From 868b769f169b9ff6f29f7755e775e5a9a70f0cd6 Mon Sep 17 00:00:00 2001 From: ccoffin Date: Wed, 2 Oct 2024 11:19:50 -0500 Subject: [PATCH 01/12] adding SSVC v1.0.1 production schema to the CVE Record metrics block. --- schema/CVE_Record_Format.json | 4 ++ schema/imports/ssvc/ssvc-v1.0.1.json | 101 +++++++++++++++++++++++++++ 2 files changed, 105 insertions(+) create mode 100644 schema/imports/ssvc/ssvc-v1.0.1.json diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json index f74450c32c..2501321685 100644 --- a/schema/CVE_Record_Format.json +++ b/schema/CVE_Record_Format.json @@ -859,6 +859,9 @@ { "required": ["cvssV2_0"] }, + { + "required": ["ssvcV1_0_1"] + }, { "required": ["other"] } @@ -898,6 +901,7 @@ "cvssV3_1": {"$ref": "file:imports/cvss/cvss-v3.1.json"}, "cvssV3_0": {"$ref": "file:imports/cvss/cvss-v3.0.json"}, "cvssV2_0": {"$ref": "file:imports/cvss/cvss-v2.0.json"}, + "ssvcV1_0_1": {"$ref": "file:imports/ssvc/ssvc-v1.0.1.json"}, "other": { "type": "object", "description": "A non-standard impact description, may be prose or JSON block.", diff --git a/schema/imports/ssvc/ssvc-v1.0.1.json b/schema/imports/ssvc/ssvc-v1.0.1.json new file mode 100644 index 0000000000..b15800d872 --- /dev/null +++ b/schema/imports/ssvc/ssvc-v1.0.1.json 
@@ -0,0 +1,101 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json", + "definitions": { + "id": { + "type": "string", + "description": "Identifier for a vulnerability could be CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.", + "examples": ["CVE-2024-101010","VU#11111","GHSA-11a1-22b2-33c3"] + }, + "role": { + "type": "string", + "description": "Roles to define SSVC Stakeholders https://certcc.github.io/SSVC/topics/enumerating_stakeholders/", + "examples": ["Supplier","Deployer","Coordinator"] + }, + "timestamp" : { + "description": "Date and time in ISO format ISO 8601 format", + "type": "string", + "format": "date-time" + }, + "schemaVersion": { + "description": "Schema version used to represent this evaluation", + "type": "string", + "enum": ["1-0-1"] + }, + "SsvcdecisionpointselectionSchema": { + "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability", + "properties": { + "name": { + "description": "Name of the Decision Point that were evaluated", + "title": "name", + "type": "string", + "examples": ["Automatable", "Exploitation"] + }, + "namespace": { + "description": "SSVC Namespace that were used for defining the evaluated Decision Points", + "title": "namespace", + "type": "string", + "examples": ["ssvc","cvvsv4"] + }, + "values": { + "description": "Evaluated values of the Decision Point", + "title": "values", + "type": "array", + "minItems": 1, + "items": { + "description": "Each value that were down-selected for a Decision Point", + "title": "values", + "type": "string" + } + }, + "version": { + "description": "Version of the Decision Points that were evaluated", + "title": "version", + "type": "string" + } + }, + "type": "object", + "required": [ + "name", + "namespace", + "values", + "version" + ], + "additionalProperties": false + }, + 
"SsvcdecisionpointgroupselectionSchema": { + "properties": { + "id": { + "$ref": "#/definitions/id" + }, + "role": { + "$ref": "#/definitions/role" + }, + "schemaVersion": { + "$ref": "#/definitions/schemaVersion" + }, + "timestamp": { + "$ref": "#/definitions/timestamp" + }, + "selections": { + "description" : "An array of Decision Points and their Values that were down-selected or evaluated ", + "title": "selections", + "type": "array", + "minItems": 1, + "items": { + "$ref": "#/definitions/SsvcdecisionpointselectionSchema" + } + } + }, + "type": "object", + "required": [ + "selections", + "id", + "timestamp", + "schemaVersion" + ], + "additionalProperties": false + } + }, + "$ref": "#/definitions/SsvcdecisionpointgroupselectionSchema" +} From 54fbea8afc49f2375bb9e858552d40427ae3a977 Mon Sep 17 00:00:00 2001 From: ccoffin Date: Fri, 4 Oct 2024 10:30:44 -0500 Subject: [PATCH 02/12] added properties to root of schema to fix definition reference issue. --- schema/imports/ssvc/ssvc-v1.0.1.json | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/schema/imports/ssvc/ssvc-v1.0.1.json b/schema/imports/ssvc/ssvc-v1.0.1.json index b15800d872..77f9b5adb6 100644 --- a/schema/imports/ssvc/ssvc-v1.0.1.json +++ b/schema/imports/ssvc/ssvc-v1.0.1.json @@ -97,5 +97,9 @@ "additionalProperties": false } }, - "$ref": "#/definitions/SsvcdecisionpointgroupselectionSchema" + "properties": { + "SsvcdecisionpointgroupselectionSchema": { + "$ref": "#/definitions/SsvcdecisionpointgroupselectionSchema" + } + } } From 54f561c4fc8d1595de9039314b5dd43979cbe4a3 Mon Sep 17 00:00:00 2001 From: ccoffin Date: Fri, 4 Oct 2024 10:48:57 -0500 Subject: [PATCH 03/12] added object type to properties. --- schema/imports/ssvc/ssvc-v1.0.1.json | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/schema/imports/ssvc/ssvc-v1.0.1.json b/schema/imports/ssvc/ssvc-v1.0.1.json index 77f9b5adb6..f5b1ae3e98 100644 --- a/schema/imports/ssvc/ssvc-v1.0.1.json 
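Review bot: Every string this schema accepts (`id`, `role`, `name`, `namespace`, each entry of `values`, `version`) has no `maxLength`, while the record schema bounds other CNA-supplied strings (the CPE definitions later in this series use `"maxLength": 2048`), so an SSVC block can carry arbitrarily large payloads into CVE Services; suggest `"minLength": 1` plus a `maxLength` on each, and `"uniqueItems": true` on `values`. `timestamp` relies only on `"format": "date-time"`, which draft-07 validators treat as an annotation unless format assertion is switched on, so a non-date string may pass — a `pattern` matching whatever the record's own timestamp definition uses (not visible here) would make this explicit. `id` is free text with no pattern, so nothing ties it to the record's `cveId`; if they are meant to agree, that check has to be enforced by CVE Services rather than this schema. The descriptions also read oddly (`"Name of the Decision Point that were evaluated"`), e.g. `"Name of the Decision Point that was evaluated"`.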
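Review bot: Replacing the root `$ref` with `"properties": { "SsvcdecisionpointgroupselectionSchema": { "$ref": ... } }` changes what the file validates: the root now declares no `type`, `required` or `additionalProperties`, and the group-selection definition only applies when the instance contains a key literally named `SsvcdecisionpointgroupselectionSchema`. Referenced from the metrics block as in PATCH 01, that means `"ssvcV1_0_1": {}` or any other object satisfies the `anyOf` branch and nothing about selections, id or timestamp is checked. If the parser cannot handle a root-level `$ref`, inline the definition's `properties`, `required` and `additionalProperties` at the root instead of wrapping it in a property.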
+++ b/schema/imports/ssvc/ssvc-v1.0.1.json @@ -99,7 +99,10 @@ }, "properties": { "SsvcdecisionpointgroupselectionSchema": { - "$ref": "#/definitions/SsvcdecisionpointgroupselectionSchema" + "type": "object", + "items": { + "$ref": "#/definitions/SsvcdecisionpointgroupselectionSchema" + } } } } From 1b1ae14c9d7be95f8919feb32ce4ce1cdc6dd6da Mon Sep 17 00:00:00 2001 From: ccoffin Date: Fri, 4 Oct 2024 11:22:07 -0500 Subject: [PATCH 04/12] removed and value and added type object to root. --- schema/imports/ssvc/ssvc-v1.0.1.json | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/schema/imports/ssvc/ssvc-v1.0.1.json b/schema/imports/ssvc/ssvc-v1.0.1.json index f5b1ae3e98..4643a01f17 100644 --- a/schema/imports/ssvc/ssvc-v1.0.1.json +++ b/schema/imports/ssvc/ssvc-v1.0.1.json @@ -1,6 +1,5 @@ { "$schema": "http://json-schema.org/draft-07/schema#", - "$id": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json", "definitions": { "id": { "type": "string", @@ -97,12 +96,10 @@ "additionalProperties": false } }, + "type": "object", "properties": { "SsvcdecisionpointgroupselectionSchema": { - "type": "object", - "items": { - "$ref": "#/definitions/SsvcdecisionpointgroupselectionSchema" - } + "$ref": "#/definitions/SsvcdecisionpointgroupselectionSchema" } } } From 9e5c220a49c509590fdd7037a24912c8cf8c9f96 Mon Sep 17 00:00:00 2001 From: Vijay Sarvepalli Date: Fri, 4 Oct 2024 15:22:16 -0400 Subject: [PATCH 05/12] Updated SSVC schema with examples due to bug in json-schema-parser for root circular reference --- schema/docs/CVE_Record_Format_bundled.json | 120 +++++++++++++++++- schema/docs/full-record-advanced-example.json | 38 +++++- schema/imports/ssvc/ssvc-v1.0.1.json | 17 +-- .../support/schema2markmap/schema-bundle.js | 2 +- 4 files changed, 156 insertions(+), 21 deletions(-) diff --git a/schema/docs/CVE_Record_Format_bundled.json b/schema/docs/CVE_Record_Format_bundled.json index 4b8f98b4cf..b4447e1ebe 100644 
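Review bot: Adding `"type": "object"` at the root only rejects non-objects; the root still lists no `required` keys and no `"additionalProperties": false`, and the real constraints remain behind an optional property named `SsvcdecisionpointgroupselectionSchema`, so `"ssvcV1_0_1": {}` still validates and an SSVC metric entry can be published with no content. Dropping `$id` here also means the intermediate `"items"` keyword from the previous patch is gone, which is fine — `items` has no effect on an object schema. The fix is still to hoist the definition's `properties`, `required` and `additionalProperties` to the root rather than nesting them.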
--- a/schema/docs/CVE_Record_Format_bundled.json +++ b/schema/docs/CVE_Record_Format_bundled.json @@ -973,6 +973,11 @@ "cvssV2_0" ] }, + { + "required": [ + "ssvcV1_0_1" + ] + }, { "required": [ "other" 
@@ -3057,6 +3062,119 @@ ], "additionalProperties": false }, + "ssvcV1_0_1": { + "$schema": "http://json-schema.org/draft-07/schema#", + "definitions": { + "id": { + "type": "string", + "description": "Identifier for a vulnerability could be CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.", + "examples": [ + "CVE-2024-101010", + "VU#11111", + "GHSA-11a1-22b2-33c3" + ] + }, + "role": { + "type": "string", + "description": "Roles to define SSVC Stakeholders https://certcc.github.io/SSVC/topics/enumerating_stakeholders/", + "examples": [ + "Supplier", + "Deployer", + "Coordinator" + ] + }, + "timestamp": { + "description": "Date and time in ISO format ISO 8601 format", + "type": "string", + "format": "date-time" + }, + "schemaVersion": { + "description": "Schema version used to represent this evaluation", + "type": "string", + "enum": [ + "1-0-1" + ] + }, + "SsvcdecisionpointselectionSchema": { + "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability", + "properties": { + "name": { + "description": "Name of the Decision Point that were evaluated", + "title": "name", + "type": "string", + "examples": [ + "Automatable", + "Exploitation" + ] + }, + "namespace": { + "description": "SSVC Namespace that were used for defining the evaluated Decision Points", + "title": "namespace", + "type": "string", + "examples": [ + "ssvc", + "cvvsv4" + ] + }, + "values": { + "description": "Evaluated values of the Decision Point", + "title": "values", + "type": "array", + "minItems": 1, + "items": { + "description": "Each value that were down-selected for a Decision Point", + "title": "values", + "type": "string" + } + }, + "version": { + "description": "Version of the Decision Points that were evaluated", + "title": "version", + "type": "string" + } + }, + "type": "object", + "required": [ + "name", + "namespace", + "values", + "version" + ], + "additionalProperties": false + } + }, + "properties": { + "id": { + "$ref": 
"#/definitions/metrics/items/properties/ssvcV1_0_1/definitions/id" + }, + "role": { + "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/definitions/role" + }, + "schemaVersion": { + "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/definitions/schemaVersion" + }, + "timestamp": { + "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/definitions/timestamp" + }, + "selections": { + "description": "An array of Decision Points and their Values that were down-selected or evaluated ", + "title": "selections", + "type": "array", + "minItems": 1, + "items": { + "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/definitions/SsvcdecisionpointselectionSchema" + } + } + }, + "type": "object", + "required": [ + "selections", + "id", + "timestamp", + "schemaVersion" + ], + "additionalProperties": false + }, "other": { "type": "object", "description": "A non-standard impact description, may be prose or JSON block.", @@ -3414,4 +3532,4 @@ "additionalProperties": false } ] -} \ No newline at end of file +} diff --git a/schema/docs/full-record-advanced-example.json b/schema/docs/full-record-advanced-example.json index da1532278c..cce1ba7938 100644 --- a/schema/docs/full-record-advanced-example.json +++ b/schema/docs/full-record-advanced-example.json @@ -14,7 +14,7 @@ "providerMetadata": { "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", "shortName": "example", - "dateUpdated": "2021-09-08T16:24:00.000Z" + "dateUpdated": "2021-09-08T16:24:00.000Z" }, "title": "Buffer overflow in Example Enterprise allows Privilege Escalation.", "datePublic": "2021-09-08T16:24:00.000Z", 
@@ -111,15 +111,15 @@ }, { "lang": "eo", - "value": "OS-komand-injekta vundebleco parseFilename funkcio de example.php en la Web Administrado-Interfaco de Example.org Example Enterprise ĉe Windows, macOS kaj XT-4500 permesas al malproksimaj neaŭtentikigitaj atakantoj eskaladi privilegiojn. Ĉi tiu afero efikas: 1.0-versioj antaŭ 1.0.6, 2.1-versioj de 2.16 ĝis 2.1.9.", + "value": "OS-komand-injekta vundebleco parseFilename funkcio de example.php en la Web Administrado-Interfaco de Example.org Example Enterprise \u0109e Windows, macOS kaj XT-4500 permesas al malproksimaj nea\u016dtentikigitaj atakantoj eskaladi privilegiojn. \u0108i tiu afero efikas: 1.0-versioj anta\u016d 1.0.6, 2.1-versioj de 2.16 \u011dis 2.1.9.", "supportingMedia": [ { "type": "text/html", "base64": false, - "value": "OS-komand-injekta vundebleco parseFilename funkcio de example.php en la Web Administrado-Interfaco de Example.org Example Enterprise ĉe Windows, macOS kaj XT-4500 permesas al malproksimaj neaŭtentikigitaj atakantoj eskaladi privilegiojn.

Ĉi tiu afero efikas:
  • 1.0-versioj antaŭ 1.0.6
  • 2.1-versioj de 2.16 ĝis 2.1.9.
" + "value": "OS-komand-injekta vundebleco parseFilename funkcio de example.php en la Web Administrado-Interfaco de Example.org Example Enterprise \u0109e Windows, macOS kaj XT-4500 permesas al malproksimaj nea\u016dtentikigitaj atakantoj eskaladi privilegiojn.

\u0108i tiu afero efikas:
  • 1.0-versioj anta\u016d 1.0.6
  • 2.1-versioj de 2.16 \u011dis 2.1.9.
" } ] - } + } ], "metrics": [ { @@ -130,11 +130,35 @@ "value": "GENERAL" } ], - "cvssV4_0": { + "ssvcV1_0_1": { + "id": "CVE-1337-1234", + "selections": [ + { + "namespace": "ssvc", + "name": "Exploitation", + "values": [ + "Public PoC", + "Active" + ], + "version": "1.1.0" + }, + { + "namespace": "ssvc", + "name": "Technical Impact", + "values": [ + "Total" + ], + "version": "1.0.0" + } + ], + "timestamp": "1999-04-23T18:25:43.511Z", + "schemaVersion": "1-0-1" + }, + "cvssV4_0": { "baseScore": 7.8, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:L", - "version":"4.0" + "version": "4.0" }, "cvssV3_1": { "version": "3.1", @@ -313,4 +337,4 @@ ] } } -} +} \ No newline at end of file diff --git a/schema/imports/ssvc/ssvc-v1.0.1.json b/schema/imports/ssvc/ssvc-v1.0.1.json index 4643a01f17..41f55cd7eb 100644 --- a/schema/imports/ssvc/ssvc-v1.0.1.json +++ b/schema/imports/ssvc/ssvc-v1.0.1.json @@ -1,5 +1,6 @@ { "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Group_Selection-1-0-1.schema.json", "definitions": { "id": { "type": "string", @@ -61,9 +62,9 @@ "version" ], "additionalProperties": false - }, - "SsvcdecisionpointgroupselectionSchema": { - "properties": { + } + }, + "properties": { "id": { "$ref": "#/definitions/id" }, @@ -85,7 +86,7 @@ "$ref": "#/definitions/SsvcdecisionpointselectionSchema" } } - }, + }, "type": "object", "required": [ "selections", @@ -94,12 +95,4 @@ "schemaVersion" ], "additionalProperties": false - } - }, - "type": "object", - "properties": { - "SsvcdecisionpointgroupselectionSchema": { - "$ref": "#/definitions/SsvcdecisionpointgroupselectionSchema" - } - } } diff --git a/schema/support/schema2markmap/schema-bundle.js b/schema/support/schema2markmap/schema-bundle.js index 7409ce807b..f001d51813 100644 --- a/schema/support/schema2markmap/schema-bundle.js +++ b/schema/support/schema2markmap/schema-bundle.js 
@@ -21,7 +21,7 @@ async function schemaBundle() { delete metricProperties.cvssV3_1.license; delete metricProperties.cvssV3_0.license; delete metricProperties.cvssV2_0.license; - + delete metricProperties.ssvcV1_0_1.$id; fs.writeFile(`${dirName}/CVE_Record_Format.json`, JSON.stringify(cveSchemaBundle, null, 2), From 00989854805b16889a3f7692d2cb809a9eb2f37d Mon Sep 17 00:00:00 2001 From: Vijay Sarvepalli Date: Thu, 24 Oct 2024 12:29:51 -0400 Subject: [PATCH 06/12] Mistake in ID field of SSVC schema JSON --- schema/imports/ssvc/ssvc-v1.0.1.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schema/imports/ssvc/ssvc-v1.0.1.json b/schema/imports/ssvc/ssvc-v1.0.1.json index 41f55cd7eb..6475c100a0 100644 --- a/schema/imports/ssvc/ssvc-v1.0.1.json +++ b/schema/imports/ssvc/ssvc-v1.0.1.json @@ -1,6 +1,6 @@ { "$schema": "http://json-schema.org/draft-07/schema#", - "$id": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Group_Selection-1-0-1.schema.json", + "$id": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json", "definitions": { "id": { "type": "string", From bfe48973c30d8427dc62b419ea2eade777f59e23 Mon Sep 17 00:00:00 2001 From: Vijay Sarvepalli Date: Thu, 24 Oct 2024 12:33:17 -0400 Subject: [PATCH 07/12] Fix the earlier CVE_Record_Format to CVE_Record_Form_bundled --- schema/support/schema2markmap/schema-bundle.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schema/support/schema2markmap/schema-bundle.js b/schema/support/schema2markmap/schema-bundle.js index f001d51813..8c59a9bf7b 100644 --- a/schema/support/schema2markmap/schema-bundle.js +++ b/schema/support/schema2markmap/schema-bundle.js 
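Review bot: The reason for `delete metricProperties.ssvcV1_0_1.$id;` is not stated, and it is not the same reason as the `license` deletions above it: an embedded subschema that keeps its own `$id` rebases its `#/definitions/...` references to the certcc URL instead of the bundle, so the bundler has to strip it (and, as the bundled diff shows, rewrite those refs). A short comment would save the next person from "fixing" it, e.g. `// drop the import's $id: an embedded $id would rebase its "#/definitions" refs away from the bundle`. This list of per-metric deletions is also growing by hand; iterating over `Object.values(metricProperties)` and deleting `license`/`$id` where present would keep future imports from being missed. `schemaBundle` begins before this hunk.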
@@ -23,7 +23,7 @@ async function schemaBundle() { delete metricProperties.cvssV2_0.license; delete metricProperties.ssvcV1_0_1.$id; - fs.writeFile(`${dirName}/CVE_Record_Format.json`, + fs.writeFile(`${dirName}/CVE_Record_Format_bundled.json`, JSON.stringify(cveSchemaBundle, null, 2), err => { if(err) From cf19848ae57b2aea15f77861499e6864d058d021 Mon Sep 17 00:00:00 2001 From: Vijay Sarvepalli Date: Thu, 19 Dec 2024 17:09:56 -0500 Subject: [PATCH 08/12] Fixed spelling mistake in cvss feeback from @ElectricNroff --- schema/imports/ssvc/ssvc-v1.0.1.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schema/imports/ssvc/ssvc-v1.0.1.json b/schema/imports/ssvc/ssvc-v1.0.1.json index 6475c100a0..ca86032e49 100644 --- a/schema/imports/ssvc/ssvc-v1.0.1.json +++ b/schema/imports/ssvc/ssvc-v1.0.1.json @@ -35,7 +35,7 @@ "description": "SSVC Namespace that were used for defining the evaluated Decision Points", "title": "namespace", "type": "string", - "examples": ["ssvc","cvvsv4"] + "examples": ["ssvc","cvssv4"] }, "values": { "description": "Evaluated values of the Decision Point", From 42a70583ada12165cb2cd2a1a4f463194c8c0646 Mon Sep 17 00:00:00 2001 
From: Vijay Sarvepalli Date: Thu, 9 Jan 2025 16:29:40 -0500 Subject: [PATCH 09/12] Merge with cepApplicability that was added --- README.md | 22 ++-- schema/CVE_Record_Format.json | 118 ++++++++++++++++- schema/docs/CVE_Record_Format_bundled.json | 118 ++++++++++++++++- ...d_Format_bundled_cnaRejectedContainer.json | 120 ++++++++++++++++-- .../docs/cnaContainer-advanced-example.json | 43 +++++++ schema/docs/full-record-advanced-example.json | 45 ++++++- schema/support/bundling-scripts/README.md | 47 +++++++ .../bundling-scripts/bundle-script-linux.sh | 14 ++ .../bundling-scripts/bundle-script-win.sh | 13 ++ 9 files changed, 507 insertions(+), 33 deletions(-) create mode 100644 schema/support/bundling-scripts/README.md create mode 100644 schema/support/bundling-scripts/bundle-script-linux.sh create mode 100644 schema/support/bundling-scripts/bundle-script-win.sh diff --git a/README.md b/README.md index 629a16c209..e191b53e73 100644 --- a/README.md +++ b/README.md 
@@ -1,24 +1,26 @@ # Current Version of CVE Record Format -Major changes to cve-schema repo architecture!! if you have integrations that rely on the cve-schema repo structure, please review the changes here. The latest version of the CVE JSON record format is 5.1.0. A single schema file with bundled dependencies is available [here](https://github.com/CVEProject/cve-schema/blob/master/schema/docs/CVE_Record_Format_bundled.json). +Update to cve-schema to provide better support for CPE!! if you have integrations that rely on the cve-schema repo structure, please review the changes here. The latest version of the CVE JSON Record Format is 5.1.1. A single schema file with bundled dependencies is available [here](https://github.com/CVEProject/cve-schema/blob/master/schema/docs/CVE_Record_Format_bundled.json). -Note: The ADP functionality in the current schema is not yet deployed in CVE Services. The ADP functionality is currently under development and is for future use. +Note: The CVE Record Format now supports Authorized Data Publisher (ADP) containers there is one active ADP currently. The CVE Program uses a separate ADP container to provide additional CVE information (e.g., references) for some records. Access this README.md page [here]( +https://github.com/CVEProject/cvelistV5/blob/main/README.md) +for more information about the CVE Program Container. Note: Please refer to the CVE Services page [here](https://www.cve.org/AllResources/CveServices) for known issues with the schema. # CVE Record Format Overview -cve-schema specifies the CVE record format. This is the blueprint for a rich set of JSON data that can be submitted by CVE Numbering Authorities (CNAs) and Authorized Data Publishers (ADPs) to describe a CVE record. Some examples of CVE record data include CVE ID number, affected product(s), affected version(s), and public references. 
While those specific items are required when assigning a CVE, there are many other optional data in the schema that can be used to enrich CVE records for community benefit. +cve-schema specifies the CVE Record Format. This is the blueprint for a rich set of JSON data that can be submitted by CVE Numbering Authorities (CNAs) and Authorized Data Publishers (ADPs) to describe a CVE Record. Some examples of CVE Record data include CVE ID number, affected product(s), affected version(s), and public references. While those specific items are required when assigning a CVE, there are many other optional data in the schema that can be used to enrich CVE Records for community benefit. ### Learn Learn more about the CVE program at: https://www.cve.org/ -This CVE record format is defined using JSON Schema. Learn more about JSON Schema at: https://json-schema.org/ . +This CVE Record Format is defined using JSON Schema. Learn more about JSON Schema at: https://json-schema.org/ . ### Latest -The latest version of the record format is 5.1.0. It is specified in the JSON schema at https://github.com/CVEProject/cve-schema/blob/master/schema/CVE_Record_Format.json +The latest version of the CVE Record Format is 5.1.1. It is specified in the JSON schema at https://github.com/CVEProject/cve-schema/blob/master/schema/CVE_Record_Format.json A single schema file with bundled dependencies is at https://github.com/CVEProject/cve-schema/blob/master/schema/docs/CVE_Record_Format_bundled.json 
@@ -26,16 +28,16 @@ A single schema file with bundled dependencies is at https://github.com/CVEProje Documentation about this format is available at https://cveproject.github.io/cve-schema/schema/docs/ -A mindmap version of the CVE record structure is at https://cveproject.github.io/cve-schema/schema/docs/mindmap.html +A mindmap version of the CVE Record structure is at https://cveproject.github.io/cve-schema/schema/docs/mindmap.html -More details about Product and Version Encodings in CVE JSON 5.1.0 record is at https://github.com/CVEProject/cve-schema/blob/master/schema/docs/versions.md +More details about Product and Version Encodings in the CVE Record Format are at https://github.com/CVEProject/cve-schema/blob/master/schema/docs/versions.md ### Examples -A basic example of a full record in 5.1.0 format with minimally required fields is available at https://github.com/cveproject/cve-schema/blob/master/schema/docs/full-record-basic-example.json +A basic example of a full record in the 5.1.1 format with minimally required fields is available at https://github.com/cveproject/cve-schema/blob/master/schema/docs/full-record-basic-example.json -An advanced example of a full record in 5.1.0 format is available at https://github.com/cveproject/cve-schema/blob/master/schema/docs/full-record-advanced-example.json +An advanced example of a full record in the 5.1.1 format is available at https://github.com/cveproject/cve-schema/blob/master/schema/docs/full-record-advanced-example.json A basic example of a cnaContainer, to be used with CVE Services, is available at https://github.com/cveproject/cve-schema/blob/master/schema/docs/cnaContainer-basic-example.json -An advanced example of a cnaContainer, to be used with CVE Services, is available at https://github.com/cveproject/cve-schema/blob/master/schema/docs/cnaContainer-advanced-example.json \ No newline at end of file +An advanced example of a cnaContainer, to be used with CVE Services, is available at 
https://github.com/cveproject/cve-schema/blob/master/schema/docs/cnaContainer-advanced-example.json diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json index 2501321685..b6e5ad60c8 100644 --- a/schema/CVE_Record_Format.json +++ b/schema/CVE_Record_Format.json @@ -53,6 +53,20 @@ "type": "string", "pattern": "^CVE-[0-9]{4}-[0-9]{4,19}$" }, + "cpe22and23": { + "type": "string", + "description":"Common Platform Enumeration (CPE) Name in either 2.2 or 2.3 format", + "pattern": "([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9._\\-~%]*){0,6})|(cpe:2\\.3:[aho*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){4})", + "minLength": 1, + "maxLength": 2048 + }, + "cpe23": { + "type": "string", + "description":"Common Platform Enumeration (CPE) Name in 2.3 format", + "pattern": "(cpe:2\\.3:[aho*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){4})", + "minLength": 1, + "maxLength": 2048 + }, "orgId": { "description": "A UUID for an organization participating in the CVE program. This UUID can be used to lookup the organization record in the user registry service.", "$ref": "#/definitions/uuidType" 
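Review bot: Both `cpe22and23` and `cpe23` patterns are unanchored, and JSON Schema `pattern` uses search semantics, so a value is accepted as long as the CPE regex matches somewhere inside it — up to 2048 characters of arbitrary text may surround it (`"not a cpe <script> cpe:/a"` validates). `cpe23` is new and becomes the `criteria` consumers will feed into CPE matching, so both patterns should be wrapped as `^(...)$`. The 2.2 alternative also accepts the bare prefix `cpe:/` because `[AHOaho]?` and every component group are optional; if that is intended it belongs in the description. Anchoring the shared 2.2/2.3 pattern tightens what existing `cpes` entries validate, so check the published corpus before changing it.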
@@ -196,15 +210,12 @@ }, "cpes": { "type": "array", - "description": "Affected products defined by CPE. This is an array of CPE values (vulnerable and not), we use an array so that we can make multiple statements about the same version and they are separate (if we used a JSON object we'd essentially be keying on the CPE name and they would have to overlap). Also, this allows things like cveDataVersion or cveDescription to be applied directly to the product entry. This also allows more complex statements such as \"Product X between versions 10.2 and 10.8\" to be put in a machine-readable format. As well since multiple statements can be used multiple branches of the same product can be defined here.", + "description": "Affected products defined by CPE. This is an array of CPE values (vulnerable and not), we use an array so that we can make multiple statements about the same version and they are separate (if we used a JSON object we'd essentially be keying on the CPE name and they would have to overlap). Also, this allows things like cveDataVersion or cveDescription to be applied directly to the product entry. This also allows more complex statements such as \"Product X between versions 10.2 and 10.8\" to be put in a machine-readable format. As well since multiple statements can be used multiple branches of the same product can be defined here. 
NOTE: Consider using the newer cpeApplicability block for defining CPE data using the CPE Applicability Language which includes more options for defining CPE Names.", "uniqueItems": true, "items": { "title": "CPE Name", - "type": "string", "description":"Common Platform Enumeration (CPE) Name in either 2.2 or 2.3 format", - "pattern": "([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9._\\-~%]*){0,6})|(cpe:2\\.3:[aho*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){4})", - "minLength": 1, - "maxLength": 2048 + "$ref": "#/definitions/cpe22and23" } }, "modules": { @@ -364,7 +375,7 @@ "description": "The version of the CVE schema used for validating this record. Used to support multiple versions of this format.", "type": "string", "pattern": "^5\\.(0|[1-9][0-9]*)(\\.(0|[1-9][0-9]*))?$", - "default": "5.1.0" + "default": "5.1.1" }, "cveMetadataPublished": { "description": "This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, the current state (PUBLISHED, REJECTED, etc.) and so on. These fields are controlled by the CVE Services.", 
@@ -487,6 +498,87 @@ "required": ["orgId"], "additionalProperties": false }, + "cpeApplicabilityElement": { + "description": "Affected products defined using an implementation of the CPE Applicability Language, mostly copied/forked from the NIST NVD CVE API v2.0 schema (optional). An operator property allows AND or OR logic between CPEs or combinations of CPEs. The negate and vulnerable Boolean properties allow CPEs to be inverted and/or defined as vulnerable or not. Multiple version fields are provided for capturing ranges of products when defining a CPE Match String Range. NOTE: When defining a cpeApplicability block, it is recommended that it align with (as much as possible) the product data provided within the affected block.", + "properties": { + "operator": { + "type": "string", + "enum": [ + "AND", + "OR" + ] + }, + "negate": { + "type": "boolean" + }, + "nodes": { + "type": "array", + "items": { + "$ref": "#/definitions/cpe_node" + } + } + }, + "required": [ + "nodes" + ] + }, + "cpe_node": { + "description": "Defines a CPE configuration node in an applicability statement.", + "properties": { + "operator": { + "type": "string", + "enum": [ + "AND", + "OR" + ] + }, + "negate": { + "type": "boolean" + }, + "cpeMatch": { + "type": "array", + "items": { + "$ref": "#/definitions/cpe_match" + } + } + }, + "required": [ + "operator", + "cpeMatch" + ] + }, + "cpe_match": { + "description": "CPE match string or range", + "type": "object", + "properties": { + "vulnerable": { + "type": "boolean" + }, + "criteria": { + "$ref": "#/definitions/cpe23" + }, + "matchCriteriaId": { + "$ref": "#/definitions/uuidType" + }, + "versionStartExcluding": { + "$ref": "#/definitions/version" + }, + "versionStartIncluding": { + "$ref": "#/definitions/version" + }, + "versionEndExcluding": { + "$ref": "#/definitions/version" + }, + "versionEndIncluding": { + "$ref": "#/definitions/version" + } + }, + "required": [ + "vulnerable", + "criteria" + ], + "additionalProperties": false + }, 
"cnaPublishedContainer": { "description": "An object containing the vulnerability information provided by a CVE Numbering Authority (CNA) for a published CVE ID. There can only be one CNA container per CVE record since there can only be one assigning CNA. The CNA container must include the required information defined in the CVE Rules, which includes a product, version, problem type, prose description, and a reference.", "type": "object", @@ -514,6 +606,12 @@ "affected": { "$ref": "#/definitions/affected" }, + "cpeApplicability": { + "type": "array", + "items": { + "$ref": "#/definitions/cpeApplicabilityElement" + } + }, "problemTypes": { "$ref": "#/definitions/problemTypes" }, @@ -620,6 +718,12 @@ "affected": { "$ref": "#/definitions/affected" }, + "cpeApplicability": { + "type": "array", + "items": { + "$ref": "#/definitions/cpeApplicabilityElement" + } + }, "problemTypes": { "$ref": "#/definitions/problemTypes" }, @@ -901,7 +1005,7 @@ "cvssV3_1": {"$ref": "file:imports/cvss/cvss-v3.1.json"}, "cvssV3_0": {"$ref": "file:imports/cvss/cvss-v3.0.json"}, "cvssV2_0": {"$ref": "file:imports/cvss/cvss-v2.0.json"}, - "ssvcV1_0_1": {"$ref": "file:imports/ssvc/ssvc-v1.0.1.json"}, + "ssvcV1_0_1": {"$ref": "file:imports/ssvc/ssvc-v1.0.1.json"}, "other": { "type": "object", "description": "A non-standard impact description, may be prose or JSON block.", diff --git a/schema/docs/CVE_Record_Format_bundled.json b/schema/docs/CVE_Record_Format_bundled.json index b4447e1ebe..56df60fad5 100644 --- a/schema/docs/CVE_Record_Format_bundled.json +++ b/schema/docs/CVE_Record_Format_bundled.json 
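Review bot: `cpeApplicabilityElement` and `cpe_node` declare `properties` and `required` but neither `"type": "object"` nor `"additionalProperties": false`, unlike `cpe_match` right beside them and the containers this schema otherwise closes; `required` is vacuous on non-objects, so a string or number inside `cpeApplicability` or `nodes` validates and unknown keys are silently accepted. Suggest adding `"type": "object"` and `"additionalProperties": false` to both, plus `"minItems": 1` on `nodes` and `cpeMatch` so an empty applicability statement cannot be published. `operator` is optional on the element but required on the node, so an element with several nodes and no operator has no stated combination semantics; if the NVD default is intended, say so in the description or make it required. The `versionStart*`/`versionEnd*` fields reference `#/definitions/version`, which is outside this hunk, so whatever that definition allows bounds these range endpoints.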
@@ -1,6 +1,6 @@ { "$schema": "http://json-schema.org/draft-07/schema#", - "$id": "https://cveproject.github.io/cve-schema/schema/docs/CVE_Record_Format_bundled.json", + "$id": "https://cveproject.github.io/cve-schema/schema/CVE_Record_Format.json", "title": "CVE JSON record format", "description": "cve-schema specifies the CVE JSON record format. This is the blueprint for a rich set of JSON data that can be submitted by CVE Numbering Authorities (CNAs) and Authorized Data Publishers (ADPs) to describe a CVE Record. Some examples of CVE Record data include CVE ID number, affected product(s), affected version(s), and public references. While those specific items are required when assigning a CVE, there are many other optional data in the schema that can be used to enrich CVE Records for community benefit. Learn more about the CVE program at [the official website](https://cve.mitre.org). This CVE JSON record format is defined using JSON Schema. Learn more about JSON Schema [here](https://json-schema.org/).", "definitions": { 
@@ -79,6 +79,20 @@ "type": "string", "pattern": "^CVE-[0-9]{4}-[0-9]{4,19}$" }, + "cpe22and23": { + "type": "string", + "description": "Common Platform Enumeration (CPE) Name in either 2.2 or 2.3 format", + "pattern": "([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9._\\-~%]*){0,6})|(cpe:2\\.3:[aho*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){4})", + "minLength": 1, + "maxLength": 2048 + }, + "cpe23": { + "type": "string", + "description": "Common Platform Enumeration (CPE) Name in 2.3 format", + "pattern": "(cpe:2\\.3:[aho*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){4})", + "minLength": 1, + "maxLength": 2048 + }, "orgId": { "description": "A UUID for an organization participating in the CVE program. This UUID can be used to lookup the organization record in the user registry service.", "$ref": "#/definitions/uuidType" 
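Review bot: Neither `cpe22and23` nor `cpe23` anchors its `pattern`, and JSON Schema `pattern` is not implicitly anchored (it succeeds on any matching substring), so `"cpe:2.3:a:vendor:product:*:*:*:*:*:*:*:* plus anything"` validates, and through the 2.2 branch — whose type letter and all six components are optional — any string that merely contains `cpe:/` does too. The regexes are lifted verbatim from the old `cpes` item (visible in the next hunk), so the gap is pre-existing, but this change promotes them to shared definitions that now also gate `cpe_match.criteria`, which CPE match engines downstream parse strictly. Wrap each pattern as a whole: `"pattern": "^(([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9._\\-~%]*){0,6})|(cpe:2\\.3:…))$"` for `cpe22and23` and `"pattern": "^cpe:2\\.3:…$"` for `cpe23`, with the remainder of each regex unchanged. If `schema/docs/` is regenerated by the bundling scripts added later in this series, as their README states, the fix belongs in `schema/CVE_Record_Format.json` followed by a re-bundle rather than an edit here.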
@@ -244,15 +258,12 @@ }, "cpes": { "type": "array", - "description": "Affected products defined by CPE. This is an array of CPE values (vulnerable and not), we use an array so that we can make multiple statements about the same version and they are separate (if we used a JSON object we'd essentially be keying on the CPE name and they would have to overlap). Also, this allows things like cveDataVersion or cveDescription to be applied directly to the product entry. This also allows more complex statements such as \"Product X between versions 10.2 and 10.8\" to be put in a machine-readable format. As well since multiple statements can be used multiple branches of the same product can be defined here.", + "description": "Affected products defined by CPE. This is an array of CPE values (vulnerable and not), we use an array so that we can make multiple statements about the same version and they are separate (if we used a JSON object we'd essentially be keying on the CPE name and they would have to overlap). Also, this allows things like cveDataVersion or cveDescription to be applied directly to the product entry. This also allows more complex statements such as \"Product X between versions 10.2 and 10.8\" to be put in a machine-readable format. As well since multiple statements can be used multiple branches of the same product can be defined here. 
NOTE: Consider using the newer cpeApplicability block for defining CPE data using the CPE Applicability Language which includes more options for defining CPE Names.", "uniqueItems": true, "items": { "title": "CPE Name", - "type": "string", "description": "Common Platform Enumeration (CPE) Name in either 2.2 or 2.3 format", - "pattern": "([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9._\\-~%]*){0,6})|(cpe:2\\.3:[aho*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){4})", - "minLength": 1, - "maxLength": 2048 + "$ref": "#/definitions/cpe22and23" } }, "modules": { @@ -445,7 +456,7 @@ "description": "The version of the CVE schema used for validating this record. Used to support multiple versions of this format.", "type": "string", "pattern": "^5\\.(0|[1-9][0-9]*)(\\.(0|[1-9][0-9]*))?$", - "default": "5.1.0" + "default": "5.1.1" }, "cveMetadataPublished": { "description": "This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, the current state (PUBLISHED, REJECTED, etc.) and so on. These fields are controlled by the CVE Services.", 
@@ -573,6 +584,87 @@ ], "additionalProperties": false }, + "cpeApplicabilityElement": { + "description": "Affected products defined using an implementation of the CPE Applicability Language, mostly copied/forked from the NIST NVD CVE API v2.0 schema (optional). An operator property allows AND or OR logic between CPEs or combinations of CPEs. The negate and vulnerable Boolean properties allow CPEs to be inverted and/or defined as vulnerable or not. Multiple version fields are provided for capturing ranges of products when defining a CPE Match String Range. NOTE: When defining a cpeApplicability block, it is recommended that it align with (as much as possible) the product data provided within the affected block.", + "properties": { + "operator": { + "type": "string", + "enum": [ + "AND", + "OR" + ] + }, + "negate": { + "type": "boolean" + }, + "nodes": { + "type": "array", + "items": { + "$ref": "#/definitions/cpe_node" + } + } + }, + "required": [ + "nodes" + ] + }, + "cpe_node": { + "description": "Defines a CPE configuration node in an applicability statement.", + "properties": { + "operator": { + "type": "string", + "enum": [ + "AND", + "OR" + ] + }, + "negate": { + "type": "boolean" + }, + "cpeMatch": { + "type": "array", + "items": { + "$ref": "#/definitions/cpe_match" + } + } + }, + "required": [ + "operator", + "cpeMatch" + ] + }, + "cpe_match": { + "description": "CPE match string or range", + "type": "object", + "properties": { + "vulnerable": { + "type": "boolean" + }, + "criteria": { + "$ref": "#/definitions/cpe23" + }, + "matchCriteriaId": { + "$ref": "#/definitions/uuidType" + }, + "versionStartExcluding": { + "$ref": "#/definitions/version" + }, + "versionStartIncluding": { + "$ref": "#/definitions/version" + }, + "versionEndExcluding": { + "$ref": "#/definitions/version" + }, + "versionEndIncluding": { + "$ref": "#/definitions/version" + } + }, + "required": [ + "vulnerable", + "criteria" + ], + "additionalProperties": false + }, 
"cnaPublishedContainer": { "description": "An object containing the vulnerability information provided by a CVE Numbering Authority (CNA) for a published CVE ID. There can only be one CNA container per CVE record since there can only be one assigning CNA. The CNA container must include the required information defined in the CVE Rules, which includes a product, version, problem type, prose description, and a reference.", "type": "object", @@ -600,6 +692,12 @@ "affected": { "$ref": "#/definitions/affected" }, + "cpeApplicability": { + "type": "array", + "items": { + "$ref": "#/definitions/cpeApplicabilityElement" + } + }, "problemTypes": { "$ref": "#/definitions/problemTypes" }, @@ -706,6 +804,12 @@ "affected": { "$ref": "#/definitions/affected" }, + "cpeApplicability": { + "type": "array", + "items": { + "$ref": "#/definitions/cpeApplicabilityElement" + } + }, "problemTypes": { "$ref": "#/definitions/problemTypes" }, diff --git a/schema/docs/CVE_Record_Format_bundled_cnaRejectedContainer.json b/schema/docs/CVE_Record_Format_bundled_cnaRejectedContainer.json index 7a404c3af0..bfb1d9e476 100644 --- a/schema/docs/CVE_Record_Format_bundled_cnaRejectedContainer.json +++ b/schema/docs/CVE_Record_Format_bundled_cnaRejectedContainer.json @@ -1,8 +1,8 @@ { "$schema": "http://json-schema.org/draft-07/schema#", "$id": "https://cveproject.github.io/cve-schema/schema/docs/CVE_Record_Format_bundled_cnaRejectedContainer.json", - "title": "CVE JSON cnaRejectedContainer sub schema", - "description": "CVE JSON cnaRejectedContainer format", + "title": "CVE Record Format cnaRejectedContainer sub schema", + "description": "CVE Record Format cnaRejectedContainer format", "definitions": { "uriType": { "description": "A universal resource identifier (URI), according to [RFC 3986](https://tools.ietf.org/html/rfc3986).", 
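Review bot: `cpeApplicabilityElement` and `cpe_node` are left open while their sibling `cpe_match` is closed: neither declares `"type": "object"` or `"additionalProperties": false`, so a non-object element (a bare string) or one with a misspelt key (`"Negate"`, or a typo of the optional `operator`) passes validation silently, and the ajv strict-mode `missing type "object"` warnings that the README in this series tells readers to ignore are of exactly this shape. Because `nodes` and `cpeMatch` have no `minItems`, `{"nodes": []}` and `{"operator": "OR", "cpeMatch": []}` are also valid yet match no product at all. Add `"type": "object",` and `"additionalProperties": false` to both definitions and `"minItems": 1` to both arrays — in `schema/CVE_Record_Format.json` if this bundle is generated from it as the README describes. The hunk's trailing context is only the head of `cnaPublishedContainer`, whose body lies outside it.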
@@ -79,6 +79,20 @@ "type": "string", "pattern": "^CVE-[0-9]{4}-[0-9]{4,19}$" }, + "cpe22and23": { + "type": "string", + "description": "Common Platform Enumeration (CPE) Name in either 2.2 or 2.3 format", + "pattern": "([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9._\\-~%]*){0,6})|(cpe:2\\.3:[aho*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){4})", + "minLength": 1, + "maxLength": 2048 + }, + "cpe23": { + "type": "string", + "description": "Common Platform Enumeration (CPE) Name in 2.3 format", + "pattern": "(cpe:2\\.3:[aho*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){4})", + "minLength": 1, + "maxLength": 2048 + }, "orgId": { "description": "A UUID for an organization participating in the CVE program. This UUID can be used to lookup the organization record in the user registry service.", "$ref": "#/definitions/uuidType" 
@@ -244,15 +258,12 @@ }, "cpes": { "type": "array", - "description": "Affected products defined by CPE. This is an array of CPE values (vulnerable and not), we use an array so that we can make multiple statements about the same version and they are separate (if we used a JSON object we'd essentially be keying on the CPE name and they would have to overlap). Also, this allows things like cveDataVersion or cveDescription to be applied directly to the product entry. This also allows more complex statements such as \"Product X between versions 10.2 and 10.8\" to be put in a machine-readable format. As well since multiple statements can be used multiple branches of the same product can be defined here.", + "description": "Affected products defined by CPE. This is an array of CPE values (vulnerable and not), we use an array so that we can make multiple statements about the same version and they are separate (if we used a JSON object we'd essentially be keying on the CPE name and they would have to overlap). Also, this allows things like cveDataVersion or cveDescription to be applied directly to the product entry. This also allows more complex statements such as \"Product X between versions 10.2 and 10.8\" to be put in a machine-readable format. As well since multiple statements can be used multiple branches of the same product can be defined here. 
NOTE: Consider using the newer cpeApplicability block for defining CPE data using the CPE Applicability Language which includes more options for defining CPE Names.", "uniqueItems": true, "items": { "title": "CPE Name", - "type": "string", "description": "Common Platform Enumeration (CPE) Name in either 2.2 or 2.3 format", - "pattern": "([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9._\\-~%]*){0,6})|(cpe:2\\.3:[aho*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){4})", - "minLength": 1, - "maxLength": 2048 + "$ref": "#/definitions/cpe22and23" } }, "modules": { @@ -445,7 +456,7 @@ "description": "The version of the CVE schema used for validating this record. Used to support multiple versions of this format.", "type": "string", "pattern": "^5\\.(0|[1-9][0-9]*)(\\.(0|[1-9][0-9]*))?$", - "default": "5.1.0" + "default": "5.1.1" }, "cveMetadataPublished": { "description": "This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, the current state (PUBLISHED, REJECTED, etc.) and so on. These fields are controlled by the CVE Services.", 
@@ -573,6 +584,87 @@ ], "additionalProperties": false }, + "cpeApplicabilityElement": { + "description": "Affected products defined using an implementation of the CPE Applicability Language, mostly copied/forked from the NIST NVD CVE API v2.0 schema (optional). An operator property allows AND or OR logic between CPEs or combinations of CPEs. The negate and vulnerable Boolean properties allow CPEs to be inverted and/or defined as vulnerable or not. Multiple version fields are provided for capturing ranges of products when defining a CPE Match String Range. NOTE: When defining a cpeApplicability block, it is recommended that it align with (as much as possible) the product data provided within the affected block.", + "properties": { + "operator": { + "type": "string", + "enum": [ + "AND", + "OR" + ] + }, + "negate": { + "type": "boolean" + }, + "nodes": { + "type": "array", + "items": { + "$ref": "#/definitions/cpe_node" + } + } + }, + "required": [ + "nodes" + ] + }, + "cpe_node": { + "description": "Defines a CPE configuration node in an applicability statement.", + "properties": { + "operator": { + "type": "string", + "enum": [ + "AND", + "OR" + ] + }, + "negate": { + "type": "boolean" + }, + "cpeMatch": { + "type": "array", + "items": { + "$ref": "#/definitions/cpe_match" + } + } + }, + "required": [ + "operator", + "cpeMatch" + ] + }, + "cpe_match": { + "description": "CPE match string or range", + "type": "object", + "properties": { + "vulnerable": { + "type": "boolean" + }, + "criteria": { + "$ref": "#/definitions/cpe23" + }, + "matchCriteriaId": { + "$ref": "#/definitions/uuidType" + }, + "versionStartExcluding": { + "$ref": "#/definitions/version" + }, + "versionStartIncluding": { + "$ref": "#/definitions/version" + }, + "versionEndExcluding": { + "$ref": "#/definitions/version" + }, + "versionEndIncluding": { + "$ref": "#/definitions/version" + } + }, + "required": [ + "vulnerable", + "criteria" + ], + "additionalProperties": false + }, 
"cnaPublishedContainer": { "description": "An object containing the vulnerability information provided by a CVE Numbering Authority (CNA) for a published CVE ID. There can only be one CNA container per CVE record since there can only be one assigning CNA. The CNA container must include the required information defined in the CVE Rules, which includes a product, version, problem type, prose description, and a reference.", "type": "object", @@ -600,6 +692,12 @@ "affected": { "$ref": "#/definitions/affected" }, + "cpeApplicability": { + "type": "array", + "items": { + "$ref": "#/definitions/cpeApplicabilityElement" + } + }, "problemTypes": { "$ref": "#/definitions/problemTypes" }, @@ -706,6 +804,12 @@ "affected": { "$ref": "#/definitions/affected" }, + "cpeApplicability": { + "type": "array", + "items": { + "$ref": "#/definitions/cpeApplicabilityElement" + } + }, "problemTypes": { "$ref": "#/definitions/problemTypes" }, diff --git a/schema/docs/cnaContainer-advanced-example.json b/schema/docs/cnaContainer-advanced-example.json index c255d81b33..096da2bd21 100644 --- a/schema/docs/cnaContainer-advanced-example.json +++ b/schema/docs/cnaContainer-advanced-example.json 
@@ -84,6 +84,49 @@ "defaultStatus": "unaffected" } ], + "cpeApplicability": [ + { + "operator": "AND", + "nodes": [ + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": true, + "criteria": "cpe:2.3:a:example_org:example_enterprise:*:*:*:*:*:*:*:*", + "versionStartIncluding": "1.0.0", + "versionEndExcluding": "1.0.6" + }, + { + "vulnerable": true, + "criteria": "cpe:2.3:a:example_org:example_enterprise:*:*:*:*:*:*:*:*", + "versionStartIncluding": "2.1.6", + "versionEndExcluding": "2.1.9" + } + ] + }, + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": false, + "criteria": "cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*" + }, + { + "vulnerable": false, + "criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*" + }, + { + "vulnerable": false, + "criteria": "cpe:2.3:h:some_company:xt-4500:*:*:*:*:*:*:*:*" + } + ] + } + ] + } + ], "descriptions": [ { "lang": "en", diff --git a/schema/docs/full-record-advanced-example.json b/schema/docs/full-record-advanced-example.json index cce1ba7938..c0f18c272b 100644 --- a/schema/docs/full-record-advanced-example.json +++ b/schema/docs/full-record-advanced-example.json 
@@ -97,6 +97,49 @@ "defaultStatus": "unaffected" } ], + "cpeApplicability": [ + { + "operator": "AND", + "nodes": [ + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": true, + "criteria": "cpe:2.3:a:example_org:example_enterprise:*:*:*:*:*:*:*:*", + "versionStartIncluding": "1.0.0", + "versionEndExcluding": "1.0.6" + }, + { + "vulnerable": true, + "criteria": "cpe:2.3:a:example_org:example_enterprise:*:*:*:*:*:*:*:*", + "versionStartIncluding": "2.1.6", + "versionEndExcluding": "2.1.9" + } + ] + }, + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": false, + "criteria": "cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*" + }, + { + "vulnerable": false, + "criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*" + }, + { + "vulnerable": false, + "criteria": "cpe:2.3:h:some_company:xt-4500:*:*:*:*:*:*:*:*" + } + ] + } + ] + } + ], "descriptions": [ { "lang": "en", @@ -337,4 +380,4 @@ ] } } -} \ No newline at end of file +} diff --git a/schema/support/bundling-scripts/README.md b/schema/support/bundling-scripts/README.md new file mode 100644 index 0000000000..53613b736f --- /dev/null +++ b/schema/support/bundling-scripts/README.md 
@@ -0,0 +1,47 @@ +# Creating the bundled CVE Record Format JSON schema files +Use the scripts in this directory to create the bundled CVE Record Format JSON schema files. + +## Steps +1. Create a directory structure where all of these files, and no others, exist and +the files correspond to the current version of the CVE Record Format: +- schema/tags/reference-tags.json +- schema/tags/adp-tags.json +- schema/tags/cna-tags.json +- schema/CVE_Record_Format.json +- schema/imports/cvss/cvss-v4.0.json +- schema/imports/cvss/cvss-v2.0.json +- schema/imports/cvss/cvss-v3.0.json +- schema/imports/cvss/cvss-v3.1.json +- schema/docs/cnaContainer-rejected-example.json +- schema/docs/full-record-advanced-example.json +- schema/docs/full-record-basic-example.json +- schema/docs/cnaContainer-basic-example.json +- schema/docs/cnaContainer-advanced-example.json +- schema/support/schema2markmap/package.json +- schema/support/schema2markmap/schema-bundle.js + +2. Run the Linux or Windows Bash script + +5. Observe that the bundled files are created in schema/docs/, and that all of the example files are valid according to the schema files. + +6. In the process, several types of error messages will occur, which can be ignored at least temporarily. There should be no other distinct types of errors: + +- A. Complaints about EOL software packages: + npm warn deprecated json-schema-ref-parser@9.0.9: Please switch to @apidevtools/json-schema-ref-parser + +- B. Complaints about unfixed vulnerabiliies: + 11 vulnerabilities (2 moderate, 9 high) + +- C. Complaints about performance/usability: + npm warn deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful. + +- D. Complains about EOL versions: + npm warn deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported + +- E. 
"strict mode" errors related to https://github.com/CVEProject/cve-schema/issues/272 such as: + strict mode: missing type "object" for keyword "additionalProperties" at "https://cveproject.github.io/cve-schema/schema/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json#" (strictTypes) + strict mode: missing type "object" for keyword "properties" at "https://cveproject.github.io/cve-schema/schema/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json#" (strictTypes) + strict mode: missing type "object" for keyword "required" at "https://cveproject.github.io/cve-schema/schema/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json#" (strictTypes) + strict mode: missing type "object" for keyword "properties" at "https://cveproject.github.io/cve-schema/schema/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json#" (strictTypes) + strict mode: missing type "object" for keyword "required" at "https://cveproject.github.io/cve-schema/schema/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json#" (strictTypes) + strict mode: missing type "object" for keyword "properties" at "https://cveproject.github.io/cve-schema/schema/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json#" (strictTypes) diff --git a/schema/support/bundling-scripts/bundle-script-linux.sh b/schema/support/bundling-scripts/bundle-script-linux.sh new file mode 100644 index 0000000000..bae0a6e24a --- /dev/null +++ b/schema/support/bundling-scripts/bundle-script-linux.sh 
@@ -0,0 +1,14 @@
+export CVE_SCHEMA_DIR=schema
+export CVE_SCHEMA_FILENAME=CVE_Record_Format.json
+mkdir ~/.npm-global
+npm config set prefix ~/.npm-global
+export PATH=~/.npm-global/bin:$PATH
+npm --prefix "${CVE_SCHEMA_DIR}/support/schema2markmap" install "${CVE_SCHEMA_DIR}/support/schema2markmap"
+npm install --loglevel verbose -g yargs ajv-formats@"^1.5.x" ajv-cli@"^4.0.x"
+sed 's/file\://g' "${CVE_SCHEMA_DIR}/${CVE_SCHEMA_FILENAME}" > "${CVE_SCHEMA_DIR}/cve-schema.json"
+node "${CVE_SCHEMA_DIR}/support/schema2markmap/schema-bundle.js" "${CVE_SCHEMA_DIR}/cve-schema.json" "${CVE_SCHEMA_DIR}/docs/"
+ajv compile -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled.json"
+ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled.json" -d "${CVE_SCHEMA_DIR}/docs/full-record-basic-example.json"
+ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled.json" -d "${CVE_SCHEMA_DIR}/docs/full-record-advanced-example.json"
+ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json" -d "${CVE_SCHEMA_DIR}/docs/cnaContainer-advanced-example.json"
+ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json" -d "${CVE_SCHEMA_DIR}/docs/cnaContainer-basic-example.json"
diff --git a/schema/support/bundling-scripts/bundle-script-win.sh b/schema/support/bundling-scripts/bundle-script-win.sh
new file mode 100644
index 0000000000..8f3474d31f
--- /dev/null
+++ b/schema/support/bundling-scripts/bundle-script-win.sh
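Review bot: The script has no `set -euo pipefail` and checks no exit status, so a failing `ajv validate` — the step the README tells the operator to "observe" — leaves freshly written bundles in `docs/` and the script exiting 0, which makes it unusable as a CI gate; `mkdir ~/.npm-global` without `-p` also fails on every run after the first. The toolchain is fetched unpinned: `ajv-formats@"^1.5.x"` and `ajv-cli@"^4.0.x"` are installed globally into the user's npm prefix with no lockfile or integrity check, so what the schema is validated with depends on whatever is published at run time (the README in this series already lists 11 npm audit findings in that tree as noise to ignore). `sed 's/file\://g'` also rewrites every `file:` occurrence in the schema, not only `$ref` values, and drops the intermediate `cve-schema.json` into `schema/` beside the sources — the diffstat of the later commit in this series shows that exact file being committed. Start the script with `set -euo pipefail`, use `mkdir -p ~/.npm-global`, pin exact versions (or a `package.json` plus lockfile under `schema/support/`), and write the intermediate to a scratch directory, e.g. `TMP=$(mktemp -d)` and `sed 's/file\://g' "${CVE_SCHEMA_DIR}/${CVE_SCHEMA_FILENAME}" > "${TMP}/cve-schema.json"`.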
@@ -0,0 +1,13 @@
+export CVE_SCHEMA_DIR=$(pwd)/schema
+export CVE_SCHEMA_FILENAME=CVE_Record_Format.json
+npm install --loglevel verbose -g yargs ajv-formats@"^1.5.x" ajv-cli@"^4.0.x"
+pushd "${CVE_SCHEMA_DIR}/support/schema2markmap"
+npm install
+popd
+sed 's/file\://g' "${CVE_SCHEMA_DIR}/${CVE_SCHEMA_FILENAME}" > "${CVE_SCHEMA_DIR}/cve-schema.json"
+node "${CVE_SCHEMA_DIR}/support/schema2markmap/schema-bundle.js" "${CVE_SCHEMA_DIR}/cve-schema.json" "${CVE_SCHEMA_DIR}/docs/"
+ajv compile -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled.json"
+ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled.json" -d "${CVE_SCHEMA_DIR}/docs/full-record-basic-example.json"
+ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled.json" -d "${CVE_SCHEMA_DIR}/docs/full-record-advanced-example.json"
+ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json" -d "${CVE_SCHEMA_DIR}/docs/cnaContainer-advanced-example.json"
+ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json" -d "${CVE_SCHEMA_DIR}/docs/cnaContainer-basic-example.json"
From eb0b3690e04c59afb33dd10a81fc44f4cfcdad10 Mon Sep 17 00:00:00 2001
From: Vijay Sarvepalli
Date: Thu, 16 Jan 2025 15:25:16 -0500
Subject: [PATCH 10/12] Update CVE-1337 to CVE-1900 PR #349

---
 schema/archive/v5.0/docs/cnaContainer-advanced-example.json | 2 +-
 schema/archive/v5.0/docs/cnaContainer-basic-example.json | 2 +-
 schema/archive/v5.0/docs/full-record-advanced-example.json | 6 +++---
 schema/archive/v5.0/docs/full-record-basic-example.json | 6 +++---
 schema/docs/cnaContainer-advanced-example.json | 2 +-
 schema/docs/cnaContainer-basic-example.json | 2 +-
 schema/docs/full-record-advanced-example.json | 6 +++---
 schema/docs/full-record-basic-example.json | 6 +++---
 8 files changed, 16 insertions(+), 16 deletions(-)
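Review bot: Same gaps as the Linux variant: without `set -euo pipefail` a failing `npm install`, `pushd` or `ajv validate` neither stops the script nor changes its exit status, so the four validation lines are advisory output rather than a check. `export CVE_SCHEMA_DIR=$(pwd)/schema` additionally assumes the script is run from the repository root without testing it, so a run from anywhere else fails only partway through, after the global `npm install` has already altered the user's toolchain. Add `set -euo pipefail` as the first line and derive the directory from the script's own location, `CVE_SCHEMA_DIR=$(cd "$(dirname "$0")/../.." && pwd)`, so both scripts agree on where the schema lives.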
diff --git a/schema/archive/v5.0/docs/cnaContainer-advanced-example.json b/schema/archive/v5.0/docs/cnaContainer-advanced-example.json index 32fa56edad..ab7326d86b 100644 --- a/schema/archive/v5.0/docs/cnaContainer-advanced-example.json +++ b/schema/archive/v5.0/docs/cnaContainer-advanced-example.json @@ -241,7 +241,7 @@ ], "references": [ { - "url": "https://example.org/ESA-22-11-CVE-1337-1234", + "url": "https://example.org/ESA-22-11-CVE-1900-1234", "name": "ESA-22-11", "tags": [ "vendor-advisory" diff --git a/schema/archive/v5.0/docs/cnaContainer-basic-example.json b/schema/archive/v5.0/docs/cnaContainer-basic-example.json index 803654a5c8..c03bf2f77f 100644 --- a/schema/archive/v5.0/docs/cnaContainer-basic-example.json +++ b/schema/archive/v5.0/docs/cnaContainer-basic-example.json @@ -33,7 +33,7 @@ ], "references": [ { - "url": "https://example.org/ESA-22-11-CVE-1337-1234" + "url": "https://example.org/ESA-22-11-CVE-1900-1234" } ] } diff --git a/schema/archive/v5.0/docs/full-record-advanced-example.json b/schema/archive/v5.0/docs/full-record-advanced-example.json index b4087335c3..78fd527905 100644 --- a/schema/archive/v5.0/docs/full-record-advanced-example.json +++ b/schema/archive/v5.0/docs/full-record-advanced-example.json @@ -2,7 +2,7 @@ "dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": { - "cveId": "CVE-1337-1234", + "cveId": "CVE-1900-1234", "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", "assignerShortName": "example", "requesterUserId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", @@ -257,7 +257,7 @@ ], "references": [ { - "url": "https://example.org/ESA-22-11-CVE-1337-1234", + "url": "https://example.org/ESA-22-11-CVE-1900-1234", "name": "ESA-22-11", "tags": [ "vendor-advisory" @@ -307,4 +307,4 @@ ] } } - } \ No newline at end of file + } diff --git a/schema/archive/v5.0/docs/full-record-basic-example.json b/schema/archive/v5.0/docs/full-record-basic-example.json index d50177fecb..6be9c631f9 100644 
--- a/schema/archive/v5.0/docs/full-record-basic-example.json +++ b/schema/archive/v5.0/docs/full-record-basic-example.json @@ -2,7 +2,7 @@ "dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": { - "cveId": "CVE-1337-1234", + "cveId": "CVE-1900-1234", "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", "state": "PUBLISHED" }, @@ -44,9 +44,9 @@ ], "references": [ { - "url": "https://example.org/ESA-22-11-CVE-1337-1234" + "url": "https://example.org/ESA-22-11-CVE-1900-1234" } ] } } - } \ No newline at end of file + } diff --git a/schema/docs/cnaContainer-advanced-example.json b/schema/docs/cnaContainer-advanced-example.json index 096da2bd21..a13495937d 100644 --- a/schema/docs/cnaContainer-advanced-example.json +++ b/schema/docs/cnaContainer-advanced-example.json @@ -293,7 +293,7 @@ ], "references": [ { - "url": "https://example.org/ESA-22-11-CVE-1337-1234", + "url": "https://example.org/ESA-22-11-CVE-1900-1234", "name": "ESA-22-11", "tags": [ "vendor-advisory" diff --git a/schema/docs/cnaContainer-basic-example.json b/schema/docs/cnaContainer-basic-example.json index 0b474d3e5f..04ca59c65f 100644 --- a/schema/docs/cnaContainer-basic-example.json +++ b/schema/docs/cnaContainer-basic-example.json @@ -36,7 +36,7 @@ ], "references": [ { - "url": "https://example.org/ESA-22-11-CVE-1337-1234" + "url": "https://example.org/ESA-22-11-CVE-1900-1234" } ] } diff --git a/schema/docs/full-record-advanced-example.json b/schema/docs/full-record-advanced-example.json index c0f18c272b..89ce394fe1 100644 --- a/schema/docs/full-record-advanced-example.json +++ b/schema/docs/full-record-advanced-example.json @@ -2,7 +2,7 @@ "dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": { - "cveId": "CVE-1337-1234", + "cveId": "CVE-1900-1234", "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", "assignerShortName": "example", "requesterUserId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", 
@@ -174,7 +174,7 @@ } ], "ssvcV1_0_1": { - "id": "CVE-1337-1234", + "id": "CVE-1900-1234", "selections": [ { "namespace": "ssvc", @@ -330,7 +330,7 @@ ], "references": [ { - "url": "https://example.org/ESA-22-11-CVE-1337-1234", + "url": "https://example.org/ESA-22-11-CVE-1900-1234", "name": "ESA-22-11", "tags": [ "vendor-advisory" diff --git a/schema/docs/full-record-basic-example.json b/schema/docs/full-record-basic-example.json index b1c3f5eaac..2d111dcd56 100644 --- a/schema/docs/full-record-basic-example.json +++ b/schema/docs/full-record-basic-example.json @@ -2,7 +2,7 @@ "dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": { - "cveId": "CVE-1337-1234", + "cveId": "CVE-1900-1234", "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", "state": "PUBLISHED" }, @@ -44,9 +44,9 @@ ], "references": [ { - "url": "https://example.org/ESA-22-11-CVE-1337-1234" + "url": "https://example.org/ESA-22-11-CVE-1900-1234" } ] } } -} \ No newline at end of file +} From 6a536334fcfce4fdb11644419f12f5a1327c86f2 Mon Sep 17 00:00:00 2001 From: Vijay Sarvepalli Date: Fri, 17 Jan 2025 13:11:50 -0500 Subject: [PATCH 11/12] Updated ssvc schema from recommendations of @tschmidt --- schema/cve-schema.json | 1342 +++++++++++++++++ schema/docs/CVE_Record_Format_bundled.json | 20 +- ...VE_Record_Format_bundled_adpContainer.json | 238 ++- ..._Format_bundled_cnaPublishedContainer.json | 238 ++- ...d_Format_bundled_cnaRejectedContainer.json | 118 ++ schema/imports/ssvc/ssvc-v1.0.1.json | 64 +- tools/cve-schema-test.sh | 15 + 7 files changed, 1977 insertions(+), 58 deletions(-) create mode 100644 schema/cve-schema.json create mode 100644 tools/cve-schema-test.sh diff --git a/schema/cve-schema.json b/schema/cve-schema.json new file mode 100644 index 0000000000..9ffe5b574f --- /dev/null +++ b/schema/cve-schema.json 
@@ -0,0 +1,1342 @@
+{
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "$id": "https://cveproject.github.io/cve-schema/schema/CVE_Record_Format.json",
+ "title": "CVE JSON record format",
+ "description": "cve-schema specifies the CVE JSON record format. This is the blueprint for a rich set of JSON data that can be submitted by CVE Numbering Authorities (CNAs) and Authorized Data Publishers (ADPs) to describe a CVE Record. Some examples of CVE Record data include CVE ID number, affected product(s), affected version(s), and public references. While those specific items are required when assigning a CVE, there are many other optional data in the schema that can be used to enrich CVE Records for community benefit. Learn more about the CVE program at [the official website](https://cve.mitre.org). This CVE JSON record format is defined using JSON Schema. Learn more about JSON Schema [here](https://json-schema.org/).",
+ "definitions": {
+ "uriType": {
+ "description": "A universal resource identifier (URI), according to [RFC 3986](https://tools.ietf.org/html/rfc3986).",
+ "type": "string",
+ "format": "uri",
+ "minLength": 1,
+ "maxLength": 2048
+ },
+ "uuidType": {
+ "description": "A version 4 (random) universally unique identifier (UUID) as defined by [RFC 4122](https://tools.ietf.org/html/rfc4122#section-4.1.3).",
+ "type": "string",
+ "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
+ },
+ "reference": {
+ "type": "object",
+ "required": ["url"],
+ "properties": {
+ "url": {
+ "description": "The uniform resource locator (URL), according to [RFC 3986](https://tools.ietf.org/html/rfc3986#section-1.1.3), that can be used to retrieve the referenced resource.",
+ "$ref": "#/definitions/uriType"
+ },
+ "name": {
+ "description": "User created name for the reference, often the title of the page.",
+ "type": "string",
+ "maxLength": 512,
+ "minLength": 1
+ },
+ "tags": {
+ "description": "An array of one or more tags that describe the resource referenced by 'url'.",
+ "type": "array",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "oneOf": [
+ {
+ "$ref": "#/definitions/tagExtension"
+ },
+ {
+ "$ref": "tags/reference-tags.json"
+ }
+ ]
+ }
+ }
+ },
+ "additionalProperties": false
+ },
+ "cveId": {
+ "type": "string",
+ "pattern": "^CVE-[0-9]{4}-[0-9]{4,19}$"
+ },
+ "cpe22and23": {
+ "type": "string",
+ "description":"Common Platform Enumeration (CPE) Name in either 2.2 or 2.3 format",
+ "pattern": "([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9._\\-~%]*){0,6})|(cpe:2\\.3:[aho*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){4})",
+ "minLength": 1,
+ "maxLength": 2048
+ },
+ "cpe23": {
+ "type": "string",
+ "description":"Common Platform Enumeration (CPE) Name in 2.3 format",
+ "pattern": "(cpe:2\\.3:[aho*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){4})",
+ "minLength": 1,
+ "maxLength": 2048
+ },
+ "orgId": {
+ "description": "A UUID for an organization participating in the CVE program. This UUID can be used to lookup the organization record in the user registry service.",
+ "$ref": "#/definitions/uuidType"
+ },
+ "userId": {
+ "description": "A UUID for a user participating in the CVE program. This UUID can be used to lookup the user record in the user registry service.",
+ "$ref": "#/definitions/uuidType"
+ },
+ "shortName": {
+ "description": "A 2-32 character name that can be used to complement an organization's UUID.",
+ "type": "string",
+ "minLength": 2,
+ "maxLength": 32
+ },
+ "datestamp": {
+ "description": "Date/time format based on RFC3339 and ISO ISO8601.",
+ "type": "string",
+ "format": "date",
+ "pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))$"
+ },
+ "timestamp": {
+ "type": "string",
+ "description": "Date/time format based on RFC3339 and ISO ISO8601, with an optional timezone in the format 'yyyy-MM-ddTHH:mm:ss[+-]ZH:ZM'. If timezone offset is not given, GMT (+00:00) is assumed.",
+ "pattern": "^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})?$"
+ },
+ "version": {
+ "description": "A single version of a product, as expressed in its own version numbering scheme.",
+ "type": "string",
+ "minLength": 1,
+ "maxLength": 1024
+ },
+ "status": {
+ "description": "The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.",
+ "type": "string",
+ "enum": ["affected", "unaffected", "unknown"]
+ },
+ "product": {
+ "type": "object",
+ "description": "Provides information about the set of products and services affected by this vulnerability.",
+ "allOf": [
+ {
+ "anyOf": [
+ {"required": ["vendor", "product"]},
+ {"required": ["collectionURL", "packageName"]}
+ ]
+ },
+ {
+ "anyOf": [
+ {"required": ["versions"]},
+ {"required": ["defaultStatus"]}
+ ]
+ }
+ ],
+ "properties": {
+ "vendor": {
+ "type": "string",
+ "description": "Name of the organization, project, community, individual, or user that created or maintains this product or hosted service. Can be 'N/A' if none of those apply. When collectionURL and packageName are used, this field may optionally represent the user or account within the package collection associated with the package.",
+ "minLength": 1,
+ "maxLength": 512
+ },
+ "product": {
+ "type": "string",
+ "description": "Name of the affected product.",
+ "minLength": 1,
+ "maxLength": 2048
+ },
+ "collectionURL": {
+ "description": "URL identifying a package collection (determines the meaning of packageName).",
+ "$ref": "#/definitions/uriType",
+ "examples": [
+ "https://access.redhat.com/downloads/content/package-browser",
+ "https://addons.mozilla.org",
+ "https://addons.thunderbird.net",
+ "https://anaconda.org/anaconda/repo",
+ "https://app.vagrantup.com/boxes/search",
+ "https://apps.apple.com",
+ "https://archlinux.org/packages",
+ "https://atmospherejs.meteor.com",
+ "https://atom.io/packages",
+ "https://bitbucket.org",
+ "https://bower.io",
+ "https://brew.sh/",
+ "https://chocolatey.org/packages",
+ "https://chrome.google.com/webstore",
+ "https://clojars.org",
+ "https://cocoapods.org",
+ "https://code.dlang.org",
+ "https://conan.io/center",
+ "https://cpan.org/modules",
+ "https://cran.r-project.org",
+ "https://crates.io",
+ "https://ctan.org/pkg",
+ "https://drupal.org",
+ "https://exchange.adobe.com",
+ "https://forge.puppet.com/modules",
+ "https://github.com",
+ "https://gitlab.com/explore",
+ "https://golang.org/pkg",
+ "https://guix.gnu.org/packages",
+ "https://hackage.haskell.org",
+ "https://helm.sh",
+ "https://hub.docker.com",
+ "https://juliahub.com",
+ "https://lib.haxe.org",
+ "https://luarocks.org",
+ "https://marketplace.visualstudio.com",
+ "https://melpa.org",
+ "https://microsoft.com/en-us/store/apps",
+ "https://nimble.directory",
+ "https://nuget.org/packages",
+ "https://opam.ocaml.org/packages",
+ "https://openwrt.org/packages/index",
+ "https://package.elm-lang.org",
+ "https://packagecontrol.io",
+ "https://packages.debian.org",
+ "https://packages.gentoo.org",
+ "https://packagist.org",
+ "https://pear.php.net/packages.php",
+ "https://pecl.php.net",
+ "https://platformio.org/lib",
+ "https://play.google.com/store",
+ "https://plugins.gradle.org",
+ "https://projects.eclipse.org",
+ "https://pub.dev",
+ "https://pypi.python.org",
+ "https://registry.npmjs.org",
+ "https://registry.terraform.io",
+ "https://repo.hex.pm",
+ "https://repo.maven.apache.org/maven2",
+ "https://rubygems.org",
+ "https://search.nixos.org/packages",
+ "https://sourceforge.net",
+ "https://wordpress.org/plugins"
+ ]
+ },
+ "packageName": {
+ "type": "string",
+ "description": "Name or identifier of the affected software package as used in the package collection.",
+ "minLength": 1,
+ "maxLength": 2048
+ },
+ "cpes": {
+ "type": "array",
+ "description": "Affected products defined by CPE. This is an array of CPE values (vulnerable and not), we use an array so that we can make multiple statements about the same version and they are separate (if we used a JSON object we'd essentially be keying on the CPE name and they would have to overlap). Also, this allows things like cveDataVersion or cveDescription to be applied directly to the product entry. This also allows more complex statements such as \"Product X between versions 10.2 and 10.8\" to be put in a machine-readable format. As well since multiple statements can be used multiple branches of the same product can be defined here. NOTE: Consider using the newer cpeApplicability block for defining CPE data using the CPE Applicability Language which includes more options for defining CPE Names.",
+ "uniqueItems": true,
+ "items": {
+ "title": "CPE Name",
+ "description":"Common Platform Enumeration (CPE) Name in either 2.2 or 2.3 format",
+ "$ref": "#/definitions/cpe22and23"
+ }
+ },
+ "modules": {
+ "type": "array",
+ "description": "A list of the affected components, features, modules, sub-components, sub-products, APIs, commands, utilities, programs, or functionalities (optional).",
+ "uniqueItems": true,
+ "items": {
+ "type": "string",
+ "description": "Name of the affected component, feature, module, sub-component, sub-product, API, command, utility, program, or functionality (optional).",
+ "minLength": 1,
+ "maxLength": 4096
+ }
+ },
+ "programFiles": {
+ "type": "array",
+ "description": "A list of the affected source code files (optional).",
+ "uniqueItems": true,
+ "items": {
+ "description": "Name or path or location of the affected source code file.",
+ "type": "string",
+ "minLength": 1,
+ "maxLength": 1024
+ }
+ },
+ "programRoutines": {
+ "type": "array",
+ "description": "A list of the affected source code functions, methods, subroutines, or procedures (optional).",
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "description": "An object describing program routine.",
+ "required": [
+ "name"
+ ],
+ "properties": {
+ "name": {
+ "type": "string",
+ "description": "Name of the affected source code file, function, method, subroutine, or procedure.",
+ "minLength": 1,
+ "maxLength": 4096
+ }
+ },
+ "additionalProperties": false
+ }
+ },
+ "platforms": {
+ "title": "Platforms",
+ "description": "List of specific platforms if the vulnerability is only relevant in the context of these platforms (optional). Platforms may include execution environments, operating systems, virtualization technologies, hardware models, or computing architectures. The lack of this field or an empty array implies that the other fields are applicable to all relevant platforms.",
+ "type": "array",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "string",
+ "examples": ["iOS", "Android", "Windows", "macOS", "x86", "ARM", "64 bit", "Big Endian", "iPad", "Chromebook", "Docker", "Model T"],
+ "maxLength": 1024
+ }
+ },
+ "repo": {
+ "description": "The URL of the source code repository, for informational purposes and/or to resolve git hash version ranges.",
+ "$ref": "#/definitions/uriType"
+ },
+ "defaultStatus": {
+ "description": "The default status for versions that are not otherwise listed in the versions list. If not specified, defaultStatus defaults to 'unknown'. Versions or defaultStatus may be omitted, but not both.",
+ "$ref": "#/definitions/status"
+ },
+ "versions": {
+ "type": "array",
+ "description": "Set of product versions or version ranges related to the vulnerability. The versions satisfy the CNA Rules [8.1.2 requirement](https://cve.mitre.org/cve/cna/rules.html#section_8-1_cve_entry_information_requirements). Versions or defaultStatus may be omitted, but not both.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "description": "A single version or a range of versions, with vulnerability status.\n\nAn entry with only 'version' and 'status' indicates the status of a single version.\n\nOtherwise, an entry describes a range; it must include the 'versionType' property, to define the version numbering semantics in use, and 'limit', to indicate the non-inclusive upper limit of the range. The object describes the status for versions V such that 'version' <= V and V < 'limit', using the <= and < semantics defined for the specific kind of 'versionType'. Status changes within the range can be specified by an optional 'changes' list.\n\nThe algorithm to decide the status specified for a version V is:\n\n\tfor entry in product.versions {\n\t\tif entry.lessThan is not present and entry.lessThanOrEqual is not present and v == entry.version {\n\t\t\treturn entry.status\n\t\t}\n\t\tif (entry.lessThan is present and entry.version <= v and v < entry.lessThan) or\n\t\t (entry.lessThanOrEqual is present and entry.version <= v and v <= entry.lessThanOrEqual) { // <= and < defined by entry.versionType\n\t\t\tstatus = entry.status\n\t\t\tfor change in entry.changes {\n\t\t\t\tif change.at <= v {\n\t\t\t\t\tstatus = change.status\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn status\n\t\t}\n\t}\n\treturn product.defaultStatus\n\n.",
+ "oneOf": [
+ {
+ "required": ["version", "status"],
+ "maxProperties": 2
+ },
+ {
+ "required": ["version", "status", "versionType"],
+ "maxProperties": 3
+ },
+ {
+ "required": ["version", "status", "versionType", "lessThan"]
+ },
+ {
+ "required": ["version", "status", "versionType", "lessThanOrEqual"]
+ }
+ ],
+ "properties": {
+ "version": {
+ "description": "The single version being described, or the version at the start of the range. By convention, typically 0 denotes the earliest possible version.",
+ "$ref": "#/definitions/version"
+ },
+ "status": {
+ "description": "The vulnerability status for the version or range of versions. For a range, the status may be refined by the 'changes' list.",
+ "$ref": "#/definitions/status"
+ },
+ "versionType": {
+ "type": "string",
+ "description": "The version numbering system used for specifying the range. This defines the exact semantics of the comparison (less-than) operation on versions, which is required to understand the range itself. 'Custom' indicates that the version type is unspecified and should be avoided whenever possible. It is included primarily for use in conversion of older data files.",
+ "minLength": 1,
+ "maxLength": 128,
+ "examples": [
+ "custom",
+ "git",
+ "maven",
+ "python",
+ "rpm",
+ "semver"
+ ]
+ },
+ "lessThan": {
+ "description": "The non-inclusive upper limit of the range. This is the least version NOT in the range. The usual version syntax is expanded to allow a pattern to end in an asterisk `(*)`, indicating an arbitrarily large number in the version ordering. For example, `{version: 1.0 lessThan: 1.*}` would describe the entire 1.X branch for most range kinds, and `{version: 2.0, lessThan: *}` describes all versions starting at 2.0, including 3.0, 5.1, and so on. Only one of lessThan and lessThanOrEqual should be specified.",
+ "$ref": "#/definitions/version"
+ },
+ "lessThanOrEqual": {
+ "description": "The inclusive upper limit of the range. This is the greatest version contained in the range. Only one of lessThan and lessThanOrEqual should be specified. For example, `{version: 1.0, lessThanOrEqual: 1.3}` covers all versions from 1.0 up to and including 1.3.",
+ "$ref": "#/definitions/version"
+ },
+ "changes": {
+ "type": "array",
+ "description": "A list of status changes that take place during the range. The array should be sorted in increasing order by the 'at' field, according to the versionType, but clients must re-sort the list themselves rather than assume it is sorted.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "description": "The start of a single status change during the range.",
+ "required": ["at", "status"],
+ "additionalProperties": false,
+ "properties": {
+ "at": {
+ "description": "The version at which a status change occurs.",
+ "$ref": "#/definitions/version"
+ },
+ "status": {
+ "description": "The new status in the range starting at the given version.",
+ "$ref": "#/definitions/status"
+ }
+ }
+ }
+ }
+ },
+ "additionalProperties": false
+ }
+ }
+ }
+ },
+ "dataType": {
+ "description": "Indicates the type of information represented in the JSON instance.",
+ "type": "string",
+ "enum": [
+ "CVE_RECORD"
+ ]
+ },
+ "dataVersion": {
+ "description": "The version of the CVE schema used for validating this record. Used to support multiple versions of this format.",
+ "type": "string",
+ "pattern": "^5\\.(0|[1-9][0-9]*)(\\.(0|[1-9][0-9]*))?$",
+ "default": "5.1.1"
+ },
+ "cveMetadataPublished": {
+ "description": "This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, the current state (PUBLISHED, REJECTED, etc.) and so on. These fields are controlled by the CVE Services.",
+ "type": "object",
+ "required": [
+ "cveId",
+ "assignerOrgId",
+ "state"
+ ],
+ "properties": {
+ "cveId": {
+ "description": "The CVE identifier that this record pertains to.",
+ "$ref": "#/definitions/cveId"
+ },
+ "assignerOrgId": {
+ "$ref": "#/definitions/orgId",
+ "description": "The UUID for the organization to which the CVE ID was originally assigned. This UUID can be used to lookup the organization record in the user registry service."
+ },
+ "assignerShortName": {
+ "$ref": "#/definitions/shortName",
+ "description": "The short name for the organization to which the CVE ID was originally assigned."
+ },
+ "requesterUserId": {
+ "$ref": "#/definitions/userId",
+ "description": "The user that requested the CVE identifier."
+ },
+ "dateUpdated": {
+ "description": "The date/time the record was last updated.",
+ "$ref": "#/definitions/timestamp"
+ },
+ "serial": {
+ "type": "integer",
+ "minimum": 1,
+ "description": "The system of record causes this to start at 1, and increment by 1 each time a submission from a data provider changes this CVE Record. The incremented value moves to the Rejected schema upon a PUBLISHED->REJECTED transition, and moves to the Published schema upon a REJECTED->PUBLISHED transition."
+ },
+ "dateReserved": {
+ "$ref": "#/definitions/timestamp",
+ "description": "The date/time this CVE ID was reserved in the CVE automation workgroup services system. Disclaimer: This date reflects when the CVE ID was reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE."
+ },
+ "datePublished": {
+ "$ref": "#/definitions/timestamp",
+ "description": "The date/time the CVE Record was first published in the CVE List."
+ },
+ "state": {
+ "description": "State of CVE - PUBLISHED, REJECTED.",
+ "type": "string",
+ "enum": ["PUBLISHED"]
+ }
+ },
+ "additionalProperties": false
+ },
+ "cveMetadataRejected": {
+ "type": "object",
+ "description": "This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, the current state (PUBLISHED, REJECTED, etc.) and so on. These fields are controlled by the CVE Services.",
+ "required": [
+ "cveId",
+ "assignerOrgId",
+ "state"
+ ],
+ "properties": {
+ "cveId": {
+ "description": "The CVE identifier that this record pertains to.",
+ "$ref": "#/definitions/cveId"
+ },
+ "assignerOrgId": {
+ "$ref": "#/definitions/orgId",
+ "description": "The UUID for the organization to which the CVE ID was originally assigned."
+ },
+ "assignerShortName": {
+ "$ref": "#/definitions/shortName",
+ "description": "The short name for the organization to which the CVE ID was originally assigned."
+ },
+ "serial": {
+ "type": "integer",
+ "minimum": 1,
+ "description": "The system of record causes this to start at 1, and increment by 1 each time a submission from a data provider changes this CVE Record. The incremented value moves to the Rejected schema upon a PUBLISHED->REJECTED transition, and moves to the Published schema upon a REJECTED->PUBLISHED transition."
+ },
+ "dateUpdated": {
+ "description": "The date/time the record was last updated.",
+ "$ref": "#/definitions/timestamp"
+ },
+ "datePublished": {
+ "$ref": "#/definitions/timestamp",
+ "description": "The date/time the CVE Record was first published in the CVE List."
+ },
+ "dateRejected": {
+ "$ref": "#/definitions/timestamp",
+ "description": "The date/time the CVE ID was rejected."
+ },
+ "state": {
+ "type": "string",
+
+ "description": "State of CVE - PUBLISHED, REJECTED.",
+ "enum": ["REJECTED"]
+ },
+ "dateReserved": {
+ "$ref": "#/definitions/timestamp",
+ "description": "The date/time this CVE ID was reserved in the CVE automation workgroup services system. Disclaimer: This date reflects when the CVE ID was reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE."
+ }
+ },
+ "additionalProperties": false
+ },
+ "providerMetadata": {
+ "type": "object",
+ "description": "Details related to the information container provider (CNA or ADP).",
+ "properties": {
+ "orgId": {
+ "$ref": "#/definitions/orgId",
+ "description": "The container provider's organizational UUID."
+ },
+ "shortName": {
+ "$ref": "#/definitions/shortName",
+ "description": "The container provider's organizational short name."
+ },
+ "dateUpdated": {
+ "$ref": "#/definitions/timestamp",
+ "description": "Timestamp to be set by the system of record at time of submission. If dateUpdated is provided to the system of record it will be replaced by the current timestamp at the time of submission."
+ }
+ },
+ "required": ["orgId"],
+ "additionalProperties": false
+ },
+ "cpeApplicabilityElement": {
+ "description": "Affected products defined using an implementation of the CPE Applicability Language, mostly copied/forked from the NIST NVD CVE API v2.0 schema (optional). An operator property allows AND or OR logic between CPEs or combinations of CPEs. The negate and vulnerable Boolean properties allow CPEs to be inverted and/or defined as vulnerable or not. Multiple version fields are provided for capturing ranges of products when defining a CPE Match String Range. NOTE: When defining a cpeApplicability block, it is recommended that it align with (as much as possible) the product data provided within the affected block.",
+ "properties": {
+ "operator": {
+ "type": "string",
+ "enum": [
+ "AND",
+ "OR"
+ ]
+ },
+ "negate": {
+ "type": "boolean"
+ },
+ "nodes": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/cpe_node"
+ }
+ }
+ },
+ "required": [
+ "nodes"
+ ]
+ },
+ "cpe_node": {
+ "description": "Defines a CPE configuration node in an applicability statement.",
+ "properties": {
+ "operator": {
+ "type": "string",
+ "enum": [
+ "AND",
+ "OR"
+ ]
+ },
+ "negate": {
+ "type": "boolean"
+ },
+ "cpeMatch": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/cpe_match"
+ }
+ }
+ },
+ "required": [
+ "operator",
+ "cpeMatch"
+ ]
+ },
+ "cpe_match": {
+ "description": "CPE match string or range",
+ "type": "object",
+ "properties": {
+ "vulnerable": {
+ "type": "boolean"
+ },
+ "criteria": {
+ "$ref": "#/definitions/cpe23"
+ },
+ "matchCriteriaId": {
+ "$ref": "#/definitions/uuidType"
+ },
+ "versionStartExcluding": {
+ "$ref": "#/definitions/version"
+ },
+ "versionStartIncluding": {
+ "$ref": "#/definitions/version"
+ },
+ "versionEndExcluding": {
+ "$ref": "#/definitions/version"
+ },
+ "versionEndIncluding": {
+ "$ref": "#/definitions/version"
+ }
+ },
+ "required": [
+ "vulnerable",
+ "criteria"
+ ],
+ "additionalProperties": false
+ },
+ "cnaPublishedContainer": {
+ "description": "An object containing the vulnerability information provided by a CVE Numbering Authority (CNA) for a published CVE ID. There can only be one CNA container per CVE record since there can only be one assigning CNA. The CNA container must include the required information defined in the CVE Rules, which includes a product, version, problem type, prose description, and a reference.",
+ "type": "object",
+ "properties": {
+ "providerMetadata": {
+ "$ref": "#/definitions/providerMetadata"
+ },
+ "dateAssigned": {
+ "$ref": "#/definitions/timestamp",
+ "description": "The date/time this CVE ID was associated with a vulnerability by a CNA."
+ },
+ "datePublic": {
+ "$ref": "#/definitions/timestamp",
+ "description": "If known, the date/time the vulnerability was disclosed publicly."
+ },
+ "title": {
+ "type": "string",
+ "description": "A title, headline, or a brief phrase summarizing the CVE record. Eg., Buffer overflow in Example Soft.",
+ "minLength": 1,
+ "maxLength": 256
+ },
+ "descriptions": {
+ "$ref": "#/definitions/descriptions"
+ },
+ "affected": {
+ "$ref": "#/definitions/affected"
+ },
+ "cpeApplicability": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/cpeApplicabilityElement"
+ }
+ },
+ "problemTypes": {
+ "$ref": "#/definitions/problemTypes"
+ },
+ "references": {
+ "$ref": "#/definitions/references"
+ },
+ "impacts": {
+ "$ref": "#/definitions/impacts"
+ },
+ "metrics": {
+ "$ref": "#/definitions/metrics"
+ },
+ "configurations": {
+ "$ref": "#/definitions/configurations"
+ },
+ "workarounds": {
+ "$ref": "#/definitions/workarounds"
+ },
+ "solutions": {
+ "$ref": "#/definitions/solutions"
+ },
+ "exploits": {
+ "$ref": "#/definitions/exploits"
+ },
+ "timeline": {
+ "$ref": "#/definitions/timeline"
+ },
+ "credits": {
+ "$ref": "#/definitions/credits"
+ },
+ "source": {
+ "$ref": "#/definitions/source"
+ },
+ "tags": {
+ "$ref": "#/definitions/cnaTags"
+ },
+ "taxonomyMappings": {
+ "$ref": "#/definitions/taxonomyMappings"
+ }
+ },
+ "required": [
+ "providerMetadata",
+ "descriptions",
+ "affected",
+ "references"
+ ],
+ "patternProperties": {
+ "^x_[^.]*$": {}
+ },
+ "$comment": "The character . is restricted in names allowed by patternProperties to work-around naming limitations in some common implementations.",
+ "additionalProperties": false
+ },
+ "cnaRejectedContainer": {
+ "description": "An object containing the vulnerability information provided by a CVE Numbering Authority (CNA) for a rejected CVE ID. There can only be one CNA container per CVE record since there can only be one assigning CNA.",
+ "type": "object",
+ "properties": {
+ "providerMetadata": {
+ "$ref": "#/definitions/providerMetadata"
+ },
+ "rejectedReasons": {
+ "description": "Reasons for rejecting this CVE Record.",
+ "$ref": "#/definitions/descriptions"
+ },
+ "replacedBy": {
+ "type": "array",
+ "description": "Contains an array of CVE IDs that this CVE ID was rejected in favor of because this CVE ID was assigned to the vulnerabilities.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/definitions/cveId"
+ }
+ }
+ },
+ "required": [
+ "providerMetadata",
+ "rejectedReasons"
+ ],
+ "patternProperties": {
+ "^x_[^.]*$": {}
+ },
+ "$comment": "The character . is restricted in names allowed by patternProperties to work-around naming limitations in some common implementations.",
+ "additionalProperties": false
+ },
+ "adpContainer": {
+ "description": "An object containing the vulnerability information provided by an Authorized Data Publisher (ADP). Since multiple ADPs can provide information for a CVE ID, an ADP container must indicate which ADP is the source of the information in the object.",
+ "type": "object",
+ "properties": {
+ "providerMetadata": {
+ "$ref": "#/definitions/providerMetadata"
+ },
+ "datePublic": {
+ "$ref": "#/definitions/timestamp",
+ "description": "If known, the date/time the vulnerability was disclosed publicly."
+ },
+ "title": {
+ "type": "string",
+ "description": "A title, headline, or a brief phrase summarizing the information in an ADP container.",
+ "minLength": 1,
+ "maxLength": 256
+ },
+ "descriptions": {
+ "$ref": "#/definitions/descriptions"
+ },
+ "affected": {
+ "$ref": "#/definitions/affected"
+ },
+ "cpeApplicability": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/cpeApplicabilityElement"
+ }
+ },
+ "problemTypes": {
+ "$ref": "#/definitions/problemTypes"
+ },
+ "references": {
+ "$ref": "#/definitions/references"
+ },
+ "impacts": {
+ "$ref": "#/definitions/impacts"
+ },
+ "metrics": {
+ "$ref": "#/definitions/metrics"
+ },
+ "configurations": {
+ "$ref": "#/definitions/configurations"
+ },
+ "workarounds": {
+ "$ref": "#/definitions/workarounds"
+ },
+ "solutions": {
+ "$ref": "#/definitions/solutions"
+ },
+ "exploits": {
+ "$ref": "#/definitions/exploits"
+ },
+ "timeline": {
+ "$ref": "#/definitions/timeline"
+ },
+ "credits": {
+ "$ref": "#/definitions/credits"
+ },
+ "source": {
+ "$ref": "#/definitions/source"
+ },
+ "tags": {
+ "$ref": "#/definitions/adpTags"
+ },
+ "taxonomyMappings": {
+ "$ref": "#/definitions/taxonomyMappings"
+ }
+ },
+ "required": [
+ "providerMetadata"
+ ],
+ "minProperties": 2,
+ "patternProperties": {
+ "^x_[^.]*$": {}
+ },
+ "$comment": "The character . is restricted in names allowed by patternProperties to work-around naming limitations in some common implementations.",
+ "additionalProperties": false
+ },
+ "affected": {
+ "type": "array",
+ "description": "List of affected products.",
+ "minItems": 1,
+ "items": {"$ref": "#/definitions/product"}
+ },
+ "description": {
+ "type": "object",
+ "description": "Text in a particular language with optional alternate markup or formatted representation (e.g., Markdown) or embedded media.",
+ "properties": {
+ "lang": {"$ref": "#/definitions/language"},
+ "value": {
+ "type": "string",
+ "description": "Plain text description.",
+ "minLength": 1,
+ "maxLength": 4096
+ },
+ "supportingMedia": {
+ "type": "array",
+ "title": "Supporting media",
+ "description": "Supporting media data for the description such as markdown, diagrams, .. (optional). Similar to RFC 2397 each media object has three main parts: media type, media data value, and an optional boolean flag to indicate if the media data is base64 encoded.",
+ "uniqueItems": true,
+ "minItems": 1,
+ "items": {
+ "type": "object",
+ "properties": {
+ "type": {
+ "type": "string",
+ "title": "Media type",
+ "minLength": 1,
+ "maxLength": 256,
+ "description": "RFC2046 compliant IANA Media type for eg., text/markdown, text/html.",
+ "examples": [
+ "text/markdown",
+ "text/html",
+ "image/png",
+ "image/svg",
+ "audio/mp3"
+ ]
+ },
+ "base64": {
+ "type": "boolean",
+ "title": "Encoding",
+ "description": "If true then the value field contains the media data encoded in base64. If false then the value field contains the UTF-8 media content.",
+ "default": false
+ },
+ "value": {
+ "type": "string",
+ "description": "Supporting media content, up to 16K. If base64 is true, this field stores base64 encoded data.",
+ "minLength": 1,
+ "maxLength": 16384
+ }
+ },
+ "required": [
+ "type",
+ "value"
+ ],
+ "additionalProperties": false
+ }
+ }
+ },
+ "required": [
+ "lang",
+ "value"
+ ],
+ "additionalProperties": false
+ },
+ "englishLanguageDescription": {
+ "type": "object",
+ "description": "A description with lang set to an English language (en, en_US, en_UK, and so on).",
+ "properties": {"lang": {"$ref": "#/definitions/englishLanguage"}},
+ "required": ["lang"],
+ "$comment": "Cannot use additionalProperties: false here, as this prevents the other properties used by /definitions/description."
+ },
+ "descriptions": {
+ "type": "array",
+ "description": "A list of multi-lingual descriptions of the vulnerability. E.g., [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]. OR [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] [ROOT CAUSE], which allows [ATTACKER] to [IMPACT] via [VECTOR].",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/definitions/description"
+ },
+ "contains": {
+ "$ref": "#/definitions/englishLanguageDescription"
+ }
+ },
+ "problemTypes": {
+ "type": "array",
+ "description": "This is problem type information (e.g. CWE identifier). Must contain: At least one entry, can be text, OWASP, CWE, please note that while only one is required you can use more than one (or indeed all three) as long as they are correct). (CNA requirement: [PROBLEMTYPE]).",
+ "items": {
+ "type": "object",
+ "required": ["descriptions"],
+ "properties": {
+ "descriptions": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "required": [
+ "lang",
+ "description"
+ ],
+ "properties": {
+ "lang": {"$ref": "#/definitions/language"},
+ "description": {
+ "type": "string",
+ "description": "Text description of problemType, or title from CWE or OWASP.",
+ "minLength": 1,
+ "maxLength": 4096
+ },
+ "cweId": {
+ "type": "string",
+ "description": "CWE ID of the CWE that best describes this problemType entry.",
+ "minLength": 5,
+ "maxLength": 9,
+ "pattern": "^CWE-[1-9][0-9]*$"
+ },
+ "type": {
+ "type": "string",
+ "description": "Problemtype source, text, OWASP, CWE, etc.,",
+ "minLength": 1,
+ "maxLength": 128
+ },
+ "references": {"$ref": "#/definitions/references"}
+ },
+ "additionalProperties": false
+ },
+ "minItems": 1,
+ "uniqueItems": true
+ }
+ },
+ "additionalProperties": false
+ },
+ "minItems": 1,
+ "uniqueItems": true
+ },
+ "references": {
+ "type": "array",
+ "description": "This is reference data in the form of URLs or file objects (uuencoded and embedded within the JSON file, exact format to be decided, e.g. we may require a compressed format so the objects require unpacking before they are \"dangerous\").",
+ "items": {"$ref": "#/definitions/reference"},
+ "minItems": 1,
+ "maxItems": 512,
+ "uniqueItems": true
+ },
+ "impacts": {
+ "type": "array",
+ "description": "Collection of impacts of this vulnerability.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "description": "This is impact type information (e.g. a text description.",
+ "required": ["descriptions"],
+ "properties": {
+ "capecId": {
+ "type": "string",
+ "description": "CAPEC ID that best relates to this impact.",
+ "minLength": 7,
+ "maxLength": 11,
+ "pattern": "^CAPEC-[1-9][0-9]{0,4}$"
+ },
+ "descriptions": {
+ "description": "Prose description of the impact scenario. At a minimum provide the description given by CAPEC.",
+ "$ref": "#/definitions/descriptions"
+ }
+ },
+ "additionalProperties": false
+ }
+ },
+ "metrics": {
+ "type": "array",
+ "description": "Collection of impact scores with attribution.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "description": "This is impact type information (e.g. a text description, CVSSv2, CVSSv3, CVSSV4, etc.). Must contain: At least one entry, can be text, CVSSv2, CVSSv3, others may be added.",
+ "anyOf": [
+ {
+ "required": ["cvssV4_0"]
+ },
+ {
+ "required": ["cvssV3_1"]
+ },
+ {
+ "required": ["cvssV3_0"]
+ },
+ {
+ "required": ["cvssV2_0"]
+ },
+ {
+ "required": ["ssvcV1_0_1"]
+ },
+ {
+ "required": ["other"]
+ }
+ ],
+ "properties": {
+ "format": {
+ "type": "string",
+ "description": "Name of the scoring format. This provides a bit of future proofing. Additional properties are not prohibited, so this will support the inclusion of proprietary formats. It also provides an easy future conversion mechanism when future score formats become part of the schema. example: cvssV44, format = 'cvssV44', other = cvssV4_4 JSON object. In the future, the other properties can be converted to score properties when they become part of the schema.",
+ "minLength": 1,
+ "maxLength": 64
+ },
+ "scenarios": {
+ "type": "array",
+ "description": "Description of the scenarios this metrics object applies to. If no specific scenario is given, GENERAL is used as the default and applies when no more specific metric matches.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "properties": {
+ "lang": {"$ref": "#/definitions/language"},
+ "value": {
+ "type": "string",
+ "default": "GENERAL",
+ "description": "Description of the scenario this metrics object applies to. 
If no specific scenario is given, GENERAL is used as the default and applies when no more specific metric matches.", + "minLength": 1, + "maxLength": 4096 + } + }, + "required": [ + "lang", + "value" + ], + "additionalProperties": false + } + }, + "cvssV4_0": {"$ref": "imports/cvss/cvss-v4.0.json"}, + "cvssV3_1": {"$ref": "imports/cvss/cvss-v3.1.json"}, + "cvssV3_0": {"$ref": "imports/cvss/cvss-v3.0.json"}, + "cvssV2_0": {"$ref": "imports/cvss/cvss-v2.0.json"}, + "ssvcV1_0_1": {"$ref": "imports/ssvc/ssvc-v1.0.1.json"}, + "other": { + "type": "object", + "description": "A non-standard impact description, may be prose or JSON block.", + "required": [ + "type", + "content" + ], + "properties": { + "type": { + "description": "Name of the non-standard impact metrics format used.", + "type": "string", + "minLength": 1, + "maxLength": 128 + }, + "content": { + "type": "object", + "$comment": "additionalProperties are allowed here, since this construct supports arbitrary JSON.", + "description": "JSON object not covered by another metrics format.", + "minProperties": 1 + } + }, + "additionalProperties": false + } + }, + "additionalProperties": false + } + }, + "configurations": { + "type": "array", + "description": "Configurations required for exploiting this vulnerability.", + "minItems": 1, + "uniqueItems": true, + "items": { + "$ref": "#/definitions/description" + } + }, + "workarounds": { + "type": "array", + "description": "Workarounds and mitigations for this vulnerability.", + "minItems": 1, + "uniqueItems": true, + "items": { + "$ref": "#/definitions/description" + } + }, + "solutions": { + "type": "array", + "description": "Information about solutions or remediations available for this vulnerability.", + "minItems": 1, + "uniqueItems": true, + "items": { + "$ref": "#/definitions/description" + } + }, + "exploits": { + "type": "array", + "description": "Information about exploits of the vulnerability.", + "minItems": 1, + "uniqueItems": true, + "items": { + "$ref": 
"#/definitions/description" + } + }, + "timeline": { + "type": "array", + "description": "This is timeline information for significant events about this vulnerability or changes to the CVE Record.", + "minItems": 1, + "uniqueItems": true, + "items": { + "type": "object", + "required": [ + "time", + "lang", + "value" + ], + "properties": { + "time": { + "description": "Timestamp representing when the event in the timeline occurred. The timestamp format is based on RFC3339 and ISO ISO8601, with an optional timezone. yyyy-MM-ddTHH:mm:ss[+-]ZH:ZM - if the timezone offset is not given, GMT (+00:00) is assumed.", + "$ref": "#/definitions/timestamp" + }, + "lang": { + "description": "The language used in the description of the event. The language field is included so that CVE Records can support translations. The value must be a BCP 47 language code.", + "$ref": "#/definitions/language" + }, + "value": { + "description": "A summary of the event.", + "type": "string", + "minLength": 1, + "maxLength": 4096 + } + }, + "additionalProperties": false + } + }, + "credits": { + "type": "array", + "description": "Statements acknowledging specific people, organizations, or tools recognizing the work done in researching, discovering, remediating or helping with activities related to this CVE.", + "minItems": 1, + "uniqueItems": true, + "items": { + "type": "object", + "properties": { + "lang": { + "description": "The language used when describing the credits. The language field is included so that CVE Records can support translations. The value must be a BCP 47 language code.", + "$ref": "#/definitions/language" + }, + "value": { + "type": "string", + "minLength": 1, + "maxLength": 4096 + }, + "user": { + "description": "UUID of the user being credited if present in the CVE User Registry (optional). 
This UUID can be used to lookup the user record in the user registry service.", + "$ref": "#/definitions/uuidType" + }, + "type": { + "type": "string", + "description": "Type or role of the entity being credited (optional). finder: identifies the vulnerability.\nreporter: notifies the vendor of the vulnerability to a CNA.\nanalyst: validates the vulnerability to ensure accuracy or severity.\ncoordinator: facilitates the coordinated response process.\nremediation developer: prepares a code change or other remediation plans.\nremediation reviewer: reviews vulnerability remediation plans or code changes for effectiveness and completeness.\nremediation verifier: tests and verifies the vulnerability or its remediation.\ntool: names of tools used in vulnerability discovery or identification.\nsponsor: supports the vulnerability identification or remediation activities.", + "default": "finder", + "enum": [ + "finder", + "reporter", + "analyst", + "coordinator", + "remediation developer", + "remediation reviewer", + "remediation verifier", + "tool", + "sponsor", + "other" + ] + } + }, + "additionalProperties": false, + "required": [ + "lang", + "value" + ] + } + }, + "source": { + "type": "object", + "description": "This is the source information (who discovered it, who researched it, etc.) and optionally a chain of CNA information (e.g. the originating CNA and subsequent parent CNAs who have processed it before it arrives at the MITRE root).\n Must contain: IF this is in the root level it MUST contain a CNA_chain entry, IF this source entry is NOT in the root (e.g. 
it is part of a vendor statement) then it must contain at least one type of data entry.", + "minProperties": 1 + }, + "language": { + "type": "string", + "description": "BCP 47 language code, language-region.", + "default": "en", + "pattern": "^[A-Za-z]{2,4}([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$" + }, + "englishLanguage": { + "type": "string", + "description": "BCP 47 language code, language-region, required to be English.", + "pattern": "^en([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$" + }, + "taxonomyMappings": { + "type": "array", + "description": "List of taxonomy items related to the vulnerability.", + "minItems": 1, + "uniqueItems": true, + "items": { + "type": "object", + "description": "A taxonomy mapping object identifies the taxonomy by a name and version (eg., ATT&CK v13.1, CVSS 3.1, CWE 4.12) along with a list of relations relevant to this CVE.", + "required": [ + "taxonomyName", + "taxonomyRelations" + ], + "properties": { + "taxonomyName": { + "type": "string", + "description": "The name of the taxonomy, eg., ATT&CK, D3FEND, CWE, CVSS", + "minLength": 1, + "maxLength": 128 + }, + "taxonomyVersion": { + "type": "string", + "description": "The version of taxonomy the identifiers come from.", + "minLength": 1, + "maxLength": 128 + }, + "taxonomyRelations": { + "type": "array", + "description": "List of relationships to the taxonomy for the vulnerability.", + "minItems": 1, + "uniqueItems": true, + "items": { + "type": "object", + "description": "A relationship between the taxonomy and the CVE or two taxonomy items.", + "required": [ + "taxonomyId", + "relationshipName", + "relationshipValue" + ], + "properties": { + "taxonomyId": { + "type": "string", + "description": "Identifier of the item in the taxonomy. 
Used as the subject of the relationship.", + "minLength": 1, + "maxLength": 2048 + }, + "relationshipName": { + "type": "string", + "description": "A description of the relationship.", + "minLength": 1, + "maxLength": 128 + }, + "relationshipValue": { + "type": "string", + "description": "The target of the relationship. Can be the CVE ID or another taxonomy identifier.", + "minLength": 1, + "maxLength": 2048 + } + }, + "additionalProperties": false + } + } + }, + "additionalProperties": false + } + }, + "tagExtension": { + "type": "string", + "minLength": 2, + "maxLength": 128, + "pattern": "^x_.*$", + "$comment": "These values are not used as JSON property names, so there is not a need to work-around property naming limitations in some common implementations." + }, + "cnaTags": { + "type": "array", + "description": "Tags provided by a CNA describing the CVE Record.", + "uniqueItems": true, + "minItems": 1, + "items": { + "oneOf": [ + { + "$ref": "#/definitions/tagExtension" + }, + { + "$ref": "tags/cna-tags.json" + } + ] + } + }, + "adpTags": { + "type": "array", + "description": "Tags provided by an ADP describing the CVE Record.", + "uniqueItems": true, + "minItems": 1, + "items": { + "oneOf": [ + { + "$ref": "#/definitions/tagExtension" + }, + { + "$ref": "tags/adp-tags.json" + } + ] + } + } + }, + "oneOf": [ + { + "title": "Published", + "description": "When a CNA populates the data associated with a CVE ID as a CVE Record, the state of the CVE Record is Published.", + "type": "object", + "properties": { + "dataType": { + "$ref": "#/definitions/dataType" + }, + "dataVersion": { + "$ref": "#/definitions/dataVersion" + }, + "cveMetadata": { + "$ref": "#/definitions/cveMetadataPublished" + }, + "containers": { + "description": "A set of structures (called containers) used to store vulnerability information related to a specific CVE ID provided by a specific organization participating in the CVE program. 
Each container includes information provided by a different source.\n\nAt a minimum, a 'cna' container containing the vulnerability information provided by the CNA who initially assigned the CVE ID must be included.\n\nThere can only be one 'cna' container, as there can only be one assigning CNA. However, there can be multiple 'adp' containers, allowing multiple organizations participating in the CVE program to add additional information related to the vulnerability. For the most part, the 'cna' and 'adp' containers contain the same properties. The main differences are the source of the information. The 'cna' container requires the CNA to include certain fields, while the 'adp' container does not.", + "type": "object", + "properties": { + "cna": {"$ref": "#/definitions/cnaPublishedContainer"}, + "adp": { + "type": "array", + "items": {"$ref": "#/definitions/adpContainer"}, + "minItems": 1, + "uniqueItems": true + } + }, + "required": ["cna"], + "additionalProperties": false + } + }, + "required": [ + "dataType", + "dataVersion", + "cveMetadata", + "containers" + ], + "additionalProperties": false + }, + { + "title": "Rejected", + "description": "If the CVE ID and associated CVE Record should no longer be used, the CVE Record is placed in the Rejected state. A Rejected CVE Record remains on the CVE List so that users can know when it is invalid.", + "type": "object", + "properties": { + "dataType": { + "$ref": "#/definitions/dataType" + }, + "dataVersion": { + "$ref": "#/definitions/dataVersion" + }, + "cveMetadata": { + "$ref": "#/definitions/cveMetadataRejected" + }, + "containers": { + "description": "A set of structures (called containers) used to store vulnerability information related to a specific CVE ID provided by a specific organization participating in the CVE program. 
Each container includes information provided by a different source.\n\nAt minimum, a 'cna' container containing the vulnerability information provided by the CNA who initially assigned the CVE ID must be included.\n\nThere can only be one 'cna' container, as there can only be one assigning CNA.", + "type": "object", + "properties": { + "cna": {"$ref": "#/definitions/cnaRejectedContainer"} + }, + "required": ["cna"], + "additionalProperties": false + } + }, + "required": [ + "dataType", + "dataVersion", + "cveMetadata", + "containers" + ], + "additionalProperties": false + } + ] +} diff --git a/schema/docs/CVE_Record_Format_bundled.json b/schema/docs/CVE_Record_Format_bundled.json index 56df60fad5..f2345f1dfc 100644 --- a/schema/docs/CVE_Record_Format_bundled.json +++ b/schema/docs/CVE_Record_Format_bundled.json @@ -3167,13 +3167,13 @@ "additionalProperties": false }, "ssvcV1_0_1": { - "$schema": "http://json-schema.org/draft-07/schema#", - "definitions": { + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$defs": { "id": { "type": "string", "description": "Identifier for a vulnerability could be CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.", "examples": [ - "CVE-2024-101010", + "CVE-1900-1234", "VU#11111", "GHSA-11a1-22b2-33c3" ] @@ -3217,7 +3217,7 @@ "type": "string", "examples": [ "ssvc", - "cvvsv4" + "cvssv4" ] }, "values": { 
@@ -3249,16 +3249,16 @@ }, "properties": { "id": { - "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/definitions/id" + "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/id" }, "role": { - "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/definitions/role" + "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/role" }, "schemaVersion": { - "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/definitions/schemaVersion" + "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/schemaVersion" }, "timestamp": { - "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/definitions/timestamp" + "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/timestamp" }, "selections": { "description": "An array of Decision Points and their Values that were down-selected or evaluated ", @@ -3266,7 +3266,7 @@ "type": "array", "minItems": 1, "items": { - "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/definitions/SsvcdecisionpointselectionSchema" + "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/SsvcdecisionpointselectionSchema" } } }, @@ -3636,4 +3636,4 @@ "additionalProperties": false } ] -} +} \ No newline at end of file diff --git a/schema/docs/CVE_Record_Format_bundled_adpContainer.json b/schema/docs/CVE_Record_Format_bundled_adpContainer.json index c225c381d4..ed1d3dbf2c 100644 --- a/schema/docs/CVE_Record_Format_bundled_adpContainer.json +++ b/schema/docs/CVE_Record_Format_bundled_adpContainer.json 
@@ -1,8 +1,8 @@ { "$schema": "http://json-schema.org/draft-07/schema#", "$id": "https://cveproject.github.io/cve-schema/schema/docs/CVE_Record_Format_bundled_adpContainer.json", - "title": "CVE JSON adpContainer sub schema", - "description": "CVE JSON adpContainer format", + "title": "CVE Record Format adpContainer sub schema", + "description": "CVE Record Format adpContainer format", "definitions": { "uriType": { "description": "A universal resource identifier (URI), according to [RFC 3986](https://tools.ietf.org/html/rfc3986).", @@ -79,6 +79,20 @@ "type": "string", "pattern": "^CVE-[0-9]{4}-[0-9]{4,19}$" }, + "cpe22and23": { + "type": "string", + "description": "Common Platform Enumeration (CPE) Name in either 2.2 or 2.3 format", + "pattern": "([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9._\\-~%]*){0,6})|(cpe:2\\.3:[aho*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){4})", + "minLength": 1, + "maxLength": 2048 + }, + "cpe23": { + "type": "string", + "description": "Common Platform Enumeration (CPE) Name in 2.3 format", + "pattern": "(cpe:2\\.3:[aho*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){4})", + "minLength": 1, + "maxLength": 2048 + }, "orgId": { "description": "A UUID for an organization participating in the CVE program. This UUID can be used to lookup the organization record in the user registry service.", "$ref": "#/definitions/uuidType" 
@@ -244,15 +258,12 @@ }, "cpes": { "type": "array", - "description": "Affected products defined by CPE. This is an array of CPE values (vulnerable and not), we use an array so that we can make multiple statements about the same version and they are separate (if we used a JSON object we'd essentially be keying on the CPE name and they would have to overlap). Also, this allows things like cveDataVersion or cveDescription to be applied directly to the product entry. This also allows more complex statements such as \"Product X between versions 10.2 and 10.8\" to be put in a machine-readable format. As well since multiple statements can be used multiple branches of the same product can be defined here.", + "description": "Affected products defined by CPE. This is an array of CPE values (vulnerable and not), we use an array so that we can make multiple statements about the same version and they are separate (if we used a JSON object we'd essentially be keying on the CPE name and they would have to overlap). Also, this allows things like cveDataVersion or cveDescription to be applied directly to the product entry. This also allows more complex statements such as \"Product X between versions 10.2 and 10.8\" to be put in a machine-readable format. As well since multiple statements can be used multiple branches of the same product can be defined here. 
NOTE: Consider using the newer cpeApplicability block for defining CPE data using the CPE Applicability Language which includes more options for defining CPE Names.", "uniqueItems": true, "items": { "title": "CPE Name", - "type": "string", "description": "Common Platform Enumeration (CPE) Name in either 2.2 or 2.3 format", - "pattern": "([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9._\\-~%]*){0,6})|(cpe:2\\.3:[aho*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){4})", - "minLength": 1, - "maxLength": 2048 + "$ref": "#/definitions/cpe22and23" } }, "modules": { @@ -445,7 +456,7 @@ "description": "The version of the CVE schema used for validating this record. Used to support multiple versions of this format.", "type": "string", "pattern": "^5\\.(0|[1-9][0-9]*)(\\.(0|[1-9][0-9]*))?$", - "default": "5.1.0" + "default": "5.1.1" }, "cveMetadataPublished": { "description": "This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, the current state (PUBLISHED, REJECTED, etc.) and so on. These fields are controlled by the CVE Services.", 
@@ -573,6 +584,87 @@ ], "additionalProperties": false }, + "cpeApplicabilityElement": { + "description": "Affected products defined using an implementation of the CPE Applicability Language, mostly copied/forked from the NIST NVD CVE API v2.0 schema (optional). An operator property allows AND or OR logic between CPEs or combinations of CPEs. The negate and vulnerable Boolean properties allow CPEs to be inverted and/or defined as vulnerable or not. Multiple version fields are provided for capturing ranges of products when defining a CPE Match String Range. NOTE: When defining a cpeApplicability block, it is recommended that it align with (as much as possible) the product data provided within the affected block.", + "properties": { + "operator": { + "type": "string", + "enum": [ + "AND", + "OR" + ] + }, + "negate": { + "type": "boolean" + }, + "nodes": { + "type": "array", + "items": { + "$ref": "#/definitions/cpe_node" + } + } + }, + "required": [ + "nodes" + ] + }, + "cpe_node": { + "description": "Defines a CPE configuration node in an applicability statement.", + "properties": { + "operator": { + "type": "string", + "enum": [ + "AND", + "OR" + ] + }, + "negate": { + "type": "boolean" + }, + "cpeMatch": { + "type": "array", + "items": { + "$ref": "#/definitions/cpe_match" + } + } + }, + "required": [ + "operator", + "cpeMatch" + ] + }, + "cpe_match": { + "description": "CPE match string or range", + "type": "object", + "properties": { + "vulnerable": { + "type": "boolean" + }, + "criteria": { + "$ref": "#/definitions/cpe23" + }, + "matchCriteriaId": { + "$ref": "#/definitions/uuidType" + }, + "versionStartExcluding": { + "$ref": "#/definitions/version" + }, + "versionStartIncluding": { + "$ref": "#/definitions/version" + }, + "versionEndExcluding": { + "$ref": "#/definitions/version" + }, + "versionEndIncluding": { + "$ref": "#/definitions/version" + } + }, + "required": [ + "vulnerable", + "criteria" + ], + "additionalProperties": false + }, 
"cnaPublishedContainer": { "description": "An object containing the vulnerability information provided by a CVE Numbering Authority (CNA) for a published CVE ID. There can only be one CNA container per CVE record since there can only be one assigning CNA. The CNA container must include the required information defined in the CVE Rules, which includes a product, version, problem type, prose description, and a reference.", "type": "object", @@ -600,6 +692,12 @@ "affected": { "$ref": "#/definitions/affected" }, + "cpeApplicability": { + "type": "array", + "items": { + "$ref": "#/definitions/cpeApplicabilityElement" + } + }, "problemTypes": { "$ref": "#/definitions/problemTypes" }, @@ -706,6 +804,12 @@ "affected": { "$ref": "#/definitions/affected" }, + "cpeApplicability": { + "type": "array", + "items": { + "$ref": "#/definitions/cpeApplicabilityElement" + } + }, "problemTypes": { "$ref": "#/definitions/problemTypes" }, @@ -973,6 +1077,11 @@ "cvssV2_0" ] }, + { + "required": [ + "ssvcV1_0_1" + ] + }, { "required": [ "other" 
@@ -3057,6 +3166,119 @@ ], "additionalProperties": false }, + "ssvcV1_0_1": { + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$defs": { + "id": { + "type": "string", + "description": "Identifier for a vulnerability could be CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.", + "examples": [ + "CVE-1900-1234", + "VU#11111", + "GHSA-11a1-22b2-33c3" + ] + }, + "role": { + "type": "string", + "description": "Roles to define SSVC Stakeholders https://certcc.github.io/SSVC/topics/enumerating_stakeholders/", + "examples": [ + "Supplier", + "Deployer", + "Coordinator" + ] + }, + "timestamp": { + "description": "Date and time in ISO format ISO 8601 format", + "type": "string", + "format": "date-time" + }, + "schemaVersion": { + "description": "Schema version used to represent this evaluation", + "type": "string", + "enum": [ + "1-0-1" + ] + }, + "SsvcdecisionpointselectionSchema": { + "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability", + "properties": { + "name": { + "description": "Name of the Decision Point that were evaluated", + "title": "name", + "type": "string", + "examples": [ + "Automatable", + "Exploitation" + ] + }, + "namespace": { + "description": "SSVC Namespace that were used for defining the evaluated Decision Points", + "title": "namespace", + "type": "string", + "examples": [ + "ssvc", + "cvssv4" + ] + }, + "values": { + "description": "Evaluated values of the Decision Point", + "title": "values", + "type": "array", + "minItems": 1, + "items": { + "description": "Each value that were down-selected for a Decision Point", + "title": "values", + "type": "string" + } + }, + "version": { + "description": "Version of the Decision Points that were evaluated", + "title": "version", + "type": "string" + } + }, + "type": "object", + "required": [ + "name", + "namespace", + "values", + "version" + ], + "additionalProperties": false + } + }, + "properties": { + "id": { + "$ref": 
"#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/id" + }, + "role": { + "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/role" + }, + "schemaVersion": { + "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/schemaVersion" + }, + "timestamp": { + "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/timestamp" + }, + "selections": { + "description": "An array of Decision Points and their Values that were down-selected or evaluated ", + "title": "selections", + "type": "array", + "minItems": 1, + "items": { + "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/SsvcdecisionpointselectionSchema" + } + } + }, + "type": "object", + "required": [ + "selections", + "id", + "timestamp", + "schemaVersion" + ], + "additionalProperties": false + }, "other": { "type": "object", "description": "A non-standard impact description, may be prose or JSON block.", diff --git a/schema/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json b/schema/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json index db7dffd02c..596b73e620 100644 --- a/schema/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json +++ b/schema/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json @@ -1,8 +1,8 @@ { "$schema": "http://json-schema.org/draft-07/schema#", "$id": "https://cveproject.github.io/cve-schema/schema/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json", - "title": "CVE JSON cnaPublishedContainer sub schema", - "description": "CVE JSON cnaPublishedContainer format", + "title": "CVE Record Format cnaPublishedContainer sub schema", + "description": "CVE Record Format cnaPublishedContainer format", "definitions": { "uriType": { "description": "A universal resource identifier (URI), according to [RFC 3986](https://tools.ietf.org/html/rfc3986).", 
@@ -79,6 +79,20 @@ "type": "string", "pattern": "^CVE-[0-9]{4}-[0-9]{4,19}$" }, + "cpe22and23": { + "type": "string", + "description": "Common Platform Enumeration (CPE) Name in either 2.2 or 2.3 format", + "pattern": "([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9._\\-~%]*){0,6})|(cpe:2\\.3:[aho*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){4})", + "minLength": 1, + "maxLength": 2048 + }, + "cpe23": { + "type": "string", + "description": "Common Platform Enumeration (CPE) Name in 2.3 format", + "pattern": "(cpe:2\\.3:[aho*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){4})", + "minLength": 1, + "maxLength": 2048 + }, "orgId": { "description": "A UUID for an organization participating in the CVE program. This UUID can be used to lookup the organization record in the user registry service.", "$ref": "#/definitions/uuidType" 
@@ -244,15 +258,12 @@ }, "cpes": { "type": "array", - "description": "Affected products defined by CPE. This is an array of CPE values (vulnerable and not), we use an array so that we can make multiple statements about the same version and they are separate (if we used a JSON object we'd essentially be keying on the CPE name and they would have to overlap). Also, this allows things like cveDataVersion or cveDescription to be applied directly to the product entry. This also allows more complex statements such as \"Product X between versions 10.2 and 10.8\" to be put in a machine-readable format. As well since multiple statements can be used multiple branches of the same product can be defined here.", + "description": "Affected products defined by CPE. This is an array of CPE values (vulnerable and not), we use an array so that we can make multiple statements about the same version and they are separate (if we used a JSON object we'd essentially be keying on the CPE name and they would have to overlap). Also, this allows things like cveDataVersion or cveDescription to be applied directly to the product entry. This also allows more complex statements such as \"Product X between versions 10.2 and 10.8\" to be put in a machine-readable format. As well since multiple statements can be used multiple branches of the same product can be defined here. 
NOTE: Consider using the newer cpeApplicability block for defining CPE data using the CPE Applicability Language which includes more options for defining CPE Names.", "uniqueItems": true, "items": { "title": "CPE Name", - "type": "string", "description": "Common Platform Enumeration (CPE) Name in either 2.2 or 2.3 format", - "pattern": "([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9._\\-~%]*){0,6})|(cpe:2\\.3:[aho*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){4})", - "minLength": 1, - "maxLength": 2048 + "$ref": "#/definitions/cpe22and23" } }, "modules": { @@ -445,7 +456,7 @@ "description": "The version of the CVE schema used for validating this record. Used to support multiple versions of this format.", "type": "string", "pattern": "^5\\.(0|[1-9][0-9]*)(\\.(0|[1-9][0-9]*))?$", - "default": "5.1.0" + "default": "5.1.1" }, "cveMetadataPublished": { "description": "This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, the current state (PUBLISHED, REJECTED, etc.) and so on. These fields are controlled by the CVE Services.", 
@@ -573,6 +584,87 @@ ], "additionalProperties": false }, + "cpeApplicabilityElement": { + "description": "Affected products defined using an implementation of the CPE Applicability Language, mostly copied/forked from the NIST NVD CVE API v2.0 schema (optional). An operator property allows AND or OR logic between CPEs or combinations of CPEs. The negate and vulnerable Boolean properties allow CPEs to be inverted and/or defined as vulnerable or not. Multiple version fields are provided for capturing ranges of products when defining a CPE Match String Range. NOTE: When defining a cpeApplicability block, it is recommended that it align with (as much as possible) the product data provided within the affected block.", + "properties": { + "operator": { + "type": "string", + "enum": [ + "AND", + "OR" + ] + }, + "negate": { + "type": "boolean" + }, + "nodes": { + "type": "array", + "items": { + "$ref": "#/definitions/cpe_node" + } + } + }, + "required": [ + "nodes" + ] + }, + "cpe_node": { + "description": "Defines a CPE configuration node in an applicability statement.", + "properties": { + "operator": { + "type": "string", + "enum": [ + "AND", + "OR" + ] + }, + "negate": { + "type": "boolean" + }, + "cpeMatch": { + "type": "array", + "items": { + "$ref": "#/definitions/cpe_match" + } + } + }, + "required": [ + "operator", + "cpeMatch" + ] + }, + "cpe_match": { + "description": "CPE match string or range", + "type": "object", + "properties": { + "vulnerable": { + "type": "boolean" + }, + "criteria": { + "$ref": "#/definitions/cpe23" + }, + "matchCriteriaId": { + "$ref": "#/definitions/uuidType" + }, + "versionStartExcluding": { + "$ref": "#/definitions/version" + }, + "versionStartIncluding": { + "$ref": "#/definitions/version" + }, + "versionEndExcluding": { + "$ref": "#/definitions/version" + }, + "versionEndIncluding": { + "$ref": "#/definitions/version" + } + }, + "required": [ + "vulnerable", + "criteria" + ], + "additionalProperties": false + }, 
"cnaPublishedContainer": { "description": "An object containing the vulnerability information provided by a CVE Numbering Authority (CNA) for a published CVE ID. There can only be one CNA container per CVE record since there can only be one assigning CNA. The CNA container must include the required information defined in the CVE Rules, which includes a product, version, problem type, prose description, and a reference.", "type": "object", @@ -600,6 +692,12 @@ "affected": { "$ref": "#/definitions/affected" }, + "cpeApplicability": { + "type": "array", + "items": { + "$ref": "#/definitions/cpeApplicabilityElement" + } + }, "problemTypes": { "$ref": "#/definitions/problemTypes" }, @@ -706,6 +804,12 @@ "affected": { "$ref": "#/definitions/affected" }, + "cpeApplicability": { + "type": "array", + "items": { + "$ref": "#/definitions/cpeApplicabilityElement" + } + }, "problemTypes": { "$ref": "#/definitions/problemTypes" }, @@ -973,6 +1077,11 @@ "cvssV2_0" ] }, + { + "required": [ + "ssvcV1_0_1" + ] + }, { "required": [ "other" 
@@ -3057,6 +3166,119 @@ ], "additionalProperties": false }, + "ssvcV1_0_1": { + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$defs": { + "id": { + "type": "string", + "description": "Identifier for a vulnerability could be CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.", + "examples": [ + "CVE-1900-1234", + "VU#11111", + "GHSA-11a1-22b2-33c3" + ] + }, + "role": { + "type": "string", + "description": "Roles to define SSVC Stakeholders https://certcc.github.io/SSVC/topics/enumerating_stakeholders/", + "examples": [ + "Supplier", + "Deployer", + "Coordinator" + ] + }, + "timestamp": { + "description": "Date and time in ISO format ISO 8601 format", + "type": "string", + "format": "date-time" + }, + "schemaVersion": { + "description": "Schema version used to represent this evaluation", + "type": "string", + "enum": [ + "1-0-1" + ] + }, + "SsvcdecisionpointselectionSchema": { + "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability", + "properties": { + "name": { + "description": "Name of the Decision Point that were evaluated", + "title": "name", + "type": "string", + "examples": [ + "Automatable", + "Exploitation" + ] + }, + "namespace": { + "description": "SSVC Namespace that were used for defining the evaluated Decision Points", + "title": "namespace", + "type": "string", + "examples": [ + "ssvc", + "cvssv4" + ] + }, + "values": { + "description": "Evaluated values of the Decision Point", + "title": "values", + "type": "array", + "minItems": 1, + "items": { + "description": "Each value that were down-selected for a Decision Point", + "title": "values", + "type": "string" + } + }, + "version": { + "description": "Version of the Decision Points that were evaluated", + "title": "version", + "type": "string" + } + }, + "type": "object", + "required": [ + "name", + "namespace", + "values", + "version" + ], + "additionalProperties": false + } + }, + "properties": { + "id": { + "$ref": 
"#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/id" + }, + "role": { + "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/role" + }, + "schemaVersion": { + "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/schemaVersion" + }, + "timestamp": { + "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/timestamp" + }, + "selections": { + "description": "An array of Decision Points and their Values that were down-selected or evaluated ", + "title": "selections", + "type": "array", + "minItems": 1, + "items": { + "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/SsvcdecisionpointselectionSchema" + } + } + }, + "type": "object", + "required": [ + "selections", + "id", + "timestamp", + "schemaVersion" + ], + "additionalProperties": false + }, "other": { "type": "object", "description": "A non-standard impact description, may be prose or JSON block.", diff --git a/schema/docs/CVE_Record_Format_bundled_cnaRejectedContainer.json b/schema/docs/CVE_Record_Format_bundled_cnaRejectedContainer.json index bfb1d9e476..9935bc01da 100644 --- a/schema/docs/CVE_Record_Format_bundled_cnaRejectedContainer.json +++ b/schema/docs/CVE_Record_Format_bundled_cnaRejectedContainer.json @@ -1077,6 +1077,11 @@ "cvssV2_0" ] }, + { + "required": [ + "ssvcV1_0_1" + ] + }, { "required": [ "other" 
@@ -3161,6 +3166,119 @@ ], "additionalProperties": false }, + "ssvcV1_0_1": { + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$defs": { + "id": { + "type": "string", + "description": "Identifier for a vulnerability could be CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.", + "examples": [ + "CVE-1900-1234", + "VU#11111", + "GHSA-11a1-22b2-33c3" + ] + }, + "role": { + "type": "string", + "description": "Roles to define SSVC Stakeholders https://certcc.github.io/SSVC/topics/enumerating_stakeholders/", + "examples": [ + "Supplier", + "Deployer", + "Coordinator" + ] + }, + "timestamp": { + "description": "Date and time in ISO format ISO 8601 format", + "type": "string", + "format": "date-time" + }, + "schemaVersion": { + "description": "Schema version used to represent this evaluation", + "type": "string", + "enum": [ + "1-0-1" + ] + }, + "SsvcdecisionpointselectionSchema": { + "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability", + "properties": { + "name": { + "description": "Name of the Decision Point that were evaluated", + "title": "name", + "type": "string", + "examples": [ + "Automatable", + "Exploitation" + ] + }, + "namespace": { + "description": "SSVC Namespace that were used for defining the evaluated Decision Points", + "title": "namespace", + "type": "string", + "examples": [ + "ssvc", + "cvssv4" + ] + }, + "values": { + "description": "Evaluated values of the Decision Point", + "title": "values", + "type": "array", + "minItems": 1, + "items": { + "description": "Each value that were down-selected for a Decision Point", + "title": "values", + "type": "string" + } + }, + "version": { + "description": "Version of the Decision Points that were evaluated", + "title": "version", + "type": "string" + } + }, + "type": "object", + "required": [ + "name", + "namespace", + "values", + "version" + ], + "additionalProperties": false + } + }, + "properties": { + "id": { + "$ref": 
"#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/id"
+ },
+ "role": {
+ "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/role"
+ },
+ "schemaVersion": {
+ "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/schemaVersion"
+ },
+ "timestamp": {
+ "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/timestamp"
+ },
+ "selections": {
+ "description": "An array of Decision Points and their Values that were down-selected or evaluated ",
+ "title": "selections",
+ "type": "array",
+ "minItems": 1,
+ "items": {
+ "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/SsvcdecisionpointselectionSchema"
+ }
+ }
+ },
+ "type": "object",
+ "required": [
+ "selections",
+ "id",
+ "timestamp",
+ "schemaVersion"
+ ],
+ "additionalProperties": false
+ },
 "other": {
 "type": "object",
 "description": "A non-standard impact description, may be prose or JSON block.",
diff --git a/schema/imports/ssvc/ssvc-v1.0.1.json b/schema/imports/ssvc/ssvc-v1.0.1.json
index ca86032e49..59022e040b 100644
--- a/schema/imports/ssvc/ssvc-v1.0.1.json
+++ b/schema/imports/ssvc/ssvc-v1.0.1.json
@@ -1,11 +1,11 @@
 {
- "$schema": "http://json-schema.org/draft-07/schema#",
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
 "$id": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json",
- "definitions": {
+ "$defs": {
 "id": {
 "type": "string",
 "description": "Identifier for a vulnerability could be CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.",
- "examples": ["CVE-2024-101010","VU#11111","GHSA-11a1-22b2-33c3"]
+ "examples": ["CVE-1900-1234","VU#11111","GHSA-11a1-22b2-33c3"]
 },
 "role": {
 "type": "string",
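Review bot: The `$id` context line still identifies this file as the upstream CERT/CC `Decision_Point_Value_Selection-1-0-1` schema, while the hunk changes its dialect to 2020-12, renames `definitions` to `$defs` and alters an example, so the vendored copy no longer matches the document its `$id` names. Recording that next to `$id`, e.g. `"$comment": "Vendored from the CERT/CC SSVC 1.0.1 schema; $schema, $defs and examples adjusted for embedding in the CVE Record Format",`, tells the next maintainer which differences are deliberate before they re-sync from upstream. The bundled copies later in this series (the `ssvcV1_0_1` definition in the `schema/docs/*_bundled*.json` hunks) carry this `$schema` into a subschema that has no `$id`, inside a root that appears to be draft-07 (it uses `definitions`); both drafts only permit `$schema` at a resource root, so whether the 2020-12 dialect is honored there, ignored, or rejected depends on the bundler and the validator and is worth confirming with the ajv-cli version pinned in tools/cve-schema-test.sh.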
@@ -65,34 +65,34 @@
 }
 },
 "properties": {
- "id": {
- "$ref": "#/definitions/id"
- },
- "role": {
- "$ref": "#/definitions/role"
- },
- "schemaVersion": {
- "$ref": "#/definitions/schemaVersion"
- },
- "timestamp": {
- "$ref": "#/definitions/timestamp"
- },
- "selections": {
- "description" : "An array of Decision Points and their Values that were down-selected or evaluated ",
- "title": "selections",
- "type": "array",
- "minItems": 1,
- "items": {
- "$ref": "#/definitions/SsvcdecisionpointselectionSchema"
- }
- }
+ "id": {
+ "$ref": "#/$defs/id"
+ },
+ "role": {
+ "$ref": "#/$defs/role"
+ },
+ "schemaVersion": {
+ "$ref": "#/$defs/schemaVersion"
+ },
+ "timestamp": {
+ "$ref": "#/$defs/timestamp"
+ },
+ "selections": {
+ "description" : "An array of Decision Points and their Values that were down-selected or evaluated ",
+ "title": "selections",
+ "type": "array",
+ "minItems": 1,
+ "items": {
+ "$ref": "#/$defs/SsvcdecisionpointselectionSchema"
+ }
+ }
 },
- "type": "object",
- "required": [
- "selections",
- "id",
- "timestamp",
- "schemaVersion"
- ],
- "additionalProperties": false
+ "type": "object",
+ "required": [
+ "selections",
+ "id",
+ "timestamp",
+ "schemaVersion"
+ ],
+ "additionalProperties": false
 }
diff --git a/tools/cve-schema-test.sh b/tools/cve-schema-test.sh
new file mode 100644
index 0000000000..4fed61ba6a
--- /dev/null
+++ b/tools/cve-schema-test.sh
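Review bot: The rewritten `selections` line keeps a space before the colon (`"description" : …`) and a trailing space inside the value (`… or evaluated "`), unlike every other key in this file; since the hunk already touches the line, `"description": "An array of Decision Points and their Values that were down-selected or evaluated",` fixes both, and the trailing space otherwise propagates into every bundled copy generated from this import. The remaining lines of the hunk change only indentation; the substantive change is the five `#/definitions/…` references becoming `#/$defs/…`, which a whitespace-ignoring diff would show on its own.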
@@ -0,0 +1,15 @@
+#!/bin/bash
+set -e
+npm install --loglevel verbose -g yargs ajv-formats@"^1.5.x" ajv-cli@"^4.0.x"
+REPO_DIR=`pwd`
+CVE_SCHEMA_DIR=$REPO_DIR/schema
+CVE_SCHEMA_FILENAME=CVE_Record_Format.json
+npm --prefix "${CVE_SCHEMA_DIR}/support/schema2markmap" install "${CVE_SCHEMA_DIR}/support/schema2markmap"
+sed 's/file\://g' "${CVE_SCHEMA_DIR}/${CVE_SCHEMA_FILENAME}" > "${CVE_SCHEMA_DIR}/cve-schema.json"
+node "${CVE_SCHEMA_DIR}/support/schema2markmap/schema-bundle.js" "${CVE_SCHEMA_DIR}/cve-schema.json" "${CVE_SCHEMA_DIR}/docs/"
+ajv compile -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled.json"
+ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled.json" -d "${CVE_SCHEMA_DIR}/docs/full-record-basic-example.json"
+ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled.json" -d "${CVE_SCHEMA_DIR}/docs/full-record-advanced-example.json"
+ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json" -d "${CVE_SCHEMA_DIR}/docs/cnaContainer-advanced-example.json"
+ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json" -d "${CVE_SCHEMA_DIR}/docs/cnaContainer-basic-example.json"
+
From 23f88a750ce967bc7dfda8bb452fe53b9050e415 Mon Sep 17 00:00:00 2001
From: Vijay Sarvepalli
Date: Fri, 17 Jan 2025 13:19:04 -0500
Subject: [PATCH 12/12] Updated README.MD
---
 README.md | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/README.md b/README.md
index e191b53e73..7f094f0f1f 100644
--- a/README.md
+++ b/README.md
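Review bot: Line 3's `npm install --loglevel verbose -g yargs ajv-formats@"^1.5.x" ajv-cli@"^4.0.x"` installs floating versions into the contributor's global npm prefix on every run, so the validation result depends on whatever is published at run time and the script changes machine state outside the repository; declaring exact versions in a package.json with a committed lockfile, installing with `npm ci`, and invoking the tools via `npx ajv …` keeps the check reproducible and local. `set -e` alone does not fail on unset variables or on errors inside a pipeline, and `REPO_DIR=\`pwd\`` assumes the script is run from the repository root; `set -euo pipefail` and `REPO_DIR=$(cd "$(dirname "$0")/.." && pwd)` make it safe to run from any directory. Since the SSVC import now declares draft 2020-12 and, as far as I can tell, ajv-cli 4.x predates the Ajv release that added that dialect, it is worth confirming whether `ajv compile` on the bundle actually applies 2020-12 semantics or silently compiles the embedded schema under draft-07.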
@@ -41,3 +41,10 @@ An advanced example of a full record in the 5.1.1 format is available at https:/
 A basic example of a cnaContainer, to be used with CVE Services, is available at https://github.com/cveproject/cve-schema/blob/master/schema/docs/cnaContainer-basic-example.json
 An advanced example of a cnaContainer, to be used with CVE Services, is available at https://github.com/cveproject/cve-schema/blob/master/schema/docs/cnaContainer-advanced-example.json
+
+### Running Tests
+
+Before submitting a Pull Request (PR) with your proposed schema changes, it is recommended to run the tools/cve-schema-test.sh script (written in Bash) to ensure there are no errors. This helps prevent your PR from being rejected due to formatting issues when GitHub's workflow tools are executed.
+
+Please note that any files created by this script will be overwritten when GitHub's workflow runs on the PR. This step is mandatory before the CVE Schema Working Group can review your suggestions.
+