Optional
associations: The entities to associate the Security Vulnerability information with.
The identifier of the Container where this Vulnerability was found. Must be unique for a given Provider.
A description of the issue in Markdown format. Will be shown in the UI and used when creating Jira Issues.
The human-readable name for the Vulnerability. Will be shown in the UI.
If not provided, will use the ID for display.
The identifier for the Vulnerability. Must be unique for a given Provider.
Optional
identifiers: The identifying information for the Vulnerability.
The display name of the Vulnerability identified.
A URL users can use to link to the definition of the Vulnerability identified.
The timestamp to present to the user that shows when the Vulnerability was introduced.
Expected format is an RFC3339 formatted string.
The timestamp to present to the user that shows when the Vulnerability was last updated.
Expected format is an RFC3339 formatted string.
The VulnerabilityData schema version used for this vulnerability data.
Placeholder to support potential schema changes in the future.
Severity information for a single Vulnerability.
This is the severity information that will be presented to the user, for example on the Jira Security screen.
The severity level of the Vulnerability.
The current status of the Vulnerability.
The type of Vulnerability detected.
An ID used to apply an ordering to updates for this Vulnerability in the case of out-of-order receipt of update requests.
This can be any monotonically increasing number. A suggested implementation is to use epoch millis from the Provider system, but other alternatives are valid (e.g. a Provider could store a counter against each Vulnerability and increment that on each update to Jira).
Updates for a Vulnerability that are received with an updateSequenceId lower than what is currently stored will be ignored.
A URL users can use to link to a summary view of this vulnerability, if appropriate.
This could be any location that makes sense in the Provider system (e.g. if the summary information comes from a specific project, it might make sense to link the user to the vulnerability in that project).
Data related to a specific vulnerability in a specific workspace that the vulnerability is present in. Must specify at least one association.
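The update-ordering and format rules described above can be modelled as follows. This is an added example, not code from the Provider API or from Jira: the field names `id`, `lastUpdated` and `status`, the classes `SequenceSource` and `VulnStore`, and the sample values are assumptions for illustration.

```typescript
// Models the validation and update-ordering rules described above.
// Field names other than `associations` and `updateSequenceId` are assumed.
interface VulnUpdate {
  id: string;               // unique for a given Provider
  updateSequenceId: number; // monotonically increasing per Vulnerability
  lastUpdated: string;      // RFC3339 string (assumed field name)
  status: string;           // assumed field name
  associations: string[];   // at least one is required
}

const RFC3339 = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$/;

// Provider side: catch payloads that break the documented constraints.
function validate(u: VulnUpdate): string[] {
  const errors: string[] = [];
  if (!u.id) errors.push("id is required");
  if (u.associations.length === 0) errors.push("at least one association is required");
  if (!RFC3339.test(u.lastUpdated) || Number.isNaN(Date.parse(u.lastUpdated)))
    errors.push("lastUpdated must be an RFC3339 string");
  if (!Number.isFinite(u.updateSequenceId)) errors.push("updateSequenceId must be a number");
  return errors;
}

// Provider side: epoch millis that never repeats or decreases, even if the clock
// is adjusted backwards or two updates land in the same millisecond.
class SequenceSource {
  private last = new Map<string, number>();
  next(id: string, nowMs: number = Date.now()): number {
    const seq = Math.max(nowMs, (this.last.get(id) ?? -1) + 1);
    this.last.set(id, seq);
    return seq;
  }
}

// Receiver model: an update with a lower sequence id than the stored one is ignored.
class VulnStore {
  private byKey = new Map<string, VulnUpdate>();
  private key(provider: string, id: string): string { return JSON.stringify([provider, id]); }
  apply(provider: string, u: VulnUpdate): "applied" | "ignored" | "rejected" {
    if (validate(u).length > 0) return "rejected";
    const current = this.byKey.get(this.key(provider, u.id));
    if (current && u.updateSequenceId < current.updateSequenceId) return "ignored";
    this.byKey.set(this.key(provider, u.id), u);
    return "applied";
  }
  get(provider: string, id: string): VulnUpdate | undefined {
    return this.byKey.get(this.key(provider, id));
  }
}
```

A late-arriving "open" update cannot overwrite a newer "closed" one in this model, which is the failure the sequence id exists to prevent.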