File Coverage

blib/lib/SBOM/CycloneDX/Vulnerability.pm

Criterion	Covered	Total	%
statement	32	62	51.6
branch	0	42	0.0
condition			n/a
subroutine	11	12	91.6
pod	1	1	100.0
total	44	117	37.6

line	stmt	bran	sub	pod	time	code
1						package SBOM::CycloneDX::Vulnerability;
2
3	1		1		1303	use 5.010001;
	1				4
4	1		1		5	use strict;
	1				1
	1				32
5	1		1		4	use warnings;
	1				3
	1				42
6	1		1		4	use utf8;
	1				2
	1				13
7
8	1		1		25	use SBOM::CycloneDX::BomRef;
	1				2
	1				24
9	1		1		4	use SBOM::CycloneDX::List;
	1				2
	1				17
10	1		1		4	use SBOM::CycloneDX::Timestamp;
	1				2
	1				295
11
12	1		1		6	use Types::Standard qw(Str Int InstanceOf);
	1				2
	1				8
13	1		1		1885	use Types::TypeTiny qw(ArrayLike);
	1				2
	1				7
14
15	1		1		532	use Moo;
	1				2
	1				7
16	1		1		359	use namespace::autoclean;
	1				2
	1				9
17
18						extends 'SBOM::CycloneDX::Base';
19
20						has bom_ref => (
21						is => 'rw',
22						isa => InstanceOf ['SBOM::CycloneDX::BomRef'],
23						coerce => sub { ref($_[0]) ? $_[0] : SBOM::CycloneDX::BomRef->new($_[0]) }
24						);
25
26						has id => (is => 'rw', isa => Str);
27						has source => (is => 'rw', isa => InstanceOf ['SBOM::CycloneDX::Vulnerability::Source']);
28
29						has references => (
30						is => 'rw',
31						isa => ArrayLike [InstanceOf ['SBOM::CycloneDX::Vulnerability::Reference']],
32						default => sub { SBOM::CycloneDX::List->new }
33						);
34
35						has ratings => (
36						is => 'rw',
37						isa => ArrayLike [InstanceOf ['SBOM::CycloneDX::Vulnerability::Rating']],
38						default => sub { SBOM::CycloneDX::List->new }
39						);
40
41						has cwes => (is => 'rw', isa => ArrayLike [Int], default => sub { SBOM::CycloneDX::List->new });
42						has description => (is => 'rw', isa => Str);
43						has detail => (is => 'rw', isa => Str);
44						has recommendation => (is => 'rw', isa => Str);
45						has workaround => (is => 'rw', isa => Str);
46						has proof_of_concept => (is => 'rw', isa => InstanceOf ['SBOM::CycloneDX::Vulnerability::ProofOfConcept']);
47
48						has advisories => (
49						is => 'rw',
50						isa => ArrayLike [InstanceOf ['SBOM::CycloneDX::Advisory']],
51						default => sub { SBOM::CycloneDX::List->new }
52						);
53
54						has created => (
55						is => 'rw',
56						isa => InstanceOf ['SBOM::CycloneDX::Timestamp'],
57						coerce => sub { ref($_[0]) ? $_[0] : SBOM::CycloneDX::Timestamp->new($_[0]) }
58						);
59
60						has published => (
61						is => 'rw',
62						isa => InstanceOf ['SBOM::CycloneDX::Timestamp'],
63						coerce => sub { ref($_[0]) ? $_[0] : SBOM::CycloneDX::Timestamp->new($_[0]) }
64						);
65
66						has updated => (
67						is => 'rw',
68						isa => InstanceOf ['SBOM::CycloneDX::Timestamp'],
69						coerce => sub { ref($_[0]) ? $_[0] : SBOM::CycloneDX::Timestamp->new($_[0]) }
70						);
71
72						has rejected => (
73						is => 'rw',
74						isa => InstanceOf ['SBOM::CycloneDX::Timestamp'],
75						coerce => sub { ref($_[0]) ? $_[0] : SBOM::CycloneDX::Timestamp->new($_[0]) }
76						);
77
78						has credits => (is => 'rw', isa => InstanceOf ['SBOM::CycloneDX::Vulnerability::Credits']);
79
80						has tools =>
81						(is => 'rw', isa => InstanceOf ['SBOM::CycloneDX::Tools'] \| ArrayLike [InstanceOf ['SBOM::CycloneDX::Tool']]);
82
83						has analysis => (is => 'rw', isa => InstanceOf ['SBOM::CycloneDX::Vulnerability::Analysis']);
84
85						has affects => (
86						is => 'rw',
87						isa => ArrayLike [InstanceOf ['SBOM::CycloneDX::Vulnerability::Affect']],
88						default => sub { SBOM::CycloneDX::List->new }
89						);
90
91						has properties => (
92						is => 'rw',
93						isa => ArrayLike [InstanceOf ['SBOM::CycloneDX::Property']],
94						default => sub { SBOM::CycloneDX::List->new }
95						);
96
97						sub TO_JSON {
98
99	0		0	1		my $self = shift;
100
101	0					my $json = {};
102
103	0	0				$json->{'bom-ref'} = $self->bom_ref if $self->bom_ref;
104	0	0				$json->{id} = $self->id if $self->id;
105	0	0				$json->{source} = $self->source if $self->source;
106	0	0				$json->{references} = $self->references if @{$self->references};
	0
107	0	0				$json->{ratings} = $self->ratings if @{$self->ratings};
	0
108	0	0				$json->{cwes} = $self->cwes if @{$self->cwes};
	0
109	0	0				$json->{description} = $self->description if $self->description;
110	0	0				$json->{detail} = $self->detail if $self->detail;
111	0	0				$json->{recommendation} = $self->recommendation if $self->recommendation;
112	0	0				$json->{workaround} = $self->workaround if $self->workaround;
113	0	0				$json->{proofOfConcept} = $self->proof_of_concept if $self->proof_of_concept;
114	0	0				$json->{advisories} = $self->advisories if @{$self->advisories};
	0
115	0	0				$json->{created} = $self->created if $self->created;
116	0	0				$json->{published} = $self->published if $self->published;
117	0	0				$json->{updated} = $self->updated if $self->updated;
118	0	0				$json->{rejected} = $self->rejected if $self->rejected;
119	0	0				$json->{credits} = $self->credits if $self->credits;
120	0	0				$json->{tools} = $self->tools if $self->tools;
121	0	0				$json->{analysis} = $self->analysis if $self->analysis;
122	0	0				$json->{affects} = $self->affects if @{$self->affects};
	0
123	0	0				$json->{properties} = $self->properties if @{$self->properties};
	0
124
125	0					return $json;
126
127						}
128
129						1;
130
131						=encoding utf-8
132
133						=head1 NAME
134
135						SBOM::CycloneDX::Vulnerability - Vulnerability
136
137						=head1 SYNOPSIS
138
139						SBOM::CycloneDX::Vulnerability->new();
140
141
142						=head1 DESCRIPTION
143
144						L Defines a weakness in a component or
145						service that could be exploited or triggered by a threat source.
146
147						=head2 METHODS
148
149						L inherits all methods from L
150						and implements the following new ones.
151
152						=over
153
154						=item SBOM::CycloneDX::Vulnerability->new( %PARAMS )
155
156						Properties:
157
158						=over
159
160						=item * C, Published advisories of the vulnerability if provided.
161
162						=item * C, The components or services that are affected by the
163						vulnerability.
164
165						=item * C, An assessment of the impact and exploitability of the
166						vulnerability.
167
168						=item * C, An identifier which can be used to reference the
169						vulnerability elsewhere in the BOM. Every bom-ref must be unique within the
170						BOM.
171						Value SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid
172						conflicts with BOM-Links.
173
174						=item * C, The date and time (timestamp) when the vulnerability
175						record was created in the vulnerability database.
176
177						=item * C, Individuals or organizations credited with the discovery
178						of the vulnerability.
179
180						=item * C, List of Common Weaknesses Enumerations (CWEs) codes that
181						describes this vulnerability.
182
183						=item * C, A description of the vulnerability as provided by the
184						source.
185
186						=item * C, If available, an in-depth description of the vulnerability
187						as provided by the source organization. Details often include information
188						useful in understanding root cause.
189
190						=item * C, The identifier that uniquely identifies the vulnerability.
191
192						=item * C, Evidence used to reproduce the vulnerability.
193
194						=item * C, Provides the ability to document properties in a
195						name-value store. This provides flexibility to include data not officially
196						supported in the standard without having to use additional namespaces or
197						create extensions. Unlike key-value stores, properties support duplicate
198						names, each potentially having different values. Property names of interest
199						to the general public are encouraged to be registered in the CycloneDX
200						Property
201						Taxonomy (L). Formal
202						registration is optional.
203
204						=item * C, The date and time (timestamp) when the vulnerability
205						record was first published.
206
207						=item * C, List of vulnerability ratings
208
209						=item * C, Recommendations of how the vulnerability can be
210						remediated or mitigated.
211
212						=item * C, Zero or more pointers to vulnerabilities that are the
213						equivalent of the vulnerability specified. Often times, the same
214						vulnerability may exist in multiple sources of vulnerability intelligence,
215						but have different identifiers. References provide a way to correlate
216						vulnerabilities across multiple sources of vulnerability intelligence.
217
218						=item * C, The date and time (timestamp) when the vulnerability
219						record was rejected (if applicable).
220
221						=item * C, The source that published the vulnerability.
222
223						=item * C, The tool(s) used to identify, confirm, or score the
224						vulnerability.
225
226						=item * C, The date and time (timestamp) when the vulnerability
227						record was last updated.
228
229						=item * C, A bypass, usually temporary, of the vulnerability that
230						reduces its likelihood and/or impact. Workarounds often involve changes to
231						configuration or deployments.
232
233						=back
234
235						=item $vulnerability->advisories
236
237						=item $vulnerability->affects
238
239						=item $vulnerability->analysis
240
241						=item $vulnerability->bom_ref
242
243						=item $vulnerability->created
244
245						=item $vulnerability->credits
246
247						=item $vulnerability->cwes
248
249						=item $vulnerability->description
250
251						=item $vulnerability->detail
252
253						=item $vulnerability->id
254
255						=item $vulnerability->proof_of_concept
256
257						=item $vulnerability->properties
258
259						=item $vulnerability->published
260
261						=item $vulnerability->ratings
262
263						=item $vulnerability->recommendation
264
265						=item $vulnerability->references
266
267						=item $vulnerability->rejected
268
269						=item $vulnerability->source
270
271						=item $vulnerability->tools
272
273						=item $vulnerability->updated
274
275						=item $vulnerability->workaround
276
277						=back
278
279
280						=head1 SUPPORT
281
282						=head2 Bugs / Feature Requests
283
284						Please report any bugs or feature requests through the issue tracker
285						at L.
286						You will be notified automatically of any progress on your issue.
287
288						=head2 Source Code
289
290						This is open source software. The code repository is available for
291						public review and contribution under the terms of the license.
292
293						L
294
295						git clone https://github.com/giterlizzi/perl-SBOM-CycloneDX.git
296
297
298						=head1 AUTHOR
299
300						=over 4
301
302						=item * Giuseppe Di Terlizzi
303
304						=back
305
306
307						=head1 LICENSE AND COPYRIGHT
308
309						This software is copyright (c) 2025-2026 by Giuseppe Di Terlizzi.
310
311						This is free software; you can redistribute it and/or modify it under
312						the same terms as the Perl 5 programming language system itself.
313
314						=cut