From 03c244747c6301868584e600875e3bafa99d2288 Mon Sep 17 00:00:00 2001 From: Chandan Date: Tue, 25 May 2021 13:10:48 -0700 Subject: [PATCH 1/3] Remove extraneous description field from Rejected cveMetadata --- schema/v5.0/CVE_JSON_5.0.schema | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/schema/v5.0/CVE_JSON_5.0.schema b/schema/v5.0/CVE_JSON_5.0.schema index dc8c6df0873..d9e53029d59 100644 --- a/schema/v5.0/CVE_JSON_5.0.schema +++ b/schema/v5.0/CVE_JSON_5.0.schema @@ -400,8 +400,7 @@ "description": "State of CVE - PUBLISHED, RESERVED, REJECTED", "enum": ["REJECTED"] - }, - "descriptions": {"$ref": "#/definitions/descriptions"} + } }, "additionalProperties": false }, From 56e38ed951b59863c4cc4a97991a61862980e512 Mon Sep 17 00:00:00 2001 From: Chandan Date: Tue, 25 May 2021 14:58:17 -0700 Subject: [PATCH 2/3] Update example --- schema/v5.0/docs/basic-example.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schema/v5.0/docs/basic-example.json b/schema/v5.0/docs/basic-example.json index e05baae5703..b3ab7d67397 100644 --- a/schema/v5.0/docs/basic-example.json +++ b/schema/v5.0/docs/basic-example.json @@ -5,7 +5,7 @@ "id": "CVE-2015-3000", "assigner": "9a527a5d-c98f-4910-8fa2-f6a927fa3ce3", "assignerShortName": "mitre", - "state": "PUBLIC" + "state": "PUBLISHED" }, "containers": { "cna": { From be20690297c12f48f958540edfa5770e940f554f Mon Sep 17 00:00:00 2001 From: Chandan Date: Tue, 25 May 2021 14:58:29 -0700 Subject: [PATCH 3/3] Update docs --- schema/v5.0/docs/index.html | 8 ++++---- schema/v5.0/docs/mindmap.html | 25 +++++++++++++++++++++++++ 2 files changed, 29 insertions(+), 4 deletions(-) create mode 100644 schema/v5.0/docs/mindmap.html diff --git a/schema/v5.0/docs/index.html b/schema/v5.0/docs/index.html index ecc4d5ec790..c4aa7c20954 100644 --- a/schema/v5.0/docs/index.html +++ b/schema/v5.0/docs/index.html @@ -1,4 +1,4 @@ - CVE JSON record format

CVE JSON record format


cve-schema specifies the CVE JSON record format. This is the blueprint for a rich set of JSON data that can be submitted by CVE Numbering Authorities (CNAs) and Authorized Data Publishers (ADPs) to describe a CVE record. Some examples of CVE record data include CVE ID number, affected product(s), affected version(s), and public references. While those specific items are required when assigning a CVE, there are many other optional data in the schema that can be used to enrich CVE records for community benefit. Learn more about the CVE program at the official website. This CVE JSON record format is defined using JSON Schema. Learn more about JSON Schema here.

Type: object

When a CNA populates the data associated with a CVE ID as a CVE Record, the state of the CVE Record is Published.

No Additional Properties

Type: enum (of string)

Indicates the type of information represented in the JSON instance.

Must be one of:

  • "CVE_RECORD"

Type: enum (of string)

The version of the schema being used. Used to support multiple versions of this format.

Must be one of:

  • "5.0"

Type: object

This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, when it was assigned, the current state (PUBLIC, REJECT, etc.) and so on.

No Additional Properties

Type: string

The CVE identifier that this record pertains to.

Must match regular expression: ^CVE-[0-9]{4}-[0-9]{4,19}$

Type: string

the UUID for the organization to which the CVE ID was originally assigned. This UUID can be used to lookup the organization record in the user registry service.

Must match regular expression: ^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$

Type: string

the short name for the organization to which the CVE ID was originally assigned

Must be at least 3 characters long

Must be at most 12 characters long

Type: string

the user that requested the CVE identifier

Same definition as assigner

Type: string

the date/time the record was last updated

Must match regular expression: ^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})?$

Type: integer

starts at 1, add 1 every time an entry is updated or changed

Value must be greater or equal to 1

Type: string

the date/time this issue was requested

Same definition as updated

Type: string

the date/time this was assigned

Same definition as updated

Type: string

if known, the date/time the vulnerability was disclosed publicly.

Same definition as updated

Type: array

an array of CVE IDs

Must contain a minimum of 1 items

All items must be unique

Each item of this array must be:

Type: enum (of string)

State of CVE - PUBLIC, RESERVED, REJECT

Must be one of:

  • "PUBLIC"

Type: string

Short title - if the description is long we may want a short title to refer to

Must be at least 1 characters long

Must be at most 128 characters long

Type: object

A set of structures (called containers) used to store vulnerability information related to a specific CVE ID provided by a specific organization participating in the CVE program. Each container includes information provided by a different source.

At minimum, a 'cna' container containing the vulnerability information provided by the CNA who initially assigned the CVE ID must be included.

There can only be one 'cna' container, as there can only be one assigning CNA. However, there can be multiple 'adp' containers, allowing multiple organizations participating in the CVE program to add additional information related to the vulnerability. For the most part, the 'cna' and 'adp' containers contain the same properties. The main differences are the source of the information and the 'cna' container requires the CNA include certain fields, while the 'adp' container does not.

No Additional Properties

Type: object

An object containing the vulnerability information provided by a CVE Numbering Authority (CNA). There can only be one CNA container per CVE record since there can only be one assigning CNA. The CNA container must include the required information defined in the CVE Rules, which includes a product, version, problem type, prose description, and a reference.

Type: object

will be updated to coordinate with CVE user registry, current identifier is an email address.

Type: string

the container provider's organizational UUID

Same definition as assigner

Type: string

the container provider's organizational short name

Same definition as assignerShortName

Type: string

Timestamp to be set by the system of record at time of submission. If updated is provided to the system of record it will be replaced by the current timestamp at the time of submission. If a provider has multiple contributions, they shall be consolidated to a final single contribution before submission, or the system of record will reject the input with, Rejected – simultaneous contributions by a single provider.

Same definition as updated

Type: array of object

multi-lingual description of the vulnerability

Same definition as descriptions

Type: object

CVE affects, there must be at least one defined vulnerable product either in the form of a text description (via data defined in vendors, product, version) OR a affectsCpe.

No Additional Properties

Type: array of object

This is the container for affected vendors, it only goes in the affects container.

Must contain a minimum of 1 items

All items must be unique

Each item of this array must be:

Type: object

Type: string

Name of the vendor that produced this product.

Must be at least 1 characters long

Must be at most 512 characters long

Type: array

This is the container for affected technologies, products, hardware, etc.

Must contain a minimum of 1 items

All items must be unique

Each item of this array must be:

Type: object

Provides information about the set of products and services affected by this vulnerability.

Type: string

Name of the affected product.

Must be at least 1 characters long

Must be at most 2058 characters long

Type: array of string

A list of the affected components, features, modules, sub-components, sub-products, APIs, commands, utilities, programs, or functionalities (optional)

All items must be unique

Each item of this array must be:

Type: string

Name of the affected component, feature, module, sub-component, sub-product, API, command, utility, program, or functionality (optional).

Must be at least 1 characters long

Must be at most 4000 characters long

Type: array

A list of the affected source code files (optional)

All items must be unique

Each item of this array must be:

Type: string

Name or path or location of the affected source code file in RFC3986 compliant format (optional).

Same definition as collectionURL

Type: array of string

A list of the affected source code functions, methods, subroutines, or procedures (optional).

All items must be unique

Each item of this array must be:

Type: string

Name of the affected source code file, function, method, subroutine, or procedure (optional).

Must be at least 1 characters long

Must be at most 4000 characters long

Type: string

Name or identifier of the affected software package as used in the package collection (optional).

Must be at least 1 characters long

Must be at most 2058 characters long

Type: string

A URL that, among the users of the software package collection, is considered the most popular starting point for accessing the collection (optional).

Must be at least 1 characters long


Examples:

"https://access.redhat.com/downloads/content/package-browser"
+ CVE JSON record format 

CVE JSON record format


cve-schema specifies the CVE JSON record format. This is the blueprint for a rich set of JSON data that can be submitted by CVE Numbering Authorities (CNAs) and Authorized Data Publishers (ADPs) to describe a CVE record. Some examples of CVE record data include CVE ID number, affected product(s), affected version(s), and public references. While those specific items are required when assigning a CVE, there are many other optional data in the schema that can be used to enrich CVE records for community benefit. Learn more about the CVE program at the official website. This CVE JSON record format is defined using JSON Schema. Learn more about JSON Schema here.

Type: object

When a CNA populates the data associated with a CVE ID as a CVE Record, the state of the CVE Record is Published.

No Additional Properties

Type: enum (of string)

Indicates the type of information represented in the JSON instance.

Must be one of:

  • "CVE_RECORD"

Type: enum (of string)

The version of the schema being used. Used to support multiple versions of this format.

Must be one of:

  • "5.0"

Type: object

This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, when it was assigned, the current state (RESERVED, PUBLISHED, or REJECTED) and so on.

No Additional Properties

Type: string

The CVE identifier that this record pertains to.

Must match regular expression: ^CVE-[0-9]{4}-[0-9]{4,19}$

Type: string

the UUID for the organization to which the CVE ID was originally assigned. This UUID can be used to lookup the organization record in the user registry service.

Must match regular expression: ^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$

Type: string

the short name for the organization to which the CVE ID was originally assigned

Must be at least 3 characters long

Must be at most 12 characters long

Type: string

the user that requested the CVE identifier

Same definition as assigner

Type: string

the date/time the record was last updated

Must match regular expression: ^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})?$

Type: integer

starts at 1, add 1 every time an entry is updated or changed

Value must be greater or equal to 1

Type: string

the date/time this issue was requested

Same definition as updated

Type: string

the date/time this was assigned

Same definition as updated

Type: string

if known, the date/time the vulnerability was disclosed publicly.

Same definition as updated

Type: array

an array of CVE IDs

Must contain a minimum of 1 items

All items must be unique

Each item of this array must be:

Type: enum (of string)

State of CVE - PUBLISHED, RESERVED, REJECTED

Must be one of:

  • "PUBLISHED"

Type: string

Short title - if the description is long we may want a short title to refer to

Must be at least 1 characters long

Must be at most 128 characters long

Type: object

A set of structures (called containers) used to store vulnerability information related to a specific CVE ID provided by a specific organization participating in the CVE program. Each container includes information provided by a different source.

At minimum, a 'cna' container containing the vulnerability information provided by the CNA who initially assigned the CVE ID must be included.

There can only be one 'cna' container, as there can only be one assigning CNA. However, there can be multiple 'adp' containers, allowing multiple organizations participating in the CVE program to add additional information related to the vulnerability. For the most part, the 'cna' and 'adp' containers contain the same properties. The main differences are the source of the information and the 'cna' container requires the CNA include certain fields, while the 'adp' container does not.

No Additional Properties

Type: object

An object containing the vulnerability information provided by a CVE Numbering Authority (CNA). There can only be one CNA container per CVE record since there can only be one assigning CNA. The CNA container must include the required information defined in the CVE Rules, which includes a product, version, problem type, prose description, and a reference.

Type: object

will be updated to coordinate with CVE user registry, current identifier is an email address.

Type: string

the container provider's organizational UUID

Same definition as assigner

Type: string

the container provider's organizational short name

Same definition as assignerShortName

Type: string

Timestamp to be set by the system of record at time of submission. If updated is provided to the system of record it will be replaced by the current timestamp at the time of submission. If a provider has multiple contributions, they shall be consolidated to a final single contribution before submission, or the system of record will reject the input with, Rejected – simultaneous contributions by a single provider.

Same definition as updated

Type: array

A list of multi-lingual descriptions of the vulnerability. E.g., [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]. OR [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] [ROOT CAUSE], which allows [ATTACKER] to [IMPACT] via [VECTOR].

Same definition as descriptions

Type: object

CVE affects, there must be at least one defined vulnerable product either in the form of a text description (via data defined in vendors, product, version) OR a affectsCpe.

No Additional Properties

Type: array of object

This is the container for affected vendors, it only goes in the affects container.

Must contain a minimum of 1 items

All items must be unique

Each item of this array must be:

Type: object

Type: string

Name of the vendor that produced this product.

Must be at least 1 characters long

Must be at most 512 characters long

Type: array

This is the container for affected technologies, products, hardware, etc.

Must contain a minimum of 1 items

All items must be unique

Each item of this array must be:

Type: object

Provides information about the set of products and services affected by this vulnerability.

Type: string

Name of the affected product.

Must be at least 1 characters long

Must be at most 2058 characters long

Type: array of string

A list of the affected components, features, modules, sub-components, sub-products, APIs, commands, utilities, programs, or functionalities (optional)

All items must be unique

Each item of this array must be:

Type: string

Name of the affected component, feature, module, sub-component, sub-product, API, command, utility, program, or functionality (optional).

Must be at least 1 characters long

Must be at most 4000 characters long

Type: array

A list of the affected source code files (optional)

All items must be unique

Each item of this array must be:

Type: string

Name or path or location of the affected source code file in RFC3986 compliant format (optional).

Same definition as collectionURL

Type: array of string

A list of the affected source code functions, methods, subroutines, or procedures (optional).

All items must be unique

Each item of this array must be:

Type: string

Name of the affected source code file, function, method, subroutine, or procedure (optional).

Must be at least 1 characters long

Must be at most 4000 characters long

Type: string

Name or identifier of the affected software package as used in the package collection (optional).

Must be at least 1 characters long

Must be at most 2058 characters long

Type: string

A URL that, among the users of the software package collection, is considered the most popular starting point for accessing the collection (optional).

Must be at least 1 characters long


Examples:

"https://access.redhat.com/downloads/content/package-browser"
 
"https://addons.mozilla.org"
 
"https://addons.thunderbird.net"
 
"https://anaconda.org/anaconda/repo"
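Review bot: the pattern printed for the date/time field `updated` (and every field marked "Same definition as updated") on the regenerated line has no group around its four date alternatives, so `^` binds only to the 02-29 branch and the `T...$` time suffix only to the 30-day-month branch. Alternation has the lowest precedence, which leaves the two middle branches unanchored: any string that merely contains a date such as 2021-03-01 matches, with no time part and with arbitrary text before and after it. If the schema source carries the same pattern, fix it there before regenerating the docs by wrapping the date branches in a single group, in the form `^(<the four date branches>)T(2[0-3]|[01][0-9]):...$`. The leap-year branch has the same precedence slip in `(19|2[0-9](0[48]|[2468][048]|[13579][26]))`, where `19` stands alone as a complete alternative.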
@@ -61,7 +61,7 @@
 
"https://search.nixos.org/packages"
 
"https://sourceforge.net"
 
"https://wordpress.org/plugins"
-

Type: array of object

Set of product versions related to the vulnerability. The versions satisfy the CNA Rules 8.1.2 requirement.

Must contain a minimum of 1 items

All items must be unique

Each item of this array must be:

Type: object

Affected/non-affected/fixed versions of a given technology, product, hardware, etc.

Type: string

A string that represents a version branch, group, or a major version (e.g. 10.0, 3.1.*) where all version values are typically sequential or versionAffected comparisons are meaningful (optional).

Must be at least 1 characters long

Must be at most 1024 characters long

Type: string

The version name/value (e.g. 10.0.1, 3.1.2, "IceHouse")

Must be at least 1 characters long

Must be at most 1024 characters long

Type: enum (of string)

A string value:
"=" (affects versionValue),
"<" (affects versions prior to versionValue),
">" (affects versions later than versionValue),
"<=" (affects versionValue and prior versions),
">=" (affects versionValue and later versions),
"!" (doesn't affect versionValue),
"!<" (doesn't affect versions prior to versionValue),
"!>" (doesn't affect versions later than versionValue),
"!<=" (doesn't affect versionValue and prior versions),
"!>=" (doesn't affect versionValue and later versions),
"?" (status of versionValue is unknown),
"?<" (status of versions prior to versionValue is unknown),
"?>" (status of versions later than versionValue is unknown),
"?<=" (status of versionValue and prior versions is unknown),
"?>=" (status of versionValue and later versions is unknown)

Must be one of:

  • "="
  • "<"
  • ">"
  • "<="
  • ">="
  • "!"
  • "!<"
  • "!>"
  • "!<="
  • "!>="
  • "?"
  • "?<"
  • "?>"
  • "?<="
  • "?>="

Type: array of string

List of specific platforms if the versionValue and versionAffected are only relevant in the context of these platforms (optional). Platforms may include execution environments, operating systems, virtualization technolgies, hardware models, or computing architectures. Lack of this field or an empty array implies that the other fields are applicable for all relevant platforms.

Must contain a minimum of 1 items

All items must be unique

Each item of this array must be:

Type: string

Must be at most 1024 characters long


Examples:

"iOS"
+

Type: array of object

Set of product versions related to the vulnerability. The versions satisfy the CNA Rules 8.1.2 requirement.

Must contain a minimum of 1 items

All items must be unique

Each item of this array must be:

Type: object

Affected/non-affected/fixed versions of a given technology, product, hardware, etc.

Type: string

A string that represents a version branch, group, or a major version (e.g. 10.0, 3.1.*) where all version values are typically sequential or versionAffected comparisons are meaningful (optional).

Must be at least 1 characters long

Must be at most 1024 characters long

Type: string

The version name/value (e.g. 10.0.1, 3.1.2, "IceHouse")

Must be at least 1 characters long

Must be at most 1024 characters long

Type: enum (of string)

A string value:
"=" (affects versionValue),
"<" (affects versions prior to versionValue),
">" (affects versions later than versionValue),
"<=" (affects versionValue and prior versions),
">=" (affects versionValue and later versions),
"!" (doesn't affect versionValue),
"!<" (doesn't affect versions prior to versionValue),
"!>" (doesn't affect versions later than versionValue),
"!<=" (doesn't affect versionValue and prior versions),
"!>=" (doesn't affect versionValue and later versions),
"?" (status of versionValue is unknown),
"?<" (status of versions prior to versionValue is unknown),
"?>" (status of versions later than versionValue is unknown),
"?<=" (status of versionValue and prior versions is unknown),
"?>=" (status of versionValue and later versions is unknown)

Must be one of:

  • "="
  • "<"
  • ">"
  • "<="
  • ">="
  • "!"
  • "!<"
  • "!>"
  • "!<="
  • "!>="
  • "?"
  • "?<"
  • "?>"
  • "?<="
  • "?>="

Type: array of string

List of specific platforms if the versionValue and versionAffected are only relevant in the context of these platforms (optional). Platforms may include execution environments, operating systems, virtualization technolgies, hardware models, or computing architectures. Lack of this field or an empty array implies that the other fields are applicable for all relevant platforms.

Must contain a minimum of 1 items

All items must be unique

Each item of this array must be:

Type: string

Must be at most 1024 characters long


Examples:

"iOS"
 
"Android"
 
"Windows"
 
"macOS"
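Review bot: in the platforms entry on the regenerated line, the description says "Lack of this field or an empty array implies that the other fields are applicable for all relevant platforms", but the constraint printed directly under it is "Must contain a minimum of 1 items", so an empty array can never validate. Either drop "or an empty array" from the description or relax the minimum in the schema, then regenerate, so that consumers do not write logic for a case producers are not allowed to submit. The same description still carries the typo "technolgies", which should read "technologies".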
@@ -72,9 +72,9 @@
 
"iPad"
 
"Chromebook"
 
"Docker"
-

Type: array

This is reference data in the form of URLs or file objects (uuencoded and embedded within the JSON file, exact format to be decided, e.g. we may require a compressed format so the objects require unpacking before they are "dangerous").

Same definition as references

Type: array of object

Affected products defined by CPE. This is an array of CPE values (vulnerable and not), we use an array so that we can make multiple statements about the same version and they are separate (if we used a JSON object we'd essentially be keying on the CPE name and they would have to overlap). Also this allows things like cveDataVersion or cveDescription to be applied directly to the product entry. This also allows more complex statements such as "Product X between versions 10.2 and 10.8" to be put in a machine-readable format. As well since multiple statements can be used multiple branches of the same product can be defined here.

Must contain a minimum of 1 items

All items must be unique

Each item of this array must be:

Type: array of object

This is problem type information (e.g. CWE identifier). Must contain: At least one entry, can be text, OWASP, CWE, please note that while only one is required you can use more than one (or indeed all three) as long as they are correct). (CNA requirement: [PROBLEMTYPE])

Must contain a minimum of 1 items

All items must be unique

Each item of this array must be:

Type: object

text, OWASP, or CWE

Type: array of object

Must contain a minimum of 1 items

All items must be unique

Each item of this array must be:

Type: object

problem type description

Type: string Default: "en"

BCP 47 language code, language-region

Same definition as lang

Type: string

string description of problemType, or title from CWE, OWASP

Must be at least 1 characters long

Must be at most 4000 characters long

Type: string

CWE ID of the CWE that best describes this problemType entry

Must match regular expression: ^CWE-[1-9][0-9]+$

Must be at least 5 characters long

Must be at most 9 characters long

Type: string

problemtype source, text, OWASP, CWE, etc

Must be at least 1 characters long

Must be at most 128 characters long

Type: array

This is reference data in the form of URLs or file objects (uuencoded and embedded within the JSON file, exact format to be decided, e.g. we may require a compressed format so the objects require unpacking before they are "dangerous").

Same definition as references

Type: array

This is reference data in the form of URLs or file objects (uuencoded and embedded within the JSON file, exact format to be decided, e.g. we may require a compressed format so the objects require unpacking before they are "dangerous").

Must contain a minimum of 1 items

Must contain a maximum of 500 items

All items must be unique

Each item of this array must be:

Type: object

Type: string

The uniform resource locator (URL), according to RFC 3986, that can be used to retrieve the referenced resource.

Same definition as collectionURL

Type: string

User created name for the reference, often the title of the page.

Must be at least 1 characters long

Must be at most 500 characters long

Type: array

an array of one or more tags that describe the resource referenced by 'url'.

Must contain a minimum of 1 items

All items must be unique

Each item of this array must be:


Type: enum (of string)

Must be one of:

  • "broken-link"
  • "customer-entitlement"
  • "exploit"
  • "government-resource"
  • "issue-tracking"
  • "mailing-list"
  • "mitigation"
  • "not-applicable"
  • "patch"
  • "permissions-required"
  • "media-coverage"
  • "product"
  • "release-notes"
  • "signature"
  • "technical-description"
  • "third-party-advisory"
  • "vendor-advisory"
  • "vdb-entry"

Type: array of object

collection of impact scores with attribution

Must contain a minimum of 1 items

All items must be unique

Each item of this array must be:

Type: object

This is impact type information (e.g. a text description

Type: string

CAPEC ID that best relates to this impact

Must match regular expression: ^CAPEC-[1-9][0-9]{0,4}$

Must be at least 7 characters long

Must be at most 11 characters long

Type: array of object

Prose description of the impact scenario. At a minimum provide the description given by CAPEC

Same definition as descriptions

Type: array of object

collection of impact scores with attribution

Must contain a minimum of 1 items

All items must be unique

Each item of this array must be:


This is impact type information (e.g. a text description, CVSSv2, CVSSv3, etc.). Must contain: At least one entry, can be text, CVSSv2, CVSSv3, others may be added

Type: object

The following properties are required:

  • cvssV3_1
Type: object

The following properties are required:

  • cvssV3_0
Type: object

The following properties are required:

  • cvssV2_0
Type: object

The following properties are required:

  • other

Type: string

Name of the score format. This provides a bit future proofing. Additional properties are not prohibitied, so this will support inclusion of proprietary formats. It also provides an easy future conversion mechanism when future score formats become part of the schema. example: cvssV44, format = 'cvssV44', other = cvssV4_4 json object. In the future the other properties can be converted to score properties when they become part of the schema.

Must be at least 1 characters long

Must be at most 64 characters long

Type: array

Description of the scenarios this metrics object applies to. If no specific scenario is given, GENERAL is used as the default and applies when no more specific metric matches.

Must contain a minimum of 1 items

All items must be unique

Each item of this array must be:

Type: object

Type: string Default: "en"

BCP 47 language code, language-region

Same definition as lang

Type: string Default: "GENERAL"

Description of the scenario this metrics object applies to. If no specific scenario is given, GENERAL is used as the default and applies when no more specific metric matches.

Must be at least 1 characters long

Must be at most 4000 characters long

Type: object

Type: enum (of string)

CVSS Version

Must be one of:

  • "3.1"

Type: string
Must match regular expression: ^CVSS:3.1/((AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$

Type: enum (of string)

Must be one of:

  • "NETWORK"
  • "ADJACENT_NETWORK"
  • "LOCAL"
  • "PHYSICAL"

Type: enum (of string)

Must be one of:

  • "HIGH"
  • "LOW"

Type: enum (of string)

Must be one of:

  • "HIGH"
  • "LOW"
  • "NONE"

Type: enum (of string)

Must be one of:

  • "NONE"
  • "REQUIRED"

Type: enum (of string)

Must be one of:

  • "UNCHANGED"
  • "CHANGED"

Type: enum (of string)

Must be one of:

  • "NONE"
  • "LOW"
  • "HIGH"

Type: number

Value must be greater or equal to 0 and lesser or equal to 10

Type: enum (of string)

Must be one of:

  • "NONE"
  • "LOW"
  • "MEDIUM"
  • "HIGH"
  • "CRITICAL"

Type: enum (of string)

Must be one of:

  • "UNPROVEN"
  • "PROOF_OF_CONCEPT"
  • "FUNCTIONAL"
  • "HIGH"
  • "NOT_DEFINED"

Type: enum (of string)

Must be one of:

  • "OFFICIAL_FIX"
  • "TEMPORARY_FIX"
  • "WORKAROUND"
  • "UNAVAILABLE"
  • "NOT_DEFINED"

Type: enum (of string)

Must be one of:

  • "UNKNOWN"
  • "REASONABLE"
  • "CONFIRMED"
  • "NOT_DEFINED"

Type: enum (of string)

Must be one of:

  • "LOW"
  • "MEDIUM"
  • "HIGH"
  • "NOT_DEFINED"

Type: enum (of string)

Must be one of:

  • "NETWORK"
  • "ADJACENT_NETWORK"
  • "LOCAL"
  • "PHYSICAL"
  • "NOT_DEFINED"

Type: enum (of string)

Must be one of:

  • "HIGH"
  • "LOW"
  • "NOT_DEFINED"

Type: enum (of string)

Must be one of:

  • "HIGH"
  • "LOW"
  • "NONE"
  • "NOT_DEFINED"

Type: enum (of string)

Must be one of:

  • "NONE"
  • "REQUIRED"
  • "NOT_DEFINED"

Type: enum (of string)

Must be one of:

  • "UNCHANGED"
  • "CHANGED"
  • "NOT_DEFINED"

Type: enum (of string)

Must be one of:

  • "NONE"
  • "LOW"
  • "HIGH"
  • "NOT_DEFINED"

Type: object

Type: enum (of string)

CVSS Version

Must be one of:

  • "3.0"

Type: string
Must match regular expression: ^CVSS:3.0/((AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$

Type: enum (of string)

Must be one of:

  • "NETWORK"
  • "ADJACENT_NETWORK"
  • "LOCAL"
  • "PHYSICAL"

Type: enum (of string)

Must be one of:

  • "HIGH"
  • "LOW"

Type: enum (of string)

Must be one of:

  • "HIGH"
  • "LOW"
  • "NONE"

Type: enum (of string)

Must be one of:

  • "NONE"
  • "REQUIRED"

Type: enum (of string)

Must be one of:

  • "UNCHANGED"
  • "CHANGED"

Type: enum (of string)

Must be one of:

  • "NONE"
  • "LOW"
  • "HIGH"

Type: number

Value must be greater or equal to 0 and lesser or equal to 10

Type: enum (of string)

Must be one of:

  • "NONE"
  • "LOW"
  • "MEDIUM"
  • "HIGH"
  • "CRITICAL"

Type: enum (of string)

Must be one of:

  • "UNPROVEN"
  • "PROOF_OF_CONCEPT"
  • "FUNCTIONAL"
  • "HIGH"
  • "NOT_DEFINED"

Type: enum (of string)

Must be one of:

  • "OFFICIAL_FIX"
  • "TEMPORARY_FIX"
  • "WORKAROUND"
  • "UNAVAILABLE"
  • "NOT_DEFINED"

Type: enum (of string)

Must be one of:

  • "UNKNOWN"
  • "REASONABLE"
  • "CONFIRMED"
  • "NOT_DEFINED"

Type: enum (of string)

Must be one of:

  • "LOW"
  • "MEDIUM"
  • "HIGH"
  • "NOT_DEFINED"

Type: enum (of string)

Must be one of:

  • "NETWORK"
  • "ADJACENT_NETWORK"
  • "LOCAL"
  • "PHYSICAL"
  • "NOT_DEFINED"

Type: enum (of string)

Must be one of:

  • "HIGH"
  • "LOW"
  • "NOT_DEFINED"

Type: enum (of string)

Must be one of:

  • "HIGH"
  • "LOW"
  • "NONE"
  • "NOT_DEFINED"

Type: enum (of string)

Must be one of:

  • "NONE"
  • "REQUIRED"
  • "NOT_DEFINED"

Type: enum (of string)

Must be one of:

  • "UNCHANGED"
  • "CHANGED"
  • "NOT_DEFINED"

Type: enum (of string)

Must be one of:

  • "NONE"
  • "LOW"
  • "HIGH"
  • "NOT_DEFINED"

Type: object

Type: enum (of string)

CVSS Version

Must be one of:

  • "2.0"

Type: string
Must match regular expression: ^((AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))/)*(AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))$

Type: enum (of string)

Must be one of:

  • "NETWORK"
  • "ADJACENT_NETWORK"
  • "LOCAL"

Type: enum (of string)

Must be one of:

  • "HIGH"
  • "MEDIUM"
  • "LOW"

Type: enum (of string)

Must be one of:

  • "MULTIPLE"
  • "SINGLE"
  • "NONE"

Type: enum (of string)

Must be one of:

  • "NONE"
  • "PARTIAL"
  • "COMPLETE"

Type: number

Value must be greater or equal to 0 and lesser or equal to 10

Type: enum (of string)

Must be one of:

  • "UNPROVEN"
  • "PROOF_OF_CONCEPT"
  • "FUNCTIONAL"
  • "HIGH"
  • "NOT_DEFINED"

Type: enum (of string)

Must be one of:

  • "OFFICIAL_FIX"
  • "TEMPORARY_FIX"
  • "WORKAROUND"
  • "UNAVAILABLE"
  • "NOT_DEFINED"

Type: enum (of string)

Must be one of:

  • "UNCONFIRMED"
  • "UNCORROBORATED"
  • "CONFIRMED"
  • "NOT_DEFINED"

Type: enum (of string)

Must be one of:

  • "NONE"
  • "LOW"
  • "LOW_MEDIUM"
  • "MEDIUM_HIGH"
  • "HIGH"
  • "NOT_DEFINED"

Type: enum (of string)

Must be one of:

  • "NONE"
  • "LOW"
  • "MEDIUM"
  • "HIGH"
  • "NOT_DEFINED"

Type: enum (of string)

Must be one of:

  • "LOW"
  • "MEDIUM"
  • "HIGH"
  • "NOT_DEFINED"

Type: object

a non-standard impact description, may be prose or JSON block

Type: string

Must be at least 1 characters long

Must be at most 128 characters long

Type: object

JSON object not covered by another metrics format

Type: array

This is configuration information. It is generally meant to contain additional containers (e.g. cveDescription, cveImpact). Must contain: At least one configuration

Must contain a minimum of 1 items

All items must be unique

Each item of this array must be:

Type: object

Type: string Default: "en"

The language used when describing the configuration. The language field is included so that CVE records can support translations. The value must be a BCP 47 language code.

Same definition as lang

Type: string

Configurations required for exploiting this vulnerability.

Must be at least 1 characters long

Must be at most 4000 characters long

Type: array

Workarounds and mitigations for this vulnerability.

Must contain a minimum of 1 items

All items must be unique

Each item of this array must be:

Type: object

Type: string Default: "en"

The language used when describing the workaround. The language field is included so that CVE records can support translations. The value must be a BCP 47 language code.

Same definition as lang

Type: string

A description of how to work around or mitigate the vulnerability.

Must be at least 1 characters long

Must be at most 4000 characters long

Type: array

Information about exploits of the vulnerability

Must contain a minimum of 1 items

All items must be unique

Each item of this array must be:

Type: object

Type: string Default: "en"

The language used when describing the exploit. The language field is included so that CVE records can support translations. The value must be a BCP 47 language code.

Same definition as lang

Type: string

A description of how to exploit the vulnerability.

Must be at least 1 characters long

Must be at most 4000 characters long

Type: array of object

This is timeline information for significant events about this vulnerability or changes to CVE entry

Must contain a minimum of 1 items

All items must be unique

Each item of this array must be:

Type: object

Type: string

Timestamp representing when the event in the timeline occurred. The timestamp format is based on RFC3339 and ISO ISO8601, with an optional timezone. yyyy-MM-ddTHH:mm:ssZZZZ - if the timezone offset is not given, GMT (0000) is assumed.

Same definition as updated

Type: string Default: "en"

The language used in the description of the event. The language field is included so that CVE records can support translations. The value must be a BCP 47 language code.

Same definition as lang

Type: string

A summary of the event.

Must be at least 1 characters long

Must be at most 4000 characters long

Type: array of object

Statements acknowledging specific people, organizations, or tools recognizing the work done in researching, discovering, remediating or helping with activities related to this CVE.

Must contain a minimum of 1 items

All items must be unique

Each item of this array must be:

Type: object

Type: string Default: "en"

The language used when describing the credits. The language field is included so that CVE records can support translations. The value must be a BCP 47 language code.

Same definition as lang

Type: string

Must be at least 1 characters long

Must be at most 4000 characters long

Type: string

UUID of the user being credited if present in the CVE User Registry (optional). This UUID can be used to lookup the user record in the user registry service.

Same definition as assigner

Type: enum (of string) Default: "finder"

Type or role of the entity being credited (optional). finder: identifies the vulnerability.
reporter: notifies the vendor of the vulnerability to a CNA.
analyst: validates the vulnerability to ensure accuracy or severity.
coordinator: facilitates the coordinated response process.
remediation developer: prepares a code change or other remediation plans.
remediation reviewer: reviews vulnerability remediation plans or code changes for effectiveness and completeness.
remediation verifier: tests and verifies the vulnerability or its remediation.
tool: names of tools used in vulnerability discovery or identification.
sponsor: supports the vulnerability identification or remediation activities.

Must be one of:

  • "finder"
  • "reporter"
  • "analyst"
  • "coordinator"
  • "remediation developer"
  • "remediation reviewer"
  • "remediation verifier"
  • "tool"
  • "sponsor"
  • "other"

Type: object

This is the source information (who discovered it, who researched it, etc.) and optionally a chain of CNA information (e.g. the originating CNA and subsequent parent CNAs who have processed it before it arrives at the MITRE root).
Must contain: IF this is in the root level it MUST contain a CNA_chain entry, IF this source entry is NOT in the root (e.g. it is part of a vendor statement) then it must contain at least one type of data entry.

Type: array

Tags describing the CVE entry

Must contain a minimum of 1 items

All items must be unique

Each item of this array must be:


Type: string
Must match regular expression: ^x_.*$

Must be at least 2 characters long

Must be at most 128 characters long

Type: enum (of string)

exclusively-hosted-service: All known software and/or hardware affected by this CVE Record is known to exist only in the affected hosted service. If the vulnerability affects both hosted and on-prem software and/or hardware, then the tag should not be used.

unsupported-when-assigned: Used by the assigning CNA to indicate that when a request for a CVE assignment was received, the product was already end-of-life (EOL) or a product or specific version was deemed not to be supported by the vendor. This tag should only be applied to a CVE Record when all affected products or version lines referenced in the CVE-Record are EOL.

disputed: When one party disagrees with another party's assertion that a particular issue in software is a vulnerability, a CVE Record assigned to that issue may be tagged as being 'disputed'.

Must be one of:

  • "unsupported-when-assigned"
  • "exclusively-hosted-service"
  • "disputed"

Each additional property must conform to the following schema

Type: object

All property whose name matches the following regular expression must respect the following conditions

Property name regular expression: ^x_
Type: object

Type: array

Must contain a minimum of 1 items

All items must be unique

Each item of this array must be:

Type: object

An object containing the vulnerability information provided by an Authorized Data Publisher (ADP). Since multiple ADPs can provide information for a CVE ID, an ADP container must indicate which ADP is the source of the information in the object.

Type: object

will be updated to coordinate with CVE user registry, current identifier is an email address.

Same definition as providerMetadata

Type: array of object

multi-lingual description of the vulnerability

Same definition as descriptions

Type: object

CVE affects, there must be at least one defined vulnerable product either in the form of a text description (via data defined in vendors, product, version) OR a affectsCpe.

Same definition as affected

Type: array of object

This is problem type information (e.g. CWE identifier). Must contain: At least one entry, can be text, OWASP, CWE, please note that while only one is required you can use more than one (or indeed all three) as long as they are correct). (CNA requirement: [PROBLEMTYPE])

Same definition as problemTypes

Type: array

This is reference data in the form of URLs or file objects (uuencoded and embedded within the JSON file, exact format to be decided, e.g. we may require a compressed format so the objects require unpacking before they are "dangerous").

Same definition as references

Type: array of object

collection of impact scores with attribution

Same definition as impacts

Type: array of object

collection of impact scores with attribution

Same definition as metrics

Type: array

This is configuration information. It is generally meant to contain additional containers (e.g. cveDescription, cveImpact). Must contain: At least one configuration

Same definition as configurations

Type: array

Workarounds and mitigations for this vulnerability.

Same definition as workarounds

Type: array

Information about exploits of the vulnerability

Same definition as exploits

Type: array of object

This is timeline information for significant events about this vulnerability or changes to CVE entry

Same definition as timeline

Type: array of object

Statements acknowledging specific people, organizations, or tools recognizing the work done in researching, discovering, remediating or helping with activities related to this CVE.

Same definition as credits

Type: object

This is the source information (who discovered it, who researched it, etc.) and optionally a chain of CNA information (e.g. the originating CNA and subsequent parent CNAs who have processed it before it arrives at the MITRE root).
Must contain: IF this is in the root level it MUST contain a CNA_chain entry, IF this source entry is NOT in the root (e.g. it is part of a vendor statement) then it must contain at least one type of data entry.

Same definition as source

Type: array

Tags describing the CVE entry

Must contain a minimum of 1 items

All items must be unique

Each item of this array must be:


Type: enum (of string)

disputed: When one party disagrees with another party's assertion that a particular issue in software is a vulnerability, a CVE Record assigned to that issue may be tagged as being 'disputed'.

Must be one of:

  • "disputed"

Each additional property must conform to the following schema

Type: object

All property whose name matches the following regular expression must respect the following conditions

Property name regular expression: ^x_
Type: object
Type: object

The initial state for a CVE Record; when the associated CVE ID is Reserved by a CNA.

No Additional Properties

Type: enum (of string)

Indicates the type of information represented in the JSON instance.

Same definition as dataType

Type: enum (of string)

The version of the schema being used. Used to support multiple versions of this format.

Same definition as dataVersion

Type: object

This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, when it was assigned, the current state (PUBLIC, REJECT, etc.) and so on.

No Additional Properties

Type: string

The CVE identifier that this record pertains to

Same definition as id

Type: string

the UUID for the organization to which the CVE ID was originally assigned

Same definition as assigner

Type: string

the short name for the organization to which the CVE ID was originally assigned

Same definition as assignerShortName

Type: enum (of string)

State of CVE - PUBLIC, RESERVED, REJECT

Must be one of:

  • "RESERVED"

Type: string

Anticipated date for public release (YYYY-MM-DD).

Must match regular expression: ^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))$

Type: array of object

multi-lingual description of the vulnerability

Same definition as descriptions

Type: array of object

multi-lingual description of the vulnerability

Must contain a minimum of 1 items

All items must be unique

Each item of this array must be:

Type: object
No Additional Properties

Type: string Default: "en"

BCP 47 language code, language-region

Must match regular expression: ^[A-Za-z]{2,4}([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$

Type: string

Plain text description of the vulnerability. Eg., [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] allows [ATTACKER] to [IMPACT] via [VECTOR]. OR [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] [ROOT CAUSE], which allows [ATTACKER] to [IMPACT] via [VECTOR].

Must be at least 1 characters long

Must be at most 4000 characters long

Type: array of object

Supporting media data for the description such as markdown, diagrams, .. (optional). Similar to RFC 2397 each media object has three main parts: media type, media data value, and an optional boolean flag to indicate if the media data is base64 encoded.

The following properties are required:

  • type
  • value

Must contain a minimum of 1 items

All items must be unique

Each item of this array must be:

Type: object

Type: string

RFC2046 compliant IANA Media type for eg., text/markdown, text/html.

Must be at least 1 characters long

Must be at most 255 characters long


Examples:

"text/markdown"
+

Type: array

This is reference data in the form of URLs or file objects (uuencoded and embedded within the JSON file, exact format to be decided, e.g. we may require a compressed format so the objects require unpacking before they are "dangerous").

Same definition as references

Type: array of object

Affected products defined by CPE. This is an array of CPE values (vulnerable and not), we use an array so that we can make multiple statements about the same version and they are separate (if we used a JSON object we'd essentially be keying on the CPE name and they would have to overlap). Also this allows things like cveDataVersion or cveDescription to be applied directly to the product entry. This also allows more complex statements such as "Product X between versions 10.2 and 10.8" to be put in a machine-readable format. As well since multiple statements can be used multiple branches of the same product can be defined here.

Must contain a minimum of 1 items

All items must be unique

Each item of this array must be:

Type: array of object

This is problem type information (e.g. CWE identifier). Must contain: At least one entry, can be text, OWASP, CWE, please note that while only one is required you can use more than one (or indeed all three) as long as they are correct). (CNA requirement: [PROBLEMTYPE])

Must contain a minimum of 1 items

All items must be unique

Each item of this array must be:

Type: object

text, OWASP, or CWE

Type: array of object

Must contain a minimum of 1 items

All items must be unique

Each item of this array must be:

Type: object

problem type description

Type: string Default: "en"

BCP 47 language code, language-region

Same definition as lang

Type: string

string description of problemType, or title from CWE, OWASP

Must be at least 1 characters long

Must be at most 4000 characters long

Type: string

CWE ID of the CWE that best describes this problemType entry

Must match regular expression: ^CWE-[1-9][0-9]+$

Must be at least 5 characters long

Must be at most 9 characters long

Type: string

problemtype source, text, OWASP, CWE, etc

Must be at least 1 characters long

Must be at most 128 characters long

Type: array

This is reference data in the form of URLs or file objects (uuencoded and embedded within the JSON file, exact format to be decided, e.g. we may require a compressed format so the objects require unpacking before they are "dangerous").

Same definition as references

Type: array

This is reference data in the form of URLs or file objects (uuencoded and embedded within the JSON file, exact format to be decided, e.g. we may require a compressed format so the objects require unpacking before they are "dangerous").

Must contain a minimum of 1 items

Must contain a maximum of 500 items

All items must be unique

Each item of this array must be:

Type: object

Type: string

The uniform resource locator (URL), according to RFC 3986, that can be used to retrieve the referenced resource.

Same definition as collectionURL

Type: string

User created name for the reference, often the title of the page.

Must be at least 1 characters long

Must be at most 500 characters long

Type: array

an array of one or more tags that describe the resource referenced by 'url'.

Must contain a minimum of 1 items

All items must be unique

Each item of this array must be:


Type: enum (of string)

Must be one of:

  • "broken-link"
  • "customer-entitlement"
  • "exploit"
  • "government-resource"
  • "issue-tracking"
  • "mailing-list"
  • "mitigation"
  • "not-applicable"
  • "patch"
  • "permissions-required"
  • "media-coverage"
  • "product"
  • "release-notes"
  • "signature"
  • "technical-description"
  • "third-party-advisory"
  • "vendor-advisory"
  • "vdb-entry"

Type: array of object

collection of impact scores with attribution

Must contain a minimum of 1 items

All items must be unique

Each item of this array must be:

Type: object

This is impact type information (e.g. a text description

Type: string

CAPEC ID that best relates to this impact

Must match regular expression: ^CAPEC-[1-9][0-9]{0,4}$

Must be at least 7 characters long

Must be at most 11 characters long

Type: array

Prose description of the impact scenario. At a minimum provide the description given by CAPEC

Same definition as descriptions

Type: array of object

collection of impact scores with attribution

Must contain a minimum of 1 items

All items must be unique

Each item of this array must be:


This is impact type information (e.g. a text description, CVSSv2, CVSSv3, etc.). Must contain: At least one entry, can be text, CVSSv2, CVSSv3, others may be added

Type: object

The following properties are required:

  • cvssV3_1
Type: object

The following properties are required:

  • cvssV3_0
Type: object

The following properties are required:

  • cvssV2_0
Type: object

The following properties are required:

  • other

Type: string

Name of the score format. This provides a bit future proofing. Additional properties are not prohibitied, so this will support inclusion of proprietary formats. It also provides an easy future conversion mechanism when future score formats become part of the schema. example: cvssV44, format = 'cvssV44', other = cvssV4_4 json object. In the future the other properties can be converted to score properties when they become part of the schema.

Must be at least 1 characters long

Must be at most 64 characters long

Type: array

Description of the scenarios this metrics object applies to. If no specific scenario is given, GENERAL is used as the default and applies when no more specific metric matches.

Must contain a minimum of 1 items

All items must be unique

Each item of this array must be:

Type: object

Type: string Default: "en"

BCP 47 language code, language-region

Same definition as lang

Type: string Default: "GENERAL"

Description of the scenario this metrics object applies to. If no specific scenario is given, GENERAL is used as the default and applies when no more specific metric matches.

Must be at least 1 characters long

Must be at most 4000 characters long

Type: object

Type: enum (of string)

CVSS Version

Must be one of:

  • "3.1"

Type: string
Must match regular expression: ^CVSS:3.1/((AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$

Type: enum (of string)

Must be one of:

  • "NETWORK"
  • "ADJACENT_NETWORK"
  • "LOCAL"
  • "PHYSICAL"

Type: enum (of string)

Must be one of:

  • "HIGH"
  • "LOW"

Type: enum (of string)

Must be one of:

  • "HIGH"
  • "LOW"
  • "NONE"

Type: enum (of string)

Must be one of:

  • "NONE"
  • "REQUIRED"

Type: enum (of string)

Must be one of:

  • "UNCHANGED"
  • "CHANGED"

Type: enum (of string)

Must be one of:

  • "NONE"
  • "LOW"
  • "HIGH"

Type: number

Value must be greater or equal to 0 and lesser or equal to 10

Type: enum (of string)

Must be one of:

  • "NONE"
  • "LOW"
  • "MEDIUM"
  • "HIGH"
  • "CRITICAL"

Type: enum (of string)

Must be one of:

  • "UNPROVEN"
  • "PROOF_OF_CONCEPT"
  • "FUNCTIONAL"
  • "HIGH"
  • "NOT_DEFINED"

Type: enum (of string)

Must be one of:

  • "OFFICIAL_FIX"
  • "TEMPORARY_FIX"
  • "WORKAROUND"
  • "UNAVAILABLE"
  • "NOT_DEFINED"

Type: enum (of string)

Must be one of:

  • "UNKNOWN"
  • "REASONABLE"
  • "CONFIRMED"
  • "NOT_DEFINED"

Type: enum (of string)

Must be one of:

  • "LOW"
  • "MEDIUM"
  • "HIGH"
  • "NOT_DEFINED"

Type: enum (of string)

Must be one of:

  • "NETWORK"
  • "ADJACENT_NETWORK"
  • "LOCAL"
  • "PHYSICAL"
  • "NOT_DEFINED"

Type: enum (of string)

Must be one of:

  • "HIGH"
  • "LOW"
  • "NOT_DEFINED"

Type: enum (of string)

Must be one of:

  • "HIGH"
  • "LOW"
  • "NONE"
  • "NOT_DEFINED"

Type: enum (of string)

Must be one of:

  • "NONE"
  • "REQUIRED"
  • "NOT_DEFINED"

Type: enum (of string)

Must be one of:

  • "UNCHANGED"
  • "CHANGED"
  • "NOT_DEFINED"

Type: enum (of string)

Must be one of:

  • "NONE"
  • "LOW"
  • "HIGH"
  • "NOT_DEFINED"

Type: object

Type: enum (of string)

CVSS Version

Must be one of:

  • "3.0"

Type: string
Must match regular expression: ^CVSS:3.0/((AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$

Type: enum (of string)

Must be one of:

  • "NETWORK"
  • "ADJACENT_NETWORK"
  • "LOCAL"
  • "PHYSICAL"

Type: enum (of string)

Must be one of:

  • "HIGH"
  • "LOW"

Type: enum (of string)

Must be one of:

  • "HIGH"
  • "LOW"
  • "NONE"

Type: enum (of string)

Must be one of:

  • "NONE"
  • "REQUIRED"

Type: enum (of string)

Must be one of:

  • "UNCHANGED"
  • "CHANGED"

Type: enum (of string)

Must be one of:

  • "NONE"
  • "LOW"
  • "HIGH"

Type: number

Value must be greater or equal to 0 and lesser or equal to 10

Type: enum (of string)

Must be one of:

  • "NONE"
  • "LOW"
  • "MEDIUM"
  • "HIGH"
  • "CRITICAL"

Type: enum (of string)

Must be one of:

  • "UNPROVEN"
  • "PROOF_OF_CONCEPT"
  • "FUNCTIONAL"
  • "HIGH"
  • "NOT_DEFINED"

Type: enum (of string)

Must be one of:

  • "OFFICIAL_FIX"
  • "TEMPORARY_FIX"
  • "WORKAROUND"
  • "UNAVAILABLE"
  • "NOT_DEFINED"

Type: enum (of string)

Must be one of:

  • "UNKNOWN"
  • "REASONABLE"
  • "CONFIRMED"
  • "NOT_DEFINED"

Type: enum (of string)

Must be one of:

  • "LOW"
  • "MEDIUM"
  • "HIGH"
  • "NOT_DEFINED"

Type: enum (of string)

Must be one of:

  • "NETWORK"
  • "ADJACENT_NETWORK"
  • "LOCAL"
  • "PHYSICAL"
  • "NOT_DEFINED"

Type: enum (of string)

Must be one of:

  • "HIGH"
  • "LOW"
  • "NOT_DEFINED"

Type: enum (of string)

Must be one of:

  • "HIGH"
  • "LOW"
  • "NONE"
  • "NOT_DEFINED"

Type: enum (of string)

Must be one of:

  • "NONE"
  • "REQUIRED"
  • "NOT_DEFINED"

Type: enum (of string)

Must be one of:

  • "UNCHANGED"
  • "CHANGED"
  • "NOT_DEFINED"

Type: enum (of string)

Must be one of:

  • "NONE"
  • "LOW"
  • "HIGH"
  • "NOT_DEFINED"

Type: object

Type: enum (of string)

CVSS Version

Must be one of:

  • "2.0"

Type: string
Must match regular expression: ^((AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))/)*(AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))$

Type: enum (of string)

Must be one of:

  • "NETWORK"
  • "ADJACENT_NETWORK"
  • "LOCAL"

Type: enum (of string)

Must be one of:

  • "HIGH"
  • "MEDIUM"
  • "LOW"

Type: enum (of string)

Must be one of:

  • "MULTIPLE"
  • "SINGLE"
  • "NONE"

Type: enum (of string)

Must be one of:

  • "NONE"
  • "PARTIAL"
  • "COMPLETE"

Type: number

Value must be greater or equal to 0 and lesser or equal to 10

Type: enum (of string)

Must be one of:

  • "UNPROVEN"
  • "PROOF_OF_CONCEPT"
  • "FUNCTIONAL"
  • "HIGH"
  • "NOT_DEFINED"

Type: enum (of string)

Must be one of:

  • "OFFICIAL_FIX"
  • "TEMPORARY_FIX"
  • "WORKAROUND"
  • "UNAVAILABLE"
  • "NOT_DEFINED"

Type: enum (of string)

Must be one of:

  • "UNCONFIRMED"
  • "UNCORROBORATED"
  • "CONFIRMED"
  • "NOT_DEFINED"

Type: enum (of string)

Must be one of:

  • "NONE"
  • "LOW"
  • "LOW_MEDIUM"
  • "MEDIUM_HIGH"
  • "HIGH"
  • "NOT_DEFINED"

Type: enum (of string)

Must be one of:

  • "NONE"
  • "LOW"
  • "MEDIUM"
  • "HIGH"
  • "NOT_DEFINED"

Type: enum (of string)

Must be one of:

  • "LOW"
  • "MEDIUM"
  • "HIGH"
  • "NOT_DEFINED"

Type: object

a non-standard impact description, may be prose or JSON block

Type: string

Must be at least 1 characters long

Must be at most 128 characters long

Type: object

JSON object not covered by another metrics format

Type: array

Configurations required for exploiting this vulnerability.

Must contain a minimum of 1 items

All items must be unique

Each item of this array must be:

Type: object

Text in a particular language with optional alternate markup or formatted representation (e.g., Markdown) or embedded media.

Same definition as description

Type: array

Workarounds and mitigations for this vulnerability.

Must contain a minimum of 1 items

All items must be unique

Each item of this array must be:

Type: object

Text in a particular language with optional alternate markup or formatted representation (e.g., Markdown) or embedded media.

Same definition as description

Type: array

Information about solutions or remediations available for this vulnerability.

Must contain a minimum of 1 items

All items must be unique

Each item of this array must be:

Type: object

Text in a particular language with optional alternate markup or formatted representation (e.g., Markdown) or embedded media.

Same definition as description

Type: array

Information about exploits of the vulnerability.

Must contain a minimum of 1 items

All items must be unique

Each item of this array must be:

Type: object

Text in a particular language with optional alternate markup or formatted representation (e.g., Markdown) or embedded media.

Same definition as description

Type: array of object

This is timeline information for significant events about this vulnerability or changes to CVE entry

Must contain a minimum of 1 items

All items must be unique

Each item of this array must be:

Type: object

Type: string

Timestamp representing when the event in the timeline occurred. The timestamp format is based on RFC3339 and ISO ISO8601, with an optional timezone. yyyy-MM-ddTHH:mm:ssZZZZ - if the timezone offset is not given, GMT (0000) is assumed.

Same definition as updated

Type: string Default: "en"

The language used in the description of the event. The language field is included so that CVE records can support translations. The value must be a BCP 47 language code.

Same definition as lang

Type: string

A summary of the event.

Must be at least 1 characters long

Must be at most 4000 characters long

Type: array of object

Statements acknowledging specific people, organizations, or tools recognizing the work done in researching, discovering, remediating or helping with activities related to this CVE.

Must contain a minimum of 1 items

All items must be unique

Each item of this array must be:

Type: object

Type: string Default: "en"

The language used when describing the credits. The language field is included so that CVE records can support translations. The value must be a BCP 47 language code.

Same definition as lang

Type: string

Must be at least 1 characters long

Must be at most 4000 characters long

Type: string

UUID of the user being credited if present in the CVE User Registry (optional). This UUID can be used to lookup the user record in the user registry service.

Same definition as assigner

Type: enum (of string) Default: "finder"

Type or role of the entity being credited (optional). finder: identifies the vulnerability.
reporter: notifies the vendor of the vulnerability to a CNA.
analyst: validates the vulnerability to ensure accuracy or severity.
coordinator: facilitates the coordinated response process.
remediation developer: prepares a code change or other remediation plans.
remediation reviewer: reviews vulnerability remediation plans or code changes for effectiveness and completeness.
remediation verifier: tests and verifies the vulnerability or its remediation.
tool: names of tools used in vulnerability discovery or identification.
sponsor: supports the vulnerability identification or remediation activities.

Must be one of:

  • "finder"
  • "reporter"
  • "analyst"
  • "coordinator"
  • "remediation developer"
  • "remediation reviewer"
  • "remediation verifier"
  • "tool"
  • "sponsor"
  • "other"

Type: object

This is the source information (who discovered it, who researched it, etc.) and optionally a chain of CNA information (e.g. the originating CNA and subsequent parent CNAs who have processed it before it arrives at the MITRE root).
Must contain: IF this is in the root level it MUST contain a CNA_chain entry, IF this source entry is NOT in the root (e.g. it is part of a vendor statement) then it must contain at least one type of data entry.

Type: array

Tags describing the CVE entry

Must contain a minimum of 1 items

All items must be unique

Each item of this array must be:


Type: string
Must match regular expression: ^x_.*$

Must be at least 2 characters long

Must be at most 128 characters long

Type: enum (of string)

exclusively-hosted-service: All known software and/or hardware affected by this CVE Record is known to exist only in the affected hosted service. If the vulnerability affects both hosted and on-prem software and/or hardware, then the tag should not be used.

unsupported-when-assigned: Used by the assigning CNA to indicate that when a request for a CVE assignment was received, the product was already end-of-life (EOL) or a product or specific version was deemed not to be supported by the vendor. This tag should only be applied to a CVE Record when all affected products or version lines referenced in the CVE-Record are EOL.

disputed: When one party disagrees with another party's assertion that a particular issue in software is a vulnerability, a CVE Record assigned to that issue may be tagged as being 'disputed'.

Must be one of:

  • "unsupported-when-assigned"
  • "exclusively-hosted-service"
  • "disputed"

Type: array of object

List of taxonomy items related to the vulnerability

All items must be unique

Each item of this array must be:

Type: object

Type: string

The name of the taxonomy

Must be at least 1 characters long

Must be at most 128 characters long

Type: string

The version of taxonomy the identifiers come from.

Must be at least 1 characters long

Must be at most 128 characters long

Type: array of object

All items must be unique

Each item of this array must be:

Type: object

List of relationships to the taxonomy for the vulnerability. Relationships can be between the taxonomy and the CVE or two taxonomy items

Type: string

Identifier of the item in the taxonomy. Used as the subject of the relationship.

Must be at least 1 characters long

Must be at most 2000 characters long

Type: string

A description of the relationship

Must be at least 1 characters long

Must be at most 128 characters long

Type: string

The target of the relationship. Can be the CVE ID or another taxonomy identifier

Must be at least 1 characters long

Must be at most 2000 characters long

Each additional property must conform to the following schema

Type: object

All property whose name matches the following regular expression must respect the following conditions

Property name regular expression: ^x_
Type: object

Type: array

Must contain a minimum of 1 items

All items must be unique

Each item of this array must be:

Type: object

An object containing the vulnerability information provided by an Authorized Data Publisher (ADP). Since multiple ADPs can provide information for a CVE ID, an ADP container must indicate which ADP is the source of the information in the object.

Type: object

will be updated to coordinate with CVE user registry, current identifier is an email address.

Same definition as providerMetadata

Type: array

A list of multi-lingual descriptions of the vulnerability. E.g., [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]. OR [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] [ROOT CAUSE], which allows [ATTACKER] to [IMPACT] via [VECTOR].

Same definition as descriptions

Type: object

CVE affects, there must be at least one defined vulnerable product either in the form of a text description (via data defined in vendors, product, version) OR a affectsCpe.

Same definition as affected

Type: array of object

This is problem type information (e.g. CWE identifier). Must contain: At least one entry, can be text, OWASP, CWE, please note that while only one is required you can use more than one (or indeed all three) as long as they are correct). (CNA requirement: [PROBLEMTYPE])

Same definition as problemTypes

Type: array

This is reference data in the form of URLs or file objects (uuencoded and embedded within the JSON file, exact format to be decided, e.g. we may require a compressed format so the objects require unpacking before they are "dangerous").

Same definition as references

Type: array of object

collection of impact scores with attribution

Same definition as impacts

Type: array of object

collection of impact scores with attribution

Same definition as metrics

Type: array

Configurations required for exploiting this vulnerability.

Same definition as configurations

Type: array

Workarounds and mitigations for this vulnerability.

Same definition as workarounds

Type: array

Information about solutions or remediations available for this vulnerability.

Same definition as solutions

Type: array

Information about exploits of the vulnerability.

Same definition as exploits

Type: array of object

This is timeline information for significant events about this vulnerability or changes to CVE entry

Same definition as timeline

Type: array of object

Statements acknowledging specific people, organizations, or tools recognizing the work done in researching, discovering, remediating or helping with activities related to this CVE.

Same definition as credits

Type: object

This is the source information (who discovered it, who researched it, etc.) and optionally a chain of CNA information (e.g. the originating CNA and subsequent parent CNAs who have processed it before it arrives at the MITRE root).
Must contain: IF this is in the root level it MUST contain a CNA_chain entry, IF this source entry is NOT in the root (e.g. it is part of a vendor statement) then it must contain at least one type of data entry.

Same definition as source

Type: array

Tags describing the CVE entry

Must contain a minimum of 1 items

All items must be unique

Each item of this array must be:


Type: enum (of string)

disputed: When one party disagrees with another party's assertion that a particular issue in software is a vulnerability, a CVE Record assigned to that issue may be tagged as being 'disputed'.

Must be one of:

  • "disputed"

Type: array of object

List of taxonomy items related to the vulnerability

Same definition as taxonomyMappings

Each additional property must conform to the following schema

Type: object

All property whose name matches the following regular expression must respect the following conditions

Property name regular expression: ^x_
Type: object
Type: object

The initial state for a CVE Record; when the associated CVE ID is Reserved by a CNA.

No Additional Properties

Type: enum (of string)

Indicates the type of information represented in the JSON instance.

Same definition as dataType

Type: enum (of string)

The version of the schema being used. Used to support multiple versions of this format.

Same definition as dataVersion

Type: object

This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, when it was assigned, the current state (PUBLISHED, REJECTED, etc.) and so on.

No Additional Properties

Type: string

The CVE identifier that this record pertains to

Same definition as id

Type: string

the UUID for the organization to which the CVE ID was originally assigned

Same definition as assigner

Type: string

the short name for the organization to which the CVE ID was originally assigned

Same definition as assignerShortName

Type: enum (of string)

State of CVE - PUBLISHED, RESERVED, REJECTED

Must be one of:

  • "RESERVED"

Type: string

Anticipated date for public release (YYYY-MM-DD).

Must match regular expression: ^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))$

Type: array

A list of multi-lingual descriptions of the vulnerability. E.g., [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]. OR [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] [ROOT CAUSE], which allows [ATTACKER] to [IMPACT] via [VECTOR].

Must contain a minimum of 1 items

All items must be unique

Each item of this array must be:

Type: object

Text in a particular language with optional alternate markup or formatted representation (e.g., Markdown) or embedded media.

No Additional Properties

Type: string Default: "en"

BCP 47 language code, language-region

Must match regular expression: ^[A-Za-z]{2,4}([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$

Type: string

Plain text description.

Must be at least 1 characters long

Must be at most 4000 characters long

Type: array of object

Supporting media data for the description such as markdown, diagrams, .. (optional). Similar to RFC 2397 each media object has three main parts: media type, media data value, and an optional boolean flag to indicate if the media data is base64 encoded.

The following properties are required:

  • value
  • type

Must contain a minimum of 1 items

All items must be unique

Each item of this array must be:

Type: object

Type: string

RFC2046 compliant IANA Media type for eg., text/markdown, text/html.

Must be at least 1 characters long

Must be at most 255 characters long


Examples:

"text/markdown"
 
"text/html"
 
"image/png"
 
"image/svg"
 
"audio/mp3"
-

Type: boolean Default: false

If true then the value field contains the media data encoded in base64. If false then the value field contains the UTF-8 media content.

Type: string

Supporting media content, up to 16K. If base64 is true, this field stores base64 encoded data.

Must be at least 1 characters long

Must be at most 16384 characters long

Type: object

If the CVE ID and associated CVE Record should no longer be used, the CVE Record is placed in the Rejected state. A Rejected CVE Record remains on the CVE List so that users can know when it is invalid.

No Additional Properties

Type: enum (of string)

Indicates the type of information represented in the JSON instance.

Same definition as dataType

Type: enum (of string)

The version of the schema being used. Used to support multiple versions of this format.

Same definition as dataVersion

Type: object

This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, when it was assigned, the current state (PUBLIC, REJECT, etc.) and so on.

No Additional Properties

Type: string

The CVE identifier that this record pertains to

Same definition as id

Type: string

the UUID for the organization to which the CVE ID was originally assigned

Same definition as assigner

Type: string

the short name for the organization to which the CVE ID was originally assigned

Same definition as assignerShortName

Type: enum (of string)

State of CVE - PUBLIC, RESERVED, REJECT

Must be one of:

  • "REJECT"

Type: array of object

multi-lingual description of the vulnerability

Same definition as descriptions

Type: array of object

multi-lingual description of the vulnerability

Same definition as descriptions
\ No newline at end of file +

Type: boolean Default: false

If true then the value field contains the media data encoded in base64. If false then the value field contains the UTF-8 media content.

Type: string

Supporting media content, up to 16K. If base64 is true, this field stores base64 encoded data.

Must be at least 1 characters long

Must be at most 16384 characters long

Type: object

If the CVE ID and associated CVE Record should no longer be used, the CVE Record is placed in the Rejected state. A Rejected CVE Record remains on the CVE List so that users can know when it is invalid.

No Additional Properties

Type: enum (of string)

Indicates the type of information represented in the JSON instance.

Same definition as dataType

Type: enum (of string)

The version of the schema being used. Used to support multiple versions of this format.

Same definition as dataVersion

Type: object

This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, when it was assigned, the current state (RESERVED, PUBLISHED, or REJECTED) and so on.

No Additional Properties

Type: string

The CVE identifier that this record pertains to

Same definition as id

Type: string

the UUID for the organization to which the CVE ID was originally assigned

Same definition as assigner

Type: string

the short name for the organization to which the CVE ID was originally assigned

Same definition as assignerShortName

Type: enum (of string)

State of CVE - PUBLISHED, RESERVED, REJECTED

Must be one of:

  • "REJECTED"

Type: array

A list of multi-lingual descriptions of the vulnerability. E.g., [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]. OR [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] [ROOT CAUSE], which allows [ATTACKER] to [IMPACT] via [VECTOR].

Same definition as descriptions
\ No newline at end of file diff --git a/schema/v5.0/docs/mindmap.html b/schema/v5.0/docs/mindmap.html new file mode 100644 index 00000000000..ec277547d21 --- /dev/null +++ b/schema/v5.0/docs/mindmap.html @@ -0,0 +1,25 @@ + + + + + + +CVE JSON Record Format version 5 - Mindmap + + + + + + + +
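Review bot: The date pattern rendered in the Reserved record section of index.html, under "Anticipated date for public release (YYYY-MM-DD)", is not anchored as a whole. Its shape is ^(A)|(B)|(C)|(D)$, so ^ binds only to the leap-day branch and $ only to the 30-day-month branch, and the two middle branches match anywhere inside a longer string. Wrap the alternatives in one group in the schema, ^(?:A|B|C|D)$, and regenerate this page from the result. The year group in the leap-day branch, (19|2[0-9](0[48]|...)), has the same precedence problem: it accepts 19-02-29 and rejects 1996-02-29. Separately, the regenerated Rejected section changes the state text from "PUBLIC, RESERVED, REJECT" with enum "REJECT" to "PUBLISHED, RESERVED, REJECTED" with enum "REJECTED", which goes beyond the descriptions removal in patch 1/3. The "Update docs" message should say the page was regenerated from the current schema, so that readers matching on the old state strings notice the change.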