
CVE JSON Record Format version 5.1.0 Release Candidate 2

Pre-release
@chandanbn released this 06 Nov 21:12 · 37 commits to 5.1.0 since this release · 2aa608b

Changes in CVE JSON 5.1.0:

  1. Enable the versionType field to be used for a single instance of a product version.

    • This allows products associated with the vulnerability to be identified by hardware identifiers, e.g. UPC, GTIN, GMN, Package URLs, SKUs.
  2. Prevent typos in optional field names.

    • This ensures typos in field names or misplaced fields in a CVE record are identified prior to the record's acceptance by the services.
    • Prevents unexpected fields in the CVE Record.
  3. Add support for a CVSS v4.0 object.

    • Add support for an optional CVSS 4.0 object under metrics. In addition to a numerical score and a qualitative severity rating, a CVSS 4.0 object provides several new attributes related to the vulnerability, including urgency, safety impact, and the effort required to respond to the vulnerability.
  4. Other changes include: added clarity to multiple field definitions in the schema, improved examples, and fixed bugs in schema syntax.

Compatibility considerations:

⚠️ A CVE 5.0 record may fail validation with the 5.1.0 schema if it contains unexpected extra fields or if field names have typos.
Suggested solution: Please remove the extra fields or fix the field names to resolve this error.

⚠️ A CVE 5.1 record may fail validation with the 5.0.0 schema if it contains additional data such as a CVSS v4 object, or a versionType associated with a single version.
Suggested solution: Please use the 5.1.0 schema to perform the validation.

As of Nov 6th about 287 (about 0.12%) of existing CVE Records are not compliant with the CVE-JSON 5.1.0 specification due to the presence of typos or extra fields. The full list, useful for spotting potential CNA tooling problems, is at https://cveproject.github.io/quality-workgroup/report-5.1.0
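As an added illustration of the compatibility note above (example code, not part of this release or of the CVE project's tooling), the following Python lint walks a record and reports unexpected or misspelled field names with their JSON paths, which is the class of error the 5.1.0 schema now rejects instead of silently ignoring. The per-object allow-list, the sample record, and the dataVersion regex are constructed assumptions that stand in for the real schema.

```python
import re
# Constructed, deliberately small allow-list per object type. It mirrors the 5.1.0
# rule (no unexpected fields) but is NOT the real schema, which stays authoritative.
ALLOWED = {
    "record": {"dataType", "dataVersion", "cveMetadata", "containers"},
    "cveMetadata": {"cveId", "assignerOrgId", "state", "datePublished", "dateUpdated"},
    "containers": {"cna", "adp"},
    "cna": {"providerMetadata", "title", "descriptions", "affected", "problemTypes",
            "references", "metrics", "solutions", "workarounds"},
    "description": {"lang", "value", "supportingMedia"},
    "affected": {"vendor", "product", "versions", "defaultStatus", "packageName", "cpes"},
    "version": {"version", "status", "versionType", "lessThan", "lessThanOrEqual", "changes"},
}
# Which allow-list governs the object(s) stored under a given key.
CHILD_KIND = {"cveMetadata": "cveMetadata", "containers": "containers", "cna": "cna",
              "descriptions": "description", "affected": "affected", "versions": "version"}
# Assumed reading of "dataVersion is a semver starting with 5" (the RC2 fix).
DATA_VERSION = re.compile(r"^5\.\d+(\.\d+)?$")
def find_unexpected_fields(obj, kind="record", path="$"):
    """Return (json_path, key) for every key not on the allow-list of its object."""
    findings = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            if kind in ALLOWED and key not in ALLOWED[kind]:
                findings.append((path, key))
            findings += find_unexpected_fields(value, CHILD_KIND.get(key, ""), f"{path}.{key}")
    elif isinstance(obj, list):  # list items share their parent's kind
        for i, item in enumerate(obj):
            findings += find_unexpected_fields(item, kind, f"{path}[{i}]")
    return findings

def lint_record(record):
    """Problems a 5.0-era producer should fix before submitting to the 5.1.0 services."""
    problems = [f"unexpected field '{k}' at {p}" for p, k in find_unexpected_fields(record)]
    dv = record.get("dataVersion", "")
    if not DATA_VERSION.match(str(dv)):
        problems.append(f"dataVersion '{dv}' is not a 5.x semver")
    return problems

SAMPLE = {  # constructed record; the CVE id and org id are placeholders
    "dataType": "CVE_RECORD", "dataVersion": "5.1.0",
    "cveMetadata": {"cveId": "CVE-1900-0001", "assignerOrgId": "<org-uuid>", "state": "PUBLISHED"},
    "containers": {"cna": {
        "providerMetadata": {"orgId": "<org-uuid>"},
        "descriptons": [{"lang": "en", "value": "example"}],  # typo: ignored by 5.0, rejected by 5.1.0
        "affected": [{"vendor": "Example", "product": "Widget", "versions": [
            {"version": "1.2.3", "status": "affected", "versionType": "semver"}]}],  # single-version versionType
        "cvss": {},  # misplaced: scores belong under "metrics"
    }},
}
```

Running lint_record(SAMPLE) reports the misspelled descriptions field and the misplaced cvss object, both under $.containers.cna, while a record using only allowed names passes cleanly.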

CVE JSON producing tools or CVE client implementation considerations:

✅ If a tool is producing a CVE 5.0.0 record that also validates with the CVE 5.1.0 schema, then no changes to client side tooling are required.

⚠️ If a tool is producing a CVE 5.0.0 record that fails validation with the CVE 5.1.0 schema, then appropriate fixes are required to ensure uninterrupted use of CVE services. Please check https://cveproject.github.io/quality-workgroup/report-5.1.0

⚠️ If a CVE services client is performing schema validation prior to submission, please use the 5.1.0 schema to validate the record.

CVE data consumer considerations:

✅ If a CVE data consumer is not validating the JSON data against the schema, then no changes may be required to consumer side code.

⚠️ If a CVE data consumer is validating the JSON data against the 5.0.0 schema, then please use the 5.1.0 schema to validate records.

Fixes since RC1:

    • Relax dataVersion to be a semver starting with 5.
    • Refactor bundling to remove the version from the file name.
    • Add flattened CNA container published and rejected schemas to help services adoption or clients submitting container objects to services.
    • Added an example of a rejected CNA container object.