Checkmarx Vulnerability
A security vulnerability identified by Checkmarx scanning, including CVE details, severity scoring, affected packages, and remediation guidance for application security findings.
Properties
| Name | Type | Description |
|---|---|---|
| id | string | Vulnerability unique identifier |
| cveName | string | Common Vulnerabilities and Exposures identifier in the form CVE-YYYY-NNNN (four-digit year, four or more sequence digits) |
| cweId | integer | Common Weakness Enumeration identifier |
| cweName | string | CWE name describing the weakness type |
| description | string | Detailed free-text description of the vulnerability, as emitted by the scanner; escape it before rendering in HTML reports or dashboards |
| severity | string | Severity classification of the vulnerability: one of Critical, High, Medium, Low or Info (Checkmarx's own rating; not constrained by the schema to agree with cvssScore) |
| cvssScore | number | Common Vulnerability Scoring System v3 base score, 0.0 to 10.0 |
| cvssVector | string | CVSS v3 vector string detailing the scoring factors |
| publishDate | string | RFC 3339 date-time at which the vulnerability was publicly disclosed |
| lastModifiedDate | string | RFC 3339 date-time at which the vulnerability record was last updated |
| affectedPackage | object | Open source package affected by the vulnerability (SCA findings) |
| sourceLocation | object | Source code location for SAST-detected vulnerabilities |
| remediation | object | Remediation guidance for addressing the vulnerability |
| exploitability | object | Exploitability assessment of the vulnerability (EPSS, known exploits, confirmed exploitable path, attack vector) |
| compliance | array | Compliance framework mappings for this vulnerability |
| references | array | External reference URLs with additional information |
| isIgnored | boolean | Whether the vulnerability has been suppressed or ignored in the scanner; suppression hides the finding from reports but does not remediate it |
| state | string | Triage state of the vulnerability: TO_VERIFY, NOT_EXPLOITABLE, PROPOSED_NOT_EXPLOITABLE, CONFIRMED or URGENT (an analyst judgement, independent of isIgnored) |
JSON Schema
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://checkmarx.com/schemas/checkmarx/vulnerability.json",
"title": "Checkmarx Vulnerability",
"description": "A security vulnerability identified by Checkmarx scanning, including CVE details, severity scoring, affected packages, and remediation guidance for application security findings.",
"type": "object",
"required": ["id", "severity"],
"properties": {
"id": {
"type": "string",
"description": "Vulnerability unique identifier"
},
"cveName": {
"type": "string",
"pattern": "^CVE-\\d{4}-\\d{4,}$",
"description": "Common Vulnerabilities and Exposures identifier in the form CVE-YYYY-NNNN (four-digit year, four or more sequence digits)"
},
"cweId": {
"type": "integer",
"description": "Common Weakness Enumeration identifier"
},
"cweName": {
"type": "string",
"description": "CWE name describing the weakness type"
},
"description": {
"type": "string",
"description": "Detailed description of the vulnerability"
},
"severity": {
"type": "string",
"enum": ["Critical", "High", "Medium", "Low", "Info"],
"description": "Severity classification of the vulnerability"
},
"cvssScore": {
"type": "number",
"format": "float",
"minimum": 0,
"maximum": 10,
"description": "Common Vulnerability Scoring System v3 base score, 0.0 to 10.0. The schema does not constrain severity to agree with this score; severity is the vendor classification."
},
"cvssVector": {
"type": "string",
"description": "CVSS v3 vector string detailing the scoring factors, e.g. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The schema does not cross-check it against cvssScore or exploitability.attackVector."
},
"publishDate": {
"type": "string",
"format": "date-time",
"description": "RFC 3339 date-time at which the vulnerability was publicly disclosed. The date-time format is an annotation; validators only enforce it when format assertion is enabled."
},
"lastModifiedDate": {
"type": "string",
"format": "date-time",
"description": "RFC 3339 date-time at which the vulnerability record was last updated. The date-time format is an annotation; validators only enforce it when format assertion is enabled."
},
"affectedPackage": {
"$ref": "#/$defs/AffectedPackage"
},
"sourceLocation": {
"$ref": "#/$defs/SourceLocation"
},
"remediation": {
"$ref": "#/$defs/Remediation"
},
"exploitability": {
"$ref": "#/$defs/Exploitability"
},
"compliance": {
"type": "array",
"items": {
"$ref": "#/$defs/ComplianceMapping"
},
"description": "Compliance framework mappings for this vulnerability"
},
"references": {
"type": "array",
"items": {
"type": "string",
"format": "uri"
},
"description": "External reference URLs (absolute URIs) with additional information about the vulnerability"
},
"isIgnored": {
"type": "boolean",
"description": "Whether the vulnerability has been suppressed or ignored in the scanner. Suppression hides the finding from reports but does not remediate the underlying weakness; it is independent of the state field.",
"default": false
},
"state": {
"type": "string",
"enum": ["TO_VERIFY", "NOT_EXPLOITABLE", "PROPOSED_NOT_EXPLOITABLE", "CONFIRMED", "URGENT"],
"description": "Triage state of the vulnerability. NOT_EXPLOITABLE and PROPOSED_NOT_EXPLOITABLE record an analyst judgement, not a fix, and are independent of isIgnored."
}
},
"$defs": {
"AffectedPackage": {
"type": "object",
"description": "Open source package affected by the vulnerability (SCA findings)",
"properties": {
"packageName": {
"type": "string",
"description": "Package name"
},
"packageVersion": {
"type": "string",
"description": "Affected version of the package"
},
"packageRepository": {
"type": "string",
"enum": ["npm", "maven", "nuget", "pypi", "rubygems", "go", "packagist", "cargo"],
"description": "Package ecosystem or registry"
},
"isDirectDependency": {
"type": "boolean",
"description": "true when the package is declared directly by the scanned project, false when it is a transitive dependency pulled in by another package"
},
"fixedVersions": {
"type": "array",
"items": {
"type": "string"
},
"description": "Versions of the package in which this vulnerability is fixed, written in the ecosystem's own version syntax (not necessarily semver)"
}
}
},
"SourceLocation": {
"type": "object",
"description": "Source code location for SAST-detected vulnerabilities",
"properties": {
"fileName": {
"type": "string",
"description": "File path where the vulnerability was found, as reported by the scanner (treat as display data; escape before rendering)"
},
"line": {
"type": "integer",
"minimum": 1,
"description": "Line number"
},
"column": {
"type": "integer",
"minimum": 1,
"description": "Column number"
},
"methodName": {
"type": "string",
"description": "Name of the method or function containing the vulnerability"
},
"className": {
"type": "string",
"description": "Name of the class containing the vulnerability"
}
}
},
"Remediation": {
"type": "object",
"description": "Remediation guidance for addressing the vulnerability",
"properties": {
"recommendation": {
"type": "string",
"description": "Recommended action to fix the vulnerability"
},
"fixedVersion": {
"type": "string",
"description": "Recommended package version that addresses the vulnerability; expected to be one of affectedPackage.fixedVersions, though the schema does not enforce this"
},
"effort": {
"type": "string",
"enum": ["Low", "Medium", "High"],
"description": "Estimated effort required for remediation"
},
"references": {
"type": "array",
"items": {
"type": "string",
"format": "uri"
},
"description": "Links to remediation documentation"
}
}
},
"Exploitability": {
"type": "object",
"description": "Exploitability assessment of the vulnerability",
"properties": {
"epssScore": {
"type": "number",
"format": "float",
"minimum": 0,
"maximum": 1,
"description": "Exploit Prediction Scoring System score: the FIRST-published probability (0 to 1) that the vulnerability will be exploited in the wild within the next 30 days"
},
"hasExploit": {
"type": "boolean",
"description": "Whether a known public exploit exists"
},
"isExploitablePathConfirmed": {
"type": "boolean",
"description": "Whether the exploitable path from source to vulnerable package is confirmed"
},
"attackVector": {
"type": "string",
"enum": ["Network", "Adjacent", "Local", "Physical"],
"description": "CVSS v3 Attack Vector (AV) metric; should match the AV component of cvssVector, which the schema does not cross-check"
}
}
},
"ComplianceMapping": {
"type": "object",
"description": "Mapping to a compliance standard or framework",
"properties": {
"standard": {
"type": "string",
"description": "Compliance standard name (e.g., OWASP Top 10, PCI DSS, HIPAA)"
},
"category": {
"type": "string",
"description": "Category within the standard"
},
"requirement": {
"type": "string",
"description": "Specific requirement identifier"
}
}
}
}
}