The defined assumptions, goals, and capabilities of an adversary.
from enum value: EXTERNAL_REFERENCE_TYPE_ADVERSARY_MODEL = 18;
Security advisories
from enum value: EXTERNAL_REFERENCE_TYPE_ADVISORIES = 4;
Human or machine-readable statements containing facts, evidence, or testimony
from enum value: EXTERNAL_REFERENCE_TYPE_ATTESTATION = 16;
Bill-of-material document (CycloneDX, SPDX, SWID, etc)
from enum value: EXTERNAL_REFERENCE_TYPE_BOM = 5;
Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)
from enum value: EXTERNAL_REFERENCE_TYPE_BUILD_META = 13;
URL to an automated build system
from enum value: EXTERNAL_REFERENCE_TYPE_BUILD_SYSTEM = 14;
Industry, regulatory, or other certification from an accredited (if applicable) certification body
from enum value: EXTERNAL_REFERENCE_TYPE_CERTIFICATION_REPORT = 29;
Real-time chat platform
from enum value: EXTERNAL_REFERENCE_TYPE_CHAT = 8;
Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC)
from enum value: EXTERNAL_REFERENCE_TYPE_CODIFIED_INFRASTRUCTURE = 31;
Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis
from enum value: EXTERNAL_REFERENCE_TYPE_COMPONENT_ANALYSIS_REPORT = 27;
Parameters or settings that may be used by other components or services.
from enum value: EXTERNAL_REFERENCE_TYPE_CONFIGURATION = 35;
A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification.
from enum value: EXTERNAL_REFERENCE_TYPE_DIGITAL_SIGNATURE = 40;
Direct or repository download location
from enum value: EXTERNAL_REFERENCE_TYPE_DISTRIBUTION = 11;
The location where a component was published. This is often the same as "distribution" but may also include specialized publishing processes that act as an intermediary
from enum value: EXTERNAL_REFERENCE_TYPE_DISTRIBUTION_INTAKE = 20;
Documentation, guides, or how-to instructions
from enum value: EXTERNAL_REFERENCE_TYPE_DOCUMENTATION = 9;
Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations
from enum value: EXTERNAL_REFERENCE_TYPE_DYNAMIC_ANALYSIS_REPORT = 25;
An e-signature is commonly a scanned representation of a written signature or a stylized script of the person's name.
from enum value: EXTERNAL_REFERENCE_TYPE_ELECTRONIC_SIGNATURE = 39;
Information used to substantiate a claim.
from enum value: EXTERNAL_REFERENCE_TYPE_EVIDENCE = 36;
A Vulnerability Exploitability eXchange (VEX) asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally, the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization
from enum value: EXTERNAL_REFERENCE_TYPE_EXPLOITABILITY_STATEMENT = 22;
Describes how a component or service was manufactured or deployed.
from enum value: EXTERNAL_REFERENCE_TYPE_FORMULATION = 37;
Issue, defect tracking system, or an Application Lifecycle Management (ALM) system
from enum value: EXTERNAL_REFERENCE_TYPE_ISSUE_TRACKER = 2;
The URL to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness
from enum value: EXTERNAL_REFERENCE_TYPE_LICENSE = 12;
A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations.
from enum value: EXTERNAL_REFERENCE_TYPE_LOG = 34;
Mailing list or discussion group
from enum value: EXTERNAL_REFERENCE_TYPE_MAILING_LIST = 6;
Report containing a formal assessment of an organization, business unit, or team against a maturity model
from enum value: EXTERNAL_REFERENCE_TYPE_MATURITY_REPORT = 28;
A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency.
from enum value: EXTERNAL_REFERENCE_TYPE_MODEL_CARD = 32;
Use this if no other types accurately describe the purpose of the external reference
buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- other is our fallback, doubling unspecified
from enum value: EXTERNAL_REFERENCE_TYPE_OTHER = 0;
Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test
from enum value: EXTERNAL_REFERENCE_TYPE_PENTEST_REPORT = 23;
Plans of Action and Milestones (POAM) complement an "attestation" external reference. POAM is defined by NIST as a "document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones".
from enum value: EXTERNAL_REFERENCE_TYPE_POAM = 33;
Report or system in which quality metrics can be obtained
from enum value: EXTERNAL_REFERENCE_TYPE_QUALITY_METRICS = 30;
Document that complies with RFC-9116 (A File Format to Aid in Security Vulnerability Disclosure)
from enum value: EXTERNAL_REFERENCE_TYPE_RFC_9116 = 41;
Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. Risk assessments may also include judgments on the tolerability of each risk.
from enum value: EXTERNAL_REFERENCE_TYPE_RISK_ASSESSMENT = 19;
Report generated by analyzing the call stack of a running application
from enum value: EXTERNAL_REFERENCE_TYPE_RUNTIME_ANALYSIS_REPORT = 26;
Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT.
from enum value: EXTERNAL_REFERENCE_TYPE_SECURITY_CONTACT = 15;
Social media account
from enum value: EXTERNAL_REFERENCE_TYPE_SOCIAL = 7;
The location where the source code distributable can be obtained. This is often an archive format such as zip or tar.gz. The source-distribution type complements the use of the version control (vcs) type.
from enum value: EXTERNAL_REFERENCE_TYPE_SOURCE_DISTRIBUTION = 38;
SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code
from enum value: EXTERNAL_REFERENCE_TYPE_STATIC_ANALYSIS_REPORT = 24;
Community or commercial support
from enum value: EXTERNAL_REFERENCE_TYPE_SUPPORT = 10;
An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format
from enum value: EXTERNAL_REFERENCE_TYPE_THREAT_MODEL = 17;
Version Control System
from enum value: EXTERNAL_REFERENCE_TYPE_VCS = 1;
A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product
from enum value: EXTERNAL_REFERENCE_TYPE_VULNERABILITY_ASSERTION = 21;
Website
from enum value: EXTERNAL_REFERENCE_TYPE_WEBSITE = 3;
Generated
from enum cyclonedx.v1_6.ExternalReferenceType