{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:406e2fa1-e340-5bd3-86f7-6ed3857806b9",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:pypi/cryptography@3.4.8",
      "type": "library",
      "name": "cryptography",
      "version": "3.4.8",
      "purl": "pkg:pypi/cryptography@3.4.8"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:ceb81488-3d09-5c39-9781-2a24392fd715",
      "id": "CVE-2024-0727",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2024-0727 affects version 3.4.8 of cryptography."
      },
      "affects": [
        {
          "ref": "pkg:pypi/cryptography@3.4.8"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:7506bb52-a443-56af-afe6-012cae28d99f",
      "id": "CVE-2026-26007",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-26007 affects version 3.4.8 of cryptography."
      },
      "affects": [
        {
          "ref": "pkg:pypi/cryptography@3.4.8"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:56d5f361-c277-50f3-a6a4-2d45898b0d14",
      "id": "CVE-2026-34073",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-34073 affects version 3.4.8 of cryptography."
      },
      "affects": [
        {
          "ref": "pkg:pypi/cryptography@3.4.8"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:2eec1a21-43d1-5283-ad1a-def4b034fe33",
      "id": "GHSA-537c-gmf6-5ccf",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability GHSA-537c-gmf6-5ccf does not affect version 3.4.8 of cryptography. The CVE concerns vulnerable OpenSSL bundled in pre-built cryptography WHEELS (binary distributions), not the source code. The target repository (version 3.4.8.post5+tuxcare) contains only cryptography's source code and Python bindings to OpenSSL, but does NOT contain OpenSSL source code or binaries. The CVE explicitly states: 'If you are building cryptography source (sdist) then you are responsible for upgrading your copy of OpenSSL.'"
      },
      "affects": [
        {
          "ref": "pkg:pypi/cryptography@3.4.8"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:99a7c0d3-03cf-5d45-81fd-72caa5f443ed",
      "id": "GHSA-5cpq-8wj7-hf2v",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability GHSA-5cpq-8wj7-hf2v affects version 3.4.8 of cryptography."
      },
      "affects": [
        {
          "ref": "pkg:pypi/cryptography@3.4.8"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:0b7e0f43-eefb-5cea-813f-7dd87ed4e879",
      "id": "GHSA-jm77-qphf-c4w8",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability GHSA-jm77-qphf-c4w8 affects version 3.4.8 of cryptography."
      },
      "affects": [
        {
          "ref": "pkg:pypi/cryptography@3.4.8"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:7e015663-d583-5d21-b94f-29b68461ed58",
      "id": "GHSA-v8gr-m533-ghj9",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability GHSA-v8gr-m533-ghj9 affects version 3.4.8 of cryptography."
      },
      "affects": [
        {
          "ref": "pkg:pypi/cryptography@3.4.8"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:pypi/cryptography@3.4.8"
    }
  ]
}