ܖiK*dZddlZddlZddlmZddlmZddlmZddlm Z ddl m Z m Z m Z ejdk\rdd lmZndd lmZddlZdd lmZd d lmZd d lmZd dlmZmZd dlm Z m!Z!m"Z"m#Z#ddl$m%Z%m&Z&ddl'm(Z(ddl)m*Z*m+Z+ddl,m-Z-m.Z.m/Z/m0Z0ddl1m2Z2m3Z3m4Z4ejjdGddZ6ejjdGddZ7ejjdGddZ8ejjdGddZ9ejjdGd d!Z:ejjdGd"d#Z;ejxGd$d%e=e Z>Gd&d'ej~jZAejxGd(d)e=e ZBejjdGd*d+ZCejjdGd,d-ZDejjdGd.d/ZEy)0a This set of classes represents the data that is possible about known Vulnerabilities. Prior to CycloneDX schema version 1.4, vulnerabilities were possible in XML versions ONLY of the standard through a schema extension: https://cyclonedx.org/ext/vulnerability. Since CycloneDX schema version 1.4, this has become part of the core schema. .. note:: See the CycloneDX Schema extension definition https://cyclonedx.org/docs/1.7/xml/#type_vulnerabilitiesType N)Iterable)datetime)Decimal)Enum)AnyOptionalUnion) ) deprecated) SortedSet)bom_ref_from_str)ComparableTuple)$MutuallyExclusivePropertiesExceptionNoPropertiesProvidedException)SchemaVersion1Dot4SchemaVersion1Dot5SchemaVersion1Dot6SchemaVersion1Dot7)PropertyXsUri)BomRef)OrganizationalContactOrganizationalEntity)ImpactAnalysisAffectedStatusImpactAnalysisJustificationImpactAnalysisResponseImpactAnalysisState)ToolToolRepository_ToolRepositoryHelperT)%ignore_unknown_during_deserializationc HeZdZdZdddddeedeedeeddfdZee jd e je jjdeefd Zejdeeddfd Zee jd deefd ZejdeeddfdZee jddeefdZejdeeddfdZdefdZdedefdZdedefdZdefdZdefdZy)BomTargetVersionRangea8 Class that represents either a version or version range and its affected status. `version` and `version_range` are mutually exclusive. .. note:: See the CycloneDX schema: https://cyclonedx.org/docs/1.7/json/#tab-pane_vulnerabilities_items_affects_items_versions_items_oneOf_i0 Nversionrangestatusr(r)r*returncj|s |s td|r |r td||_||_||_y)NzVOne of version or range must be provided for BomTargetVersionRange - neither provided.zUEither version or range should be provided for BomTargetVersionRange - both provided.)rrr(r)r*)selfr(r)r*s a/var/www/html/content-pipeline/venv/lib/python3.12/site-packages/cyclonedx/model/vulnerability.py__init__zBomTargetVersionRange.__init__KsG u/h  u6g    rc|jS)z= A single version of a component or service. _versionr-s r.r(zBomTargetVersionRange.version]s}}r0c||_yNr2)r-r(s r.r(zBomTargetVersionRange.versionf  r0rc|jS)a A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst .. note:: The VERSION-RANGE-SPEC from Package URL is not a formalised standard at the time of writing and this no validation of conformance with this draft standard is performed. _ranger4s r.r)zBomTargetVersionRange.rangejs{{r0c||_yr6r9)r-r)s r.r)zBomTargetVersionRange.rangew  r0r c|jS)zP The vulnerability status for the version or range of versions. _statusr4s r.r*zBomTargetVersionRange.status{ ||r0c||_yr6r>)r-r*s r.r*zBomTargetVersionRange.status  r0cZt|j|j|jfSr6)_ComparableTupler(r)r*r4s r.__comparable_tuplez(BomTargetVersionRange.__comparable_tuples' LL$**dkk!   r0othercft|tr!|j|jk(SyNF) isinstancer&(_BomTargetVersionRange__comparable_tupler-rFs r.__eq__zBomTargetVersionRange.__eq__- e2 3**,0H0H0JJ Jr0cpt|tr!|j|jkStSr6)rIr&rJNotImplementedrKs r.__lt__zBomTargetVersionRange.__lt__0 e2 3**,u/G/G/II Ir0c4t|jSr6)hashrJr4s r.__hash__zBomTargetVersionRange.__hash__D++-..r0cVd|jd|jd|jdS)Nzr'r4s r.__repr__zBomTargetVersionRange.__repr__s00>NtzzlZcdhdodocppqrrr0)__name__ __module__ __qualname____doc__rstrrr/property serializable xml_sequence xml_stringXmlStringSerializationTypeNORMALIZED_STRINGr(setterr)r*rDrJobjectboolrLrrPintrTrXr0r.r&r&?s"&#9= #}56   $\q!\\DDVVW#X"  ^^ x}   \q! x} "  \\8C=T\q!!=>"  ]]X&BC $4 Ft CD /#/s#sr0r&ceZdZdZdddedeeeddfdZe e jddefd Z e jdeddfd Z e e je jj d e jd dd ZejdeeddfdZdefdZdedefdZdedefdZdefdZdefdZy) BomTargeta Class that represents referencing a Component or Service in a BOM. Aims to represent the sub-element `target` of the complex type `vulnerabilityType`. You can either create a `cyclonedx.model.bom.Bom` yourself programmatically, or generate a `cyclonedx.model.bom.Bom` from a `cyclonedx.parser.BaseParser` implementation. .. note:: See the CycloneDX schema: https://cyclonedx.org/docs/1.7/json/#vulnerabilities_items_affects N)versionsrefrkr+c(||_|xsg|_yr6)rlrk)r-rlrks r.r/zBomTarget.__init__s  B r0rc|jS)zO Reference to a component or service by the objects `bom-ref`. _refr4s r.rlz BomTarget.ref yyr0c||_yr6ro)r-rls r.rlz BomTarget.ref  r0r(rc|jS)z Zero or more individual versions or range of versions. Returns: Set of `BomTargetVersionRange` ) _versionsr4s r.rkzBomTarget.versionss~~r0c$t||_yr6)r ru)r-rks r.rkzBomTarget.versionss"8,r0cVt|jt|jfSr6)rDrlrkr4s r.rEzBomTarget.__comparable_tuples' HH T]] +!   r0rFcft|tr!|j|jk(SyrH)rIrj_BomTarget__comparable_tuplerKs r.rLzBomTarget.__eq__s, eY '**,0H0H0JJ Jr0cpt|tr!|j|jkStSr6)rIrjryrOrKs r.rPzBomTarget.__lt__s/ eY '**,u/G/G/II Ir0c4t|jSr6)rSryr4s r.rTzBomTarget.__hash__rUr0c"d|jdS)Nz The source that published the vulnerability. _sourcer4s r.rzVulnerabilityReference.source)r@r0c||_yr6rr-rs r.rzVulnerabilityReference.source1rBr0cDt|j|jfSr6)rDrrr4s r.rEz)VulnerabilityReference.__comparable_tuple5s! GGT[[!   r0rFcft|tr!|j|jk(SyrH)rIr)_VulnerabilityReference__comparable_tuplerKs r.rLzVulnerabilityReference.__eq__:s- e3 4**,0H0H0JJ Jr0cpt|tr!|j|jkStSr6)rIrrrOrKs r.rPzVulnerabilityReference.__lt__?s0 e3 4**,u/G/G/II Ir0c4t|jSr6)rSrr4s r.rTzVulnerabilityReference.__hash__DrUr0c<d|jd|jdS)NzY^a(s(%d<+@+@&AB( (%((( (c($T,*?*?%@A(($'(( +C+$<++r0rcreZdZdZdZdZdZdZdZdZ dZ e e d d e eed fed fd dfdZy )VulnerabilitySeverityz Class that defines the permissible severities for a Vulnerability. .. note:: See the CycloneDX schema: https://cyclonedx.org/docs/1.7/xml/#type_severityType noneinfolowmediumhighcriticalunknownzQDeprecated - use cyclonedx.contrib.vulnerability.cvss.vs_from_cvss_scores insteadscores.Nr+cddlm}||S)u+Deprecated — Alias of :func:`cyclonedx.contrib.vulnerability.cvss.vs_from_cvss_scores()`. Derives the Severity of a Vulnerability from it's declared CVSS scores. .. deprecated:: next Use ``cyclonedx.contrib.vulnerability.cvss.vs_from_cvss_scores()`` instead. r)vs_from_cvss_scores)contrib.vulnerability.cvssr:)r8r:s r.get_from_cvss_scoresz*VulnerabilitySeverity.get_from_cvss_scoress E"6**r0)rYrZr[r\NONEINFOLOWMEDIUMHIGHCRITICALUNKNOWNrr r tuplefloatr<rhr0r.r0r0sq D D C F DHGcd +U5+= 1.4). This class also provides data support for schema versions < 1.4 where Vulnerabilites were possible through a schema extension (in XML only). .. note:: See the CycloneDX schema: https://cyclonedx.org/docs/1.7/json/#vulnerabilities_items_credits N organizations individualsrmrnr+c0|xsg|_|xsg|_yr6rl)r-rmrns r.r/zVulnerabilityCredits.__init__s +0b&,"r0 organizationrc|jS)z The organizations credited with vulnerability discovery. Returns: Set of `OrganizationalEntity` )_organizationsr4s r.rmz"VulnerabilityCredits.organizationss"""r0c$t||_yr6)r rr)r-rms r.rmz"VulnerabilityCredits.organizationss' 6r0 individualrc|jS)z The individuals, not associated with organizations, that are credited with vulnerability discovery. Returns: Set of `OrganizationalContact` ) _individualsr4s r.rnz VulnerabilityCredits.individualss   r0c$t||_yr6)r rv)r-rns r.rnz VulnerabilityCredits.individualss%k2r0chtt|jt|jfSr6)rDrmrnr4s r.rEz'VulnerabilityCredits.__comparable_tuples0 T// 0 T-- .!   r0rFcft|tr!|j|jk(SyrH)rIrk'_VulnerabilityCredits__comparable_tuplerKs r.rLzVulnerabilityCredits.__eq__s- e1 2**,0H0H0JJ Jr0cpt|tr!|j|jkStSr6)rIrkrzrOrKs r.rPzVulnerabilityCredits.__lt__s0 e1 2**,u/G/G/II Ir0c4t|jSr6)rSrzr4s r.rTzVulnerabilityCredits.__hash__rUr0c dt|dS)Nz?-h'<=>-  -\LBBII>Z\q!#"[#784H+I7d77\LBBII<X\q!!"Y!3x0E'F3433 $4 Ft CD /#/7#7r0rkc)eZdZdZdddddddddddddddddddddeeeefdeedeedee e dee e d ee e d eed eed eed eedee e deedeedeedeedeee eefdeedee edee eddf(dZeej0dej2eej4ej6ddefdZeej:dej<ej>j@deefdZ!e!jDdeeddfdZ!eej:ddeefdZ#e#jDdeeddfd Z#eejHejJjLd!ej:d"d^d#Z'e'jDde e ddfd$Z'eejHejJjLd%ej:d&d_d'Z(e(jDde e ddfd(Z(eejHejJjLd)ej:d*d`d+Z)e)jDd e e ddfd,Z)eej:d-deefd.Z*e*jDd eeddfd/Z*eej:d0deefd1Z+e+jDd eeddfd2Z+eej:d3deefd4Z,e,jDd eeddfd5Z,eejZe.ejZe/ejZe0ej:d6deefd7Z1e1jDd eeddfd8Z1eejHejJjLd9ej:d:dad;Z2e2jDde e ddfd<Z2eej2ejfjhej:d=deefd>Z5e5jDdeeddfd?Z5eej2ejfjhej:d@deefdAZ6e6jDdeeddfdBZ6eej2ejfjhej:dCdeefdDZ7e7jDdeeddfdEZ7eej:dFdeefdGZ8e8jDdeeddfdHZ8eej2e9ej:dIdefdJZ:e:jDdee eefddfdKZ:eej:dLdeefdMZ;e;jDdeeddfdNZ;eejHejJjLdOej:dPdbdQZfdXZ?dYe@deAfdZZBdYeCdeAfd[ZDde fd\ZEdefd]ZFy)d Vulnerabilityal Class that models the `vulnerabilityType` complex type in the CycloneDX schema (version >= 1.4). This class also provides data support for schema versions < 1.4 where Vulnerabilites were possible through a schema extension (in XML only). .. note:: See the CycloneDX schema: https://cyclonedx.org/docs/1.7/xml/#type_vulnerabilityType N)bom_refrr referencesratingscwes descriptionrrecommendation workaround advisoriescreated publishedupdatedcreditstoolsanalysisaffects propertiesrrrrrrrrrrrrrrrrrrrr+cXt||_||_||_|xsg|_|xsg|_|xsg|_||_||_| |_ | |_ | xsg|_ | |_ | |_ ||_||_|xsg|_||_|xsg|_|xsg|_yr6)_bom_ref_from_str_bom_refrrrrrrrrrrrrrrrrrr)r-rrrrrrrrrrrrrrrrrrrs r.r/zVulnerability.__init__s,*'2  $*}" JB & ,$$* "  [b   }" $*r0zbom-refc|jS)zt Get the unique reference for this Vulnerability in this BOM. Returns: `BomRef` )rr4s r.rzVulnerability.bom_refs}}r0rc|jS)z The identifier that uniquely identifies the vulnerability. For example: CVE-2021-39182. Returns: `str` if set else `None` rr4s r.rzVulnerability.ids xxr0c||_yr6rrs r.rzVulnerability.idrr0rc|jS)z The source that published the vulnerability. Returns: `VulnerabilitySource` if set else `None` rr4s r.rzVulnerability.sources||r0c||_yr6rrs r.rzVulnerability.sourcerBr0 referencer c|jS)a Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Often times, the same vulnerability may exist in multiple sources of vulnerability intelligence, but have different identifiers. References provides a way to correlate vulnerabilities across multiple sources of vulnerability intelligence. Returns: Set of `VulnerabilityReference` ) _referencesr4s r.rzVulnerability.references"r0c$t||_yr6)r r)r-rs r.rzVulnerability.references1$Z0r0ratingrc|jS)zk List of vulnerability ratings. Returns: Set of `VulnerabilityRating` )_ratingsr4s r.rzVulnerability.ratings5}}r0c$t||_yr6)r r)r-rs r.rzVulnerability.ratingsAs!'* r0cwerc|jS)z A list of CWE (Common Weakness Enumeration) identifiers. .. note:: See https://cwe.mitre.org/ Returns: Set of `int` )_cwesr4s r.rzVulnerability.cwesEszzr0c$t||_yr6)r r)r-rs r.rzVulnerability.cwesTs t_ r0rc|jS)z A description of the vulnerability as provided by the source. Returns: `str` if set else `None`  _descriptionr4s r.rzVulnerability.descriptionXs   r0c||_yr6r)r-rs r.rzVulnerability.descriptioncs 'r0c|jS)a  If available, an in-depth description of the vulnerability as provided by the source organization. Details often include examples, proof-of-concepts, and other information useful in understanding root cause. Returns: `str` if set else `None` rr4s r.rzVulnerability.detailgs||r0c||_yr6rrs r.rzVulnerability.detailsrBr0c|jS)z Recommendations of how the vulnerability can be remediated or mitigated. Returns: `str` if set else `None` _recommendationr4s r.rzVulnerability.recommendationws###r0c||_yr6r)r-rs r.rzVulnerability.recommendations -r0 c|jS)z A bypass, usually temporary, of the vulnerability that reduces its likelihood and/or impact. Workarounds often involve changes to configuration or deployments. Returns: `str` if set else `None`  _workaroundr4s r.rzVulnerability.workaroundrr0c||_yr6r)r-rs r.rzVulnerability.workarounds %r0advisory c|jS)zx Advisories relating to the Vulnerability. Returns: Set of `VulnerabilityAdvisory` ) _advisoriesr4s r.rzVulnerability.advisoriessr0c$t||_yr6)r r)r-rs r.rzVulnerability.advisoriesrr0 c|jS)z The date and time (timestamp) when the vulnerability record was created in the vulnerability database. Returns: `datetime` if set else `None` _createdr4s r.rzVulnerability.createdrr0c||_yr6r)r-rs r.rzVulnerability.createdr7r0r c|jS)z The date and time (timestamp) when the vulnerability record was first published. Returns: `datetime` if set else `None`  _publishedr4s r.rzVulnerability.publishedsr0c||_yr6r)r-rs r.rzVulnerability.publisheds #r0c|jS)z The date and time (timestamp) when the vulnerability record was last updated. Returns: `datetime` if set else `None` _updatedr4s r.rzVulnerability.updatedrr0c||_yr6r)r-rs r.rzVulnerability.updatedr7r0c|jS)z Individuals or organizations credited with the discovery of the vulnerability. Returns: `VulnerabilityCredits` if set else `None` _creditsr4s r.rzVulnerability.creditss}}r0c||_yr6r)r-rs r.rzVulnerability.creditsr7r0c|jS)zn Tools used to create this BOM. Returns: :class:`ToolRepository` object. )_toolsr4s r.rzVulnerability.toolss{{r0cVt|tr||_yt||_y)N)r)rIr"r)r-rs r.rzVulnerability.toolss&%0 e, r0c|jS)z Analysis of the Vulnerability in your context. Returns: `VulnerabilityAnalysis` if set else `None`  _analysisr4s r.rzVulnerability.analysiss~~r0c||_yr6r)r-rs r.rzVulnerability.analysisrVr0targetc|jS)z The components or services that are affected by the vulnerability. Returns: Set of `BomTarget` )_affectsr4s r.rzVulnerability.affectsrr0affects_targetsc$t||_yr6)r r)r-rs r.rzVulnerability.affects)s!/2 r0r^c|jS)a Provides the ability to document properties in a key/value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Return: Set of `Property` ) _propertiesr4s r.rzVulnerability.properties-sr0c$t||_yr6)r r)r-rs r.rzVulnerability.properties:rr0c:t|j|jj|jt|j t|j t|j|j|j|j|jt|j|j|j|j|j |j"|j$t|j&t|j(fSr6)rDrrrrrrrrrrrrrrrrrrrrr4s r.rEz Vulnerability.__comparable_tuple>s GGT\\'' KK)$//: T\\ *, (+ (#678 (+x}%(+c](+ (+! (+SM(+X&;<=(+(#(+H%(+(#(+ ./!(+"htnn<=>#(+$01%(+&(9-.'(+(Xh/0)(+* +(+T\I&\v&\!\9%&"'' \q!\\DDVVWHSMX"YYXc]t\q!!45" ]]X&9:t\LBBII;W\q!  "X  1X.D%E1$11\LBBII8T\q!"U ^^+x(;<+++\LBBII5Q\q! "R  [[%#%4%%\q!!Xc]!"!(x}(((\q! " ]]Xc]t\q!$ $"$.Xc].t..\)*\)*\)*\q! HSM "+++  &Xc]&t&&\LBBII:V\r" #W 1X.C%D111\|33??@\r"(+#A ^^ x1 d  \|33??@\r"8H-#A$8H#5$$$$\|33??@\r"(+#A ^^ x1 d  \r""67# ^^ x(<= $  \45\r"~#6 \\-5$!?@-T-- \r"(#89#__"*?!@"T""\LBBII8T\r"#U ^^3x ':3t33\LBBII:V\r" #W 1Xh%71D11  $4  Ft CD /#/M#Mr0r)Fr\r syscollections.abcrrdecimalrenumrtypingrrr version_infowarningsr typing_extensionspy_serializabler_sortedcontainersr _internal.bom_refrr_internal.comparerrDexception.modelrr schema.schemarrrrr rrrrcontactrrimpact_analysisrrrr toolr!r"r#serializable_classr&rjrrrrserializable_enumr]rr BaseHelperrr0rGrkrrhr0r.rsY&  $''w#,&&ECajj@ >=!  tLZsZsMZsz!  tLE-E-ME-P!  tLJaJaMJaZ!  tL<M<MM<M~!  tL>K>KM>KB!  tLQNQNMQNhOsDO Od*+<3G3G3R3R*+Z+C+ +<!  tLF3F3MF3R!  tLG7G7MG7T!  tLXMXMMXMr0