diff --git a/.github/workflows/validate-schema.yml b/.github/workflows/validate-schema.yml index 5ad68193150..08f9c742cee 100644 --- a/.github/workflows/validate-schema.yml +++ b/.github/workflows/validate-schema.yml @@ -31,6 +31,6 @@ jobs: node "${CVE_SCHEMA_DIR}/support/schema2markmap/schema-bundle.js" "${CVE_SCHEMA_DIR}/cve-schema.json" > "${CVE_SCHEMA_DIR}/docs/CVE_JSON_5.0_bundled.json" - name: Validate JSON schema run: | - ajv compile -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_JSON_5.0_bundled.json" - ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_JSON_5.0_bundled.json" -d "${CVE_SCHEMA_DIR}/docs/basic-example.json" - ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_JSON_5.0_bundled.json" -d "${CVE_SCHEMA_DIR}/docs/advanced-example.json" + ajv compile -c ajv-keywords -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_JSON_5.0_bundled.json" + ajv validate -c ajv-keywords -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_JSON_5.0_bundled.json" -d "${CVE_SCHEMA_DIR}/docs/basic-example.json" + ajv validate -c ajv-keywords -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_JSON_5.0_bundled.json" -d "${CVE_SCHEMA_DIR}/docs/advanced-example.json" diff --git a/schema/v5.0/CVE_JSON_5.0.schema b/schema/v5.0/CVE_JSON_5.0.schema index 09b635176cd..b688741a60b 100644 --- a/schema/v5.0/CVE_JSON_5.0.schema +++ b/schema/v5.0/CVE_JSON_5.0.schema @@ -753,6 +753,7 @@ "description": "A list of multi-lingual descriptions of the vulnerability. E.g., [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]. OR [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] [ROOT CAUSE], which allows [ATTACKER] to [IMPACT] via [VECTOR].", "minItems": 1, "uniqueItems": true, + "uniqueItemProperties": ["lang"], "items": { "$ref": "#/definitions/description" }, diff --git a/schema/v5.0/docs/CVE_JSON_5.0_bundled.json b/schema/v5.0/docs/CVE_JSON_5.0_bundled.json index 35fc3ffd0d3..918cd90854a 100644 
--- a/schema/v5.0/docs/CVE_JSON_5.0_bundled.json +++ b/schema/v5.0/docs/CVE_JSON_5.0_bundled.json @@ -856,6 +856,9 @@ "description": "A list of multi-lingual descriptions of the vulnerability. E.g., [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]. OR [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] [ROOT CAUSE], which allows [ATTACKER] to [IMPACT] via [VECTOR].", "minItems": 1, "uniqueItems": true, + "uniqueItemProperties": [ + "lang" + ], "items": { "$ref": "#/definitions/description" }, diff --git a/schema/v5.0/docs/index.html b/schema/v5.0/docs/index.html index de3e3faa413..5b303719590 100644 --- a/schema/v5.0/docs/index.html +++ b/schema/v5.0/docs/index.html @@ -1,4 +1,4 @@ -
cve-schema specifies the CVE JSON record format. This is the blueprint for a rich set of JSON data that can be submitted by CVE Numbering Authorities (CNAs) and Authorized Data Publishers (ADPs) to describe a CVE record. Some examples of CVE record data include CVE ID number, affected product(s), affected version(s), and public references. While those specific items are required when assigning a CVE, there are many other optional data in the schema that can be used to enrich CVE records for community benefit. Learn more about the CVE program at the official website. This CVE JSON record format is defined using JSON Schema. Learn more about JSON Schema here.
When a CNA populates the data associated with a CVE ID as a CVE Record, the state of the CVE Record is Published.
No Additional PropertiesIndicates the type of information represented in the JSON instance.
The version of the schema being used. Used to support multiple versions of this format.
This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, the current state (PUBLISHED, REJECTED, etc.) and so on. These fields are controlled by the CVE Services.
No Additional PropertiesThe CVE identifier that this record pertains to.
Must match regular expression:^CVE-[0-9]{4}-[0-9]{4,19}$
the UUID for the organization to which the CVE ID was originally assigned. This UUID can be used to lookup the organization record in the user registry service.
Must match regular expression:^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
the short name for the organization to which the CVE ID was originally assigned
Must be at least 3
characters long
Must be at most 12
characters long
the date/time the record was last updated
Must match regular expression:^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})?$
starts at 1, add 1 every time an entry is updated or changed
Value must be greater or equal to 1
The date/time this CVE ID was reserved in the CVE automation workgroup services system. Disclaimer: This date reflects when the CVE ID was reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Same definition as updatedThe date/time the CVE record was first published in the CVE List.
Same definition as updatedState of CVE - PUBLISHED, RESERVED, REJECTED
A set of structures (called containers) used to store vulnerability information related to a specific CVE ID provided by a specific organization participating in the CVE program. Each container includes information provided by a different source.
At minimum, a 'cna' container containing the vulnerability information provided by the CNA who initially assigned the CVE ID must be included.
There can only be one 'cna' container, as there can only be one assigning CNA. However, there can be multiple 'adp' containers, allowing multiple organizations participating in the CVE program to add additional information related to the vulnerability. For the most part, the 'cna' and 'adp' containers contain the same properties. The main differences are the source of the information and the 'cna' container requires the CNA include certain fields, while the 'adp' container does not.
An object containing the vulnerability information provided by a CVE Numbering Authority (CNA). There can only be one CNA container per CVE record since there can only be one assigning CNA. The CNA container must include the required information defined in the CVE Rules, which includes a product, version, problem type, prose description, and a reference.
No Additional Propertieswill be updated to coordinate with CVE user registry, current identifier is an email address.
the container provider's organizational short name
Same definition as assignerShortNameTimestamp to be set by the system of record at time of submission. If updated is provided to the system of record it will be replaced by the current timestamp at the time of submission. If a provider has multiple contributions, they shall be consolidated to a final single contribution before submission, or the system of record will reject the input with, Rejected – simultaneous contributions by a single provider.
Same definition as updatedThe date/time this CVE ID was associated with a vulnerability by a CNA.
Same definition as updatedif known, the date/time the vulnerability was disclosed publicly.
Same definition as updatedShort title - if the description is long we may want a short title to refer to
Must be at least 1
characters long
Must be at most 128
characters long
A list of multi-lingual descriptions of the vulnerability. E.g., [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]. OR [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] [ROOT CAUSE], which allows [ATTACKER] to [IMPACT] via [VECTOR].
Same definition as descriptionsList of affected products.
Must contain a minimum of 1
items
Provides information about the set of products and services affected by this vulnerability.
Name of the organization, project, community, individual, or user that created or maintains this product or hosted service. Can be 'N/A' if none of those apply. When collectionURL and packageName are used, this field may optionally represent the user or account within the package collection associated with the package.
Must be at least 1
characters long
Must be at most 512
characters long
Name of the affected product.
Must be at least 1
characters long
Must be at most 2058
characters long
URL identifying a package collection (determines meaning of packageName).
Must be at least 1
characters long
Must be at most 2000
characters long
"https://access.redhat.com/downloads/content/package-browser"
+ CVE JSON record format CVE JSON record format
cve-schema specifies the CVE JSON record format. This is the blueprint for a rich set of JSON data that can be submitted by CVE Numbering Authorities (CNAs) and Authorized Data Publishers (ADPs) to describe a CVE record. Some examples of CVE record data include CVE ID number, affected product(s), affected version(s), and public references. While those specific items are required when assigning a CVE, there are many other optional data in the schema that can be used to enrich CVE records for community benefit. Learn more about the CVE program at the official website. This CVE JSON record format is defined using JSON Schema. Learn more about JSON Schema here.
Type: object
When a CNA populates the data associated with a CVE ID as a CVE Record, the state of the CVE Record is Published.
No Additional Properties
Type: enum (of string)
Indicates the type of information represented in the JSON instance.
Must be one of:
- "CVE_RECORD"
Type: enum (of string)
The version of the schema being used. Used to support multiple versions of this format.
Must be one of:
- "5.0"
Type: object
This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, the current state (PUBLISHED, REJECTED, etc.) and so on. These fields are controlled by the CVE Services.
No Additional Properties
Type: string
The CVE identifier that this record pertains to.
Must match regular expression: ^CVE-[0-9]{4}-[0-9]{4,19}$
Type: string
the UUID for the organization to which the CVE ID was originally assigned. This UUID can be used to lookup the organization record in the user registry service.
Must match regular expression: ^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
Type: string
the short name for the organization to which the CVE ID was originally assigned
Must be at least 3
characters long
Must be at most 12
characters long
Type: string
the date/time the record was last updated
Must match regular expression: ^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})?$
Type: integer
starts at 1, add 1 every time an entry is updated or changed
Value must be greater or equal to 1
Type: string
The date/time this CVE ID was reserved in the CVE automation workgroup services system. Disclaimer: This date reflects when the CVE ID was reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Same definition as updated
Type: string
The date/time the CVE record was first published in the CVE List.
Same definition as updated
Type: enum (of string)
State of CVE - PUBLISHED, RESERVED, REJECTED
Must be one of:
- "PUBLISHED"
Type: object
A set of structures (called containers) used to store vulnerability information related to a specific CVE ID provided by a specific organization participating in the CVE program. Each container includes information provided by a different source.
At minimum, a 'cna' container containing the vulnerability information provided by the CNA who initially assigned the CVE ID must be included.
There can only be one 'cna' container, as there can only be one assigning CNA. However, there can be multiple 'adp' containers, allowing multiple organizations participating in the CVE program to add additional information related to the vulnerability. For the most part, the 'cna' and 'adp' containers contain the same properties. The main differences are the source of the information and the 'cna' container requires the CNA include certain fields, while the 'adp' container does not.
No Additional Properties
Type: object
An object containing the vulnerability information provided by a CVE Numbering Authority (CNA). There can only be one CNA container per CVE record since there can only be one assigning CNA. The CNA container must include the required information defined in the CVE Rules, which includes a product, version, problem type, prose description, and a reference.
No Additional Properties
Type: object
will be updated to coordinate with CVE user registry, current identifier is an email address.
Type: string
the container provider's organizational short name
Same definition as assignerShortName
Type: string
Timestamp to be set by the system of record at time of submission. If updated is provided to the system of record it will be replaced by the current timestamp at the time of submission. If a provider has multiple contributions, they shall be consolidated to a final single contribution before submission, or the system of record will reject the input with, Rejected – simultaneous contributions by a single provider.
Same definition as updated
Type: string
The date/time this CVE ID was associated with a vulnerability by a CNA.
Same definition as updated
Type: string
if known, the date/time the vulnerability was disclosed publicly.
Same definition as updated
Type: string
Short title - if the description is long we may want a short title to refer to
Must be at least 1
characters long
Must be at most 128
characters long
Type: array
A list of multi-lingual descriptions of the vulnerability. E.g., [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]. OR [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] [ROOT CAUSE], which allows [ATTACKER] to [IMPACT] via [VECTOR].
Same definition as descriptions
Type: array
List of affected products.
Must contain a minimum of 1
items
Each item of this array must be:
Type: object
Provides information about the set of products and services affected by this vulnerability.
Type: object
The following properties are required:
- product
- vendor
Type: object
The following properties are required:
- collectionURL
- packageName
Type: object
The following properties are required:
- versions
Type: object
The following properties are required:
- defaultStatus
Type: string
Name of the organization, project, community, individual, or user that created or maintains this product or hosted service. Can be 'N/A' if none of those apply. When collectionURL and packageName are used, this field may optionally represent the user or account within the package collection associated with the package.
Must be at least 1
characters long
Must be at most 512
characters long
Type: string
Name of the affected product.
Must be at least 1
characters long
Must be at most 2058
characters long
Type: string
URL identifying a package collection (determines meaning of packageName).
Must be at least 1
characters long
Must be at most 2000
characters long
Examples:
"https://access.redhat.com/downloads/content/package-browser"
"https://addons.mozilla.org"
"https://addons.thunderbird.net"
"https://anaconda.org/anaconda/repo"
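Review bot: this index.html hunk replaces the whole rendered line and mixes the effect of the schema change with unrelated regeneration noise (the `+` side adds `Type:` labels, `Examples:` headings and the required-property lists that the `-` side lacked), so nothing in the diff shows what the `uniqueItemProperties` change actually contributed to the docs; landing the doc regeneration in a separate commit, or pinning the doc generator so re-runs are stable, keeps the functional change reviewable. Note also that the regenerated entry for `descriptions` still reads only `Same definition as descriptions` with no mention of the one-description-per-language rule, because the generator does not know the ajv-keywords vocabulary; readers of the rendered docs will only learn of the constraint if it is also stated in the property's description string.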
@@ -88,7 +88,7 @@
}
}
return product.defaultStatus
-
Type: object
The following properties are required:
- status
- version
Type: object
The following properties are required:
- lessThan
Type: object
The following properties are required:
- lessThanOrEqual
The following properties are required:
- status
- versionType
- version
Type: string
The single version being described, or the version at the start of the range. By convention, typically 0 denotes the earliest possible version.
Must be at least 1
characters long
Must be at most 1024
characters long
Type: enum (of string)
The vulnerability status for the version or range of versions. For a range, the status may be refined by the 'changes' list.
Same definition as defaultStatus
Type: string
The version numbering system used for specifying the range. This defines the exact semantics of the comparison (less-than) operation on versions, which is required to understand the range itself. 'Custom' indicates that the version type is unspecified and should be avoided whenever possible. It is included primarily for use in conversion of older data files.
Must be at least 1
characters long
Must be at most 128
characters long
Examples:
"custom"
+
Type: object
The following properties are required:
- status
- version
Type: object
The following properties are required:
- lessThan
Type: object
The following properties are required:
- lessThanOrEqual
The following properties are required:
- status
- version
- versionType
Type: string
The single version being described, or the version at the start of the range. By convention, typically 0 denotes the earliest possible version.
Must be at least 1
characters long
Must be at most 1024
characters long
Type: enum (of string)
The vulnerability status for the version or range of versions. For a range, the status may be refined by the 'changes' list.
Same definition as defaultStatus
Type: string
The version numbering system used for specifying the range. This defines the exact semantics of the comparison (less-than) operation on versions, which is required to understand the range itself. 'Custom' indicates that the version type is unspecified and should be avoided whenever possible. It is included primarily for use in conversion of older data files.
Must be at least 1
characters long
Must be at most 128
characters long
Examples:
"custom"
"git"
"maven"
"python"
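Review bot: the only difference between the `-` and `+` sides of this hunk is the order of the required-property list for the version object, `- versionType` / `- version` in the old render versus `- version` / `- versionType` in the new one; that is generator ordering churn, not a schema change, and it will keep reappearing on every regeneration unless the generator emits property lists in a deterministic (sorted or source) order. Nothing here needs changing for the `uniqueItemProperties` feature, but the churn is another reason to land doc regeneration separately from schema changes.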
@@ -99,4 +99,4 @@
"image/png"
"image/svg"
"audio/mp3"
-
Type: boolean Default: false
If true then the value field contains the media data encoded in base64. If false then the value field contains the UTF-8 media content.
Type: string
Supporting media content, up to 16K. If base64 is true, this field stores base64 encoded data.
Must be at least 1
characters long
Must be at most 16384
characters long
At least one of the items must be:
Type: object
A description with lang set to an English language (en, enUS, enUK, and so on).
Type: string
BCP 47 language code, language-region, required to be English
Must match regular expression: ^en([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$
Type: object
If the CVE ID and associated CVE Record should no longer be used, the CVE Record is placed in the Rejected state. A Rejected CVE Record remains on the CVE List so that users can know when it is invalid.
No Additional Properties
Type: enum (of string)
Indicates the type of information represented in the JSON instance.
Same definition as dataType
Type: enum (of string)
The version of the schema being used. Used to support multiple versions of this format.
Same definition as dataVersion
Type: object
This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, the current state (PUBLISHED, REJECTED, etc.) and so on. These fields are controlled by the CVE Services.
No Additional Properties
Type: string
the UUID for the organization to which the CVE ID was originally assigned
Same definition as assigner
Type: string
the short name for the organization to which the CVE ID was originally assigned
Same definition as assignerShortName
Type: integer
starts at 1, add 1 every time an entry is updated or changed
Value must be greater or equal to 1
Type: string
The date/time the CVE record was first published in the CVE List.
Same definition as updated
Type: enum (of string)
State of CVE - PUBLISHED, RESERVED, REJECTED
Must be one of:
- "REJECTED"
Type: string
The date/time this CVE ID was reserved in the CVE automation workgroup services system. Disclaimer: This date reflects when the CVE ID was reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Same definition as updated
Type: array
A list of multi-lingual descriptions of the vulnerability. E.g., [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]. OR [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] [ROOT CAUSE], which allows [ATTACKER] to [IMPACT] via [VECTOR].
Same definition as descriptions
Type: array
Contains an array of CVE IDs that this CVE ID was rejected in favor of because the this CVE ID was assigned to the vulnerabilities
Must contain a minimum of 1
items
All items must be unique
Each item of this array must be:
\ No newline at end of file
+
Type: boolean Default: false
If true then the value field contains the media data encoded in base64. If false then the value field contains the UTF-8 media content.
Type: string
Supporting media content, up to 16K. If base64 is true, this field stores base64 encoded data.
Must be at least 1
characters long
Must be at most 16384
characters long
A description with lang set to an English language (en, enUS, enUK, and so on).
BCP 47 language code, language-region, required to be English
Must match regular expression:^en([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$
If the CVE ID and associated CVE Record should no longer be used, the CVE Record is placed in the Rejected state. A Rejected CVE Record remains on the CVE List so that users can know when it is invalid.
No Additional PropertiesIndicates the type of information represented in the JSON instance.
Same definition as dataTypeThe version of the schema being used. Used to support multiple versions of this format.
Same definition as dataVersionThis is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, the current state (PUBLISHED, REJECTED, etc.) and so on. These fields are controlled by the CVE Services.
No Additional Propertiesthe UUID for the organization to which the CVE ID was originally assigned
Same definition as assignerthe short name for the organization to which the CVE ID was originally assigned
Same definition as assignerShortNamestarts at 1, add 1 every time an entry is updated or changed
Value must be greater or equal to 1
The date/time the CVE record was first published in the CVE List.
Same definition as updatedState of CVE - PUBLISHED, RESERVED, REJECTED
The date/time this CVE ID was reserved in the CVE automation workgroup services system. Disclaimer: This date reflects when the CVE ID was reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Same definition as updatedA list of multi-lingual descriptions of the vulnerability. E.g., [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]. OR [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] [ROOT CAUSE], which allows [ATTACKER] to [IMPACT] via [VECTOR].
Same definition as descriptionsContains an array of CVE IDs that this CVE ID was rejected in favor of because the this CVE ID was assigned to the vulnerabilities
Must contain a minimum of 1
items
All items must be unique
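Review bot: the `+` side of this hunk shows the same definitions without the `Type:` labels and the `Each item of this array must be:` / `At least one of the items must be:` lead-ins that the `-` side had and that the `+` side of the first hunk added, so the English-description requirement (`A description with lang set to an English language`) now appears as a bare sentence with nothing marking it as an at-least-one constraint on the array; that looks like inconsistent generator output, so open the regenerated index.html directly to confirm the tail of the document rendered correctly rather than trusting the flattened diff view. Two smaller points: the old file ended without a trailing newline and the new one adds it, which is fine; and the text carried into the render, `because the this CVE ID was assigned to the vulnerabilities`, has a doubled article and reads as cut off, which should be fixed in the source schema's description string, not in the generated docs.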
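Review bot: in the validate-schema.yml hunk at the top of this patch, the `-c ajv-keywords` flag added to all three `ajv` invocations only works if the `ajv-keywords` package is present on the runner, and no install step changes in this diff; confirm the earlier setup step installs it next to `ajv-formats` (for example `npm install -g ajv-cli ajv-formats ajv-keywords`), otherwise `ajv compile` fails with a module-not-found error before any schema is checked. Worth a comment in the workflow as well: with the extension loaded, CI enforces `uniqueItemProperties`, but a downstream consumer validating records with plain Ajv, or with a non-Ajv JSON Schema implementation, will not, because the keyword is not part of the JSON Schema specification; Ajv v8 in its default strict mode rejects the schema with an unknown-keyword error, and other validators silently ignore the constraint.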
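Review bot: in the CVE_JSON_5.0.schema hunk, `"uniqueItemProperties": ["lang"]` on `descriptions` compares `lang` values by exact equality, so two entries tagged `en-US` and `en_US`, or `en-US` and `en-us`, still pass as distinct even though the English-language pattern shown in the rendered docs (`^en([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$`) accepts both separators and BCP 47 tags are case-insensitive; if the intent is one description per language, either constrain the pattern to a single canonical form or state the limitation in the property's description. Because the keyword comes from ajv-keywords rather than the JSON Schema vocabulary, that description string is also the only place a reader of the schema file learns that a duplicate-language list is invalid, so a sentence there would help implementers who validate with other tools.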
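Review bot: the CVE_JSON_5.0_bundled.json hunk is generated output (the workflow runs `schema-bundle.js` to produce exactly that path), so this copy should come from re-running the bundler rather than a hand edit; the multi-line array formatting here, versus the single-line `["lang"]` in the source schema, is consistent with generator output, but the workflow regenerates the bundle into the same path and validates the fresh copy without ever comparing it to the committed file, so a stale checked-in bundle would not be caught. A `git diff --exit-code` on the bundle after the generation step would close that gap.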