{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:23c54e26-d396-56bb-809e-779919f23a02",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:composer/kriswallsmith/assetic@1.4.0",
      "type": "library",
      "group": "kriswallsmith",
      "name": "assetic",
      "version": "1.4.0",
      "purl": "pkg:composer/kriswallsmith/assetic@1.4.0"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:88200534-0853-5358-8898-5eba23c6005a",
      "id": "CVE-2024-51736",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2024-51736 affects version 1.4.0 of kriswallsmith/assetic."
      },
      "affects": [
        {
          "ref": "pkg:composer/kriswallsmith/assetic@1.4.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:7e287722-7f6e-59d6-b2de-7bb09a51f28e",
      "id": "CVE-2026-24739",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-24739 does not affect version 1.4.0 of kriswallsmith/assetic. not_affected \u2014 The target repository (Assetic v1.4.0) is not affected by CVE-2026-24739. While Assetic uses Symfony ProcessBuilder to spawn processes and declares symfony/process as a dependency, the vulnerable code (ProcessBuilder's argument escaping logic) does not exist within this repository. The vulnerability is present only in the external symfony/process dependency package, not in Assetic's own codebase."
      },
      "affects": [
        {
          "ref": "pkg:composer/kriswallsmith/assetic@1.4.0"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:composer/kriswallsmith/assetic@1.4.0"
    }
  ]
}