Enumeration ExternalReferenceType

The defined assumptions, goals, and capabilities of an adversary.

Security advisories

Human or machine-readable statements containing facts, evidence, or testimony

Bill-of-material document (CycloneDX, SPDX, SWID, etc)

Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)

URL to an automated build system

Industry, regulatory, or other certification from an accredited (if applicable) certification body

Real-time chat platform

Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC)

Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis

Parameters or settings that may be used by other components or services.

Direct or repository download location

The location where a component was published to. This is often the same as "distribution" but may also include specialized publishing processes that act as an intermediary

Documentation, guides, or how-to instructions

Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations

Information used to substantiate a claim.

A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization

Describes how a component or service was manufactured or deployed.

Issue or defect tracking system, or an Application Lifecycle Management (ALM) system

The URL to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness

A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations.

Mailing list or discussion group

Report containing a formal assessment of an organization, business unit, or team against a maturity model

A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency.

Use this if no other types accurately describe the purpose of the external reference

Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test

Plans of Action and Milestones (POAM) compliment an "attestation" external reference. POAM is defined by NIST as a "document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones".

Report or system in which quality metrics can be obtained

Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. Risk assessments may also include judgments on the tolerability of each risk.

Report generated by analyzing the call stack of a running application

Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501]) that specifies the records containing DNS Security TXT.

Social media account

SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code

Community or commercial support

An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format

Version Control System

A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product

Website