Instead of keeping the affected products as part of the CVE node (as the original source does), we model them as a separate node and link that node to the CVE node.
This node provides information about the set of products and services affected by the related vulnerability.
The information is extracted from the CVE object and created as a separate node. The definition can be found here in the product section.

| Property | Data type | Comment |
| --- | --- | --- |
| product | string | Name of the affected product. |
| collectionURL | string | URL identifying a package collection (determines the meaning of packageName). |
| packageName | string | Name or identifier of the affected software package as used in the package collection. |
| modules | list of strings | A list of the affected components, features, modules, sub-components, sub-products, APIs, commands, utilities, programs, or functionalities (optional). |
| programFiles | list of strings | A list of the affected source code files (optional) where each entry is a string of the name or path or location of the affected source code file. |
| programRoutines | list of objects | A list of the affected source code functions, methods, subroutines, or procedures (optional). The object has only one property “name” which is the name of the affected source code file, function, method, subroutine, or procedure as a string. |
| platforms | list of strings | List of specific platforms if the vulnerability is only relevant in the context of these platforms (optional). Platforms may include execution environments, operating systems, virtualization technologies, hardware models, or computing architectures. The lack of this field or an empty array implies that the other fields are applicable to all relevant platforms. Examples: ["iOS", "Android", "Windows", "macOS", "x86", "ARM", "64 bit", "Big Endian", "iPad", "Chromebook", "Docker", "Model T"] |
| repo | string | The URL of the source code repository, for informational purposes and/or to resolve git hash version ranges. |
| defaultStatus | string | The default status for versions that are not otherwise listed in the versions list. If not specified, defaultStatus defaults to 'unknown'. Versions or defaultStatus may be omitted, but not both. |
| versions | list of objects | Set of product versions or version ranges related to the vulnerability. The versions satisfy the CNA Rules [8.1.2 requirement](https://cve.mitre.org/cve/cna/rules.html#section_8-1_cve_entry_information_requirements). Versions or defaultStatus may be omitted, but not both. An entry with only 'version' and 'status' indicates the status of a single version. Otherwise, an entry describes a range; it must include the 'versionType' property, to define the version numbering semantics in use, and 'limit', to indicate the non-inclusive upper limit of the range. The object describes the status for versions V such that 'version' <= V and V < 'limit', using the <= and < semantics defined for the specific kind of 'versionType'. Status changes within the range can be specified by an optional 'changes' list. |
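
The matching rules from the `versions` and `defaultStatus` rows, as an added Python example that is not part of the original documentation or the project's code. It assumes dotted-numeric version strings and reads the non-inclusive upper limit from `lessThan`, the key the CVE record format uses for what the table calls 'limit'; `status_of`, `parse` and the sample node are hypothetical.

```python
# Added example: resolve the status of one version against a product node.
# Assumption: versions are dotted-numeric ("2.4.1"); real versionType values
# (semver, git, custom, ...) each need their own comparison rules.

def parse(v):
    """Turn '2.4.1' into (2, 4, 1) so tuples compare in version order."""
    return tuple(int(part) for part in v.split("."))


def status_of(product, version):
    """Return the status string that applies to `version` for this product."""
    versions = product.get("versions")
    if not versions and "defaultStatus" not in product:
        raise ValueError("versions and defaultStatus must not both be omitted")
    v = parse(version)
    for entry in versions or []:
        if "lessThan" not in entry:
            # Only 'version' and 'status': the entry names a single version.
            if parse(entry["version"]) == v:
                return entry["status"]
            continue
        # Range entry: 'version' <= V < limit (the limit is non-inclusive).
        if parse(entry["version"]) <= v < parse(entry["lessThan"]):
            status = entry["status"]
            # Each 'changes' item switches the status from version 'at' onward.
            changes = sorted(entry.get("changes", []), key=lambda c: parse(c["at"]))
            for change in changes:
                if parse(change["at"]) <= v:
                    status = change["status"]
            return status
    # Not listed anywhere: use defaultStatus, which itself defaults to 'unknown'.
    return product.get("defaultStatus", "unknown")


# Constructed sample node, not taken from a real CVE record.
SAMPLE = {
    "product": "example-server",
    "defaultStatus": "unaffected",
    "versions": [
        {"version": "1.0.0", "status": "affected"},
        {"version": "2.0.0", "lessThan": "3.0.0", "versionType": "semver",
         "status": "affected",
         "changes": [{"at": "2.4.1", "status": "unaffected"}]},
    ],
}

if __name__ == "__main__":
    for candidate in ("1.0.0", "2.3.9", "2.4.1", "3.0.0"):
        print(candidate, status_of(SAMPLE, candidate))
```

A consumer that treats an unlisted version as safe is relying on `defaultStatus`; when that property is absent the correct answer is 'unknown', not 'unaffected'.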
CVE
CPE
Vendor