CVE Record Format version 5.1.1 Release Candidate 2

Changes in CVE Record Format 5.1.1:

1. Add new and expanded support for Common Platform Enumeration (CPE) Identifiers using the CPE Applicability Language.

   • Both CNA and ADP containers support a new cpeApplicability block that allows one or more CPE Identifier Names, CPE Match Strings, or CPE Match String Ranges to be defined.
   • The cpeApplicability block is optional. If provided, it is recommended that the CNA ensure that the data provided matches as closely as possible to the product data provided within the affected block.
   • The syntax and format of the cpeApplicability block matches that used by the NIST NVD CVE API JSON v2.0 schema (configurations). NOTE: The “matchCriteriaId” property is optional in the CVE Record Format.
   • The new cpeApplicability block supports CPE 2.3 names only.

2. Example CVE Records (in docs) have been updated to use CVE-1900-xxxx example IDs.

CVE JSON producing tools or CVE client implementation considerations:

✅ If a tool is producing CVE 5.1.0 Records then no changes to client-side tooling are required. However, it is recommended to upgrade to the CVE Record Format 5.1.1 to support the new features listed above.

⚠️ If a CVE services client is performing schema validation prior to submission, please use the CVE Record Format 5.1.1 schema to validate the Record.

CVE data consumer considerations:

✅ If a CVE data consumer is not validating the JSON data against the CVE Record Format schema, then no changes are required to the consumer side code.

⚠️ If a CVE data consumer is validating the JSON data against the CVE Record Format schema, then it is recommended that they begin using the CVE Record Format 5.1.1 schema to validate Records.