Legal pillar · v0.16.0
vulnerability Vulnerability
Vulnerability record.
$id · https://corpospec.com/schemas/v0.16.0/vulnerability.schema.json
Fields
| Field | Type | Required | Description |
|---|---|---|---|
| affected_components | PathRef[] | yes | PathRefs to affected components (sbom.components[].purl). |
| cve_id | string | yes | CVE identifier (CVE-YYYY-NNNN). |
| cvss_base_score | number | yes | CVSS base score (0.0–10.0). |
| cvss_vector | string | yes | CVSS v3.1 vector string. |
| discovered_at | IsoDate | yes | Discovery date (when we became aware). |
| id | PathRef | yes | Path-based cross-reference relative to .corpospec/ root. Pattern: `^[a-z0-9_-]+(/[a-z0-9_.-]+)+$` |
| kev_listed | boolean | yes | Whether the CVE is on the CISA KEV catalog. |
| owner | PathRef | yes | Owner (engineer responsible for remediation). |
| patch_target_date | IsoDate | yes | SLA-derived target patch date. |
| published_at | IsoDate | yes | Published date (when vendor / MITRE published). |
| status | VulnerabilityStatus | yes | Remediation status. |
| advisory_ref | PathRef? | — | PathRef to vendor advisory / GHSA / NVD record. |
| cvss_temporal_score | number? | — | Optional CVSS temporal score. |
| cwe_id | string? | — | CWE classifier (e.g. "CWE-79", "CWE-20"). |
| mitigation | string? | — | Mitigation summary (compensating controls). |
| patched_at | IsoDate? | — | |
Definitions
Shared types referenced within this schema.
IsoDate
ISO 8601 date (YYYY-MM-DD).
type: string
PathRef
Path-based cross-reference relative to .corpospec/ root.
Pattern: `^[a-z0-9_-]+(/[a-z0-9_.-]+)+$`
pattern: ^[a-z0-9_-]+(/[a-z0-9_.-]+)+$
VulnerabilityStatus
Remediation status.
Reference in your YAML
# yaml-language-server: $schema=https://corpospec.com/schemas/v0.16.0/vulnerability.schema.json
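
The field constraints listed above can be checked before a record is committed. The following Python lint for an already-parsed record is an added example, not CorpoSpec's own tooling. The CVE regex, the `CVSS:3.1/` prefix check, the sample values and the `STATUS_PLACEHOLDER` status are assumptions, since the page does not list the VulnerabilityStatus values.

```python
import re
from datetime import date

# PATH_REF is the pattern printed on the schema page. CVE_ID and the CVSS 3.1
# prefix are assumptions read from the field descriptions, not the schema file.
PATH_REF = re.compile(r"^[a-z0-9_-]+(/[a-z0-9_.-]+)+$")
CVE_ID = re.compile(r"CVE-[0-9]{4}-[0-9]{4,}")
REQUIRED = ("affected_components", "cve_id", "cvss_base_score", "cvss_vector",
            "discovered_at", "id", "kev_listed", "owner", "patch_target_date",
            "published_at", "status")

def is_path_ref(v):
    # fullmatch: with match(), "$" would also accept a trailing newline
    return isinstance(v, str) and PATH_REF.fullmatch(v) is not None

def is_iso_date(v):
    # [0-9] rather than \d, which also matches non-ASCII digits
    if not (isinstance(v, str) and re.fullmatch(r"[0-9]{4}-[0-9]{2}-[0-9]{2}", v)):
        return False
    try:
        return bool(date.fromisoformat(v))  # rejects impossible dates (Feb 30)
    except ValueError:
        return False

CHECKS = {
    "id": is_path_ref, "owner": is_path_ref, "advisory_ref": is_path_ref,
    "affected_components": lambda v: isinstance(v, list) and all(map(is_path_ref, v)),
    "discovered_at": is_iso_date, "patch_target_date": is_iso_date,
    "published_at": is_iso_date, "patched_at": is_iso_date,
    "cve_id": lambda v: isinstance(v, str) and CVE_ID.fullmatch(v) is not None,
    # type() rather than isinstance() so that True/False are not taken as numbers
    "cvss_base_score": lambda v: type(v) in (int, float) and 0.0 <= v <= 10.0,
    "cvss_vector": lambda v: isinstance(v, str) and v.startswith("CVSS:3.1/"),
    "kev_listed": lambda v: isinstance(v, bool),
}

def validate(rec):
    """Return a list of problems found in one vulnerability record (a dict)."""
    errs = [f"{f}: required field missing" for f in REQUIRED if f not in rec]
    errs += [f"{f}: invalid value" for f, ok in CHECKS.items() if f in rec and not ok(rec[f])]
    return errs

# Constructed sample; "status" is a placeholder, not a real enum value.
SAMPLE = {
    "id": "vulnerabilities/cve-2099-0001", "cve_id": "CVE-2099-0001",
    "affected_components": ["sbom/components/example-lib"], "kev_listed": False,
    "cvss_base_score": 9.8, "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "discovered_at": "2099-01-02", "published_at": "2099-01-01",
    "patch_target_date": "2099-01-16", "owner": "people/example-engineer",
    "status": "STATUS_PLACEHOLDER",
}
```

`validate(SAMPLE)` returns an empty list; each entry in a non-empty result names the field that failed.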