From d310af5f20d4c3ab9663ba92a23b1fa70555b64a Mon Sep 17 00:00:00 2001 From: Zhenyu Zheng Date: Fri, 3 Jan 2025 23:56:44 +0800 Subject: [PATCH 1/4] Add Chinese translation for models - Part IV Add Chinese translation for Extension, Licensing, Lite and Security models 
Signed-off-by: Zhenyu Zheng --- .../Classes/CdxPropertiesExtension.md | 12 +++ model/Extension/Classes/CdxPropertyEntry.md | 12 +++ model/Extension/Classes/Extension.md | 22 +++++ model/Extension/Extension.md | 8 ++ model/Extension/Properties/cdxPropName.md | 10 +++ model/Extension/Properties/cdxPropValue.md | 10 +++ model/Extension/Properties/cdxProperty.md | 12 +++ model/Licensing/Licensing.md | 70 +++++++++++++++- model/Lite/Lite.md | 45 ++++++++++ .../CvssV2VulnAssessmentRelationship.md | 56 +++++++++++++ .../CvssV3VulnAssessmentRelationship.md | 57 +++++++++++++ .../CvssV4VulnAssessmentRelationship.md | 57 +++++++++++++ .../Classes/EpssVulnAssessmentRelationship.md | 30 +++++++ ...xploitCatalogVulnAssessmentRelationship.md | 29 +++++++ .../Classes/SsvcVulnAssessmentRelationship.md | 30 +++++++ .../VexAffectedVulnAssessmentRelationship.md | 30 +++++++ .../VexFixedVulnAssessmentRelationship.md | 30 +++++++ ...exNotAffectedVulnAssessmentRelationship.md | 33 ++++++++ ...InvestigationVulnAssessmentRelationship.md | 30 +++++++ .../Classes/VexVulnAssessmentRelationship.md | 19 +++++ .../Classes/VulnAssessmentRelationship.md | 8 ++ model/Security/Classes/Vulnerability.md | 83 +++++++++++++++++++ model/Security/Properties/actionStatement.md | 8 ++ .../Properties/actionStatementTime.md | 8 ++ model/Security/Properties/assessedElement.md | 8 ++ model/Security/Properties/catalogType.md | 8 ++ model/Security/Properties/decisionType.md | 8 ++ model/Security/Properties/exploited.md | 8 ++ model/Security/Properties/impactStatement.md | 9 ++ .../Properties/impactStatementTime.md | 8 ++ .../Security/Properties/justificationType.md | 10 +++ model/Security/Properties/locator.md | 8 ++ model/Security/Properties/modifiedTime.md | 8 ++ model/Security/Properties/percentile.md | 8 ++ model/Security/Properties/probability.md | 8 ++ model/Security/Properties/publishedTime.md | 8 ++ model/Security/Properties/score.md | 8 ++ model/Security/Properties/severity.md | 8 ++ 
model/Security/Properties/statusNotes.md | 8 ++ model/Security/Properties/vectorString.md | 14 ++++ model/Security/Properties/vexVersion.md | 8 ++ model/Security/Properties/withdrawnTime.md | 8 ++ model/Security/Security.md | 8 ++ .../Security/Vocabularies/CvssSeverityType.md | 22 +++++ .../Vocabularies/ExploitCatalogType.md | 13 +++ .../Security/Vocabularies/SsvcDecisionType.md | 15 ++++ .../Vocabularies/VexJustificationType.md | 16 ++++ 47 files changed, 935 insertions(+), 1 deletion(-) diff --git a/model/Extension/Classes/CdxPropertiesExtension.md b/model/Extension/Classes/CdxPropertiesExtension.md index 0983b947d..8ec422390 100644 --- a/model/Extension/Classes/CdxPropertiesExtension.md +++ b/model/Extension/Classes/CdxPropertiesExtension.md @@ -27,3 +27,15 @@ This is intended to be compatible with the CycloneDX property `properties`. - cdxProperty - type: CdxPropertyEntry - minCount: 1 + +## Summary @zh-Hans + +一种扩展类型,由名值对的列表组成。 + +## Description @zh-Hans + +此扩展采用名值方法,提供了更结构化的扩展。 + +与键值存储不同,`CdxPropertiesExtension`中的属性支持重名,每个属性可以具有不同的值。 + +目的是与CycloneDX属性`properties`兼容。 diff --git a/model/Extension/Classes/CdxPropertyEntry.md b/model/Extension/Classes/CdxPropertyEntry.md index b7856acc1..363d543b7 100644 --- a/model/Extension/Classes/CdxPropertyEntry.md +++ b/model/Extension/Classes/CdxPropertyEntry.md @@ -30,3 +30,15 @@ This class can be used to implement CycloneDX compatible properties. - cdxPropValue - type: xsd:string - maxCount: 1 + +## Summary @zh-Hans + +一个属性名称及其关联的值。 + +## Description @zh-Hans + +每个`CdxPropertyEntry`都包含一个名值对,将名称映射到其关联的值。 + +与键值存储不同,`CdxPropertiesExtension`中的属性支持重名,每个属性可以具有不同的值。 + +此类可用于实现与CycloneDX兼容的属性。 \ No newline at end of file diff --git a/model/Extension/Classes/Extension.md b/model/Extension/Classes/Extension.md index fa1fc546f..2bd595761 100644 --- a/model/Extension/Classes/Extension.md +++ b/model/Extension/Classes/Extension.md 
@@ -29,3 +29,25 @@ This approach serves multiple purposes: - name: Extension - Instantiability: Abstract + +## Summary @zh-Hans + +`Element`某个方面的特征描述,以广义的方式与`Element`关联。 + +## Description @zh-Hans + +`Extension`是对某个`Element`某个方面的特征描述,以广义的方式与该`Element`关联。 + +`Extension`并不是通过特定目的的对象属性与某个特定`Element`关联,而是通过一个共同的广义对象属性与它所描述的`Element`关联。 + +此方法有多种用途: +1. 支持基于配置文件的`Element`扩展特征描述。允许在任何SPDX配置文件和命名空间内指定和表达`Element`特征描述扩展,无需对其他配置文件或命名空间进行更改,也无需对远程类进行本地子类化(在某些情况下可能会阻碍生态系统的互操作性)。 + +2. 通过采用具有特定上下文的`Element`特征细节的个人或社区,支持SPDX的扩展。这使得这些个人或社区能够利用SPDX的表达能力,同时表达更专业的`Element`特征化细节,这些细节不适合在SPDX中进行标准化。 + +3. 支持结构化捕捉现实应用中SPDX未覆盖的表达方案。允许采用的个人或社区表达他们所需的`Element`特征化细节,这些细节目前在SPDX中尚未定义,但应该被定义。实现一个实用的流水线,能够: + + - 识别SPDX中需要填补的缺口, + - 提供以某种方式表达这些缺口的方案,使采用者能够在不与当前SPDX冲突的情况下使用扩展方案, + - 在SPDX内容交换生态系统中清晰识别, + - 为缺口方案提供一个清晰、结构化的定义,可提交作为对SPDX标准的修订。 diff --git a/model/Extension/Extension.md b/model/Extension/Extension.md index c845327bf..8ef848a34 100644 --- a/model/Extension/Extension.md +++ b/model/Extension/Extension.md @@ -15,3 +15,11 @@ base for all defined extension subclasses. - id: https://spdx.org/rdf/3.0.1/terms/Extension - name: Extension + +## Summary @zh-Hans + +与SPDX扩展有关的内容。 + +## Description @zh-Hans + +`Extension`命名空间定义了抽象扩展类,作为所有定义的扩展子类的基础。 diff --git a/model/Extension/Properties/cdxPropName.md b/model/Extension/Properties/cdxPropName.md index e30398849..0150a7a54 100644 --- a/model/Extension/Properties/cdxPropName.md +++ b/model/Extension/Properties/cdxPropName.md @@ -18,3 +18,13 @@ names, each potentially having different values. - name: cdxPropName - Nature: DataProperty - Range: xsd:string + +## Summary @zh-Hans + +`CdxPropertyEntry`名值对中使用的名称。 + +## Description @zh-Hans + +`cdxPropName`用于`CdxPropertyEntry`名值对。 + +与键值存储不同,`CdxPropertiesExtension`中的属性支持重名,每个属性可以具有不同的值。 diff --git a/model/Extension/Properties/cdxPropValue.md b/model/Extension/Properties/cdxPropValue.md index 83415923c..7ca628fb7 100644 --- a/model/Extension/Properties/cdxPropValue.md 
+++ b/model/Extension/Properties/cdxPropValue.md @@ -18,3 +18,13 @@ names, each potentially having different values. - name: cdxPropValue - Nature: DataProperty - Range: xsd:string + +## Summary @zh-Hans + +`CdxPropertyEntry`名值对中使用的值。 + +## Description @zh-Hans + +`cdxPropValue`用于`CdxPropertyEntry`名值对。 + +与键值存储不同,`CdxPropertiesExtension`中的属性支持重名,每个属性可以具有不同的值。 diff --git a/model/Extension/Properties/cdxProperty.md b/model/Extension/Properties/cdxProperty.md index 2e56483eb..34682e1a7 100644 --- a/model/Extension/Properties/cdxProperty.md +++ b/model/Extension/Properties/cdxProperty.md @@ -20,3 +20,15 @@ names, each potentially having different values. - name: cdxProperty - Nature: ObjectProperty - Range: CdxPropertyEntry + +## Summary @zh-Hans + +提供属性名称与值的映射。 + +## Description @zh-Hans + +此字段提供名称与值的映射。 + +目的是与CycloneDX属性`properties`兼容。 + +与键值存储不同,`CdxPropertiesExtension`中的属性支持重名,每个属性可以具有不同的值。 diff --git a/model/Licensing/Licensing.md b/model/Licensing/Licensing.md index 516f58060..bfb0628d0 100644 --- a/model/Licensing/Licensing.md +++ b/model/Licensing/Licensing.md @@ -112,7 +112,7 @@ can be made from a missing hasConcludedLicense relationship. - id: https://spdx.org/rdf/3.0.1/terms/Licensing - name: Licensing -## Profile conformance +## Profile conformance For an element collection to be conformant with this profile, the following has to hold: 
@@ -121,3 +121,71 @@ the following has to hold: `/Core/Relationship` of type `hasConcludedLicense` having that element as its `from` property and a `/SimpleLicensing/AnyLicenseInfo` as its `to` property. + +## Summary @zh-Hans + +许可配置文件定义了一组许可信息的最低要求,以促进遵从典型许可证用例。 + +## Description @zh-Hans + +许可配置文件仅包含一个附加要求,即任何软件工件必须具有类型为`hasConcludedLicense`的`Relationship`。 + +类和属性的限制在 `SimpleLicensingProfile`(与[许可表达字符串](../../annexes/spdx-license-expressions.md)相关的类和属性)和`ExpandedLicensingProfile`(用于许可表达式的完全解析语法树的类和属性)中定义。 + +与许可相关的关系类型有两种 -`hasDeclaredLicense`and`hasConcludedLicense`。 + +如果软件工件的`hasConcludedLicense`与其`hasDeclaredLicense`不同,则**应当**在`hasConcludedLicense`关系的`comment`字段中提供书面解释。 + +**可以**在关系的`comment`字段中提供与`NoAssertionLicense`的关系的书面解释。 + +*hasDeclaredLicense* + +`hasDeclaredLicense`识别了在软件工件中实际找到的许可信息,例如通过自动化工具检测到的许可信息。 + +此字段不打算捕获外部来源(例如软件包的官方网站)的许可信息。这类信息可以根据需要包含在`hasConcludedLicense`字段中。 + +`hasDeclaredLicense`在实际应用中可能会因不同类型的软件工件而有所不同。例如: + +- 对于软件包 + - 包括在软件包本身中找到的软件包的所有许可信息(例如,LICENSE文件,README文件,软件包中的元数据等) + - 不包括不在软件包本身中的任何许可信息(例如,项目网站或第三方代码仓库或网站的许可信息) + +- 对于文件 + - 包括在文件本身中找到的许可信息(例如,许可标题或声明,指示许可的注释,SPDX-License-Identifier表达式) + - 不包括在不同文件中找到的许可信息(例如,代码仓库顶层目录中的LICENSE文件) + +- 对于代码片段 + - 包括在代码片段本身中找到的许可信息(例如,许可声明,注释,SPDX-License-Identifier表达式) + - 不包括在文件的其他地方或不同文件中找到的许可信息(例如,对于不在代码片段内的内容,在文件顶部的注释;在代码仓库顶层目录中的LICENSE文件) + +对于`NoAssertionLicense`的`hasDeclaredLicense`关系表明相应的软件包、文件或代码片段不包含任何许可信息。 + +对于`NoAssertionLicense`的`hasDeclaredLicense`关系表明以下之一适用: +- SPDX数据创建者已尝试但无法得出合理的客观结论; +- SPDX数据创建者没有尝试确定该字段;或者 +- SPDX数据创建者故意未提供任何信息(不应因此推断出任何意义)。 + +如果不存在`hasDeclaredLicense`关系,则无法对是否存在`hasDeclaredLicense`做出任何假设。 + +请注意,缺少`hasDeclaredLicense`与缺少对`NoAssertionLicense`关系不同,因为后者是“已知的未知”,而缺少`hasDeclaredLicense`关系则无法做出任何假设。 + +*hasConcludedLicense* + +`hasConcludedLicense`是SPDX数据创建者根据分析软件工件中的许可信息和其他信息得出的合理客观结论,确定的软件工件所适用的许可证。 + +对于`NoneLicense`的`hasConcludedLicense`关系表明SPDX数据创建者已查找但未找到此软件工件的任何许可信息。 + +对于`NoneLicense`的`hasConcludedLicense`关系表明以下之一适用: +- SPDX数据创建者已尝试但无法得出合理的客观结论; 
+- SPDX数据创建者没有尝试确定此字段;或者 +- SPDX数据创建者故意未提供任何信息(不应因此推断出任何意义)。 + +如果不存在`hasConcludedLicense`,则无法对是否存在`hasConcludedLicense`做出任何假设。 + +请注意,缺少`hasConcludedLicense`与缺少对`NoAssertionLicense`的关系不同,因为后者是“已知的未知”,而缺少`hasConcludedLicense`关系则无法做出任何假设。 + +## Profile conformance @zh-Hans + +要使元素集符合此配置文件,必须满足以下条件: + +1.对于每个`/Software/SoftwareArtifact`,**必须**存在一个类型为`hasConcludedLicense`的`/Core/Relationship`,其`from`属性为该元素,`to`属性为`/SimpleLicensing/AnyLicenseInfo`。 diff --git a/model/Lite/Lite.md b/model/Lite/Lite.md index 327a2b32c..d6a53abee 100644 --- a/model/Lite/Lite.md +++ b/model/Lite/Lite.md 
@@ -60,3 +60,48 @@ For a `/Software/Sbom` to be conformant with this profile, the following has to Finally, for a `/Core/Agent` to be conformant with this profile, the following has to hold: 1. The minCount for `name` is 1 + +## Summary @zh-Hans + +SPDX Lite(SPDX 轻量版)配置文件从某些行业用例的角度定义了 SPDX 数据的简要视图。 + +## Description @zh-Hans + +SPDX `Lite` 配置文件包括强制性和建议性信息。 + +SPDX `Lite` 中的强制性信息是基础性的,但有助于遵守许可证。 +通过阅读 SPDX `Lite` 文件,可以轻松理解许可证信息。 + +SPDX `Lite` 力求在全量 SPDX 数据模型和某些行业的实际工作流程之间寻求一种平衡。 + +SPDX `Lite` 文档可以在软件供应链中与其他 SPDX 文档并行使用。 + +## Profile conformance @zh-Hans + +除了以下强制性信息外,请参考相应的附录,了解符合 Lite 配置文件的文档应包含的元素。 + +一个 `/Software/Package` 类要符合此配置文件,必须满足以下条件: + +1. `copyrightText` 的 `minCount` 为 1。 +2. `packageVersion` 的 `minCount` 为 1。 +3. `suppliedBy` 的 `minCount` 为 1。 +4. 必须至少存在一个 `downloadLocation` 或 `packageUrl`。 + +此外: + +1. 对于每个 `/Software/Package`,必须存在一个 `/Core/Relationship`,其类型为 `hasConcludedLicense`,该元素作为其 `from` 属性,`/SimpleLicensing/AnyLicenseInfo` 作为其 `to` 属性。 +2. 对于每个 `/Software/Package`,必须存在一个 `/Core/Relationship`,其类型为 `hasDeclaredLicense`,该元素作为其 `from` 属性, `/SimpleLicensing/AnyLicenseInfo` 作为其 `to` 属性。 + +一个 `/Core/SpdxDocument` 类要符合这个配置文件,必须满足以下条件: + +1. `element` 的 `minCount` 为 1。 +2. `rootElement` 的 `minCount` 为 1。 + +一个 `/Software/Sbom` 类要符合这个配置文件,必须满足以下条件: + +1. `element` 的 `minCount` 为 1。 +2. `rootElement` 的 `minCount` 为 1。 + +最后,一个 `/Core/Agent` 类要符合这个配置文件,必须满足以下条件: + +1. `name` 的 `minCount` 为 1。 diff --git a/model/Security/Classes/CvssV2VulnAssessmentRelationship.md b/model/Security/Classes/CvssV2VulnAssessmentRelationship.md index 3fbeef772..2ca08aa5e 100644 --- a/model/Security/Classes/CvssV2VulnAssessmentRelationship.md +++ b/model/Security/Classes/CvssV2VulnAssessmentRelationship.md 
@@ -76,3 +76,59 @@ It is intended to communicate the results of using a CVSS calculator. - type: xsd:string - minCount: 1 - maxCount: 1 + +## Summary @zh-Hans + +提供漏洞的CVSS v2.0评估。 + +## Description @zh-Hans + +`CvssV2VulnAssessmentRelationship`关系描述根据[CVSS v2.0完整指南](https://www.first.org/cvss/v2/guide)定义的漏洞评分和向量。 + +其目的是传达CVSS计算器的结果。 + +*约束条件* + +- 关系类型必须设置为`hasAssessmentFor`。 + +*示例* + +```json +{ + "type": "CvssV2VulnAssessmentRelationship", + "spdxId": "urn:spdx.dev:cvssv2-cve-2020-28498", + "relationshipType": "hasAssessmentFor", + "security_score": "4.3", + "security_vectorString": "(AV:N/AC:M/Au:N/C:P/I:N/A:N)", + "from": "urn:spdx.dev:vuln-cve-2020-28498", + "to": ["urn:product-acme-application-1.3"], + "security_assessedElement": "urn:npm-elliptic-6.5.2", + "externalRef": [ + { + "type": "ExternalRef", + "externalRefType": "securityAdvisory", + "locator": "https://nvd.nist.gov/vuln/detail/CVE-2020-28498" + }, + { + "type": "ExternalRef", + "externalRefType": "securityAdvisory", + "locator": "https://snyk.io/vuln/SNYK-JS-ELLIPTIC-1064899" + }, + { + "type": "ExternalRef", + "externalRefType": "securityFix", + "locator": "https://github.com/indutny/elliptic/commit/441b742" + } + ], + "suppliedBy": ["urn:spdx.dev:agent-my-security-vendor"], + "publishedTime": "2023-05-06T10:06:13Z" +}, +{ + "type": "Relationship", + "spdxId": "urn:spdx.dev:vulnAgentRel-1", + "relationshipType": "publishedBy", + "from": "urn:spdx.dev:cvssv2-cve-2020-28498", + "to": ["urn:spdx.dev:agent-snyk"], + "startTime": "2021-03-08T16:06:50Z" +} +``` diff --git a/model/Security/Classes/CvssV3VulnAssessmentRelationship.md b/model/Security/Classes/CvssV3VulnAssessmentRelationship.md index 7c18a206b..5dc3f610f 100644 --- a/model/Security/Classes/CvssV3VulnAssessmentRelationship.md +++ b/model/Security/Classes/CvssV3VulnAssessmentRelationship.md 
@@ -83,3 +83,60 @@ It is intended to communicate the results of using a CVSS calculator. - type: xsd:string - minCount: 1 - maxCount: 1 + +## Summary @zh-Hans + +提供漏洞的CVSS v3.0评估。 + +## Description @zh-Hans + +`CvssV3VulnAssessmentRelationship`关系描述根据[CVSS v3.0 规范文档](https://www.first.org/cvss/v3.0/specification-document)或[CVSS v3.1 规范文档](https://www.first.org/cvss/v3.1/specification-document)定义的漏洞评分、严重性和向量。 + +其目的是传达CVSS计算器的结果。 + +*约束条件* + +- 关系类型必须设置为`hasAssessmentFor`。 + +*示例* + +```json +{ + "type": "CvssV3VulnAssessmentRelationship", + "spdxId": "urn:spdx.dev:cvssv3-cve-2020-28498", + "relationshipType": "hasAssessmentFor", + "security_score": "6.8", + "security_severity": "medium", + "security_vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", + "from": "urn:spdx.dev:vuln-cve-2020-28498", + "to": ["urn:product-acme-application-1.3"], + "security_assessedElement": "urn:npm-elliptic-6.5.2", + "externalRef": [ + { + "type": "ExternalRef", + "externalRefType": "securityAdvisory", + "locator": "https://nvd.nist.gov/vuln/detail/CVE-2020-28498" + }, + { + "type": "ExternalRef", + "externalRefType": "securityAdvisory", + "locator": "https://snyk.io/vuln/SNYK-JS-ELLIPTIC-1064899" + }, + { + "type": "ExternalRef", + "externalRefType": "securityFix", + "locator": "https://github.com/indutny/elliptic/commit/441b742" + } + ], + "suppliedBy": ["urn:spdx.dev:agent-my-security-vendor"], + "publishedTime": "2023-05-06T10:06:13Z" +}, +{ + "type": "Relationship", + "spdxId": "urn:spdx.dev:vulnAgentRel-1", + "relationshipType": "publishedBy", + "from": "urn:spdx.dev:cvssv3-cve-2020-28498", + "to": ["urn:spdx.dev:agent-snyk"], + "startTime": "2021-03-08T16:06:50Z" +} +``` diff --git a/model/Security/Classes/CvssV4VulnAssessmentRelationship.md b/model/Security/Classes/CvssV4VulnAssessmentRelationship.md index dc2a739bb..c4918f807 100644 --- a/model/Security/Classes/CvssV4VulnAssessmentRelationship.md +++ b/model/Security/Classes/CvssV4VulnAssessmentRelationship.md 
@@ -81,3 +81,60 @@ It is intended to communicate the results of using a CVSS calculator. - type: xsd:string - minCount: 1 - maxCount: 1 + +## Summary @zh-Hans + +提供漏洞的CVSS v4.0评估。 + +## Description @zh-Hans + +`CvssV4VulnAssessmentRelationship`关系描述根据[CVSS v4.0 规范文档](https://www.first.org/cvss/v4.0/specification-document)定义的漏洞评分、严重性和向量。 + +其目的是传达CVSS计算器的结果。 + +*约束条件* + +- 关系类型必须设置为`hasAssessmentFor`。 + +*示例* + +```json +{ + "type": "CvssV4VulnAssessmentRelationship", + "spdxId": "urn:spdx.dev:cvssv4-cve-2021-44228", + "relationshipType": "hasAssessmentFor", + "security_severity": "medium", + "security_score": "10.0", + "security_vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/AR:N/UI:N/VCH/VI:H/VA:H/SC:H/SI:H/SA:H/E:A", + "from": "urn:spdx.dev:vuln-cve-2021-44228", + "to": ["urn:product-acme-application-1.3"], + "security_assessedElement": "urn:apache-log4j-2.14.1", + "externalRef": [ + { + "@type": "ExternalRef", + "externalRefType": "securityAdvisory", + "locator": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228" + }, + { + "@type": "ExternalRef", + "externalRefType": "securityAdvisory", + "locator": "https://logging.apache.org/log4j/2.x/security.html" + }, + { + "@type": "ExternalRef", + "externalRefType": "securityOther", + "locator": "https://www.first.org/cvss/v4.0/examples#Apache-log4j-Vulnerability-CVE-2021-44228" + }, + ], + "suppliedBy": ["urn:spdx.dev:agent-my-security-vendor"], + "publishedTime": "2023-10-05T23:09:13Z" +}, +{ + "type": "Relationship", + "spdxId": "urn:spdx.dev:vulnAgentRel-1", + "relationshipType": "publishedBy", + "from": "urn:spdx.dev:cvssv4-cve-2021-44228", + "to": ["urn:spdx.dev:agent-apache.org"], + "startTime": "2021-12-11T18:39:00Z" +} +``` diff --git a/model/Security/Classes/EpssVulnAssessmentRelationship.md b/model/Security/Classes/EpssVulnAssessmentRelationship.md index b3263a9d1..6e02df431 100644 --- a/model/Security/Classes/EpssVulnAssessmentRelationship.md +++ b/model/Security/Classes/EpssVulnAssessmentRelationship.md 
@@ -57,3 +57,33 @@ scores, using the Exploit Prediction Scoring System (EPSS) as defined at - /Security/VulnAssessmentRelationship/publishedTime - minCount: 1 + +## Summary @zh-Hans + +提供漏洞的EPSS评估。 + +## Description @zh-Hans + +根据[EPSS模型](https://www.first.org/epss/model)中定义的漏洞利用预测评分系统(EPSS),`EpssVulnAssessmentRelationship`关系描述漏洞在实际环境中被利用的可能性或概率,以及相对于所有其他漏洞的EPSS评分的百分位排名。 + +*约束条件* + +- 关系类型必须设置为`hasAssessmentFor`。 +- 概率范围为0到1。 +- 百分位数范围为0到1。 + +*示例* + +```json +{ + "type": "EpssVulnAssessmentRelationship", + "spdxId": "urn:spdx.dev:epss-CVE-2020-28498", + "relationshipType": "hasAssessmentFor", + "security_probability": "0.00105", + "security_percentile": "0.42356", + "from": "urn:spdx.dev:vuln-cve-2020-28498", + "to": ["urn:product-acme-application-1.3"], + "suppliedBy": ["urn:spdx.dev:agent-jane-doe"], + "publishedTime": "2023-10-05T00:00:30Z" +} +``` diff --git a/model/Security/Classes/ExploitCatalogVulnAssessmentRelationship.md b/model/Security/Classes/ExploitCatalogVulnAssessmentRelationship.md index 72e409d2e..80b8b75cd 100644 --- a/model/Security/Classes/ExploitCatalogVulnAssessmentRelationship.md +++ b/model/Security/Classes/ExploitCatalogVulnAssessmentRelationship.md 
@@ -53,3 +53,32 @@ listed in any exploit catalog such as the - type: xsd:anyURI - minCount: 1 - maxCount: 1 + +## Summary @zh-Hans + +提供漏洞利用评估。 + +## Description @zh-Hans + +`ExploitCatalogVulnAssessmentRelationship`描述漏洞是否被任何利用目录列出,例如[CISA已知被利用漏洞(KEV)目录](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)。 + +*约束条件* + +- 关系类型必须设置为`hasAssessmentFor`。 + +*示例* + +```json +{ + "type": "ExploitCatalogVulnAssessmentRelationship", + "spdxId": "urn:spdx.dev:exploit-catalog-1", + "relationshipType": "hasAssessmentFor", + "security_catalogType": "kev", + "locator": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", + "security_exploited": "true", + "from": "urn:spdx.dev:vuln-cve-2023-2136", + "to": ["urn:product-google-chrome-112.0.5615.136"], + "suppliedBy": ["urn:spdx.dev:agent-jane-doe"], + "publishedTime": "2021-03-09T11:04:53Z" +} +``` diff --git a/model/Security/Classes/SsvcVulnAssessmentRelationship.md b/model/Security/Classes/SsvcVulnAssessmentRelationship.md index 3f49c92af..0efc50561 100644 --- a/model/Security/Classes/SsvcVulnAssessmentRelationship.md +++ b/model/Security/Classes/SsvcVulnAssessmentRelationship.md 
@@ -47,3 +47,33 @@ It is intended to communicate the results of using the CISA SSVC Calculator. - type: SsvcDecisionType - minCount: 1 - maxCount: 1 + +## Summary @zh-Hans + +提供漏洞的SSVC评估。 + +## Description @zh-Hans + +`SsvcVulnAssessmentRelationship`描述根据[CISA利益相关者特定漏洞分类(SSVC)指南](https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc)使用SSVC决策树做出的决策。 + +其目的是传达CISA SSVC计算器的结果。 + +*约束条件* + +- 关系类型必须设置为`hasAssessmentFor`。 + +*示例* + +```json +{ + "@type": "SsvcVulnAssessmentRelationship", + "@id": "urn:spdx.dev:ssvc-1", + "relationshipType": "hasAssessmentFor", + "security_decisionType": "act", + "from": "urn:spdx.dev:vuln-cve-2020-28498", + "to": ["urn:product-acme-application-1.3"], + "security_assessedElement": "urn:npm-elliptic-6.5.2", + "suppliedBy": ["urn:spdx.dev:agent-jane-doe"], + "publishedTime": "2021-03-09T11:04:53Z" +} +``` diff --git a/model/Security/Classes/VexAffectedVulnAssessmentRelationship.md b/model/Security/Classes/VexAffectedVulnAssessmentRelationship.md index d3d6093ed..5d2332ca5 100644 --- a/model/Security/Classes/VexAffectedVulnAssessmentRelationship.md +++ b/model/Security/Classes/VexAffectedVulnAssessmentRelationship.md 
@@ -53,3 +53,33 @@ following requirements must be observed: - type: /Core/DateTime - minCount: 0 - maxCount: 1 + +## Summary @zh-Hans + +将漏洞与某个元素关联,此元素指定受漏洞影响的产品。 + +## Description @zh-Hans + +`VexAffectedVulnAssessmentRelationship`将一个漏洞与多个元素关联。此关系将这些元素标记为受漏洞影响的产品,对应VEX的已受影响(affected)状态。 + +*约束条件* + +使用`VexAffectedVulnAssessmentRelationship`关联元素时,必须遵循以下要求: + +- 与`VulnVexAffectedAssessmentRelationship`关联的元素必须使用`affects`关系类型。 + +*示例* + +```json +{ + "type": "VexAffectedVulnAssessmentRelationship", + "spdxId": "urn:spdx.dev:vex-affected-1", + "relationshipType": "affects", + "from": "urn:spdx.dev:vuln-cve-2020-28498", + "to": ["urn:product-acme-application-1.3"], + "security_assessedElement": "urn:npm-elliptic-6.5.2", + "security_actionStatement": "Upgrade to version 1.4 of ACME application.", + "suppliedBy": ["urn:spdx.dev:agent-jane-doe"], + "publishedTime": "2021-03-09T11:04:53Z" +} +``` diff --git a/model/Security/Classes/VexFixedVulnAssessmentRelationship.md b/model/Security/Classes/VexFixedVulnAssessmentRelationship.md index 239f2a591..1c4866d7b 100644 --- a/model/Security/Classes/VexFixedVulnAssessmentRelationship.md +++ b/model/Security/Classes/VexFixedVulnAssessmentRelationship.md 
@@ -43,3 +43,33 @@ requirements must be observed: - name: VexFixedVulnAssessmentRelationship - SubclassOf: VexVulnAssessmentRelationship - Instantiability: Concrete + +## Summary @zh-Hans + +将漏洞与代表产品(根据VEX定义)的元素关联,这些产品已修复漏洞且不再受影响。 + +## Description @zh-Hans + +`VexFixedVulnAssessmentRelationship`将一个漏洞与多个代表VEX产品的元素关联,这些产品已修复漏洞且不再受影响。此关系对应VEX的已修复(fixed)状态。 + +*约束条件* + +使用`VexFixedVulnAssessmentRelationship`关联元素时,必须遵循以下要求: + +- 与`VulnVexFixedAssessmentRelationship`关联的元素必须使用`fixedIn`关系类型。 +- 关系的`from:`端必须为一个`/Security/Vulnerability`类型的元素。 + +*示例* + +```json +{ + "type": "VexFixedVulnAssessmentRelationship", + "spdxId": "urn:spdx.dev:vex-fixed-in-1", + "relationshipType": "fixedIn", + "from": "urn:spdx.dev:vuln-cve-2020-28498", + "to": ["urn:product-acme-application-1.3"], + "security_assessedElement": "urn:npm-elliptic-6.5.4", + "suppliedBy": ["urn:spdx.dev:agent-jane-doe"], + "publishedTime": "2021-03-09T11:04:53Z" +} +``` diff --git a/model/Security/Classes/VexNotAffectedVulnAssessmentRelationship.md b/model/Security/Classes/VexNotAffectedVulnAssessmentRelationship.md index 0bbe5ed08..4ec119431 100644 --- a/model/Security/Classes/VexNotAffectedVulnAssessmentRelationship.md +++ b/model/Security/Classes/VexNotAffectedVulnAssessmentRelationship.md 
@@ -64,3 +64,36 @@ following requirements must be observed: - type: /Core/DateTime - minCount: 0 - maxCount: 1 + +## Summary @zh-Hans + +将漏洞与一个或多个元素关联,指定后者为不受漏洞影响的产品。 + +## Description @zh-Hans + +`VexNotAffectedVulnAssessmentRelationship`将一个漏洞与多个元素关联,这些元素指定未受漏洞影响的产品。此关系对应VEX的未受影响(not_affected)状态。 + +*约束条件* + +使用`VexNotVulnAffectedAssessmentRelationship`关联元素时,必须遵循以下要求: + +- 与`VexNotAffectedVulnAssessmentRelationship`关联的元素必须使用`doesNotAffect`关系类型。 +- 关系的`from:`端必须为一个`/Security/Vulnerability`类型的元素。 +- `impactStatement`和`justificationType`属性的基数均为`0..1`,意味着它们是可选属性。但是,要生成有效的VEX not_affected语句,二者必须定义其一。这在VEX的最小元素规范中有所规定。 + +*示例* + +```json +{ + "type": "VexNotAffectedVulnAssessmentRelationship", + "spdxId": "urn:spdx.dev:vex-not-affected-1", + "relationshipType": "doesNotAffect", + "from": "urn:spdx.dev:vuln-cve-2020-28498", + "to": ["urn:product-acme-application-1.3"], + "security_assessedElement": "urn:npm-elliptic-6.5.2", + "security_justificationType": "componentNotPresent", + "security_impactStatement": "Not using this vulnerable part of this library.", + "suppliedBy": ["urn:spdx.dev:agent-jane-doe"], + "publishedTime": "2021-03-09T11:04:53Z" +} +``` diff --git a/model/Security/Classes/VexUnderInvestigationVulnAssessmentRelationship.md b/model/Security/Classes/VexUnderInvestigationVulnAssessmentRelationship.md index f32071349..8bd19e8de 100644 --- a/model/Security/Classes/VexUnderInvestigationVulnAssessmentRelationship.md +++ b/model/Security/Classes/VexUnderInvestigationVulnAssessmentRelationship.md 
@@ -43,3 +43,33 @@ the following requirements must be observed: - name: VexUnderInvestigationVulnAssessmentRelationship - SubclassOf: VexVulnAssessmentRelationship - Instantiability: Concrete + +## Summary @zh-Hans + +将元素指定为正在调查漏洞影响的产品。 + +## Description @zh-Hans + +`VexUnderInvestigationVulnAssessmentRelationship`将一个漏洞与多个产品关联,表示漏洞对这些产品的影响正在调查中。此关系对应VEX的调查中(under_investigation)状态。 + +*约束条件* + +使用`VexUnderInvestigationVulnAssessmentRelationship`关联元素时,必须遵循以下要求: + +- 与`VexUnderInvestigationVulnAssessmentRelationship`关联的元素必须使用`underInvestigationFor`关系类型。 +- 关系的`from:`端必须为一个`/Security/Vulnerability`类型的元素。 + +*示例* + +```json +{ + "type": "VexUnderInvestigationVulnAssessmentRelationship", + "spdxId": "urn:spdx.dev:vex-underInvestigation-1", + "relationshipType": "underInvestigationFor", + "from": "urn:spdx.dev:vuln-cve-2020-28498", + "to": ["urn:product-acme-application-1.3"], + "security_assessedElement": "urn:npm-elliptic-6.5.2", + "suppliedBy": ["urn:spdx.dev:agent-jane-doe"], + "publishedTime": "2021-03-09T11:04:53Z" +} +``` diff --git a/model/Security/Classes/VexVulnAssessmentRelationship.md b/model/Security/Classes/VexVulnAssessmentRelationship.md index 49644fb24..eef4166e8 100644 --- a/model/Security/Classes/VexVulnAssessmentRelationship.md +++ b/model/Security/Classes/VexVulnAssessmentRelationship.md @@ -47,3 +47,22 @@ the document's date must be considered as authoritative. - type: xsd:string - minCount: 0 - maxCount: 1 + +## Summary @zh-Hans + +所有VEX关系的抽象祖先类。 + +## Description @zh-Hans + +`VexVulnAssessmentRelationship`是一个抽象子类,定义了所有SPDX-VEX状态关系共享的公共属性。 + +*约束条件* + +使用`VexVulnAssessmentRelationship`关联元素时,必须遵循以下要求: + +- `from:`端必须为一个`/Security/Vulnerability`类型的元素。 +- `to:`端必须指向表示VEX产品的元素。 + +要指定检测到漏洞的其他元素,VEX关系可以选择使用`assessedElement`属性指定子组件。 + +VEX从文档级别继承信息到其语句。当语句缺少信息时,可通过读取包含文档中的等效字段来补充。例如,如果VEX关系的`createdBy`属性中缺失数据,工具将文档`CreationInfo`部分中列出的实体视为VEX作者。同理,当VEX关系没有`created`属性时,文档的日期应被视为权威信息。 
diff --git a/model/Security/Classes/VulnAssessmentRelationship.md b/model/Security/Classes/VulnAssessmentRelationship.md index e9d917c3a..d4e35d2ae 100644 --- a/model/Security/Classes/VulnAssessmentRelationship.md +++ b/model/Security/Classes/VulnAssessmentRelationship.md @@ -39,3 +39,11 @@ assessment relationships. It factors out the common properties shared by them. - type: /Core/DateTime - minCount: 0 - maxCount: 1 + +## Summary @zh-Hans + +所有漏洞评估的抽象祖先类。 + +## Description @zh-Hans + +`VulnAssessmentRelationship`是所有漏洞评估关系的祖先类,提取它们共享的公共属性。 diff --git a/model/Security/Classes/Vulnerability.md b/model/Security/Classes/Vulnerability.md index c08c2678c..8b4cfbefb 100644 --- a/model/Security/Classes/Vulnerability.md +++ b/model/Security/Classes/Vulnerability.md 
@@ -105,3 +105,86 @@ Specifies a vulnerability and its associated information. - type: /Core/DateTime - minCount: 0 - maxCount: 1 + +## Summary @zh-Hans + +指定一个漏洞及其关联信息。 + +## Description @zh-Hans + +指定一个漏洞及其关联信息。 + +*示例* + +```json +{ + "type": "Vulnerability", + "spdxId": "urn:spdx.dev:vuln-1", + "summary": "Use of a Broken or Risky Cryptographic Algorithm", + "description": "The package `elliptic` before version 6.5.4 are vulnerable to ..." + "modifiedTime": "2021-03-08T16:06:43Z", + "publishedTime": "2021-03-08T16:02:50Z", + "externalIdentifier": [ + { + "type": "ExternalIdentifier", + "externalIdentifierType": "cve", + "identifier": "CVE-2020-2849", + "identifierLocator": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28498", + "https://www.cve.org/CVERecord?id=CVE-2020-28498" + ], + "issuingAuthority": "urn:spdx.dev:agent-cve.org" + }, + { + "type": "ExternalIdentifier", + "externalIdentifierType": "securityOther", + "identifier": "GHSA-r9p9-mrjm-926w", + "identifierLocator": "https://github.com/advisories/GHSA-r9p9-mrjm-926w" + }, + { + "type": "ExternalIdentifier", + "externalIdentifierType": "securityOther", + "identifier": "SNYK-JS-ELLIPTIC-1064899", + "identifierLocator": "https://security.snyk.io/vuln/SNYK-JS-ELLIPTIC-1064899" + } + ], + "externalRef": [ + { + "type": "ExternalRef", + "externalRefType": "securityAdvisory", + "locator": "https://nvd.nist.gov/vuln/detail/CVE-2020-28498" + }, + { + "type": "ExternalRef", + "externalRefType": "securityAdvisory", + "locator": "https://ubuntu.com/security/CVE-2020-28498" + }, + { + "type": "ExternalRef", + "externalRefType": "securityOther", + "locator": "https://github.com/indutny/elliptic/pull/244/commits" + }, + { + "type": "ExternalRef", + "externalRefType": "securityOther", + "locator": "https://github.com/christianlundkvist/blog/2020_05_26_secp256k1_twist_attacks.md" + } + ] +}, +{ + "type": "Relationship", + "spdxId": "urn:spdx.dev:vulnRelationship-1", + "relationshipType": 
"hasAssociatedVulnerability", + "from": "urn:npm-elliptic-6.5.2", + "to": ["urn:spdx.dev:vuln-1"], + "startTime": "2021-03-08T16:06:50Z" +}, +{ + "type": "Relationship", + "spdxId": "urn:spdx.dev:vulnAgentRel-1", + "relationshipType": "publishedBy", + "from": "urn:spdx.dev:vuln-1", + "to": ["urn:spdx.dev:agent-snyk"], + "startTime": "2021-03-08T16:06:50Z" +} +``` diff --git a/model/Security/Properties/actionStatement.md b/model/Security/Properties/actionStatement.md index 68bd05d2a..6a590b887 100644 --- a/model/Security/Properties/actionStatement.md +++ b/model/Security/Properties/actionStatement.md @@ -18,3 +18,11 @@ to remediate or mitigate the vulnerability. - name: actionStatement - Nature: DataProperty - Range: xsd:string + +## Summary @zh-Hans + +提供关于在VEX产品受漏洞影响时如何缓解或修复漏洞的建议。 + +## Description @zh-Hans + +使用`VexAffectedVulnAssessmentRelationship`引用元素时,**必须**包含一个`actionStatement`,**应当**描述缓解或修复漏洞的措施。 diff --git a/model/Security/Properties/actionStatementTime.md b/model/Security/Properties/actionStatementTime.md index b038ef9f9..7cef55abc 100644 --- a/model/Security/Properties/actionStatementTime.md +++ b/model/Security/Properties/actionStatementTime.md @@ -19,3 +19,11 @@ when the action statement was first communicated. - name: actionStatementTime - Nature: DataProperty - Range: /Core/DateTime + +## Summary @zh-Hans + +记录在VEX语句中传达的缓解漏洞建议措施的时间。 + +## Description @zh-Hans + +当VEX语句传达已受影响(affected)状态时,作者必须包含一个措施语句,提供建议措施帮助减轻漏洞影响。`actionStatementTime`属性记录措施语句首次传达的时间。 diff --git a/model/Security/Properties/assessedElement.md b/model/Security/Properties/assessedElement.md index 54679a8ab..2c039a818 100644 --- a/model/Security/Properties/assessedElement.md +++ b/model/Security/Properties/assessedElement.md 
@@ -17,3 +17,11 @@ to specify the precise location where a vulnerability was found. - name: assessedElement - Nature: ObjectProperty - Range: /Software/SoftwareArtifact + +## Summary @zh-Hans + +指定发现漏洞的软件中包含的元素。 + +## Description @zh-Hans + +指定安全评估引用的子包、文件或代码段,以明确漏洞发现的具体位置。 diff --git a/model/Security/Properties/catalogType.md b/model/Security/Properties/catalogType.md index e941cff93..83f08f0ef 100644 --- a/model/Security/Properties/catalogType.md +++ b/model/Security/Properties/catalogType.md @@ -16,3 +16,11 @@ in the [`ExploitCatalogType`](../Vocabularies/ExploitCatalogType.md) vocabulary. - name: catalogType - Nature: ObjectProperty - Range: ExploitCatalogType + +## Summary @zh-Hans + +指定漏洞利用目录类型。 + +## Description @zh-Hans + +`catalogType`是必填值,必须从[`ExploitCatalogType`](../Vocabularies/ExploitCatalogType.md)词汇表中选择一个现有条目。 diff --git a/model/Security/Properties/decisionType.md b/model/Security/Properties/decisionType.md index ed66bb44d..e5700d414 100644 --- a/model/Security/Properties/decisionType.md +++ b/model/Security/Properties/decisionType.md @@ -17,3 +17,11 @@ the [`SsvcDecisionType`](../Vocabularies/SsvcDecisionType.md) vocabulary. - name: decisionType - Nature: ObjectProperty - Range: SsvcDecisionType + +## Summary @zh-Hans + +枚举[利益相关者特定漏洞分类(SSVC)决策树](https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc)中可能的决策。 + +## Description @zh-Hans + +`decisionType`是必填值,必须选择[`SsvcDecisionType`](../Vocabularies/SsvcDecisionType.md)词汇表中的四个条目之一。 \ No newline at end of file diff --git a/model/Security/Properties/exploited.md b/model/Security/Properties/exploited.md index 95ca6d6ed..6b7a96a35 100644 --- a/model/Security/Properties/exploited.md +++ b/model/Security/Properties/exploited.md @@ -15,3 +15,11 @@ This field is set when a CVE is listed in an exploit catalog. - name: exploited - Nature: DataProperty - Range: xsd:boolean + +## Summary @zh-Hans + +描述一个CVE已知被利用漏洞,因为它已被列入漏洞利用目录。 + +## Description @zh-Hans + +当CVE被列入漏洞利用目录时,设置此字段。 
diff --git a/model/Security/Properties/impactStatement.md b/model/Security/Properties/impactStatement.md index 89426a33c..48c8e5f50 100644 --- a/model/Security/Properties/impactStatement.md +++ b/model/Security/Properties/impactStatement.md @@ -20,3 +20,12 @@ must be provided. - name: impactStatement - Nature: DataProperty - Range: xsd:string + +## Summary @zh-Hans + +解释VEX产品不受漏洞影响的原因。它是`VexNotAffectedVulnAssessmentRelationship`中机器可读证明标签的替代方案。 + +## Description @zh-Hans + +当VEX产品元素与`VexNotAffectedVulnAssessmentRelationship`关联且未提供机器可读证明标签时,必须提供一个`impactStatement`,进一步解释产品如何或为何不受漏洞影响。 + diff --git a/model/Security/Properties/impactStatementTime.md b/model/Security/Properties/impactStatementTime.md index f6e516a7f..56f7cd52c 100644 --- a/model/Security/Properties/impactStatementTime.md +++ b/model/Security/Properties/impactStatementTime.md @@ -15,3 +15,11 @@ Specifies the time when the impact statement was recorded. - name: impactStatementTime - Nature: DataProperty - Range: /Core/DateTime + +## Summary @zh-Hans + +影响语句的时间戳。 + +## Description @zh-Hans + +指定记录影响语句的时间。 diff --git a/model/Security/Properties/justificationType.md b/model/Security/Properties/justificationType.md index 3086eda1b..c468d0feb 100644 --- a/model/Security/Properties/justificationType.md +++ b/model/Security/Properties/justificationType.md @@ -22,3 +22,13 @@ complementary to the justification label, but one of both MUST be defined. - name: justificationType - Nature: ObjectProperty - Range: VexJustificationType + +## Summary @zh-Hans + +用于将漏洞与代表VEX产品的元素(具有`VexNotAffectedVulnAssessmentRelationship`关系)关联时使用的影响证明标签。 + +## Description @zh-Hans + +当声明某个元素不受漏洞影响时,`VexNotAffectedVulnAssessmentRelationship`必须包含机器可读标签目录中的证明,说明此元素不受影响的原因。 + +`impactStatement`是一个英文文本字符串,可以替代或作为证明标签的补充,但二者必须定义其一。 diff --git a/model/Security/Properties/locator.md b/model/Security/Properties/locator.md index 690e102e4..f98d0bfc7 100644 --- a/model/Security/Properties/locator.md +++ b/model/Security/Properties/locator.md 
@@ -15,3 +15,11 @@ A locator provides the location of an exploit catalog. - name: locator - Nature: DataProperty - Range: xsd:anyURI + +## Summary @zh-Hans + +提供漏洞利用目录的位置。 + +## Description @zh-Hans + +定位器提供漏洞利用目录的位置。 diff --git a/model/Security/Properties/modifiedTime.md b/model/Security/Properties/modifiedTime.md index 18dcbaaca..dfe7996d9 100644 --- a/model/Security/Properties/modifiedTime.md +++ b/model/Security/Properties/modifiedTime.md @@ -15,3 +15,11 @@ Specifies a time when a vulnerability assessment was last modified. - name: modifiedTime - Nature: DataProperty - Range: /Core/DateTime + +## Summary @zh-Hans + +指定漏洞评估修改时间。 + +## Description @zh-Hans + +指定漏洞评估的最后修改时间。 diff --git a/model/Security/Properties/percentile.md b/model/Security/Properties/percentile.md index f6de3ca54..3ca4afeca 100644 --- a/model/Security/Properties/percentile.md +++ b/model/Security/Properties/percentile.md @@ -18,3 +18,11 @@ probability score. The definition follows "percentile" in - name: percentile - Nature: DataProperty - Range: xsd:decimal + +## Summary @zh-Hans + +当前概率分数的百分位数。 + +## Description @zh-Hans + +当前概率分数的百分位数,范围为0到1(0到100%),表示所有得分漏洞中具有相同或更低概率得分的比例。此定义参照[EPSS数据](https://www.first.org/epss/data_stats)中的“percentile”定义。 diff --git a/model/Security/Properties/probability.md b/model/Security/Properties/probability.md index 232f8a5c9..6e42aac87 100644 --- a/model/Security/Properties/probability.md +++ b/model/Security/Properties/probability.md @@ -18,3 +18,11 @@ The definition follows "epss" in - name: probability - Nature: DataProperty - Range: xsd:decimal + +## Summary @zh-Hans + +漏洞被利用的概率分数,范围为0到1。 + +## Description @zh-Hans + +预估未来30天(发布评分后)漏洞在实际环境中被利用的概率分数,范围为0到1(0%到100%)。此定义参照[EPSS数据](https://www.first.org/epss/data_stats)中的“epss”定义。 diff --git a/model/Security/Properties/publishedTime.md b/model/Security/Properties/publishedTime.md index 54585b98f..d2683e1a2 100644 --- a/model/Security/Properties/publishedTime.md +++ b/model/Security/Properties/publishedTime.md 
@@ -15,3 +15,11 @@ Specifies the time when a vulnerability was first published. - name: publishedTime - Nature: DataProperty - Range: /Core/DateTime + +## Summary @zh-Hans + +指定漏洞发布时间。 + +## Description @zh-Hans + +指定漏洞首次发布的时间。 diff --git a/model/Security/Properties/score.md b/model/Security/Properties/score.md index 5f7552a53..cd4e44409 100644 --- a/model/Security/Properties/score.md +++ b/model/Security/Properties/score.md @@ -17,3 +17,11 @@ Common Vulnerability Scoring System as defined by - name: score - Nature: DataProperty - Range: xsd:decimal + +## Summary @zh-Hans + +提供漏洞严重性级别的数值(0-10)表示。 + +## Description @zh-Hans + +此评分根据[事件响应和安全团队论坛](https://www.first.org/cvss/)定义的通用漏洞评分系统(CVSS)提供有关漏洞严重性的信息。 diff --git a/model/Security/Properties/severity.md b/model/Security/Properties/severity.md index 07125af3b..8af152a20 100644 --- a/model/Security/Properties/severity.md +++ b/model/Security/Properties/severity.md @@ -15,3 +15,11 @@ The severity field provides a human readable string of the resulting numerical C - name: severity - Nature: ObjectProperty - Range: CvssSeverityType + +## Summary @zh-Hans + +指定与某软件相关的漏洞的CVSS定性严重性评级。 + +## Description @zh-Hans + +`severity`字段提供一个人类可读字符串,表示CVSS分数。 diff --git a/model/Security/Properties/statusNotes.md b/model/Security/Properties/statusNotes.md index 0401da5d9..9a78040ce 100644 --- a/model/Security/Properties/statusNotes.md +++ b/model/Security/Properties/statusNotes.md @@ -15,3 +15,11 @@ A VEX statement may convey information about how status was determined and may r - name: statusNotes - Nature: DataProperty - Range: xsd:string + +## Summary @zh-Hans + +提供有关VEX状态如何确定的信息。 + +## Description @zh-Hans + +VEX语句可以传递有关状态如何确定的信息,也可以引用其他VEX信息。 diff --git a/model/Security/Properties/vectorString.md b/model/Security/Properties/vectorString.md index e7af8e897..4f5f50089 100644 --- a/model/Security/Properties/vectorString.md +++ b/model/Security/Properties/vectorString.md 
@@ -24,3 +24,17 @@ of metric names specified in CVSS specifications, e.g. - name: vectorString - Nature: DataProperty - Range: xsd:string + +## Summary @zh-Hans + +指定漏洞的CVSS向量字符串。 + +## Description @zh-Hans + +指定漏洞的CVSS基本、时态、威胁、环境和/或补充向量字符串值的任意组合。 + +支持所有CVSS版本中指定的`vectorString`。 + +*约束条件* + +`vectorString`范围内的字符串值只能包含CVSS规范中,例如[通用漏洞评分系统(CVSS)矢量字符串](https://www.first.org/cvss/v4.0/specification-document#Vector-String),指定的度量名称的缩写形式,。 diff --git a/model/Security/Properties/vexVersion.md b/model/Security/Properties/vexVersion.md index e9da5ab6b..3055b85b6 100644 --- a/model/Security/Properties/vexVersion.md +++ b/model/Security/Properties/vexVersion.md @@ -15,3 +15,11 @@ The statement version default value is zero. When any VEX-related content change - name: vexVersion - Nature: DataProperty - Range: xsd:string + +## Summary @zh-Hans + +指定VEX语句的版本。 + +## Description @zh-Hans + +语句版本默认值为0。当任何与VEX相关的内容发生变更时,版本递增。 diff --git a/model/Security/Properties/withdrawnTime.md b/model/Security/Properties/withdrawnTime.md index 15b9a5616..4a287d749 100644 --- a/model/Security/Properties/withdrawnTime.md +++ b/model/Security/Properties/withdrawnTime.md @@ -15,3 +15,11 @@ Specified the time and date when a vulnerability was withdrawn. - name: withdrawnTime - Nature: DataProperty - Range: /Core/DateTime + +## Summary @zh-Hans + +指定漏洞撤回的时间和日期。 + +## Description @zh-Hans + +指定漏洞撤回的时间和日期。 diff --git a/model/Security/Security.md b/model/Security/Security.md index a25da2efd..4fcce982c 100644 --- a/model/Security/Security.md +++ b/model/Security/Security.md @@ -14,3 +14,11 @@ The Security Profile captures security related information. - id: https://spdx.org/rdf/3.0.1/terms/Security - name: Security + +## Summary @zh-Hans + +`Security`配置文件捕获与安全相关的信息。 + +## Description @zh-Hans + +`Security`配置文件捕获与安全相关的信息。 diff --git a/model/Security/Vocabularies/CvssSeverityType.md b/model/Security/Vocabularies/CvssSeverityType.md index b9e6d8d01..ffc6b94bf 100644 
--- a/model/Security/Vocabularies/CvssSeverityType.md +++ b/model/Security/Vocabularies/CvssSeverityType.md @@ -37,3 +37,25 @@ severity. - medium: When a CVSS score is between 4.0 - 6.9 - low: When a CVSS score is between 0.1 - 3.9 - none: When a CVSS score is 0.0 + +## Summary @zh-Hans + +指定CVSS基本、时态、威胁或环境严重性级别。 + +## Description @zh-Hans + +`CvssSeverityType`指定通用漏洞评分系统(CVSS)严重级别,在CVSS规范中定义为CVSS分数的文本表示。 + +严重性级别条目包含并适用于[CVSS v3.0 规范文档](https://www.first.org/cvss/v3.0/specification-document#Qualitative-Severity-Rating-Scale)和[CVSS v4.0 规范文档](https://www.first.org/cvss/v4.0/specification-document#Qualitative-Severity-Rating-Scale)中的列举。 + +`CvssSeverityType`是必填字段,因为[CVSS 3.0 模式](https://www.first.org/cvss/cvss-v3.0.json)、[CVSS 3.1 模式](https://www.first.org/cvss/cvss-v3.1.json)和[CVSS 4.0 模式](https://www.first.org/cvss/cvss-v4.0.json)中需要`baseSeverity`。 + +此字段可用于记录基本、时态、威胁或环境严重性级别。 + +## Entries @zh-Hans + +- critical: CVSS分数在9.0到10.0之间 +- high: CVSS分数在7.0到8.9之间 +- medium: CVSS分数在4.0到6.9之间 +- low: CVSS分数在0.1到3.9之间 +- none: CVSS分数为0.0 diff --git a/model/Security/Vocabularies/ExploitCatalogType.md b/model/Security/Vocabularies/ExploitCatalogType.md index 6b6b9e61d..8ee8fdd67 100644 --- a/model/Security/Vocabularies/ExploitCatalogType.md +++ b/model/Security/Vocabularies/ExploitCatalogType.md @@ -18,3 +18,16 @@ ExploitCatalogType specifies the type of exploit catalog that a vulnerability is - kev: CISA's Known Exploited Vulnerability (KEV) Catalog - other: Other exploit catalogs + +## Summary @zh-Hans + +指定漏洞利用目录类型。 + +## Description @zh-Hans + +`ExploitCatalogType`指定漏洞利用目录类型。 + +## Entries @zh-Hans + +- kev: CISA已知被利用漏洞(KEV)目录。 +- other: 其他漏洞利用目录。 diff --git a/model/Security/Vocabularies/SsvcDecisionType.md b/model/Security/Vocabularies/SsvcDecisionType.md index 667a7218d..0f4943c91 100644 --- a/model/Security/Vocabularies/SsvcDecisionType.md +++ b/model/Security/Vocabularies/SsvcDecisionType.md 
@@ -22,3 +22,18 @@ the - attend: The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions include requesting assistance or information about the vulnerability, and may involve publishing a notification either internally and/or externally. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines. - track: The vulnerability does not require action at this time. The organization would continue to track the vulnerability and reassess it if new information becomes available. CISA recommends remediating Track vulnerabilities within standard update timelines. - trackStar: ("Track\*" in the SSVC spec) The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track\* vulnerabilities within standard update timelines. + +## Summary @zh-Hans + +指定SSVC决策类型。 + +## Description @zh-Hans + +`SsvcDecisionType`指定根据[利益相关者特定漏洞分类(SSVC)指南](https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc)做出的决策类型。 + +## Entries @zh-Hans + +- act: 此漏洞需要组织内部、监管层和领导层的人员关注。必要的措施包括请求对此漏洞的帮助或信息,并在内部和/或外部发布通知。通常,内部团队会召开会议确定整体响应,然后执行商定的措施。CISA建议尽快修复Act类漏洞。 +- attend: 此漏洞需要组织内部和监管层的人员关注。必要的措施包括请求对此漏洞的帮助或信息,可能需要在内部和/或外部发布通知。CISA建议尽早修复Attend类漏洞,先于标准更新时间表。 +- track: 此漏洞目前无需采取任何措施。组织将继续跟踪漏洞,并在获得新信息时重新评估漏洞。CISA建议在标准更新时间表内修复Track类漏洞。 +- trackStar: (SSVC规范中为“Track\*”)此漏洞具有特定特征,可能需要更密切地监控其变化。CISA建议在标准更新时间表内修复Track\*类漏洞。 diff --git a/model/Security/Vocabularies/VexJustificationType.md b/model/Security/Vocabularies/VexJustificationType.md index 27cb8214c..fffd87e03 100644 --- a/model/Security/Vocabularies/VexJustificationType.md +++ b/model/Security/Vocabularies/VexJustificationType.md 
@@ -21,3 +21,19 @@ VexJustificationType specifies the type of Vulnerability Exploitability eXchange - vulnerableCodeCannotBeControlledByAdversary: The vulnerable component is present, and the component contains the vulnerable code. However, vulnerable code is used in such a way that an attacker cannot mount any anticipated attack. - vulnerableCodeNotInExecutePath: The affected code is not reachable through the execution of the code, including non-anticipated states of the product. - inlineMitigationsAlreadyExist: Built-in inline controls or mitigations prevent an adversary from leveraging the vulnerability. + +## Summary @zh-Hans + +指定VEX证明类型。 + +## Description @zh-Hans + +`VexJustificationType`指定漏洞可利用性交换(VEX)证明的类型。 + +## Entries @zh-Hans + +- componentNotPresent: 软件未受影响,因为产品中不包含易受攻击的组件。 +- vulnerableCodeNotPresent: 产品未受影响,因为产品中不包含导致漏洞的代码。 +- vulnerableCodeCannotBeControlledByAdversary: 存在易受攻击的组件,且该组件包含易受攻击的代码,但易受攻击的代码的使用方式使攻击者无法发起预期攻击。 +- vulnerableCodeNotInExecutePath: 受影响的代码无法通过代码执行访问,包括产品的非预期状态。 +- inlineMitigationsAlreadyExist: 内置的内联控制或缓解措施可防止攻击者利用漏洞。 From cafbd57a7aaab30bd012bdf3bd27ea65c5b27705 Mon Sep 17 00:00:00 2001 From: Zhenyu Zheng Date: Sun, 5 Jan 2025 10:14:40 +0800 Subject: [PATCH 2/4] Apply suggestions from code review Co-authored-by: Arthit Suriyawongkul Signed-off-by: Zhenyu Zheng --- model/Extension/Classes/CdxPropertiesExtension.md | 4 ++-- model/Extension/Classes/CdxPropertyEntry.md | 4 ++-- model/Extension/Classes/Extension.md | 5 +++-- model/Extension/Extension.md | 4 ++-- model/Extension/Properties/cdxPropName.md | 4 ++-- model/Extension/Properties/cdxPropValue.md | 4 ++-- model/Extension/Properties/cdxProperty.md | 4 ++-- 7 files changed, 15 insertions(+), 14 deletions(-) diff --git a/model/Extension/Classes/CdxPropertiesExtension.md b/model/Extension/Classes/CdxPropertiesExtension.md index 8ec422390..4c3bcb462 100644 --- a/model/Extension/Classes/CdxPropertiesExtension.md +++ b/model/Extension/Classes/CdxPropertiesExtension.md 
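Review bot: the `model/Security/Properties/decisionType.md` hunk ends with `\ No newline at end of file`, so the new Chinese Description leaves the file without a trailing newline while every other property file in this patch keeps one; add the final newline so the files stay consistent and later diffs do not churn on this line.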
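Review bot: the `model/Security/Properties/impactStatement.md` hunk adds an extra empty `+` line after the Description paragraph (the hunk header counts `+20,12` against the `+20,11` of its siblings), which leaves a blank line at end of file; drop it so the file matches the other property pages in this series.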
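Review bot: normative keywords are rendered inconsistently across the translated Descriptions: `actionStatement.md` bolds them (`**必须**包含一个`actionStatement`,**应当**描述`), while `actionStatementTime.md` (`作者必须包含一个措施语句`) and `justificationType.md` (`必须包含机器可读标签目录中的证明`, `二者必须定义其一`) leave them plain; pick one convention for MUST/SHOULD and apply it to all three files.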
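Review bot: the constraint sentence added in `model/Security/Properties/vectorString.md` ends with a stray comma before the full stop (`指定的度量名称的缩写形式,。`) and the parenthetical example splits the sentence awkwardly; suggest `只能包含CVSS规范(例如[通用漏洞评分系统(CVSS)矢量字符串](...))中指定的度量名称的缩写形式。`.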
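Review bot: the Summary added in `model/Security/Properties/exploited.md`, `描述一个CVE已知被利用漏洞,因为它已被列入漏洞利用目录。`, reads as a noun pile and loses the sense of "known to have an exploit"; suggest `描述某个CVE已知存在漏洞利用,因为它已被列入漏洞利用目录。`.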
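Review bot: the Description added in `model/Security/Properties/severity.md`, `` `severity`字段提供一个人类可读字符串,表示CVSS分数。 ``, drops the qualifier visible in the hunk header (`human readable string of the resulting numerical C...`); suggest `表示最终CVSS数值分数` so the translation keeps the same meaning as the English text.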
@@ -28,11 +28,11 @@ This is intended to be compatible with the CycloneDX property `properties`. - type: CdxPropertyEntry - minCount: 1 -## Summary @zh-Hans +## Summary @zh-Hans 一种扩展类型,由名值对的列表组成。 -## Description @zh-Hans +## Description @zh-Hans 此扩展采用名值方法,提供了更结构化的扩展。 diff --git a/model/Extension/Classes/CdxPropertyEntry.md b/model/Extension/Classes/CdxPropertyEntry.md index 363d543b7..5db3e846f 100644 --- a/model/Extension/Classes/CdxPropertyEntry.md +++ b/model/Extension/Classes/CdxPropertyEntry.md @@ -31,11 +31,11 @@ This class can be used to implement CycloneDX compatible properties. - type: xsd:string - maxCount: 1 -## Summary @zh-Hans +## Summary @zh-Hans 一个属性名称及其关联的值。 -## Description @zh-Hans +## Description @zh-Hans 每个`CdxPropertyEntry`都包含一个名值对,将名称映射到其关联的值。 diff --git a/model/Extension/Classes/Extension.md b/model/Extension/Classes/Extension.md index 2bd595761..de0e7b220 100644 --- a/model/Extension/Classes/Extension.md +++ b/model/Extension/Classes/Extension.md @@ -30,17 +30,18 @@ This approach serves multiple purposes: - name: Extension - Instantiability: Abstract -## Summary @zh-Hans +## Summary @zh-Hans `Element`某个方面的特征描述,以广义的方式与`Element`关联。 -## Description @zh-Hans +## Description @zh-Hans `Extension`是对某个`Element`某个方面的特征描述,以广义的方式与该`Element`关联。 `Extension`并不是通过特定目的的对象属性与某个特定`Element`关联,而是通过一个共同的广义对象属性与它所描述的`Element`关联。 此方法有多种用途: + 1. 支持基于配置文件的`Element`扩展特征描述。允许在任何SPDX配置文件和命名空间内指定和表达`Element`特征描述扩展,无需对其他配置文件或命名空间进行更改,也无需对远程类进行本地子类化(在某些情况下可能会阻碍生态系统的互操作性)。 2. 通过采用具有特定上下文的`Element`特征细节的个人或社区,支持SPDX的扩展。这使得这些个人或社区能够利用SPDX的表达能力,同时表达更专业的`Element`特征化细节,这些细节不适合在SPDX中进行标准化。 diff --git a/model/Extension/Extension.md b/model/Extension/Extension.md index 8ef848a34..780ddb9cf 100644 --- a/model/Extension/Extension.md +++ b/model/Extension/Extension.md 
@@ -16,10 +16,10 @@ base for all defined extension subclasses. - id: https://spdx.org/rdf/3.0.1/terms/Extension - name: Extension -## Summary @zh-Hans +## Summary @zh-Hans 与SPDX扩展有关的内容。 -## Description @zh-Hans +## Description @zh-Hans `Extension`命名空间定义了抽象扩展类,作为所有定义的扩展子类的基础。 diff --git a/model/Extension/Properties/cdxPropName.md b/model/Extension/Properties/cdxPropName.md index 0150a7a54..c10addcf5 100644 --- a/model/Extension/Properties/cdxPropName.md +++ b/model/Extension/Properties/cdxPropName.md @@ -19,11 +19,11 @@ names, each potentially having different values. - Nature: DataProperty - Range: xsd:string -## Summary @zh-Hans +## Summary @zh-Hans `CdxPropertyEntry`名值对中使用的名称。 -## Description @zh-Hans +## Description @zh-Hans `cdxPropName`用于`CdxPropertyEntry`名值对。 diff --git a/model/Extension/Properties/cdxPropValue.md b/model/Extension/Properties/cdxPropValue.md index 7ca628fb7..c98a2b9b9 100644 --- a/model/Extension/Properties/cdxPropValue.md +++ b/model/Extension/Properties/cdxPropValue.md @@ -19,11 +19,11 @@ names, each potentially having different values. - Nature: DataProperty - Range: xsd:string -## Summary @zh-Hans +## Summary @zh-Hans `CdxPropertyEntry`名值对中使用的值。 -## Description @zh-Hans +## Description @zh-Hans `cdxPropValue`用于`CdxPropertyEntry`名值对。 diff --git a/model/Extension/Properties/cdxProperty.md b/model/Extension/Properties/cdxProperty.md index 34682e1a7..5a02e25e6 100644 --- a/model/Extension/Properties/cdxProperty.md +++ b/model/Extension/Properties/cdxProperty.md @@ -21,11 +21,11 @@ names, each potentially having different values. - Nature: ObjectProperty - Range: CdxPropertyEntry -## Summary @zh-Hans +## Summary @zh-Hans 提供属性名称与值的映射。 -## Description @zh-Hans +## Description @zh-Hans 此字段提供名称与值的映射。 From 999f9fc0c33dddeeb2110ebda437bb0bb783d4f1 Mon Sep 17 00:00:00 2001 From: Arthit Suriyawongkul Date: Sun, 5 Jan 2025 04:01:47 +0000 Subject: [PATCH 3/4] One one line before and after the list 
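Review bot: every `-## Summary @zh-Hans` / `+## Summary @zh-Hans` and `-## Description @zh-Hans` / `+## Description @zh-Hans` pair in this patch shows no visible difference, so the change is presumably trailing whitespace or a non-ASCII space after `@zh-Hans`; the commit message "Apply suggestions from code review" should say what was fixed so reviewers do not have to diff byte by byte. The only visible content change, the blank line inserted before the numbered list in `model/Extension/Classes/Extension.md`, is the same fix that patches 3/4 and 4/4 apply to `Licensing.md` and could be mentioned alongside them.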
Signed-off-by: Arthit Suriyawongkul --- model/Licensing/Licensing.md | 1 + 1 file changed, 1 insertion(+) diff --git a/model/Licensing/Licensing.md b/model/Licensing/Licensing.md index bfb0628d0..18922e7df 100644 --- a/model/Licensing/Licensing.md +++ b/model/Licensing/Licensing.md @@ -161,6 +161,7 @@ the following has to hold: 对于`NoAssertionLicense`的`hasDeclaredLicense`关系表明相应的软件包、文件或代码片段不包含任何许可信息。 对于`NoAssertionLicense`的`hasDeclaredLicense`关系表明以下之一适用: + - SPDX数据创建者已尝试但无法得出合理的客观结论; - SPDX数据创建者没有尝试确定该字段;或者 - SPDX数据创建者故意未提供任何信息(不应因此推断出任何意义)。 From 7653fb5a28e580263e73a84542eb9761f34cae71 Mon Sep 17 00:00:00 2001 From: Arthit Suriyawongkul Date: Sun, 5 Jan 2025 04:02:00 +0000 Subject: [PATCH 4/4] One one line before and after the list Signed-off-by: Arthit Suriyawongkul --- model/Licensing/Licensing.md | 1 + 1 file changed, 1 insertion(+) diff --git a/model/Licensing/Licensing.md b/model/Licensing/Licensing.md index 18922e7df..0dcd82af4 100644 --- a/model/Licensing/Licensing.md +++ b/model/Licensing/Licensing.md @@ -177,6 +177,7 @@ the following has to hold: 对于`NoneLicense`的`hasConcludedLicense`关系表明SPDX数据创建者已查找但未找到此软件工件的任何许可信息。 对于`NoneLicense`的`hasConcludedLicense`关系表明以下之一适用: + - SPDX数据创建者已尝试但无法得出合理的客观结论; - SPDX数据创建者没有尝试确定此字段;或者 - SPDX数据创建者故意未提供任何信息(不应因此推断出任何意义)。
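Review bot: in the `model/Licensing/Licensing.md` hunk at `@@ -161,6 +161,7 @@`, the two context sentences contradict each other: `对于`NoAssertionLicense`的`hasDeclaredLicense`关系表明相应的软件包、文件或代码片段不包含任何许可信息。` and `对于`NoAssertionLicense`的`hasDeclaredLicense`关系表明以下之一适用:` assign two different meanings to the same `NoAssertionLicense` relationship. In the English source the "contains no license information whatsoever" sentence describes `hasDeclaredLicense` to `NoneLicense`, and only the "one of the following applies" sentence is about `NoAssertionLicense`; the first sentence should name `NoneLicense`. This is inherited from the translation in patch 1/4 rather than introduced here, but it is worth fixing in the same series. Separately, the subject line "One one line before and after the list" looks like a typo ("Only one" or "One blank line"), and the hunk only shows the blank line added before the list, so either adjust the subject or squash this commit with 4/4.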
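Review bot: in the `model/Licensing/Licensing.md` hunk at `@@ -177,6 +177,7 @@`, the context sentences `对于`NoneLicense`的`hasConcludedLicense`关系表明SPDX数据创建者已查找但未找到此软件工件的任何许可信息。` and `对于`NoneLicense`的`hasConcludedLicense`关系表明以下之一适用:` again give one identifier two meanings; in the English source the "one of the following applies" list belongs to `hasConcludedLicense` to `NoAssertionLicense`, so the second sentence should name `NoAssertionLicense`. Since this commit and 3/4 each add only one blank line to the same file under an identical subject, squashing them into one commit would also keep the history tidier.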