package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs and databases. |
| Raw Data | raw_data | JSON (Group: context) | The event data as received from the event source. |
| Record ID | record_id | String (Group: primary) | Unique identifier for the object. |
| Software Release Details | release | String | Release is the number of times a version of the software has been packaged. |
| Remediation Guidance | remediation | Remediation[] | Describes the recommended remediation steps to address the identified issue(s). |
| Source URL | src_url | URL String (Entity: URL_STRING) | The link to the specific library or package, such as within GitHub; this is different from the link to the package manager where the library or package is hosted. |
| Type | type | String | The type of software package, normalized to the caption of the type_id value. In the case of 'Other', it is defined by the source. |
| Type ID | type_id | Integer | The type of software package. 1: Application (APPLICATION); 2: Operating System (OPERATING_SYSTEM); 0: Unknown (UNKNOWN); 99: Other (OTHER). |
| Package UID | uid | String | A unique identifier for the package or library reported by the source tool. E.g., the libId within the sbom field of an OX Security Issue or the SPDX components.*.bom-ref. |
| Unmapped | unmapped | Unmapped[] | Data from the source that was not mapped into the schema. |
| Vendor Name | vendor_name | String | The name of the vendor who published the software package. |
| Version | version | String | The software package version. |
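
As an added example (not part of the OCSF schema or its tooling), the following Python checks a constructed affected_package record against the attribute definitions above: the type_id enumeration and its type caption, the Integer epoch, the pkg: scheme of purl and the URL attributes, and it derives vendor_name, name, version and type_id from cpe_name when the source omitted them. The mapping of CPE part "a" to Application and "o" to Operating System is an assumption of this example, not something the schema states.

```python
# Added example, not OCSF's own code: consistency checks for an affected_package record
# and enrichment from its CPE name. The sample record at the bottom is constructed.
PACKAGE_TYPES = {0: "Unknown", 1: "Application", 2: "Operating System", 99: "Other"}  # type_id
# Assumption of this example: CPE part "a" is an application, "o" an operating system.
CPE_PART_TO_TYPE_ID = {"a": 1, "o": 2}

def parse_cpe_name(cpe_name: str) -> dict:
    """Split a CPE 2.2 URI such as cpe:/a:apple:safari:16.2 into named components."""
    if not cpe_name.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {cpe_name!r}")
    keys = ("part", "vendor", "product", "version", "update", "edition", "language")
    fields = cpe_name[len("cpe:/"):].split(":")
    return {k: v for k, v in zip(keys, fields) if v}

def validate_affected_package(pkg: dict) -> list:
    """Return a list of problems; an empty list means the record is consistent."""
    problems = []
    type_id = pkg.get("type_id")
    if type_id not in PACKAGE_TYPES:
        problems.append(f"type_id {type_id!r} is not a defined value")
    elif type_id != 99 and pkg.get("type") != PACKAGE_TYPES[type_id]:
        # type is the caption of type_id, except for Other (99), where the source defines it.
        problems.append(f"type {pkg.get('type')!r} does not match type_id {type_id}")
    if "epoch" in pkg and not isinstance(pkg["epoch"], int):
        problems.append("epoch must be an Integer")
    if "purl" in pkg and not str(pkg["purl"]).startswith("pkg:"):
        problems.append("purl must use the pkg: scheme")
    for attr in ("license_url", "package_manager_url", "src_url"):
        if attr in pkg and not str(pkg[attr]).startswith(("http://", "https://")):
            problems.append(f"{attr} is not an http(s) URL")
    return problems

def enrich_from_cpe(pkg: dict) -> dict:
    """Fill vendor_name, name, version and type from cpe_name when the source omitted them."""
    out = dict(pkg)
    if "cpe_name" not in out:
        return out
    cpe = parse_cpe_name(out["cpe_name"])
    for attr, key in (("vendor_name", "vendor"), ("name", "product"), ("version", "version")):
        if attr not in out and key in cpe:
            out[attr] = cpe[key]
    if "type_id" not in out:
        out["type_id"] = CPE_PART_TO_TYPE_ID.get(cpe.get("part"), 0)
        out["type"] = PACKAGE_TYPES[out["type_id"]]
    return out

# Constructed sample, as a scanner might emit it before normalization.
SAMPLE = {"cpe_name": "cpe:/a:apple:safari:16.2", "fixed_in_version": "16.3",
          "purl": "pkg:generic/safari@16.2"}
```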

Relationships

Affected Software Package shown in context

Inbound Relationships

These objects and events reference Affected Software Package in their attributes:

Outbound Relationships

Affected Software Package references the following objects and events in its attributes:

This page describes qdm-1.5.1+ocsf-1.6.0