Vulnerability

avidtools.datamodels.vulnerability

A vulnerability (vuln) is high-level evidence of an AI failure mode, in line with the NIST CVEs. Vulnerabilities are linked to the taxonomy through multiple tags that denote the AI risk domains (Security, Ethics, Performance) the vulnerability pertains to, the (sub)categories under each domain, and the AI lifecycle stages.

Class definitions for AVID vulnerability.

pydantic model VulnMetadata

Metadata class for a vulnerability.

JSON schema:
{
   "title": "VulnMetadata",
   "description": "Metadata class for a vulnerability.",
   "type": "object",
   "properties": {
      "vuln_id": {
         "title": "Vuln Id",
         "type": "string"
      }
   },
   "required": [
      "vuln_id"
   ]
}

Fields:
field vuln_id: str [Required]

pydantic model ReportSummary

Summary of a report connected to a vuln.

JSON schema:
{
   "title": "ReportSummary",
   "description": "Summary of a report connected to a vuln.",
   "type": "object",
   "properties": {
      "report_id": {
         "title": "Report Id",
         "type": "string"
      },
      "type": {
         "$ref": "#/definitions/TypeEnum"
      },
      "name": {
         "title": "Name",
         "type": "string"
      }
   },
   "required": [
      "report_id",
      "type",
      "name"
   ],
   "definitions": {
      "TypeEnum": {
         "title": "TypeEnum",
         "description": "All report/vulnerability types.",
         "enum": [
            "Issue",
            "Advisory",
            "Measurement",
            "Detection"
         ],
         "type": "string"
      }
   }
}

Fields:
field report_id: str [Required]
field type: TypeEnum [Required]
field name: str [Required]

pydantic model Vulnerability

Top-level class to store an AVID vulnerability.

JSON schema:
{
   "title": "Vulnerability",
   "description": "Top-level class to store an AVID vulnerability.",
   "type": "object",
   "properties": {
      "data_type": {
         "title": "Data Type",
         "default": "AVID",
         "type": "string"
      },
      "data_version": {
         "title": "Data Version",
         "type": "string"
      },
      "metadata": {
         "$ref": "#/definitions/VulnMetadata"
      },
      "affects": {
         "$ref": "#/definitions/Affects"
      },
      "problemtype": {
         "$ref": "#/definitions/Problemtype"
      },
      "references": {
         "title": "References",
         "type": "array",
         "items": {
            "$ref": "#/definitions/Reference"
         }
      },
      "description": {
         "$ref": "#/definitions/LangValue"
      },
      "reports": {
         "title": "Reports",
         "type": "array",
         "items": {
            "$ref": "#/definitions/ReportSummary"
         }
      },
      "impact": {
         "$ref": "#/definitions/Impact"
      },
      "credit": {
         "title": "Credit",
         "type": "array",
         "items": {
            "$ref": "#/definitions/LangValue"
         }
      },
      "published_date": {
         "title": "Published Date",
         "type": "string",
         "format": "date"
      },
      "last_modified_date": {
         "title": "Last Modified Date",
         "type": "string",
         "format": "date"
      }
   },
   "definitions": {
      "VulnMetadata": {
         "title": "VulnMetadata",
         "description": "Metadata class for a vulnerability.",
         "type": "object",
         "properties": {
            "vuln_id": {
               "title": "Vuln Id",
               "type": "string"
            }
         },
         "required": [
            "vuln_id"
         ]
      },
      "ArtifactTypeEnum": {
         "title": "ArtifactTypeEnum",
         "description": "Whether the artifact is a dataset, model, or system.",
         "enum": [
            "Dataset",
            "Model",
            "System"
         ],
         "type": "string"
      },
      "Artifact": {
         "title": "Artifact",
         "description": "Type and name of an affected artifact.",
         "type": "object",
         "properties": {
            "type": {
               "$ref": "#/definitions/ArtifactTypeEnum"
            },
            "name": {
               "title": "Name",
               "type": "string"
            }
         },
         "required": [
            "type",
            "name"
         ]
      },
      "Affects": {
         "title": "Affects",
         "description": "Information on Artifact(s) affected by this report.",
         "type": "object",
         "properties": {
            "developer": {
               "title": "Developer",
               "type": "array",
               "items": {
                  "type": "string"
               }
            },
            "deployer": {
               "title": "Deployer",
               "type": "array",
               "items": {
                  "type": "string"
               }
            },
            "artifacts": {
               "title": "Artifacts",
               "type": "array",
               "items": {
                  "$ref": "#/definitions/Artifact"
               }
            }
         },
         "required": [
            "developer",
            "deployer",
            "artifacts"
         ]
      },
      "ClassEnum": {
         "title": "ClassEnum",
         "description": "All report/vulnerability classes.",
         "enum": [
            "AIID Incident",
            "ATLAS Case Study",
            "CVE Entry",
            "LLM Evaluation",
            "Undefined"
         ],
         "type": "string"
      },
      "TypeEnum": {
         "title": "TypeEnum",
         "description": "All report/vulnerability types.",
         "enum": [
            "Issue",
            "Advisory",
            "Measurement",
            "Detection"
         ],
         "type": "string"
      },
      "LangValue": {
         "title": "LangValue",
         "description": "Generic class to store a string with its language specified.",
         "type": "object",
         "properties": {
            "lang": {
               "title": "Lang",
               "type": "string"
            },
            "value": {
               "title": "Value",
               "type": "string"
            }
         },
         "required": [
            "lang",
            "value"
         ]
      },
      "Problemtype": {
         "title": "Problemtype",
         "description": "Description of the problem a report/vuln is concerned with.",
         "type": "object",
         "properties": {
            "classof": {
               "$ref": "#/definitions/ClassEnum"
            },
            "type": {
               "$ref": "#/definitions/TypeEnum"
            },
            "description": {
               "$ref": "#/definitions/LangValue"
            }
         },
         "required": [
            "classof",
            "description"
         ]
      },
      "Reference": {
         "title": "Reference",
         "description": "Details for a reference of a report/vulnerability.",
         "type": "object",
         "properties": {
            "type": {
               "title": "Type",
               "type": "string"
            },
            "label": {
               "title": "Label",
               "type": "string"
            },
            "url": {
               "title": "Url",
               "type": "string"
            }
         },
         "required": [
            "label",
            "url"
         ]
      },
      "ReportSummary": {
         "title": "ReportSummary",
         "description": "Summary of a report connected to a vuln.",
         "type": "object",
         "properties": {
            "report_id": {
               "title": "Report Id",
               "type": "string"
            },
            "type": {
               "$ref": "#/definitions/TypeEnum"
            },
            "name": {
               "title": "Name",
               "type": "string"
            }
         },
         "required": [
            "report_id",
            "type",
            "name"
         ]
      },
      "SepEnum": {
         "title": "SepEnum",
         "description": "All (sub)categories of the SEP view of the AVID taxonomy.",
         "enum": [
            "S0100: Software Vulnerability",
            "S0200: Supply Chain Compromise",
            "S0201: Model Compromise",
            "S0202: Software Compromise",
            "S0300: Over-permissive API",
            "S0301: Information Leak",
            "S0302: Excessive Queries",
            "S0400: Model Bypass",
            "S0401: Bad Features",
            "S0402: Insufficient Training Data",
            "S0403: Adversarial Example",
            "S0500: Exfiltration",
            "S0501: Model inversion",
            "S0502: Model theft",
            "S0600: Data Poisoning",
            "S0601: Ingest Poisoning",
            "E0100: Bias/ Discrimination",
            "E0101: Group fairness",
            "E0102: Individual fairness",
            "E0200: Explainability",
            "E0201: Global explanations",
            "E0202: Local explanations",
            "E0300: User actions",
            "E0301: Toxicity",
            "E0302: Polarization/ Exclusion",
            "E0400: Misinformation",
            "E0401: Deliberative Misinformation",
            "E0402: Generative Misinformation",
            "P0100: Data issues",
            "P0101: Data drift",
            "P0102: Concept drift",
            "P0103: Data entanglement",
            "P0104: Data quality issues",
            "P0105: Feedback loops",
            "P0200: Model issues",
            "P0201: Resilience/ Stability",
            "P0202: OOD generalization",
            "P0203: Scaling",
            "P0204: Accuracy",
            "P0300: Privacy",
            "P0301: Anonymization",
            "P0302: Randomization",
            "P0303: Encryption",
            "P0400: Safety",
            "P0401: Psychological Safety",
            "P0402: Physical safety",
            "P0403: Socioeconomic safety",
            "P0404: Environmental safety"
         ],
         "type": "string"
      },
      "LifecycleEnum": {
         "title": "LifecycleEnum",
         "description": "All (sub)categories of the lifecycle view of the AVID taxonomy.",
         "enum": [
            "L01: Business Understanding",
            "L02: Data Understanding",
            "L03: Data Preparation",
            "L04: Model Development",
            "L05: Evaluation",
            "L06: Deployment"
         ],
         "type": "string"
      },
      "AvidTaxonomy": {
         "title": "AvidTaxonomy",
         "description": "AVID taxonomy mappings of a report/vulnerability.",
         "type": "object",
         "properties": {
            "vuln_id": {
               "title": "Vuln Id",
               "type": "string"
            },
            "risk_domain": {
               "title": "Risk Domain",
               "type": "array",
               "items": {
                  "type": "string"
               }
            },
            "sep_view": {
               "type": "array",
               "items": {
                  "$ref": "#/definitions/SepEnum"
               }
            },
            "lifecycle_view": {
               "type": "array",
               "items": {
                  "$ref": "#/definitions/LifecycleEnum"
               }
            },
            "taxonomy_version": {
               "title": "Taxonomy Version",
               "type": "string"
            }
         },
         "required": [
            "risk_domain",
            "sep_view",
            "lifecycle_view",
            "taxonomy_version"
         ]
      },
      "Impact": {
         "title": "Impact",
         "description": "Impact information of a report/vulnerability, e.g. different taxonomy mappings, harm and severity scores.",
         "type": "object",
         "properties": {
            "avid": {
               "$ref": "#/definitions/AvidTaxonomy"
            }
         },
         "required": [
            "avid"
         ]
      }
   }
}

Fields:
field data_type: str = 'AVID'

Namespace for the report. Set to AVID by default; change this only if you're adopting these datamodels to stand up your own vulnerability database.

field data_version: str = None

Latest version of the data.

field metadata: VulnMetadata = None

Metadata for the vuln.

field affects: Affects = None

Information on Artifact(s) affected by this report.

field problemtype: Problemtype = None

Description of the problem a report is concerned with.

field references: List[Reference] = None

References and their details.

field description: LangValue = None

High-level description.

field reports: List[ReportSummary] = None

Brief summary of all reports connected to a vuln.

field impact: Impact = None

Impact information, e.g. different taxonomy mappings, harm and severity scores.

field credit: List[LangValue] = None

People credited for this vuln.

field published_date: date = None

Date published.

field last_modified_date: date = None

Date last modified.
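The schema above can be enforced on untrusted JSON before a record is loaded. The following is an added example, not avidtools code, that checks the `reports` array using only the standard library. `validate`, `VULN_SCHEMA` and the sample records are names and data constructed for this illustration; the schema is a trimmed copy of the one shown above.

```python
# Added example (not avidtools code): checker for the JSON Schema subset used above.
# Trimmed copy of the page's Vulnerability schema: only "reports" and what it references.
VULN_SCHEMA = {
    "type": "object",
    "properties": {
        "reports": {"type": "array", "items": {"$ref": "#/definitions/ReportSummary"}},
    },
    "definitions": {
        "TypeEnum": {"enum": ["Issue", "Advisory", "Measurement", "Detection"], "type": "string"},
        "ReportSummary": {
            "type": "object",
            "properties": {
                "report_id": {"type": "string"},
                "type": {"$ref": "#/definitions/TypeEnum"},
                "name": {"type": "string"},
            },
            "required": ["report_id", "type", "name"],
        },
    },
}
_TYPES = {"object": dict, "array": list, "string": str}


def validate(value, schema, root=None, path="$"):
    """Return a list of error strings; an empty list means the value conforms."""
    root = root or schema
    if "$ref" in schema:  # only local "#/definitions/Name" references are supported
        name = schema["$ref"].rsplit("/", 1)[-1]
        return validate(value, root["definitions"][name], root, path)
    expected = _TYPES.get(schema.get("type"))
    if expected and not isinstance(value, expected):
        return [f"{path}: expected {schema['type']}"]
    errors = []
    if "enum" in schema and value not in schema["enum"]:
        errors.append(f"{path}: {value!r} not in enum")
    if isinstance(value, dict):
        errors += [f"{path}.{k}: required field missing"
                   for k in schema.get("required", []) if k not in value]
        for key, sub in schema.get("properties", {}).items():
            if key in value:
                errors += validate(value[key], sub, root, f"{path}.{key}")
    if isinstance(value, list) and "items" in schema:
        for i, item in enumerate(value):
            errors += validate(item, schema["items"], root, f"{path}[{i}]")
    return errors


# Constructed sample records (placeholders, not real AVID entries).
GOOD = {"reports": [{"report_id": "EXAMPLE-R1", "type": "Detection", "name": "sample"}]}
BAD = {"reports": [{"report_id": 42, "type": "Exploit"}, "not-an-object"]}
EMPTY = {}  # conforms: the Vulnerability schema lists no required fields
```

Because the Vulnerability schema declares no `required` list, an empty object conforms, so a consumer that depends on `metadata.vuln_id` has to check for it explicitly.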

save(location)

Save a report as a JSON file.

Parameters:

location (str) – output *.json filename including location.

ingest(report: Report)