Schema for the rl-cve report format

The Spectra Assure platform supports a special format for analysis reports called rl-cve. This format provides detailed information on all known vulnerabilities found in your software during analysis, and is particularly suitable for prioritizing the order of their resolution. It can be downloaded from the Vulnerabilities page in the Portal UI.

To generate reports in the rl-cve format:

• with rl-secure CLI, use the rl-secure report command
• with the Spectra Assure Portal APIs, use the "Export analysis report" endpoint

This page describes the full schema of the rl-cve report format.

How to read the schema?

The schema contents are displayed as a schema model and described in the order as they appear in the report.

The full rl-cve report example is displayed below the schema.

Desktop browsers: To make the schema easier to read, you can hide the navigation sidebar by selecting the << button at the bottom left of the page.

rl-cve report schema

id required	string Unique CVE identifier.
cvss-ver required	integer Version of the CVSS scoring system.
cvss-score required	integer Number determining the severity of a vulnerability found in the software.
marketing-name	string Commonly used marketing name for the detected CVE (e.g. 'log4shell').
file-path required	string Location of the affected file within the software package.
file-sha256 required	string Hash of the affected file within the software package.
type required	string Whether the affected file is a software package component or dependency.
cpe	string Software package name and version written according to the CPE naming standard.
purl required	string A URL string containing the information on the package location and its source. Consult the official format specification for details.
product-name	string Full name of the affected product.
product-ver required	string The affected product version.
introduced-ver required	string Product version in which the vulnerability was first seen.
introduced-at	string <date-time> Time when the vulnerability was first seen in the product version.
resolved-ver	string Product version in which the vulnerability was resolved.
resolved-at	string <date-time> Time when the vulnerability was resolved.
exploit-exists required	boolean Whether this vulnerability is targeted by malicious actors or easily misused.
exploit-malware required	boolean Whether malware actively takes advantage of this vulnerability.
patch-mandate required	boolean Whether CISA (Cybersecurity and Infrastructure Security Agency) requires this vulnerability to be patched within a given timeframe. This information can be found in the Known Exploited Vulnerabilities Catalog maintained by CISA.
fixable required	boolean Whether a fix version exists for this vulnerability.
triaged required	boolean Whether this vulnerability is triaged using Spectra Assure configuration.

{

• "id": "string",
• "cvss-ver": 0,
• "cvss-score": 0,
• "marketing-name": "string",
• "file-path": "string",
• "file-sha256": "string",
• "type": "string",
• "cpe": "string",
• "purl": "string",
• "product-name": "string",
• "product-ver": "string",
• "introduced-ver": "string",
• "introduced-at": null,
• "resolved-ver": "string",
• "resolved-at": null,
• "exploit-exists": true,
• "exploit-malware": true,
• "patch-mandate": true,
• "fixable": true,
• "triaged": true

}

rl-cve report example

| id                | cvss-ver | cvss-score | marketing-name | file-path                                                                            | file-sha256                                                      | type       | cpe                                                  | purl                                                 | product-name      | product-ver | introduced-ver | introduced-at            | resolved-ver | resolved-at              | exploit-exists | exploit-malware | patch-mandate | fixable | triaged        |
|-------------------|----------|------------|----------------|--------------------------------------------------------------------------------------|------------------------------------------------------------------|------------|------------------------------------------------------|------------------------------------------------------|-------------------|-------------|----------------|--------------------------|--------------|--------------------------|----------------|-----------------|---------------|---------|----------------|
| CVE-2016-2335     |        3 |        8.8 |                | %ProgramFiles32%/7-Zip/7z.dll                                                        | 7f47382791a5264eed7310706e105c1cfa0e727359102f14933d4927bd296640 | component  | cpe:2.3:a:7-zip:7-zip:15.05:beta:*:*:*:*:*:*         |                                                      | 7z DLL            | 15.14       | 4.59 beta      | 2024-02-20T14:21:43+0000 | 16           | 2024-02-20T14:21:43+0000 | TRUE           | FALSE           | FALSE         | TRUE    | FALSE          |
| CVE-2021-44228    |        3 |         10 | Log4Shell      | unpacked_files/0/solr-8.10.0/server/lib/ext/log4j-core-2.14.1.jar                    | ade7402a70667a727635d5c4c29495f4ff96f061f12539763f6f123973b465b0 | component  | cpe:2.3:a:apache:log4j:2.0:-:*:*:*:*:*:*             | pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1 | Apache Log4j Core | 2.14.1      | 2.0-beta9      | 2024-02-20T14:21:43+0000 | 2.15.0       | 2024-02-20T14:21:43+0000 | TRUE           | TRUE            | TRUE          | TRUE    | FALSE          |
| CVE-2018-14721    |        3 |         10 |                | unpacked_files/0/solr-8.10.0/server/solr-webapp/webapp/WEB-INF/lib/spatial4j-0.7.jar | 9adccb1d87f7e0be70567b952c65552607e2dcbde32a1579a8a639bdcfa1a3c8 | dependency | cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* | pkg:maven/org.locationtech.spatial4j/spatial4j@0.7   | Spatial4J         | 0.7         | 2.7.0-rc1      | 2024-02-20T14:21:43+0000 | 2.9.7        | 2024-02-20T14:21:43+0000 | FALSE          | FALSE           | FALSE         | TRUE    | FALSE          |