CycloneDX
diff --git a/‎schema/bom-1.5.proto‎
Lines changed: 14 additions & 1 deletion b/‎schema/bom-1.5.proto‎
Lines changed: 14 additions & 1 deletion
diff --git a/‎schema/bom-1.5.schema.json‎
Lines changed: 30 additions & 2 deletions b/‎schema/bom-1.5.schema.json‎
Lines changed: 30 additions & 2 deletions
diff --git a/‎schema/bom-1.5.xsd‎
Lines changed: 37 additions & 2 deletions b/‎schema/bom-1.5.xsd‎
Lines changed: 37 additions & 2 deletions
@@ -701,7 +701,7 @@ message Vulnerability {
   repeated int32 cwes = 6;
   // A description of the vulnerability as provided by the source.
   optional string description = 7;
-  // If available, an in-depth description of the vulnerability as provided by the source organization. Details often include examples, proof-of-concepts, and other information useful in understanding root cause.
+  // If available, an in-depth description of the vulnerability as provided by the source organization. Details often include information useful in understanding root cause.
   optional string detail = 8;
   // Recommendations of how the vulnerability can be remediated or mitigated.
   optional string recommendation = 9;
@@ -725,6 +725,19 @@ message Vulnerability {
   repeated Property properties = 18;
   // The date and time (timestamp) when the vulnerability record was rejected (if applicable).
   optional google.protobuf.Timestamp rejected = 19;
+  // Evidence used to reproduce the vulnerability.
+  optional ProofOfConcept proofOfConcept = 20;
+  // A bypass, usually temporary, of the vulnerability that reduces its likelihood and/or impact. Workarounds often involve changes to configuration or deployments.
+  optional string workaround = 21;
+}
+
+message ProofOfConcept {
+  // Precise steps to reproduce the vulnerability.
+  optional string reproductionSteps = 1;
+  // A description of the environment in which reproduction was possible.
+  optional string environment = 2;
+  // Supporting material that helps in reproducing or understanding how reproduction is possible. This may include screenshots, payloads, and PoC exploit code.
+  repeated AttachedText supportingMaterial = 3;
 }
 
 message VulnerabilityReference {
 
@@ -1912,13 +1912,41 @@
         "detail": {
           "type": "string",
           "title": "Details",
-          "description": "If available, an in-depth description of the vulnerability as provided by the source organization. Details often include examples, proof-of-concepts, and other information useful in understanding root cause."
+          "description": "If available, an in-depth description of the vulnerability as provided by the source organization. Details often include information useful in understanding root cause."
         },
         "recommendation": {
           "type": "string",
-          "title": "Details",
+          "title": "Recommendation",
           "description": "Recommendations of how the vulnerability can be remediated or mitigated."
         },
+        "workaround": {
+          "type": "string",
+          "title": "Workarounds",
+          "description": "A bypass, usually temporary, of the vulnerability that reduces its likelihood and/or impact. Workarounds often involve changes to configuration or deployments."
+        },
+        "proofOfConcept": {
+          "type": "object",
+          "title": "Proof of Concept",
+          "description": "Evidence used to reproduce the vulnerability.",
+          "properties": {
+            "reproductionSteps": {
+              "type": "string",
+              "title": "Steps to Reproduce",
+              "description": "Precise steps to reproduce the vulnerability."
+            },
+            "environment": {
+              "type": "string",
+              "title": "Environment",
+              "description": "A description of the environment in which reproduction was possible."
+            },
+            "supportingMaterial": {
+              "type": "array",
+              "title": "Supporting Material",
+              "description": "Supporting material that helps in reproducing or understanding how reproduction is possible. This may include screenshots, payloads, and PoC exploit code.",
+              "items": { "$ref": "#/definitions/attachment" }
+            }
+          }
+        },
         "advisories": {
           "type": "array",
           "title": "Advisories",
 
@@ -2477,15 +2477,50 @@ limitations under the License.
             <xs:element name="detail" type="xs:string" minOccurs="0" maxOccurs="1">
                 <xs:annotation>
                     <xs:documentation>If available, an in-depth description of the vulnerability as provided by the
-                        source organization. Details often include examples, proof-of-concepts, and other information
-                        useful in understanding root cause.</xs:documentation>
+                        source organization. Details often include information useful in understanding root cause.</xs:documentation>
                 </xs:annotation>
             </xs:element>
             <xs:element name="recommendation" type="xs:string" minOccurs="0" maxOccurs="1">
                 <xs:annotation>
                     <xs:documentation>Recommendations of how the vulnerability can be remediated or mitigated.</xs:documentation>
                 </xs:annotation>
             </xs:element>
+            <xs:element name="workaround" type="xs:string" minOccurs="0" maxOccurs="1">
+                <xs:annotation>
+                    <xs:documentation>A bypass, usually temporary, of the vulnerability that reduces its likelihood and/or impact. Workarounds often involve changes to configuration or deployments.</xs:documentation>
+                </xs:annotation>
+            </xs:element>
+            <xs:element name="proofOfConcept" minOccurs="0" maxOccurs="1">
+                <xs:complexType>
+                    <xs:annotation>
+                        <xs:documentation xml:lang="en">
+                            Evidence used to reproduce the vulnerability.
+                        </xs:documentation>
+                    </xs:annotation>
+                    <xs:sequence>
+                        <xs:element name="reproductionSteps" type="xs:string" minOccurs="0" maxOccurs="1">
+                                <xs:annotation>
+                                    <xs:documentation>Precise steps to reproduce the vulnerability.</xs:documentation>
+                                </xs:annotation>
+                        </xs:element>
+                        <xs:element name="environment" type="xs:string" minOccurs="0" maxOccurs="1">
+                            <xs:annotation>
+                                <xs:documentation>A description of the environment in which reproduction was possible.</xs:documentation>
+                            </xs:annotation>
+                        </xs:element>
+                        <xs:element name="supportingMaterial" minOccurs="0" maxOccurs="1">
+                            <xs:annotation>
+                                <xs:documentation>Supporting material that helps in reproducing or understanding how reproduction is possible. This may include screenshots, payloads, and PoC exploit code.</xs:documentation>
+                            </xs:annotation>
+                            <xs:complexType>
+                                <xs:sequence>
+                                    <xs:element name="attachment" type="bom:attachedTextType" minOccurs="0" maxOccurs="unbounded" />
+                                </xs:sequence>
+                            </xs:complexType>
+                        </xs:element>
+                    </xs:sequence>
+                </xs:complexType>
+            </xs:element>
             <xs:element name="advisories" minOccurs="0" maxOccurs="1">
                 <xs:complexType>
                     <xs:annotation>