blib/lib/SBOM/CycloneDX/Vulnerability.pm
# Moo class modelling one CycloneDX "vulnerability" entry.  The attributes are
# declared below; TO_JSON (the hook JSON encoders call for blessed objects)
# builds the hash that is ultimately serialised.
package SBOM::CycloneDX::Vulnerability;
2              
3 1     1   1168 use 5.010001;
4 1     1   5 use strict;
5 1     1   3 use warnings;
6 1     1   39 use utf8;
7              
8 1     1   50 use SBOM::CycloneDX::BomRef;
9 1     1   4 use SBOM::CycloneDX::List;
10 1     1   3 use SBOM::CycloneDX::Timestamp;
11              
12 1     1   4 use Types::Standard qw(Str Int InstanceOf);
13 1     1   1344 use Types::TypeTiny qw(ArrayLike);
14              
15 1     1   405 use Moo;
16 1     1   321 use namespace::autoclean;
17              
extends 'SBOM::CycloneDX::Base';

# Coercions shared by several attributes below: a plain scalar is wrapped in
# the matching value object, while anything that is already a reference is
# handed through untouched and left for the `isa` constraint to accept or
# reject.
my $to_bom_ref   = sub { ref($_[0]) ? $_[0] : SBOM::CycloneDX::BomRef->new($_[0]) };
my $to_timestamp = sub { ref($_[0]) ? $_[0] : SBOM::CycloneDX::Timestamp->new($_[0]) };

# Default builder for the list-valued attributes: a fresh list per instance.
my $new_list = sub { SBOM::CycloneDX::List->new };

# --- identification ---------------------------------------------------------
# NOTE: the documented rule that a bom-ref SHOULD NOT start with 'urn:cdx:'
# (to avoid clashing with BOM-Links) is not enforced here; only the type is
# checked.
has bom_ref => (
    is     => 'rw',
    isa    => InstanceOf ['SBOM::CycloneDX::BomRef'],
    coerce => $to_bom_ref,
);

has id => (is => 'rw', isa => Str);

# Either the generic Source object or the vulnerability-specific one is accepted.
has source => (
    is  => 'rw',
    isa => InstanceOf ['SBOM::CycloneDX::Source'] | InstanceOf ['SBOM::CycloneDX::Vulnerability::Source'],
);

# --- correlation and scoring ------------------------------------------------
has references => (
    is      => 'rw',
    isa     => ArrayLike [InstanceOf ['SBOM::CycloneDX::Vulnerability::Reference']],
    default => $new_list,
);

has ratings => (
    is      => 'rw',
    isa     => ArrayLike [InstanceOf ['SBOM::CycloneDX::Vulnerability::Rating']],
    default => $new_list,
);

# CWE identifiers are held as bare integers, not objects.
has cwes => (is => 'rw', isa => ArrayLike [Int], default => $new_list);

# --- free-text fields -------------------------------------------------------
has description    => (is => 'rw', isa => Str);
has detail         => (is => 'rw', isa => Str);
has recommendation => (is => 'rw', isa => Str);
has workaround     => (is => 'rw', isa => Str);

has proof_of_concept => (is => 'rw', isa => InstanceOf ['SBOM::CycloneDX::Vulnerability::ProofOfConcept']);

has advisories => (
    is      => 'rw',
    isa     => ArrayLike [InstanceOf ['SBOM::CycloneDX::Advisory']],
    default => $new_list,
);

# --- timestamps (a plain string is coerced into a Timestamp object) ---------
has created   => (is => 'rw', isa => InstanceOf ['SBOM::CycloneDX::Timestamp'], coerce => $to_timestamp);
has published => (is => 'rw', isa => InstanceOf ['SBOM::CycloneDX::Timestamp'], coerce => $to_timestamp);
has updated   => (is => 'rw', isa => InstanceOf ['SBOM::CycloneDX::Timestamp'], coerce => $to_timestamp);
has rejected  => (is => 'rw', isa => InstanceOf ['SBOM::CycloneDX::Timestamp'], coerce => $to_timestamp);

has credits => (is => 'rw', isa => InstanceOf ['SBOM::CycloneDX::Vulnerability::Credits']);

# Either a single Tools object or a list of individual Tool objects.
has tools => (
    is  => 'rw',
    isa => InstanceOf ['SBOM::CycloneDX::Tools'] | ArrayLike [InstanceOf ['SBOM::CycloneDX::Tool']],
);

has analysis => (is => 'rw', isa => InstanceOf ['SBOM::CycloneDX::Vulnerability::Analysis']);

has affects => (
    is      => 'rw',
    isa     => ArrayLike [InstanceOf ['SBOM::CycloneDX::Vulnerability::Affect']],
    default => $new_list,
);

has properties => (
    is      => 'rw',
    isa     => ArrayLike [InstanceOf ['SBOM::CycloneDX::Property']],
    default => $new_list,
);
99              
# Build the plain hash reference that represents this vulnerability in JSON.
#
# Returns a hashref keyed by the CycloneDX property names.  Only properties
# that are set are included: a single-valued property is emitted when its
# accessor returns a Perl-true value (so undef, '' and 0 are all skipped),
# and a list-valued property when the list holds at least one element.
# Nested values (timestamps, source, lists, ...) are put into the hash as the
# attribute objects themselves; turning them into JSON is left to the encoder
# (presumably through their own TO_JSON methods -- confirm in the encoder
# setup).
sub TO_JSON {
    my $self = shift;

    # JSON property name => accessor, for the single-valued properties.  Note
    # that `tools` is in this table, so a tools list object is emitted whenever
    # it is set, even if it contains no elements.
    my %accessor_for = (
        'bom-ref'      => 'bom_ref',
        id             => 'id',
        source         => 'source',
        description    => 'description',
        detail         => 'detail',
        recommendation => 'recommendation',
        workaround     => 'workaround',
        proofOfConcept => 'proof_of_concept',
        created        => 'created',
        published      => 'published',
        updated        => 'updated',
        rejected       => 'rejected',
        credits        => 'credits',
        tools          => 'tools',
        analysis       => 'analysis',
    );

    # List-valued properties; the accessor and JSON name coincide.
    my @list_properties = qw(references ratings cwes advisories affects properties);

    my $json = {};

    for my $key (keys %accessor_for) {
        my $accessor = $accessor_for{$key};
        my $value    = $self->$accessor;
        $json->{$key} = $value if $value;
    }

    for my $name (@list_properties) {
        my $list = $self->$name;
        $json->{$name} = $list if @{$list};
    }

    return $json;
}
131              
1;    # a module file must end with a true value
133              
134             =encoding utf-8
135              
136             =head1 NAME
137              
138             SBOM::CycloneDX::Vulnerability - Vulnerability
139              
140             =head1 SYNOPSIS
141              
142             SBOM::CycloneDX::Vulnerability->new();
143              
144              
145             =head1 DESCRIPTION
146              
L<SBOM::CycloneDX::Vulnerability> defines a weakness in a component or
service that could be exploited or triggered by a threat source.
149              
150             =head2 METHODS
151              
L<SBOM::CycloneDX::Vulnerability> inherits all methods from L<SBOM::CycloneDX::Base>
and implements the following new ones.
154              
155             =over
156              
157             =item SBOM::CycloneDX::Vulnerability->new( %PARAMS )
158              
159             Properties:
160              
161             =over
162              
=item * C<advisories>, Published advisories of the vulnerability if provided.
164              
=item * C<affects>, The components or services that are affected by the
vulnerability.
167              
=item * C<analysis>, An assessment of the impact and exploitability of the
vulnerability.
170              
=item * C<bom_ref>, An identifier which can be used to reference the
vulnerability elsewhere in the BOM. Every bom-ref must be unique within the
BOM.
Value SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid
conflicts with BOM-Links.
176              
=item * C<created>, The date and time (timestamp) when the vulnerability
record was created in the vulnerability database.
179              
=item * C<credits>, Individuals or organizations credited with the discovery
of the vulnerability.
182              
=item * C<cwes>, List of Common Weakness Enumeration (CWE) codes that
describe this vulnerability.
185              
=item * C<description>, A description of the vulnerability as provided by the
source.
188              
=item * C<detail>, If available, an in-depth description of the vulnerability
as provided by the source organization. Details often include information
useful in understanding root cause.
192              
=item * C<id>, The identifier that uniquely identifies the vulnerability.
194              
=item * C<proof_of_concept>, Evidence used to reproduce the vulnerability.
196              
=item * C<properties>, Provides the ability to document properties in a
name-value store. This provides flexibility to include data not officially
supported in the standard without having to use additional namespaces or
create extensions. Unlike key-value stores, properties support duplicate
names, each potentially having different values. Property names of interest
to the general public are encouraged to be registered in the CycloneDX
Property
204             Taxonomy (L). Formal
205             registration is optional.
206              
=item * C<published>, The date and time (timestamp) when the vulnerability
record was first published.
209              
=item * C<ratings>, List of vulnerability ratings.
211              
=item * C<recommendation>, Recommendations of how the vulnerability can be
remediated or mitigated.
214              
=item * C<references>, Zero or more pointers to vulnerabilities that are the
equivalent of the vulnerability specified. Oftentimes, the same
vulnerability may exist in multiple sources of vulnerability intelligence,
but have different identifiers. References provide a way to correlate
vulnerabilities across multiple sources of vulnerability intelligence.
220              
=item * C<rejected>, The date and time (timestamp) when the vulnerability
record was rejected (if applicable).
223              
=item * C<source>, The source that published the vulnerability.
225              
=item * C<tools>, The tool(s) used to identify, confirm, or score the
vulnerability.
228              
=item * C<updated>, The date and time (timestamp) when the vulnerability
record was last updated.
231              
=item * C<workaround>, A bypass, usually temporary, of the vulnerability that
reduces its likelihood and/or impact. Workarounds often involve changes to
configuration or deployments.
235              
236             =back
237              
238             =item $vulnerability->advisories
239              
240             =item $vulnerability->affects
241              
242             =item $vulnerability->analysis
243              
244             =item $vulnerability->bom_ref
245              
246             =item $vulnerability->created
247              
248             =item $vulnerability->credits
249              
250             =item $vulnerability->cwes
251              
252             =item $vulnerability->description
253              
254             =item $vulnerability->detail
255              
256             =item $vulnerability->id
257              
258             =item $vulnerability->proof_of_concept
259              
260             =item $vulnerability->properties
261              
262             =item $vulnerability->published
263              
264             =item $vulnerability->ratings
265              
266             =item $vulnerability->recommendation
267              
268             =item $vulnerability->references
269              
270             =item $vulnerability->rejected
271              
272             =item $vulnerability->source
273              
274             =item $vulnerability->tools
275              
276             =item $vulnerability->updated
277              
278             =item $vulnerability->workaround
279              
280             =back
281              
282              
283             =head1 SUPPORT
284              
285             =head2 Bugs / Feature Requests
286              
287             Please report any bugs or feature requests through the issue tracker
288             at L.
289             You will be notified automatically of any progress on your issue.
290              
291             =head2 Source Code
292              
293             This is open source software. The code repository is available for
294             public review and contribution under the terms of the license.
295              
L<https://github.com/giterlizzi/perl-SBOM-CycloneDX>
297              
298             git clone https://github.com/giterlizzi/perl-SBOM-CycloneDX.git
299              
300              
301             =head1 AUTHOR
302              
303             =over 4
304              
305             =item * Giuseppe Di Terlizzi
306              
307             =back
308              
309              
310             =head1 LICENSE AND COPYRIGHT
311              
312             This software is copyright (c) 2025-2026 by Giuseppe Di Terlizzi.
313              
314             This is free software; you can redistribute it and/or modify it under
315             the same terms as the Perl 5 programming language system itself.
316              
317             =cut