diff --git a/.github/workflows/validate-schema.yml b/.github/workflows/validate-schema.yml index 5ad68193150..08f9c742cee 100644 --- a/.github/workflows/validate-schema.yml +++ b/.github/workflows/validate-schema.yml @@ -31,6 +31,6 @@ jobs: node "${CVE_SCHEMA_DIR}/support/schema2markmap/schema-bundle.js" "${CVE_SCHEMA_DIR}/cve-schema.json" > "${CVE_SCHEMA_DIR}/docs/CVE_JSON_5.0_bundled.json" - name: Validate JSON schema run: | - ajv compile -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_JSON_5.0_bundled.json" - ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_JSON_5.0_bundled.json" -d "${CVE_SCHEMA_DIR}/docs/basic-example.json" - ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_JSON_5.0_bundled.json" -d "${CVE_SCHEMA_DIR}/docs/advanced-example.json" + ajv compile -c ajv-keywords -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_JSON_5.0_bundled.json" + ajv validate -c ajv-keywords -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_JSON_5.0_bundled.json" -d "${CVE_SCHEMA_DIR}/docs/basic-example.json" + ajv validate -c ajv-keywords -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_JSON_5.0_bundled.json" -d "${CVE_SCHEMA_DIR}/docs/advanced-example.json" diff --git a/schema/v5.0/CVE_JSON_5.0.schema b/schema/v5.0/CVE_JSON_5.0.schema index 09b635176cd..b688741a60b 100644 --- a/schema/v5.0/CVE_JSON_5.0.schema +++ b/schema/v5.0/CVE_JSON_5.0.schema @@ -753,6 +753,7 @@ "description": "A list of multi-lingual descriptions of the vulnerability. E.g., [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]. OR [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] [ROOT CAUSE], which allows [ATTACKER] to [IMPACT] via [VECTOR].", "minItems": 1, "uniqueItems": true, + "uniqueItemProperties": ["lang"], "items": { "$ref": "#/definitions/description" }, diff --git a/schema/v5.0/docs/CVE_JSON_5.0_bundled.json b/schema/v5.0/docs/CVE_JSON_5.0_bundled.json index 35fc3ffd0d3..918cd90854a 100644 
--- a/schema/v5.0/docs/CVE_JSON_5.0_bundled.json +++ b/schema/v5.0/docs/CVE_JSON_5.0_bundled.json @@ -856,6 +856,9 @@ "description": "A list of multi-lingual descriptions of the vulnerability. E.g., [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]. OR [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] [ROOT CAUSE], which allows [ATTACKER] to [IMPACT] via [VECTOR].", "minItems": 1, "uniqueItems": true, + "uniqueItemProperties": [ + "lang" + ], "items": { "$ref": "#/definitions/description" }, diff --git a/schema/v5.0/docs/index.html b/schema/v5.0/docs/index.html index de3e3faa413..5b303719590 100644 --- a/schema/v5.0/docs/index.html +++ b/schema/v5.0/docs/index.html @@ -1,4 +1,4 @@ - CVE JSON record format

CVE JSON record format


cve-schema specifies the CVE JSON record format. This is the blueprint for a rich set of JSON data that can be submitted by CVE Numbering Authorities (CNAs) and Authorized Data Publishers (ADPs) to describe a CVE record. Some examples of CVE record data include CVE ID number, affected product(s), affected version(s), and public references. While those specific items are required when assigning a CVE, there are many other optional data in the schema that can be used to enrich CVE records for community benefit. Learn more about the CVE program at the official website. This CVE JSON record format is defined using JSON Schema. Learn more about JSON Schema here.

Type: object

When a CNA populates the data associated with a CVE ID as a CVE Record, the state of the CVE Record is Published.

No Additional Properties

Type: enum (of string)

Indicates the type of information represented in the JSON instance.

Must be one of:

  • "CVE_RECORD"

Type: enum (of string)

The version of the schema being used. Used to support multiple versions of this format.

Must be one of:

  • "5.0"

Type: object

This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, the current state (PUBLISHED, REJECTED, etc.) and so on. These fields are controlled by the CVE Services.

No Additional Properties

Type: string

The CVE identifier that this record pertains to.

Must match regular expression: ^CVE-[0-9]{4}-[0-9]{4,19}$

Type: string

the UUID for the organization to which the CVE ID was originally assigned. This UUID can be used to lookup the organization record in the user registry service.

Must match regular expression: ^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$

Type: string

the short name for the organization to which the CVE ID was originally assigned

Must be at least 3 characters long

Must be at most 12 characters long

Type: string

the user that requested the CVE identifier

Same definition as assigner

Type: string

the date/time the record was last updated

Must match regular expression: ^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})?$

Type: integer

starts at 1, add 1 every time an entry is updated or changed

Value must be greater or equal to 1

Type: string

The date/time this CVE ID was reserved in the CVE automation workgroup services system. Disclaimer: This date reflects when the CVE ID was reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

Same definition as updated

Type: string

The date/time the CVE record was first published in the CVE List.

Same definition as updated

Type: enum (of string)

State of CVE - PUBLISHED, RESERVED, REJECTED

Must be one of:

  • "PUBLISHED"

Type: object

A set of structures (called containers) used to store vulnerability information related to a specific CVE ID provided by a specific organization participating in the CVE program. Each container includes information provided by a different source.

At minimum, a 'cna' container containing the vulnerability information provided by the CNA who initially assigned the CVE ID must be included.

There can only be one 'cna' container, as there can only be one assigning CNA. However, there can be multiple 'adp' containers, allowing multiple organizations participating in the CVE program to add additional information related to the vulnerability. For the most part, the 'cna' and 'adp' containers contain the same properties. The main differences are the source of the information and the 'cna' container requires the CNA include certain fields, while the 'adp' container does not.

No Additional Properties

Type: object

An object containing the vulnerability information provided by a CVE Numbering Authority (CNA). There can only be one CNA container per CVE record since there can only be one assigning CNA. The CNA container must include the required information defined in the CVE Rules, which includes a product, version, problem type, prose description, and a reference.

No Additional Properties

Type: object

will be updated to coordinate with CVE user registry, current identifier is an email address.

Type: string

the container provider's organizational UUID

Same definition as assigner

Type: string

the container provider's organizational short name

Same definition as assignerShortName

Type: string

Timestamp to be set by the system of record at time of submission. If updated is provided to the system of record it will be replaced by the current timestamp at the time of submission. If a provider has multiple contributions, they shall be consolidated to a final single contribution before submission, or the system of record will reject the input with, Rejected – simultaneous contributions by a single provider.

Same definition as updated

Type: string

The date/time this CVE ID was associated with a vulnerability by a CNA.

Same definition as updated

Type: string

if known, the date/time the vulnerability was disclosed publicly.

Same definition as updated

Type: string

Short title - if the description is long we may want a short title to refer to

Must be at least 1 characters long

Must be at most 128 characters long

Type: array

A list of multi-lingual descriptions of the vulnerability. E.g., [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]. OR [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] [ROOT CAUSE], which allows [ATTACKER] to [IMPACT] via [VECTOR].

Same definition as descriptions

Type: array

List of affected products.

Must contain a minimum of 1 items

Each item of this array must be:

Type: object

Provides information about the set of products and services affected by this vulnerability.


Type: object

The following properties are required:

  • product
  • vendor
Type: object

The following properties are required:

  • packageName
  • collectionURL

Type: object

The following properties are required:

  • versions
Type: object

The following properties are required:

  • defaultStatus

Type: string

Name of the organization, project, community, individual, or user that created or maintains this product or hosted service. Can be 'N/A' if none of those apply. When collectionURL and packageName are used, this field may optionally represent the user or account within the package collection associated with the package.

Must be at least 1 characters long

Must be at most 512 characters long

Type: string

Name of the affected product.

Must be at least 1 characters long

Must be at most 2058 characters long

Type: string

URL identifying a package collection (determines meaning of packageName).

Must be at least 1 characters long

Must be at most 2000 characters long


Examples:

"https://access.redhat.com/downloads/content/package-browser"
+ CVE JSON record format 

CVE JSON record format


cve-schema specifies the CVE JSON record format. This is the blueprint for a rich set of JSON data that can be submitted by CVE Numbering Authorities (CNAs) and Authorized Data Publishers (ADPs) to describe a CVE record. Some examples of CVE record data include CVE ID number, affected product(s), affected version(s), and public references. While those specific items are required when assigning a CVE, there are many other optional data in the schema that can be used to enrich CVE records for community benefit. Learn more about the CVE program at the official website. This CVE JSON record format is defined using JSON Schema. Learn more about JSON Schema here.

Type: object

When a CNA populates the data associated with a CVE ID as a CVE Record, the state of the CVE Record is Published.

No Additional Properties

Type: enum (of string)

Indicates the type of information represented in the JSON instance.

Must be one of:

  • "CVE_RECORD"

Type: enum (of string)

The version of the schema being used. Used to support multiple versions of this format.

Must be one of:

  • "5.0"

Type: object

This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, the current state (PUBLISHED, REJECTED, etc.) and so on. These fields are controlled by the CVE Services.

No Additional Properties

Type: string

The CVE identifier that this record pertains to.

Must match regular expression: ^CVE-[0-9]{4}-[0-9]{4,19}$

Type: string

the UUID for the organization to which the CVE ID was originally assigned. This UUID can be used to lookup the organization record in the user registry service.

Must match regular expression: ^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$

Type: string

the short name for the organization to which the CVE ID was originally assigned

Must be at least 3 characters long

Must be at most 12 characters long

Type: string

the user that requested the CVE identifier

Same definition as assigner

Type: string

the date/time the record was last updated

Must match regular expression: ^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})?$

Type: integer

starts at 1, add 1 every time an entry is updated or changed

Value must be greater or equal to 1

Type: string

The date/time this CVE ID was reserved in the CVE automation workgroup services system. Disclaimer: This date reflects when the CVE ID was reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

Same definition as updated

Type: string

The date/time the CVE record was first published in the CVE List.

Same definition as updated

Type: enum (of string)

State of CVE - PUBLISHED, RESERVED, REJECTED

Must be one of:

  • "PUBLISHED"

Type: object

A set of structures (called containers) used to store vulnerability information related to a specific CVE ID provided by a specific organization participating in the CVE program. Each container includes information provided by a different source.

At minimum, a 'cna' container containing the vulnerability information provided by the CNA who initially assigned the CVE ID must be included.

There can only be one 'cna' container, as there can only be one assigning CNA. However, there can be multiple 'adp' containers, allowing multiple organizations participating in the CVE program to add additional information related to the vulnerability. For the most part, the 'cna' and 'adp' containers contain the same properties. The main differences are the source of the information and the 'cna' container requires the CNA include certain fields, while the 'adp' container does not.

No Additional Properties

Type: object

An object containing the vulnerability information provided by a CVE Numbering Authority (CNA). There can only be one CNA container per CVE record since there can only be one assigning CNA. The CNA container must include the required information defined in the CVE Rules, which includes a product, version, problem type, prose description, and a reference.

No Additional Properties

Type: object

will be updated to coordinate with CVE user registry, current identifier is an email address.

Type: string

the container provider's organizational UUID

Same definition as assigner

Type: string

the container provider's organizational short name

Same definition as assignerShortName

Type: string

Timestamp to be set by the system of record at time of submission. If updated is provided to the system of record it will be replaced by the current timestamp at the time of submission. If a provider has multiple contributions, they shall be consolidated to a final single contribution before submission, or the system of record will reject the input with, Rejected – simultaneous contributions by a single provider.

Same definition as updated

Type: string

The date/time this CVE ID was associated with a vulnerability by a CNA.

Same definition as updated

Type: string

if known, the date/time the vulnerability was disclosed publicly.

Same definition as updated

Type: string

Short title - if the description is long we may want a short title to refer to

Must be at least 1 characters long

Must be at most 128 characters long

Type: array

A list of multi-lingual descriptions of the vulnerability. E.g., [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]. OR [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] [ROOT CAUSE], which allows [ATTACKER] to [IMPACT] via [VECTOR].

Same definition as descriptions

Type: array

List of affected products.

Must contain a minimum of 1 items

Each item of this array must be:

Type: object

Provides information about the set of products and services affected by this vulnerability.


Type: object

The following properties are required:

  • product
  • vendor
Type: object

The following properties are required:

  • collectionURL
  • packageName

Type: object

The following properties are required:

  • versions
Type: object

The following properties are required:

  • defaultStatus

Type: string

Name of the organization, project, community, individual, or user that created or maintains this product or hosted service. Can be 'N/A' if none of those apply. When collectionURL and packageName are used, this field may optionally represent the user or account within the package collection associated with the package.

Must be at least 1 characters long

Must be at most 512 characters long

Type: string

Name of the affected product.

Must be at least 1 characters long

Must be at most 2058 characters long

Type: string

URL identifying a package collection (determines meaning of packageName).

Must be at least 1 characters long

Must be at most 2000 characters long


Examples:

"https://access.redhat.com/downloads/content/package-browser"
 
"https://addons.mozilla.org"
 
"https://addons.thunderbird.net"
 
"https://anaconda.org/anaconda/repo"
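Review bot: the regenerated documentation in this hunk does not surface the new `uniqueItemProperties` constraint anywhere; the only visible difference between the `-` and `+` sides is the re-sorted required-property list (`packageName, collectionURL` becomes `collectionURL, packageName`), so a reader of index.html will not learn that the `descriptions` array now accepts at most one entry per `lang`. Since the generator renders the `description` text verbatim, the cheapest fix is to mention the one-entry-per-language rule in the `descriptions` description string in the schema, or alternatively teach the doc generator to render the keyword.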
@@ -88,7 +88,7 @@
     }
 }
 return product.defaultStatus
-

Type: object

The following properties are required:

  • status
  • version

Type: object

The following properties are required:

  • lessThan
Type: object

The following properties are required:

  • lessThanOrEqual

The following properties are required:

  • status
  • versionType
  • version

Type: string

The single version being described, or the version at the start of the range. By convention, typically 0 denotes the earliest possible version.

Must be at least 1 characters long

Must be at most 1024 characters long

Type: enum (of string)

The vulnerability status for the version or range of versions. For a range, the status may be refined by the 'changes' list.

Same definition as defaultStatus

Type: string

The version numbering system used for specifying the range. This defines the exact semantics of the comparison (less-than) operation on versions, which is required to understand the range itself. 'Custom' indicates that the version type is unspecified and should be avoided whenever possible. It is included primarily for use in conversion of older data files.

Must be at least 1 characters long

Must be at most 128 characters long


Examples:

"custom"
+

Type: object

The following properties are required:

  • status
  • version

Type: object

The following properties are required:

  • lessThan
Type: object

The following properties are required:

  • lessThanOrEqual

The following properties are required:

  • status
  • version
  • versionType

Type: string

The single version being described, or the version at the start of the range. By convention, typically 0 denotes the earliest possible version.

Must be at least 1 characters long

Must be at most 1024 characters long

Type: enum (of string)

The vulnerability status for the version or range of versions. For a range, the status may be refined by the 'changes' list.

Same definition as defaultStatus

Type: string

The version numbering system used for specifying the range. This defines the exact semantics of the comparison (less-than) operation on versions, which is required to understand the range itself. 'Custom' indicates that the version type is unspecified and should be avoided whenever possible. It is included primarily for use in conversion of older data files.

Must be at least 1 characters long

Must be at most 128 characters long


Examples:

"custom"
 
"git"
 
"maven"
 
"python"
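Review bot: the only content change in this hunk is that `version` now precedes `versionType` in the required-property list, which is a sort-order artifact of regenerating the page rather than a schema change. Fine to merge as long as the docs were produced from the same bundled schema the workflow validates; if they were edited by hand, the ordering will flip back on the next regeneration and produce a spurious diff.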
@@ -99,4 +99,4 @@
 
"image/png"
 
"image/svg"
 
"audio/mp3"
-

Type: boolean Default: false

If true then the value field contains the media data encoded in base64. If false then the value field contains the UTF-8 media content.

Type: string

Supporting media content, up to 16K. If base64 is true, this field stores base64 encoded data.

Must be at least 1 characters long

Must be at most 16384 characters long

At least one of the items must be:

Type: object

A description with lang set to an English language (en, enUS, enUK, and so on).

Type: string

BCP 47 language code, language-region, required to be English

Must match regular expression: ^en([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$
Type: object

If the CVE ID and associated CVE Record should no longer be used, the CVE Record is placed in the Rejected state. A Rejected CVE Record remains on the CVE List so that users can know when it is invalid.

No Additional Properties

Type: enum (of string)

Indicates the type of information represented in the JSON instance.

Same definition as dataType

Type: enum (of string)

The version of the schema being used. Used to support multiple versions of this format.

Same definition as dataVersion

Type: object

This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, the current state (PUBLISHED, REJECTED, etc.) and so on. These fields are controlled by the CVE Services.

No Additional Properties

Type: string

The CVE identifier that this record pertains to

Same definition as id

Type: string

the UUID for the organization to which the CVE ID was originally assigned

Same definition as assigner

Type: string

the short name for the organization to which the CVE ID was originally assigned

Same definition as assignerShortName

Type: integer

starts at 1, add 1 every time an entry is updated or changed

Value must be greater or equal to 1

Type: string

the date/time the record was last updated

Same definition as updated

Type: string

The date/time the CVE record was first published in the CVE List.

Same definition as updated

Type: string

The date/time the CVE ID was rejected.

Same definition as updated

Type: enum (of string)

State of CVE - PUBLISHED, RESERVED, REJECTED

Must be one of:

  • "REJECTED"

Type: string

The date/time this CVE ID was reserved in the CVE automation workgroup services system. Disclaimer: This date reflects when the CVE ID was reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

Same definition as updated

Type: array

A list of multi-lingual descriptions of the vulnerability. E.g., [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]. OR [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] [ROOT CAUSE], which allows [ATTACKER] to [IMPACT] via [VECTOR].

Same definition as descriptions

Type: array

Contains an array of CVE IDs that this CVE ID was rejected in favor of because the this CVE ID was assigned to the vulnerabilities

Must contain a minimum of 1 items

All items must be unique

Each item of this array must be:

\ No newline at end of file +

Type: boolean Default: false

If true then the value field contains the media data encoded in base64. If false then the value field contains the UTF-8 media content.

Type: string

Supporting media content, up to 16K. If base64 is true, this field stores base64 encoded data.

Must be at least 1 characters long

Must be at most 16384 characters long

At least one of the items must be:

Type: object

A description with lang set to an English language (en, enUS, enUK, and so on).

Type: string

BCP 47 language code, language-region, required to be English

Must match regular expression: ^en([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$
Type: object

If the CVE ID and associated CVE Record should no longer be used, the CVE Record is placed in the Rejected state. A Rejected CVE Record remains on the CVE List so that users can know when it is invalid.

No Additional Properties

Type: enum (of string)

Indicates the type of information represented in the JSON instance.

Same definition as dataType

Type: enum (of string)

The version of the schema being used. Used to support multiple versions of this format.

Same definition as dataVersion

Type: object

This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, the current state (PUBLISHED, REJECTED, etc.) and so on. These fields are controlled by the CVE Services.

No Additional Properties

Type: string

The CVE identifier that this record pertains to

Same definition as id

Type: string

the UUID for the organization to which the CVE ID was originally assigned

Same definition as assigner

Type: string

the short name for the organization to which the CVE ID was originally assigned

Same definition as assignerShortName

Type: integer

starts at 1, add 1 every time an entry is updated or changed

Value must be greater or equal to 1

Type: string

the date/time the record was last updated

Same definition as updated

Type: string

The date/time the CVE record was first published in the CVE List.

Same definition as updated

Type: string

The date/time the CVE ID was rejected.

Same definition as updated

Type: enum (of string)

State of CVE - PUBLISHED, RESERVED, REJECTED

Must be one of:

  • "REJECTED"

Type: string

The date/time this CVE ID was reserved in the CVE automation workgroup services system. Disclaimer: This date reflects when the CVE ID was reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

Same definition as updated

Type: array

A list of multi-lingual descriptions of the vulnerability. E.g., [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]. OR [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] [ROOT CAUSE], which allows [ATTACKER] to [IMPACT] via [VECTOR].

Same definition as descriptions

Type: array

Contains an array of CVE IDs that this CVE ID was rejected in favor of because the this CVE ID was assigned to the vulnerabilities

Must contain a minimum of 1 items

All items must be unique

Each item of this array must be:

\ No newline at end of file
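Review bot: the `\ No newline at end of file` marker on the `-` side and its absence on the `+` side show that this hunk's net effect is adding a trailing newline to index.html; the remaining lines are unchanged context (the `rejectedReasons` array is still cut off at `Each item of this array must be:` on both sides, so nothing about that field changed). No objection.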
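Review bot: in the validate-schema.yml hunk, adding `-c ajv-keywords` to the three `ajv` commands only works if the `ajv-keywords` package is installed on the runner alongside `ajv-cli` and `ajv-formats`; the install step is outside this hunk, so confirm it was updated or the `Validate JSON schema` step will fail to load the module. It is also worth documenting in the workflow or README that `uniqueItemProperties` is an ajv-keywords extension rather than a JSON Schema keyword: other validators will silently ignore it, and Ajv in strict mode without the plugin will reject the schema for an unknown keyword, so downstream consumers of CVE_JSON_5.0.schema only get duplicate-language rejection if they load the same plugin.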
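Review bot: in the CVE_JSON_5.0.schema hunk, `"uniqueItemProperties": ["lang"]` sits next to the existing `"uniqueItems": true`, so the combined rule is stricter than whole-item uniqueness: two descriptions that differ in `value` but share a `lang` are now rejected. If the intent is one description per language, note that the check compares the `lang` strings exactly, and the English `lang` pattern visible in the bundled docs (`^en([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$`) accepts `en-US`, `en_US` and `en-us` as distinct values, so duplicates that differ only in case or separator still pass. Consider tightening the `lang` pattern or stating the limitation in the field description.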
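Review bot: the CVE_JSON_5.0_bundled.json hunk mirrors the source-schema change, and the workflow hunk shows this file is regenerated by `schema-bundle.js` into `docs/CVE_JSON_5.0_bundled.json` on every run, so its multi-line formatting of the `lang` array should be whatever the bundler emits; if it was hand-edited, the next CI run will produce a formatting-only diff. Nothing to change if it was produced by running the bundler.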