{
  "$defs": {
    "IsoDate": {
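      "description": "ISO 8601 date (YYYY-MM-DD). Under draft 2020-12, `format` is an annotation unless the validator enables format assertion, so the consumer should check the date as well.",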
      "format": "date",
      "type": "string"
    },
    "PathRef": {
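      "description": "Path-based cross-reference relative to .corpospec/ root.\nPattern: `^[a-z0-9_-]+(/[a-z0-9_.-]+)+$`\nNote: segments after the first may contain `.`, so a `..` segment matches the pattern; a consumer that resolves the reference to a file should normalise it and confirm the result stays under the .corpospec/ root.",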
      "pattern": "^[a-z0-9_-]+(/[a-z0-9_.-]+)+$",
      "type": "string"
    },
    "VulnerabilityStatus": {
      "description": "Remediation status.",
      "oneOf": [
        {
          "enum": [
            "triaging",
            "confirmed",
            "in_remediation",
            "mitigated",
            "patched"
          ],
          "type": "string"
        },
        {
          "const": "accepted",
          "description": "Risk accepted with approval.",
          "type": "string"
        },
        {
          "const": "dismissed",
          "description": "False positive, dismissed.",
          "type": "string"
        }
      ]
    }
  },
  "$id": "https://corpospec.com/schemas/v0.16.0/vulnerability.schema.json",
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "additionalProperties": false,
  "description": "Vulnerability record.",
  "properties": {
    "advisory_ref": {
      "anyOf": [
        {
          "$ref": "#/$defs/PathRef"
        },
        {
          "type": "null"
        }
      ],
      "description": "PathRef to vendor advisory / GHSA / NVD record."
    },
    "affected_components": {
      "description": "PathRefs to affected components (sbom.components[].purl). Each item must match the PathRef pattern, so a raw purl string (`pkg:...`) does not validate here.",
      "items": {
        "$ref": "#/$defs/PathRef"
      },
      "type": "array"
    },
    "cve_id": {
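      "description": "CVE identifier (CVE-YYYY-NNNN; the sequence part is four or more digits). No `pattern` is declared, so this schema does not check the format.",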
      "type": "string"
    },
    "cvss_base_score": {
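      "description": "CVSS base score (0.0–10.0). The range is documented only: no `minimum`/`maximum` is declared, so this schema accepts out-of-range values.",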
      "format": "double",
      "type": "number"
    },
    "cvss_temporal_score": {
      "description": "Optional CVSS temporal score.",
      "format": "double",
      "type": [
        "number",
        "null"
      ]
    },
    "cvss_vector": {
      "description": "CVSS v3.1 vector string.",
      "type": "string"
    },
    "cwe_id": {
      "description": "CWE classifier (e.g. \"CWE-79\", \"CWE-20\").",
      "type": [
        "string",
        "null"
      ]
    },
    "discovered_at": {
      "$ref": "#/$defs/IsoDate",
      "description": "Discovery date (when we became aware)."
    },
    "id": {
      "$ref": "#/$defs/PathRef"
    },
    "kev_listed": {
      "description": "Whether the CVE is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.",
      "type": "boolean"
    },
    "mitigation": {
      "description": "Mitigation summary (compensating controls).",
      "type": [
        "string",
        "null"
      ]
    },
    "owner": {
      "$ref": "#/$defs/PathRef",
      "description": "Owner (engineer responsible for remediation)."
    },
    "patch_target_date": {
      "$ref": "#/$defs/IsoDate",
      "description": "SLA-derived target patch date."
    },
    "patched_at": {
      "anyOf": [
        {
          "$ref": "#/$defs/IsoDate"
        },
        {
          "type": "null"
        }
      ]
    },
    "published_at": {
      "$ref": "#/$defs/IsoDate",
      "description": "Published date (when vendor / MITRE published)."
    },
    "status": {
      "$ref": "#/$defs/VulnerabilityStatus"
    }
  },
  "required": [
    "id",
    "cve_id",
    "cvss_vector",
    "cvss_base_score",
    "kev_listed",
    "affected_components",
    "discovered_at",
    "published_at",
    "patch_target_date",
    "status",
    "owner"
  ],
  "title": "Vulnerability",
  "type": "object",
  "x-corpospec-pillar": "legal"
}