diff --git a/.github/workflows/validate-schema.yml b/.github/workflows/validate-schema.yml
index 13b0e92c1c9..6545dee93b1 100644
--- a/.github/workflows/validate-schema.yml
+++ b/.github/workflows/validate-schema.yml
@@ -9,8 +9,8 @@ on:
branches:
- master
env:
- CVE_SCHEMA_DIR: schema/v5.0
- CVE_SCHEMA_FILENAME: CVE_JSON_5.0_schema.json
+ CVE_SCHEMA_DIR: schema
+ CVE_SCHEMA_FILENAME: CVE_Record_Format.json
jobs:
verify-json-validation:
runs-on: ubuntu-latest
@@ -28,9 +28,11 @@ jobs:
sed 's/file\://g' "${CVE_SCHEMA_DIR}/${CVE_SCHEMA_FILENAME}" > "${CVE_SCHEMA_DIR}/cve-schema.json"
- name: Bundle schema for AJV
run: |
- node "${CVE_SCHEMA_DIR}/support/schema2markmap/schema-bundle.js" "${CVE_SCHEMA_DIR}/cve-schema.json" > "${CVE_SCHEMA_DIR}/docs/CVE_JSON_5.0_bundled.json"
+ node "${CVE_SCHEMA_DIR}/support/schema2markmap/schema-bundle.js" "${CVE_SCHEMA_DIR}/cve-schema.json" "${CVE_SCHEMA_DIR}/docs/"
- name: Validate JSON schema
run: |
- ajv compile -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_JSON_5.0_bundled.json"
- ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_JSON_5.0_bundled.json" -d "${CVE_SCHEMA_DIR}/docs/full-record-basic-example.json"
- ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_JSON_5.0_bundled.json" -d "${CVE_SCHEMA_DIR}/docs/full-record-advanced-example.json"
+ ajv compile -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled.json"
+ ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled.json" -d "${CVE_SCHEMA_DIR}/docs/full-record-basic-example.json"
+ ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled.json" -d "${CVE_SCHEMA_DIR}/docs/full-record-advanced-example.json"
+ ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json" -d "${CVE_SCHEMA_DIR}/docs/cnaContainer-advanced-example.json"
+ ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json" -d "${CVE_SCHEMA_DIR}/docs/cnaContainer-basic-example.json"
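Review bot: The new `CVE_Record_Format_bundled_cnaPublishedContainer.json` bundle is used by two `ajv validate` lines in the "Validate JSON schema" step but is never passed to `ajv compile`, so a defect in that schema would only surface as a failed example validation rather than as a schema error. Adding `ajv compile -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json"` after the existing compile line would check both bundles the same way. The bundle step now passes only an output directory to schema-bundle.js, so both bundle file names are presumably fixed inside that script, which this hunk does not show; a one-line comment above the validate lines saying where those files come from would help the next maintainer. The step also validates only examples that are expected to pass, so it gives no evidence that the schema rejects malformed records.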
diff --git a/README.md b/README.md
index 62ff16b1d10..629a16c209d 100644
--- a/README.md
+++ b/README.md
@@ -1,26 +1,41 @@
-# Current Version of CVE Schema
+# Current Version of CVE Record Format
-The latest version of the CVE JSON is 5.0. A single schema file with bundled dependencies is available [here](https://github.com/CVEProject/cve-schema/blob/master/schema/v5.0/docs/CVE_JSON_5.0_bundled.json).
+Major changes to cve-schema repo architecture!! if you have integrations that rely on the cve-schema repo structure, please review the changes here. The latest version of the CVE JSON record format is 5.1.0. A single schema file with bundled dependencies is available [here](https://github.com/CVEProject/cve-schema/blob/master/schema/docs/CVE_Record_Format_bundled.json).
-# CVE Schema Overview
-cve-schema specifies the CVE JSON record format. This is the blueprint for a rich set of CVE JSON data that can be submitted by CVE Numbering Authorities (CNAs) and Authorized Data Publishers (ADPs) to describe a CVE Record. Some examples of CVE Record data include CVE ID number, affected product(s), affected version(s), and public references. While those specific items are required when assigning a CVE, there are many other optional data in the schema that can be used to enrich CVE records for community benefit.
+Note: The ADP functionality in the current schema is not yet deployed in CVE Services. The ADP functionality is currently under development and is for future use.
-Learn more about the CVE program at [cve.org](https://www.cve.org/)
+Note: Please refer to the CVE Services page [here](https://www.cve.org/AllResources/CveServices) for known issues with the schema.
-This CVE JSON record format is defined using JSON Schema. Learn more about JSON Schema [here](https://json-schema.org/)
+# CVE Record Format Overview
-A single schema file with bundled dependencies is at [CVE_JSON_5.0_bundled.json](https://github.com/CVEProject/cve-schema/blob/master/schema/v5.0/docs/CVE_JSON_5.0_bundled.json)
+cve-schema specifies the CVE record format. This is the blueprint for a rich set of JSON data that can be submitted by CVE Numbering Authorities (CNAs) and Authorized Data Publishers (ADPs) to describe a CVE record. Some examples of CVE record data include CVE ID number, affected product(s), affected version(s), and public references. While those specific items are required when assigning a CVE, there are many other optional data in the schema that can be used to enrich CVE records for community benefit.
-Documentation about this format is available in [docs](https://cveproject.github.io/cve-schema/schema/v5.0/docs/)
+### Learn
-A mindmap version of the CVE record structure is at [mindmap](https://cveproject.github.io/cve-schema/schema/v5.0/docs/mindmap.html)
+Learn more about the CVE program at: https://www.cve.org/
-A basic example of a full record in 5.0 format with minimally required fields is available at [full-record-basic-example.json](https://github.com/cveproject/cve-schema/blob/master/schema/v5.0/docs/full-record-basic-example.json)
+This CVE record format is defined using JSON Schema. Learn more about JSON Schema at: https://json-schema.org/ .
-An advanced example of a full record in 5.0 format is available at [full-record-advanced-example.json](https://github.com/cveproject/cve-schema/blob/master/schema/v5.0/docs/full-record-advanced-example.json)
+### Latest
-A basic example of a cnaContainer, to be used with CVE Services, is available at [cnaContainer-basic-example.json](https://github.com/cveproject/cve-schema/blob/master/schema/v5.0/docs/cnaContainer-basic-example.json)
+The latest version of the record format is 5.1.0. It is specified in the JSON schema at https://github.com/CVEProject/cve-schema/blob/master/schema/CVE_Record_Format.json
-An advanced example of a cnaContainer, to be used with CVE Services, is available at [cnaContainer-advanced-example.json](https://github.com/cveproject/cve-schema/blob/master/schema/v5.0/docs/cnaContainer-advanced-example.json)
+A single schema file with bundled dependencies is at https://github.com/CVEProject/cve-schema/blob/master/schema/docs/CVE_Record_Format_bundled.json
-More details about Product and Version Encodings in CVE JSON 5.0 record is at [versions.md](https://github.com/CVEProject/cve-schema/blob/master/schema/v5.0/docs/versions.md)
+### Documentation and Guidance
+
+Documentation about this format is available at https://cveproject.github.io/cve-schema/schema/docs/
+
+A mindmap version of the CVE record structure is at https://cveproject.github.io/cve-schema/schema/docs/mindmap.html
+
+More details about Product and Version Encodings in CVE JSON 5.1.0 record is at https://github.com/CVEProject/cve-schema/blob/master/schema/docs/versions.md
+
+### Examples
+
+A basic example of a full record in 5.1.0 format with minimally required fields is available at https://github.com/cveproject/cve-schema/blob/master/schema/docs/full-record-basic-example.json
+
+An advanced example of a full record in 5.1.0 format is available at https://github.com/cveproject/cve-schema/blob/master/schema/docs/full-record-advanced-example.json
+
+A basic example of a cnaContainer, to be used with CVE Services, is available at https://github.com/cveproject/cve-schema/blob/master/schema/docs/cnaContainer-basic-example.json
+
+An advanced example of a cnaContainer, to be used with CVE Services, is available at https://github.com/cveproject/cve-schema/blob/master/schema/docs/cnaContainer-advanced-example.json
\ No newline at end of file
diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json
new file mode 100644
index 00000000000..f74450c32c8
--- /dev/null
+++ b/schema/CVE_Record_Format.json
@@ -0,0 +1,1234 @@
+{
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "$id": "https://cveproject.github.io/cve-schema/schema/CVE_Record_Format.json",
+ "title": "CVE JSON record format",
+ "description": "cve-schema specifies the CVE JSON record format. This is the blueprint for a rich set of JSON data that can be submitted by CVE Numbering Authorities (CNAs) and Authorized Data Publishers (ADPs) to describe a CVE Record. Some examples of CVE Record data include CVE ID number, affected product(s), affected version(s), and public references. While those specific items are required when assigning a CVE, there are many other optional data in the schema that can be used to enrich CVE Records for community benefit. Learn more about the CVE program at [the official website](https://cve.mitre.org). This CVE JSON record format is defined using JSON Schema. Learn more about JSON Schema [here](https://json-schema.org/).",
+ "definitions": {
+ "uriType": {
+ "description": "A universal resource identifier (URI), according to [RFC 3986](https://tools.ietf.org/html/rfc3986).",
+ "type": "string",
+ "format": "uri",
+ "minLength": 1,
+ "maxLength": 2048
+ },
+ "uuidType": {
+ "description": "A version 4 (random) universally unique identifier (UUID) as defined by [RFC 4122](https://tools.ietf.org/html/rfc4122#section-4.1.3).",
+ "type": "string",
+ "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
+ },
+ "reference": {
+ "type": "object",
+ "required": ["url"],
+ "properties": {
+ "url": {
+ "description": "The uniform resource locator (URL), according to [RFC 3986](https://tools.ietf.org/html/rfc3986#section-1.1.3), that can be used to retrieve the referenced resource.",
+ "$ref": "#/definitions/uriType"
+ },
+ "name": {
+ "description": "User created name for the reference, often the title of the page.",
+ "type": "string",
+ "maxLength": 512,
+ "minLength": 1
+ },
+ "tags": {
+ "description": "An array of one or more tags that describe the resource referenced by 'url'.",
+ "type": "array",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "oneOf": [
+ {
+ "$ref": "#/definitions/tagExtension"
+ },
+ {
+ "$ref": "file:tags/reference-tags.json"
+ }
+ ]
+ }
+ }
+ },
+ "additionalProperties": false
+ },
+ "cveId": {
+ "type": "string",
+ "pattern": "^CVE-[0-9]{4}-[0-9]{4,19}$"
+ },
+ "orgId": {
+ "description": "A UUID for an organization participating in the CVE program. This UUID can be used to lookup the organization record in the user registry service.",
+ "$ref": "#/definitions/uuidType"
+ },
+ "userId": {
+ "description": "A UUID for a user participating in the CVE program. This UUID can be used to lookup the user record in the user registry service.",
+ "$ref": "#/definitions/uuidType"
+ },
+ "shortName": {
+ "description": "A 2-32 character name that can be used to complement an organization's UUID.",
+ "type": "string",
+ "minLength": 2,
+ "maxLength": 32
+ },
+ "datestamp": {
+ "description": "Date/time format based on RFC3339 and ISO ISO8601.",
+ "type": "string",
+ "format": "date",
+ "pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))$"
+ },
+ "timestamp": {
+ "type": "string",
+ "description": "Date/time format based on RFC3339 and ISO ISO8601, with an optional timezone in the format 'yyyy-MM-ddTHH:mm:ss[+-]ZH:ZM'. If timezone offset is not given, GMT (+00:00) is assumed.",
+ "pattern": "^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})?$"
+ },
+ "version": {
+ "description": "A single version of a product, as expressed in its own version numbering scheme.",
+ "type": "string",
+ "minLength": 1,
+ "maxLength": 1024
+ },
+ "status": {
+ "description": "The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.",
+ "type": "string",
+ "enum": ["affected", "unaffected", "unknown"]
+ },
+ "product": {
+ "type": "object",
+ "description": "Provides information about the set of products and services affected by this vulnerability.",
+ "allOf": [
+ {
+ "anyOf": [
+ {"required": ["vendor", "product"]},
+ {"required": ["collectionURL", "packageName"]}
+ ]
+ },
+ {
+ "anyOf": [
+ {"required": ["versions"]},
+ {"required": ["defaultStatus"]}
+ ]
+ }
+ ],
+ "properties": {
+ "vendor": {
+ "type": "string",
+ "description": "Name of the organization, project, community, individual, or user that created or maintains this product or hosted service. Can be 'N/A' if none of those apply. When collectionURL and packageName are used, this field may optionally represent the user or account within the package collection associated with the package.",
+ "minLength": 1,
+ "maxLength": 512
+ },
+ "product": {
+ "type": "string",
+ "description": "Name of the affected product.",
+ "minLength": 1,
+ "maxLength": 2048
+ },
+ "collectionURL": {
+ "description": "URL identifying a package collection (determines the meaning of packageName).",
+ "$ref": "#/definitions/uriType",
+ "examples": [
+ "https://access.redhat.com/downloads/content/package-browser",
+ "https://addons.mozilla.org",
+ "https://addons.thunderbird.net",
+ "https://anaconda.org/anaconda/repo",
+ "https://app.vagrantup.com/boxes/search",
+ "https://apps.apple.com",
+ "https://archlinux.org/packages",
+ "https://atmospherejs.meteor.com",
+ "https://atom.io/packages",
+ "https://bitbucket.org",
+ "https://bower.io",
+ "https://brew.sh/",
+ "https://chocolatey.org/packages",
+ "https://chrome.google.com/webstore",
+ "https://clojars.org",
+ "https://cocoapods.org",
+ "https://code.dlang.org",
+ "https://conan.io/center",
+ "https://cpan.org/modules",
+ "https://cran.r-project.org",
+ "https://crates.io",
+ "https://ctan.org/pkg",
+ "https://drupal.org",
+ "https://exchange.adobe.com",
+ "https://forge.puppet.com/modules",
+ "https://github.com",
+ "https://gitlab.com/explore",
+ "https://golang.org/pkg",
+ "https://guix.gnu.org/packages",
+ "https://hackage.haskell.org",
+ "https://helm.sh",
+ "https://hub.docker.com",
+ "https://juliahub.com",
+ "https://lib.haxe.org",
+ "https://luarocks.org",
+ "https://marketplace.visualstudio.com",
+ "https://melpa.org",
+ "https://microsoft.com/en-us/store/apps",
+ "https://nimble.directory",
+ "https://nuget.org/packages",
+ "https://opam.ocaml.org/packages",
+ "https://openwrt.org/packages/index",
+ "https://package.elm-lang.org",
+ "https://packagecontrol.io",
+ "https://packages.debian.org",
+ "https://packages.gentoo.org",
+ "https://packagist.org",
+ "https://pear.php.net/packages.php",
+ "https://pecl.php.net",
+ "https://platformio.org/lib",
+ "https://play.google.com/store",
+ "https://plugins.gradle.org",
+ "https://projects.eclipse.org",
+ "https://pub.dev",
+ "https://pypi.python.org",
+ "https://registry.npmjs.org",
+ "https://registry.terraform.io",
+ "https://repo.hex.pm",
+ "https://repo.maven.apache.org/maven2",
+ "https://rubygems.org",
+ "https://search.nixos.org/packages",
+ "https://sourceforge.net",
+ "https://wordpress.org/plugins"
+ ]
+ },
+ "packageName": {
+ "type": "string",
+ "description": "Name or identifier of the affected software package as used in the package collection.",
+ "minLength": 1,
+ "maxLength": 2048
+ },
+ "cpes": {
+ "type": "array",
+ "description": "Affected products defined by CPE. This is an array of CPE values (vulnerable and not), we use an array so that we can make multiple statements about the same version and they are separate (if we used a JSON object we'd essentially be keying on the CPE name and they would have to overlap). Also, this allows things like cveDataVersion or cveDescription to be applied directly to the product entry. This also allows more complex statements such as \"Product X between versions 10.2 and 10.8\" to be put in a machine-readable format. As well since multiple statements can be used multiple branches of the same product can be defined here.",
+ "uniqueItems": true,
+ "items": {
+ "title": "CPE Name",
+ "type": "string",
+ "description":"Common Platform Enumeration (CPE) Name in either 2.2 or 2.3 format",
+ "pattern": "([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9._\\-~%]*){0,6})|(cpe:2\\.3:[aho*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){4})",
+ "minLength": 1,
+ "maxLength": 2048
+ }
+ },
+ "modules": {
+ "type": "array",
+ "description": "A list of the affected components, features, modules, sub-components, sub-products, APIs, commands, utilities, programs, or functionalities (optional).",
+ "uniqueItems": true,
+ "items": {
+ "type": "string",
+ "description": "Name of the affected component, feature, module, sub-component, sub-product, API, command, utility, program, or functionality (optional).",
+ "minLength": 1,
+ "maxLength": 4096
+ }
+ },
+ "programFiles": {
+ "type": "array",
+ "description": "A list of the affected source code files (optional).",
+ "uniqueItems": true,
+ "items": {
+ "description": "Name or path or location of the affected source code file.",
+ "type": "string",
+ "minLength": 1,
+ "maxLength": 1024
+ }
+ },
+ "programRoutines": {
+ "type": "array",
+ "description": "A list of the affected source code functions, methods, subroutines, or procedures (optional).",
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "description": "An object describing program routine.",
+ "required": [
+ "name"
+ ],
+ "properties": {
+ "name": {
+ "type": "string",
+ "description": "Name of the affected source code file, function, method, subroutine, or procedure.",
+ "minLength": 1,
+ "maxLength": 4096
+ }
+ },
+ "additionalProperties": false
+ }
+ },
+ "platforms": {
+ "title": "Platforms",
+ "description": "List of specific platforms if the vulnerability is only relevant in the context of these platforms (optional). Platforms may include execution environments, operating systems, virtualization technologies, hardware models, or computing architectures. The lack of this field or an empty array implies that the other fields are applicable to all relevant platforms.",
+ "type": "array",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "string",
+ "examples": ["iOS", "Android", "Windows", "macOS", "x86", "ARM", "64 bit", "Big Endian", "iPad", "Chromebook", "Docker", "Model T"],
+ "maxLength": 1024
+ }
+ },
+ "repo": {
+ "description": "The URL of the source code repository, for informational purposes and/or to resolve git hash version ranges.",
+ "$ref": "#/definitions/uriType"
+ },
+ "defaultStatus": {
+ "description": "The default status for versions that are not otherwise listed in the versions list. If not specified, defaultStatus defaults to 'unknown'. Versions or defaultStatus may be omitted, but not both.",
+ "$ref": "#/definitions/status"
+ },
+ "versions": {
+ "type": "array",
+ "description": "Set of product versions or version ranges related to the vulnerability. The versions satisfy the CNA Rules [8.1.2 requirement](https://cve.mitre.org/cve/cna/rules.html#section_8-1_cve_entry_information_requirements). Versions or defaultStatus may be omitted, but not both.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "description": "A single version or a range of versions, with vulnerability status.\n\nAn entry with only 'version' and 'status' indicates the status of a single version.\n\nOtherwise, an entry describes a range; it must include the 'versionType' property, to define the version numbering semantics in use, and 'limit', to indicate the non-inclusive upper limit of the range. The object describes the status for versions V such that 'version' <= V and V < 'limit', using the <= and < semantics defined for the specific kind of 'versionType'. Status changes within the range can be specified by an optional 'changes' list.\n\nThe algorithm to decide the status specified for a version V is:\n\n\tfor entry in product.versions {\n\t\tif entry.lessThan is not present and entry.lessThanOrEqual is not present and v == entry.version {\n\t\t\treturn entry.status\n\t\t}\n\t\tif (entry.lessThan is present and entry.version <= v and v < entry.lessThan) or\n\t\t (entry.lessThanOrEqual is present and entry.version <= v and v <= entry.lessThanOrEqual) { // <= and < defined by entry.versionType\n\t\t\tstatus = entry.status\n\t\t\tfor change in entry.changes {\n\t\t\t\tif change.at <= v {\n\t\t\t\t\tstatus = change.status\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn status\n\t\t}\n\t}\n\treturn product.defaultStatus\n\n.",
+ "oneOf": [
+ {
+ "required": ["version", "status"],
+ "maxProperties": 2
+ },
+ {
+ "required": ["version", "status", "versionType"],
+ "maxProperties": 3
+ },
+ {
+ "required": ["version", "status", "versionType", "lessThan"]
+ },
+ {
+ "required": ["version", "status", "versionType", "lessThanOrEqual"]
+ }
+ ],
+ "properties": {
+ "version": {
+ "description": "The single version being described, or the version at the start of the range. By convention, typically 0 denotes the earliest possible version.",
+ "$ref": "#/definitions/version"
+ },
+ "status": {
+ "description": "The vulnerability status for the version or range of versions. For a range, the status may be refined by the 'changes' list.",
+ "$ref": "#/definitions/status"
+ },
+ "versionType": {
+ "type": "string",
+ "description": "The version numbering system used for specifying the range. This defines the exact semantics of the comparison (less-than) operation on versions, which is required to understand the range itself. 'Custom' indicates that the version type is unspecified and should be avoided whenever possible. It is included primarily for use in conversion of older data files.",
+ "minLength": 1,
+ "maxLength": 128,
+ "examples": [
+ "custom",
+ "git",
+ "maven",
+ "python",
+ "rpm",
+ "semver"
+ ]
+ },
+ "lessThan": {
+ "description": "The non-inclusive upper limit of the range. This is the least version NOT in the range. The usual version syntax is expanded to allow a pattern to end in an asterisk `(*)`, indicating an arbitrarily large number in the version ordering. For example, `{version: 1.0 lessThan: 1.*}` would describe the entire 1.X branch for most range kinds, and `{version: 2.0, lessThan: *}` describes all versions starting at 2.0, including 3.0, 5.1, and so on. Only one of lessThan and lessThanOrEqual should be specified.",
+ "$ref": "#/definitions/version"
+ },
+ "lessThanOrEqual": {
+ "description": "The inclusive upper limit of the range. This is the greatest version contained in the range. Only one of lessThan and lessThanOrEqual should be specified. For example, `{version: 1.0, lessThanOrEqual: 1.3}` covers all versions from 1.0 up to and including 1.3.",
+ "$ref": "#/definitions/version"
+ },
+ "changes": {
+ "type": "array",
+ "description": "A list of status changes that take place during the range. The array should be sorted in increasing order by the 'at' field, according to the versionType, but clients must re-sort the list themselves rather than assume it is sorted.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "description": "The start of a single status change during the range.",
+ "required": ["at", "status"],
+ "additionalProperties": false,
+ "properties": {
+ "at": {
+ "description": "The version at which a status change occurs.",
+ "$ref": "#/definitions/version"
+ },
+ "status": {
+ "description": "The new status in the range starting at the given version.",
+ "$ref": "#/definitions/status"
+ }
+ }
+ }
+ }
+ },
+ "additionalProperties": false
+ }
+ }
+ }
+ },
+ "dataType": {
+ "description": "Indicates the type of information represented in the JSON instance.",
+ "type": "string",
+ "enum": [
+ "CVE_RECORD"
+ ]
+ },
+ "dataVersion": {
+ "description": "The version of the CVE schema used for validating this record. Used to support multiple versions of this format.",
+ "type": "string",
+ "pattern": "^5\\.(0|[1-9][0-9]*)(\\.(0|[1-9][0-9]*))?$",
+ "default": "5.1.0"
+ },
+ "cveMetadataPublished": {
+ "description": "This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, the current state (PUBLISHED, REJECTED, etc.) and so on. These fields are controlled by the CVE Services.",
+ "type": "object",
+ "required": [
+ "cveId",
+ "assignerOrgId",
+ "state"
+ ],
+ "properties": {
+ "cveId": {
+ "description": "The CVE identifier that this record pertains to.",
+ "$ref": "#/definitions/cveId"
+ },
+ "assignerOrgId": {
+ "$ref": "#/definitions/orgId",
+ "description": "The UUID for the organization to which the CVE ID was originally assigned. This UUID can be used to lookup the organization record in the user registry service."
+ },
+ "assignerShortName": {
+ "$ref": "#/definitions/shortName",
+ "description": "The short name for the organization to which the CVE ID was originally assigned."
+ },
+ "requesterUserId": {
+ "$ref": "#/definitions/userId",
+ "description": "The user that requested the CVE identifier."
+ },
+ "dateUpdated": {
+ "description": "The date/time the record was last updated.",
+ "$ref": "#/definitions/timestamp"
+ },
+ "serial": {
+ "type": "integer",
+ "minimum": 1,
+ "description": "The system of record causes this to start at 1, and increment by 1 each time a submission from a data provider changes this CVE Record. The incremented value moves to the Rejected schema upon a PUBLISHED->REJECTED transition, and moves to the Published schema upon a REJECTED->PUBLISHED transition."
+ },
+ "dateReserved": {
+ "$ref": "#/definitions/timestamp",
+ "description": "The date/time this CVE ID was reserved in the CVE automation workgroup services system. Disclaimer: This date reflects when the CVE ID was reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE."
+ },
+ "datePublished": {
+ "$ref": "#/definitions/timestamp",
+ "description": "The date/time the CVE Record was first published in the CVE List."
+ },
+ "state": {
+ "description": "State of CVE - PUBLISHED, REJECTED.",
+ "type": "string",
+ "enum": ["PUBLISHED"]
+ }
+ },
+ "additionalProperties": false
+ },
+ "cveMetadataRejected": {
+ "type": "object",
+ "description": "This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, the current state (PUBLISHED, REJECTED, etc.) and so on. These fields are controlled by the CVE Services.",
+ "required": [
+ "cveId",
+ "assignerOrgId",
+ "state"
+ ],
+ "properties": {
+ "cveId": {
+ "description": "The CVE identifier that this record pertains to.",
+ "$ref": "#/definitions/cveId"
+ },
+ "assignerOrgId": {
+ "$ref": "#/definitions/orgId",
+ "description": "The UUID for the organization to which the CVE ID was originally assigned."
+ },
+ "assignerShortName": {
+ "$ref": "#/definitions/shortName",
+ "description": "The short name for the organization to which the CVE ID was originally assigned."
+ },
+ "serial": {
+ "type": "integer",
+ "minimum": 1,
+ "description": "The system of record causes this to start at 1, and increment by 1 each time a submission from a data provider changes this CVE Record. The incremented value moves to the Rejected schema upon a PUBLISHED->REJECTED transition, and moves to the Published schema upon a REJECTED->PUBLISHED transition."
+ },
+ "dateUpdated": {
+ "description": "The date/time the record was last updated.",
+ "$ref": "#/definitions/timestamp"
+ },
+ "datePublished": {
+ "$ref": "#/definitions/timestamp",
+ "description": "The date/time the CVE Record was first published in the CVE List."
+ },
+ "dateRejected": {
+ "$ref": "#/definitions/timestamp",
+ "description": "The date/time the CVE ID was rejected."
+ },
+ "state": {
+ "type": "string",
+
+ "description": "State of CVE - PUBLISHED, REJECTED.",
+ "enum": ["REJECTED"]
+ },
+ "dateReserved": {
+ "$ref": "#/definitions/timestamp",
+ "description": "The date/time this CVE ID was reserved in the CVE automation workgroup services system. Disclaimer: This date reflects when the CVE ID was reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE."
+ }
+ },
+ "additionalProperties": false
+ },
+ "providerMetadata": {
+ "type": "object",
+ "description": "Details related to the information container provider (CNA or ADP).",
+ "properties": {
+ "orgId": {
+ "$ref": "#/definitions/orgId",
+ "description": "The container provider's organizational UUID."
+ },
+ "shortName": {
+ "$ref": "#/definitions/shortName",
+ "description": "The container provider's organizational short name."
+ },
+ "dateUpdated": {
+ "$ref": "#/definitions/timestamp",
+ "description": "Timestamp to be set by the system of record at time of submission. If dateUpdated is provided to the system of record it will be replaced by the current timestamp at the time of submission."
+ }
+ },
+ "required": ["orgId"],
+ "additionalProperties": false
+ },
+ "cnaPublishedContainer": {
+ "description": "An object containing the vulnerability information provided by a CVE Numbering Authority (CNA) for a published CVE ID. There can only be one CNA container per CVE record since there can only be one assigning CNA. The CNA container must include the required information defined in the CVE Rules, which includes a product, version, problem type, prose description, and a reference.",
+ "type": "object",
+ "properties": {
+ "providerMetadata": {
+ "$ref": "#/definitions/providerMetadata"
+ },
+ "dateAssigned": {
+ "$ref": "#/definitions/timestamp",
+ "description": "The date/time this CVE ID was associated with a vulnerability by a CNA."
+ },
+ "datePublic": {
+ "$ref": "#/definitions/timestamp",
+ "description": "If known, the date/time the vulnerability was disclosed publicly."
+ },
+ "title": {
+ "type": "string",
+ "description": "A title, headline, or a brief phrase summarizing the CVE record. Eg., Buffer overflow in Example Soft.",
+ "minLength": 1,
+ "maxLength": 256
+ },
+ "descriptions": {
+ "$ref": "#/definitions/descriptions"
+ },
+ "affected": {
+ "$ref": "#/definitions/affected"
+ },
+ "problemTypes": {
+ "$ref": "#/definitions/problemTypes"
+ },
+ "references": {
+ "$ref": "#/definitions/references"
+ },
+ "impacts": {
+ "$ref": "#/definitions/impacts"
+ },
+ "metrics": {
+ "$ref": "#/definitions/metrics"
+ },
+ "configurations": {
+ "$ref": "#/definitions/configurations"
+ },
+ "workarounds": {
+ "$ref": "#/definitions/workarounds"
+ },
+ "solutions": {
+ "$ref": "#/definitions/solutions"
+ },
+ "exploits": {
+ "$ref": "#/definitions/exploits"
+ },
+ "timeline": {
+ "$ref": "#/definitions/timeline"
+ },
+ "credits": {
+ "$ref": "#/definitions/credits"
+ },
+ "source": {
+ "$ref": "#/definitions/source"
+ },
+ "tags": {
+ "$ref": "#/definitions/cnaTags"
+ },
+ "taxonomyMappings": {
+ "$ref": "#/definitions/taxonomyMappings"
+ }
+ },
+ "required": [
+ "providerMetadata",
+ "descriptions",
+ "affected",
+ "references"
+ ],
+ "patternProperties": {
+ "^x_[^.]*$": {}
+ },
+ "$comment": "The character . is restricted in names allowed by patternProperties to work-around naming limitations in some common implementations.",
+ "additionalProperties": false
+ },
+ "cnaRejectedContainer": {
+ "description": "An object containing the vulnerability information provided by a CVE Numbering Authority (CNA) for a rejected CVE ID. There can only be one CNA container per CVE record since there can only be one assigning CNA.",
+ "type": "object",
+ "properties": {
+ "providerMetadata": {
+ "$ref": "#/definitions/providerMetadata"
+ },
+ "rejectedReasons": {
+ "description": "Reasons for rejecting this CVE Record.",
+ "$ref": "#/definitions/descriptions"
+ },
+ "replacedBy": {
+ "type": "array",
+ "description": "Contains an array of CVE IDs that this CVE ID was rejected in favor of because this CVE ID was assigned to the vulnerabilities.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/definitions/cveId"
+ }
+ }
+ },
+ "required": [
+ "providerMetadata",
+ "rejectedReasons"
+ ],
+ "patternProperties": {
+ "^x_[^.]*$": {}
+ },
+ "$comment": "The character . is restricted in names allowed by patternProperties to work-around naming limitations in some common implementations.",
+ "additionalProperties": false
+ },
+ "adpContainer": {
+ "description": "An object containing the vulnerability information provided by an Authorized Data Publisher (ADP). Since multiple ADPs can provide information for a CVE ID, an ADP container must indicate which ADP is the source of the information in the object.",
+ "type": "object",
+ "properties": {
+ "providerMetadata": {
+ "$ref": "#/definitions/providerMetadata"
+ },
+ "datePublic": {
+ "$ref": "#/definitions/timestamp",
+ "description": "If known, the date/time the vulnerability was disclosed publicly."
+ },
+ "title": {
+ "type": "string",
+ "description": "A title, headline, or a brief phrase summarizing the information in an ADP container.",
+ "minLength": 1,
+ "maxLength": 256
+ },
+ "descriptions": {
+ "$ref": "#/definitions/descriptions"
+ },
+ "affected": {
+ "$ref": "#/definitions/affected"
+ },
+ "problemTypes": {
+ "$ref": "#/definitions/problemTypes"
+ },
+ "references": {
+ "$ref": "#/definitions/references"
+ },
+ "impacts": {
+ "$ref": "#/definitions/impacts"
+ },
+ "metrics": {
+ "$ref": "#/definitions/metrics"
+ },
+ "configurations": {
+ "$ref": "#/definitions/configurations"
+ },
+ "workarounds": {
+ "$ref": "#/definitions/workarounds"
+ },
+ "solutions": {
+ "$ref": "#/definitions/solutions"
+ },
+ "exploits": {
+ "$ref": "#/definitions/exploits"
+ },
+ "timeline": {
+ "$ref": "#/definitions/timeline"
+ },
+ "credits": {
+ "$ref": "#/definitions/credits"
+ },
+ "source": {
+ "$ref": "#/definitions/source"
+ },
+ "tags": {
+ "$ref": "#/definitions/adpTags"
+ },
+ "taxonomyMappings": {
+ "$ref": "#/definitions/taxonomyMappings"
+ }
+ },
+ "required": [
+ "providerMetadata"
+ ],
+ "minProperties": 2,
+ "patternProperties": {
+ "^x_[^.]*$": {}
+ },
+ "$comment": "The character . is restricted in names allowed by patternProperties to work-around naming limitations in some common implementations.",
+ "additionalProperties": false
+ },
+ "affected": {
+ "type": "array",
+ "description": "List of affected products.",
+ "minItems": 1,
+ "items": {"$ref": "#/definitions/product"}
+ },
+ "description": {
+ "type": "object",
+ "description": "Text in a particular language with optional alternate markup or formatted representation (e.g., Markdown) or embedded media.",
+ "properties": {
+ "lang": {"$ref": "#/definitions/language"},
+ "value": {
+ "type": "string",
+ "description": "Plain text description.",
+ "minLength": 1,
+ "maxLength": 4096
+ },
+ "supportingMedia": {
+ "type": "array",
+ "title": "Supporting media",
+ "description": "Supporting media data for the description such as markdown, diagrams, .. (optional). Similar to RFC 2397 each media object has three main parts: media type, media data value, and an optional boolean flag to indicate if the media data is base64 encoded.",
+ "uniqueItems": true,
+ "minItems": 1,
+ "items": {
+ "type": "object",
+ "properties": {
+ "type": {
+ "type": "string",
+ "title": "Media type",
+ "minLength": 1,
+ "maxLength": 256,
+ "description": "RFC2046 compliant IANA Media type for eg., text/markdown, text/html.",
+ "examples": [
+ "text/markdown",
+ "text/html",
+ "image/png",
+ "image/svg",
+ "audio/mp3"
+ ]
+ },
+ "base64": {
+ "type": "boolean",
+ "title": "Encoding",
+ "description": "If true then the value field contains the media data encoded in base64. If false then the value field contains the UTF-8 media content.",
+ "default": false
+ },
+ "value": {
+ "type": "string",
+ "description": "Supporting media content, up to 16K. If base64 is true, this field stores base64 encoded data.",
+ "minLength": 1,
+ "maxLength": 16384
+ }
+ },
+ "required": [
+ "type",
+ "value"
+ ],
+ "additionalProperties": false
+ }
+ }
+ },
+ "required": [
+ "lang",
+ "value"
+ ],
+ "additionalProperties": false
+ },
+ "englishLanguageDescription": {
+ "type": "object",
+ "description": "A description with lang set to an English language (en, en_US, en_UK, and so on).",
+ "properties": {"lang": {"$ref": "#/definitions/englishLanguage"}},
+ "required": ["lang"],
+ "$comment": "Cannot use additionalProperties: false here, as this prevents the other properties used by /definitions/description."
+ },
+ "descriptions": {
+ "type": "array",
+ "description": "A list of multi-lingual descriptions of the vulnerability. E.g., [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]. OR [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] [ROOT CAUSE], which allows [ATTACKER] to [IMPACT] via [VECTOR].",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/definitions/description"
+ },
+ "contains": {
+ "$ref": "#/definitions/englishLanguageDescription"
+ }
+ },
+ "problemTypes": {
+ "type": "array",
+ "description": "This is problem type information (e.g. CWE identifier). Must contain: At least one entry, can be text, OWASP, CWE, please note that while only one is required you can use more than one (or indeed all three) as long as they are correct). (CNA requirement: [PROBLEMTYPE]).",
+ "items": {
+ "type": "object",
+ "required": ["descriptions"],
+ "properties": {
+ "descriptions": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "required": [
+ "lang",
+ "description"
+ ],
+ "properties": {
+ "lang": {"$ref": "#/definitions/language"},
+ "description": {
+ "type": "string",
+ "description": "Text description of problemType, or title from CWE or OWASP.",
+ "minLength": 1,
+ "maxLength": 4096
+ },
+ "cweId": {
+ "type": "string",
+ "description": "CWE ID of the CWE that best describes this problemType entry.",
+ "minLength": 5,
+ "maxLength": 9,
+ "pattern": "^CWE-[1-9][0-9]*$"
+ },
+ "type": {
+ "type": "string",
+ "description": "Problemtype source, text, OWASP, CWE, etc.,",
+ "minLength": 1,
+ "maxLength": 128
+ },
+ "references": {"$ref": "#/definitions/references"}
+ },
+ "additionalProperties": false
+ },
+ "minItems": 1,
+ "uniqueItems": true
+ }
+ },
+ "additionalProperties": false
+ },
+ "minItems": 1,
+ "uniqueItems": true
+ },
+ "references": {
+ "type": "array",
+ "description": "This is reference data in the form of URLs or file objects (uuencoded and embedded within the JSON file, exact format to be decided, e.g. we may require a compressed format so the objects require unpacking before they are \"dangerous\").",
+ "items": {"$ref": "#/definitions/reference"},
+ "minItems": 1,
+ "maxItems": 512,
+ "uniqueItems": true
+ },
+ "impacts": {
+ "type": "array",
+ "description": "Collection of impacts of this vulnerability.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "description": "This is impact type information (e.g. a text description.",
+ "required": ["descriptions"],
+ "properties": {
+ "capecId": {
+ "type": "string",
+ "description": "CAPEC ID that best relates to this impact.",
+ "minLength": 7,
+ "maxLength": 11,
+ "pattern": "^CAPEC-[1-9][0-9]{0,4}$"
+ },
+ "descriptions": {
+ "description": "Prose description of the impact scenario. At a minimum provide the description given by CAPEC.",
+ "$ref": "#/definitions/descriptions"
+ }
+ },
+ "additionalProperties": false
+ }
+ },
+ "metrics": {
+ "type": "array",
+ "description": "Collection of impact scores with attribution.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "description": "This is impact type information (e.g. a text description, CVSSv2, CVSSv3, CVSSV4, etc.). Must contain: At least one entry, can be text, CVSSv2, CVSSv3, others may be added.",
+ "anyOf": [
+ {
+ "required": ["cvssV4_0"]
+ },
+ {
+ "required": ["cvssV3_1"]
+ },
+ {
+ "required": ["cvssV3_0"]
+ },
+ {
+ "required": ["cvssV2_0"]
+ },
+ {
+ "required": ["other"]
+ }
+ ],
+ "properties": {
+ "format": {
+ "type": "string",
+ "description": "Name of the scoring format. This provides a bit of future proofing. Additional properties are not prohibited, so this will support the inclusion of proprietary formats. It also provides an easy future conversion mechanism when future score formats become part of the schema. example: cvssV44, format = 'cvssV44', other = cvssV4_4 JSON object. In the future, the other properties can be converted to score properties when they become part of the schema.",
+ "minLength": 1,
+ "maxLength": 64
+ },
+ "scenarios": {
+ "type": "array",
+ "description": "Description of the scenarios this metrics object applies to. If no specific scenario is given, GENERAL is used as the default and applies when no more specific metric matches.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "properties": {
+ "lang": {"$ref": "#/definitions/language"},
+ "value": {
+ "type": "string",
+ "default": "GENERAL",
+ "description": "Description of the scenario this metrics object applies to. If no specific scenario is given, GENERAL is used as the default and applies when no more specific metric matches.",
+ "minLength": 1,
+ "maxLength": 4096
+ }
+ },
+ "required": [
+ "lang",
+ "value"
+ ],
+ "additionalProperties": false
+ }
+ },
+ "cvssV4_0": {"$ref": "file:imports/cvss/cvss-v4.0.json"},
+ "cvssV3_1": {"$ref": "file:imports/cvss/cvss-v3.1.json"},
+ "cvssV3_0": {"$ref": "file:imports/cvss/cvss-v3.0.json"},
+ "cvssV2_0": {"$ref": "file:imports/cvss/cvss-v2.0.json"},
+ "other": {
+ "type": "object",
+ "description": "A non-standard impact description, may be prose or JSON block.",
+ "required": [
+ "type",
+ "content"
+ ],
+ "properties": {
+ "type": {
+ "description": "Name of the non-standard impact metrics format used.",
+ "type": "string",
+ "minLength": 1,
+ "maxLength": 128
+ },
+ "content": {
+ "type": "object",
+ "$comment": "additionalProperties are allowed here, since this construct supports arbitrary JSON.",
+ "description": "JSON object not covered by another metrics format.",
+ "minProperties": 1
+ }
+ },
+ "additionalProperties": false
+ }
+ },
+ "additionalProperties": false
+ }
+ },
+ "configurations": {
+ "type": "array",
+ "description": "Configurations required for exploiting this vulnerability.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/definitions/description"
+ }
+ },
+ "workarounds": {
+ "type": "array",
+ "description": "Workarounds and mitigations for this vulnerability.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/definitions/description"
+ }
+ },
+ "solutions": {
+ "type": "array",
+ "description": "Information about solutions or remediations available for this vulnerability.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/definitions/description"
+ }
+ },
+ "exploits": {
+ "type": "array",
+ "description": "Information about exploits of the vulnerability.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/definitions/description"
+ }
+ },
+ "timeline": {
+ "type": "array",
+ "description": "This is timeline information for significant events about this vulnerability or changes to the CVE Record.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "required": [
+ "time",
+ "lang",
+ "value"
+ ],
+ "properties": {
+ "time": {
+ "description": "Timestamp representing when the event in the timeline occurred. The timestamp format is based on RFC3339 and ISO ISO8601, with an optional timezone. yyyy-MM-ddTHH:mm:ss[+-]ZH:ZM - if the timezone offset is not given, GMT (+00:00) is assumed.",
+ "$ref": "#/definitions/timestamp"
+ },
+ "lang": {
+ "description": "The language used in the description of the event. The language field is included so that CVE Records can support translations. The value must be a BCP 47 language code.",
+ "$ref": "#/definitions/language"
+ },
+ "value": {
+ "description": "A summary of the event.",
+ "type": "string",
+ "minLength": 1,
+ "maxLength": 4096
+ }
+ },
+ "additionalProperties": false
+ }
+ },
+ "credits": {
+ "type": "array",
+ "description": "Statements acknowledging specific people, organizations, or tools recognizing the work done in researching, discovering, remediating or helping with activities related to this CVE.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "properties": {
+ "lang": {
+ "description": "The language used when describing the credits. The language field is included so that CVE Records can support translations. The value must be a BCP 47 language code.",
+ "$ref": "#/definitions/language"
+ },
+ "value": {
+ "type": "string",
+ "minLength": 1,
+ "maxLength": 4096
+ },
+ "user": {
+ "description": "UUID of the user being credited if present in the CVE User Registry (optional). This UUID can be used to lookup the user record in the user registry service.",
+ "$ref": "#/definitions/uuidType"
+ },
+ "type": {
+ "type": "string",
+ "description": "Type or role of the entity being credited (optional). finder: identifies the vulnerability.\nreporter: notifies the vendor of the vulnerability to a CNA.\nanalyst: validates the vulnerability to ensure accuracy or severity.\ncoordinator: facilitates the coordinated response process.\nremediation developer: prepares a code change or other remediation plans.\nremediation reviewer: reviews vulnerability remediation plans or code changes for effectiveness and completeness.\nremediation verifier: tests and verifies the vulnerability or its remediation.\ntool: names of tools used in vulnerability discovery or identification.\nsponsor: supports the vulnerability identification or remediation activities.",
+ "default": "finder",
+ "enum": [
+ "finder",
+ "reporter",
+ "analyst",
+ "coordinator",
+ "remediation developer",
+ "remediation reviewer",
+ "remediation verifier",
+ "tool",
+ "sponsor",
+ "other"
+ ]
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ "lang",
+ "value"
+ ]
+ }
+ },
+ "source": {
+ "type": "object",
+ "description": "This is the source information (who discovered it, who researched it, etc.) and optionally a chain of CNA information (e.g. the originating CNA and subsequent parent CNAs who have processed it before it arrives at the MITRE root).\n Must contain: IF this is in the root level it MUST contain a CNA_chain entry, IF this source entry is NOT in the root (e.g. it is part of a vendor statement) then it must contain at least one type of data entry.",
+ "minProperties": 1
+ },
+ "language": {
+ "type": "string",
+ "description": "BCP 47 language code, language-region.",
+ "default": "en",
+ "pattern": "^[A-Za-z]{2,4}([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$"
+ },
+ "englishLanguage": {
+ "type": "string",
+ "description": "BCP 47 language code, language-region, required to be English.",
+ "pattern": "^en([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$"
+ },
+ "taxonomyMappings": {
+ "type": "array",
+ "description": "List of taxonomy items related to the vulnerability.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "description": "A taxonomy mapping object identifies the taxonomy by a name and version (eg., ATT&CK v13.1, CVSS 3.1, CWE 4.12) along with a list of relations relevant to this CVE.",
+ "required": [
+ "taxonomyName",
+ "taxonomyRelations"
+ ],
+ "properties": {
+ "taxonomyName": {
+ "type": "string",
+ "description": "The name of the taxonomy, eg., ATT&CK, D3FEND, CWE, CVSS",
+ "minLength": 1,
+ "maxLength": 128
+ },
+ "taxonomyVersion": {
+ "type": "string",
+ "description": "The version of taxonomy the identifiers come from.",
+ "minLength": 1,
+ "maxLength": 128
+ },
+ "taxonomyRelations": {
+ "type": "array",
+ "description": "List of relationships to the taxonomy for the vulnerability.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "description": "A relationship between the taxonomy and the CVE or two taxonomy items.",
+ "required": [
+ "taxonomyId",
+ "relationshipName",
+ "relationshipValue"
+ ],
+ "properties": {
+ "taxonomyId": {
+ "type": "string",
+ "description": "Identifier of the item in the taxonomy. Used as the subject of the relationship.",
+ "minLength": 1,
+ "maxLength": 2048
+ },
+ "relationshipName": {
+ "type": "string",
+ "description": "A description of the relationship.",
+ "minLength": 1,
+ "maxLength": 128
+ },
+ "relationshipValue": {
+ "type": "string",
+ "description": "The target of the relationship. Can be the CVE ID or another taxonomy identifier.",
+ "minLength": 1,
+ "maxLength": 2048
+ }
+ },
+ "additionalProperties": false
+ }
+ }
+ },
+ "additionalProperties": false
+ }
+ },
+ "tagExtension": {
+ "type": "string",
+ "minLength": 2,
+ "maxLength": 128,
+ "pattern": "^x_.*$",
+ "$comment": "These values are not used as JSON property names, so there is not a need to work-around property naming limitations in some common implementations."
+ },
+ "cnaTags": {
+ "type": "array",
+ "description": "Tags provided by a CNA describing the CVE Record.",
+ "uniqueItems": true,
+ "minItems": 1,
+ "items": {
+ "oneOf": [
+ {
+ "$ref": "#/definitions/tagExtension"
+ },
+ {
+ "$ref": "file:tags/cna-tags.json"
+ }
+ ]
+ }
+ },
+ "adpTags": {
+ "type": "array",
+ "description": "Tags provided by an ADP describing the CVE Record.",
+ "uniqueItems": true,
+ "minItems": 1,
+ "items": {
+ "oneOf": [
+ {
+ "$ref": "#/definitions/tagExtension"
+ },
+ {
+ "$ref": "file:tags/adp-tags.json"
+ }
+ ]
+ }
+ }
+ },
+ "oneOf": [
+ {
+ "title": "Published",
+ "description": "When a CNA populates the data associated with a CVE ID as a CVE Record, the state of the CVE Record is Published.",
+ "type": "object",
+ "properties": {
+ "dataType": {
+ "$ref": "#/definitions/dataType"
+ },
+ "dataVersion": {
+ "$ref": "#/definitions/dataVersion"
+ },
+ "cveMetadata": {
+ "$ref": "#/definitions/cveMetadataPublished"
+ },
+ "containers": {
+ "description": "A set of structures (called containers) used to store vulnerability information related to a specific CVE ID provided by a specific organization participating in the CVE program. Each container includes information provided by a different source.\n\nAt a minimum, a 'cna' container containing the vulnerability information provided by the CNA who initially assigned the CVE ID must be included.\n\nThere can only be one 'cna' container, as there can only be one assigning CNA. However, there can be multiple 'adp' containers, allowing multiple organizations participating in the CVE program to add additional information related to the vulnerability. For the most part, the 'cna' and 'adp' containers contain the same properties. The main differences are the source of the information. The 'cna' container requires the CNA to include certain fields, while the 'adp' container does not.",
+ "type": "object",
+ "properties": {
+ "cna": {"$ref": "#/definitions/cnaPublishedContainer"},
+ "adp": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/adpContainer"},
+ "minItems": 1,
+ "uniqueItems": true
+ }
+ },
+ "required": ["cna"],
+ "additionalProperties": false
+ }
+ },
+ "required": [
+ "dataType",
+ "dataVersion",
+ "cveMetadata",
+ "containers"
+ ],
+ "additionalProperties": false
+ },
+ {
+ "title": "Rejected",
+ "description": "If the CVE ID and associated CVE Record should no longer be used, the CVE Record is placed in the Rejected state. A Rejected CVE Record remains on the CVE List so that users can know when it is invalid.",
+ "type": "object",
+ "properties": {
+ "dataType": {
+ "$ref": "#/definitions/dataType"
+ },
+ "dataVersion": {
+ "$ref": "#/definitions/dataVersion"
+ },
+ "cveMetadata": {
+ "$ref": "#/definitions/cveMetadataRejected"
+ },
+ "containers": {
+ "description": "A set of structures (called containers) used to store vulnerability information related to a specific CVE ID provided by a specific organization participating in the CVE program. Each container includes information provided by a different source.\n\nAt minimum, a 'cna' container containing the vulnerability information provided by the CNA who initially assigned the CVE ID must be included.\n\nThere can only be one 'cna' container, as there can only be one assigning CNA.",
+ "type": "object",
+ "properties": {
+ "cna": {"$ref": "#/definitions/cnaRejectedContainer"}
+ },
+ "required": ["cna"],
+ "additionalProperties": false
+ }
+ },
+ "required": [
+ "dataType",
+ "dataVersion",
+ "cveMetadata",
+ "containers"
+ ],
+ "additionalProperties": false
+ }
+ ]
+}
diff --git a/schema/v1.0/JSON-file-format-v1.md b/schema/archive/v1.0/JSON-file-format-v1.md
similarity index 100%
rename from schema/v1.0/JSON-file-format-v1.md
rename to schema/archive/v1.0/JSON-file-format-v1.md
diff --git a/schema/v2.0/JSON-file-format-v2.md b/schema/archive/v2.0/JSON-file-format-v2.md
similarity index 100%
rename from schema/v2.0/JSON-file-format-v2.md
rename to schema/archive/v2.0/JSON-file-format-v2.md
diff --git a/schema/v3.1/CVE_JSON_example_full-3.1.json b/schema/archive/v3.1/CVE_JSON_example_full-3.1.json
similarity index 95%
rename from schema/v3.1/CVE_JSON_example_full-3.1.json
rename to schema/archive/v3.1/CVE_JSON_example_full-3.1.json
index 790f2036cae..d6f9937a59f 100644
--- a/schema/v3.1/CVE_JSON_example_full-3.1.json
+++ b/schema/archive/v3.1/CVE_JSON_example_full-3.1.json
@@ -1,218 +1,218 @@
-{
- "data_version": "3.1",
- "cve_id":"CVE-YYYY-XXXXXX",
- "updated":"DATE-TIMESTAMP",
- "serial":"INT",
- "date_requested":"DATE-TIMESTAMP",
- "date_assigned":"DATE-TIMESTAMP",
- "date_public":"DATE-TIMESTAMP",
- "requester":"Requester id String",
- "assigner": "Assigner id String",
- "state":"string of state of CVE",
- "replaced_by":"string replace by data",
- "title":[
- {
- "lang":"string ISO 639-2",
- "value":"string short title of issue"
- }
- ],
- "products": [
- {
- "vendor_name": "string",
- "product": [
- {
- "product_name": "string",
- "version": "string",
- "affects": "string =/>/<=/>=/!",
- "cpe":[
- {
- "cpe_value":"string"
- }
- ],
- "swid":[
- {
- "swid_value":"string"
- }
- ]
- }
- ]
- }
- ],
- "problem_types":[
- {
- "description":[
- {
- "lang":"string ISO 639-2",
- "value":"string description of problem_type"
- }
- ],
- "cwes":[
- "strings of cwes","strings separated by commas"
- ],
- "owasp":[
- "string of OWASP information","strings separated by commas"
- ]
- }
- ],
- "references":[
- {
- "url":"string for url location",
- "name":"string Name of reference i.e. if advisory has name",
- "publish_date":"DATE-TIMESTAMP of reference release to public"
- }
- ],
- "description":[
- {
- "lang":"string ISO 639-2",
- "value":"string description of vulnerability"
- }
- ],
- "attack":[
- {
- "attackers":[
- {
- "extent":"string explaining extent of vulnerability",
- "authentication":"string stating whether authentication is needed for vulnerability",
- "user_assistance":"string stating whether user assistance is needed for vulnerability"
- }
- ],
- "impacts":[
- "string of impacts","strings separated by commas"
- ],
- "attack_methods":[
- {
- "vectors":[
- "string list of vectors", "strings separated by commas"
- ],
- "components":[
- "string list of components", "strings separated by commas"
- ],
- "capecs":"string of repective capec"
- }
- ]
- }
- ],
- "files":[
- {
- "url":"url string",
- "import_time":"DATE-TIMESTAMP",
- "local_name":"string name of file"
- }
- ],
- "exploitation":{
- "lang":"string ISO 639-2",
- "value":"string description of issue"
- },
- "work_around":[
- {
- "lang":"string ISO 639-2",
- "value":"string description of issue"
- }
- ],
- "time_line":[
- {
- "time_stamp":"DATE-TIMESTAMP",
- "reference":{
- "reference_name":"string",
- "reference_value":"string"
- },
- "text":[
- {
- "lang":"string ISO 639-2",
- "value":"string decription of issue"
- }
- ]
- }
- ],
- "source":{
- "discovered_by":"name of discover",
- "discovered_with":"name of parties involved",
- "verification":"string",
- "cna_chain":[
- "string initial CNA",
- "string Parent CNA",
- "string root CNA"
- ]
- },
- "conditions":[
- "strings of conditions",
- "separated by commas"
- ],
- "notes":{
- "lang":"string ISO 639-2"
- },
- "credits":[
- {
- "id":"string to identify person recieving credit",
- "role":[
- {
- "discoverer":"string",
- "research_assist":"string",
- "exploit_code":"string"
- }
- ]
- }
- ],
- "impact_metrics":{
- "cvss2":{
- "vector":"string value for CVSS score ie. CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
- "bm":{
- "av":"string value",
- "ac":"string value",
- "au":"string value",
- "c":"string value",
- "i":"string value",
- "a":"string value",
- "score":"string value"
- },
- "tm":{
- "e":"string value",
- "rl":"string value",
- "rc":"string value",
- "score":"string value"
- },
- "em":{
- "cdp":"string value",
- "td":"string value",
- "cr":"string value",
- "ir":"string value",
- "ar":"string value",
- "score":"string value"
- }
- },
- "cvss3":{
- "vector":"string value for CVSS score ie. CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
- "bm":{
- "av":"string value",
- "ac":"string value",
- "pr":"string value",
- "ui":"string value",
- "scope":"string value",
- "c":"string value",
- "i":"string value",
- "a":"string value",
- "score":"string value"
- },
- "tm":{
- "e":"string value",
- "rl":"string value",
- "rc":"string value",
- "score":"string value"
- },
- "em":{
- "mav":"string value",
- "mac":"string value",
- "mpr":"string value",
- "mui":"string value",
- "ms":"string value",
- "mc":"string value",
- "mi":"string value",
- "ma":"string value",
- "cr":"string value",
- "ir":"string value",
- "ar":"string value",
- "score":"string value"
- }
- }
- }
+{
+ "data_version": "3.1",
+ "cve_id":"CVE-YYYY-XXXXXX",
+ "updated":"DATE-TIMESTAMP",
+ "serial":"INT",
+ "date_requested":"DATE-TIMESTAMP",
+ "date_assigned":"DATE-TIMESTAMP",
+ "date_public":"DATE-TIMESTAMP",
+ "requester":"Requester id String",
+ "assigner": "Assigner id String",
+ "state":"string of state of CVE",
+ "replaced_by":"string replace by data",
+ "title":[
+ {
+ "lang":"string ISO 639-2",
+ "value":"string short title of issue"
+ }
+ ],
+ "products": [
+ {
+ "vendor_name": "string",
+ "product": [
+ {
+ "product_name": "string",
+ "version": "string",
+ "affects": "string =/>/<=/>=/!",
+ "cpe":[
+ {
+ "cpe_value":"string"
+ }
+ ],
+ "swid":[
+ {
+ "swid_value":"string"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "problem_types":[
+ {
+ "description":[
+ {
+ "lang":"string ISO 639-2",
+ "value":"string description of problem_type"
+ }
+ ],
+ "cwes":[
+ "strings of cwes","strings separated by commas"
+ ],
+ "owasp":[
+ "string of OWASP information","strings separated by commas"
+ ]
+ }
+ ],
+ "references":[
+ {
+ "url":"string for url location",
+ "name":"string Name of reference i.e. if advisory has name",
+ "publish_date":"DATE-TIMESTAMP of reference release to public"
+ }
+ ],
+ "description":[
+ {
+ "lang":"string ISO 639-2",
+ "value":"string description of vulnerability"
+ }
+ ],
+ "attack":[
+ {
+ "attackers":[
+ {
+ "extent":"string explaining extent of vulnerability",
+ "authentication":"string stating whether authentication is needed for vulnerability",
+ "user_assistance":"string stating whether user assistance is needed for vulnerability"
+ }
+ ],
+ "impacts":[
+ "string of impacts","strings separated by commas"
+ ],
+ "attack_methods":[
+ {
+ "vectors":[
+ "string list of vectors", "strings separated by commas"
+ ],
+ "components":[
+ "string list of components", "strings separated by commas"
+ ],
+ "capecs":"string of repective capec"
+ }
+ ]
+ }
+ ],
+ "files":[
+ {
+ "url":"url string",
+ "import_time":"DATE-TIMESTAMP",
+ "local_name":"string name of file"
+ }
+ ],
+ "exploitation":{
+ "lang":"string ISO 639-2",
+ "value":"string description of issue"
+ },
+ "work_around":[
+ {
+ "lang":"string ISO 639-2",
+ "value":"string description of issue"
+ }
+ ],
+ "time_line":[
+ {
+ "time_stamp":"DATE-TIMESTAMP",
+ "reference":{
+ "reference_name":"string",
+ "reference_value":"string"
+ },
+ "text":[
+ {
+ "lang":"string ISO 639-2",
+ "value":"string decription of issue"
+ }
+ ]
+ }
+ ],
+ "source":{
+ "discovered_by":"name of discover",
+ "discovered_with":"name of parties involved",
+ "verification":"string",
+ "cna_chain":[
+ "string initial CNA",
+ "string Parent CNA",
+ "string root CNA"
+ ]
+ },
+ "conditions":[
+ "strings of conditions",
+ "separated by commas"
+ ],
+ "notes":{
+ "lang":"string ISO 639-2"
+ },
+ "credits":[
+ {
+ "id":"string to identify person recieving credit",
+ "role":[
+ {
+ "discoverer":"string",
+ "research_assist":"string",
+ "exploit_code":"string"
+ }
+ ]
+ }
+ ],
+ "impact_metrics":{
+ "cvss2":{
+ "vector":"string value for CVSS score ie. CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
+ "bm":{
+ "av":"string value",
+ "ac":"string value",
+ "au":"string value",
+ "c":"string value",
+ "i":"string value",
+ "a":"string value",
+ "score":"string value"
+ },
+ "tm":{
+ "e":"string value",
+ "rl":"string value",
+ "rc":"string value",
+ "score":"string value"
+ },
+ "em":{
+ "cdp":"string value",
+ "td":"string value",
+ "cr":"string value",
+ "ir":"string value",
+ "ar":"string value",
+ "score":"string value"
+ }
+ },
+ "cvss3":{
+ "vector":"string value for CVSS score ie. CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
+ "bm":{
+ "av":"string value",
+ "ac":"string value",
+ "pr":"string value",
+ "ui":"string value",
+ "scope":"string value",
+ "c":"string value",
+ "i":"string value",
+ "a":"string value",
+ "score":"string value"
+ },
+ "tm":{
+ "e":"string value",
+ "rl":"string value",
+ "rc":"string value",
+ "score":"string value"
+ },
+ "em":{
+ "mav":"string value",
+ "mac":"string value",
+ "mpr":"string value",
+ "mui":"string value",
+ "ms":"string value",
+ "mc":"string value",
+ "mi":"string value",
+ "ma":"string value",
+ "cr":"string value",
+ "ir":"string value",
+ "ar":"string value",
+ "score":"string value"
+ }
+ }
+ }
}
\ No newline at end of file
diff --git a/schema/v3.1/CVE_JSON_example_min-3.1.json b/schema/archive/v3.1/CVE_JSON_example_min-3.1.json
similarity index 94%
rename from schema/v3.1/CVE_JSON_example_min-3.1.json
rename to schema/archive/v3.1/CVE_JSON_example_min-3.1.json
index 63cd6906fcd..e7e6fcf6364 100644
--- a/schema/v3.1/CVE_JSON_example_min-3.1.json
+++ b/schema/archive/v3.1/CVE_JSON_example_min-3.1.json
@@ -1,37 +1,37 @@
-{
- "data_version": "3.1",
- "cve_id":"CVE-YYYY-XXXXXX",
- "products": [
- {
- "vendor_name": "string",
- "product": [
- {
- "product_name": "string",
- "version": "string",
- "affects": "string =/>/<=/>=/!"
- }
- ]
- }
- ],
- "problem_types":[
- {
- "description":[
- {
- "lang":"string ISO 639-2",
- "value":"string description of problem_type"
- }
- ]
- }
- ],
- "references":[
- {
- "url":"string for url location"
- }
- ],
- "description":[
- {
- "lang":"string ISO 639-2",
- "value":"string description of vulnerability"
- }
- ]
+{
+ "data_version": "3.1",
+ "cve_id":"CVE-YYYY-XXXXXX",
+ "products": [
+ {
+ "vendor_name": "string",
+ "product": [
+ {
+ "product_name": "string",
+ "version": "string",
+ "affects": "string =/>/<=/>=/!"
+ }
+ ]
+ }
+ ],
+ "problem_types":[
+ {
+ "description":[
+ {
+ "lang":"string ISO 639-2",
+ "value":"string description of problem_type"
+ }
+ ]
+ }
+ ],
+ "references":[
+ {
+ "url":"string for url location"
+ }
+ ],
+ "description":[
+ {
+ "lang":"string ISO 639-2",
+ "value":"string description of vulnerability"
+ }
+ ]
}
\ No newline at end of file
diff --git a/schema/v3.1/CVE_JSON_schema-3.1.json b/schema/archive/v3.1/CVE_JSON_schema-3.1.json
similarity index 95%
rename from schema/v3.1/CVE_JSON_schema-3.1.json
rename to schema/archive/v3.1/CVE_JSON_schema-3.1.json
index d32a917af71..f21ce28b3b8 100644
--- a/schema/v3.1/CVE_JSON_schema-3.1.json
+++ b/schema/archive/v3.1/CVE_JSON_schema-3.1.json
@@ -1,543 +1,543 @@
-{
- "$schema": "http://json-schema.org/draft-04/schema#",
- "type": "object",
- "properties": {
- "data_version":{
- "type": "string"
- },
- "cve_id": {
- "type": "string"
- },
- "updated":{
- "type":"string"
- },
- "serial":{
- "type":"integer"
- },
- "date_requested":{
- "type":"string"
- },
- "date_assigned":{
- "type":"string"
- },
- "date_public":{
- "type":"string"
- },
- "requester":{
- "type":"string"
- },
- "assigner":{
- "type":"string"
- },
- "state":{
- "type":"string"
- },
- "replaced_by":{
- "type":"string"
- },
- "title":{
- "type":"array",
- "items":{
- "type":"object",
- "properties":{
- "lang":{
- "type":"string"
- },
- "value":{
- "type":"string"
- }
- }
- }
- },
- "products": {
- "type":"array",
- "items":{
- "type":"object",
- "properties":{
- "vendor_name":{
- "type":"string"
- },
- "product":{
- "type":"array",
- "items":{
- "type":"object",
- "properties":{
- "product_name":{
- "type":"string"
- },
- "version":{
- "type":"string"
- },
- "affects":{
- "type":"string"
- },
- "cpe":{
- "type":"array",
- "items":{
- "type":"object",
- "properties":{
- "cpe_value":{
- "type":"string"
- }
- }
- }
- },
- "swid":{
- "type":"array",
- "items":{
- "type":"object",
- "properties":{
- "swid_value":{
- "type":"string"
- }
- }
- }
- }
- },"required": ["product_name","version"]
- }
- }
- }
- }
- },
- "problem_types": {
- "type": "array",
- "items": {
- "type":"object",
- "properties":{
- "description": {
- "type": "array",
- "items":{
- "type":"object",
- "properties":{
- "lang":{
- "type":"string"
- },
- "value":{
- "type":"string"
- }
- }
- }
- },
- "cwes": {
- "type": "array",
- "items": {
- "type": "string"
- }
- },
- "owasp":{
- "type":"array",
- "items":{
- "type":"string"
- }
- }
- }, "required":["description"]
- }
- },
- "references": {
- "type": "array",
- "items": {
- "type": "object",
- "properties": {
- "url": {
- "type": "string"
- },
- "name": {
- "type": "string"
- },
- "publish_date": {
- "type": "string"
- }
- },"required": ["url"]
- }
- },
- "description": {
- "type": "array",
- "items":{
- "type":"object",
- "properties":{
- "lang":{
- "type":"string"
- },
- "value":{
- "type":"string"
- }
- }
- }
- },
- "attack": {
- "type": "array",
- "items": {
- "type": "object",
- "properties": {
- "attackers": {
- "type": "array",
- "items":{
- "type":"object",
- "properties":{
- "extent":{
- "type":"string"
- },
- "authentication":{
- "type":"string"
- },
- "user_assistance":{
- "type":"string"
- }
- }
- }
- },
- "impacts": {
- "type": "array",
- "items": {
- "type":"string"
- }
- },
- "attack_methods": {
- "type": "array",
- "items":{
- "type":"object",
- "properties":{
- "vectors":{
- "type":"array",
- "items":{
- "type":"string"
- }
- },
- "components":{
- "type":"array",
- "items":{
- "type":"string"
- }
- },
- "capecs":{
- "type":"string"
- }
- }
- }
- }
- }
- }
- },
- "files":{
- "type":"array",
- "items":{
- "type":"object",
- "properties":{
- "url":{
- "type":"string"
- },
- "import_time":{
- "type":"string"
- },
- "local_name":{
- "type":"string"
- }
- }
- }
- },
- "exploitation":{
- "type":"object",
- "properties":{
- "lang":{
- "type":"string"
- },
- "value":{
- "type":"string"
- }
- }
- },
- "work_around":{
- "type":"array",
- "items":{
- "type":"object",
- "properties":{
- "lang":{
- "type":"string"
- },
- "value":{
- "type":"string"
- }
- }
- }
- },
- "time_line":{
- "type":"array",
- "items":{
- "type":"object",
- "properties":{
- "time_stamp":{
- "type":"string"
- },
- "reference":{
- "type":"object",
- "properties":{
- "reference_name":{
- "type":"string"
- },
- "reference":{
- "type":"string"
- }
- }
- },
- "text":{
- "type":"array",
- "items":{
- "type":"object",
- "properties":{
- "lang":{
- "type":"string"
- },
- "value":{
- "type":"string"
- }
- }
- }
- }
- }
- }
- },
- "source":{
- "type":"object",
- "properties":{
- "discovered_by":{
- "type":"string"
- },
- "discovered_with":{
- "type":"string"
- },
- "verification":{
- "type":"string"
- },
- "cna_chain":{
- "type":"array",
- "items":{
- "type":"string"
- }
- }
- }
- },
- "conditions":{
- "type":"array",
- "items":{
- "type":"string"
- }
- },
- "notes":{
- "type":"object",
- "properties":{
- "lang":{
- "type":"string"
- },
- "value":{
- "type":"string"
- }
- }
- },
- "credits":{
- "type":"array",
- "items":{
- "type":"object",
- "properties":{
- "id":{
- "type":"string"
- },
- "role":{
- "type":"array",
- "items":{
- "type":"object",
- "properties":{
- "discoverer":{
- "type":"string"
- },
- "research_assist":{
- "type":"string"
- },
- "exploit_code":{
- "type":"string"
- }
- }
- }
- }
- }
- }
- },
- "impact_metrics":{
- "type":"object",
- "properties":{
- "cvss2": {
- "type": "object",
- "properties": {
- "vector":{
- "type":"string"
- },
- "bm": {
- "type": "object",
- "properties": {
- "av":{
- "type":"string"
- },
- "ac":{
- "type":"string"
- },
- "au":{
- "type":"string"
- },
- "c":{
- "type":"string"
- },
- "i":{
- "type":"string"
- },
- "a":{
- "type":"string"
- },
- "score": {
- "type": "string"
- }
- }
- },
- "tm": {
- "type": "object",
- "properties": {
- "e":{
- "type":"string"
- },
- "rl":{
- "type":"string"
- },
- "rc":{
- "type":"string"
- },
- "score": {
- "type": "string"
- }
- }
- },
- "em": {
- "type": "object",
- "properties": {
- "cdp":{
- "type":"string"
- },
- "td":{
- "type":"string"
- },
- "cr":{
- "type":"string"
- },
- "ir":{
- "type":"string"
- },
- "ar":{
- "type":"string"
- },
- "score": {
- "type": "string"
- }
- }
- }
- }
- },
- "cvss3": {
- "type": "object",
- "properties": {
- "vector":{
- "type":"string"
- },
- "bm": {
- "type": "object",
- "properties": {
- "av":{
- "type":"string"
- },
- "ac":{
- "type":"string"
- },
- "pr":{
- "type":"string"
- },
- "ui":{
- "type":"string"
- },
- "scope":{
- "type":"string"
- },
- "c":{
- "type":"string"
- },
- "i":{
- "type":"string"
- },
- "a":{
- "type":"string"
- },
- "score": {
- "type": "string"
- }
- }
- },
- "tm": {
- "type": "object",
- "properties": {
- "e":{
- "type":"string"
- },
- "rl":{
- "type":"string"
- },
- "rc":{
- "type":"string"
- },
- "score": {
- "type": "string"
- }
- }
- },
- "em": {
- "type": "object",
- "properties": {
- "mav":{
- "type":"string"
- },
- "mac":{
- "type":"string"
- },
- "mpr":{
- "type":"string"
- },
- "mui":{
- "type":"string"
- },
- "ms":{
- "type":"string"
- },
- "mc":{
- "type":"string"
- },
- "mi":{
- "type":"string"
- },
- "ma":{
- "type":"string"
- },
- "cr":{
- "type":"string"
- },
- "ir":{
- "type":"string"
- },
- "ar":{
- "type":"string"
- },
- "score": {
- "type": "string"
- }
- }
- }
- }
- }
- }
- }
- },"required": ["data_version","cve_id", "products", "problem_types", "references", "description"]
-}
-
+{
+ "$schema": "http://json-schema.org/draft-04/schema#",
+ "type": "object",
+ "properties": {
+ "data_version":{
+ "type": "string"
+ },
+ "cve_id": {
+ "type": "string"
+ },
+ "updated":{
+ "type":"string"
+ },
+ "serial":{
+ "type":"integer"
+ },
+ "date_requested":{
+ "type":"string"
+ },
+ "date_assigned":{
+ "type":"string"
+ },
+ "date_public":{
+ "type":"string"
+ },
+ "requester":{
+ "type":"string"
+ },
+ "assigner":{
+ "type":"string"
+ },
+ "state":{
+ "type":"string"
+ },
+ "replaced_by":{
+ "type":"string"
+ },
+ "title":{
+ "type":"array",
+ "items":{
+ "type":"object",
+ "properties":{
+ "lang":{
+ "type":"string"
+ },
+ "value":{
+ "type":"string"
+ }
+ }
+ }
+ },
+ "products": {
+ "type":"array",
+ "items":{
+ "type":"object",
+ "properties":{
+ "vendor_name":{
+ "type":"string"
+ },
+ "product":{
+ "type":"array",
+ "items":{
+ "type":"object",
+ "properties":{
+ "product_name":{
+ "type":"string"
+ },
+ "version":{
+ "type":"string"
+ },
+ "affects":{
+ "type":"string"
+ },
+ "cpe":{
+ "type":"array",
+ "items":{
+ "type":"object",
+ "properties":{
+ "cpe_value":{
+ "type":"string"
+ }
+ }
+ }
+ },
+ "swid":{
+ "type":"array",
+ "items":{
+ "type":"object",
+ "properties":{
+ "swid_value":{
+ "type":"string"
+ }
+ }
+ }
+ }
+ },"required": ["product_name","version"]
+ }
+ }
+ }
+ }
+ },
+ "problem_types": {
+ "type": "array",
+ "items": {
+ "type":"object",
+ "properties":{
+ "description": {
+ "type": "array",
+ "items":{
+ "type":"object",
+ "properties":{
+ "lang":{
+ "type":"string"
+ },
+ "value":{
+ "type":"string"
+ }
+ }
+ }
+ },
+ "cwes": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "owasp":{
+ "type":"array",
+ "items":{
+ "type":"string"
+ }
+ }
+ }, "required":["description"]
+ }
+ },
+ "references": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "url": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "publish_date": {
+ "type": "string"
+ }
+ },"required": ["url"]
+ }
+ },
+ "description": {
+ "type": "array",
+ "items":{
+ "type":"object",
+ "properties":{
+ "lang":{
+ "type":"string"
+ },
+ "value":{
+ "type":"string"
+ }
+ }
+ }
+ },
+ "attack": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "attackers": {
+ "type": "array",
+ "items":{
+ "type":"object",
+ "properties":{
+ "extent":{
+ "type":"string"
+ },
+ "authentication":{
+ "type":"string"
+ },
+ "user_assistance":{
+ "type":"string"
+ }
+ }
+ }
+ },
+ "impacts": {
+ "type": "array",
+ "items": {
+ "type":"string"
+ }
+ },
+ "attack_methods": {
+ "type": "array",
+ "items":{
+ "type":"object",
+ "properties":{
+ "vectors":{
+ "type":"array",
+ "items":{
+ "type":"string"
+ }
+ },
+ "components":{
+ "type":"array",
+ "items":{
+ "type":"string"
+ }
+ },
+ "capecs":{
+ "type":"string"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "files":{
+ "type":"array",
+ "items":{
+ "type":"object",
+ "properties":{
+ "url":{
+ "type":"string"
+ },
+ "import_time":{
+ "type":"string"
+ },
+ "local_name":{
+ "type":"string"
+ }
+ }
+ }
+ },
+ "exploitation":{
+ "type":"object",
+ "properties":{
+ "lang":{
+ "type":"string"
+ },
+ "value":{
+ "type":"string"
+ }
+ }
+ },
+ "work_around":{
+ "type":"array",
+ "items":{
+ "type":"object",
+ "properties":{
+ "lang":{
+ "type":"string"
+ },
+ "value":{
+ "type":"string"
+ }
+ }
+ }
+ },
+ "time_line":{
+ "type":"array",
+ "items":{
+ "type":"object",
+ "properties":{
+ "time_stamp":{
+ "type":"string"
+ },
+ "reference":{
+ "type":"object",
+ "properties":{
+ "reference_name":{
+ "type":"string"
+ },
+ "reference":{
+ "type":"string"
+ }
+ }
+ },
+ "text":{
+ "type":"array",
+ "items":{
+ "type":"object",
+ "properties":{
+ "lang":{
+ "type":"string"
+ },
+ "value":{
+ "type":"string"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "source":{
+ "type":"object",
+ "properties":{
+ "discovered_by":{
+ "type":"string"
+ },
+ "discovered_with":{
+ "type":"string"
+ },
+ "verification":{
+ "type":"string"
+ },
+ "cna_chain":{
+ "type":"array",
+ "items":{
+ "type":"string"
+ }
+ }
+ }
+ },
+ "conditions":{
+ "type":"array",
+ "items":{
+ "type":"string"
+ }
+ },
+ "notes":{
+ "type":"object",
+ "properties":{
+ "lang":{
+ "type":"string"
+ },
+ "value":{
+ "type":"string"
+ }
+ }
+ },
+ "credits":{
+ "type":"array",
+ "items":{
+ "type":"object",
+ "properties":{
+ "id":{
+ "type":"string"
+ },
+ "role":{
+ "type":"array",
+ "items":{
+ "type":"object",
+ "properties":{
+ "discoverer":{
+ "type":"string"
+ },
+ "research_assist":{
+ "type":"string"
+ },
+ "exploit_code":{
+ "type":"string"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "impact_metrics":{
+ "type":"object",
+ "properties":{
+ "cvss2": {
+ "type": "object",
+ "properties": {
+ "vector":{
+ "type":"string"
+ },
+ "bm": {
+ "type": "object",
+ "properties": {
+ "av":{
+ "type":"string"
+ },
+ "ac":{
+ "type":"string"
+ },
+ "au":{
+ "type":"string"
+ },
+ "c":{
+ "type":"string"
+ },
+ "i":{
+ "type":"string"
+ },
+ "a":{
+ "type":"string"
+ },
+ "score": {
+ "type": "string"
+ }
+ }
+ },
+ "tm": {
+ "type": "object",
+ "properties": {
+ "e":{
+ "type":"string"
+ },
+ "rl":{
+ "type":"string"
+ },
+ "rc":{
+ "type":"string"
+ },
+ "score": {
+ "type": "string"
+ }
+ }
+ },
+ "em": {
+ "type": "object",
+ "properties": {
+ "cdp":{
+ "type":"string"
+ },
+ "td":{
+ "type":"string"
+ },
+ "cr":{
+ "type":"string"
+ },
+ "ir":{
+ "type":"string"
+ },
+ "ar":{
+ "type":"string"
+ },
+ "score": {
+ "type": "string"
+ }
+ }
+ }
+ }
+ },
+ "cvss3": {
+ "type": "object",
+ "properties": {
+ "vector":{
+ "type":"string"
+ },
+ "bm": {
+ "type": "object",
+ "properties": {
+ "av":{
+ "type":"string"
+ },
+ "ac":{
+ "type":"string"
+ },
+ "pr":{
+ "type":"string"
+ },
+ "ui":{
+ "type":"string"
+ },
+ "scope":{
+ "type":"string"
+ },
+ "c":{
+ "type":"string"
+ },
+ "i":{
+ "type":"string"
+ },
+ "a":{
+ "type":"string"
+ },
+ "score": {
+ "type": "string"
+ }
+ }
+ },
+ "tm": {
+ "type": "object",
+ "properties": {
+ "e":{
+ "type":"string"
+ },
+ "rl":{
+ "type":"string"
+ },
+ "rc":{
+ "type":"string"
+ },
+ "score": {
+ "type": "string"
+ }
+ }
+ },
+ "em": {
+ "type": "object",
+ "properties": {
+ "mav":{
+ "type":"string"
+ },
+ "mac":{
+ "type":"string"
+ },
+ "mpr":{
+ "type":"string"
+ },
+ "mui":{
+ "type":"string"
+ },
+ "ms":{
+ "type":"string"
+ },
+ "mc":{
+ "type":"string"
+ },
+ "mi":{
+ "type":"string"
+ },
+ "ma":{
+ "type":"string"
+ },
+ "cr":{
+ "type":"string"
+ },
+ "ir":{
+ "type":"string"
+ },
+ "ar":{
+ "type":"string"
+ },
+ "score": {
+ "type": "string"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },"required": ["data_version","cve_id", "products", "problem_types", "references", "description"]
+}
+
diff --git a/schema/v4.0/CVE_JSON_4.0_min_public.schema b/schema/archive/v4.0/CVE_JSON_4.0_min_public.schema
similarity index 100%
rename from schema/v4.0/CVE_JSON_4.0_min_public.schema
rename to schema/archive/v4.0/CVE_JSON_4.0_min_public.schema
diff --git a/schema/v4.0/CVE_JSON_4.0_min_reject.schema b/schema/archive/v4.0/CVE_JSON_4.0_min_reject.schema
similarity index 100%
rename from schema/v4.0/CVE_JSON_4.0_min_reject.schema
rename to schema/archive/v4.0/CVE_JSON_4.0_min_reject.schema
diff --git a/schema/v4.0/CVE_JSON_4.0_min_reserved.schema b/schema/archive/v4.0/CVE_JSON_4.0_min_reserved.schema
similarity index 100%
rename from schema/v4.0/CVE_JSON_4.0_min_reserved.schema
rename to schema/archive/v4.0/CVE_JSON_4.0_min_reserved.schema
diff --git a/schema/v4.0/DRAFT-JSON-file-format-v4.md b/schema/archive/v4.0/DRAFT-JSON-file-format-v4.md
similarity index 100%
rename from schema/v4.0/DRAFT-JSON-file-format-v4.md
rename to schema/archive/v4.0/DRAFT-JSON-file-format-v4.md
diff --git a/schema/v5.0/CVE_JSON_5.0_schema.json b/schema/archive/v5.0/CVE_JSON_5.0_schema.json
similarity index 100%
rename from schema/v5.0/CVE_JSON_5.0_schema.json
rename to schema/archive/v5.0/CVE_JSON_5.0_schema.json
diff --git a/schema/v5.0/docs/CVE_JSON_5.0_bundled.json b/schema/archive/v5.0/docs/CVE_JSON_5.0_bundled.json
similarity index 100%
rename from schema/v5.0/docs/CVE_JSON_5.0_bundled.json
rename to schema/archive/v5.0/docs/CVE_JSON_5.0_bundled.json
diff --git a/schema/v5.0/docs/cnaContainer-advanced-example.json b/schema/archive/v5.0/docs/cnaContainer-advanced-example.json
similarity index 100%
rename from schema/v5.0/docs/cnaContainer-advanced-example.json
rename to schema/archive/v5.0/docs/cnaContainer-advanced-example.json
diff --git a/schema/v5.0/docs/cnaContainer-basic-example.json b/schema/archive/v5.0/docs/cnaContainer-basic-example.json
similarity index 100%
rename from schema/v5.0/docs/cnaContainer-basic-example.json
rename to schema/archive/v5.0/docs/cnaContainer-basic-example.json
diff --git a/schema/v5.0/docs/full-record-advanced-example.json b/schema/archive/v5.0/docs/full-record-advanced-example.json
similarity index 100%
rename from schema/v5.0/docs/full-record-advanced-example.json
rename to schema/archive/v5.0/docs/full-record-advanced-example.json
diff --git a/schema/v5.0/docs/full-record-basic-example.json b/schema/archive/v5.0/docs/full-record-basic-example.json
similarity index 100%
rename from schema/v5.0/docs/full-record-basic-example.json
rename to schema/archive/v5.0/docs/full-record-basic-example.json
diff --git a/schema/v5.0/docs/index.html b/schema/archive/v5.0/docs/index.html
similarity index 100%
rename from schema/v5.0/docs/index.html
rename to schema/archive/v5.0/docs/index.html
diff --git a/schema/v5.0/docs/mindmap.html b/schema/archive/v5.0/docs/mindmap.html
similarity index 100%
rename from schema/v5.0/docs/mindmap.html
rename to schema/archive/v5.0/docs/mindmap.html
diff --git a/schema/v5.0/docs/schema_doc.css b/schema/archive/v5.0/docs/schema_doc.css
similarity index 100%
rename from schema/v5.0/docs/schema_doc.css
rename to schema/archive/v5.0/docs/schema_doc.css
diff --git a/schema/v5.0/docs/schema_doc.min.js b/schema/archive/v5.0/docs/schema_doc.min.js
similarity index 100%
rename from schema/v5.0/docs/schema_doc.min.js
rename to schema/archive/v5.0/docs/schema_doc.min.js
diff --git a/schema/v5.0/docs/versions.md b/schema/archive/v5.0/docs/versions.md
similarity index 100%
rename from schema/v5.0/docs/versions.md
rename to schema/archive/v5.0/docs/versions.md
diff --git a/schema/v5.0/imports/cvss/README.md b/schema/archive/v5.0/imports/cvss/README.md
similarity index 100%
rename from schema/v5.0/imports/cvss/README.md
rename to schema/archive/v5.0/imports/cvss/README.md
diff --git a/schema/v5.0/imports/cvss/cvss-v2.0.json b/schema/archive/v5.0/imports/cvss/cvss-v2.0.json
similarity index 100%
rename from schema/v5.0/imports/cvss/cvss-v2.0.json
rename to schema/archive/v5.0/imports/cvss/cvss-v2.0.json
diff --git a/schema/v5.0/imports/cvss/cvss-v3.0.json b/schema/archive/v5.0/imports/cvss/cvss-v3.0.json
similarity index 100%
rename from schema/v5.0/imports/cvss/cvss-v3.0.json
rename to schema/archive/v5.0/imports/cvss/cvss-v3.0.json
diff --git a/schema/v5.0/imports/cvss/cvss-v3.1.json b/schema/archive/v5.0/imports/cvss/cvss-v3.1.json
similarity index 100%
rename from schema/v5.0/imports/cvss/cvss-v3.1.json
rename to schema/archive/v5.0/imports/cvss/cvss-v3.1.json
diff --git a/schema/v5.0/support/CVE_4_to_5_converter/PUBLISHED_CVE_JSON_5.0_bundled.json b/schema/archive/v5.0/support/CVE_4_to_5_converter/PUBLISHED_CVE_JSON_5.0_bundled.json
similarity index 100%
rename from schema/v5.0/support/CVE_4_to_5_converter/PUBLISHED_CVE_JSON_5.0_bundled.json
rename to schema/archive/v5.0/support/CVE_4_to_5_converter/PUBLISHED_CVE_JSON_5.0_bundled.json
diff --git a/schema/v5.0/support/CVE_4_to_5_converter/convert.log b/schema/archive/v5.0/support/CVE_4_to_5_converter/convert.log
similarity index 100%
rename from schema/v5.0/support/CVE_4_to_5_converter/convert.log
rename to schema/archive/v5.0/support/CVE_4_to_5_converter/convert.log
diff --git a/schema/v5.0/support/CVE_4_to_5_converter/cve4to5up.py b/schema/archive/v5.0/support/CVE_4_to_5_converter/cve4to5up.py
similarity index 100%
rename from schema/v5.0/support/CVE_4_to_5_converter/cve4to5up.py
rename to schema/archive/v5.0/support/CVE_4_to_5_converter/cve4to5up.py
diff --git a/schema/v5.0/support/CVE_4_to_5_converter/cve_record_dates.json.example b/schema/archive/v5.0/support/CVE_4_to_5_converter/cve_record_dates.json.example
similarity index 100%
rename from schema/v5.0/support/CVE_4_to_5_converter/cve_record_dates.json.example
rename to schema/archive/v5.0/support/CVE_4_to_5_converter/cve_record_dates.json.example
diff --git a/schema/v5.0/support/CVE_4_to_5_converter/ref_tag_map.json b/schema/archive/v5.0/support/CVE_4_to_5_converter/ref_tag_map.json
similarity index 100%
rename from schema/v5.0/support/CVE_4_to_5_converter/ref_tag_map.json
rename to schema/archive/v5.0/support/CVE_4_to_5_converter/ref_tag_map.json
diff --git a/schema/v5.0/support/CVE_4_to_5_converter/settings_example.py b/schema/archive/v5.0/support/CVE_4_to_5_converter/settings_example.py
similarity index 100%
rename from schema/v5.0/support/CVE_4_to_5_converter/settings_example.py
rename to schema/archive/v5.0/support/CVE_4_to_5_converter/settings_example.py
diff --git a/schema/v5.0/support/CVE_4_to_5_converter/user_map_example.csv b/schema/archive/v5.0/support/CVE_4_to_5_converter/user_map_example.csv
similarity index 96%
rename from schema/v5.0/support/CVE_4_to_5_converter/user_map_example.csv
rename to schema/archive/v5.0/support/CVE_4_to_5_converter/user_map_example.csv
index b0ca60c1785..b5781b98fd0 100644
--- a/schema/v5.0/support/CVE_4_to_5_converter/user_map_example.csv
+++ b/schema/archive/v5.0/support/CVE_4_to_5_converter/user_map_example.csv
@@ -1,2 +1,2 @@
-manual@hack.bob,fake,fake,cnaShortName,notacna
-
+manual@hack.bob,fake,fake,cnaShortName,notacna
+
diff --git a/schema/v5.0/support/Node_Validator/.gitignore b/schema/archive/v5.0/support/Node_Validator/.gitignore
similarity index 100%
rename from schema/v5.0/support/Node_Validator/.gitignore
rename to schema/archive/v5.0/support/Node_Validator/.gitignore
diff --git a/schema/v5.0/support/Node_Validator/README.md b/schema/archive/v5.0/support/Node_Validator/README.md
similarity index 100%
rename from schema/v5.0/support/Node_Validator/README.md
rename to schema/archive/v5.0/support/Node_Validator/README.md
diff --git a/schema/v5.0/support/Node_Validator/build.js b/schema/archive/v5.0/support/Node_Validator/build.js
similarity index 100%
rename from schema/v5.0/support/Node_Validator/build.js
rename to schema/archive/v5.0/support/Node_Validator/build.js
diff --git a/schema/v5.0/support/Node_Validator/dist/cve5validator.js b/schema/archive/v5.0/support/Node_Validator/dist/cve5validator.js
similarity index 100%
rename from schema/v5.0/support/Node_Validator/dist/cve5validator.js
rename to schema/archive/v5.0/support/Node_Validator/dist/cve5validator.js
diff --git a/schema/v5.0/support/Node_Validator/package.json b/schema/archive/v5.0/support/Node_Validator/package.json
similarity index 100%
rename from schema/v5.0/support/Node_Validator/package.json
rename to schema/archive/v5.0/support/Node_Validator/package.json
diff --git a/schema/v5.0/support/Node_Validator/reportValidation.js b/schema/archive/v5.0/support/Node_Validator/reportValidation.js
similarity index 100%
rename from schema/v5.0/support/Node_Validator/reportValidation.js
rename to schema/archive/v5.0/support/Node_Validator/reportValidation.js
diff --git a/schema/v5.0/support/Node_Validator/validate.js b/schema/archive/v5.0/support/Node_Validator/validate.js
similarity index 100%
rename from schema/v5.0/support/Node_Validator/validate.js
rename to schema/archive/v5.0/support/Node_Validator/validate.js
diff --git a/schema/v5.0/support/Python3.x_Validator/D7Validator.py b/schema/archive/v5.0/support/Python3.x_Validator/D7Validator.py
similarity index 100%
rename from schema/v5.0/support/Python3.x_Validator/D7Validator.py
rename to schema/archive/v5.0/support/Python3.x_Validator/D7Validator.py
diff --git a/schema/v5.0/support/Python3.x_Validator/cvss-v2.0.json b/schema/archive/v5.0/support/Python3.x_Validator/cvss-v2.0.json
similarity index 100%
rename from schema/v5.0/support/Python3.x_Validator/cvss-v2.0.json
rename to schema/archive/v5.0/support/Python3.x_Validator/cvss-v2.0.json
diff --git a/schema/v5.0/support/Python3.x_Validator/cvss-v3.0.json b/schema/archive/v5.0/support/Python3.x_Validator/cvss-v3.0.json
similarity index 100%
rename from schema/v5.0/support/Python3.x_Validator/cvss-v3.0.json
rename to schema/archive/v5.0/support/Python3.x_Validator/cvss-v3.0.json
diff --git a/schema/v5.0/support/Python3.x_Validator/cvss-v3.1.json b/schema/archive/v5.0/support/Python3.x_Validator/cvss-v3.1.json
similarity index 100%
rename from schema/v5.0/support/Python3.x_Validator/cvss-v3.1.json
rename to schema/archive/v5.0/support/Python3.x_Validator/cvss-v3.1.json
diff --git a/schema/v5.0/support/docs/css_override.css b/schema/archive/v5.0/support/docs/css_override.css
similarity index 100%
rename from schema/v5.0/support/docs/css_override.css
rename to schema/archive/v5.0/support/docs/css_override.css
diff --git a/schema/v5.0/support/docs/docs.sh b/schema/archive/v5.0/support/docs/docs.sh
similarity index 100%
rename from schema/v5.0/support/docs/docs.sh
rename to schema/archive/v5.0/support/docs/docs.sh
diff --git a/schema/v5.0/support/schema2markmap/index.js b/schema/archive/v5.0/support/schema2markmap/index.js
similarity index 100%
rename from schema/v5.0/support/schema2markmap/index.js
rename to schema/archive/v5.0/support/schema2markmap/index.js
diff --git a/schema/v5.0/support/schema2markmap/package.json b/schema/archive/v5.0/support/schema2markmap/package.json
similarity index 100%
rename from schema/v5.0/support/schema2markmap/package.json
rename to schema/archive/v5.0/support/schema2markmap/package.json
diff --git a/schema/v5.0/support/schema2markmap/schema-bundle.js b/schema/archive/v5.0/support/schema2markmap/schema-bundle.js
similarity index 100%
rename from schema/v5.0/support/schema2markmap/schema-bundle.js
rename to schema/archive/v5.0/support/schema2markmap/schema-bundle.js
diff --git a/schema/v5.0/tags/adp-tags.json b/schema/archive/v5.0/tags/adp-tags.json
similarity index 100%
rename from schema/v5.0/tags/adp-tags.json
rename to schema/archive/v5.0/tags/adp-tags.json
diff --git a/schema/v5.0/tags/cna-tags.json b/schema/archive/v5.0/tags/cna-tags.json
similarity index 100%
rename from schema/v5.0/tags/cna-tags.json
rename to schema/archive/v5.0/tags/cna-tags.json
diff --git a/schema/v5.0/tags/reference-tags.json b/schema/archive/v5.0/tags/reference-tags.json
similarity index 100%
rename from schema/v5.0/tags/reference-tags.json
rename to schema/archive/v5.0/tags/reference-tags.json
diff --git a/schema/docs/CVE_Record_Format_bundled.json b/schema/docs/CVE_Record_Format_bundled.json
new file mode 100644
index 00000000000..4b8f98b4cf6
--- /dev/null
+++ b/schema/docs/CVE_Record_Format_bundled.json
@@ -0,0 +1,3417 @@
+{
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "$id": "https://cveproject.github.io/cve-schema/schema/docs/CVE_Record_Format_bundled.json",
+ "title": "CVE JSON record format",
+ "description": "cve-schema specifies the CVE JSON record format. This is the blueprint for a rich set of JSON data that can be submitted by CVE Numbering Authorities (CNAs) and Authorized Data Publishers (ADPs) to describe a CVE Record. Some examples of CVE Record data include CVE ID number, affected product(s), affected version(s), and public references. While those specific items are required when assigning a CVE, there are many other optional data in the schema that can be used to enrich CVE Records for community benefit. Learn more about the CVE program at [the official website](https://cve.mitre.org). This CVE JSON record format is defined using JSON Schema. Learn more about JSON Schema [here](https://json-schema.org/).",
+ "definitions": {
+ "uriType": {
+ "description": "A universal resource identifier (URI), according to [RFC 3986](https://tools.ietf.org/html/rfc3986).",
+ "type": "string",
+ "format": "uri",
+ "minLength": 1,
+ "maxLength": 2048
+ },
+ "uuidType": {
+ "description": "A version 4 (random) universally unique identifier (UUID) as defined by [RFC 4122](https://tools.ietf.org/html/rfc4122#section-4.1.3).",
+ "type": "string",
+ "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
+ },
+ "reference": {
+ "type": "object",
+ "required": [
+ "url"
+ ],
+ "properties": {
+ "url": {
+ "description": "The uniform resource locator (URL), according to [RFC 3986](https://tools.ietf.org/html/rfc3986#section-1.1.3), that can be used to retrieve the referenced resource.",
+ "$ref": "#/definitions/uriType"
+ },
+ "name": {
+ "description": "User created name for the reference, often the title of the page.",
+ "type": "string",
+ "maxLength": 512,
+ "minLength": 1
+ },
+ "tags": {
+ "description": "An array of one or more tags that describe the resource referenced by 'url'.",
+ "type": "array",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "oneOf": [
+ {
+ "$ref": "#/definitions/tagExtension"
+ },
+ {
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "$id": "https://cve.mitre.org/cve/v5_00/tags/reference/",
+ "type": "string",
+ "description": "broken-link: The reference link is returning a 404 error, or the site is no longer online.\n\ncustomer-entitlement: Similar to Privileges Required, but specific to references that require non-public/paid access for customers of the particular vendor.\n\nexploit: Reference contains an in-depth/detailed description of steps to exploit a vulnerability OR the reference contains any legitimate Proof of Concept (PoC) code or exploit kit.\n\ngovernment-resource: All reference links that are from a government agency or organization should be given the Government Resource tag.\n\nissue-tracking: The reference is a post from a bug tracking tool such as MantisBT, Bugzilla, JIRA, Github Issues, etc...\n\nmailing-list: The reference is from a mailing list -- often specific to a product or vendor.\n\nmitigation: The reference contains information on steps to mitigate against the vulnerability in the event a patch can't be applied or is unavailable or for EOL product situations.\n\nnot-applicable: The reference link is not applicable to the vulnerability and was likely associated by MITRE accidentally (should be used sparingly).\n\npatch: The reference contains an update to the software that fixes the vulnerability.\n\npermissions-required: The reference link provided is blocked by a logon page. If credentials are required to see any information this tag must be applied.\n\nmedia-coverage: The reference is from a media outlet such as a newspaper, magazine, social media, or weblog. This tag is not intended to apply to any individual's personal social media account. 
It is strictly intended for public media entities.\n\nproduct: A reference appropriate for describing a product for the purpose of CPE or SWID.\n\nrelated: A reference that is for a related (but not the same) vulnerability.\n\nrelease-notes: The reference is in the format of a vendor or open source project's release notes or change log.\n\nsignature: The reference contains a method to detect or prevent the presence or exploitation of the vulnerability.\n\ntechnical-description: The reference contains in-depth technical information about a vulnerability and its exploitation process, typically in the form of a presentation or whitepaper.\n\nthird-party-advisory: Advisory is from an organization that is not the vulnerable product's vendor/publisher/maintainer.\n\nvendor-advisory: Advisory is from the vendor/publisher/maintainer of the product or the parent organization.\n\nvdb-entry: VDBs are loosely defined as sites that provide information about this vulnerability, such as advisories, with identifiers. Included VDBs are free to access, substantially public, and have broad scope and coverage (not limited to a single vendor or research organization). See: https://www.first.org/global/sigs/vrdx/vdb-catalog",
+ "enum": [
+ "broken-link",
+ "customer-entitlement",
+ "exploit",
+ "government-resource",
+ "issue-tracking",
+ "mailing-list",
+ "mitigation",
+ "not-applicable",
+ "patch",
+ "permissions-required",
+ "media-coverage",
+ "product",
+ "related",
+ "release-notes",
+ "signature",
+ "technical-description",
+ "third-party-advisory",
+ "vendor-advisory",
+ "vdb-entry"
+ ]
+ }
+ ]
+ }
+ }
+ },
+ "additionalProperties": false
+ },
+ "cveId": {
+ "type": "string",
+ "pattern": "^CVE-[0-9]{4}-[0-9]{4,19}$"
+ },
+ "orgId": {
+ "description": "A UUID for an organization participating in the CVE program. This UUID can be used to lookup the organization record in the user registry service.",
+ "$ref": "#/definitions/uuidType"
+ },
+ "userId": {
+ "description": "A UUID for a user participating in the CVE program. This UUID can be used to lookup the user record in the user registry service.",
+ "$ref": "#/definitions/uuidType"
+ },
+ "shortName": {
+ "description": "A 2-32 character name that can be used to complement an organization's UUID.",
+ "type": "string",
+ "minLength": 2,
+ "maxLength": 32
+ },
+ "datestamp": {
+ "description": "Date/time format based on RFC3339 and ISO ISO8601.",
+ "type": "string",
+ "format": "date",
+ "pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))$"
+ },
+ "timestamp": {
+ "type": "string",
+ "description": "Date/time format based on RFC3339 and ISO ISO8601, with an optional timezone in the format 'yyyy-MM-ddTHH:mm:ss[+-]ZH:ZM'. If timezone offset is not given, GMT (+00:00) is assumed.",
+ "pattern": "^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})?$"
+ },
+ "version": {
+ "description": "A single version of a product, as expressed in its own version numbering scheme.",
+ "type": "string",
+ "minLength": 1,
+ "maxLength": 1024
+ },
+ "status": {
+ "description": "The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.",
+ "type": "string",
+ "enum": [
+ "affected",
+ "unaffected",
+ "unknown"
+ ]
+ },
+ "product": {
+ "type": "object",
+ "description": "Provides information about the set of products and services affected by this vulnerability.",
+ "allOf": [
+ {
+ "anyOf": [
+ {
+ "required": [
+ "vendor",
+ "product"
+ ]
+ },
+ {
+ "required": [
+ "collectionURL",
+ "packageName"
+ ]
+ }
+ ]
+ },
+ {
+ "anyOf": [
+ {
+ "required": [
+ "versions"
+ ]
+ },
+ {
+ "required": [
+ "defaultStatus"
+ ]
+ }
+ ]
+ }
+ ],
+ "properties": {
+ "vendor": {
+ "type": "string",
+ "description": "Name of the organization, project, community, individual, or user that created or maintains this product or hosted service. Can be 'N/A' if none of those apply. When collectionURL and packageName are used, this field may optionally represent the user or account within the package collection associated with the package.",
+ "minLength": 1,
+ "maxLength": 512
+ },
+ "product": {
+ "type": "string",
+ "description": "Name of the affected product.",
+ "minLength": 1,
+ "maxLength": 2048
+ },
+ "collectionURL": {
+ "description": "URL identifying a package collection (determines the meaning of packageName).",
+ "$ref": "#/definitions/uriType",
+ "examples": [
+ "https://access.redhat.com/downloads/content/package-browser",
+ "https://addons.mozilla.org",
+ "https://addons.thunderbird.net",
+ "https://anaconda.org/anaconda/repo",
+ "https://app.vagrantup.com/boxes/search",
+ "https://apps.apple.com",
+ "https://archlinux.org/packages",
+ "https://atmospherejs.meteor.com",
+ "https://atom.io/packages",
+ "https://bitbucket.org",
+ "https://bower.io",
+ "https://brew.sh/",
+ "https://chocolatey.org/packages",
+ "https://chrome.google.com/webstore",
+ "https://clojars.org",
+ "https://cocoapods.org",
+ "https://code.dlang.org",
+ "https://conan.io/center",
+ "https://cpan.org/modules",
+ "https://cran.r-project.org",
+ "https://crates.io",
+ "https://ctan.org/pkg",
+ "https://drupal.org",
+ "https://exchange.adobe.com",
+ "https://forge.puppet.com/modules",
+ "https://github.com",
+ "https://gitlab.com/explore",
+ "https://golang.org/pkg",
+ "https://guix.gnu.org/packages",
+ "https://hackage.haskell.org",
+ "https://helm.sh",
+ "https://hub.docker.com",
+ "https://juliahub.com",
+ "https://lib.haxe.org",
+ "https://luarocks.org",
+ "https://marketplace.visualstudio.com",
+ "https://melpa.org",
+ "https://microsoft.com/en-us/store/apps",
+ "https://nimble.directory",
+ "https://nuget.org/packages",
+ "https://opam.ocaml.org/packages",
+ "https://openwrt.org/packages/index",
+ "https://package.elm-lang.org",
+ "https://packagecontrol.io",
+ "https://packages.debian.org",
+ "https://packages.gentoo.org",
+ "https://packagist.org",
+ "https://pear.php.net/packages.php",
+ "https://pecl.php.net",
+ "https://platformio.org/lib",
+ "https://play.google.com/store",
+ "https://plugins.gradle.org",
+ "https://projects.eclipse.org",
+ "https://pub.dev",
+ "https://pypi.python.org",
+ "https://registry.npmjs.org",
+ "https://registry.terraform.io",
+ "https://repo.hex.pm",
+ "https://repo.maven.apache.org/maven2",
+ "https://rubygems.org",
+ "https://search.nixos.org/packages",
+ "https://sourceforge.net",
+ "https://wordpress.org/plugins"
+ ]
+ },
+ "packageName": {
+ "type": "string",
+ "description": "Name or identifier of the affected software package as used in the package collection.",
+ "minLength": 1,
+ "maxLength": 2048
+ },
+ "cpes": {
+ "type": "array",
+ "description": "Affected products defined by CPE. This is an array of CPE values (vulnerable and not), we use an array so that we can make multiple statements about the same version and they are separate (if we used a JSON object we'd essentially be keying on the CPE name and they would have to overlap). Also, this allows things like cveDataVersion or cveDescription to be applied directly to the product entry. This also allows more complex statements such as \"Product X between versions 10.2 and 10.8\" to be put in a machine-readable format. As well since multiple statements can be used multiple branches of the same product can be defined here.",
+ "uniqueItems": true,
+ "items": {
+ "title": "CPE Name",
+ "type": "string",
+ "description": "Common Platform Enumeration (CPE) Name in either 2.2 or 2.3 format",
+ "pattern": "([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9._\\-~%]*){0,6})|(cpe:2\\.3:[aho*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){4})",
+ "minLength": 1,
+ "maxLength": 2048
+ }
+ },
+ "modules": {
+ "type": "array",
+ "description": "A list of the affected components, features, modules, sub-components, sub-products, APIs, commands, utilities, programs, or functionalities (optional).",
+ "uniqueItems": true,
+ "items": {
+ "type": "string",
+ "description": "Name of the affected component, feature, module, sub-component, sub-product, API, command, utility, program, or functionality (optional).",
+ "minLength": 1,
+ "maxLength": 4096
+ }
+ },
+ "programFiles": {
+ "type": "array",
+ "description": "A list of the affected source code files (optional).",
+ "uniqueItems": true,
+ "items": {
+ "description": "Name or path or location of the affected source code file.",
+ "type": "string",
+ "minLength": 1,
+ "maxLength": 1024
+ }
+ },
+ "programRoutines": {
+ "type": "array",
+ "description": "A list of the affected source code functions, methods, subroutines, or procedures (optional).",
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "description": "An object describing program routine.",
+ "required": [
+ "name"
+ ],
+ "properties": {
+ "name": {
+ "type": "string",
+ "description": "Name of the affected source code file, function, method, subroutine, or procedure.",
+ "minLength": 1,
+ "maxLength": 4096
+ }
+ },
+ "additionalProperties": false
+ }
+ },
+ "platforms": {
+ "title": "Platforms",
+ "description": "List of specific platforms if the vulnerability is only relevant in the context of these platforms (optional). Platforms may include execution environments, operating systems, virtualization technologies, hardware models, or computing architectures. The lack of this field or an empty array implies that the other fields are applicable to all relevant platforms.",
+ "type": "array",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "string",
+ "examples": [
+ "iOS",
+ "Android",
+ "Windows",
+ "macOS",
+ "x86",
+ "ARM",
+ "64 bit",
+ "Big Endian",
+ "iPad",
+ "Chromebook",
+ "Docker",
+ "Model T"
+ ],
+ "maxLength": 1024
+ }
+ },
+ "repo": {
+ "description": "The URL of the source code repository, for informational purposes and/or to resolve git hash version ranges.",
+ "$ref": "#/definitions/uriType"
+ },
+ "defaultStatus": {
+ "description": "The default status for versions that are not otherwise listed in the versions list. If not specified, defaultStatus defaults to 'unknown'. Versions or defaultStatus may be omitted, but not both.",
+ "$ref": "#/definitions/status"
+ },
+ "versions": {
+ "type": "array",
+ "description": "Set of product versions or version ranges related to the vulnerability. The versions satisfy the CNA Rules [8.1.2 requirement](https://cve.mitre.org/cve/cna/rules.html#section_8-1_cve_entry_information_requirements). Versions or defaultStatus may be omitted, but not both.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "description": "A single version or a range of versions, with vulnerability status.\n\nAn entry with only 'version' and 'status' indicates the status of a single version.\n\nOtherwise, an entry describes a range; it must include the 'versionType' property, to define the version numbering semantics in use, and 'limit', to indicate the non-inclusive upper limit of the range. The object describes the status for versions V such that 'version' <= V and V < 'limit', using the <= and < semantics defined for the specific kind of 'versionType'. Status changes within the range can be specified by an optional 'changes' list.\n\nThe algorithm to decide the status specified for a version V is:\n\n\tfor entry in product.versions {\n\t\tif entry.lessThan is not present and entry.lessThanOrEqual is not present and v == entry.version {\n\t\t\treturn entry.status\n\t\t}\n\t\tif (entry.lessThan is present and entry.version <= v and v < entry.lessThan) or\n\t\t (entry.lessThanOrEqual is present and entry.version <= v and v <= entry.lessThanOrEqual) { // <= and < defined by entry.versionType\n\t\t\tstatus = entry.status\n\t\t\tfor change in entry.changes {\n\t\t\t\tif change.at <= v {\n\t\t\t\t\tstatus = change.status\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn status\n\t\t}\n\t}\n\treturn product.defaultStatus\n\n.",
+ "oneOf": [
+ {
+ "required": [
+ "version",
+ "status"
+ ],
+ "maxProperties": 2
+ },
+ {
+ "required": [
+ "version",
+ "status",
+ "versionType"
+ ],
+ "maxProperties": 3
+ },
+ {
+ "required": [
+ "version",
+ "status",
+ "versionType",
+ "lessThan"
+ ]
+ },
+ {
+ "required": [
+ "version",
+ "status",
+ "versionType",
+ "lessThanOrEqual"
+ ]
+ }
+ ],
+ "properties": {
+ "version": {
+ "description": "The single version being described, or the version at the start of the range. By convention, typically 0 denotes the earliest possible version.",
+ "$ref": "#/definitions/version"
+ },
+ "status": {
+ "description": "The vulnerability status for the version or range of versions. For a range, the status may be refined by the 'changes' list.",
+ "$ref": "#/definitions/status"
+ },
+ "versionType": {
+ "type": "string",
+ "description": "The version numbering system used for specifying the range. This defines the exact semantics of the comparison (less-than) operation on versions, which is required to understand the range itself. 'Custom' indicates that the version type is unspecified and should be avoided whenever possible. It is included primarily for use in conversion of older data files.",
+ "minLength": 1,
+ "maxLength": 128,
+ "examples": [
+ "custom",
+ "git",
+ "maven",
+ "python",
+ "rpm",
+ "semver"
+ ]
+ },
+ "lessThan": {
+ "description": "The non-inclusive upper limit of the range. This is the least version NOT in the range. The usual version syntax is expanded to allow a pattern to end in an asterisk `(*)`, indicating an arbitrarily large number in the version ordering. For example, `{version: 1.0 lessThan: 1.*}` would describe the entire 1.X branch for most range kinds, and `{version: 2.0, lessThan: *}` describes all versions starting at 2.0, including 3.0, 5.1, and so on. Only one of lessThan and lessThanOrEqual should be specified.",
+ "$ref": "#/definitions/version"
+ },
+ "lessThanOrEqual": {
+ "description": "The inclusive upper limit of the range. This is the greatest version contained in the range. Only one of lessThan and lessThanOrEqual should be specified. For example, `{version: 1.0, lessThanOrEqual: 1.3}` covers all versions from 1.0 up to and including 1.3.",
+ "$ref": "#/definitions/version"
+ },
+ "changes": {
+ "type": "array",
+ "description": "A list of status changes that take place during the range. The array should be sorted in increasing order by the 'at' field, according to the versionType, but clients must re-sort the list themselves rather than assume it is sorted.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "description": "The start of a single status change during the range.",
+ "required": [
+ "at",
+ "status"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "at": {
+ "description": "The version at which a status change occurs.",
+ "$ref": "#/definitions/version"
+ },
+ "status": {
+ "description": "The new status in the range starting at the given version.",
+ "$ref": "#/definitions/status"
+ }
+ }
+ }
+ }
+ },
+ "additionalProperties": false
+ }
+ }
+ }
+ },
+ "dataType": {
+ "description": "Indicates the type of information represented in the JSON instance.",
+ "type": "string",
+ "enum": [
+ "CVE_RECORD"
+ ]
+ },
+ "dataVersion": {
+ "description": "The version of the CVE schema used for validating this record. Used to support multiple versions of this format.",
+ "type": "string",
+ "pattern": "^5\\.(0|[1-9][0-9]*)(\\.(0|[1-9][0-9]*))?$",
+ "default": "5.1.0"
+ },
+ "cveMetadataPublished": {
+ "description": "This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, the current state (PUBLISHED, REJECTED, etc.) and so on. These fields are controlled by the CVE Services.",
+ "type": "object",
+ "required": [
+ "cveId",
+ "assignerOrgId",
+ "state"
+ ],
+ "properties": {
+ "cveId": {
+ "description": "The CVE identifier that this record pertains to.",
+ "$ref": "#/definitions/cveId"
+ },
+ "assignerOrgId": {
+ "$ref": "#/definitions/orgId",
+ "description": "The UUID for the organization to which the CVE ID was originally assigned. This UUID can be used to lookup the organization record in the user registry service."
+ },
+ "assignerShortName": {
+ "$ref": "#/definitions/shortName",
+ "description": "The short name for the organization to which the CVE ID was originally assigned."
+ },
+ "requesterUserId": {
+ "$ref": "#/definitions/userId",
+ "description": "The user that requested the CVE identifier."
+ },
+ "dateUpdated": {
+ "description": "The date/time the record was last updated.",
+ "$ref": "#/definitions/timestamp"
+ },
+ "serial": {
+ "type": "integer",
+ "minimum": 1,
+ "description": "The system of record causes this to start at 1, and increment by 1 each time a submission from a data provider changes this CVE Record. The incremented value moves to the Rejected schema upon a PUBLISHED->REJECTED transition, and moves to the Published schema upon a REJECTED->PUBLISHED transition."
+ },
+ "dateReserved": {
+ "$ref": "#/definitions/timestamp",
+ "description": "The date/time this CVE ID was reserved in the CVE automation workgroup services system. Disclaimer: This date reflects when the CVE ID was reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE."
+ },
+ "datePublished": {
+ "$ref": "#/definitions/timestamp",
+ "description": "The date/time the CVE Record was first published in the CVE List."
+ },
+ "state": {
+ "description": "State of CVE - PUBLISHED, REJECTED.",
+ "type": "string",
+ "enum": [
+ "PUBLISHED"
+ ]
+ }
+ },
+ "additionalProperties": false
+ },
+ "cveMetadataRejected": {
+ "type": "object",
+ "description": "This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, the current state (PUBLISHED, REJECTED, etc.) and so on. These fields are controlled by the CVE Services.",
+ "required": [
+ "cveId",
+ "assignerOrgId",
+ "state"
+ ],
+ "properties": {
+ "cveId": {
+ "description": "The CVE identifier that this record pertains to.",
+ "$ref": "#/definitions/cveId"
+ },
+ "assignerOrgId": {
+ "$ref": "#/definitions/orgId",
+ "description": "The UUID for the organization to which the CVE ID was originally assigned."
+ },
+ "assignerShortName": {
+ "$ref": "#/definitions/shortName",
+ "description": "The short name for the organization to which the CVE ID was originally assigned."
+ },
+ "serial": {
+ "type": "integer",
+ "minimum": 1,
+ "description": "The system of record causes this to start at 1, and increment by 1 each time a submission from a data provider changes this CVE Record. The incremented value moves to the Rejected schema upon a PUBLISHED->REJECTED transition, and moves to the Published schema upon a REJECTED->PUBLISHED transition."
+ },
+ "dateUpdated": {
+ "description": "The date/time the record was last updated.",
+ "$ref": "#/definitions/timestamp"
+ },
+ "datePublished": {
+ "$ref": "#/definitions/timestamp",
+ "description": "The date/time the CVE Record was first published in the CVE List."
+ },
+ "dateRejected": {
+ "$ref": "#/definitions/timestamp",
+ "description": "The date/time the CVE ID was rejected."
+ },
+ "state": {
+ "type": "string",
+ "description": "State of CVE - PUBLISHED, REJECTED.",
+ "enum": [
+ "REJECTED"
+ ]
+ },
+ "dateReserved": {
+ "$ref": "#/definitions/timestamp",
+ "description": "The date/time this CVE ID was reserved in the CVE automation workgroup services system. Disclaimer: This date reflects when the CVE ID was reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE."
+ }
+ },
+ "additionalProperties": false
+ },
+ "providerMetadata": {
+ "type": "object",
+ "description": "Details related to the information container provider (CNA or ADP).",
+ "properties": {
+ "orgId": {
+ "$ref": "#/definitions/orgId",
+ "description": "The container provider's organizational UUID."
+ },
+ "shortName": {
+ "$ref": "#/definitions/shortName",
+ "description": "The container provider's organizational short name."
+ },
+ "dateUpdated": {
+ "$ref": "#/definitions/timestamp",
+ "description": "Timestamp to be set by the system of record at time of submission. If dateUpdated is provided to the system of record it will be replaced by the current timestamp at the time of submission."
+ }
+ },
+ "required": [
+ "orgId"
+ ],
+ "additionalProperties": false
+ },
+ "cnaPublishedContainer": {
+ "description": "An object containing the vulnerability information provided by a CVE Numbering Authority (CNA) for a published CVE ID. There can only be one CNA container per CVE record since there can only be one assigning CNA. The CNA container must include the required information defined in the CVE Rules, which includes a product, version, problem type, prose description, and a reference.",
+ "type": "object",
+ "properties": {
+ "providerMetadata": {
+ "$ref": "#/definitions/providerMetadata"
+ },
+ "dateAssigned": {
+ "$ref": "#/definitions/timestamp",
+ "description": "The date/time this CVE ID was associated with a vulnerability by a CNA."
+ },
+ "datePublic": {
+ "$ref": "#/definitions/timestamp",
+ "description": "If known, the date/time the vulnerability was disclosed publicly."
+ },
+ "title": {
+ "type": "string",
+ "description": "A title, headline, or a brief phrase summarizing the CVE record. Eg., Buffer overflow in Example Soft.",
+ "minLength": 1,
+ "maxLength": 256
+ },
+ "descriptions": {
+ "$ref": "#/definitions/descriptions"
+ },
+ "affected": {
+ "$ref": "#/definitions/affected"
+ },
+ "problemTypes": {
+ "$ref": "#/definitions/problemTypes"
+ },
+ "references": {
+ "$ref": "#/definitions/references"
+ },
+ "impacts": {
+ "$ref": "#/definitions/impacts"
+ },
+ "metrics": {
+ "$ref": "#/definitions/metrics"
+ },
+ "configurations": {
+ "$ref": "#/definitions/configurations"
+ },
+ "workarounds": {
+ "$ref": "#/definitions/workarounds"
+ },
+ "solutions": {
+ "$ref": "#/definitions/solutions"
+ },
+ "exploits": {
+ "$ref": "#/definitions/exploits"
+ },
+ "timeline": {
+ "$ref": "#/definitions/timeline"
+ },
+ "credits": {
+ "$ref": "#/definitions/credits"
+ },
+ "source": {
+ "$ref": "#/definitions/source"
+ },
+ "tags": {
+ "$ref": "#/definitions/cnaTags"
+ },
+ "taxonomyMappings": {
+ "$ref": "#/definitions/taxonomyMappings"
+ }
+ },
+ "required": [
+ "providerMetadata",
+ "descriptions",
+ "affected",
+ "references"
+ ],
+ "patternProperties": {
+ "^x_[^.]*$": {}
+ },
+ "$comment": "The character . is restricted in names allowed by patternProperties to work-around naming limitations in some common implementations.",
+ "additionalProperties": false
+ },
+ "cnaRejectedContainer": {
+ "description": "An object containing the vulnerability information provided by a CVE Numbering Authority (CNA) for a rejected CVE ID. There can only be one CNA container per CVE record since there can only be one assigning CNA.",
+ "type": "object",
+ "properties": {
+ "providerMetadata": {
+ "$ref": "#/definitions/providerMetadata"
+ },
+ "rejectedReasons": {
+ "description": "Reasons for rejecting this CVE Record.",
+ "$ref": "#/definitions/descriptions"
+ },
+ "replacedBy": {
+ "type": "array",
+ "description": "Contains an array of CVE IDs that this CVE ID was rejected in favor of because this CVE ID was assigned to the vulnerabilities.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/definitions/cveId"
+ }
+ }
+ },
+ "required": [
+ "providerMetadata",
+ "rejectedReasons"
+ ],
+ "patternProperties": {
+ "^x_[^.]*$": {}
+ },
+ "$comment": "The character . is restricted in names allowed by patternProperties to work-around naming limitations in some common implementations.",
+ "additionalProperties": false
+ },
+ "adpContainer": {
+ "description": "An object containing the vulnerability information provided by an Authorized Data Publisher (ADP). Since multiple ADPs can provide information for a CVE ID, an ADP container must indicate which ADP is the source of the information in the object.",
+ "type": "object",
+ "properties": {
+ "providerMetadata": {
+ "$ref": "#/definitions/providerMetadata"
+ },
+ "datePublic": {
+ "$ref": "#/definitions/timestamp",
+ "description": "If known, the date/time the vulnerability was disclosed publicly."
+ },
+ "title": {
+ "type": "string",
+ "description": "A title, headline, or a brief phrase summarizing the information in an ADP container.",
+ "minLength": 1,
+ "maxLength": 256
+ },
+ "descriptions": {
+ "$ref": "#/definitions/descriptions"
+ },
+ "affected": {
+ "$ref": "#/definitions/affected"
+ },
+ "problemTypes": {
+ "$ref": "#/definitions/problemTypes"
+ },
+ "references": {
+ "$ref": "#/definitions/references"
+ },
+ "impacts": {
+ "$ref": "#/definitions/impacts"
+ },
+ "metrics": {
+ "$ref": "#/definitions/metrics"
+ },
+ "configurations": {
+ "$ref": "#/definitions/configurations"
+ },
+ "workarounds": {
+ "$ref": "#/definitions/workarounds"
+ },
+ "solutions": {
+ "$ref": "#/definitions/solutions"
+ },
+ "exploits": {
+ "$ref": "#/definitions/exploits"
+ },
+ "timeline": {
+ "$ref": "#/definitions/timeline"
+ },
+ "credits": {
+ "$ref": "#/definitions/credits"
+ },
+ "source": {
+ "$ref": "#/definitions/source"
+ },
+ "tags": {
+ "$ref": "#/definitions/adpTags"
+ },
+ "taxonomyMappings": {
+ "$ref": "#/definitions/taxonomyMappings"
+ }
+ },
+ "required": [
+ "providerMetadata"
+ ],
+ "minProperties": 2,
+ "patternProperties": {
+ "^x_[^.]*$": {}
+ },
+ "$comment": "The character . is restricted in names allowed by patternProperties to work-around naming limitations in some common implementations.",
+ "additionalProperties": false
+ },
+ "affected": {
+ "type": "array",
+ "description": "List of affected products.",
+ "minItems": 1,
+ "items": {
+ "$ref": "#/definitions/product"
+ }
+ },
+ "description": {
+ "type": "object",
+ "description": "Text in a particular language with optional alternate markup or formatted representation (e.g., Markdown) or embedded media.",
+ "properties": {
+ "lang": {
+ "$ref": "#/definitions/language"
+ },
+ "value": {
+ "type": "string",
+ "description": "Plain text description.",
+ "minLength": 1,
+ "maxLength": 4096
+ },
+ "supportingMedia": {
+ "type": "array",
+ "title": "Supporting media",
+ "description": "Supporting media data for the description such as markdown, diagrams, .. (optional). Similar to RFC 2397 each media object has three main parts: media type, media data value, and an optional boolean flag to indicate if the media data is base64 encoded.",
+ "uniqueItems": true,
+ "minItems": 1,
+ "items": {
+ "type": "object",
+ "properties": {
+ "type": {
+ "type": "string",
+ "title": "Media type",
+ "minLength": 1,
+ "maxLength": 256,
+ "description": "RFC2046 compliant IANA Media type for eg., text/markdown, text/html.",
+ "examples": [
+ "text/markdown",
+ "text/html",
+ "image/png",
+ "image/svg",
+ "audio/mp3"
+ ]
+ },
+ "base64": {
+ "type": "boolean",
+ "title": "Encoding",
+ "description": "If true then the value field contains the media data encoded in base64. If false then the value field contains the UTF-8 media content.",
+ "default": false
+ },
+ "value": {
+ "type": "string",
+ "description": "Supporting media content, up to 16K. If base64 is true, this field stores base64 encoded data.",
+ "minLength": 1,
+ "maxLength": 16384
+ }
+ },
+ "required": [
+ "type",
+ "value"
+ ],
+ "additionalProperties": false
+ }
+ }
+ },
+ "required": [
+ "lang",
+ "value"
+ ],
+ "additionalProperties": false
+ },
+ "englishLanguageDescription": {
+ "type": "object",
+ "description": "A description with lang set to an English language (en, en_US, en_UK, and so on).",
+ "properties": {
+ "lang": {
+ "$ref": "#/definitions/englishLanguage"
+ }
+ },
+ "required": [
+ "lang"
+ ],
+ "$comment": "Cannot use additionalProperties: false here, as this prevents the other properties used by /definitions/description."
+ },
+ "descriptions": {
+ "type": "array",
+ "description": "A list of multi-lingual descriptions of the vulnerability. E.g., [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]. OR [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] [ROOT CAUSE], which allows [ATTACKER] to [IMPACT] via [VECTOR].",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/definitions/description"
+ },
+ "contains": {
+ "$ref": "#/definitions/englishLanguageDescription"
+ }
+ },
+ "problemTypes": {
+ "type": "array",
+ "description": "This is problem type information (e.g. CWE identifier). Must contain: At least one entry, can be text, OWASP, CWE, please note that while only one is required you can use more than one (or indeed all three) as long as they are correct). (CNA requirement: [PROBLEMTYPE]).",
+ "items": {
+ "type": "object",
+ "required": [
+ "descriptions"
+ ],
+ "properties": {
+ "descriptions": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "required": [
+ "lang",
+ "description"
+ ],
+ "properties": {
+ "lang": {
+ "$ref": "#/definitions/language"
+ },
+ "description": {
+ "type": "string",
+ "description": "Text description of problemType, or title from CWE or OWASP.",
+ "minLength": 1,
+ "maxLength": 4096
+ },
+ "cweId": {
+ "type": "string",
+ "description": "CWE ID of the CWE that best describes this problemType entry.",
+ "minLength": 5,
+ "maxLength": 9,
+ "pattern": "^CWE-[1-9][0-9]*$"
+ },
+ "type": {
+ "type": "string",
+ "description": "Problemtype source, text, OWASP, CWE, etc.,",
+ "minLength": 1,
+ "maxLength": 128
+ },
+ "references": {
+ "$ref": "#/definitions/references"
+ }
+ },
+ "additionalProperties": false
+ },
+ "minItems": 1,
+ "uniqueItems": true
+ }
+ },
+ "additionalProperties": false
+ },
+ "minItems": 1,
+ "uniqueItems": true
+ },
+ "references": {
+ "type": "array",
+ "description": "This is reference data in the form of URLs or file objects (uuencoded and embedded within the JSON file, exact format to be decided, e.g. we may require a compressed format so the objects require unpacking before they are \"dangerous\").",
+ "items": {
+ "$ref": "#/definitions/reference"
+ },
+ "minItems": 1,
+ "maxItems": 512,
+ "uniqueItems": true
+ },
+ "impacts": {
+ "type": "array",
+ "description": "Collection of impacts of this vulnerability.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "description": "This is impact type information (e.g. a text description.",
+ "required": [
+ "descriptions"
+ ],
+ "properties": {
+ "capecId": {
+ "type": "string",
+ "description": "CAPEC ID that best relates to this impact.",
+ "minLength": 7,
+ "maxLength": 11,
+ "pattern": "^CAPEC-[1-9][0-9]{0,4}$"
+ },
+ "descriptions": {
+ "description": "Prose description of the impact scenario. At a minimum provide the description given by CAPEC.",
+ "$ref": "#/definitions/descriptions"
+ }
+ },
+ "additionalProperties": false
+ }
+ },
+ "metrics": {
+ "type": "array",
+ "description": "Collection of impact scores with attribution.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "description": "This is impact type information (e.g. a text description, CVSSv2, CVSSv3, CVSSV4, etc.). Must contain: At least one entry, can be text, CVSSv2, CVSSv3, others may be added.",
+ "anyOf": [
+ {
+ "required": [
+ "cvssV4_0"
+ ]
+ },
+ {
+ "required": [
+ "cvssV3_1"
+ ]
+ },
+ {
+ "required": [
+ "cvssV3_0"
+ ]
+ },
+ {
+ "required": [
+ "cvssV2_0"
+ ]
+ },
+ {
+ "required": [
+ "other"
+ ]
+ }
+ ],
+ "properties": {
+ "format": {
+ "type": "string",
+ "description": "Name of the scoring format. This provides a bit of future proofing. Additional properties are not prohibited, so this will support the inclusion of proprietary formats. It also provides an easy future conversion mechanism when future score formats become part of the schema. example: cvssV44, format = 'cvssV44', other = cvssV4_4 JSON object. In the future, the other properties can be converted to score properties when they become part of the schema.",
+ "minLength": 1,
+ "maxLength": 64
+ },
+ "scenarios": {
+ "type": "array",
+ "description": "Description of the scenarios this metrics object applies to. If no specific scenario is given, GENERAL is used as the default and applies when no more specific metric matches.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "properties": {
+ "lang": {
+ "$ref": "#/definitions/language"
+ },
+ "value": {
+ "type": "string",
+ "default": "GENERAL",
+ "description": "Description of the scenario this metrics object applies to. If no specific scenario is given, GENERAL is used as the default and applies when no more specific metric matches.",
+ "minLength": 1,
+ "maxLength": 4096
+ }
+ },
+ "required": [
+ "lang",
+ "value"
+ ],
+ "additionalProperties": false
+ }
+ },
+ "cvssV4_0": {
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "title": "JSON Schema for Common Vulnerability Scoring System version 4.0",
+ "type": "object",
+ "definitions": {
+ "attackVectorType": {
+ "type": "string",
+ "enum": [
+ "NETWORK",
+ "ADJACENT",
+ "LOCAL",
+ "PHYSICAL"
+ ]
+ },
+ "modifiedAttackVectorType": {
+ "type": "string",
+ "enum": [
+ "NETWORK",
+ "ADJACENT",
+ "LOCAL",
+ "PHYSICAL",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "attackComplexityType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "LOW"
+ ]
+ },
+ "modifiedAttackComplexityType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "LOW",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "attackRequirementsType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "PRESENT"
+ ]
+ },
+ "modifiedAttackRequirementsType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "PRESENT",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "privilegesRequiredType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "LOW",
+ "NONE"
+ ]
+ },
+ "modifiedPrivilegesRequiredType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "LOW",
+ "NONE",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "userInteractionType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "PASSIVE",
+ "ACTIVE"
+ ]
+ },
+ "modifiedUserInteractionType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "PASSIVE",
+ "ACTIVE",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "vulnCiaType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "HIGH"
+ ]
+ },
+ "modifiedVulnCiaType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "HIGH",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "subCiaType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "HIGH"
+ ]
+ },
+ "modifiedSubCType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "HIGH",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "modifiedSubIaType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "HIGH",
+ "SAFETY",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "exploitMaturityType": {
+ "type": "string",
+ "enum": [
+ "UNREPORTED",
+ "PROOF_OF_CONCEPT",
+ "ATTACKED",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "ciaRequirementType": {
+ "type": "string",
+ "enum": [
+ "LOW",
+ "MEDIUM",
+ "HIGH",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "safetyType": {
+ "type": "string",
+ "enum": [
+ "NEGLIGIBLE",
+ "PRESENT",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "automatableType": {
+ "type": "string",
+ "enum": [
+ "NO",
+ "YES",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "recoveryType": {
+ "type": "string",
+ "enum": [
+ "AUTOMATIC",
+ "USER",
+ "IRRECOVERABLE",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "valueDensityType": {
+ "type": "string",
+ "enum": [
+ "DIFFUSE",
+ "CONCENTRATED",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "vulnerabilityResponseEffortType": {
+ "type": "string",
+ "enum": [
+ "LOW",
+ "MODERATE",
+ "HIGH",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "providerUrgencyType": {
+ "type": "string",
+ "enum": [
+ "CLEAR",
+ "GREEN",
+ "AMBER",
+ "RED",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "scoreType": {
+ "type": "number",
+ "enum": [
+ 0,
+ 0.1,
+ 0.2,
+ 0.3,
+ 0.4,
+ 0.5,
+ 0.6,
+ 0.7,
+ 0.8,
+ 0.9,
+ 1,
+ 1.1,
+ 1.2,
+ 1.3,
+ 1.4,
+ 1.5,
+ 1.6,
+ 1.7,
+ 1.8,
+ 1.9,
+ 2,
+ 2.1,
+ 2.2,
+ 2.3,
+ 2.4,
+ 2.5,
+ 2.6,
+ 2.7,
+ 2.8,
+ 2.9,
+ 3,
+ 3.1,
+ 3.2,
+ 3.3,
+ 3.4,
+ 3.5,
+ 3.6,
+ 3.7,
+ 3.8,
+ 3.9,
+ 4,
+ 4.1,
+ 4.2,
+ 4.3,
+ 4.4,
+ 4.5,
+ 4.6,
+ 4.7,
+ 4.8,
+ 4.9,
+ 5,
+ 5.1,
+ 5.2,
+ 5.3,
+ 5.4,
+ 5.5,
+ 5.6,
+ 5.7,
+ 5.8,
+ 5.9,
+ 6,
+ 6.1,
+ 6.2,
+ 6.3,
+ 6.4,
+ 6.5,
+ 6.6,
+ 6.7,
+ 6.8,
+ 6.9,
+ 7,
+ 7.1,
+ 7.2,
+ 7.3,
+ 7.4,
+ 7.5,
+ 7.6,
+ 7.7,
+ 7.8,
+ 7.9,
+ 8,
+ 8.1,
+ 8.2,
+ 8.3,
+ 8.4,
+ 8.5,
+ 8.6,
+ 8.7,
+ 8.8,
+ 8.9,
+ 9,
+ 9.1,
+ 9.2,
+ 9.3,
+ 9.4,
+ 9.5,
+ 9.6,
+ 9.7,
+ 9.8,
+ 9.9,
+ 10
+ ]
+ },
+ "noneScoreType": {
+ "type": "number",
+ "minimum": 0,
+ "maximum": 0
+ },
+ "lowScoreType": {
+ "type": "number",
+ "enum": [
+ 0.1,
+ 0.2,
+ 0.3,
+ 0.4,
+ 0.5,
+ 0.6,
+ 0.7,
+ 0.8,
+ 0.9,
+ 1,
+ 1.1,
+ 1.2,
+ 1.3,
+ 1.4,
+ 1.5,
+ 1.6,
+ 1.7,
+ 1.8,
+ 1.9,
+ 2,
+ 2.1,
+ 2.2,
+ 2.3,
+ 2.4,
+ 2.5,
+ 2.6,
+ 2.7,
+ 2.8,
+ 2.9,
+ 3,
+ 3.1,
+ 3.2,
+ 3.3,
+ 3.4,
+ 3.5,
+ 3.6,
+ 3.7,
+ 3.8,
+ 3.9
+ ]
+ },
+ "mediumScoreType": {
+ "type": "number",
+ "enum": [
+ 4,
+ 4.1,
+ 4.2,
+ 4.3,
+ 4.4,
+ 4.5,
+ 4.6,
+ 4.7,
+ 4.8,
+ 4.9,
+ 5,
+ 5.1,
+ 5.2,
+ 5.3,
+ 5.4,
+ 5.5,
+ 5.6,
+ 5.7,
+ 5.8,
+ 5.9,
+ 6,
+ 6.1,
+ 6.2,
+ 6.3,
+ 6.4,
+ 6.5,
+ 6.6,
+ 6.7,
+ 6.8,
+ 6.9
+ ]
+ },
+ "highScoreType": {
+ "type": "number",
+ "enum": [
+ 7,
+ 7.1,
+ 7.2,
+ 7.3,
+ 7.4,
+ 7.5,
+ 7.6,
+ 7.7,
+ 7.8,
+ 7.9,
+ 8,
+ 8.1,
+ 8.2,
+ 8.3,
+ 8.4,
+ 8.5,
+ 8.6,
+ 8.7,
+ 8.8,
+ 8.9
+ ]
+ },
+ "criticalScoreType": {
+ "type": "number",
+ "enum": [
+ 9,
+ 9.1,
+ 9.2,
+ 9.3,
+ 9.4,
+ 9.5,
+ 9.6,
+ 9.7,
+ 9.8,
+ 9.9,
+ 10
+ ]
+ },
+ "severityType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "MEDIUM",
+ "HIGH",
+ "CRITICAL"
+ ]
+ },
+ "noneSeverityType": {
+ "const": "NONE"
+ },
+ "lowSeverityType": {
+ "const": "LOW"
+ },
+ "mediumSeverityType": {
+ "const": "MEDIUM"
+ },
+ "highSeverityType": {
+ "const": "HIGH"
+ },
+ "criticalSeverityType": {
+ "const": "CRITICAL"
+ }
+ },
+ "properties": {
+ "version": {
+ "description": "CVSS Version",
+ "type": "string",
+ "enum": [
+ "4.0"
+ ]
+ },
+ "vectorString": {
+ "type": "string",
+ "pattern": "^CVSS:4[.]0/AV:[NALP]/AC:[LH]/AT:[NP]/PR:[NLH]/UI:[NPA]/VC:[HLN]/VI:[HLN]/VA:[HLN]/SC:[HLN]/SI:[HLN]/SA:[HLN](/E:[XAPU])?(/CR:[XHML])?(/IR:[XHML])?(/AR:[XHML])?(/MAV:[XNALP])?(/MAC:[XLH])?(/MAT:[XNP])?(/MPR:[XNLH])?(/MUI:[XNPA])?(/MVC:[XNLH])?(/MVI:[XNLH])?(/MVA:[XNLH])?(/MSC:[XNLH])?(/MSI:[XNLHS])?(/MSA:[XNLHS])?(/S:[XNP])?(/AU:[XNY])?(/R:[XAUI])?(/V:[XDC])?(/RE:[XLMH])?(/U:(X|Clear|Green|Amber|Red))?$"
+ },
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/scoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/severityType"
+ },
+ "attackVector": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/attackVectorType"
+ },
+ "attackComplexity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/attackComplexityType"
+ },
+ "attackRequirements": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/attackRequirementsType"
+ },
+ "privilegesRequired": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/privilegesRequiredType"
+ },
+ "userInteraction": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/userInteractionType"
+ },
+ "vulnConfidentialityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType"
+ },
+ "vulnIntegrityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType"
+ },
+ "vulnAvailabilityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType"
+ },
+ "subConfidentialityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType"
+ },
+ "subIntegrityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType"
+ },
+ "subAvailabilityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType"
+ },
+ "exploitMaturity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/exploitMaturityType"
+ },
+ "confidentialityRequirement": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType"
+ },
+ "integrityRequirement": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType"
+ },
+ "availabilityRequirement": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType"
+ },
+ "modifiedAttackVector": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackVectorType"
+ },
+ "modifiedAttackComplexity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackComplexityType"
+ },
+ "modifiedAttackRequirements": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackRequirementsType"
+ },
+ "modifiedPrivilegesRequired": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedPrivilegesRequiredType"
+ },
+ "modifiedUserInteraction": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedUserInteractionType"
+ },
+ "modifiedVulnConfidentialityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType"
+ },
+ "modifiedVulnIntegrityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType"
+ },
+ "modifiedVulnAvailabilityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType"
+ },
+ "modifiedSubConfidentialityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubCType"
+ },
+ "modifiedSubIntegrityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubIaType"
+ },
+ "modifiedSubAvailabilityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubIaType"
+ },
+ "Safety": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/safetyType"
+ },
+ "Automatable": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/automatableType"
+ },
+ "Recovery": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/recoveryType"
+ },
+ "valueDensity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/valueDensityType"
+ },
+ "vulnerabilityResponseEffort": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnerabilityResponseEffortType"
+ },
+ "providerUrgency": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/providerUrgencyType"
+ }
+ },
+ "allOf": [
+ {
+ "anyOf": [
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalSeverityType"
+ }
+ }
+ }
+ ]
+ },
+ {
+ "anyOf": [
+ {
+ "properties": {
+ "threatScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType"
+ },
+ "threatSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "threatScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowScoreType"
+ },
+ "threatSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "threatScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumScoreType"
+ },
+ "threatSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "threatScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highScoreType"
+ },
+ "threatSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "threatScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalScoreType"
+ },
+ "threatSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalSeverityType"
+ }
+ }
+ }
+ ]
+ },
+ {
+ "anyOf": [
+ {
+ "properties": {
+ "environmentalScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType"
+ },
+ "environmentalSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "environmentalScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowScoreType"
+ },
+ "environmentalSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "environmentalScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumScoreType"
+ },
+ "environmentalSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "environmentalScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highScoreType"
+ },
+ "environmentalSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "environmentalScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalScoreType"
+ },
+ "environmentalSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalSeverityType"
+ }
+ }
+ }
+ ]
+ }
+ ],
+ "required": [
+ "version",
+ "vectorString",
+ "baseScore",
+ "baseSeverity"
+ ],
+ "additionalProperties": false
+ },
+ "cvssV3_1": {
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "title": "JSON Schema for Common Vulnerability Scoring System version 3.1",
+ "type": "object",
+ "definitions": {
+ "attackVectorType": {
+ "type": "string",
+ "enum": [
+ "NETWORK",
+ "ADJACENT_NETWORK",
+ "LOCAL",
+ "PHYSICAL"
+ ]
+ },
+ "modifiedAttackVectorType": {
+ "type": "string",
+ "enum": [
+ "NETWORK",
+ "ADJACENT_NETWORK",
+ "LOCAL",
+ "PHYSICAL",
+ "NOT_DEFINED"
+ ]
+ },
+ "attackComplexityType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "LOW"
+ ]
+ },
+ "modifiedAttackComplexityType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "LOW",
+ "NOT_DEFINED"
+ ]
+ },
+ "privilegesRequiredType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "LOW",
+ "NONE"
+ ]
+ },
+ "modifiedPrivilegesRequiredType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "LOW",
+ "NONE",
+ "NOT_DEFINED"
+ ]
+ },
+ "userInteractionType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "REQUIRED"
+ ]
+ },
+ "modifiedUserInteractionType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "REQUIRED",
+ "NOT_DEFINED"
+ ]
+ },
+ "scopeType": {
+ "type": "string",
+ "enum": [
+ "UNCHANGED",
+ "CHANGED"
+ ]
+ },
+ "modifiedScopeType": {
+ "type": "string",
+ "enum": [
+ "UNCHANGED",
+ "CHANGED",
+ "NOT_DEFINED"
+ ]
+ },
+ "ciaType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "HIGH"
+ ]
+ },
+ "modifiedCiaType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "HIGH",
+ "NOT_DEFINED"
+ ]
+ },
+ "exploitCodeMaturityType": {
+ "type": "string",
+ "enum": [
+ "UNPROVEN",
+ "PROOF_OF_CONCEPT",
+ "FUNCTIONAL",
+ "HIGH",
+ "NOT_DEFINED"
+ ]
+ },
+ "remediationLevelType": {
+ "type": "string",
+ "enum": [
+ "OFFICIAL_FIX",
+ "TEMPORARY_FIX",
+ "WORKAROUND",
+ "UNAVAILABLE",
+ "NOT_DEFINED"
+ ]
+ },
+ "confidenceType": {
+ "type": "string",
+ "enum": [
+ "UNKNOWN",
+ "REASONABLE",
+ "CONFIRMED",
+ "NOT_DEFINED"
+ ]
+ },
+ "ciaRequirementType": {
+ "type": "string",
+ "enum": [
+ "LOW",
+ "MEDIUM",
+ "HIGH",
+ "NOT_DEFINED"
+ ]
+ },
+ "scoreType": {
+ "type": "number",
+ "enum": [
+ 0,
+ 0.1,
+ 0.2,
+ 0.3,
+ 0.4,
+ 0.5,
+ 0.6,
+ 0.7,
+ 0.8,
+ 0.9,
+ 1,
+ 1.1,
+ 1.2,
+ 1.3,
+ 1.4,
+ 1.5,
+ 1.6,
+ 1.7,
+ 1.8,
+ 1.9,
+ 2,
+ 2.1,
+ 2.2,
+ 2.3,
+ 2.4,
+ 2.5,
+ 2.6,
+ 2.7,
+ 2.8,
+ 2.9,
+ 3,
+ 3.1,
+ 3.2,
+ 3.3,
+ 3.4,
+ 3.5,
+ 3.6,
+ 3.7,
+ 3.8,
+ 3.9,
+ 4,
+ 4.1,
+ 4.2,
+ 4.3,
+ 4.4,
+ 4.5,
+ 4.6,
+ 4.7,
+ 4.8,
+ 4.9,
+ 5,
+ 5.1,
+ 5.2,
+ 5.3,
+ 5.4,
+ 5.5,
+ 5.6,
+ 5.7,
+ 5.8,
+ 5.9,
+ 6,
+ 6.1,
+ 6.2,
+ 6.3,
+ 6.4,
+ 6.5,
+ 6.6,
+ 6.7,
+ 6.8,
+ 6.9,
+ 7,
+ 7.1,
+ 7.2,
+ 7.3,
+ 7.4,
+ 7.5,
+ 7.6,
+ 7.7,
+ 7.8,
+ 7.9,
+ 8,
+ 8.1,
+ 8.2,
+ 8.3,
+ 8.4,
+ 8.5,
+ 8.6,
+ 8.7,
+ 8.8,
+ 8.9,
+ 9,
+ 9.1,
+ 9.2,
+ 9.3,
+ 9.4,
+ 9.5,
+ 9.6,
+ 9.7,
+ 9.8,
+ 9.9,
+ 10
+ ]
+ },
+ "severityType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "MEDIUM",
+ "HIGH",
+ "CRITICAL"
+ ]
+ },
+ "noneScoreType": {
+ "type": "number",
+ "minimum": 0,
+ "maximum": 0
+ },
+ "lowScoreType": {
+ "type": "number",
+ "enum": [
+ 0.1,
+ 0.2,
+ 0.3,
+ 0.4,
+ 0.5,
+ 0.6,
+ 0.7,
+ 0.8,
+ 0.9,
+ 1,
+ 1.1,
+ 1.2,
+ 1.3,
+ 1.4,
+ 1.5,
+ 1.6,
+ 1.7,
+ 1.8,
+ 1.9,
+ 2,
+ 2.1,
+ 2.2,
+ 2.3,
+ 2.4,
+ 2.5,
+ 2.6,
+ 2.7,
+ 2.8,
+ 2.9,
+ 3,
+ 3.1,
+ 3.2,
+ 3.3,
+ 3.4,
+ 3.5,
+ 3.6,
+ 3.7,
+ 3.8,
+ 3.9
+ ]
+ },
+ "mediumScoreType": {
+ "type": "number",
+ "enum": [
+ 4,
+ 4.1,
+ 4.2,
+ 4.3,
+ 4.4,
+ 4.5,
+ 4.6,
+ 4.7,
+ 4.8,
+ 4.9,
+ 5,
+ 5.1,
+ 5.2,
+ 5.3,
+ 5.4,
+ 5.5,
+ 5.6,
+ 5.7,
+ 5.8,
+ 5.9,
+ 6,
+ 6.1,
+ 6.2,
+ 6.3,
+ 6.4,
+ 6.5,
+ 6.6,
+ 6.7,
+ 6.8,
+ 6.9
+ ]
+ },
+ "highScoreType": {
+ "type": "number",
+ "enum": [
+ 7,
+ 7.1,
+ 7.2,
+ 7.3,
+ 7.4,
+ 7.5,
+ 7.6,
+ 7.7,
+ 7.8,
+ 7.9,
+ 8,
+ 8.1,
+ 8.2,
+ 8.3,
+ 8.4,
+ 8.5,
+ 8.6,
+ 8.7,
+ 8.8,
+ 8.9
+ ]
+ },
+ "criticalScoreType": {
+ "type": "number",
+ "enum": [
+ 9,
+ 9.1,
+ 9.2,
+ 9.3,
+ 9.4,
+ 9.5,
+ 9.6,
+ 9.7,
+ 9.8,
+ 9.9,
+ 10
+ ]
+ },
+ "noneSeverityType": {
+ "const": "NONE"
+ },
+ "lowSeverityType": {
+ "const": "LOW"
+ },
+ "mediumSeverityType": {
+ "const": "MEDIUM"
+ },
+ "highSeverityType": {
+ "const": "HIGH"
+ },
+ "criticalSeverityType": {
+ "const": "CRITICAL"
+ }
+ },
+ "properties": {
+ "version": {
+ "description": "CVSS Version",
+ "type": "string",
+ "enum": [
+ "3.1"
+ ]
+ },
+ "vectorString": {
+ "type": "string",
+ "pattern": "^CVSS:3[.]1/((AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$"
+ },
+ "attackVector": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/attackVectorType"
+ },
+ "attackComplexity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/attackComplexityType"
+ },
+ "privilegesRequired": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/privilegesRequiredType"
+ },
+ "userInteraction": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/userInteractionType"
+ },
+ "scope": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scopeType"
+ },
+ "confidentialityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType"
+ },
+ "integrityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType"
+ },
+ "availabilityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType"
+ },
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType"
+ },
+ "exploitCodeMaturity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/exploitCodeMaturityType"
+ },
+ "remediationLevel": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/remediationLevelType"
+ },
+ "reportConfidence": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/confidenceType"
+ },
+ "temporalScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType"
+ },
+ "temporalSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType"
+ },
+ "confidentialityRequirement": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType"
+ },
+ "integrityRequirement": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType"
+ },
+ "availabilityRequirement": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType"
+ },
+ "modifiedAttackVector": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedAttackVectorType"
+ },
+ "modifiedAttackComplexity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedAttackComplexityType"
+ },
+ "modifiedPrivilegesRequired": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedPrivilegesRequiredType"
+ },
+ "modifiedUserInteraction": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedUserInteractionType"
+ },
+ "modifiedScope": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedScopeType"
+ },
+ "modifiedConfidentialityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType"
+ },
+ "modifiedIntegrityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType"
+ },
+ "modifiedAvailabilityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType"
+ },
+ "environmentalScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType"
+ },
+ "environmentalSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType"
+ }
+ },
+ "anyOf": [
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/noneScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/noneSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/lowScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/lowSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/mediumScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/mediumSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/highScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/highSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/criticalScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/criticalSeverityType"
+ }
+ }
+ }
+ ],
+ "required": [
+ "version",
+ "vectorString",
+ "baseScore",
+ "baseSeverity"
+ ],
+ "additionalProperties": false
+ },
+ "cvssV3_0": {
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "title": "JSON Schema for Common Vulnerability Scoring System version 3.0",
+ "type": "object",
+ "definitions": {
+ "attackVectorType": {
+ "type": "string",
+ "enum": [
+ "NETWORK",
+ "ADJACENT_NETWORK",
+ "LOCAL",
+ "PHYSICAL"
+ ]
+ },
+ "modifiedAttackVectorType": {
+ "type": "string",
+ "enum": [
+ "NETWORK",
+ "ADJACENT_NETWORK",
+ "LOCAL",
+ "PHYSICAL",
+ "NOT_DEFINED"
+ ]
+ },
+ "attackComplexityType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "LOW"
+ ]
+ },
+ "modifiedAttackComplexityType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "LOW",
+ "NOT_DEFINED"
+ ]
+ },
+ "privilegesRequiredType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "LOW",
+ "NONE"
+ ]
+ },
+ "modifiedPrivilegesRequiredType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "LOW",
+ "NONE",
+ "NOT_DEFINED"
+ ]
+ },
+ "userInteractionType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "REQUIRED"
+ ]
+ },
+ "modifiedUserInteractionType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "REQUIRED",
+ "NOT_DEFINED"
+ ]
+ },
+ "scopeType": {
+ "type": "string",
+ "enum": [
+ "UNCHANGED",
+ "CHANGED"
+ ]
+ },
+ "modifiedScopeType": {
+ "type": "string",
+ "enum": [
+ "UNCHANGED",
+ "CHANGED",
+ "NOT_DEFINED"
+ ]
+ },
+ "ciaType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "HIGH"
+ ]
+ },
+ "modifiedCiaType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "HIGH",
+ "NOT_DEFINED"
+ ]
+ },
+ "exploitCodeMaturityType": {
+ "type": "string",
+ "enum": [
+ "UNPROVEN",
+ "PROOF_OF_CONCEPT",
+ "FUNCTIONAL",
+ "HIGH",
+ "NOT_DEFINED"
+ ]
+ },
+ "remediationLevelType": {
+ "type": "string",
+ "enum": [
+ "OFFICIAL_FIX",
+ "TEMPORARY_FIX",
+ "WORKAROUND",
+ "UNAVAILABLE",
+ "NOT_DEFINED"
+ ]
+ },
+ "confidenceType": {
+ "type": "string",
+ "enum": [
+ "UNKNOWN",
+ "REASONABLE",
+ "CONFIRMED",
+ "NOT_DEFINED"
+ ]
+ },
+ "ciaRequirementType": {
+ "type": "string",
+ "enum": [
+ "LOW",
+ "MEDIUM",
+ "HIGH",
+ "NOT_DEFINED"
+ ]
+ },
+ "scoreType": {
+ "type": "number",
+ "enum": [
+ 0,
+ 0.1,
+ 0.2,
+ 0.3,
+ 0.4,
+ 0.5,
+ 0.6,
+ 0.7,
+ 0.8,
+ 0.9,
+ 1,
+ 1.1,
+ 1.2,
+ 1.3,
+ 1.4,
+ 1.5,
+ 1.6,
+ 1.7,
+ 1.8,
+ 1.9,
+ 2,
+ 2.1,
+ 2.2,
+ 2.3,
+ 2.4,
+ 2.5,
+ 2.6,
+ 2.7,
+ 2.8,
+ 2.9,
+ 3,
+ 3.1,
+ 3.2,
+ 3.3,
+ 3.4,
+ 3.5,
+ 3.6,
+ 3.7,
+ 3.8,
+ 3.9,
+ 4,
+ 4.1,
+ 4.2,
+ 4.3,
+ 4.4,
+ 4.5,
+ 4.6,
+ 4.7,
+ 4.8,
+ 4.9,
+ 5,
+ 5.1,
+ 5.2,
+ 5.3,
+ 5.4,
+ 5.5,
+ 5.6,
+ 5.7,
+ 5.8,
+ 5.9,
+ 6,
+ 6.1,
+ 6.2,
+ 6.3,
+ 6.4,
+ 6.5,
+ 6.6,
+ 6.7,
+ 6.8,
+ 6.9,
+ 7,
+ 7.1,
+ 7.2,
+ 7.3,
+ 7.4,
+ 7.5,
+ 7.6,
+ 7.7,
+ 7.8,
+ 7.9,
+ 8,
+ 8.1,
+ 8.2,
+ 8.3,
+ 8.4,
+ 8.5,
+ 8.6,
+ 8.7,
+ 8.8,
+ 8.9,
+ 9,
+ 9.1,
+ 9.2,
+ 9.3,
+ 9.4,
+ 9.5,
+ 9.6,
+ 9.7,
+ 9.8,
+ 9.9,
+ 10
+ ]
+ },
+ "noneScoreType": {
+ "type": "number",
+ "minimum": 0,
+ "maximum": 0
+ },
+ "lowScoreType": {
+ "type": "number",
+ "enum": [
+ 0.1,
+ 0.2,
+ 0.3,
+ 0.4,
+ 0.5,
+ 0.6,
+ 0.7,
+ 0.8,
+ 0.9,
+ 1,
+ 1.1,
+ 1.2,
+ 1.3,
+ 1.4,
+ 1.5,
+ 1.6,
+ 1.7,
+ 1.8,
+ 1.9,
+ 2,
+ 2.1,
+ 2.2,
+ 2.3,
+ 2.4,
+ 2.5,
+ 2.6,
+ 2.7,
+ 2.8,
+ 2.9,
+ 3,
+ 3.1,
+ 3.2,
+ 3.3,
+ 3.4,
+ 3.5,
+ 3.6,
+ 3.7,
+ 3.8,
+ 3.9
+ ]
+ },
+ "mediumScoreType": {
+ "type": "number",
+ "enum": [
+ 4,
+ 4.1,
+ 4.2,
+ 4.3,
+ 4.4,
+ 4.5,
+ 4.6,
+ 4.7,
+ 4.8,
+ 4.9,
+ 5,
+ 5.1,
+ 5.2,
+ 5.3,
+ 5.4,
+ 5.5,
+ 5.6,
+ 5.7,
+ 5.8,
+ 5.9,
+ 6,
+ 6.1,
+ 6.2,
+ 6.3,
+ 6.4,
+ 6.5,
+ 6.6,
+ 6.7,
+ 6.8,
+ 6.9
+ ]
+ },
+ "highScoreType": {
+ "type": "number",
+ "enum": [
+ 7,
+ 7.1,
+ 7.2,
+ 7.3,
+ 7.4,
+ 7.5,
+ 7.6,
+ 7.7,
+ 7.8,
+ 7.9,
+ 8,
+ 8.1,
+ 8.2,
+ 8.3,
+ 8.4,
+ 8.5,
+ 8.6,
+ 8.7,
+ 8.8,
+ 8.9
+ ]
+ },
+ "criticalScoreType": {
+ "type": "number",
+ "enum": [
+ 9,
+ 9.1,
+ 9.2,
+ 9.3,
+ 9.4,
+ 9.5,
+ 9.6,
+ 9.7,
+ 9.8,
+ 9.9,
+ 10
+ ]
+ },
+ "severityType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "MEDIUM",
+ "HIGH",
+ "CRITICAL"
+ ]
+ },
+ "noneSeverityType": {
+ "const": "NONE"
+ },
+ "lowSeverityType": {
+ "const": "LOW"
+ },
+ "mediumSeverityType": {
+ "const": "MEDIUM"
+ },
+ "highSeverityType": {
+ "const": "HIGH"
+ },
+ "criticalSeverityType": {
+ "const": "CRITICAL"
+ }
+ },
+ "properties": {
+ "version": {
+ "description": "CVSS Version",
+ "type": "string",
+ "enum": [
+ "3.0"
+ ]
+ },
+ "vectorString": {
+ "type": "string",
+ "pattern": "^CVSS:3[.]0/((AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$"
+ },
+ "attackVector": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/attackVectorType"
+ },
+ "attackComplexity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/attackComplexityType"
+ },
+ "privilegesRequired": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/privilegesRequiredType"
+ },
+ "userInteraction": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/userInteractionType"
+ },
+ "scope": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scopeType"
+ },
+ "confidentialityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType"
+ },
+ "integrityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType"
+ },
+ "availabilityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType"
+ },
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType"
+ },
+ "exploitCodeMaturity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/exploitCodeMaturityType"
+ },
+ "remediationLevel": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/remediationLevelType"
+ },
+ "reportConfidence": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/confidenceType"
+ },
+ "temporalScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType"
+ },
+ "temporalSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType"
+ },
+ "confidentialityRequirement": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType"
+ },
+ "integrityRequirement": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType"
+ },
+ "availabilityRequirement": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType"
+ },
+ "modifiedAttackVector": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedAttackVectorType"
+ },
+ "modifiedAttackComplexity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedAttackComplexityType"
+ },
+ "modifiedPrivilegesRequired": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedPrivilegesRequiredType"
+ },
+ "modifiedUserInteraction": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedUserInteractionType"
+ },
+ "modifiedScope": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedScopeType"
+ },
+ "modifiedConfidentialityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType"
+ },
+ "modifiedIntegrityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType"
+ },
+ "modifiedAvailabilityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType"
+ },
+ "environmentalScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType"
+ },
+ "environmentalSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType"
+ }
+ },
+ "anyOf": [
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/noneScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/noneSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/lowScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/lowSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/mediumScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/mediumSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/highScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/highSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/criticalScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/criticalSeverityType"
+ }
+ }
+ }
+ ],
+ "required": [
+ "version",
+ "vectorString",
+ "baseScore",
+ "baseSeverity"
+ ],
+ "additionalProperties": false
+ },
+ "cvssV2_0": {
+ "$schema": "http://json-schema.org/draft-04/schema#",
+ "title": "JSON Schema for Common Vulnerability Scoring System version 2.0",
+ "type": "object",
+ "definitions": {
+ "accessVectorType": {
+ "type": "string",
+ "enum": [
+ "NETWORK",
+ "ADJACENT_NETWORK",
+ "LOCAL"
+ ]
+ },
+ "accessComplexityType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "MEDIUM",
+ "LOW"
+ ]
+ },
+ "authenticationType": {
+ "type": "string",
+ "enum": [
+ "MULTIPLE",
+ "SINGLE",
+ "NONE"
+ ]
+ },
+ "ciaType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "PARTIAL",
+ "COMPLETE"
+ ]
+ },
+ "exploitabilityType": {
+ "type": "string",
+ "enum": [
+ "UNPROVEN",
+ "PROOF_OF_CONCEPT",
+ "FUNCTIONAL",
+ "HIGH",
+ "NOT_DEFINED"
+ ]
+ },
+ "remediationLevelType": {
+ "type": "string",
+ "enum": [
+ "OFFICIAL_FIX",
+ "TEMPORARY_FIX",
+ "WORKAROUND",
+ "UNAVAILABLE",
+ "NOT_DEFINED"
+ ]
+ },
+ "reportConfidenceType": {
+ "type": "string",
+ "enum": [
+ "UNCONFIRMED",
+ "UNCORROBORATED",
+ "CONFIRMED",
+ "NOT_DEFINED"
+ ]
+ },
+ "collateralDamagePotentialType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "LOW_MEDIUM",
+ "MEDIUM_HIGH",
+ "HIGH",
+ "NOT_DEFINED"
+ ]
+ },
+ "targetDistributionType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "MEDIUM",
+ "HIGH",
+ "NOT_DEFINED"
+ ]
+ },
+ "ciaRequirementType": {
+ "type": "string",
+ "enum": [
+ "LOW",
+ "MEDIUM",
+ "HIGH",
+ "NOT_DEFINED"
+ ]
+ },
+ "scoreType": {
+ "type": "number",
+ "minimum": 0,
+ "maximum": 10
+ }
+ },
+ "properties": {
+ "version": {
+ "description": "CVSS Version",
+ "type": "string",
+ "enum": [
+ "2.0"
+ ]
+ },
+ "vectorString": {
+ "type": "string",
+ "pattern": "^((AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))/)*(AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))$"
+ },
+ "accessVector": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/accessVectorType"
+ },
+ "accessComplexity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/accessComplexityType"
+ },
+ "authentication": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/authenticationType"
+ },
+ "confidentialityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType"
+ },
+ "integrityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType"
+ },
+ "availabilityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType"
+ },
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType"
+ },
+ "exploitability": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/exploitabilityType"
+ },
+ "remediationLevel": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/remediationLevelType"
+ },
+ "reportConfidence": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/reportConfidenceType"
+ },
+ "temporalScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType"
+ },
+ "collateralDamagePotential": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/collateralDamagePotentialType"
+ },
+ "targetDistribution": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/targetDistributionType"
+ },
+ "confidentialityRequirement": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType"
+ },
+ "integrityRequirement": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType"
+ },
+ "availabilityRequirement": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType"
+ },
+ "environmentalScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType"
+ }
+ },
+ "required": [
+ "version",
+ "vectorString",
+ "baseScore"
+ ],
+ "additionalProperties": false
+ },
+ "other": {
+ "type": "object",
+ "description": "A non-standard impact description, may be prose or JSON block.",
+ "required": [
+ "type",
+ "content"
+ ],
+ "properties": {
+ "type": {
+ "description": "Name of the non-standard impact metrics format used.",
+ "type": "string",
+ "minLength": 1,
+ "maxLength": 128
+ },
+ "content": {
+ "type": "object",
+ "$comment": "additionalProperties are allowed here, since this construct supports arbitrary JSON.",
+ "description": "JSON object not covered by another metrics format.",
+ "minProperties": 1
+ }
+ },
+ "additionalProperties": false
+ }
+ },
+ "additionalProperties": false
+ }
+ },
+ "configurations": {
+ "type": "array",
+ "description": "Configurations required for exploiting this vulnerability.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/definitions/description"
+ }
+ },
+ "workarounds": {
+ "type": "array",
+ "description": "Workarounds and mitigations for this vulnerability.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/definitions/description"
+ }
+ },
+ "solutions": {
+ "type": "array",
+ "description": "Information about solutions or remediations available for this vulnerability.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/definitions/description"
+ }
+ },
+ "exploits": {
+ "type": "array",
+ "description": "Information about exploits of the vulnerability.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/definitions/description"
+ }
+ },
+ "timeline": {
+ "type": "array",
+ "description": "This is timeline information for significant events about this vulnerability or changes to the CVE Record.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "required": [
+ "time",
+ "lang",
+ "value"
+ ],
+ "properties": {
+ "time": {
+ "description": "Timestamp representing when the event in the timeline occurred. The timestamp format is based on RFC3339 and ISO ISO8601, with an optional timezone. yyyy-MM-ddTHH:mm:ss[+-]ZH:ZM - if the timezone offset is not given, GMT (+00:00) is assumed.",
+ "$ref": "#/definitions/timestamp"
+ },
+ "lang": {
+ "description": "The language used in the description of the event. The language field is included so that CVE Records can support translations. The value must be a BCP 47 language code.",
+ "$ref": "#/definitions/language"
+ },
+ "value": {
+ "description": "A summary of the event.",
+ "type": "string",
+ "minLength": 1,
+ "maxLength": 4096
+ }
+ },
+ "additionalProperties": false
+ }
+ },
+ "credits": {
+ "type": "array",
+ "description": "Statements acknowledging specific people, organizations, or tools recognizing the work done in researching, discovering, remediating or helping with activities related to this CVE.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "properties": {
+ "lang": {
+ "description": "The language used when describing the credits. The language field is included so that CVE Records can support translations. The value must be a BCP 47 language code.",
+ "$ref": "#/definitions/language"
+ },
+ "value": {
+ "type": "string",
+ "minLength": 1,
+ "maxLength": 4096
+ },
+ "user": {
+ "description": "UUID of the user being credited if present in the CVE User Registry (optional). This UUID can be used to lookup the user record in the user registry service.",
+ "$ref": "#/definitions/uuidType"
+ },
+ "type": {
+ "type": "string",
+ "description": "Type or role of the entity being credited (optional). finder: identifies the vulnerability.\nreporter: notifies the vendor of the vulnerability to a CNA.\nanalyst: validates the vulnerability to ensure accuracy or severity.\ncoordinator: facilitates the coordinated response process.\nremediation developer: prepares a code change or other remediation plans.\nremediation reviewer: reviews vulnerability remediation plans or code changes for effectiveness and completeness.\nremediation verifier: tests and verifies the vulnerability or its remediation.\ntool: names of tools used in vulnerability discovery or identification.\nsponsor: supports the vulnerability identification or remediation activities.",
+ "default": "finder",
+ "enum": [
+ "finder",
+ "reporter",
+ "analyst",
+ "coordinator",
+ "remediation developer",
+ "remediation reviewer",
+ "remediation verifier",
+ "tool",
+ "sponsor",
+ "other"
+ ]
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ "lang",
+ "value"
+ ]
+ }
+ },
+ "source": {
+ "type": "object",
+ "description": "This is the source information (who discovered it, who researched it, etc.) and optionally a chain of CNA information (e.g. the originating CNA and subsequent parent CNAs who have processed it before it arrives at the MITRE root).\n Must contain: IF this is in the root level it MUST contain a CNA_chain entry, IF this source entry is NOT in the root (e.g. it is part of a vendor statement) then it must contain at least one type of data entry.",
+ "minProperties": 1
+ },
+ "language": {
+ "type": "string",
+ "description": "BCP 47 language code, language-region.",
+ "default": "en",
+ "pattern": "^[A-Za-z]{2,4}([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$"
+ },
+ "englishLanguage": {
+ "type": "string",
+ "description": "BCP 47 language code, language-region, required to be English.",
+ "pattern": "^en([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$"
+ },
+ "taxonomyMappings": {
+ "type": "array",
+ "description": "List of taxonomy items related to the vulnerability.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "description": "A taxonomy mapping object identifies the taxonomy by a name and version (eg., ATT&CK v13.1, CVSS 3.1, CWE 4.12) along with a list of relations relevant to this CVE.",
+ "required": [
+ "taxonomyName",
+ "taxonomyRelations"
+ ],
+ "properties": {
+ "taxonomyName": {
+ "type": "string",
+ "description": "The name of the taxonomy, eg., ATT&CK, D3FEND, CWE, CVSS",
+ "minLength": 1,
+ "maxLength": 128
+ },
+ "taxonomyVersion": {
+ "type": "string",
+ "description": "The version of taxonomy the identifiers come from.",
+ "minLength": 1,
+ "maxLength": 128
+ },
+ "taxonomyRelations": {
+ "type": "array",
+ "description": "List of relationships to the taxonomy for the vulnerability.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "description": "A relationship between the taxonomy and the CVE or two taxonomy items.",
+ "required": [
+ "taxonomyId",
+ "relationshipName",
+ "relationshipValue"
+ ],
+ "properties": {
+ "taxonomyId": {
+ "type": "string",
+ "description": "Identifier of the item in the taxonomy. Used as the subject of the relationship.",
+ "minLength": 1,
+ "maxLength": 2048
+ },
+ "relationshipName": {
+ "type": "string",
+ "description": "A description of the relationship.",
+ "minLength": 1,
+ "maxLength": 128
+ },
+ "relationshipValue": {
+ "type": "string",
+ "description": "The target of the relationship. Can be the CVE ID or another taxonomy identifier.",
+ "minLength": 1,
+ "maxLength": 2048
+ }
+ },
+ "additionalProperties": false
+ }
+ }
+ },
+ "additionalProperties": false
+ }
+ },
+ "tagExtension": {
+ "type": "string",
+ "minLength": 2,
+ "maxLength": 128,
+ "pattern": "^x_.*$",
+ "$comment": "These values are not used as JSON property names, so there is not a need to work-around property naming limitations in some common implementations."
+ },
+ "cnaTags": {
+ "type": "array",
+ "description": "Tags provided by a CNA describing the CVE Record.",
+ "uniqueItems": true,
+ "minItems": 1,
+ "items": {
+ "oneOf": [
+ {
+ "$ref": "#/definitions/tagExtension"
+ },
+ {
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "$id": "https://cve.mitre.org/cve/v5_00/tags/cna/",
+ "type": "string",
+ "description": "exclusively-hosted-service: All known software and/or hardware affected by this CVE Record is known to exist only in the affected hosted service. If the vulnerability affects both hosted and on-prem software and/or hardware, then the tag should not be used.\n\nunsupported-when-assigned: Used by the assigning CNA to indicate that when a request for a CVE assignment was received, the product was already end-of-life (EOL) or a product or specific version was deemed not to be supported by the vendor. This tag should only be applied to a CVE Record when all affected products or version lines referenced in the CVE-Record are EOL.\n\ndisputed: When one party disagrees with another party's assertion that a particular issue in software is a vulnerability, a CVE Record assigned to that issue may be tagged as being 'disputed'.",
+ "enum": [
+ "unsupported-when-assigned",
+ "exclusively-hosted-service",
+ "disputed"
+ ]
+ }
+ ]
+ }
+ },
+ "adpTags": {
+ "type": "array",
+ "description": "Tags provided by an ADP describing the CVE Record.",
+ "uniqueItems": true,
+ "minItems": 1,
+ "items": {
+ "oneOf": [
+ {
+ "$ref": "#/definitions/tagExtension"
+ },
+ {
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "$id": "https://cve.mitre.org/cve/v5_00/tags/adp/",
+ "type": "string",
+ "description": "disputed: When one party disagrees with another party's assertion that a particular issue in software is a vulnerability, a CVE Record assigned to that issue may be tagged as being 'disputed'.",
+ "enum": [
+ "disputed"
+ ]
+ }
+ ]
+ }
+ }
+ },
+ "oneOf": [
+ {
+ "title": "Published",
+ "description": "When a CNA populates the data associated with a CVE ID as a CVE Record, the state of the CVE Record is Published.",
+ "type": "object",
+ "properties": {
+ "dataType": {
+ "$ref": "#/definitions/dataType"
+ },
+ "dataVersion": {
+ "$ref": "#/definitions/dataVersion"
+ },
+ "cveMetadata": {
+ "$ref": "#/definitions/cveMetadataPublished"
+ },
+ "containers": {
+ "description": "A set of structures (called containers) used to store vulnerability information related to a specific CVE ID provided by a specific organization participating in the CVE program. Each container includes information provided by a different source.\n\nAt a minimum, a 'cna' container containing the vulnerability information provided by the CNA who initially assigned the CVE ID must be included.\n\nThere can only be one 'cna' container, as there can only be one assigning CNA. However, there can be multiple 'adp' containers, allowing multiple organizations participating in the CVE program to add additional information related to the vulnerability. For the most part, the 'cna' and 'adp' containers contain the same properties. The main differences are the source of the information. The 'cna' container requires the CNA to include certain fields, while the 'adp' container does not.",
+ "type": "object",
+ "properties": {
+ "cna": {
+ "$ref": "#/definitions/cnaPublishedContainer"
+ },
+ "adp": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/adpContainer"
+ },
+ "minItems": 1,
+ "uniqueItems": true
+ }
+ },
+ "required": [
+ "cna"
+ ],
+ "additionalProperties": false
+ }
+ },
+ "required": [
+ "dataType",
+ "dataVersion",
+ "cveMetadata",
+ "containers"
+ ],
+ "additionalProperties": false
+ },
+ {
+ "title": "Rejected",
+ "description": "If the CVE ID and associated CVE Record should no longer be used, the CVE Record is placed in the Rejected state. A Rejected CVE Record remains on the CVE List so that users can know when it is invalid.",
+ "type": "object",
+ "properties": {
+ "dataType": {
+ "$ref": "#/definitions/dataType"
+ },
+ "dataVersion": {
+ "$ref": "#/definitions/dataVersion"
+ },
+ "cveMetadata": {
+ "$ref": "#/definitions/cveMetadataRejected"
+ },
+ "containers": {
+ "description": "A set of structures (called containers) used to store vulnerability information related to a specific CVE ID provided by a specific organization participating in the CVE program. Each container includes information provided by a different source.\n\nAt minimum, a 'cna' container containing the vulnerability information provided by the CNA who initially assigned the CVE ID must be included.\n\nThere can only be one 'cna' container, as there can only be one assigning CNA.",
+ "type": "object",
+ "properties": {
+ "cna": {
+ "$ref": "#/definitions/cnaRejectedContainer"
+ }
+ },
+ "required": [
+ "cna"
+ ],
+ "additionalProperties": false
+ }
+ },
+ "required": [
+ "dataType",
+ "dataVersion",
+ "cveMetadata",
+ "containers"
+ ],
+ "additionalProperties": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/schema/docs/CVE_Record_Format_bundled_adpContainer.json b/schema/docs/CVE_Record_Format_bundled_adpContainer.json
new file mode 100644
index 00000000000..c225c381d44
--- /dev/null
+++ b/schema/docs/CVE_Record_Format_bundled_adpContainer.json
@@ -0,0 +1,3341 @@
+{
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "$id": "https://cveproject.github.io/cve-schema/schema/docs/CVE_Record_Format_bundled_adpContainer.json",
+ "title": "CVE JSON adpContainer sub schema",
+ "description": "CVE JSON adpContainer format",
+ "definitions": {
+ "uriType": {
+ "description": "A universal resource identifier (URI), according to [RFC 3986](https://tools.ietf.org/html/rfc3986).",
+ "type": "string",
+ "format": "uri",
+ "minLength": 1,
+ "maxLength": 2048
+ },
+ "uuidType": {
+ "description": "A version 4 (random) universally unique identifier (UUID) as defined by [RFC 4122](https://tools.ietf.org/html/rfc4122#section-4.1.3).",
+ "type": "string",
+ "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
+ },
+ "reference": {
+ "type": "object",
+ "required": [
+ "url"
+ ],
+ "properties": {
+ "url": {
+ "description": "The uniform resource locator (URL), according to [RFC 3986](https://tools.ietf.org/html/rfc3986#section-1.1.3), that can be used to retrieve the referenced resource.",
+ "$ref": "#/definitions/uriType"
+ },
+ "name": {
+ "description": "User created name for the reference, often the title of the page.",
+ "type": "string",
+ "maxLength": 512,
+ "minLength": 1
+ },
+ "tags": {
+ "description": "An array of one or more tags that describe the resource referenced by 'url'.",
+ "type": "array",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "oneOf": [
+ {
+ "$ref": "#/definitions/tagExtension"
+ },
+ {
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "$id": "https://cve.mitre.org/cve/v5_00/tags/reference/",
+ "type": "string",
+ "description": "broken-link: The reference link is returning a 404 error, or the site is no longer online.\n\ncustomer-entitlement: Similar to Privileges Required, but specific to references that require non-public/paid access for customers of the particular vendor.\n\nexploit: Reference contains an in-depth/detailed description of steps to exploit a vulnerability OR the reference contains any legitimate Proof of Concept (PoC) code or exploit kit.\n\ngovernment-resource: All reference links that are from a government agency or organization should be given the Government Resource tag.\n\nissue-tracking: The reference is a post from a bug tracking tool such as MantisBT, Bugzilla, JIRA, Github Issues, etc...\n\nmailing-list: The reference is from a mailing list -- often specific to a product or vendor.\n\nmitigation: The reference contains information on steps to mitigate against the vulnerability in the event a patch can't be applied or is unavailable or for EOL product situations.\n\nnot-applicable: The reference link is not applicable to the vulnerability and was likely associated by MITRE accidentally (should be used sparingly).\n\npatch: The reference contains an update to the software that fixes the vulnerability.\n\npermissions-required: The reference link provided is blocked by a logon page. If credentials are required to see any information this tag must be applied.\n\nmedia-coverage: The reference is from a media outlet such as a newspaper, magazine, social media, or weblog. This tag is not intended to apply to any individual's personal social media account. 
It is strictly intended for public media entities.\n\nproduct: A reference appropriate for describing a product for the purpose of CPE or SWID.\n\nrelated: A reference that is for a related (but not the same) vulnerability.\n\nrelease-notes: The reference is in the format of a vendor or open source project's release notes or change log.\n\nsignature: The reference contains a method to detect or prevent the presence or exploitation of the vulnerability.\n\ntechnical-description: The reference contains in-depth technical information about a vulnerability and its exploitation process, typically in the form of a presentation or whitepaper.\n\nthird-party-advisory: Advisory is from an organization that is not the vulnerable product's vendor/publisher/maintainer.\n\nvendor-advisory: Advisory is from the vendor/publisher/maintainer of the product or the parent organization.\n\nvdb-entry: VDBs are loosely defined as sites that provide information about this vulnerability, such as advisories, with identifiers. Included VDBs are free to access, substantially public, and have broad scope and coverage (not limited to a single vendor or research organization). See: https://www.first.org/global/sigs/vrdx/vdb-catalog",
+ "enum": [
+ "broken-link",
+ "customer-entitlement",
+ "exploit",
+ "government-resource",
+ "issue-tracking",
+ "mailing-list",
+ "mitigation",
+ "not-applicable",
+ "patch",
+ "permissions-required",
+ "media-coverage",
+ "product",
+ "related",
+ "release-notes",
+ "signature",
+ "technical-description",
+ "third-party-advisory",
+ "vendor-advisory",
+ "vdb-entry"
+ ]
+ }
+ ]
+ }
+ }
+ },
+ "additionalProperties": false
+ },
+ "cveId": {
+ "type": "string",
+ "pattern": "^CVE-[0-9]{4}-[0-9]{4,19}$"
+ },
+ "orgId": {
+ "description": "A UUID for an organization participating in the CVE program. This UUID can be used to lookup the organization record in the user registry service.",
+ "$ref": "#/definitions/uuidType"
+ },
+ "userId": {
+ "description": "A UUID for a user participating in the CVE program. This UUID can be used to lookup the user record in the user registry service.",
+ "$ref": "#/definitions/uuidType"
+ },
+ "shortName": {
+ "description": "A 2-32 character name that can be used to complement an organization's UUID.",
+ "type": "string",
+ "minLength": 2,
+ "maxLength": 32
+ },
+ "datestamp": {
+ "description": "Date/time format based on RFC3339 and ISO ISO8601.",
+ "type": "string",
+ "format": "date",
+ "pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))$"
+ },
+ "timestamp": {
+ "type": "string",
+ "description": "Date/time format based on RFC3339 and ISO ISO8601, with an optional timezone in the format 'yyyy-MM-ddTHH:mm:ss[+-]ZH:ZM'. If timezone offset is not given, GMT (+00:00) is assumed.",
+ "pattern": "^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})?$"
+ },
+ "version": {
+ "description": "A single version of a product, as expressed in its own version numbering scheme.",
+ "type": "string",
+ "minLength": 1,
+ "maxLength": 1024
+ },
+ "status": {
+ "description": "The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.",
+ "type": "string",
+ "enum": [
+ "affected",
+ "unaffected",
+ "unknown"
+ ]
+ },
+ "product": {
+ "type": "object",
+ "description": "Provides information about the set of products and services affected by this vulnerability.",
+ "allOf": [
+ {
+ "anyOf": [
+ {
+ "required": [
+ "vendor",
+ "product"
+ ]
+ },
+ {
+ "required": [
+ "collectionURL",
+ "packageName"
+ ]
+ }
+ ]
+ },
+ {
+ "anyOf": [
+ {
+ "required": [
+ "versions"
+ ]
+ },
+ {
+ "required": [
+ "defaultStatus"
+ ]
+ }
+ ]
+ }
+ ],
+ "properties": {
+ "vendor": {
+ "type": "string",
+ "description": "Name of the organization, project, community, individual, or user that created or maintains this product or hosted service. Can be 'N/A' if none of those apply. When collectionURL and packageName are used, this field may optionally represent the user or account within the package collection associated with the package.",
+ "minLength": 1,
+ "maxLength": 512
+ },
+ "product": {
+ "type": "string",
+ "description": "Name of the affected product.",
+ "minLength": 1,
+ "maxLength": 2048
+ },
+ "collectionURL": {
+ "description": "URL identifying a package collection (determines the meaning of packageName).",
+ "$ref": "#/definitions/uriType",
+ "examples": [
+ "https://access.redhat.com/downloads/content/package-browser",
+ "https://addons.mozilla.org",
+ "https://addons.thunderbird.net",
+ "https://anaconda.org/anaconda/repo",
+ "https://app.vagrantup.com/boxes/search",
+ "https://apps.apple.com",
+ "https://archlinux.org/packages",
+ "https://atmospherejs.meteor.com",
+ "https://atom.io/packages",
+ "https://bitbucket.org",
+ "https://bower.io",
+ "https://brew.sh/",
+ "https://chocolatey.org/packages",
+ "https://chrome.google.com/webstore",
+ "https://clojars.org",
+ "https://cocoapods.org",
+ "https://code.dlang.org",
+ "https://conan.io/center",
+ "https://cpan.org/modules",
+ "https://cran.r-project.org",
+ "https://crates.io",
+ "https://ctan.org/pkg",
+ "https://drupal.org",
+ "https://exchange.adobe.com",
+ "https://forge.puppet.com/modules",
+ "https://github.com",
+ "https://gitlab.com/explore",
+ "https://golang.org/pkg",
+ "https://guix.gnu.org/packages",
+ "https://hackage.haskell.org",
+ "https://helm.sh",
+ "https://hub.docker.com",
+ "https://juliahub.com",
+ "https://lib.haxe.org",
+ "https://luarocks.org",
+ "https://marketplace.visualstudio.com",
+ "https://melpa.org",
+ "https://microsoft.com/en-us/store/apps",
+ "https://nimble.directory",
+ "https://nuget.org/packages",
+ "https://opam.ocaml.org/packages",
+ "https://openwrt.org/packages/index",
+ "https://package.elm-lang.org",
+ "https://packagecontrol.io",
+ "https://packages.debian.org",
+ "https://packages.gentoo.org",
+ "https://packagist.org",
+ "https://pear.php.net/packages.php",
+ "https://pecl.php.net",
+ "https://platformio.org/lib",
+ "https://play.google.com/store",
+ "https://plugins.gradle.org",
+ "https://projects.eclipse.org",
+ "https://pub.dev",
+ "https://pypi.python.org",
+ "https://registry.npmjs.org",
+ "https://registry.terraform.io",
+ "https://repo.hex.pm",
+ "https://repo.maven.apache.org/maven2",
+ "https://rubygems.org",
+ "https://search.nixos.org/packages",
+ "https://sourceforge.net",
+ "https://wordpress.org/plugins"
+ ]
+ },
+ "packageName": {
+ "type": "string",
+ "description": "Name or identifier of the affected software package as used in the package collection.",
+ "minLength": 1,
+ "maxLength": 2048
+ },
+ "cpes": {
+ "type": "array",
+ "description": "Affected products defined by CPE. This is an array of CPE values (vulnerable and not), we use an array so that we can make multiple statements about the same version and they are separate (if we used a JSON object we'd essentially be keying on the CPE name and they would have to overlap). Also, this allows things like cveDataVersion or cveDescription to be applied directly to the product entry. This also allows more complex statements such as \"Product X between versions 10.2 and 10.8\" to be put in a machine-readable format. As well since multiple statements can be used multiple branches of the same product can be defined here.",
+ "uniqueItems": true,
+ "items": {
+ "title": "CPE Name",
+ "type": "string",
+ "description": "Common Platform Enumeration (CPE) Name in either 2.2 or 2.3 format",
+ "pattern": "([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9._\\-~%]*){0,6})|(cpe:2\\.3:[aho*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){4})",
+ "minLength": 1,
+ "maxLength": 2048
+ }
+ },
+ "modules": {
+ "type": "array",
+ "description": "A list of the affected components, features, modules, sub-components, sub-products, APIs, commands, utilities, programs, or functionalities (optional).",
+ "uniqueItems": true,
+ "items": {
+ "type": "string",
+ "description": "Name of the affected component, feature, module, sub-component, sub-product, API, command, utility, program, or functionality (optional).",
+ "minLength": 1,
+ "maxLength": 4096
+ }
+ },
+ "programFiles": {
+ "type": "array",
+ "description": "A list of the affected source code files (optional).",
+ "uniqueItems": true,
+ "items": {
+ "description": "Name or path or location of the affected source code file.",
+ "type": "string",
+ "minLength": 1,
+ "maxLength": 1024
+ }
+ },
+ "programRoutines": {
+ "type": "array",
+ "description": "A list of the affected source code functions, methods, subroutines, or procedures (optional).",
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "description": "An object describing program routine.",
+ "required": [
+ "name"
+ ],
+ "properties": {
+ "name": {
+ "type": "string",
+ "description": "Name of the affected source code file, function, method, subroutine, or procedure.",
+ "minLength": 1,
+ "maxLength": 4096
+ }
+ },
+ "additionalProperties": false
+ }
+ },
+ "platforms": {
+ "title": "Platforms",
+ "description": "List of specific platforms if the vulnerability is only relevant in the context of these platforms (optional). Platforms may include execution environments, operating systems, virtualization technologies, hardware models, or computing architectures. The lack of this field or an empty array implies that the other fields are applicable to all relevant platforms.",
+ "type": "array",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "string",
+ "examples": [
+ "iOS",
+ "Android",
+ "Windows",
+ "macOS",
+ "x86",
+ "ARM",
+ "64 bit",
+ "Big Endian",
+ "iPad",
+ "Chromebook",
+ "Docker",
+ "Model T"
+ ],
+ "maxLength": 1024
+ }
+ },
+ "repo": {
+ "description": "The URL of the source code repository, for informational purposes and/or to resolve git hash version ranges.",
+ "$ref": "#/definitions/uriType"
+ },
+ "defaultStatus": {
+ "description": "The default status for versions that are not otherwise listed in the versions list. If not specified, defaultStatus defaults to 'unknown'. Versions or defaultStatus may be omitted, but not both.",
+ "$ref": "#/definitions/status"
+ },
+ "versions": {
+ "type": "array",
+ "description": "Set of product versions or version ranges related to the vulnerability. The versions satisfy the CNA Rules [8.1.2 requirement](https://cve.mitre.org/cve/cna/rules.html#section_8-1_cve_entry_information_requirements). Versions or defaultStatus may be omitted, but not both.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "description": "A single version or a range of versions, with vulnerability status.\n\nAn entry with only 'version' and 'status' indicates the status of a single version.\n\nOtherwise, an entry describes a range; it must include the 'versionType' property, to define the version numbering semantics in use, and 'limit', to indicate the non-inclusive upper limit of the range. The object describes the status for versions V such that 'version' <= V and V < 'limit', using the <= and < semantics defined for the specific kind of 'versionType'. Status changes within the range can be specified by an optional 'changes' list.\n\nThe algorithm to decide the status specified for a version V is:\n\n\tfor entry in product.versions {\n\t\tif entry.lessThan is not present and entry.lessThanOrEqual is not present and v == entry.version {\n\t\t\treturn entry.status\n\t\t}\n\t\tif (entry.lessThan is present and entry.version <= v and v < entry.lessThan) or\n\t\t (entry.lessThanOrEqual is present and entry.version <= v and v <= entry.lessThanOrEqual) { // <= and < defined by entry.versionType\n\t\t\tstatus = entry.status\n\t\t\tfor change in entry.changes {\n\t\t\t\tif change.at <= v {\n\t\t\t\t\tstatus = change.status\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn status\n\t\t}\n\t}\n\treturn product.defaultStatus\n\n.",
+ "oneOf": [
+ {
+ "required": [
+ "version",
+ "status"
+ ],
+ "maxProperties": 2
+ },
+ {
+ "required": [
+ "version",
+ "status",
+ "versionType"
+ ],
+ "maxProperties": 3
+ },
+ {
+ "required": [
+ "version",
+ "status",
+ "versionType",
+ "lessThan"
+ ]
+ },
+ {
+ "required": [
+ "version",
+ "status",
+ "versionType",
+ "lessThanOrEqual"
+ ]
+ }
+ ],
+ "properties": {
+ "version": {
+ "description": "The single version being described, or the version at the start of the range. By convention, typically 0 denotes the earliest possible version.",
+ "$ref": "#/definitions/version"
+ },
+ "status": {
+ "description": "The vulnerability status for the version or range of versions. For a range, the status may be refined by the 'changes' list.",
+ "$ref": "#/definitions/status"
+ },
+ "versionType": {
+ "type": "string",
+ "description": "The version numbering system used for specifying the range. This defines the exact semantics of the comparison (less-than) operation on versions, which is required to understand the range itself. 'Custom' indicates that the version type is unspecified and should be avoided whenever possible. It is included primarily for use in conversion of older data files.",
+ "minLength": 1,
+ "maxLength": 128,
+ "examples": [
+ "custom",
+ "git",
+ "maven",
+ "python",
+ "rpm",
+ "semver"
+ ]
+ },
+ "lessThan": {
+ "description": "The non-inclusive upper limit of the range. This is the least version NOT in the range. The usual version syntax is expanded to allow a pattern to end in an asterisk `(*)`, indicating an arbitrarily large number in the version ordering. For example, `{version: 1.0 lessThan: 1.*}` would describe the entire 1.X branch for most range kinds, and `{version: 2.0, lessThan: *}` describes all versions starting at 2.0, including 3.0, 5.1, and so on. Only one of lessThan and lessThanOrEqual should be specified.",
+ "$ref": "#/definitions/version"
+ },
+ "lessThanOrEqual": {
+ "description": "The inclusive upper limit of the range. This is the greatest version contained in the range. Only one of lessThan and lessThanOrEqual should be specified. For example, `{version: 1.0, lessThanOrEqual: 1.3}` covers all versions from 1.0 up to and including 1.3.",
+ "$ref": "#/definitions/version"
+ },
+ "changes": {
+ "type": "array",
+ "description": "A list of status changes that take place during the range. The array should be sorted in increasing order by the 'at' field, according to the versionType, but clients must re-sort the list themselves rather than assume it is sorted.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "description": "The start of a single status change during the range.",
+ "required": [
+ "at",
+ "status"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "at": {
+ "description": "The version at which a status change occurs.",
+ "$ref": "#/definitions/version"
+ },
+ "status": {
+ "description": "The new status in the range starting at the given version.",
+ "$ref": "#/definitions/status"
+ }
+ }
+ }
+ }
+ },
+ "additionalProperties": false
+ }
+ }
+ }
+ },
+ "dataType": {
+ "description": "Indicates the type of information represented in the JSON instance.",
+ "type": "string",
+ "enum": [
+ "CVE_RECORD"
+ ]
+ },
+ "dataVersion": {
+ "description": "The version of the CVE schema used for validating this record. Used to support multiple versions of this format.",
+ "type": "string",
+ "pattern": "^5\\.(0|[1-9][0-9]*)(\\.(0|[1-9][0-9]*))?$",
+ "default": "5.1.0"
+ },
+ "cveMetadataPublished": {
+ "description": "This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, the current state (PUBLISHED, REJECTED, etc.) and so on. These fields are controlled by the CVE Services.",
+ "type": "object",
+ "required": [
+ "cveId",
+ "assignerOrgId",
+ "state"
+ ],
+ "properties": {
+ "cveId": {
+ "description": "The CVE identifier that this record pertains to.",
+ "$ref": "#/definitions/cveId"
+ },
+ "assignerOrgId": {
+ "$ref": "#/definitions/orgId",
+ "description": "The UUID for the organization to which the CVE ID was originally assigned. This UUID can be used to lookup the organization record in the user registry service."
+ },
+ "assignerShortName": {
+ "$ref": "#/definitions/shortName",
+ "description": "The short name for the organization to which the CVE ID was originally assigned."
+ },
+ "requesterUserId": {
+ "$ref": "#/definitions/userId",
+ "description": "The user that requested the CVE identifier."
+ },
+ "dateUpdated": {
+ "description": "The date/time the record was last updated.",
+ "$ref": "#/definitions/timestamp"
+ },
+ "serial": {
+ "type": "integer",
+ "minimum": 1,
+ "description": "The system of record causes this to start at 1, and increment by 1 each time a submission from a data provider changes this CVE Record. The incremented value moves to the Rejected schema upon a PUBLISHED->REJECTED transition, and moves to the Published schema upon a REJECTED->PUBLISHED transition."
+ },
+ "dateReserved": {
+ "$ref": "#/definitions/timestamp",
+ "description": "The date/time this CVE ID was reserved in the CVE automation workgroup services system. Disclaimer: This date reflects when the CVE ID was reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE."
+ },
+ "datePublished": {
+ "$ref": "#/definitions/timestamp",
+ "description": "The date/time the CVE Record was first published in the CVE List."
+ },
+ "state": {
+ "description": "State of CVE - PUBLISHED, REJECTED.",
+ "type": "string",
+ "enum": [
+ "PUBLISHED"
+ ]
+ }
+ },
+ "additionalProperties": false
+ },
+ "cveMetadataRejected": {
+ "type": "object",
+ "description": "This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, the current state (PUBLISHED, REJECTED, etc.) and so on. These fields are controlled by the CVE Services.",
+ "required": [
+ "cveId",
+ "assignerOrgId",
+ "state"
+ ],
+ "properties": {
+ "cveId": {
+ "description": "The CVE identifier that this record pertains to.",
+ "$ref": "#/definitions/cveId"
+ },
+ "assignerOrgId": {
+ "$ref": "#/definitions/orgId",
+ "description": "The UUID for the organization to which the CVE ID was originally assigned."
+ },
+ "assignerShortName": {
+ "$ref": "#/definitions/shortName",
+ "description": "The short name for the organization to which the CVE ID was originally assigned."
+ },
+ "serial": {
+ "type": "integer",
+ "minimum": 1,
+ "description": "The system of record causes this to start at 1, and increment by 1 each time a submission from a data provider changes this CVE Record. The incremented value moves to the Rejected schema upon a PUBLISHED->REJECTED transition, and moves to the Published schema upon a REJECTED->PUBLISHED transition."
+ },
+ "dateUpdated": {
+ "description": "The date/time the record was last updated.",
+ "$ref": "#/definitions/timestamp"
+ },
+ "datePublished": {
+ "$ref": "#/definitions/timestamp",
+ "description": "The date/time the CVE Record was first published in the CVE List."
+ },
+ "dateRejected": {
+ "$ref": "#/definitions/timestamp",
+ "description": "The date/time the CVE ID was rejected."
+ },
+ "state": {
+ "type": "string",
+ "description": "State of CVE - PUBLISHED, REJECTED.",
+ "enum": [
+ "REJECTED"
+ ]
+ },
+ "dateReserved": {
+ "$ref": "#/definitions/timestamp",
+ "description": "The date/time this CVE ID was reserved in the CVE automation workgroup services system. Disclaimer: This date reflects when the CVE ID was reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE."
+ }
+ },
+ "additionalProperties": false
+ },
+ "providerMetadata": {
+ "type": "object",
+ "description": "Details related to the information container provider (CNA or ADP).",
+ "properties": {
+ "orgId": {
+ "$ref": "#/definitions/orgId",
+ "description": "The container provider's organizational UUID."
+ },
+ "shortName": {
+ "$ref": "#/definitions/shortName",
+ "description": "The container provider's organizational short name."
+ },
+ "dateUpdated": {
+ "$ref": "#/definitions/timestamp",
+ "description": "Timestamp to be set by the system of record at time of submission. If dateUpdated is provided to the system of record it will be replaced by the current timestamp at the time of submission."
+ }
+ },
+ "required": [
+ "orgId"
+ ],
+ "additionalProperties": false
+ },
+ "cnaPublishedContainer": {
+ "description": "An object containing the vulnerability information provided by a CVE Numbering Authority (CNA) for a published CVE ID. There can only be one CNA container per CVE record since there can only be one assigning CNA. The CNA container must include the required information defined in the CVE Rules, which includes a product, version, problem type, prose description, and a reference.",
+ "type": "object",
+ "properties": {
+ "providerMetadata": {
+ "$ref": "#/definitions/providerMetadata"
+ },
+ "dateAssigned": {
+ "$ref": "#/definitions/timestamp",
+ "description": "The date/time this CVE ID was associated with a vulnerability by a CNA."
+ },
+ "datePublic": {
+ "$ref": "#/definitions/timestamp",
+ "description": "If known, the date/time the vulnerability was disclosed publicly."
+ },
+ "title": {
+ "type": "string",
+ "description": "A title, headline, or a brief phrase summarizing the CVE record. Eg., Buffer overflow in Example Soft.",
+ "minLength": 1,
+ "maxLength": 256
+ },
+ "descriptions": {
+ "$ref": "#/definitions/descriptions"
+ },
+ "affected": {
+ "$ref": "#/definitions/affected"
+ },
+ "problemTypes": {
+ "$ref": "#/definitions/problemTypes"
+ },
+ "references": {
+ "$ref": "#/definitions/references"
+ },
+ "impacts": {
+ "$ref": "#/definitions/impacts"
+ },
+ "metrics": {
+ "$ref": "#/definitions/metrics"
+ },
+ "configurations": {
+ "$ref": "#/definitions/configurations"
+ },
+ "workarounds": {
+ "$ref": "#/definitions/workarounds"
+ },
+ "solutions": {
+ "$ref": "#/definitions/solutions"
+ },
+ "exploits": {
+ "$ref": "#/definitions/exploits"
+ },
+ "timeline": {
+ "$ref": "#/definitions/timeline"
+ },
+ "credits": {
+ "$ref": "#/definitions/credits"
+ },
+ "source": {
+ "$ref": "#/definitions/source"
+ },
+ "tags": {
+ "$ref": "#/definitions/cnaTags"
+ },
+ "taxonomyMappings": {
+ "$ref": "#/definitions/taxonomyMappings"
+ }
+ },
+ "required": [
+ "providerMetadata",
+ "descriptions",
+ "affected",
+ "references"
+ ],
+ "patternProperties": {
+ "^x_[^.]*$": {}
+ },
+ "$comment": "The character . is restricted in names allowed by patternProperties to work-around naming limitations in some common implementations.",
+ "additionalProperties": false
+ },
+ "cnaRejectedContainer": {
+ "description": "An object containing the vulnerability information provided by a CVE Numbering Authority (CNA) for a rejected CVE ID. There can only be one CNA container per CVE record since there can only be one assigning CNA.",
+ "type": "object",
+ "properties": {
+ "providerMetadata": {
+ "$ref": "#/definitions/providerMetadata"
+ },
+ "rejectedReasons": {
+ "description": "Reasons for rejecting this CVE Record.",
+ "$ref": "#/definitions/descriptions"
+ },
+ "replacedBy": {
+ "type": "array",
+ "description": "Contains an array of CVE IDs that this CVE ID was rejected in favor of because this CVE ID was assigned to the vulnerabilities.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/definitions/cveId"
+ }
+ }
+ },
+ "required": [
+ "providerMetadata",
+ "rejectedReasons"
+ ],
+ "patternProperties": {
+ "^x_[^.]*$": {}
+ },
+ "$comment": "The character . is restricted in names allowed by patternProperties to work-around naming limitations in some common implementations.",
+ "additionalProperties": false
+ },
+ "adpContainer": {
+ "description": "An object containing the vulnerability information provided by an Authorized Data Publisher (ADP). Since multiple ADPs can provide information for a CVE ID, an ADP container must indicate which ADP is the source of the information in the object.",
+ "type": "object",
+ "properties": {
+ "providerMetadata": {
+ "$ref": "#/definitions/providerMetadata"
+ },
+ "datePublic": {
+ "$ref": "#/definitions/timestamp",
+ "description": "If known, the date/time the vulnerability was disclosed publicly."
+ },
+ "title": {
+ "type": "string",
+ "description": "A title, headline, or a brief phrase summarizing the information in an ADP container.",
+ "minLength": 1,
+ "maxLength": 256
+ },
+ "descriptions": {
+ "$ref": "#/definitions/descriptions"
+ },
+ "affected": {
+ "$ref": "#/definitions/affected"
+ },
+ "problemTypes": {
+ "$ref": "#/definitions/problemTypes"
+ },
+ "references": {
+ "$ref": "#/definitions/references"
+ },
+ "impacts": {
+ "$ref": "#/definitions/impacts"
+ },
+ "metrics": {
+ "$ref": "#/definitions/metrics"
+ },
+ "configurations": {
+ "$ref": "#/definitions/configurations"
+ },
+ "workarounds": {
+ "$ref": "#/definitions/workarounds"
+ },
+ "solutions": {
+ "$ref": "#/definitions/solutions"
+ },
+ "exploits": {
+ "$ref": "#/definitions/exploits"
+ },
+ "timeline": {
+ "$ref": "#/definitions/timeline"
+ },
+ "credits": {
+ "$ref": "#/definitions/credits"
+ },
+ "source": {
+ "$ref": "#/definitions/source"
+ },
+ "tags": {
+ "$ref": "#/definitions/adpTags"
+ },
+ "taxonomyMappings": {
+ "$ref": "#/definitions/taxonomyMappings"
+ }
+ },
+ "required": [
+ "providerMetadata"
+ ],
+ "minProperties": 2,
+ "patternProperties": {
+ "^x_[^.]*$": {}
+ },
+ "$comment": "The character . is restricted in names allowed by patternProperties to work-around naming limitations in some common implementations.",
+ "additionalProperties": false
+ },
+ "affected": {
+ "type": "array",
+ "description": "List of affected products.",
+ "minItems": 1,
+ "items": {
+ "$ref": "#/definitions/product"
+ }
+ },
+ "description": {
+ "type": "object",
+ "description": "Text in a particular language with optional alternate markup or formatted representation (e.g., Markdown) or embedded media.",
+ "properties": {
+ "lang": {
+ "$ref": "#/definitions/language"
+ },
+ "value": {
+ "type": "string",
+ "description": "Plain text description.",
+ "minLength": 1,
+ "maxLength": 4096
+ },
+ "supportingMedia": {
+ "type": "array",
+ "title": "Supporting media",
+ "description": "Supporting media data for the description such as markdown, diagrams, .. (optional). Similar to RFC 2397 each media object has three main parts: media type, media data value, and an optional boolean flag to indicate if the media data is base64 encoded.",
+ "uniqueItems": true,
+ "minItems": 1,
+ "items": {
+ "type": "object",
+ "properties": {
+ "type": {
+ "type": "string",
+ "title": "Media type",
+ "minLength": 1,
+ "maxLength": 256,
+ "description": "RFC2046 compliant IANA Media type for eg., text/markdown, text/html.",
+ "examples": [
+ "text/markdown",
+ "text/html",
+ "image/png",
+ "image/svg",
+ "audio/mp3"
+ ]
+ },
+ "base64": {
+ "type": "boolean",
+ "title": "Encoding",
+ "description": "If true then the value field contains the media data encoded in base64. If false then the value field contains the UTF-8 media content.",
+ "default": false
+ },
+ "value": {
+ "type": "string",
+ "description": "Supporting media content, up to 16K. If base64 is true, this field stores base64 encoded data.",
+ "minLength": 1,
+ "maxLength": 16384
+ }
+ },
+ "required": [
+ "type",
+ "value"
+ ],
+ "additionalProperties": false
+ }
+ }
+ },
+ "required": [
+ "lang",
+ "value"
+ ],
+ "additionalProperties": false
+ },
+ "englishLanguageDescription": {
+ "type": "object",
+ "description": "A description with lang set to an English language (en, en_US, en_UK, and so on).",
+ "properties": {
+ "lang": {
+ "$ref": "#/definitions/englishLanguage"
+ }
+ },
+ "required": [
+ "lang"
+ ],
+ "$comment": "Cannot use additionalProperties: false here, as this prevents the other properties used by /definitions/description."
+ },
+ "descriptions": {
+ "type": "array",
+ "description": "A list of multi-lingual descriptions of the vulnerability. E.g., [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]. OR [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] [ROOT CAUSE], which allows [ATTACKER] to [IMPACT] via [VECTOR].",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/definitions/description"
+ },
+ "contains": {
+ "$ref": "#/definitions/englishLanguageDescription"
+ }
+ },
+ "problemTypes": {
+ "type": "array",
+ "description": "This is problem type information (e.g. CWE identifier). Must contain: At least one entry, can be text, OWASP, CWE, please note that while only one is required you can use more than one (or indeed all three) as long as they are correct). (CNA requirement: [PROBLEMTYPE]).",
+ "items": {
+ "type": "object",
+ "required": [
+ "descriptions"
+ ],
+ "properties": {
+ "descriptions": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "required": [
+ "lang",
+ "description"
+ ],
+ "properties": {
+ "lang": {
+ "$ref": "#/definitions/language"
+ },
+ "description": {
+ "type": "string",
+ "description": "Text description of problemType, or title from CWE or OWASP.",
+ "minLength": 1,
+ "maxLength": 4096
+ },
+ "cweId": {
+ "type": "string",
+ "description": "CWE ID of the CWE that best describes this problemType entry.",
+ "minLength": 5,
+ "maxLength": 9,
+ "pattern": "^CWE-[1-9][0-9]*$"
+ },
+ "type": {
+ "type": "string",
+ "description": "Problemtype source, text, OWASP, CWE, etc.,",
+ "minLength": 1,
+ "maxLength": 128
+ },
+ "references": {
+ "$ref": "#/definitions/references"
+ }
+ },
+ "additionalProperties": false
+ },
+ "minItems": 1,
+ "uniqueItems": true
+ }
+ },
+ "additionalProperties": false
+ },
+ "minItems": 1,
+ "uniqueItems": true
+ },
+ "references": {
+ "type": "array",
+ "description": "This is reference data in the form of URLs or file objects (uuencoded and embedded within the JSON file, exact format to be decided, e.g. we may require a compressed format so the objects require unpacking before they are \"dangerous\").",
+ "items": {
+ "$ref": "#/definitions/reference"
+ },
+ "minItems": 1,
+ "maxItems": 512,
+ "uniqueItems": true
+ },
+ "impacts": {
+ "type": "array",
+ "description": "Collection of impacts of this vulnerability.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "description": "This is impact type information (e.g. a text description.",
+ "required": [
+ "descriptions"
+ ],
+ "properties": {
+ "capecId": {
+ "type": "string",
+ "description": "CAPEC ID that best relates to this impact.",
+ "minLength": 7,
+ "maxLength": 11,
+ "pattern": "^CAPEC-[1-9][0-9]{0,4}$"
+ },
+ "descriptions": {
+ "description": "Prose description of the impact scenario. At a minimum provide the description given by CAPEC.",
+ "$ref": "#/definitions/descriptions"
+ }
+ },
+ "additionalProperties": false
+ }
+ },
+ "metrics": {
+ "type": "array",
+ "description": "Collection of impact scores with attribution.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "description": "This is impact type information (e.g. a text description, CVSSv2, CVSSv3, CVSSV4, etc.). Must contain: At least one entry, can be text, CVSSv2, CVSSv3, others may be added.",
+ "anyOf": [
+ {
+ "required": [
+ "cvssV4_0"
+ ]
+ },
+ {
+ "required": [
+ "cvssV3_1"
+ ]
+ },
+ {
+ "required": [
+ "cvssV3_0"
+ ]
+ },
+ {
+ "required": [
+ "cvssV2_0"
+ ]
+ },
+ {
+ "required": [
+ "other"
+ ]
+ }
+ ],
+ "properties": {
+ "format": {
+ "type": "string",
+ "description": "Name of the scoring format. This provides a bit of future proofing. Additional properties are not prohibited, so this will support the inclusion of proprietary formats. It also provides an easy future conversion mechanism when future score formats become part of the schema. example: cvssV44, format = 'cvssV44', other = cvssV4_4 JSON object. In the future, the other properties can be converted to score properties when they become part of the schema.",
+ "minLength": 1,
+ "maxLength": 64
+ },
+ "scenarios": {
+ "type": "array",
+ "description": "Description of the scenarios this metrics object applies to. If no specific scenario is given, GENERAL is used as the default and applies when no more specific metric matches.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "properties": {
+ "lang": {
+ "$ref": "#/definitions/language"
+ },
+ "value": {
+ "type": "string",
+ "default": "GENERAL",
+ "description": "Description of the scenario this metrics object applies to. If no specific scenario is given, GENERAL is used as the default and applies when no more specific metric matches.",
+ "minLength": 1,
+ "maxLength": 4096
+ }
+ },
+ "required": [
+ "lang",
+ "value"
+ ],
+ "additionalProperties": false
+ }
+ },
+ "cvssV4_0": {
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "title": "JSON Schema for Common Vulnerability Scoring System version 4.0",
+ "type": "object",
+ "definitions": {
+ "attackVectorType": {
+ "type": "string",
+ "enum": [
+ "NETWORK",
+ "ADJACENT",
+ "LOCAL",
+ "PHYSICAL"
+ ]
+ },
+ "modifiedAttackVectorType": {
+ "type": "string",
+ "enum": [
+ "NETWORK",
+ "ADJACENT",
+ "LOCAL",
+ "PHYSICAL",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "attackComplexityType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "LOW"
+ ]
+ },
+ "modifiedAttackComplexityType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "LOW",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "attackRequirementsType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "PRESENT"
+ ]
+ },
+ "modifiedAttackRequirementsType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "PRESENT",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "privilegesRequiredType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "LOW",
+ "NONE"
+ ]
+ },
+ "modifiedPrivilegesRequiredType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "LOW",
+ "NONE",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "userInteractionType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "PASSIVE",
+ "ACTIVE"
+ ]
+ },
+ "modifiedUserInteractionType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "PASSIVE",
+ "ACTIVE",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "vulnCiaType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "HIGH"
+ ]
+ },
+ "modifiedVulnCiaType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "HIGH",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "subCiaType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "HIGH"
+ ]
+ },
+ "modifiedSubCType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "HIGH",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "modifiedSubIaType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "HIGH",
+ "SAFETY",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "exploitMaturityType": {
+ "type": "string",
+ "enum": [
+ "UNREPORTED",
+ "PROOF_OF_CONCEPT",
+ "ATTACKED",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "ciaRequirementType": {
+ "type": "string",
+ "enum": [
+ "LOW",
+ "MEDIUM",
+ "HIGH",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "safetyType": {
+ "type": "string",
+ "enum": [
+ "NEGLIGIBLE",
+ "PRESENT",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "automatableType": {
+ "type": "string",
+ "enum": [
+ "NO",
+ "YES",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "recoveryType": {
+ "type": "string",
+ "enum": [
+ "AUTOMATIC",
+ "USER",
+ "IRRECOVERABLE",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "valueDensityType": {
+ "type": "string",
+ "enum": [
+ "DIFFUSE",
+ "CONCENTRATED",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "vulnerabilityResponseEffortType": {
+ "type": "string",
+ "enum": [
+ "LOW",
+ "MODERATE",
+ "HIGH",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "providerUrgencyType": {
+ "type": "string",
+ "enum": [
+ "CLEAR",
+ "GREEN",
+ "AMBER",
+ "RED",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "scoreType": {
+ "type": "number",
+ "enum": [
+ 0,
+ 0.1,
+ 0.2,
+ 0.3,
+ 0.4,
+ 0.5,
+ 0.6,
+ 0.7,
+ 0.8,
+ 0.9,
+ 1,
+ 1.1,
+ 1.2,
+ 1.3,
+ 1.4,
+ 1.5,
+ 1.6,
+ 1.7,
+ 1.8,
+ 1.9,
+ 2,
+ 2.1,
+ 2.2,
+ 2.3,
+ 2.4,
+ 2.5,
+ 2.6,
+ 2.7,
+ 2.8,
+ 2.9,
+ 3,
+ 3.1,
+ 3.2,
+ 3.3,
+ 3.4,
+ 3.5,
+ 3.6,
+ 3.7,
+ 3.8,
+ 3.9,
+ 4,
+ 4.1,
+ 4.2,
+ 4.3,
+ 4.4,
+ 4.5,
+ 4.6,
+ 4.7,
+ 4.8,
+ 4.9,
+ 5,
+ 5.1,
+ 5.2,
+ 5.3,
+ 5.4,
+ 5.5,
+ 5.6,
+ 5.7,
+ 5.8,
+ 5.9,
+ 6,
+ 6.1,
+ 6.2,
+ 6.3,
+ 6.4,
+ 6.5,
+ 6.6,
+ 6.7,
+ 6.8,
+ 6.9,
+ 7,
+ 7.1,
+ 7.2,
+ 7.3,
+ 7.4,
+ 7.5,
+ 7.6,
+ 7.7,
+ 7.8,
+ 7.9,
+ 8,
+ 8.1,
+ 8.2,
+ 8.3,
+ 8.4,
+ 8.5,
+ 8.6,
+ 8.7,
+ 8.8,
+ 8.9,
+ 9,
+ 9.1,
+ 9.2,
+ 9.3,
+ 9.4,
+ 9.5,
+ 9.6,
+ 9.7,
+ 9.8,
+ 9.9,
+ 10
+ ]
+ },
+ "noneScoreType": {
+ "type": "number",
+ "minimum": 0,
+ "maximum": 0
+ },
+ "lowScoreType": {
+ "type": "number",
+ "enum": [
+ 0.1,
+ 0.2,
+ 0.3,
+ 0.4,
+ 0.5,
+ 0.6,
+ 0.7,
+ 0.8,
+ 0.9,
+ 1,
+ 1.1,
+ 1.2,
+ 1.3,
+ 1.4,
+ 1.5,
+ 1.6,
+ 1.7,
+ 1.8,
+ 1.9,
+ 2,
+ 2.1,
+ 2.2,
+ 2.3,
+ 2.4,
+ 2.5,
+ 2.6,
+ 2.7,
+ 2.8,
+ 2.9,
+ 3,
+ 3.1,
+ 3.2,
+ 3.3,
+ 3.4,
+ 3.5,
+ 3.6,
+ 3.7,
+ 3.8,
+ 3.9
+ ]
+ },
+ "mediumScoreType": {
+ "type": "number",
+ "enum": [
+ 4,
+ 4.1,
+ 4.2,
+ 4.3,
+ 4.4,
+ 4.5,
+ 4.6,
+ 4.7,
+ 4.8,
+ 4.9,
+ 5,
+ 5.1,
+ 5.2,
+ 5.3,
+ 5.4,
+ 5.5,
+ 5.6,
+ 5.7,
+ 5.8,
+ 5.9,
+ 6,
+ 6.1,
+ 6.2,
+ 6.3,
+ 6.4,
+ 6.5,
+ 6.6,
+ 6.7,
+ 6.8,
+ 6.9
+ ]
+ },
+ "highScoreType": {
+ "type": "number",
+ "enum": [
+ 7,
+ 7.1,
+ 7.2,
+ 7.3,
+ 7.4,
+ 7.5,
+ 7.6,
+ 7.7,
+ 7.8,
+ 7.9,
+ 8,
+ 8.1,
+ 8.2,
+ 8.3,
+ 8.4,
+ 8.5,
+ 8.6,
+ 8.7,
+ 8.8,
+ 8.9
+ ]
+ },
+ "criticalScoreType": {
+ "type": "number",
+ "enum": [
+ 9,
+ 9.1,
+ 9.2,
+ 9.3,
+ 9.4,
+ 9.5,
+ 9.6,
+ 9.7,
+ 9.8,
+ 9.9,
+ 10
+ ]
+ },
+ "severityType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "MEDIUM",
+ "HIGH",
+ "CRITICAL"
+ ]
+ },
+ "noneSeverityType": {
+ "const": "NONE"
+ },
+ "lowSeverityType": {
+ "const": "LOW"
+ },
+ "mediumSeverityType": {
+ "const": "MEDIUM"
+ },
+ "highSeverityType": {
+ "const": "HIGH"
+ },
+ "criticalSeverityType": {
+ "const": "CRITICAL"
+ }
+ },
+ "properties": {
+ "version": {
+ "description": "CVSS Version",
+ "type": "string",
+ "enum": [
+ "4.0"
+ ]
+ },
+ "vectorString": {
+ "type": "string",
+ "pattern": "^CVSS:4[.]0/AV:[NALP]/AC:[LH]/AT:[NP]/PR:[NLH]/UI:[NPA]/VC:[HLN]/VI:[HLN]/VA:[HLN]/SC:[HLN]/SI:[HLN]/SA:[HLN](/E:[XAPU])?(/CR:[XHML])?(/IR:[XHML])?(/AR:[XHML])?(/MAV:[XNALP])?(/MAC:[XLH])?(/MAT:[XNP])?(/MPR:[XNLH])?(/MUI:[XNPA])?(/MVC:[XNLH])?(/MVI:[XNLH])?(/MVA:[XNLH])?(/MSC:[XNLH])?(/MSI:[XNLHS])?(/MSA:[XNLHS])?(/S:[XNP])?(/AU:[XNY])?(/R:[XAUI])?(/V:[XDC])?(/RE:[XLMH])?(/U:(X|Clear|Green|Amber|Red))?$"
+ },
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/scoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/severityType"
+ },
+ "attackVector": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/attackVectorType"
+ },
+ "attackComplexity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/attackComplexityType"
+ },
+ "attackRequirements": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/attackRequirementsType"
+ },
+ "privilegesRequired": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/privilegesRequiredType"
+ },
+ "userInteraction": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/userInteractionType"
+ },
+ "vulnConfidentialityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType"
+ },
+ "vulnIntegrityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType"
+ },
+ "vulnAvailabilityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType"
+ },
+ "subConfidentialityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType"
+ },
+ "subIntegrityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType"
+ },
+ "subAvailabilityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType"
+ },
+ "exploitMaturity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/exploitMaturityType"
+ },
+ "confidentialityRequirement": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType"
+ },
+ "integrityRequirement": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType"
+ },
+ "availabilityRequirement": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType"
+ },
+ "modifiedAttackVector": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackVectorType"
+ },
+ "modifiedAttackComplexity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackComplexityType"
+ },
+ "modifiedAttackRequirements": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackRequirementsType"
+ },
+ "modifiedPrivilegesRequired": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedPrivilegesRequiredType"
+ },
+ "modifiedUserInteraction": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedUserInteractionType"
+ },
+ "modifiedVulnConfidentialityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType"
+ },
+ "modifiedVulnIntegrityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType"
+ },
+ "modifiedVulnAvailabilityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType"
+ },
+ "modifiedSubConfidentialityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubCType"
+ },
+ "modifiedSubIntegrityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubIaType"
+ },
+ "modifiedSubAvailabilityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubIaType"
+ },
+ "Safety": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/safetyType"
+ },
+ "Automatable": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/automatableType"
+ },
+ "Recovery": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/recoveryType"
+ },
+ "valueDensity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/valueDensityType"
+ },
+ "vulnerabilityResponseEffort": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnerabilityResponseEffortType"
+ },
+ "providerUrgency": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/providerUrgencyType"
+ }
+ },
+ "allOf": [
+ {
+ "anyOf": [
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalSeverityType"
+ }
+ }
+ }
+ ]
+ },
+ {
+ "anyOf": [
+ {
+ "properties": {
+ "threatScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType"
+ },
+ "threatSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "threatScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowScoreType"
+ },
+ "threatSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "threatScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumScoreType"
+ },
+ "threatSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "threatScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highScoreType"
+ },
+ "threatSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "threatScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalScoreType"
+ },
+ "threatSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalSeverityType"
+ }
+ }
+ }
+ ]
+ },
+ {
+ "anyOf": [
+ {
+ "properties": {
+ "environmentalScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType"
+ },
+ "environmentalSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "environmentalScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowScoreType"
+ },
+ "environmentalSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "environmentalScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumScoreType"
+ },
+ "environmentalSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "environmentalScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highScoreType"
+ },
+ "environmentalSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "environmentalScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalScoreType"
+ },
+ "environmentalSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalSeverityType"
+ }
+ }
+ }
+ ]
+ }
+ ],
+ "required": [
+ "version",
+ "vectorString",
+ "baseScore",
+ "baseSeverity"
+ ],
+ "additionalProperties": false
+ },
+ "cvssV3_1": {
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "title": "JSON Schema for Common Vulnerability Scoring System version 3.1",
+ "type": "object",
+ "definitions": {
+ "attackVectorType": {
+ "type": "string",
+ "enum": [
+ "NETWORK",
+ "ADJACENT_NETWORK",
+ "LOCAL",
+ "PHYSICAL"
+ ]
+ },
+ "modifiedAttackVectorType": {
+ "type": "string",
+ "enum": [
+ "NETWORK",
+ "ADJACENT_NETWORK",
+ "LOCAL",
+ "PHYSICAL",
+ "NOT_DEFINED"
+ ]
+ },
+ "attackComplexityType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "LOW"
+ ]
+ },
+ "modifiedAttackComplexityType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "LOW",
+ "NOT_DEFINED"
+ ]
+ },
+ "privilegesRequiredType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "LOW",
+ "NONE"
+ ]
+ },
+ "modifiedPrivilegesRequiredType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "LOW",
+ "NONE",
+ "NOT_DEFINED"
+ ]
+ },
+ "userInteractionType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "REQUIRED"
+ ]
+ },
+ "modifiedUserInteractionType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "REQUIRED",
+ "NOT_DEFINED"
+ ]
+ },
+ "scopeType": {
+ "type": "string",
+ "enum": [
+ "UNCHANGED",
+ "CHANGED"
+ ]
+ },
+ "modifiedScopeType": {
+ "type": "string",
+ "enum": [
+ "UNCHANGED",
+ "CHANGED",
+ "NOT_DEFINED"
+ ]
+ },
+ "ciaType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "HIGH"
+ ]
+ },
+ "modifiedCiaType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "HIGH",
+ "NOT_DEFINED"
+ ]
+ },
+ "exploitCodeMaturityType": {
+ "type": "string",
+ "enum": [
+ "UNPROVEN",
+ "PROOF_OF_CONCEPT",
+ "FUNCTIONAL",
+ "HIGH",
+ "NOT_DEFINED"
+ ]
+ },
+ "remediationLevelType": {
+ "type": "string",
+ "enum": [
+ "OFFICIAL_FIX",
+ "TEMPORARY_FIX",
+ "WORKAROUND",
+ "UNAVAILABLE",
+ "NOT_DEFINED"
+ ]
+ },
+ "confidenceType": {
+ "type": "string",
+ "enum": [
+ "UNKNOWN",
+ "REASONABLE",
+ "CONFIRMED",
+ "NOT_DEFINED"
+ ]
+ },
+ "ciaRequirementType": {
+ "type": "string",
+ "enum": [
+ "LOW",
+ "MEDIUM",
+ "HIGH",
+ "NOT_DEFINED"
+ ]
+ },
+ "scoreType": {
+ "type": "number",
+ "enum": [
+ 0,
+ 0.1,
+ 0.2,
+ 0.3,
+ 0.4,
+ 0.5,
+ 0.6,
+ 0.7,
+ 0.8,
+ 0.9,
+ 1,
+ 1.1,
+ 1.2,
+ 1.3,
+ 1.4,
+ 1.5,
+ 1.6,
+ 1.7,
+ 1.8,
+ 1.9,
+ 2,
+ 2.1,
+ 2.2,
+ 2.3,
+ 2.4,
+ 2.5,
+ 2.6,
+ 2.7,
+ 2.8,
+ 2.9,
+ 3,
+ 3.1,
+ 3.2,
+ 3.3,
+ 3.4,
+ 3.5,
+ 3.6,
+ 3.7,
+ 3.8,
+ 3.9,
+ 4,
+ 4.1,
+ 4.2,
+ 4.3,
+ 4.4,
+ 4.5,
+ 4.6,
+ 4.7,
+ 4.8,
+ 4.9,
+ 5,
+ 5.1,
+ 5.2,
+ 5.3,
+ 5.4,
+ 5.5,
+ 5.6,
+ 5.7,
+ 5.8,
+ 5.9,
+ 6,
+ 6.1,
+ 6.2,
+ 6.3,
+ 6.4,
+ 6.5,
+ 6.6,
+ 6.7,
+ 6.8,
+ 6.9,
+ 7,
+ 7.1,
+ 7.2,
+ 7.3,
+ 7.4,
+ 7.5,
+ 7.6,
+ 7.7,
+ 7.8,
+ 7.9,
+ 8,
+ 8.1,
+ 8.2,
+ 8.3,
+ 8.4,
+ 8.5,
+ 8.6,
+ 8.7,
+ 8.8,
+ 8.9,
+ 9,
+ 9.1,
+ 9.2,
+ 9.3,
+ 9.4,
+ 9.5,
+ 9.6,
+ 9.7,
+ 9.8,
+ 9.9,
+ 10
+ ]
+ },
+ "severityType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "MEDIUM",
+ "HIGH",
+ "CRITICAL"
+ ]
+ },
+ "noneScoreType": {
+ "type": "number",
+ "minimum": 0,
+ "maximum": 0
+ },
+ "lowScoreType": {
+ "type": "number",
+ "enum": [
+ 0.1,
+ 0.2,
+ 0.3,
+ 0.4,
+ 0.5,
+ 0.6,
+ 0.7,
+ 0.8,
+ 0.9,
+ 1,
+ 1.1,
+ 1.2,
+ 1.3,
+ 1.4,
+ 1.5,
+ 1.6,
+ 1.7,
+ 1.8,
+ 1.9,
+ 2,
+ 2.1,
+ 2.2,
+ 2.3,
+ 2.4,
+ 2.5,
+ 2.6,
+ 2.7,
+ 2.8,
+ 2.9,
+ 3,
+ 3.1,
+ 3.2,
+ 3.3,
+ 3.4,
+ 3.5,
+ 3.6,
+ 3.7,
+ 3.8,
+ 3.9
+ ]
+ },
+ "mediumScoreType": {
+ "type": "number",
+ "enum": [
+ 4,
+ 4.1,
+ 4.2,
+ 4.3,
+ 4.4,
+ 4.5,
+ 4.6,
+ 4.7,
+ 4.8,
+ 4.9,
+ 5,
+ 5.1,
+ 5.2,
+ 5.3,
+ 5.4,
+ 5.5,
+ 5.6,
+ 5.7,
+ 5.8,
+ 5.9,
+ 6,
+ 6.1,
+ 6.2,
+ 6.3,
+ 6.4,
+ 6.5,
+ 6.6,
+ 6.7,
+ 6.8,
+ 6.9
+ ]
+ },
+ "highScoreType": {
+ "type": "number",
+ "enum": [
+ 7,
+ 7.1,
+ 7.2,
+ 7.3,
+ 7.4,
+ 7.5,
+ 7.6,
+ 7.7,
+ 7.8,
+ 7.9,
+ 8,
+ 8.1,
+ 8.2,
+ 8.3,
+ 8.4,
+ 8.5,
+ 8.6,
+ 8.7,
+ 8.8,
+ 8.9
+ ]
+ },
+ "criticalScoreType": {
+ "type": "number",
+ "enum": [
+ 9,
+ 9.1,
+ 9.2,
+ 9.3,
+ 9.4,
+ 9.5,
+ 9.6,
+ 9.7,
+ 9.8,
+ 9.9,
+ 10
+ ]
+ },
+ "noneSeverityType": {
+ "const": "NONE"
+ },
+ "lowSeverityType": {
+ "const": "LOW"
+ },
+ "mediumSeverityType": {
+ "const": "MEDIUM"
+ },
+ "highSeverityType": {
+ "const": "HIGH"
+ },
+ "criticalSeverityType": {
+ "const": "CRITICAL"
+ }
+ },
+ "properties": {
+ "version": {
+ "description": "CVSS Version",
+ "type": "string",
+ "enum": [
+ "3.1"
+ ]
+ },
+ "vectorString": {
+ "type": "string",
+ "pattern": "^CVSS:3[.]1/((AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$"
+ },
+ "attackVector": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/attackVectorType"
+ },
+ "attackComplexity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/attackComplexityType"
+ },
+ "privilegesRequired": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/privilegesRequiredType"
+ },
+ "userInteraction": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/userInteractionType"
+ },
+ "scope": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scopeType"
+ },
+ "confidentialityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType"
+ },
+ "integrityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType"
+ },
+ "availabilityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType"
+ },
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType"
+ },
+ "exploitCodeMaturity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/exploitCodeMaturityType"
+ },
+ "remediationLevel": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/remediationLevelType"
+ },
+ "reportConfidence": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/confidenceType"
+ },
+ "temporalScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType"
+ },
+ "temporalSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType"
+ },
+ "confidentialityRequirement": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType"
+ },
+ "integrityRequirement": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType"
+ },
+ "availabilityRequirement": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType"
+ },
+ "modifiedAttackVector": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedAttackVectorType"
+ },
+ "modifiedAttackComplexity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedAttackComplexityType"
+ },
+ "modifiedPrivilegesRequired": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedPrivilegesRequiredType"
+ },
+ "modifiedUserInteraction": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedUserInteractionType"
+ },
+ "modifiedScope": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedScopeType"
+ },
+ "modifiedConfidentialityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType"
+ },
+ "modifiedIntegrityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType"
+ },
+ "modifiedAvailabilityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType"
+ },
+ "environmentalScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType"
+ },
+ "environmentalSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType"
+ }
+ },
+ "anyOf": [
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/noneScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/noneSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/lowScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/lowSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/mediumScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/mediumSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/highScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/highSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/criticalScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/criticalSeverityType"
+ }
+ }
+ }
+ ],
+ "required": [
+ "version",
+ "vectorString",
+ "baseScore",
+ "baseSeverity"
+ ],
+ "additionalProperties": false
+ },
+ "cvssV3_0": {
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "title": "JSON Schema for Common Vulnerability Scoring System version 3.0",
+ "type": "object",
+ "definitions": {
+ "attackVectorType": {
+ "type": "string",
+ "enum": [
+ "NETWORK",
+ "ADJACENT_NETWORK",
+ "LOCAL",
+ "PHYSICAL"
+ ]
+ },
+ "modifiedAttackVectorType": {
+ "type": "string",
+ "enum": [
+ "NETWORK",
+ "ADJACENT_NETWORK",
+ "LOCAL",
+ "PHYSICAL",
+ "NOT_DEFINED"
+ ]
+ },
+ "attackComplexityType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "LOW"
+ ]
+ },
+ "modifiedAttackComplexityType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "LOW",
+ "NOT_DEFINED"
+ ]
+ },
+ "privilegesRequiredType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "LOW",
+ "NONE"
+ ]
+ },
+ "modifiedPrivilegesRequiredType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "LOW",
+ "NONE",
+ "NOT_DEFINED"
+ ]
+ },
+ "userInteractionType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "REQUIRED"
+ ]
+ },
+ "modifiedUserInteractionType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "REQUIRED",
+ "NOT_DEFINED"
+ ]
+ },
+ "scopeType": {
+ "type": "string",
+ "enum": [
+ "UNCHANGED",
+ "CHANGED"
+ ]
+ },
+ "modifiedScopeType": {
+ "type": "string",
+ "enum": [
+ "UNCHANGED",
+ "CHANGED",
+ "NOT_DEFINED"
+ ]
+ },
+ "ciaType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "HIGH"
+ ]
+ },
+ "modifiedCiaType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "HIGH",
+ "NOT_DEFINED"
+ ]
+ },
+ "exploitCodeMaturityType": {
+ "type": "string",
+ "enum": [
+ "UNPROVEN",
+ "PROOF_OF_CONCEPT",
+ "FUNCTIONAL",
+ "HIGH",
+ "NOT_DEFINED"
+ ]
+ },
+ "remediationLevelType": {
+ "type": "string",
+ "enum": [
+ "OFFICIAL_FIX",
+ "TEMPORARY_FIX",
+ "WORKAROUND",
+ "UNAVAILABLE",
+ "NOT_DEFINED"
+ ]
+ },
+ "confidenceType": {
+ "type": "string",
+ "enum": [
+ "UNKNOWN",
+ "REASONABLE",
+ "CONFIRMED",
+ "NOT_DEFINED"
+ ]
+ },
+ "ciaRequirementType": {
+ "type": "string",
+ "enum": [
+ "LOW",
+ "MEDIUM",
+ "HIGH",
+ "NOT_DEFINED"
+ ]
+ },
+ "scoreType": {
+ "type": "number",
+ "enum": [
+ 0,
+ 0.1,
+ 0.2,
+ 0.3,
+ 0.4,
+ 0.5,
+ 0.6,
+ 0.7,
+ 0.8,
+ 0.9,
+ 1,
+ 1.1,
+ 1.2,
+ 1.3,
+ 1.4,
+ 1.5,
+ 1.6,
+ 1.7,
+ 1.8,
+ 1.9,
+ 2,
+ 2.1,
+ 2.2,
+ 2.3,
+ 2.4,
+ 2.5,
+ 2.6,
+ 2.7,
+ 2.8,
+ 2.9,
+ 3,
+ 3.1,
+ 3.2,
+ 3.3,
+ 3.4,
+ 3.5,
+ 3.6,
+ 3.7,
+ 3.8,
+ 3.9,
+ 4,
+ 4.1,
+ 4.2,
+ 4.3,
+ 4.4,
+ 4.5,
+ 4.6,
+ 4.7,
+ 4.8,
+ 4.9,
+ 5,
+ 5.1,
+ 5.2,
+ 5.3,
+ 5.4,
+ 5.5,
+ 5.6,
+ 5.7,
+ 5.8,
+ 5.9,
+ 6,
+ 6.1,
+ 6.2,
+ 6.3,
+ 6.4,
+ 6.5,
+ 6.6,
+ 6.7,
+ 6.8,
+ 6.9,
+ 7,
+ 7.1,
+ 7.2,
+ 7.3,
+ 7.4,
+ 7.5,
+ 7.6,
+ 7.7,
+ 7.8,
+ 7.9,
+ 8,
+ 8.1,
+ 8.2,
+ 8.3,
+ 8.4,
+ 8.5,
+ 8.6,
+ 8.7,
+ 8.8,
+ 8.9,
+ 9,
+ 9.1,
+ 9.2,
+ 9.3,
+ 9.4,
+ 9.5,
+ 9.6,
+ 9.7,
+ 9.8,
+ 9.9,
+ 10
+ ]
+ },
+ "noneScoreType": {
+ "type": "number",
+ "minimum": 0,
+ "maximum": 0
+ },
+ "lowScoreType": {
+ "type": "number",
+ "enum": [
+ 0.1,
+ 0.2,
+ 0.3,
+ 0.4,
+ 0.5,
+ 0.6,
+ 0.7,
+ 0.8,
+ 0.9,
+ 1,
+ 1.1,
+ 1.2,
+ 1.3,
+ 1.4,
+ 1.5,
+ 1.6,
+ 1.7,
+ 1.8,
+ 1.9,
+ 2,
+ 2.1,
+ 2.2,
+ 2.3,
+ 2.4,
+ 2.5,
+ 2.6,
+ 2.7,
+ 2.8,
+ 2.9,
+ 3,
+ 3.1,
+ 3.2,
+ 3.3,
+ 3.4,
+ 3.5,
+ 3.6,
+ 3.7,
+ 3.8,
+ 3.9
+ ]
+ },
+ "mediumScoreType": {
+ "type": "number",
+ "enum": [
+ 4,
+ 4.1,
+ 4.2,
+ 4.3,
+ 4.4,
+ 4.5,
+ 4.6,
+ 4.7,
+ 4.8,
+ 4.9,
+ 5,
+ 5.1,
+ 5.2,
+ 5.3,
+ 5.4,
+ 5.5,
+ 5.6,
+ 5.7,
+ 5.8,
+ 5.9,
+ 6,
+ 6.1,
+ 6.2,
+ 6.3,
+ 6.4,
+ 6.5,
+ 6.6,
+ 6.7,
+ 6.8,
+ 6.9
+ ]
+ },
+ "highScoreType": {
+ "type": "number",
+ "enum": [
+ 7,
+ 7.1,
+ 7.2,
+ 7.3,
+ 7.4,
+ 7.5,
+ 7.6,
+ 7.7,
+ 7.8,
+ 7.9,
+ 8,
+ 8.1,
+ 8.2,
+ 8.3,
+ 8.4,
+ 8.5,
+ 8.6,
+ 8.7,
+ 8.8,
+ 8.9
+ ]
+ },
+ "criticalScoreType": {
+ "type": "number",
+ "enum": [
+ 9,
+ 9.1,
+ 9.2,
+ 9.3,
+ 9.4,
+ 9.5,
+ 9.6,
+ 9.7,
+ 9.8,
+ 9.9,
+ 10
+ ]
+ },
+ "severityType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "MEDIUM",
+ "HIGH",
+ "CRITICAL"
+ ]
+ },
+ "noneSeverityType": {
+ "const": "NONE"
+ },
+ "lowSeverityType": {
+ "const": "LOW"
+ },
+ "mediumSeverityType": {
+ "const": "MEDIUM"
+ },
+ "highSeverityType": {
+ "const": "HIGH"
+ },
+ "criticalSeverityType": {
+ "const": "CRITICAL"
+ }
+ },
+ "properties": {
+ "version": {
+ "description": "CVSS Version",
+ "type": "string",
+ "enum": [
+ "3.0"
+ ]
+ },
+ "vectorString": {
+ "type": "string",
+ "pattern": "^CVSS:3[.]0/((AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$"
+ },
+ "attackVector": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/attackVectorType"
+ },
+ "attackComplexity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/attackComplexityType"
+ },
+ "privilegesRequired": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/privilegesRequiredType"
+ },
+ "userInteraction": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/userInteractionType"
+ },
+ "scope": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scopeType"
+ },
+ "confidentialityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType"
+ },
+ "integrityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType"
+ },
+ "availabilityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType"
+ },
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType"
+ },
+ "exploitCodeMaturity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/exploitCodeMaturityType"
+ },
+ "remediationLevel": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/remediationLevelType"
+ },
+ "reportConfidence": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/confidenceType"
+ },
+ "temporalScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType"
+ },
+ "temporalSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType"
+ },
+ "confidentialityRequirement": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType"
+ },
+ "integrityRequirement": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType"
+ },
+ "availabilityRequirement": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType"
+ },
+ "modifiedAttackVector": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedAttackVectorType"
+ },
+ "modifiedAttackComplexity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedAttackComplexityType"
+ },
+ "modifiedPrivilegesRequired": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedPrivilegesRequiredType"
+ },
+ "modifiedUserInteraction": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedUserInteractionType"
+ },
+ "modifiedScope": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedScopeType"
+ },
+ "modifiedConfidentialityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType"
+ },
+ "modifiedIntegrityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType"
+ },
+ "modifiedAvailabilityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType"
+ },
+ "environmentalScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType"
+ },
+ "environmentalSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType"
+ }
+ },
+ "anyOf": [
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/noneScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/noneSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/lowScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/lowSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/mediumScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/mediumSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/highScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/highSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/criticalScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/criticalSeverityType"
+ }
+ }
+ }
+ ],
+ "required": [
+ "version",
+ "vectorString",
+ "baseScore",
+ "baseSeverity"
+ ],
+ "additionalProperties": false
+ },
+ "cvssV2_0": {
+ "$schema": "http://json-schema.org/draft-04/schema#",
+ "title": "JSON Schema for Common Vulnerability Scoring System version 2.0",
+ "type": "object",
+ "definitions": {
+ "accessVectorType": {
+ "type": "string",
+ "enum": [
+ "NETWORK",
+ "ADJACENT_NETWORK",
+ "LOCAL"
+ ]
+ },
+ "accessComplexityType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "MEDIUM",
+ "LOW"
+ ]
+ },
+ "authenticationType": {
+ "type": "string",
+ "enum": [
+ "MULTIPLE",
+ "SINGLE",
+ "NONE"
+ ]
+ },
+ "ciaType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "PARTIAL",
+ "COMPLETE"
+ ]
+ },
+ "exploitabilityType": {
+ "type": "string",
+ "enum": [
+ "UNPROVEN",
+ "PROOF_OF_CONCEPT",
+ "FUNCTIONAL",
+ "HIGH",
+ "NOT_DEFINED"
+ ]
+ },
+ "remediationLevelType": {
+ "type": "string",
+ "enum": [
+ "OFFICIAL_FIX",
+ "TEMPORARY_FIX",
+ "WORKAROUND",
+ "UNAVAILABLE",
+ "NOT_DEFINED"
+ ]
+ },
+ "reportConfidenceType": {
+ "type": "string",
+ "enum": [
+ "UNCONFIRMED",
+ "UNCORROBORATED",
+ "CONFIRMED",
+ "NOT_DEFINED"
+ ]
+ },
+ "collateralDamagePotentialType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "LOW_MEDIUM",
+ "MEDIUM_HIGH",
+ "HIGH",
+ "NOT_DEFINED"
+ ]
+ },
+ "targetDistributionType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "MEDIUM",
+ "HIGH",
+ "NOT_DEFINED"
+ ]
+ },
+ "ciaRequirementType": {
+ "type": "string",
+ "enum": [
+ "LOW",
+ "MEDIUM",
+ "HIGH",
+ "NOT_DEFINED"
+ ]
+ },
+ "scoreType": {
+ "type": "number",
+ "minimum": 0,
+ "maximum": 10
+ }
+ },
+ "properties": {
+ "version": {
+ "description": "CVSS Version",
+ "type": "string",
+ "enum": [
+ "2.0"
+ ]
+ },
+ "vectorString": {
+ "type": "string",
+ "pattern": "^((AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))/)*(AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))$"
+ },
+ "accessVector": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/accessVectorType"
+ },
+ "accessComplexity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/accessComplexityType"
+ },
+ "authentication": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/authenticationType"
+ },
+ "confidentialityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType"
+ },
+ "integrityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType"
+ },
+ "availabilityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType"
+ },
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType"
+ },
+ "exploitability": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/exploitabilityType"
+ },
+ "remediationLevel": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/remediationLevelType"
+ },
+ "reportConfidence": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/reportConfidenceType"
+ },
+ "temporalScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType"
+ },
+ "collateralDamagePotential": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/collateralDamagePotentialType"
+ },
+ "targetDistribution": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/targetDistributionType"
+ },
+ "confidentialityRequirement": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType"
+ },
+ "integrityRequirement": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType"
+ },
+ "availabilityRequirement": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType"
+ },
+ "environmentalScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType"
+ }
+ },
+ "required": [
+ "version",
+ "vectorString",
+ "baseScore"
+ ],
+ "additionalProperties": false
+ },
+ "other": {
+ "type": "object",
+ "description": "A non-standard impact description, may be prose or JSON block.",
+ "required": [
+ "type",
+ "content"
+ ],
+ "properties": {
+ "type": {
+ "description": "Name of the non-standard impact metrics format used.",
+ "type": "string",
+ "minLength": 1,
+ "maxLength": 128
+ },
+ "content": {
+ "type": "object",
+ "$comment": "additionalProperties are allowed here, since this construct supports arbitrary JSON.",
+ "description": "JSON object not covered by another metrics format.",
+ "minProperties": 1
+ }
+ },
+ "additionalProperties": false
+ }
+ },
+ "additionalProperties": false
+ }
+ },
+ "configurations": {
+ "type": "array",
+ "description": "Configurations required for exploiting this vulnerability.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/definitions/description"
+ }
+ },
+ "workarounds": {
+ "type": "array",
+ "description": "Workarounds and mitigations for this vulnerability.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/definitions/description"
+ }
+ },
+ "solutions": {
+ "type": "array",
+ "description": "Information about solutions or remediations available for this vulnerability.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/definitions/description"
+ }
+ },
+ "exploits": {
+ "type": "array",
+ "description": "Information about exploits of the vulnerability.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/definitions/description"
+ }
+ },
+ "timeline": {
+ "type": "array",
+ "description": "This is timeline information for significant events about this vulnerability or changes to the CVE Record.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "required": [
+ "time",
+ "lang",
+ "value"
+ ],
+ "properties": {
+ "time": {
+ "description": "Timestamp representing when the event in the timeline occurred. The timestamp format is based on RFC3339 and ISO ISO8601, with an optional timezone. yyyy-MM-ddTHH:mm:ss[+-]ZH:ZM - if the timezone offset is not given, GMT (+00:00) is assumed.",
+ "$ref": "#/definitions/timestamp"
+ },
+ "lang": {
+ "description": "The language used in the description of the event. The language field is included so that CVE Records can support translations. The value must be a BCP 47 language code.",
+ "$ref": "#/definitions/language"
+ },
+ "value": {
+ "description": "A summary of the event.",
+ "type": "string",
+ "minLength": 1,
+ "maxLength": 4096
+ }
+ },
+ "additionalProperties": false
+ }
+ },
+ "credits": {
+ "type": "array",
+ "description": "Statements acknowledging specific people, organizations, or tools recognizing the work done in researching, discovering, remediating or helping with activities related to this CVE.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "properties": {
+ "lang": {
+ "description": "The language used when describing the credits. The language field is included so that CVE Records can support translations. The value must be a BCP 47 language code.",
+ "$ref": "#/definitions/language"
+ },
+ "value": {
+ "type": "string",
+ "minLength": 1,
+ "maxLength": 4096
+ },
+ "user": {
+ "description": "UUID of the user being credited if present in the CVE User Registry (optional). This UUID can be used to lookup the user record in the user registry service.",
+ "$ref": "#/definitions/uuidType"
+ },
+ "type": {
+ "type": "string",
+ "description": "Type or role of the entity being credited (optional). finder: identifies the vulnerability.\nreporter: notifies the vendor of the vulnerability to a CNA.\nanalyst: validates the vulnerability to ensure accuracy or severity.\ncoordinator: facilitates the coordinated response process.\nremediation developer: prepares a code change or other remediation plans.\nremediation reviewer: reviews vulnerability remediation plans or code changes for effectiveness and completeness.\nremediation verifier: tests and verifies the vulnerability or its remediation.\ntool: names of tools used in vulnerability discovery or identification.\nsponsor: supports the vulnerability identification or remediation activities.",
+ "default": "finder",
+ "enum": [
+ "finder",
+ "reporter",
+ "analyst",
+ "coordinator",
+ "remediation developer",
+ "remediation reviewer",
+ "remediation verifier",
+ "tool",
+ "sponsor",
+ "other"
+ ]
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ "lang",
+ "value"
+ ]
+ }
+ },
+ "source": {
+ "type": "object",
+ "description": "This is the source information (who discovered it, who researched it, etc.) and optionally a chain of CNA information (e.g. the originating CNA and subsequent parent CNAs who have processed it before it arrives at the MITRE root).\n Must contain: IF this is in the root level it MUST contain a CNA_chain entry, IF this source entry is NOT in the root (e.g. it is part of a vendor statement) then it must contain at least one type of data entry.",
+ "minProperties": 1
+ },
+ "language": {
+ "type": "string",
+ "description": "BCP 47 language code, language-region.",
+ "default": "en",
+ "pattern": "^[A-Za-z]{2,4}([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$"
+ },
+ "englishLanguage": {
+ "type": "string",
+ "description": "BCP 47 language code, language-region, required to be English.",
+ "pattern": "^en([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$"
+ },
+ "taxonomyMappings": {
+ "type": "array",
+ "description": "List of taxonomy items related to the vulnerability.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "description": "A taxonomy mapping object identifies the taxonomy by a name and version (eg., ATT&CK v13.1, CVSS 3.1, CWE 4.12) along with a list of relations relevant to this CVE.",
+ "required": [
+ "taxonomyName",
+ "taxonomyRelations"
+ ],
+ "properties": {
+ "taxonomyName": {
+ "type": "string",
+ "description": "The name of the taxonomy, eg., ATT&CK, D3FEND, CWE, CVSS",
+ "minLength": 1,
+ "maxLength": 128
+ },
+ "taxonomyVersion": {
+ "type": "string",
+ "description": "The version of taxonomy the identifiers come from.",
+ "minLength": 1,
+ "maxLength": 128
+ },
+ "taxonomyRelations": {
+ "type": "array",
+ "description": "List of relationships to the taxonomy for the vulnerability.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "description": "A relationship between the taxonomy and the CVE or two taxonomy items.",
+ "required": [
+ "taxonomyId",
+ "relationshipName",
+ "relationshipValue"
+ ],
+ "properties": {
+ "taxonomyId": {
+ "type": "string",
+ "description": "Identifier of the item in the taxonomy. Used as the subject of the relationship.",
+ "minLength": 1,
+ "maxLength": 2048
+ },
+ "relationshipName": {
+ "type": "string",
+ "description": "A description of the relationship.",
+ "minLength": 1,
+ "maxLength": 128
+ },
+ "relationshipValue": {
+ "type": "string",
+ "description": "The target of the relationship. Can be the CVE ID or another taxonomy identifier.",
+ "minLength": 1,
+ "maxLength": 2048
+ }
+ },
+ "additionalProperties": false
+ }
+ }
+ },
+ "additionalProperties": false
+ }
+ },
+ "tagExtension": {
+ "type": "string",
+ "minLength": 2,
+ "maxLength": 128,
+ "pattern": "^x_.*$",
+ "$comment": "These values are not used as JSON property names, so there is not a need to work-around property naming limitations in some common implementations."
+ },
+ "cnaTags": {
+ "type": "array",
+ "description": "Tags provided by a CNA describing the CVE Record.",
+ "uniqueItems": true,
+ "minItems": 1,
+ "items": {
+ "oneOf": [
+ {
+ "$ref": "#/definitions/tagExtension"
+ },
+ {
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "$id": "https://cve.mitre.org/cve/v5_00/tags/cna/",
+ "type": "string",
+ "description": "exclusively-hosted-service: All known software and/or hardware affected by this CVE Record is known to exist only in the affected hosted service. If the vulnerability affects both hosted and on-prem software and/or hardware, then the tag should not be used.\n\nunsupported-when-assigned: Used by the assigning CNA to indicate that when a request for a CVE assignment was received, the product was already end-of-life (EOL) or a product or specific version was deemed not to be supported by the vendor. This tag should only be applied to a CVE Record when all affected products or version lines referenced in the CVE-Record are EOL.\n\ndisputed: When one party disagrees with another party's assertion that a particular issue in software is a vulnerability, a CVE Record assigned to that issue may be tagged as being 'disputed'.",
+ "enum": [
+ "unsupported-when-assigned",
+ "exclusively-hosted-service",
+ "disputed"
+ ]
+ }
+ ]
+ }
+ },
+ "adpTags": {
+ "type": "array",
+ "description": "Tags provided by an ADP describing the CVE Record.",
+ "uniqueItems": true,
+ "minItems": 1,
+ "items": {
+ "oneOf": [
+ {
+ "$ref": "#/definitions/tagExtension"
+ },
+ {
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "$id": "https://cve.mitre.org/cve/v5_00/tags/adp/",
+ "type": "string",
+ "description": "disputed: When one party disagrees with another party's assertion that a particular issue in software is a vulnerability, a CVE Record assigned to that issue may be tagged as being 'disputed'.",
+ "enum": [
+ "disputed"
+ ]
+ }
+ ]
+ }
+ }
+ },
+ "properties": {
+ "adpContainer": {
+ "$ref": "#/definitions/adpContainer"
+ }
+ },
+ "additionalProperties": false
+}
\ No newline at end of file
diff --git a/schema/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json b/schema/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json
new file mode 100644
index 00000000000..db7dffd02ce
--- /dev/null
+++ b/schema/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json
@@ -0,0 +1,3341 @@
+{
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "$id": "https://cveproject.github.io/cve-schema/schema/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json",
+ "title": "CVE JSON cnaPublishedContainer sub schema",
+ "description": "CVE JSON cnaPublishedContainer format",
+ "definitions": {
+ "uriType": {
+ "description": "A universal resource identifier (URI), according to [RFC 3986](https://tools.ietf.org/html/rfc3986).",
+ "type": "string",
+ "format": "uri",
+ "minLength": 1,
+ "maxLength": 2048
+ },
+ "uuidType": {
+ "description": "A version 4 (random) universally unique identifier (UUID) as defined by [RFC 4122](https://tools.ietf.org/html/rfc4122#section-4.1.3).",
+ "type": "string",
+ "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
+ },
+ "reference": {
+ "type": "object",
+ "required": [
+ "url"
+ ],
+ "properties": {
+ "url": {
+ "description": "The uniform resource locator (URL), according to [RFC 3986](https://tools.ietf.org/html/rfc3986#section-1.1.3), that can be used to retrieve the referenced resource.",
+ "$ref": "#/definitions/uriType"
+ },
+ "name": {
+ "description": "User created name for the reference, often the title of the page.",
+ "type": "string",
+ "maxLength": 512,
+ "minLength": 1
+ },
+ "tags": {
+ "description": "An array of one or more tags that describe the resource referenced by 'url'.",
+ "type": "array",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "oneOf": [
+ {
+ "$ref": "#/definitions/tagExtension"
+ },
+ {
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "$id": "https://cve.mitre.org/cve/v5_00/tags/reference/",
+ "type": "string",
+ "description": "broken-link: The reference link is returning a 404 error, or the site is no longer online.\n\ncustomer-entitlement: Similar to Privileges Required, but specific to references that require non-public/paid access for customers of the particular vendor.\n\nexploit: Reference contains an in-depth/detailed description of steps to exploit a vulnerability OR the reference contains any legitimate Proof of Concept (PoC) code or exploit kit.\n\ngovernment-resource: All reference links that are from a government agency or organization should be given the Government Resource tag.\n\nissue-tracking: The reference is a post from a bug tracking tool such as MantisBT, Bugzilla, JIRA, Github Issues, etc...\n\nmailing-list: The reference is from a mailing list -- often specific to a product or vendor.\n\nmitigation: The reference contains information on steps to mitigate against the vulnerability in the event a patch can't be applied or is unavailable or for EOL product situations.\n\nnot-applicable: The reference link is not applicable to the vulnerability and was likely associated by MITRE accidentally (should be used sparingly).\n\npatch: The reference contains an update to the software that fixes the vulnerability.\n\npermissions-required: The reference link provided is blocked by a logon page. If credentials are required to see any information this tag must be applied.\n\nmedia-coverage: The reference is from a media outlet such as a newspaper, magazine, social media, or weblog. This tag is not intended to apply to any individual's personal social media account. 
It is strictly intended for public media entities.\n\nproduct: A reference appropriate for describing a product for the purpose of CPE or SWID.\n\nrelated: A reference that is for a related (but not the same) vulnerability.\n\nrelease-notes: The reference is in the format of a vendor or open source project's release notes or change log.\n\nsignature: The reference contains a method to detect or prevent the presence or exploitation of the vulnerability.\n\ntechnical-description: The reference contains in-depth technical information about a vulnerability and its exploitation process, typically in the form of a presentation or whitepaper.\n\nthird-party-advisory: Advisory is from an organization that is not the vulnerable product's vendor/publisher/maintainer.\n\nvendor-advisory: Advisory is from the vendor/publisher/maintainer of the product or the parent organization.\n\nvdb-entry: VDBs are loosely defined as sites that provide information about this vulnerability, such as advisories, with identifiers. Included VDBs are free to access, substantially public, and have broad scope and coverage (not limited to a single vendor or research organization). See: https://www.first.org/global/sigs/vrdx/vdb-catalog",
+ "enum": [
+ "broken-link",
+ "customer-entitlement",
+ "exploit",
+ "government-resource",
+ "issue-tracking",
+ "mailing-list",
+ "mitigation",
+ "not-applicable",
+ "patch",
+ "permissions-required",
+ "media-coverage",
+ "product",
+ "related",
+ "release-notes",
+ "signature",
+ "technical-description",
+ "third-party-advisory",
+ "vendor-advisory",
+ "vdb-entry"
+ ]
+ }
+ ]
+ }
+ }
+ },
+ "additionalProperties": false
+ },
+ "cveId": {
+ "type": "string",
+ "pattern": "^CVE-[0-9]{4}-[0-9]{4,19}$"
+ },
+ "orgId": {
+ "description": "A UUID for an organization participating in the CVE program. This UUID can be used to lookup the organization record in the user registry service.",
+ "$ref": "#/definitions/uuidType"
+ },
+ "userId": {
+ "description": "A UUID for a user participating in the CVE program. This UUID can be used to lookup the user record in the user registry service.",
+ "$ref": "#/definitions/uuidType"
+ },
+ "shortName": {
+ "description": "A 2-32 character name that can be used to complement an organization's UUID.",
+ "type": "string",
+ "minLength": 2,
+ "maxLength": 32
+ },
+ "datestamp": {
+ "description": "Date/time format based on RFC3339 and ISO ISO8601.",
+ "type": "string",
+ "format": "date",
+ "pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))$"
+ },
+ "timestamp": {
+ "type": "string",
+ "description": "Date/time format based on RFC3339 and ISO ISO8601, with an optional timezone in the format 'yyyy-MM-ddTHH:mm:ss[+-]ZH:ZM'. If timezone offset is not given, GMT (+00:00) is assumed.",
+ "pattern": "^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})?$"
+ },
+ "version": {
+ "description": "A single version of a product, as expressed in its own version numbering scheme.",
+ "type": "string",
+ "minLength": 1,
+ "maxLength": 1024
+ },
+ "status": {
+ "description": "The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.",
+ "type": "string",
+ "enum": [
+ "affected",
+ "unaffected",
+ "unknown"
+ ]
+ },
+ "product": {
+ "type": "object",
+ "description": "Provides information about the set of products and services affected by this vulnerability.",
+ "allOf": [
+ {
+ "anyOf": [
+ {
+ "required": [
+ "vendor",
+ "product"
+ ]
+ },
+ {
+ "required": [
+ "collectionURL",
+ "packageName"
+ ]
+ }
+ ]
+ },
+ {
+ "anyOf": [
+ {
+ "required": [
+ "versions"
+ ]
+ },
+ {
+ "required": [
+ "defaultStatus"
+ ]
+ }
+ ]
+ }
+ ],
+ "properties": {
+ "vendor": {
+ "type": "string",
+ "description": "Name of the organization, project, community, individual, or user that created or maintains this product or hosted service. Can be 'N/A' if none of those apply. When collectionURL and packageName are used, this field may optionally represent the user or account within the package collection associated with the package.",
+ "minLength": 1,
+ "maxLength": 512
+ },
+ "product": {
+ "type": "string",
+ "description": "Name of the affected product.",
+ "minLength": 1,
+ "maxLength": 2048
+ },
+ "collectionURL": {
+ "description": "URL identifying a package collection (determines the meaning of packageName).",
+ "$ref": "#/definitions/uriType",
+ "examples": [
+ "https://access.redhat.com/downloads/content/package-browser",
+ "https://addons.mozilla.org",
+ "https://addons.thunderbird.net",
+ "https://anaconda.org/anaconda/repo",
+ "https://app.vagrantup.com/boxes/search",
+ "https://apps.apple.com",
+ "https://archlinux.org/packages",
+ "https://atmospherejs.meteor.com",
+ "https://atom.io/packages",
+ "https://bitbucket.org",
+ "https://bower.io",
+ "https://brew.sh/",
+ "https://chocolatey.org/packages",
+ "https://chrome.google.com/webstore",
+ "https://clojars.org",
+ "https://cocoapods.org",
+ "https://code.dlang.org",
+ "https://conan.io/center",
+ "https://cpan.org/modules",
+ "https://cran.r-project.org",
+ "https://crates.io",
+ "https://ctan.org/pkg",
+ "https://drupal.org",
+ "https://exchange.adobe.com",
+ "https://forge.puppet.com/modules",
+ "https://github.com",
+ "https://gitlab.com/explore",
+ "https://golang.org/pkg",
+ "https://guix.gnu.org/packages",
+ "https://hackage.haskell.org",
+ "https://helm.sh",
+ "https://hub.docker.com",
+ "https://juliahub.com",
+ "https://lib.haxe.org",
+ "https://luarocks.org",
+ "https://marketplace.visualstudio.com",
+ "https://melpa.org",
+ "https://microsoft.com/en-us/store/apps",
+ "https://nimble.directory",
+ "https://nuget.org/packages",
+ "https://opam.ocaml.org/packages",
+ "https://openwrt.org/packages/index",
+ "https://package.elm-lang.org",
+ "https://packagecontrol.io",
+ "https://packages.debian.org",
+ "https://packages.gentoo.org",
+ "https://packagist.org",
+ "https://pear.php.net/packages.php",
+ "https://pecl.php.net",
+ "https://platformio.org/lib",
+ "https://play.google.com/store",
+ "https://plugins.gradle.org",
+ "https://projects.eclipse.org",
+ "https://pub.dev",
+ "https://pypi.python.org",
+ "https://registry.npmjs.org",
+ "https://registry.terraform.io",
+ "https://repo.hex.pm",
+ "https://repo.maven.apache.org/maven2",
+ "https://rubygems.org",
+ "https://search.nixos.org/packages",
+ "https://sourceforge.net",
+ "https://wordpress.org/plugins"
+ ]
+ },
+ "packageName": {
+ "type": "string",
+ "description": "Name or identifier of the affected software package as used in the package collection.",
+ "minLength": 1,
+ "maxLength": 2048
+ },
+ "cpes": {
+ "type": "array",
+ "description": "Affected products defined by CPE. This is an array of CPE values (vulnerable and not), we use an array so that we can make multiple statements about the same version and they are separate (if we used a JSON object we'd essentially be keying on the CPE name and they would have to overlap). Also, this allows things like cveDataVersion or cveDescription to be applied directly to the product entry. This also allows more complex statements such as \"Product X between versions 10.2 and 10.8\" to be put in a machine-readable format. As well since multiple statements can be used multiple branches of the same product can be defined here.",
+ "uniqueItems": true,
+ "items": {
+ "title": "CPE Name",
+ "type": "string",
+ "description": "Common Platform Enumeration (CPE) Name in either 2.2 or 2.3 format",
+ "pattern": "([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9._\\-~%]*){0,6})|(cpe:2\\.3:[aho*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){4})",
+ "minLength": 1,
+ "maxLength": 2048
+ }
+ },
+ "modules": {
+ "type": "array",
+ "description": "A list of the affected components, features, modules, sub-components, sub-products, APIs, commands, utilities, programs, or functionalities (optional).",
+ "uniqueItems": true,
+ "items": {
+ "type": "string",
+ "description": "Name of the affected component, feature, module, sub-component, sub-product, API, command, utility, program, or functionality (optional).",
+ "minLength": 1,
+ "maxLength": 4096
+ }
+ },
+ "programFiles": {
+ "type": "array",
+ "description": "A list of the affected source code files (optional).",
+ "uniqueItems": true,
+ "items": {
+ "description": "Name or path or location of the affected source code file.",
+ "type": "string",
+ "minLength": 1,
+ "maxLength": 1024
+ }
+ },
+ "programRoutines": {
+ "type": "array",
+ "description": "A list of the affected source code functions, methods, subroutines, or procedures (optional).",
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "description": "An object describing program routine.",
+ "required": [
+ "name"
+ ],
+ "properties": {
+ "name": {
+ "type": "string",
+ "description": "Name of the affected source code file, function, method, subroutine, or procedure.",
+ "minLength": 1,
+ "maxLength": 4096
+ }
+ },
+ "additionalProperties": false
+ }
+ },
+ "platforms": {
+ "title": "Platforms",
+ "description": "List of specific platforms if the vulnerability is only relevant in the context of these platforms (optional). Platforms may include execution environments, operating systems, virtualization technologies, hardware models, or computing architectures. The lack of this field or an empty array implies that the other fields are applicable to all relevant platforms.",
+ "type": "array",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "string",
+ "examples": [
+ "iOS",
+ "Android",
+ "Windows",
+ "macOS",
+ "x86",
+ "ARM",
+ "64 bit",
+ "Big Endian",
+ "iPad",
+ "Chromebook",
+ "Docker",
+ "Model T"
+ ],
+ "maxLength": 1024
+ }
+ },
+ "repo": {
+ "description": "The URL of the source code repository, for informational purposes and/or to resolve git hash version ranges.",
+ "$ref": "#/definitions/uriType"
+ },
+ "defaultStatus": {
+ "description": "The default status for versions that are not otherwise listed in the versions list. If not specified, defaultStatus defaults to 'unknown'. Versions or defaultStatus may be omitted, but not both.",
+ "$ref": "#/definitions/status"
+ },
+ "versions": {
+ "type": "array",
+ "description": "Set of product versions or version ranges related to the vulnerability. The versions satisfy the CNA Rules [8.1.2 requirement](https://cve.mitre.org/cve/cna/rules.html#section_8-1_cve_entry_information_requirements). Versions or defaultStatus may be omitted, but not both.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "description": "A single version or a range of versions, with vulnerability status.\n\nAn entry with only 'version' and 'status' indicates the status of a single version.\n\nOtherwise, an entry describes a range; it must include the 'versionType' property, to define the version numbering semantics in use, and 'limit', to indicate the non-inclusive upper limit of the range. The object describes the status for versions V such that 'version' <= V and V < 'limit', using the <= and < semantics defined for the specific kind of 'versionType'. Status changes within the range can be specified by an optional 'changes' list.\n\nThe algorithm to decide the status specified for a version V is:\n\n\tfor entry in product.versions {\n\t\tif entry.lessThan is not present and entry.lessThanOrEqual is not present and v == entry.version {\n\t\t\treturn entry.status\n\t\t}\n\t\tif (entry.lessThan is present and entry.version <= v and v < entry.lessThan) or\n\t\t (entry.lessThanOrEqual is present and entry.version <= v and v <= entry.lessThanOrEqual) { // <= and < defined by entry.versionType\n\t\t\tstatus = entry.status\n\t\t\tfor change in entry.changes {\n\t\t\t\tif change.at <= v {\n\t\t\t\t\tstatus = change.status\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn status\n\t\t}\n\t}\n\treturn product.defaultStatus\n\n.",
+ "oneOf": [
+ {
+ "required": [
+ "version",
+ "status"
+ ],
+ "maxProperties": 2
+ },
+ {
+ "required": [
+ "version",
+ "status",
+ "versionType"
+ ],
+ "maxProperties": 3
+ },
+ {
+ "required": [
+ "version",
+ "status",
+ "versionType",
+ "lessThan"
+ ]
+ },
+ {
+ "required": [
+ "version",
+ "status",
+ "versionType",
+ "lessThanOrEqual"
+ ]
+ }
+ ],
+ "properties": {
+ "version": {
+ "description": "The single version being described, or the version at the start of the range. By convention, typically 0 denotes the earliest possible version.",
+ "$ref": "#/definitions/version"
+ },
+ "status": {
+ "description": "The vulnerability status for the version or range of versions. For a range, the status may be refined by the 'changes' list.",
+ "$ref": "#/definitions/status"
+ },
+ "versionType": {
+ "type": "string",
+ "description": "The version numbering system used for specifying the range. This defines the exact semantics of the comparison (less-than) operation on versions, which is required to understand the range itself. 'Custom' indicates that the version type is unspecified and should be avoided whenever possible. It is included primarily for use in conversion of older data files.",
+ "minLength": 1,
+ "maxLength": 128,
+ "examples": [
+ "custom",
+ "git",
+ "maven",
+ "python",
+ "rpm",
+ "semver"
+ ]
+ },
+ "lessThan": {
+ "description": "The non-inclusive upper limit of the range. This is the least version NOT in the range. The usual version syntax is expanded to allow a pattern to end in an asterisk `(*)`, indicating an arbitrarily large number in the version ordering. For example, `{version: 1.0 lessThan: 1.*}` would describe the entire 1.X branch for most range kinds, and `{version: 2.0, lessThan: *}` describes all versions starting at 2.0, including 3.0, 5.1, and so on. Only one of lessThan and lessThanOrEqual should be specified.",
+ "$ref": "#/definitions/version"
+ },
+ "lessThanOrEqual": {
+ "description": "The inclusive upper limit of the range. This is the greatest version contained in the range. Only one of lessThan and lessThanOrEqual should be specified. For example, `{version: 1.0, lessThanOrEqual: 1.3}` covers all versions from 1.0 up to and including 1.3.",
+ "$ref": "#/definitions/version"
+ },
+ "changes": {
+ "type": "array",
+ "description": "A list of status changes that take place during the range. The array should be sorted in increasing order by the 'at' field, according to the versionType, but clients must re-sort the list themselves rather than assume it is sorted.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "description": "The start of a single status change during the range.",
+ "required": [
+ "at",
+ "status"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "at": {
+ "description": "The version at which a status change occurs.",
+ "$ref": "#/definitions/version"
+ },
+ "status": {
+ "description": "The new status in the range starting at the given version.",
+ "$ref": "#/definitions/status"
+ }
+ }
+ }
+ }
+ },
+ "additionalProperties": false
+ }
+ }
+ }
+ },
+ "dataType": {
+ "description": "Indicates the type of information represented in the JSON instance.",
+ "type": "string",
+ "enum": [
+ "CVE_RECORD"
+ ]
+ },
+ "dataVersion": {
+ "description": "The version of the CVE schema used for validating this record. Used to support multiple versions of this format.",
+ "type": "string",
+ "pattern": "^5\\.(0|[1-9][0-9]*)(\\.(0|[1-9][0-9]*))?$",
+ "default": "5.1.0"
+ },
+ "cveMetadataPublished": {
+ "description": "This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, the current state (PUBLISHED, REJECTED, etc.) and so on. These fields are controlled by the CVE Services.",
+ "type": "object",
+ "required": [
+ "cveId",
+ "assignerOrgId",
+ "state"
+ ],
+ "properties": {
+ "cveId": {
+ "description": "The CVE identifier that this record pertains to.",
+ "$ref": "#/definitions/cveId"
+ },
+ "assignerOrgId": {
+ "$ref": "#/definitions/orgId",
+ "description": "The UUID for the organization to which the CVE ID was originally assigned. This UUID can be used to lookup the organization record in the user registry service."
+ },
+ "assignerShortName": {
+ "$ref": "#/definitions/shortName",
+ "description": "The short name for the organization to which the CVE ID was originally assigned."
+ },
+ "requesterUserId": {
+ "$ref": "#/definitions/userId",
+ "description": "The user that requested the CVE identifier."
+ },
+ "dateUpdated": {
+ "description": "The date/time the record was last updated.",
+ "$ref": "#/definitions/timestamp"
+ },
+ "serial": {
+ "type": "integer",
+ "minimum": 1,
+ "description": "The system of record causes this to start at 1, and increment by 1 each time a submission from a data provider changes this CVE Record. The incremented value moves to the Rejected schema upon a PUBLISHED->REJECTED transition, and moves to the Published schema upon a REJECTED->PUBLISHED transition."
+ },
+ "dateReserved": {
+ "$ref": "#/definitions/timestamp",
+ "description": "The date/time this CVE ID was reserved in the CVE automation workgroup services system. Disclaimer: This date reflects when the CVE ID was reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE."
+ },
+ "datePublished": {
+ "$ref": "#/definitions/timestamp",
+ "description": "The date/time the CVE Record was first published in the CVE List."
+ },
+ "state": {
+ "description": "State of CVE - PUBLISHED, REJECTED.",
+ "type": "string",
+ "enum": [
+ "PUBLISHED"
+ ]
+ }
+ },
+ "additionalProperties": false
+ },
+ "cveMetadataRejected": {
+ "type": "object",
+ "description": "This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, the current state (PUBLISHED, REJECTED, etc.) and so on. These fields are controlled by the CVE Services.",
+ "required": [
+ "cveId",
+ "assignerOrgId",
+ "state"
+ ],
+ "properties": {
+ "cveId": {
+ "description": "The CVE identifier that this record pertains to.",
+ "$ref": "#/definitions/cveId"
+ },
+ "assignerOrgId": {
+ "$ref": "#/definitions/orgId",
+ "description": "The UUID for the organization to which the CVE ID was originally assigned."
+ },
+ "assignerShortName": {
+ "$ref": "#/definitions/shortName",
+ "description": "The short name for the organization to which the CVE ID was originally assigned."
+ },
+ "serial": {
+ "type": "integer",
+ "minimum": 1,
+ "description": "The system of record causes this to start at 1, and increment by 1 each time a submission from a data provider changes this CVE Record. The incremented value moves to the Rejected schema upon a PUBLISHED->REJECTED transition, and moves to the Published schema upon a REJECTED->PUBLISHED transition."
+ },
+ "dateUpdated": {
+ "description": "The date/time the record was last updated.",
+ "$ref": "#/definitions/timestamp"
+ },
+ "datePublished": {
+ "$ref": "#/definitions/timestamp",
+ "description": "The date/time the CVE Record was first published in the CVE List."
+ },
+ "dateRejected": {
+ "$ref": "#/definitions/timestamp",
+ "description": "The date/time the CVE ID was rejected."
+ },
+ "state": {
+ "type": "string",
+ "description": "State of CVE - PUBLISHED, REJECTED.",
+ "enum": [
+ "REJECTED"
+ ]
+ },
+ "dateReserved": {
+ "$ref": "#/definitions/timestamp",
+ "description": "The date/time this CVE ID was reserved in the CVE automation workgroup services system. Disclaimer: This date reflects when the CVE ID was reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE."
+ }
+ },
+ "additionalProperties": false
+ },
+ "providerMetadata": {
+ "type": "object",
+ "description": "Details related to the information container provider (CNA or ADP).",
+ "properties": {
+ "orgId": {
+ "$ref": "#/definitions/orgId",
+ "description": "The container provider's organizational UUID."
+ },
+ "shortName": {
+ "$ref": "#/definitions/shortName",
+ "description": "The container provider's organizational short name."
+ },
+ "dateUpdated": {
+ "$ref": "#/definitions/timestamp",
+ "description": "Timestamp to be set by the system of record at time of submission. If dateUpdated is provided to the system of record it will be replaced by the current timestamp at the time of submission."
+ }
+ },
+ "required": [
+ "orgId"
+ ],
+ "additionalProperties": false
+ },
+ "cnaPublishedContainer": {
+ "description": "An object containing the vulnerability information provided by a CVE Numbering Authority (CNA) for a published CVE ID. There can only be one CNA container per CVE record since there can only be one assigning CNA. The CNA container must include the required information defined in the CVE Rules, which includes a product, version, problem type, prose description, and a reference.",
+ "type": "object",
+ "properties": {
+ "providerMetadata": {
+ "$ref": "#/definitions/providerMetadata"
+ },
+ "dateAssigned": {
+ "$ref": "#/definitions/timestamp",
+ "description": "The date/time this CVE ID was associated with a vulnerability by a CNA."
+ },
+ "datePublic": {
+ "$ref": "#/definitions/timestamp",
+ "description": "If known, the date/time the vulnerability was disclosed publicly."
+ },
+ "title": {
+ "type": "string",
+ "description": "A title, headline, or a brief phrase summarizing the CVE record. Eg., Buffer overflow in Example Soft.",
+ "minLength": 1,
+ "maxLength": 256
+ },
+ "descriptions": {
+ "$ref": "#/definitions/descriptions"
+ },
+ "affected": {
+ "$ref": "#/definitions/affected"
+ },
+ "problemTypes": {
+ "$ref": "#/definitions/problemTypes"
+ },
+ "references": {
+ "$ref": "#/definitions/references"
+ },
+ "impacts": {
+ "$ref": "#/definitions/impacts"
+ },
+ "metrics": {
+ "$ref": "#/definitions/metrics"
+ },
+ "configurations": {
+ "$ref": "#/definitions/configurations"
+ },
+ "workarounds": {
+ "$ref": "#/definitions/workarounds"
+ },
+ "solutions": {
+ "$ref": "#/definitions/solutions"
+ },
+ "exploits": {
+ "$ref": "#/definitions/exploits"
+ },
+ "timeline": {
+ "$ref": "#/definitions/timeline"
+ },
+ "credits": {
+ "$ref": "#/definitions/credits"
+ },
+ "source": {
+ "$ref": "#/definitions/source"
+ },
+ "tags": {
+ "$ref": "#/definitions/cnaTags"
+ },
+ "taxonomyMappings": {
+ "$ref": "#/definitions/taxonomyMappings"
+ }
+ },
+ "required": [
+ "providerMetadata",
+ "descriptions",
+ "affected",
+ "references"
+ ],
+ "patternProperties": {
+ "^x_[^.]*$": {}
+ },
+ "$comment": "The character . is restricted in names allowed by patternProperties to work-around naming limitations in some common implementations.",
+ "additionalProperties": false
+ },
+ "cnaRejectedContainer": {
+ "description": "An object containing the vulnerability information provided by a CVE Numbering Authority (CNA) for a rejected CVE ID. There can only be one CNA container per CVE record since there can only be one assigning CNA.",
+ "type": "object",
+ "properties": {
+ "providerMetadata": {
+ "$ref": "#/definitions/providerMetadata"
+ },
+ "rejectedReasons": {
+ "description": "Reasons for rejecting this CVE Record.",
+ "$ref": "#/definitions/descriptions"
+ },
+ "replacedBy": {
+ "type": "array",
+ "description": "Contains an array of CVE IDs that this CVE ID was rejected in favor of because this CVE ID was assigned to the vulnerabilities.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/definitions/cveId"
+ }
+ }
+ },
+ "required": [
+ "providerMetadata",
+ "rejectedReasons"
+ ],
+ "patternProperties": {
+ "^x_[^.]*$": {}
+ },
+ "$comment": "The character . is restricted in names allowed by patternProperties to work-around naming limitations in some common implementations.",
+ "additionalProperties": false
+ },
+ "adpContainer": {
+ "description": "An object containing the vulnerability information provided by an Authorized Data Publisher (ADP). Since multiple ADPs can provide information for a CVE ID, an ADP container must indicate which ADP is the source of the information in the object.",
+ "type": "object",
+ "properties": {
+ "providerMetadata": {
+ "$ref": "#/definitions/providerMetadata"
+ },
+ "datePublic": {
+ "$ref": "#/definitions/timestamp",
+ "description": "If known, the date/time the vulnerability was disclosed publicly."
+ },
+ "title": {
+ "type": "string",
+ "description": "A title, headline, or a brief phrase summarizing the information in an ADP container.",
+ "minLength": 1,
+ "maxLength": 256
+ },
+ "descriptions": {
+ "$ref": "#/definitions/descriptions"
+ },
+ "affected": {
+ "$ref": "#/definitions/affected"
+ },
+ "problemTypes": {
+ "$ref": "#/definitions/problemTypes"
+ },
+ "references": {
+ "$ref": "#/definitions/references"
+ },
+ "impacts": {
+ "$ref": "#/definitions/impacts"
+ },
+ "metrics": {
+ "$ref": "#/definitions/metrics"
+ },
+ "configurations": {
+ "$ref": "#/definitions/configurations"
+ },
+ "workarounds": {
+ "$ref": "#/definitions/workarounds"
+ },
+ "solutions": {
+ "$ref": "#/definitions/solutions"
+ },
+ "exploits": {
+ "$ref": "#/definitions/exploits"
+ },
+ "timeline": {
+ "$ref": "#/definitions/timeline"
+ },
+ "credits": {
+ "$ref": "#/definitions/credits"
+ },
+ "source": {
+ "$ref": "#/definitions/source"
+ },
+ "tags": {
+ "$ref": "#/definitions/adpTags"
+ },
+ "taxonomyMappings": {
+ "$ref": "#/definitions/taxonomyMappings"
+ }
+ },
+ "required": [
+ "providerMetadata"
+ ],
+ "minProperties": 2,
+ "patternProperties": {
+ "^x_[^.]*$": {}
+ },
+ "$comment": "The character . is restricted in names allowed by patternProperties to work-around naming limitations in some common implementations.",
+ "additionalProperties": false
+ },
+ "affected": {
+ "type": "array",
+ "description": "List of affected products.",
+ "minItems": 1,
+ "items": {
+ "$ref": "#/definitions/product"
+ }
+ },
+ "description": {
+ "type": "object",
+ "description": "Text in a particular language with optional alternate markup or formatted representation (e.g., Markdown) or embedded media.",
+ "properties": {
+ "lang": {
+ "$ref": "#/definitions/language"
+ },
+ "value": {
+ "type": "string",
+ "description": "Plain text description.",
+ "minLength": 1,
+ "maxLength": 4096
+ },
+ "supportingMedia": {
+ "type": "array",
+ "title": "Supporting media",
+ "description": "Supporting media data for the description such as markdown, diagrams, .. (optional). Similar to RFC 2397 each media object has three main parts: media type, media data value, and an optional boolean flag to indicate if the media data is base64 encoded.",
+ "uniqueItems": true,
+ "minItems": 1,
+ "items": {
+ "type": "object",
+ "properties": {
+ "type": {
+ "type": "string",
+ "title": "Media type",
+ "minLength": 1,
+ "maxLength": 256,
+ "description": "RFC2046 compliant IANA Media type for eg., text/markdown, text/html.",
+ "examples": [
+ "text/markdown",
+ "text/html",
+ "image/png",
+ "image/svg",
+ "audio/mp3"
+ ]
+ },
+ "base64": {
+ "type": "boolean",
+ "title": "Encoding",
+ "description": "If true then the value field contains the media data encoded in base64. If false then the value field contains the UTF-8 media content.",
+ "default": false
+ },
+ "value": {
+ "type": "string",
+ "description": "Supporting media content, up to 16K. If base64 is true, this field stores base64 encoded data.",
+ "minLength": 1,
+ "maxLength": 16384
+ }
+ },
+ "required": [
+ "type",
+ "value"
+ ],
+ "additionalProperties": false
+ }
+ }
+ },
+ "required": [
+ "lang",
+ "value"
+ ],
+ "additionalProperties": false
+ },
+ "englishLanguageDescription": {
+ "type": "object",
+ "description": "A description with lang set to an English language (en, en_US, en_UK, and so on).",
+ "properties": {
+ "lang": {
+ "$ref": "#/definitions/englishLanguage"
+ }
+ },
+ "required": [
+ "lang"
+ ],
+ "$comment": "Cannot use additionalProperties: false here, as this prevents the other properties used by /definitions/description."
+ },
+ "descriptions": {
+ "type": "array",
+ "description": "A list of multi-lingual descriptions of the vulnerability. E.g., [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]. OR [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] [ROOT CAUSE], which allows [ATTACKER] to [IMPACT] via [VECTOR].",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/definitions/description"
+ },
+ "contains": {
+ "$ref": "#/definitions/englishLanguageDescription"
+ }
+ },
+ "problemTypes": {
+ "type": "array",
+ "description": "This is problem type information (e.g. CWE identifier). Must contain: At least one entry, can be text, OWASP, CWE, please note that while only one is required you can use more than one (or indeed all three) as long as they are correct). (CNA requirement: [PROBLEMTYPE]).",
+ "items": {
+ "type": "object",
+ "required": [
+ "descriptions"
+ ],
+ "properties": {
+ "descriptions": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "required": [
+ "lang",
+ "description"
+ ],
+ "properties": {
+ "lang": {
+ "$ref": "#/definitions/language"
+ },
+ "description": {
+ "type": "string",
+ "description": "Text description of problemType, or title from CWE or OWASP.",
+ "minLength": 1,
+ "maxLength": 4096
+ },
+ "cweId": {
+ "type": "string",
+ "description": "CWE ID of the CWE that best describes this problemType entry.",
+ "minLength": 5,
+ "maxLength": 9,
+ "pattern": "^CWE-[1-9][0-9]*$"
+ },
+ "type": {
+ "type": "string",
+ "description": "Problemtype source, text, OWASP, CWE, etc.,",
+ "minLength": 1,
+ "maxLength": 128
+ },
+ "references": {
+ "$ref": "#/definitions/references"
+ }
+ },
+ "additionalProperties": false
+ },
+ "minItems": 1,
+ "uniqueItems": true
+ }
+ },
+ "additionalProperties": false
+ },
+ "minItems": 1,
+ "uniqueItems": true
+ },
+ "references": {
+ "type": "array",
+ "description": "This is reference data in the form of URLs or file objects (uuencoded and embedded within the JSON file, exact format to be decided, e.g. we may require a compressed format so the objects require unpacking before they are \"dangerous\").",
+ "items": {
+ "$ref": "#/definitions/reference"
+ },
+ "minItems": 1,
+ "maxItems": 512,
+ "uniqueItems": true
+ },
+ "impacts": {
+ "type": "array",
+ "description": "Collection of impacts of this vulnerability.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "description": "This is impact type information (e.g. a text description.",
+ "required": [
+ "descriptions"
+ ],
+ "properties": {
+ "capecId": {
+ "type": "string",
+ "description": "CAPEC ID that best relates to this impact.",
+ "minLength": 7,
+ "maxLength": 11,
+ "pattern": "^CAPEC-[1-9][0-9]{0,4}$"
+ },
+ "descriptions": {
+ "description": "Prose description of the impact scenario. At a minimum provide the description given by CAPEC.",
+ "$ref": "#/definitions/descriptions"
+ }
+ },
+ "additionalProperties": false
+ }
+ },
+ "metrics": {
+ "type": "array",
+ "description": "Collection of impact scores with attribution.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "description": "This is impact type information (e.g. a text description, CVSSv2, CVSSv3, CVSSV4, etc.). Must contain: At least one entry, can be text, CVSSv2, CVSSv3, others may be added.",
+ "anyOf": [
+ {
+ "required": [
+ "cvssV4_0"
+ ]
+ },
+ {
+ "required": [
+ "cvssV3_1"
+ ]
+ },
+ {
+ "required": [
+ "cvssV3_0"
+ ]
+ },
+ {
+ "required": [
+ "cvssV2_0"
+ ]
+ },
+ {
+ "required": [
+ "other"
+ ]
+ }
+ ],
+ "properties": {
+ "format": {
+ "type": "string",
+ "description": "Name of the scoring format. This provides a bit of future proofing. Additional properties are not prohibited, so this will support the inclusion of proprietary formats. It also provides an easy future conversion mechanism when future score formats become part of the schema. example: cvssV44, format = 'cvssV44', other = cvssV4_4 JSON object. In the future, the other properties can be converted to score properties when they become part of the schema.",
+ "minLength": 1,
+ "maxLength": 64
+ },
+ "scenarios": {
+ "type": "array",
+ "description": "Description of the scenarios this metrics object applies to. If no specific scenario is given, GENERAL is used as the default and applies when no more specific metric matches.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "properties": {
+ "lang": {
+ "$ref": "#/definitions/language"
+ },
+ "value": {
+ "type": "string",
+ "default": "GENERAL",
+ "description": "Description of the scenario this metrics object applies to. If no specific scenario is given, GENERAL is used as the default and applies when no more specific metric matches.",
+ "minLength": 1,
+ "maxLength": 4096
+ }
+ },
+ "required": [
+ "lang",
+ "value"
+ ],
+ "additionalProperties": false
+ }
+ },
+ "cvssV4_0": {
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "title": "JSON Schema for Common Vulnerability Scoring System version 4.0",
+ "type": "object",
+ "definitions": {
+ "attackVectorType": {
+ "type": "string",
+ "enum": [
+ "NETWORK",
+ "ADJACENT",
+ "LOCAL",
+ "PHYSICAL"
+ ]
+ },
+ "modifiedAttackVectorType": {
+ "type": "string",
+ "enum": [
+ "NETWORK",
+ "ADJACENT",
+ "LOCAL",
+ "PHYSICAL",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "attackComplexityType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "LOW"
+ ]
+ },
+ "modifiedAttackComplexityType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "LOW",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "attackRequirementsType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "PRESENT"
+ ]
+ },
+ "modifiedAttackRequirementsType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "PRESENT",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "privilegesRequiredType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "LOW",
+ "NONE"
+ ]
+ },
+ "modifiedPrivilegesRequiredType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "LOW",
+ "NONE",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "userInteractionType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "PASSIVE",
+ "ACTIVE"
+ ]
+ },
+ "modifiedUserInteractionType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "PASSIVE",
+ "ACTIVE",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "vulnCiaType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "HIGH"
+ ]
+ },
+ "modifiedVulnCiaType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "HIGH",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "subCiaType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "HIGH"
+ ]
+ },
+ "modifiedSubCType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "HIGH",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "modifiedSubIaType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "HIGH",
+ "SAFETY",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "exploitMaturityType": {
+ "type": "string",
+ "enum": [
+ "UNREPORTED",
+ "PROOF_OF_CONCEPT",
+ "ATTACKED",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "ciaRequirementType": {
+ "type": "string",
+ "enum": [
+ "LOW",
+ "MEDIUM",
+ "HIGH",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "safetyType": {
+ "type": "string",
+ "enum": [
+ "NEGLIGIBLE",
+ "PRESENT",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "automatableType": {
+ "type": "string",
+ "enum": [
+ "NO",
+ "YES",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "recoveryType": {
+ "type": "string",
+ "enum": [
+ "AUTOMATIC",
+ "USER",
+ "IRRECOVERABLE",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "valueDensityType": {
+ "type": "string",
+ "enum": [
+ "DIFFUSE",
+ "CONCENTRATED",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "vulnerabilityResponseEffortType": {
+ "type": "string",
+ "enum": [
+ "LOW",
+ "MODERATE",
+ "HIGH",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "providerUrgencyType": {
+ "type": "string",
+ "enum": [
+ "CLEAR",
+ "GREEN",
+ "AMBER",
+ "RED",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "scoreType": {
+ "type": "number",
+ "enum": [
+ 0,
+ 0.1,
+ 0.2,
+ 0.3,
+ 0.4,
+ 0.5,
+ 0.6,
+ 0.7,
+ 0.8,
+ 0.9,
+ 1,
+ 1.1,
+ 1.2,
+ 1.3,
+ 1.4,
+ 1.5,
+ 1.6,
+ 1.7,
+ 1.8,
+ 1.9,
+ 2,
+ 2.1,
+ 2.2,
+ 2.3,
+ 2.4,
+ 2.5,
+ 2.6,
+ 2.7,
+ 2.8,
+ 2.9,
+ 3,
+ 3.1,
+ 3.2,
+ 3.3,
+ 3.4,
+ 3.5,
+ 3.6,
+ 3.7,
+ 3.8,
+ 3.9,
+ 4,
+ 4.1,
+ 4.2,
+ 4.3,
+ 4.4,
+ 4.5,
+ 4.6,
+ 4.7,
+ 4.8,
+ 4.9,
+ 5,
+ 5.1,
+ 5.2,
+ 5.3,
+ 5.4,
+ 5.5,
+ 5.6,
+ 5.7,
+ 5.8,
+ 5.9,
+ 6,
+ 6.1,
+ 6.2,
+ 6.3,
+ 6.4,
+ 6.5,
+ 6.6,
+ 6.7,
+ 6.8,
+ 6.9,
+ 7,
+ 7.1,
+ 7.2,
+ 7.3,
+ 7.4,
+ 7.5,
+ 7.6,
+ 7.7,
+ 7.8,
+ 7.9,
+ 8,
+ 8.1,
+ 8.2,
+ 8.3,
+ 8.4,
+ 8.5,
+ 8.6,
+ 8.7,
+ 8.8,
+ 8.9,
+ 9,
+ 9.1,
+ 9.2,
+ 9.3,
+ 9.4,
+ 9.5,
+ 9.6,
+ 9.7,
+ 9.8,
+ 9.9,
+ 10
+ ]
+ },
+ "noneScoreType": {
+ "type": "number",
+ "minimum": 0,
+ "maximum": 0
+ },
+ "lowScoreType": {
+ "type": "number",
+ "enum": [
+ 0.1,
+ 0.2,
+ 0.3,
+ 0.4,
+ 0.5,
+ 0.6,
+ 0.7,
+ 0.8,
+ 0.9,
+ 1,
+ 1.1,
+ 1.2,
+ 1.3,
+ 1.4,
+ 1.5,
+ 1.6,
+ 1.7,
+ 1.8,
+ 1.9,
+ 2,
+ 2.1,
+ 2.2,
+ 2.3,
+ 2.4,
+ 2.5,
+ 2.6,
+ 2.7,
+ 2.8,
+ 2.9,
+ 3,
+ 3.1,
+ 3.2,
+ 3.3,
+ 3.4,
+ 3.5,
+ 3.6,
+ 3.7,
+ 3.8,
+ 3.9
+ ]
+ },
+ "mediumScoreType": {
+ "type": "number",
+ "enum": [
+ 4,
+ 4.1,
+ 4.2,
+ 4.3,
+ 4.4,
+ 4.5,
+ 4.6,
+ 4.7,
+ 4.8,
+ 4.9,
+ 5,
+ 5.1,
+ 5.2,
+ 5.3,
+ 5.4,
+ 5.5,
+ 5.6,
+ 5.7,
+ 5.8,
+ 5.9,
+ 6,
+ 6.1,
+ 6.2,
+ 6.3,
+ 6.4,
+ 6.5,
+ 6.6,
+ 6.7,
+ 6.8,
+ 6.9
+ ]
+ },
+ "highScoreType": {
+ "type": "number",
+ "enum": [
+ 7,
+ 7.1,
+ 7.2,
+ 7.3,
+ 7.4,
+ 7.5,
+ 7.6,
+ 7.7,
+ 7.8,
+ 7.9,
+ 8,
+ 8.1,
+ 8.2,
+ 8.3,
+ 8.4,
+ 8.5,
+ 8.6,
+ 8.7,
+ 8.8,
+ 8.9
+ ]
+ },
+ "criticalScoreType": {
+ "type": "number",
+ "enum": [
+ 9,
+ 9.1,
+ 9.2,
+ 9.3,
+ 9.4,
+ 9.5,
+ 9.6,
+ 9.7,
+ 9.8,
+ 9.9,
+ 10
+ ]
+ },
+ "severityType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "MEDIUM",
+ "HIGH",
+ "CRITICAL"
+ ]
+ },
+ "noneSeverityType": {
+ "const": "NONE"
+ },
+ "lowSeverityType": {
+ "const": "LOW"
+ },
+ "mediumSeverityType": {
+ "const": "MEDIUM"
+ },
+ "highSeverityType": {
+ "const": "HIGH"
+ },
+ "criticalSeverityType": {
+ "const": "CRITICAL"
+ }
+ },
+ "properties": {
+ "version": {
+ "description": "CVSS Version",
+ "type": "string",
+ "enum": [
+ "4.0"
+ ]
+ },
+ "vectorString": {
+ "type": "string",
+ "pattern": "^CVSS:4[.]0/AV:[NALP]/AC:[LH]/AT:[NP]/PR:[NLH]/UI:[NPA]/VC:[HLN]/VI:[HLN]/VA:[HLN]/SC:[HLN]/SI:[HLN]/SA:[HLN](/E:[XAPU])?(/CR:[XHML])?(/IR:[XHML])?(/AR:[XHML])?(/MAV:[XNALP])?(/MAC:[XLH])?(/MAT:[XNP])?(/MPR:[XNLH])?(/MUI:[XNPA])?(/MVC:[XNLH])?(/MVI:[XNLH])?(/MVA:[XNLH])?(/MSC:[XNLH])?(/MSI:[XNLHS])?(/MSA:[XNLHS])?(/S:[XNP])?(/AU:[XNY])?(/R:[XAUI])?(/V:[XDC])?(/RE:[XLMH])?(/U:(X|Clear|Green|Amber|Red))?$"
+ },
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/scoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/severityType"
+ },
+ "attackVector": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/attackVectorType"
+ },
+ "attackComplexity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/attackComplexityType"
+ },
+ "attackRequirements": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/attackRequirementsType"
+ },
+ "privilegesRequired": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/privilegesRequiredType"
+ },
+ "userInteraction": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/userInteractionType"
+ },
+ "vulnConfidentialityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType"
+ },
+ "vulnIntegrityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType"
+ },
+ "vulnAvailabilityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType"
+ },
+ "subConfidentialityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType"
+ },
+ "subIntegrityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType"
+ },
+ "subAvailabilityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType"
+ },
+ "exploitMaturity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/exploitMaturityType"
+ },
+ "confidentialityRequirement": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType"
+ },
+ "integrityRequirement": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType"
+ },
+ "availabilityRequirement": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType"
+ },
+ "modifiedAttackVector": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackVectorType"
+ },
+ "modifiedAttackComplexity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackComplexityType"
+ },
+ "modifiedAttackRequirements": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackRequirementsType"
+ },
+ "modifiedPrivilegesRequired": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedPrivilegesRequiredType"
+ },
+ "modifiedUserInteraction": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedUserInteractionType"
+ },
+ "modifiedVulnConfidentialityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType"
+ },
+ "modifiedVulnIntegrityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType"
+ },
+ "modifiedVulnAvailabilityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType"
+ },
+ "modifiedSubConfidentialityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubCType"
+ },
+ "modifiedSubIntegrityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubIaType"
+ },
+ "modifiedSubAvailabilityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubIaType"
+ },
+ "Safety": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/safetyType"
+ },
+ "Automatable": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/automatableType"
+ },
+ "Recovery": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/recoveryType"
+ },
+ "valueDensity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/valueDensityType"
+ },
+ "vulnerabilityResponseEffort": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnerabilityResponseEffortType"
+ },
+ "providerUrgency": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/providerUrgencyType"
+ }
+ },
+ "allOf": [
+ {
+ "anyOf": [
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalSeverityType"
+ }
+ }
+ }
+ ]
+ },
+ {
+ "anyOf": [
+ {
+ "properties": {
+ "threatScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType"
+ },
+ "threatSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "threatScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowScoreType"
+ },
+ "threatSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "threatScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumScoreType"
+ },
+ "threatSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "threatScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highScoreType"
+ },
+ "threatSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "threatScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalScoreType"
+ },
+ "threatSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalSeverityType"
+ }
+ }
+ }
+ ]
+ },
+ {
+ "anyOf": [
+ {
+ "properties": {
+ "environmentalScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType"
+ },
+ "environmentalSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "environmentalScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowScoreType"
+ },
+ "environmentalSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "environmentalScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumScoreType"
+ },
+ "environmentalSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "environmentalScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highScoreType"
+ },
+ "environmentalSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "environmentalScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalScoreType"
+ },
+ "environmentalSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalSeverityType"
+ }
+ }
+ }
+ ]
+ }
+ ],
+ "required": [
+ "version",
+ "vectorString",
+ "baseScore",
+ "baseSeverity"
+ ],
+ "additionalProperties": false
+ },
+ "cvssV3_1": {
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "title": "JSON Schema for Common Vulnerability Scoring System version 3.1",
+ "type": "object",
+ "definitions": {
+ "attackVectorType": {
+ "type": "string",
+ "enum": [
+ "NETWORK",
+ "ADJACENT_NETWORK",
+ "LOCAL",
+ "PHYSICAL"
+ ]
+ },
+ "modifiedAttackVectorType": {
+ "type": "string",
+ "enum": [
+ "NETWORK",
+ "ADJACENT_NETWORK",
+ "LOCAL",
+ "PHYSICAL",
+ "NOT_DEFINED"
+ ]
+ },
+ "attackComplexityType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "LOW"
+ ]
+ },
+ "modifiedAttackComplexityType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "LOW",
+ "NOT_DEFINED"
+ ]
+ },
+ "privilegesRequiredType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "LOW",
+ "NONE"
+ ]
+ },
+ "modifiedPrivilegesRequiredType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "LOW",
+ "NONE",
+ "NOT_DEFINED"
+ ]
+ },
+ "userInteractionType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "REQUIRED"
+ ]
+ },
+ "modifiedUserInteractionType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "REQUIRED",
+ "NOT_DEFINED"
+ ]
+ },
+ "scopeType": {
+ "type": "string",
+ "enum": [
+ "UNCHANGED",
+ "CHANGED"
+ ]
+ },
+ "modifiedScopeType": {
+ "type": "string",
+ "enum": [
+ "UNCHANGED",
+ "CHANGED",
+ "NOT_DEFINED"
+ ]
+ },
+ "ciaType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "HIGH"
+ ]
+ },
+ "modifiedCiaType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "HIGH",
+ "NOT_DEFINED"
+ ]
+ },
+ "exploitCodeMaturityType": {
+ "type": "string",
+ "enum": [
+ "UNPROVEN",
+ "PROOF_OF_CONCEPT",
+ "FUNCTIONAL",
+ "HIGH",
+ "NOT_DEFINED"
+ ]
+ },
+ "remediationLevelType": {
+ "type": "string",
+ "enum": [
+ "OFFICIAL_FIX",
+ "TEMPORARY_FIX",
+ "WORKAROUND",
+ "UNAVAILABLE",
+ "NOT_DEFINED"
+ ]
+ },
+ "confidenceType": {
+ "type": "string",
+ "enum": [
+ "UNKNOWN",
+ "REASONABLE",
+ "CONFIRMED",
+ "NOT_DEFINED"
+ ]
+ },
+ "ciaRequirementType": {
+ "type": "string",
+ "enum": [
+ "LOW",
+ "MEDIUM",
+ "HIGH",
+ "NOT_DEFINED"
+ ]
+ },
+ "scoreType": {
+ "type": "number",
+ "enum": [
+ 0,
+ 0.1,
+ 0.2,
+ 0.3,
+ 0.4,
+ 0.5,
+ 0.6,
+ 0.7,
+ 0.8,
+ 0.9,
+ 1,
+ 1.1,
+ 1.2,
+ 1.3,
+ 1.4,
+ 1.5,
+ 1.6,
+ 1.7,
+ 1.8,
+ 1.9,
+ 2,
+ 2.1,
+ 2.2,
+ 2.3,
+ 2.4,
+ 2.5,
+ 2.6,
+ 2.7,
+ 2.8,
+ 2.9,
+ 3,
+ 3.1,
+ 3.2,
+ 3.3,
+ 3.4,
+ 3.5,
+ 3.6,
+ 3.7,
+ 3.8,
+ 3.9,
+ 4,
+ 4.1,
+ 4.2,
+ 4.3,
+ 4.4,
+ 4.5,
+ 4.6,
+ 4.7,
+ 4.8,
+ 4.9,
+ 5,
+ 5.1,
+ 5.2,
+ 5.3,
+ 5.4,
+ 5.5,
+ 5.6,
+ 5.7,
+ 5.8,
+ 5.9,
+ 6,
+ 6.1,
+ 6.2,
+ 6.3,
+ 6.4,
+ 6.5,
+ 6.6,
+ 6.7,
+ 6.8,
+ 6.9,
+ 7,
+ 7.1,
+ 7.2,
+ 7.3,
+ 7.4,
+ 7.5,
+ 7.6,
+ 7.7,
+ 7.8,
+ 7.9,
+ 8,
+ 8.1,
+ 8.2,
+ 8.3,
+ 8.4,
+ 8.5,
+ 8.6,
+ 8.7,
+ 8.8,
+ 8.9,
+ 9,
+ 9.1,
+ 9.2,
+ 9.3,
+ 9.4,
+ 9.5,
+ 9.6,
+ 9.7,
+ 9.8,
+ 9.9,
+ 10
+ ]
+ },
+ "severityType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "MEDIUM",
+ "HIGH",
+ "CRITICAL"
+ ]
+ },
+ "noneScoreType": {
+ "type": "number",
+ "minimum": 0,
+ "maximum": 0
+ },
+ "lowScoreType": {
+ "type": "number",
+ "enum": [
+ 0.1,
+ 0.2,
+ 0.3,
+ 0.4,
+ 0.5,
+ 0.6,
+ 0.7,
+ 0.8,
+ 0.9,
+ 1,
+ 1.1,
+ 1.2,
+ 1.3,
+ 1.4,
+ 1.5,
+ 1.6,
+ 1.7,
+ 1.8,
+ 1.9,
+ 2,
+ 2.1,
+ 2.2,
+ 2.3,
+ 2.4,
+ 2.5,
+ 2.6,
+ 2.7,
+ 2.8,
+ 2.9,
+ 3,
+ 3.1,
+ 3.2,
+ 3.3,
+ 3.4,
+ 3.5,
+ 3.6,
+ 3.7,
+ 3.8,
+ 3.9
+ ]
+ },
+ "mediumScoreType": {
+ "type": "number",
+ "enum": [
+ 4,
+ 4.1,
+ 4.2,
+ 4.3,
+ 4.4,
+ 4.5,
+ 4.6,
+ 4.7,
+ 4.8,
+ 4.9,
+ 5,
+ 5.1,
+ 5.2,
+ 5.3,
+ 5.4,
+ 5.5,
+ 5.6,
+ 5.7,
+ 5.8,
+ 5.9,
+ 6,
+ 6.1,
+ 6.2,
+ 6.3,
+ 6.4,
+ 6.5,
+ 6.6,
+ 6.7,
+ 6.8,
+ 6.9
+ ]
+ },
+ "highScoreType": {
+ "type": "number",
+ "enum": [
+ 7,
+ 7.1,
+ 7.2,
+ 7.3,
+ 7.4,
+ 7.5,
+ 7.6,
+ 7.7,
+ 7.8,
+ 7.9,
+ 8,
+ 8.1,
+ 8.2,
+ 8.3,
+ 8.4,
+ 8.5,
+ 8.6,
+ 8.7,
+ 8.8,
+ 8.9
+ ]
+ },
+ "criticalScoreType": {
+ "type": "number",
+ "enum": [
+ 9,
+ 9.1,
+ 9.2,
+ 9.3,
+ 9.4,
+ 9.5,
+ 9.6,
+ 9.7,
+ 9.8,
+ 9.9,
+ 10
+ ]
+ },
+ "noneSeverityType": {
+ "const": "NONE"
+ },
+ "lowSeverityType": {
+ "const": "LOW"
+ },
+ "mediumSeverityType": {
+ "const": "MEDIUM"
+ },
+ "highSeverityType": {
+ "const": "HIGH"
+ },
+ "criticalSeverityType": {
+ "const": "CRITICAL"
+ }
+ },
+ "properties": {
+ "version": {
+ "description": "CVSS Version",
+ "type": "string",
+ "enum": [
+ "3.1"
+ ]
+ },
+ "vectorString": {
+ "type": "string",
+ "pattern": "^CVSS:3[.]1/((AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$"
+ },
+ "attackVector": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/attackVectorType"
+ },
+ "attackComplexity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/attackComplexityType"
+ },
+ "privilegesRequired": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/privilegesRequiredType"
+ },
+ "userInteraction": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/userInteractionType"
+ },
+ "scope": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scopeType"
+ },
+ "confidentialityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType"
+ },
+ "integrityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType"
+ },
+ "availabilityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType"
+ },
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType"
+ },
+ "exploitCodeMaturity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/exploitCodeMaturityType"
+ },
+ "remediationLevel": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/remediationLevelType"
+ },
+ "reportConfidence": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/confidenceType"
+ },
+ "temporalScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType"
+ },
+ "temporalSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType"
+ },
+ "confidentialityRequirement": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType"
+ },
+ "integrityRequirement": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType"
+ },
+ "availabilityRequirement": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType"
+ },
+ "modifiedAttackVector": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedAttackVectorType"
+ },
+ "modifiedAttackComplexity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedAttackComplexityType"
+ },
+ "modifiedPrivilegesRequired": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedPrivilegesRequiredType"
+ },
+ "modifiedUserInteraction": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedUserInteractionType"
+ },
+ "modifiedScope": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedScopeType"
+ },
+ "modifiedConfidentialityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType"
+ },
+ "modifiedIntegrityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType"
+ },
+ "modifiedAvailabilityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType"
+ },
+ "environmentalScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType"
+ },
+ "environmentalSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType"
+ }
+ },
+ "anyOf": [
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/noneScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/noneSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/lowScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/lowSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/mediumScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/mediumSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/highScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/highSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/criticalScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/criticalSeverityType"
+ }
+ }
+ }
+ ],
+ "required": [
+ "version",
+ "vectorString",
+ "baseScore",
+ "baseSeverity"
+ ],
+ "additionalProperties": false
+ },
+ "cvssV3_0": {
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "title": "JSON Schema for Common Vulnerability Scoring System version 3.0",
+ "type": "object",
+ "definitions": {
+ "attackVectorType": {
+ "type": "string",
+ "enum": [
+ "NETWORK",
+ "ADJACENT_NETWORK",
+ "LOCAL",
+ "PHYSICAL"
+ ]
+ },
+ "modifiedAttackVectorType": {
+ "type": "string",
+ "enum": [
+ "NETWORK",
+ "ADJACENT_NETWORK",
+ "LOCAL",
+ "PHYSICAL",
+ "NOT_DEFINED"
+ ]
+ },
+ "attackComplexityType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "LOW"
+ ]
+ },
+ "modifiedAttackComplexityType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "LOW",
+ "NOT_DEFINED"
+ ]
+ },
+ "privilegesRequiredType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "LOW",
+ "NONE"
+ ]
+ },
+ "modifiedPrivilegesRequiredType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "LOW",
+ "NONE",
+ "NOT_DEFINED"
+ ]
+ },
+ "userInteractionType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "REQUIRED"
+ ]
+ },
+ "modifiedUserInteractionType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "REQUIRED",
+ "NOT_DEFINED"
+ ]
+ },
+ "scopeType": {
+ "type": "string",
+ "enum": [
+ "UNCHANGED",
+ "CHANGED"
+ ]
+ },
+ "modifiedScopeType": {
+ "type": "string",
+ "enum": [
+ "UNCHANGED",
+ "CHANGED",
+ "NOT_DEFINED"
+ ]
+ },
+ "ciaType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "HIGH"
+ ]
+ },
+ "modifiedCiaType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "HIGH",
+ "NOT_DEFINED"
+ ]
+ },
+ "exploitCodeMaturityType": {
+ "type": "string",
+ "enum": [
+ "UNPROVEN",
+ "PROOF_OF_CONCEPT",
+ "FUNCTIONAL",
+ "HIGH",
+ "NOT_DEFINED"
+ ]
+ },
+ "remediationLevelType": {
+ "type": "string",
+ "enum": [
+ "OFFICIAL_FIX",
+ "TEMPORARY_FIX",
+ "WORKAROUND",
+ "UNAVAILABLE",
+ "NOT_DEFINED"
+ ]
+ },
+ "confidenceType": {
+ "type": "string",
+ "enum": [
+ "UNKNOWN",
+ "REASONABLE",
+ "CONFIRMED",
+ "NOT_DEFINED"
+ ]
+ },
+ "ciaRequirementType": {
+ "type": "string",
+ "enum": [
+ "LOW",
+ "MEDIUM",
+ "HIGH",
+ "NOT_DEFINED"
+ ]
+ },
+ "scoreType": {
+ "type": "number",
+ "enum": [
+ 0,
+ 0.1,
+ 0.2,
+ 0.3,
+ 0.4,
+ 0.5,
+ 0.6,
+ 0.7,
+ 0.8,
+ 0.9,
+ 1,
+ 1.1,
+ 1.2,
+ 1.3,
+ 1.4,
+ 1.5,
+ 1.6,
+ 1.7,
+ 1.8,
+ 1.9,
+ 2,
+ 2.1,
+ 2.2,
+ 2.3,
+ 2.4,
+ 2.5,
+ 2.6,
+ 2.7,
+ 2.8,
+ 2.9,
+ 3,
+ 3.1,
+ 3.2,
+ 3.3,
+ 3.4,
+ 3.5,
+ 3.6,
+ 3.7,
+ 3.8,
+ 3.9,
+ 4,
+ 4.1,
+ 4.2,
+ 4.3,
+ 4.4,
+ 4.5,
+ 4.6,
+ 4.7,
+ 4.8,
+ 4.9,
+ 5,
+ 5.1,
+ 5.2,
+ 5.3,
+ 5.4,
+ 5.5,
+ 5.6,
+ 5.7,
+ 5.8,
+ 5.9,
+ 6,
+ 6.1,
+ 6.2,
+ 6.3,
+ 6.4,
+ 6.5,
+ 6.6,
+ 6.7,
+ 6.8,
+ 6.9,
+ 7,
+ 7.1,
+ 7.2,
+ 7.3,
+ 7.4,
+ 7.5,
+ 7.6,
+ 7.7,
+ 7.8,
+ 7.9,
+ 8,
+ 8.1,
+ 8.2,
+ 8.3,
+ 8.4,
+ 8.5,
+ 8.6,
+ 8.7,
+ 8.8,
+ 8.9,
+ 9,
+ 9.1,
+ 9.2,
+ 9.3,
+ 9.4,
+ 9.5,
+ 9.6,
+ 9.7,
+ 9.8,
+ 9.9,
+ 10
+ ]
+ },
+ "noneScoreType": {
+ "type": "number",
+ "minimum": 0,
+ "maximum": 0
+ },
+ "lowScoreType": {
+ "type": "number",
+ "enum": [
+ 0.1,
+ 0.2,
+ 0.3,
+ 0.4,
+ 0.5,
+ 0.6,
+ 0.7,
+ 0.8,
+ 0.9,
+ 1,
+ 1.1,
+ 1.2,
+ 1.3,
+ 1.4,
+ 1.5,
+ 1.6,
+ 1.7,
+ 1.8,
+ 1.9,
+ 2,
+ 2.1,
+ 2.2,
+ 2.3,
+ 2.4,
+ 2.5,
+ 2.6,
+ 2.7,
+ 2.8,
+ 2.9,
+ 3,
+ 3.1,
+ 3.2,
+ 3.3,
+ 3.4,
+ 3.5,
+ 3.6,
+ 3.7,
+ 3.8,
+ 3.9
+ ]
+ },
+ "mediumScoreType": {
+ "type": "number",
+ "enum": [
+ 4,
+ 4.1,
+ 4.2,
+ 4.3,
+ 4.4,
+ 4.5,
+ 4.6,
+ 4.7,
+ 4.8,
+ 4.9,
+ 5,
+ 5.1,
+ 5.2,
+ 5.3,
+ 5.4,
+ 5.5,
+ 5.6,
+ 5.7,
+ 5.8,
+ 5.9,
+ 6,
+ 6.1,
+ 6.2,
+ 6.3,
+ 6.4,
+ 6.5,
+ 6.6,
+ 6.7,
+ 6.8,
+ 6.9
+ ]
+ },
+ "highScoreType": {
+ "type": "number",
+ "enum": [
+ 7,
+ 7.1,
+ 7.2,
+ 7.3,
+ 7.4,
+ 7.5,
+ 7.6,
+ 7.7,
+ 7.8,
+ 7.9,
+ 8,
+ 8.1,
+ 8.2,
+ 8.3,
+ 8.4,
+ 8.5,
+ 8.6,
+ 8.7,
+ 8.8,
+ 8.9
+ ]
+ },
+ "criticalScoreType": {
+ "type": "number",
+ "enum": [
+ 9,
+ 9.1,
+ 9.2,
+ 9.3,
+ 9.4,
+ 9.5,
+ 9.6,
+ 9.7,
+ 9.8,
+ 9.9,
+ 10
+ ]
+ },
+ "severityType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "MEDIUM",
+ "HIGH",
+ "CRITICAL"
+ ]
+ },
+ "noneSeverityType": {
+ "const": "NONE"
+ },
+ "lowSeverityType": {
+ "const": "LOW"
+ },
+ "mediumSeverityType": {
+ "const": "MEDIUM"
+ },
+ "highSeverityType": {
+ "const": "HIGH"
+ },
+ "criticalSeverityType": {
+ "const": "CRITICAL"
+ }
+ },
+ "properties": {
+ "version": {
+ "description": "CVSS Version",
+ "type": "string",
+ "enum": [
+ "3.0"
+ ]
+ },
+ "vectorString": {
+ "type": "string",
+ "pattern": "^CVSS:3[.]0/((AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$"
+ },
+ "attackVector": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/attackVectorType"
+ },
+ "attackComplexity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/attackComplexityType"
+ },
+ "privilegesRequired": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/privilegesRequiredType"
+ },
+ "userInteraction": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/userInteractionType"
+ },
+ "scope": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scopeType"
+ },
+ "confidentialityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType"
+ },
+ "integrityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType"
+ },
+ "availabilityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType"
+ },
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType"
+ },
+ "exploitCodeMaturity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/exploitCodeMaturityType"
+ },
+ "remediationLevel": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/remediationLevelType"
+ },
+ "reportConfidence": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/confidenceType"
+ },
+ "temporalScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType"
+ },
+ "temporalSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType"
+ },
+ "confidentialityRequirement": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType"
+ },
+ "integrityRequirement": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType"
+ },
+ "availabilityRequirement": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType"
+ },
+ "modifiedAttackVector": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedAttackVectorType"
+ },
+ "modifiedAttackComplexity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedAttackComplexityType"
+ },
+ "modifiedPrivilegesRequired": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedPrivilegesRequiredType"
+ },
+ "modifiedUserInteraction": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedUserInteractionType"
+ },
+ "modifiedScope": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedScopeType"
+ },
+ "modifiedConfidentialityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType"
+ },
+ "modifiedIntegrityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType"
+ },
+ "modifiedAvailabilityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType"
+ },
+ "environmentalScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType"
+ },
+ "environmentalSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType"
+ }
+ },
+ "anyOf": [
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/noneScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/noneSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/lowScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/lowSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/mediumScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/mediumSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/highScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/highSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/criticalScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/criticalSeverityType"
+ }
+ }
+ }
+ ],
+ "required": [
+ "version",
+ "vectorString",
+ "baseScore",
+ "baseSeverity"
+ ],
+ "additionalProperties": false
+ },
+ "cvssV2_0": {
+ "$schema": "http://json-schema.org/draft-04/schema#",
+ "title": "JSON Schema for Common Vulnerability Scoring System version 2.0",
+ "type": "object",
+ "definitions": {
+ "accessVectorType": {
+ "type": "string",
+ "enum": [
+ "NETWORK",
+ "ADJACENT_NETWORK",
+ "LOCAL"
+ ]
+ },
+ "accessComplexityType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "MEDIUM",
+ "LOW"
+ ]
+ },
+ "authenticationType": {
+ "type": "string",
+ "enum": [
+ "MULTIPLE",
+ "SINGLE",
+ "NONE"
+ ]
+ },
+ "ciaType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "PARTIAL",
+ "COMPLETE"
+ ]
+ },
+ "exploitabilityType": {
+ "type": "string",
+ "enum": [
+ "UNPROVEN",
+ "PROOF_OF_CONCEPT",
+ "FUNCTIONAL",
+ "HIGH",
+ "NOT_DEFINED"
+ ]
+ },
+ "remediationLevelType": {
+ "type": "string",
+ "enum": [
+ "OFFICIAL_FIX",
+ "TEMPORARY_FIX",
+ "WORKAROUND",
+ "UNAVAILABLE",
+ "NOT_DEFINED"
+ ]
+ },
+ "reportConfidenceType": {
+ "type": "string",
+ "enum": [
+ "UNCONFIRMED",
+ "UNCORROBORATED",
+ "CONFIRMED",
+ "NOT_DEFINED"
+ ]
+ },
+ "collateralDamagePotentialType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "LOW_MEDIUM",
+ "MEDIUM_HIGH",
+ "HIGH",
+ "NOT_DEFINED"
+ ]
+ },
+ "targetDistributionType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "MEDIUM",
+ "HIGH",
+ "NOT_DEFINED"
+ ]
+ },
+ "ciaRequirementType": {
+ "type": "string",
+ "enum": [
+ "LOW",
+ "MEDIUM",
+ "HIGH",
+ "NOT_DEFINED"
+ ]
+ },
+ "scoreType": {
+ "type": "number",
+ "minimum": 0,
+ "maximum": 10
+ }
+ },
+ "properties": {
+ "version": {
+ "description": "CVSS Version",
+ "type": "string",
+ "enum": [
+ "2.0"
+ ]
+ },
+ "vectorString": {
+ "type": "string",
+ "pattern": "^((AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))/)*(AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))$"
+ },
+ "accessVector": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/accessVectorType"
+ },
+ "accessComplexity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/accessComplexityType"
+ },
+ "authentication": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/authenticationType"
+ },
+ "confidentialityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType"
+ },
+ "integrityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType"
+ },
+ "availabilityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType"
+ },
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType"
+ },
+ "exploitability": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/exploitabilityType"
+ },
+ "remediationLevel": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/remediationLevelType"
+ },
+ "reportConfidence": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/reportConfidenceType"
+ },
+ "temporalScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType"
+ },
+ "collateralDamagePotential": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/collateralDamagePotentialType"
+ },
+ "targetDistribution": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/targetDistributionType"
+ },
+ "confidentialityRequirement": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType"
+ },
+ "integrityRequirement": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType"
+ },
+ "availabilityRequirement": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType"
+ },
+ "environmentalScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType"
+ }
+ },
+ "required": [
+ "version",
+ "vectorString",
+ "baseScore"
+ ],
+ "additionalProperties": false
+ },
+ "other": {
+ "type": "object",
+ "description": "A non-standard impact description, may be prose or JSON block.",
+ "required": [
+ "type",
+ "content"
+ ],
+ "properties": {
+ "type": {
+ "description": "Name of the non-standard impact metrics format used.",
+ "type": "string",
+ "minLength": 1,
+ "maxLength": 128
+ },
+ "content": {
+ "type": "object",
+ "$comment": "additionalProperties are allowed here, since this construct supports arbitrary JSON.",
+ "description": "JSON object not covered by another metrics format.",
+ "minProperties": 1
+ }
+ },
+ "additionalProperties": false
+ }
+ },
+ "additionalProperties": false
+ }
+ },
+ "configurations": {
+ "type": "array",
+ "description": "Configurations required for exploiting this vulnerability.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/definitions/description"
+ }
+ },
+ "workarounds": {
+ "type": "array",
+ "description": "Workarounds and mitigations for this vulnerability.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/definitions/description"
+ }
+ },
+ "solutions": {
+ "type": "array",
+ "description": "Information about solutions or remediations available for this vulnerability.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/definitions/description"
+ }
+ },
+ "exploits": {
+ "type": "array",
+ "description": "Information about exploits of the vulnerability.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/definitions/description"
+ }
+ },
+ "timeline": {
+ "type": "array",
+ "description": "This is timeline information for significant events about this vulnerability or changes to the CVE Record.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "required": [
+ "time",
+ "lang",
+ "value"
+ ],
+ "properties": {
+ "time": {
+ "description": "Timestamp representing when the event in the timeline occurred. The timestamp format is based on RFC3339 and ISO ISO8601, with an optional timezone. yyyy-MM-ddTHH:mm:ss[+-]ZH:ZM - if the timezone offset is not given, GMT (+00:00) is assumed.",
+ "$ref": "#/definitions/timestamp"
+ },
+ "lang": {
+ "description": "The language used in the description of the event. The language field is included so that CVE Records can support translations. The value must be a BCP 47 language code.",
+ "$ref": "#/definitions/language"
+ },
+ "value": {
+ "description": "A summary of the event.",
+ "type": "string",
+ "minLength": 1,
+ "maxLength": 4096
+ }
+ },
+ "additionalProperties": false
+ }
+ },
+ "credits": {
+ "type": "array",
+ "description": "Statements acknowledging specific people, organizations, or tools recognizing the work done in researching, discovering, remediating or helping with activities related to this CVE.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "properties": {
+ "lang": {
+ "description": "The language used when describing the credits. The language field is included so that CVE Records can support translations. The value must be a BCP 47 language code.",
+ "$ref": "#/definitions/language"
+ },
+ "value": {
+ "type": "string",
+ "minLength": 1,
+ "maxLength": 4096
+ },
+ "user": {
+ "description": "UUID of the user being credited if present in the CVE User Registry (optional). This UUID can be used to lookup the user record in the user registry service.",
+ "$ref": "#/definitions/uuidType"
+ },
+ "type": {
+ "type": "string",
+ "description": "Type or role of the entity being credited (optional). finder: identifies the vulnerability.\nreporter: notifies the vendor of the vulnerability to a CNA.\nanalyst: validates the vulnerability to ensure accuracy or severity.\ncoordinator: facilitates the coordinated response process.\nremediation developer: prepares a code change or other remediation plans.\nremediation reviewer: reviews vulnerability remediation plans or code changes for effectiveness and completeness.\nremediation verifier: tests and verifies the vulnerability or its remediation.\ntool: names of tools used in vulnerability discovery or identification.\nsponsor: supports the vulnerability identification or remediation activities.",
+ "default": "finder",
+ "enum": [
+ "finder",
+ "reporter",
+ "analyst",
+ "coordinator",
+ "remediation developer",
+ "remediation reviewer",
+ "remediation verifier",
+ "tool",
+ "sponsor",
+ "other"
+ ]
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ "lang",
+ "value"
+ ]
+ }
+ },
+ "source": {
+ "type": "object",
+ "description": "This is the source information (who discovered it, who researched it, etc.) and optionally a chain of CNA information (e.g. the originating CNA and subsequent parent CNAs who have processed it before it arrives at the MITRE root).\n Must contain: IF this is in the root level it MUST contain a CNA_chain entry, IF this source entry is NOT in the root (e.g. it is part of a vendor statement) then it must contain at least one type of data entry.",
+ "minProperties": 1
+ },
+ "language": {
+ "type": "string",
+ "description": "BCP 47 language code, language-region.",
+ "default": "en",
+ "pattern": "^[A-Za-z]{2,4}([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$"
+ },
+ "englishLanguage": {
+ "type": "string",
+ "description": "BCP 47 language code, language-region, required to be English.",
+ "pattern": "^en([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$"
+ },
+ "taxonomyMappings": {
+ "type": "array",
+ "description": "List of taxonomy items related to the vulnerability.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "description": "A taxonomy mapping object identifies the taxonomy by a name and version (eg., ATT&CK v13.1, CVSS 3.1, CWE 4.12) along with a list of relations relevant to this CVE.",
+ "required": [
+ "taxonomyName",
+ "taxonomyRelations"
+ ],
+ "properties": {
+ "taxonomyName": {
+ "type": "string",
+ "description": "The name of the taxonomy, eg., ATT&CK, D3FEND, CWE, CVSS",
+ "minLength": 1,
+ "maxLength": 128
+ },
+ "taxonomyVersion": {
+ "type": "string",
+ "description": "The version of taxonomy the identifiers come from.",
+ "minLength": 1,
+ "maxLength": 128
+ },
+ "taxonomyRelations": {
+ "type": "array",
+ "description": "List of relationships to the taxonomy for the vulnerability.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "description": "A relationship between the taxonomy and the CVE or two taxonomy items.",
+ "required": [
+ "taxonomyId",
+ "relationshipName",
+ "relationshipValue"
+ ],
+ "properties": {
+ "taxonomyId": {
+ "type": "string",
+ "description": "Identifier of the item in the taxonomy. Used as the subject of the relationship.",
+ "minLength": 1,
+ "maxLength": 2048
+ },
+ "relationshipName": {
+ "type": "string",
+ "description": "A description of the relationship.",
+ "minLength": 1,
+ "maxLength": 128
+ },
+ "relationshipValue": {
+ "type": "string",
+ "description": "The target of the relationship. Can be the CVE ID or another taxonomy identifier.",
+ "minLength": 1,
+ "maxLength": 2048
+ }
+ },
+ "additionalProperties": false
+ }
+ }
+ },
+ "additionalProperties": false
+ }
+ },
+ "tagExtension": {
+ "type": "string",
+ "minLength": 2,
+ "maxLength": 128,
+ "pattern": "^x_.*$",
+ "$comment": "These values are not used as JSON property names, so there is not a need to work-around property naming limitations in some common implementations."
+ },
+ "cnaTags": {
+ "type": "array",
+ "description": "Tags provided by a CNA describing the CVE Record.",
+ "uniqueItems": true,
+ "minItems": 1,
+ "items": {
+ "oneOf": [
+ {
+ "$ref": "#/definitions/tagExtension"
+ },
+ {
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "$id": "https://cve.mitre.org/cve/v5_00/tags/cna/",
+ "type": "string",
+ "description": "exclusively-hosted-service: All known software and/or hardware affected by this CVE Record is known to exist only in the affected hosted service. If the vulnerability affects both hosted and on-prem software and/or hardware, then the tag should not be used.\n\nunsupported-when-assigned: Used by the assigning CNA to indicate that when a request for a CVE assignment was received, the product was already end-of-life (EOL) or a product or specific version was deemed not to be supported by the vendor. This tag should only be applied to a CVE Record when all affected products or version lines referenced in the CVE-Record are EOL.\n\ndisputed: When one party disagrees with another party's assertion that a particular issue in software is a vulnerability, a CVE Record assigned to that issue may be tagged as being 'disputed'.",
+ "enum": [
+ "unsupported-when-assigned",
+ "exclusively-hosted-service",
+ "disputed"
+ ]
+ }
+ ]
+ }
+ },
+ "adpTags": {
+ "type": "array",
+ "description": "Tags provided by an ADP describing the CVE Record.",
+ "uniqueItems": true,
+ "minItems": 1,
+ "items": {
+ "oneOf": [
+ {
+ "$ref": "#/definitions/tagExtension"
+ },
+ {
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "$id": "https://cve.mitre.org/cve/v5_00/tags/adp/",
+ "type": "string",
+ "description": "disputed: When one party disagrees with another party's assertion that a particular issue in software is a vulnerability, a CVE Record assigned to that issue may be tagged as being 'disputed'.",
+ "enum": [
+ "disputed"
+ ]
+ }
+ ]
+ }
+ }
+ },
+ "properties": {
+ "cnaContainer": {
+ "$ref": "#/definitions/cnaPublishedContainer"
+ }
+ },
+ "additionalProperties": false
+}
\ No newline at end of file
diff --git a/schema/docs/CVE_Record_Format_bundled_cnaRejectedContainer.json b/schema/docs/CVE_Record_Format_bundled_cnaRejectedContainer.json
new file mode 100644
index 00000000000..7a404c3af02
--- /dev/null
+++ b/schema/docs/CVE_Record_Format_bundled_cnaRejectedContainer.json
@@ -0,0 +1,3341 @@
+{
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "$id": "https://cveproject.github.io/cve-schema/schema/docs/CVE_Record_Format_bundled_cnaRejectedContainer.json",
+ "title": "CVE JSON cnaRejectedContainer sub schema",
+ "description": "CVE JSON cnaRejectedContainer format",
+ "definitions": {
+ "uriType": {
+ "description": "A universal resource identifier (URI), according to [RFC 3986](https://tools.ietf.org/html/rfc3986).",
+ "type": "string",
+ "format": "uri",
+ "minLength": 1,
+ "maxLength": 2048
+ },
+ "uuidType": {
+ "description": "A version 4 (random) universally unique identifier (UUID) as defined by [RFC 4122](https://tools.ietf.org/html/rfc4122#section-4.1.3).",
+ "type": "string",
+ "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
+ },
+ "reference": {
+ "type": "object",
+ "required": [
+ "url"
+ ],
+ "properties": {
+ "url": {
+ "description": "The uniform resource locator (URL), according to [RFC 3986](https://tools.ietf.org/html/rfc3986#section-1.1.3), that can be used to retrieve the referenced resource.",
+ "$ref": "#/definitions/uriType"
+ },
+ "name": {
+ "description": "User created name for the reference, often the title of the page.",
+ "type": "string",
+ "maxLength": 512,
+ "minLength": 1
+ },
+ "tags": {
+ "description": "An array of one or more tags that describe the resource referenced by 'url'.",
+ "type": "array",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "oneOf": [
+ {
+ "$ref": "#/definitions/tagExtension"
+ },
+ {
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "$id": "https://cve.mitre.org/cve/v5_00/tags/reference/",
+ "type": "string",
+ "description": "broken-link: The reference link is returning a 404 error, or the site is no longer online.\n\ncustomer-entitlement: Similar to Privileges Required, but specific to references that require non-public/paid access for customers of the particular vendor.\n\nexploit: Reference contains an in-depth/detailed description of steps to exploit a vulnerability OR the reference contains any legitimate Proof of Concept (PoC) code or exploit kit.\n\ngovernment-resource: All reference links that are from a government agency or organization should be given the Government Resource tag.\n\nissue-tracking: The reference is a post from a bug tracking tool such as MantisBT, Bugzilla, JIRA, Github Issues, etc...\n\nmailing-list: The reference is from a mailing list -- often specific to a product or vendor.\n\nmitigation: The reference contains information on steps to mitigate against the vulnerability in the event a patch can't be applied or is unavailable or for EOL product situations.\n\nnot-applicable: The reference link is not applicable to the vulnerability and was likely associated by MITRE accidentally (should be used sparingly).\n\npatch: The reference contains an update to the software that fixes the vulnerability.\n\npermissions-required: The reference link provided is blocked by a logon page. If credentials are required to see any information this tag must be applied.\n\nmedia-coverage: The reference is from a media outlet such as a newspaper, magazine, social media, or weblog. This tag is not intended to apply to any individual's personal social media account. 
It is strictly intended for public media entities.\n\nproduct: A reference appropriate for describing a product for the purpose of CPE or SWID.\n\nrelated: A reference that is for a related (but not the same) vulnerability.\n\nrelease-notes: The reference is in the format of a vendor or open source project's release notes or change log.\n\nsignature: The reference contains a method to detect or prevent the presence or exploitation of the vulnerability.\n\ntechnical-description: The reference contains in-depth technical information about a vulnerability and its exploitation process, typically in the form of a presentation or whitepaper.\n\nthird-party-advisory: Advisory is from an organization that is not the vulnerable product's vendor/publisher/maintainer.\n\nvendor-advisory: Advisory is from the vendor/publisher/maintainer of the product or the parent organization.\n\nvdb-entry: VDBs are loosely defined as sites that provide information about this vulnerability, such as advisories, with identifiers. Included VDBs are free to access, substantially public, and have broad scope and coverage (not limited to a single vendor or research organization). See: https://www.first.org/global/sigs/vrdx/vdb-catalog",
+ "enum": [
+ "broken-link",
+ "customer-entitlement",
+ "exploit",
+ "government-resource",
+ "issue-tracking",
+ "mailing-list",
+ "mitigation",
+ "not-applicable",
+ "patch",
+ "permissions-required",
+ "media-coverage",
+ "product",
+ "related",
+ "release-notes",
+ "signature",
+ "technical-description",
+ "third-party-advisory",
+ "vendor-advisory",
+ "vdb-entry"
+ ]
+ }
+ ]
+ }
+ }
+ },
+ "additionalProperties": false
+ },
+ "cveId": {
+ "type": "string",
+ "pattern": "^CVE-[0-9]{4}-[0-9]{4,19}$"
+ },
+ "orgId": {
+ "description": "A UUID for an organization participating in the CVE program. This UUID can be used to lookup the organization record in the user registry service.",
+ "$ref": "#/definitions/uuidType"
+ },
+ "userId": {
+ "description": "A UUID for a user participating in the CVE program. This UUID can be used to lookup the user record in the user registry service.",
+ "$ref": "#/definitions/uuidType"
+ },
+ "shortName": {
+ "description": "A 2-32 character name that can be used to complement an organization's UUID.",
+ "type": "string",
+ "minLength": 2,
+ "maxLength": 32
+ },
+ "datestamp": {
+ "description": "Date/time format based on RFC3339 and ISO ISO8601.",
+ "type": "string",
+ "format": "date",
+ "pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))$"
+ },
+ "timestamp": {
+ "type": "string",
+ "description": "Date/time format based on RFC3339 and ISO ISO8601, with an optional timezone in the format 'yyyy-MM-ddTHH:mm:ss[+-]ZH:ZM'. If timezone offset is not given, GMT (+00:00) is assumed.",
+ "pattern": "^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})?$"
+ },
+ "version": {
+ "description": "A single version of a product, as expressed in its own version numbering scheme.",
+ "type": "string",
+ "minLength": 1,
+ "maxLength": 1024
+ },
+ "status": {
+ "description": "The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.",
+ "type": "string",
+ "enum": [
+ "affected",
+ "unaffected",
+ "unknown"
+ ]
+ },
+ "product": {
+ "type": "object",
+ "description": "Provides information about the set of products and services affected by this vulnerability.",
+ "allOf": [
+ {
+ "anyOf": [
+ {
+ "required": [
+ "vendor",
+ "product"
+ ]
+ },
+ {
+ "required": [
+ "collectionURL",
+ "packageName"
+ ]
+ }
+ ]
+ },
+ {
+ "anyOf": [
+ {
+ "required": [
+ "versions"
+ ]
+ },
+ {
+ "required": [
+ "defaultStatus"
+ ]
+ }
+ ]
+ }
+ ],
+ "properties": {
+ "vendor": {
+ "type": "string",
+ "description": "Name of the organization, project, community, individual, or user that created or maintains this product or hosted service. Can be 'N/A' if none of those apply. When collectionURL and packageName are used, this field may optionally represent the user or account within the package collection associated with the package.",
+ "minLength": 1,
+ "maxLength": 512
+ },
+ "product": {
+ "type": "string",
+ "description": "Name of the affected product.",
+ "minLength": 1,
+ "maxLength": 2048
+ },
+ "collectionURL": {
+ "description": "URL identifying a package collection (determines the meaning of packageName).",
+ "$ref": "#/definitions/uriType",
+ "examples": [
+ "https://access.redhat.com/downloads/content/package-browser",
+ "https://addons.mozilla.org",
+ "https://addons.thunderbird.net",
+ "https://anaconda.org/anaconda/repo",
+ "https://app.vagrantup.com/boxes/search",
+ "https://apps.apple.com",
+ "https://archlinux.org/packages",
+ "https://atmospherejs.meteor.com",
+ "https://atom.io/packages",
+ "https://bitbucket.org",
+ "https://bower.io",
+ "https://brew.sh/",
+ "https://chocolatey.org/packages",
+ "https://chrome.google.com/webstore",
+ "https://clojars.org",
+ "https://cocoapods.org",
+ "https://code.dlang.org",
+ "https://conan.io/center",
+ "https://cpan.org/modules",
+ "https://cran.r-project.org",
+ "https://crates.io",
+ "https://ctan.org/pkg",
+ "https://drupal.org",
+ "https://exchange.adobe.com",
+ "https://forge.puppet.com/modules",
+ "https://github.com",
+ "https://gitlab.com/explore",
+ "https://golang.org/pkg",
+ "https://guix.gnu.org/packages",
+ "https://hackage.haskell.org",
+ "https://helm.sh",
+ "https://hub.docker.com",
+ "https://juliahub.com",
+ "https://lib.haxe.org",
+ "https://luarocks.org",
+ "https://marketplace.visualstudio.com",
+ "https://melpa.org",
+ "https://microsoft.com/en-us/store/apps",
+ "https://nimble.directory",
+ "https://nuget.org/packages",
+ "https://opam.ocaml.org/packages",
+ "https://openwrt.org/packages/index",
+ "https://package.elm-lang.org",
+ "https://packagecontrol.io",
+ "https://packages.debian.org",
+ "https://packages.gentoo.org",
+ "https://packagist.org",
+ "https://pear.php.net/packages.php",
+ "https://pecl.php.net",
+ "https://platformio.org/lib",
+ "https://play.google.com/store",
+ "https://plugins.gradle.org",
+ "https://projects.eclipse.org",
+ "https://pub.dev",
+ "https://pypi.python.org",
+ "https://registry.npmjs.org",
+ "https://registry.terraform.io",
+ "https://repo.hex.pm",
+ "https://repo.maven.apache.org/maven2",
+ "https://rubygems.org",
+ "https://search.nixos.org/packages",
+ "https://sourceforge.net",
+ "https://wordpress.org/plugins"
+ ]
+ },
+ "packageName": {
+ "type": "string",
+ "description": "Name or identifier of the affected software package as used in the package collection.",
+ "minLength": 1,
+ "maxLength": 2048
+ },
+ "cpes": {
+ "type": "array",
+ "description": "Affected products defined by CPE. This is an array of CPE values (vulnerable and not), we use an array so that we can make multiple statements about the same version and they are separate (if we used a JSON object we'd essentially be keying on the CPE name and they would have to overlap). Also, this allows things like cveDataVersion or cveDescription to be applied directly to the product entry. This also allows more complex statements such as \"Product X between versions 10.2 and 10.8\" to be put in a machine-readable format. As well since multiple statements can be used multiple branches of the same product can be defined here.",
+ "uniqueItems": true,
+ "items": {
+ "title": "CPE Name",
+ "type": "string",
+ "description": "Common Platform Enumeration (CPE) Name in either 2.2 or 2.3 format",
+ "pattern": "([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9._\\-~%]*){0,6})|(cpe:2\\.3:[aho*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){4})",
+ "minLength": 1,
+ "maxLength": 2048
+ }
+ },
+ "modules": {
+ "type": "array",
+ "description": "A list of the affected components, features, modules, sub-components, sub-products, APIs, commands, utilities, programs, or functionalities (optional).",
+ "uniqueItems": true,
+ "items": {
+ "type": "string",
+ "description": "Name of the affected component, feature, module, sub-component, sub-product, API, command, utility, program, or functionality (optional).",
+ "minLength": 1,
+ "maxLength": 4096
+ }
+ },
+ "programFiles": {
+ "type": "array",
+ "description": "A list of the affected source code files (optional).",
+ "uniqueItems": true,
+ "items": {
+ "description": "Name or path or location of the affected source code file.",
+ "type": "string",
+ "minLength": 1,
+ "maxLength": 1024
+ }
+ },
+ "programRoutines": {
+ "type": "array",
+ "description": "A list of the affected source code functions, methods, subroutines, or procedures (optional).",
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "description": "An object describing program routine.",
+ "required": [
+ "name"
+ ],
+ "properties": {
+ "name": {
+ "type": "string",
+ "description": "Name of the affected source code file, function, method, subroutine, or procedure.",
+ "minLength": 1,
+ "maxLength": 4096
+ }
+ },
+ "additionalProperties": false
+ }
+ },
+ "platforms": {
+ "title": "Platforms",
+ "description": "List of specific platforms if the vulnerability is only relevant in the context of these platforms (optional). Platforms may include execution environments, operating systems, virtualization technologies, hardware models, or computing architectures. The lack of this field or an empty array implies that the other fields are applicable to all relevant platforms.",
+ "type": "array",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "string",
+ "examples": [
+ "iOS",
+ "Android",
+ "Windows",
+ "macOS",
+ "x86",
+ "ARM",
+ "64 bit",
+ "Big Endian",
+ "iPad",
+ "Chromebook",
+ "Docker",
+ "Model T"
+ ],
+ "maxLength": 1024
+ }
+ },
+ "repo": {
+ "description": "The URL of the source code repository, for informational purposes and/or to resolve git hash version ranges.",
+ "$ref": "#/definitions/uriType"
+ },
+ "defaultStatus": {
+ "description": "The default status for versions that are not otherwise listed in the versions list. If not specified, defaultStatus defaults to 'unknown'. Versions or defaultStatus may be omitted, but not both.",
+ "$ref": "#/definitions/status"
+ },
+ "versions": {
+ "type": "array",
+ "description": "Set of product versions or version ranges related to the vulnerability. The versions satisfy the CNA Rules [8.1.2 requirement](https://cve.mitre.org/cve/cna/rules.html#section_8-1_cve_entry_information_requirements). Versions or defaultStatus may be omitted, but not both.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "description": "A single version or a range of versions, with vulnerability status.\n\nAn entry with only 'version' and 'status' indicates the status of a single version.\n\nOtherwise, an entry describes a range; it must include the 'versionType' property, to define the version numbering semantics in use, and 'limit', to indicate the non-inclusive upper limit of the range. The object describes the status for versions V such that 'version' <= V and V < 'limit', using the <= and < semantics defined for the specific kind of 'versionType'. Status changes within the range can be specified by an optional 'changes' list.\n\nThe algorithm to decide the status specified for a version V is:\n\n\tfor entry in product.versions {\n\t\tif entry.lessThan is not present and entry.lessThanOrEqual is not present and v == entry.version {\n\t\t\treturn entry.status\n\t\t}\n\t\tif (entry.lessThan is present and entry.version <= v and v < entry.lessThan) or\n\t\t (entry.lessThanOrEqual is present and entry.version <= v and v <= entry.lessThanOrEqual) { // <= and < defined by entry.versionType\n\t\t\tstatus = entry.status\n\t\t\tfor change in entry.changes {\n\t\t\t\tif change.at <= v {\n\t\t\t\t\tstatus = change.status\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn status\n\t\t}\n\t}\n\treturn product.defaultStatus\n\n.",
+ "oneOf": [
+ {
+ "required": [
+ "version",
+ "status"
+ ],
+ "maxProperties": 2
+ },
+ {
+ "required": [
+ "version",
+ "status",
+ "versionType"
+ ],
+ "maxProperties": 3
+ },
+ {
+ "required": [
+ "version",
+ "status",
+ "versionType",
+ "lessThan"
+ ]
+ },
+ {
+ "required": [
+ "version",
+ "status",
+ "versionType",
+ "lessThanOrEqual"
+ ]
+ }
+ ],
+ "properties": {
+ "version": {
+ "description": "The single version being described, or the version at the start of the range. By convention, typically 0 denotes the earliest possible version.",
+ "$ref": "#/definitions/version"
+ },
+ "status": {
+ "description": "The vulnerability status for the version or range of versions. For a range, the status may be refined by the 'changes' list.",
+ "$ref": "#/definitions/status"
+ },
+ "versionType": {
+ "type": "string",
+ "description": "The version numbering system used for specifying the range. This defines the exact semantics of the comparison (less-than) operation on versions, which is required to understand the range itself. 'Custom' indicates that the version type is unspecified and should be avoided whenever possible. It is included primarily for use in conversion of older data files.",
+ "minLength": 1,
+ "maxLength": 128,
+ "examples": [
+ "custom",
+ "git",
+ "maven",
+ "python",
+ "rpm",
+ "semver"
+ ]
+ },
+ "lessThan": {
+ "description": "The non-inclusive upper limit of the range. This is the least version NOT in the range. The usual version syntax is expanded to allow a pattern to end in an asterisk `(*)`, indicating an arbitrarily large number in the version ordering. For example, `{version: 1.0 lessThan: 1.*}` would describe the entire 1.X branch for most range kinds, and `{version: 2.0, lessThan: *}` describes all versions starting at 2.0, including 3.0, 5.1, and so on. Only one of lessThan and lessThanOrEqual should be specified.",
+ "$ref": "#/definitions/version"
+ },
+ "lessThanOrEqual": {
+ "description": "The inclusive upper limit of the range. This is the greatest version contained in the range. Only one of lessThan and lessThanOrEqual should be specified. For example, `{version: 1.0, lessThanOrEqual: 1.3}` covers all versions from 1.0 up to and including 1.3.",
+ "$ref": "#/definitions/version"
+ },
+ "changes": {
+ "type": "array",
+ "description": "A list of status changes that take place during the range. The array should be sorted in increasing order by the 'at' field, according to the versionType, but clients must re-sort the list themselves rather than assume it is sorted.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "description": "The start of a single status change during the range.",
+ "required": [
+ "at",
+ "status"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "at": {
+ "description": "The version at which a status change occurs.",
+ "$ref": "#/definitions/version"
+ },
+ "status": {
+ "description": "The new status in the range starting at the given version.",
+ "$ref": "#/definitions/status"
+ }
+ }
+ }
+ }
+ },
+ "additionalProperties": false
+ }
+ }
+ }
+ },
+ "dataType": {
+ "description": "Indicates the type of information represented in the JSON instance.",
+ "type": "string",
+ "enum": [
+ "CVE_RECORD"
+ ]
+ },
+ "dataVersion": {
+ "description": "The version of the CVE schema used for validating this record. Used to support multiple versions of this format.",
+ "type": "string",
+ "pattern": "^5\\.(0|[1-9][0-9]*)(\\.(0|[1-9][0-9]*))?$",
+ "default": "5.1.0"
+ },
+ "cveMetadataPublished": {
+ "description": "This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, the current state (PUBLISHED, REJECTED, etc.) and so on. These fields are controlled by the CVE Services.",
+ "type": "object",
+ "required": [
+ "cveId",
+ "assignerOrgId",
+ "state"
+ ],
+ "properties": {
+ "cveId": {
+ "description": "The CVE identifier that this record pertains to.",
+ "$ref": "#/definitions/cveId"
+ },
+ "assignerOrgId": {
+ "$ref": "#/definitions/orgId",
+ "description": "The UUID for the organization to which the CVE ID was originally assigned. This UUID can be used to lookup the organization record in the user registry service."
+ },
+ "assignerShortName": {
+ "$ref": "#/definitions/shortName",
+ "description": "The short name for the organization to which the CVE ID was originally assigned."
+ },
+ "requesterUserId": {
+ "$ref": "#/definitions/userId",
+ "description": "The user that requested the CVE identifier."
+ },
+ "dateUpdated": {
+ "description": "The date/time the record was last updated.",
+ "$ref": "#/definitions/timestamp"
+ },
+ "serial": {
+ "type": "integer",
+ "minimum": 1,
+ "description": "The system of record causes this to start at 1, and increment by 1 each time a submission from a data provider changes this CVE Record. The incremented value moves to the Rejected schema upon a PUBLISHED->REJECTED transition, and moves to the Published schema upon a REJECTED->PUBLISHED transition."
+ },
+ "dateReserved": {
+ "$ref": "#/definitions/timestamp",
+ "description": "The date/time this CVE ID was reserved in the CVE automation workgroup services system. Disclaimer: This date reflects when the CVE ID was reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE."
+ },
+ "datePublished": {
+ "$ref": "#/definitions/timestamp",
+ "description": "The date/time the CVE Record was first published in the CVE List."
+ },
+ "state": {
+ "description": "State of CVE - PUBLISHED, REJECTED.",
+ "type": "string",
+ "enum": [
+ "PUBLISHED"
+ ]
+ }
+ },
+ "additionalProperties": false
+ },
+ "cveMetadataRejected": {
+ "type": "object",
+ "description": "This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, the current state (PUBLISHED, REJECTED, etc.) and so on. These fields are controlled by the CVE Services.",
+ "required": [
+ "cveId",
+ "assignerOrgId",
+ "state"
+ ],
+ "properties": {
+ "cveId": {
+ "description": "The CVE identifier that this record pertains to.",
+ "$ref": "#/definitions/cveId"
+ },
+ "assignerOrgId": {
+ "$ref": "#/definitions/orgId",
+ "description": "The UUID for the organization to which the CVE ID was originally assigned."
+ },
+ "assignerShortName": {
+ "$ref": "#/definitions/shortName",
+ "description": "The short name for the organization to which the CVE ID was originally assigned."
+ },
+ "serial": {
+ "type": "integer",
+ "minimum": 1,
+ "description": "The system of record causes this to start at 1, and increment by 1 each time a submission from a data provider changes this CVE Record. The incremented value moves to the Rejected schema upon a PUBLISHED->REJECTED transition, and moves to the Published schema upon a REJECTED->PUBLISHED transition."
+ },
+ "dateUpdated": {
+ "description": "The date/time the record was last updated.",
+ "$ref": "#/definitions/timestamp"
+ },
+ "datePublished": {
+ "$ref": "#/definitions/timestamp",
+ "description": "The date/time the CVE Record was first published in the CVE List."
+ },
+ "dateRejected": {
+ "$ref": "#/definitions/timestamp",
+ "description": "The date/time the CVE ID was rejected."
+ },
+ "state": {
+ "type": "string",
+ "description": "State of CVE - PUBLISHED, REJECTED.",
+ "enum": [
+ "REJECTED"
+ ]
+ },
+ "dateReserved": {
+ "$ref": "#/definitions/timestamp",
+ "description": "The date/time this CVE ID was reserved in the CVE automation workgroup services system. Disclaimer: This date reflects when the CVE ID was reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE."
+ }
+ },
+ "additionalProperties": false
+ },
+ "providerMetadata": {
+ "type": "object",
+ "description": "Details related to the information container provider (CNA or ADP).",
+ "properties": {
+ "orgId": {
+ "$ref": "#/definitions/orgId",
+ "description": "The container provider's organizational UUID."
+ },
+ "shortName": {
+ "$ref": "#/definitions/shortName",
+ "description": "The container provider's organizational short name."
+ },
+ "dateUpdated": {
+ "$ref": "#/definitions/timestamp",
+ "description": "Timestamp to be set by the system of record at time of submission. If dateUpdated is provided to the system of record it will be replaced by the current timestamp at the time of submission."
+ }
+ },
+ "required": [
+ "orgId"
+ ],
+ "additionalProperties": false
+ },
+ "cnaPublishedContainer": {
+ "description": "An object containing the vulnerability information provided by a CVE Numbering Authority (CNA) for a published CVE ID. There can only be one CNA container per CVE record since there can only be one assigning CNA. The CNA container must include the required information defined in the CVE Rules, which includes a product, version, problem type, prose description, and a reference.",
+ "type": "object",
+ "properties": {
+ "providerMetadata": {
+ "$ref": "#/definitions/providerMetadata"
+ },
+ "dateAssigned": {
+ "$ref": "#/definitions/timestamp",
+ "description": "The date/time this CVE ID was associated with a vulnerability by a CNA."
+ },
+ "datePublic": {
+ "$ref": "#/definitions/timestamp",
+ "description": "If known, the date/time the vulnerability was disclosed publicly."
+ },
+ "title": {
+ "type": "string",
+ "description": "A title, headline, or a brief phrase summarizing the CVE record. Eg., Buffer overflow in Example Soft.",
+ "minLength": 1,
+ "maxLength": 256
+ },
+ "descriptions": {
+ "$ref": "#/definitions/descriptions"
+ },
+ "affected": {
+ "$ref": "#/definitions/affected"
+ },
+ "problemTypes": {
+ "$ref": "#/definitions/problemTypes"
+ },
+ "references": {
+ "$ref": "#/definitions/references"
+ },
+ "impacts": {
+ "$ref": "#/definitions/impacts"
+ },
+ "metrics": {
+ "$ref": "#/definitions/metrics"
+ },
+ "configurations": {
+ "$ref": "#/definitions/configurations"
+ },
+ "workarounds": {
+ "$ref": "#/definitions/workarounds"
+ },
+ "solutions": {
+ "$ref": "#/definitions/solutions"
+ },
+ "exploits": {
+ "$ref": "#/definitions/exploits"
+ },
+ "timeline": {
+ "$ref": "#/definitions/timeline"
+ },
+ "credits": {
+ "$ref": "#/definitions/credits"
+ },
+ "source": {
+ "$ref": "#/definitions/source"
+ },
+ "tags": {
+ "$ref": "#/definitions/cnaTags"
+ },
+ "taxonomyMappings": {
+ "$ref": "#/definitions/taxonomyMappings"
+ }
+ },
+ "required": [
+ "providerMetadata",
+ "descriptions",
+ "affected",
+ "references"
+ ],
+ "patternProperties": {
+ "^x_[^.]*$": {}
+ },
+ "$comment": "The character . is restricted in names allowed by patternProperties to work-around naming limitations in some common implementations.",
+ "additionalProperties": false
+ },
+ "cnaRejectedContainer": {
+ "description": "An object containing the vulnerability information provided by a CVE Numbering Authority (CNA) for a rejected CVE ID. There can only be one CNA container per CVE record since there can only be one assigning CNA.",
+ "type": "object",
+ "properties": {
+ "providerMetadata": {
+ "$ref": "#/definitions/providerMetadata"
+ },
+ "rejectedReasons": {
+ "description": "Reasons for rejecting this CVE Record.",
+ "$ref": "#/definitions/descriptions"
+ },
+ "replacedBy": {
+ "type": "array",
+ "description": "Contains an array of CVE IDs that this CVE ID was rejected in favor of because this CVE ID was assigned to the vulnerabilities.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/definitions/cveId"
+ }
+ }
+ },
+ "required": [
+ "providerMetadata",
+ "rejectedReasons"
+ ],
+ "patternProperties": {
+ "^x_[^.]*$": {}
+ },
+ "$comment": "The character . is restricted in names allowed by patternProperties to work-around naming limitations in some common implementations.",
+ "additionalProperties": false
+ },
+ "adpContainer": {
+ "description": "An object containing the vulnerability information provided by an Authorized Data Publisher (ADP). Since multiple ADPs can provide information for a CVE ID, an ADP container must indicate which ADP is the source of the information in the object.",
+ "type": "object",
+ "properties": {
+ "providerMetadata": {
+ "$ref": "#/definitions/providerMetadata"
+ },
+ "datePublic": {
+ "$ref": "#/definitions/timestamp",
+ "description": "If known, the date/time the vulnerability was disclosed publicly."
+ },
+ "title": {
+ "type": "string",
+ "description": "A title, headline, or a brief phrase summarizing the information in an ADP container.",
+ "minLength": 1,
+ "maxLength": 256
+ },
+ "descriptions": {
+ "$ref": "#/definitions/descriptions"
+ },
+ "affected": {
+ "$ref": "#/definitions/affected"
+ },
+ "problemTypes": {
+ "$ref": "#/definitions/problemTypes"
+ },
+ "references": {
+ "$ref": "#/definitions/references"
+ },
+ "impacts": {
+ "$ref": "#/definitions/impacts"
+ },
+ "metrics": {
+ "$ref": "#/definitions/metrics"
+ },
+ "configurations": {
+ "$ref": "#/definitions/configurations"
+ },
+ "workarounds": {
+ "$ref": "#/definitions/workarounds"
+ },
+ "solutions": {
+ "$ref": "#/definitions/solutions"
+ },
+ "exploits": {
+ "$ref": "#/definitions/exploits"
+ },
+ "timeline": {
+ "$ref": "#/definitions/timeline"
+ },
+ "credits": {
+ "$ref": "#/definitions/credits"
+ },
+ "source": {
+ "$ref": "#/definitions/source"
+ },
+ "tags": {
+ "$ref": "#/definitions/adpTags"
+ },
+ "taxonomyMappings": {
+ "$ref": "#/definitions/taxonomyMappings"
+ }
+ },
+ "required": [
+ "providerMetadata"
+ ],
+ "minProperties": 2,
+ "patternProperties": {
+ "^x_[^.]*$": {}
+ },
+ "$comment": "The character . is restricted in names allowed by patternProperties to work-around naming limitations in some common implementations.",
+ "additionalProperties": false
+ },
+ "affected": {
+ "type": "array",
+ "description": "List of affected products.",
+ "minItems": 1,
+ "items": {
+ "$ref": "#/definitions/product"
+ }
+ },
+ "description": {
+ "type": "object",
+ "description": "Text in a particular language with optional alternate markup or formatted representation (e.g., Markdown) or embedded media.",
+ "properties": {
+ "lang": {
+ "$ref": "#/definitions/language"
+ },
+ "value": {
+ "type": "string",
+ "description": "Plain text description.",
+ "minLength": 1,
+ "maxLength": 4096
+ },
+ "supportingMedia": {
+ "type": "array",
+ "title": "Supporting media",
+ "description": "Supporting media data for the description such as markdown, diagrams, .. (optional). Similar to RFC 2397 each media object has three main parts: media type, media data value, and an optional boolean flag to indicate if the media data is base64 encoded.",
+ "uniqueItems": true,
+ "minItems": 1,
+ "items": {
+ "type": "object",
+ "properties": {
+ "type": {
+ "type": "string",
+ "title": "Media type",
+ "minLength": 1,
+ "maxLength": 256,
+ "description": "RFC2046 compliant IANA Media type for eg., text/markdown, text/html.",
+ "examples": [
+ "text/markdown",
+ "text/html",
+ "image/png",
+ "image/svg",
+ "audio/mp3"
+ ]
+ },
+ "base64": {
+ "type": "boolean",
+ "title": "Encoding",
+ "description": "If true then the value field contains the media data encoded in base64. If false then the value field contains the UTF-8 media content.",
+ "default": false
+ },
+ "value": {
+ "type": "string",
+ "description": "Supporting media content, up to 16K. If base64 is true, this field stores base64 encoded data.",
+ "minLength": 1,
+ "maxLength": 16384
+ }
+ },
+ "required": [
+ "type",
+ "value"
+ ],
+ "additionalProperties": false
+ }
+ }
+ },
+ "required": [
+ "lang",
+ "value"
+ ],
+ "additionalProperties": false
+ },
+ "englishLanguageDescription": {
+ "type": "object",
+ "description": "A description with lang set to an English language (en, en_US, en_UK, and so on).",
+ "properties": {
+ "lang": {
+ "$ref": "#/definitions/englishLanguage"
+ }
+ },
+ "required": [
+ "lang"
+ ],
+ "$comment": "Cannot use additionalProperties: false here, as this prevents the other properties used by /definitions/description."
+ },
+ "descriptions": {
+ "type": "array",
+ "description": "A list of multi-lingual descriptions of the vulnerability. E.g., [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]. OR [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] [ROOT CAUSE], which allows [ATTACKER] to [IMPACT] via [VECTOR].",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/definitions/description"
+ },
+ "contains": {
+ "$ref": "#/definitions/englishLanguageDescription"
+ }
+ },
+ "problemTypes": {
+ "type": "array",
+ "description": "This is problem type information (e.g. CWE identifier). Must contain: At least one entry, can be text, OWASP, CWE, please note that while only one is required you can use more than one (or indeed all three) as long as they are correct). (CNA requirement: [PROBLEMTYPE]).",
+ "items": {
+ "type": "object",
+ "required": [
+ "descriptions"
+ ],
+ "properties": {
+ "descriptions": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "required": [
+ "lang",
+ "description"
+ ],
+ "properties": {
+ "lang": {
+ "$ref": "#/definitions/language"
+ },
+ "description": {
+ "type": "string",
+ "description": "Text description of problemType, or title from CWE or OWASP.",
+ "minLength": 1,
+ "maxLength": 4096
+ },
+ "cweId": {
+ "type": "string",
+ "description": "CWE ID of the CWE that best describes this problemType entry.",
+ "minLength": 5,
+ "maxLength": 9,
+ "pattern": "^CWE-[1-9][0-9]*$"
+ },
+ "type": {
+ "type": "string",
+ "description": "Problemtype source, text, OWASP, CWE, etc.,",
+ "minLength": 1,
+ "maxLength": 128
+ },
+ "references": {
+ "$ref": "#/definitions/references"
+ }
+ },
+ "additionalProperties": false
+ },
+ "minItems": 1,
+ "uniqueItems": true
+ }
+ },
+ "additionalProperties": false
+ },
+ "minItems": 1,
+ "uniqueItems": true
+ },
+ "references": {
+ "type": "array",
+ "description": "This is reference data in the form of URLs or file objects (uuencoded and embedded within the JSON file, exact format to be decided, e.g. we may require a compressed format so the objects require unpacking before they are \"dangerous\").",
+ "items": {
+ "$ref": "#/definitions/reference"
+ },
+ "minItems": 1,
+ "maxItems": 512,
+ "uniqueItems": true
+ },
+ "impacts": {
+ "type": "array",
+ "description": "Collection of impacts of this vulnerability.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "description": "This is impact type information (e.g. a text description.",
+ "required": [
+ "descriptions"
+ ],
+ "properties": {
+ "capecId": {
+ "type": "string",
+ "description": "CAPEC ID that best relates to this impact.",
+ "minLength": 7,
+ "maxLength": 11,
+ "pattern": "^CAPEC-[1-9][0-9]{0,4}$"
+ },
+ "descriptions": {
+ "description": "Prose description of the impact scenario. At a minimum provide the description given by CAPEC.",
+ "$ref": "#/definitions/descriptions"
+ }
+ },
+ "additionalProperties": false
+ }
+ },
+ "metrics": {
+ "type": "array",
+ "description": "Collection of impact scores with attribution.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "description": "This is impact type information (e.g. a text description, CVSSv2, CVSSv3, CVSSV4, etc.). Must contain: At least one entry, can be text, CVSSv2, CVSSv3, others may be added.",
+ "anyOf": [
+ {
+ "required": [
+ "cvssV4_0"
+ ]
+ },
+ {
+ "required": [
+ "cvssV3_1"
+ ]
+ },
+ {
+ "required": [
+ "cvssV3_0"
+ ]
+ },
+ {
+ "required": [
+ "cvssV2_0"
+ ]
+ },
+ {
+ "required": [
+ "other"
+ ]
+ }
+ ],
+ "properties": {
+ "format": {
+ "type": "string",
+ "description": "Name of the scoring format. This provides a bit of future proofing. Additional properties are not prohibited, so this will support the inclusion of proprietary formats. It also provides an easy future conversion mechanism when future score formats become part of the schema. example: cvssV44, format = 'cvssV44', other = cvssV4_4 JSON object. In the future, the other properties can be converted to score properties when they become part of the schema.",
+ "minLength": 1,
+ "maxLength": 64
+ },
+ "scenarios": {
+ "type": "array",
+ "description": "Description of the scenarios this metrics object applies to. If no specific scenario is given, GENERAL is used as the default and applies when no more specific metric matches.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "properties": {
+ "lang": {
+ "$ref": "#/definitions/language"
+ },
+ "value": {
+ "type": "string",
+ "default": "GENERAL",
+ "description": "Description of the scenario this metrics object applies to. If no specific scenario is given, GENERAL is used as the default and applies when no more specific metric matches.",
+ "minLength": 1,
+ "maxLength": 4096
+ }
+ },
+ "required": [
+ "lang",
+ "value"
+ ],
+ "additionalProperties": false
+ }
+ },
+ "cvssV4_0": {
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "title": "JSON Schema for Common Vulnerability Scoring System version 4.0",
+ "type": "object",
+ "definitions": {
+ "attackVectorType": {
+ "type": "string",
+ "enum": [
+ "NETWORK",
+ "ADJACENT",
+ "LOCAL",
+ "PHYSICAL"
+ ]
+ },
+ "modifiedAttackVectorType": {
+ "type": "string",
+ "enum": [
+ "NETWORK",
+ "ADJACENT",
+ "LOCAL",
+ "PHYSICAL",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "attackComplexityType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "LOW"
+ ]
+ },
+ "modifiedAttackComplexityType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "LOW",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "attackRequirementsType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "PRESENT"
+ ]
+ },
+ "modifiedAttackRequirementsType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "PRESENT",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "privilegesRequiredType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "LOW",
+ "NONE"
+ ]
+ },
+ "modifiedPrivilegesRequiredType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "LOW",
+ "NONE",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "userInteractionType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "PASSIVE",
+ "ACTIVE"
+ ]
+ },
+ "modifiedUserInteractionType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "PASSIVE",
+ "ACTIVE",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "vulnCiaType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "HIGH"
+ ]
+ },
+ "modifiedVulnCiaType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "HIGH",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "subCiaType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "HIGH"
+ ]
+ },
+ "modifiedSubCType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "HIGH",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "modifiedSubIaType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "HIGH",
+ "SAFETY",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "exploitMaturityType": {
+ "type": "string",
+ "enum": [
+ "UNREPORTED",
+ "PROOF_OF_CONCEPT",
+ "ATTACKED",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "ciaRequirementType": {
+ "type": "string",
+ "enum": [
+ "LOW",
+ "MEDIUM",
+ "HIGH",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "safetyType": {
+ "type": "string",
+ "enum": [
+ "NEGLIGIBLE",
+ "PRESENT",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "automatableType": {
+ "type": "string",
+ "enum": [
+ "NO",
+ "YES",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "recoveryType": {
+ "type": "string",
+ "enum": [
+ "AUTOMATIC",
+ "USER",
+ "IRRECOVERABLE",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "valueDensityType": {
+ "type": "string",
+ "enum": [
+ "DIFFUSE",
+ "CONCENTRATED",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "vulnerabilityResponseEffortType": {
+ "type": "string",
+ "enum": [
+ "LOW",
+ "MODERATE",
+ "HIGH",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "providerUrgencyType": {
+ "type": "string",
+ "enum": [
+ "CLEAR",
+ "GREEN",
+ "AMBER",
+ "RED",
+ "NOT_DEFINED"
+ ],
+ "default": "NOT_DEFINED"
+ },
+ "scoreType": {
+ "type": "number",
+ "enum": [
+ 0,
+ 0.1,
+ 0.2,
+ 0.3,
+ 0.4,
+ 0.5,
+ 0.6,
+ 0.7,
+ 0.8,
+ 0.9,
+ 1,
+ 1.1,
+ 1.2,
+ 1.3,
+ 1.4,
+ 1.5,
+ 1.6,
+ 1.7,
+ 1.8,
+ 1.9,
+ 2,
+ 2.1,
+ 2.2,
+ 2.3,
+ 2.4,
+ 2.5,
+ 2.6,
+ 2.7,
+ 2.8,
+ 2.9,
+ 3,
+ 3.1,
+ 3.2,
+ 3.3,
+ 3.4,
+ 3.5,
+ 3.6,
+ 3.7,
+ 3.8,
+ 3.9,
+ 4,
+ 4.1,
+ 4.2,
+ 4.3,
+ 4.4,
+ 4.5,
+ 4.6,
+ 4.7,
+ 4.8,
+ 4.9,
+ 5,
+ 5.1,
+ 5.2,
+ 5.3,
+ 5.4,
+ 5.5,
+ 5.6,
+ 5.7,
+ 5.8,
+ 5.9,
+ 6,
+ 6.1,
+ 6.2,
+ 6.3,
+ 6.4,
+ 6.5,
+ 6.6,
+ 6.7,
+ 6.8,
+ 6.9,
+ 7,
+ 7.1,
+ 7.2,
+ 7.3,
+ 7.4,
+ 7.5,
+ 7.6,
+ 7.7,
+ 7.8,
+ 7.9,
+ 8,
+ 8.1,
+ 8.2,
+ 8.3,
+ 8.4,
+ 8.5,
+ 8.6,
+ 8.7,
+ 8.8,
+ 8.9,
+ 9,
+ 9.1,
+ 9.2,
+ 9.3,
+ 9.4,
+ 9.5,
+ 9.6,
+ 9.7,
+ 9.8,
+ 9.9,
+ 10
+ ]
+ },
+ "noneScoreType": {
+ "type": "number",
+ "minimum": 0,
+ "maximum": 0
+ },
+ "lowScoreType": {
+ "type": "number",
+ "enum": [
+ 0.1,
+ 0.2,
+ 0.3,
+ 0.4,
+ 0.5,
+ 0.6,
+ 0.7,
+ 0.8,
+ 0.9,
+ 1,
+ 1.1,
+ 1.2,
+ 1.3,
+ 1.4,
+ 1.5,
+ 1.6,
+ 1.7,
+ 1.8,
+ 1.9,
+ 2,
+ 2.1,
+ 2.2,
+ 2.3,
+ 2.4,
+ 2.5,
+ 2.6,
+ 2.7,
+ 2.8,
+ 2.9,
+ 3,
+ 3.1,
+ 3.2,
+ 3.3,
+ 3.4,
+ 3.5,
+ 3.6,
+ 3.7,
+ 3.8,
+ 3.9
+ ]
+ },
+ "mediumScoreType": {
+ "type": "number",
+ "enum": [
+ 4,
+ 4.1,
+ 4.2,
+ 4.3,
+ 4.4,
+ 4.5,
+ 4.6,
+ 4.7,
+ 4.8,
+ 4.9,
+ 5,
+ 5.1,
+ 5.2,
+ 5.3,
+ 5.4,
+ 5.5,
+ 5.6,
+ 5.7,
+ 5.8,
+ 5.9,
+ 6,
+ 6.1,
+ 6.2,
+ 6.3,
+ 6.4,
+ 6.5,
+ 6.6,
+ 6.7,
+ 6.8,
+ 6.9
+ ]
+ },
+ "highScoreType": {
+ "type": "number",
+ "enum": [
+ 7,
+ 7.1,
+ 7.2,
+ 7.3,
+ 7.4,
+ 7.5,
+ 7.6,
+ 7.7,
+ 7.8,
+ 7.9,
+ 8,
+ 8.1,
+ 8.2,
+ 8.3,
+ 8.4,
+ 8.5,
+ 8.6,
+ 8.7,
+ 8.8,
+ 8.9
+ ]
+ },
+ "criticalScoreType": {
+ "type": "number",
+ "enum": [
+ 9,
+ 9.1,
+ 9.2,
+ 9.3,
+ 9.4,
+ 9.5,
+ 9.6,
+ 9.7,
+ 9.8,
+ 9.9,
+ 10
+ ]
+ },
+ "severityType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "MEDIUM",
+ "HIGH",
+ "CRITICAL"
+ ]
+ },
+ "noneSeverityType": {
+ "const": "NONE"
+ },
+ "lowSeverityType": {
+ "const": "LOW"
+ },
+ "mediumSeverityType": {
+ "const": "MEDIUM"
+ },
+ "highSeverityType": {
+ "const": "HIGH"
+ },
+ "criticalSeverityType": {
+ "const": "CRITICAL"
+ }
+ },
+ "properties": {
+ "version": {
+ "description": "CVSS Version",
+ "type": "string",
+ "enum": [
+ "4.0"
+ ]
+ },
+ "vectorString": {
+ "type": "string",
+ "pattern": "^CVSS:4[.]0/AV:[NALP]/AC:[LH]/AT:[NP]/PR:[NLH]/UI:[NPA]/VC:[HLN]/VI:[HLN]/VA:[HLN]/SC:[HLN]/SI:[HLN]/SA:[HLN](/E:[XAPU])?(/CR:[XHML])?(/IR:[XHML])?(/AR:[XHML])?(/MAV:[XNALP])?(/MAC:[XLH])?(/MAT:[XNP])?(/MPR:[XNLH])?(/MUI:[XNPA])?(/MVC:[XNLH])?(/MVI:[XNLH])?(/MVA:[XNLH])?(/MSC:[XNLH])?(/MSI:[XNLHS])?(/MSA:[XNLHS])?(/S:[XNP])?(/AU:[XNY])?(/R:[XAUI])?(/V:[XDC])?(/RE:[XLMH])?(/U:(X|Clear|Green|Amber|Red))?$"
+ },
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/scoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/severityType"
+ },
+ "attackVector": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/attackVectorType"
+ },
+ "attackComplexity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/attackComplexityType"
+ },
+ "attackRequirements": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/attackRequirementsType"
+ },
+ "privilegesRequired": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/privilegesRequiredType"
+ },
+ "userInteraction": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/userInteractionType"
+ },
+ "vulnConfidentialityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType"
+ },
+ "vulnIntegrityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType"
+ },
+ "vulnAvailabilityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType"
+ },
+ "subConfidentialityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType"
+ },
+ "subIntegrityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType"
+ },
+ "subAvailabilityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType"
+ },
+ "exploitMaturity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/exploitMaturityType"
+ },
+ "confidentialityRequirement": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType"
+ },
+ "integrityRequirement": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType"
+ },
+ "availabilityRequirement": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType"
+ },
+ "modifiedAttackVector": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackVectorType"
+ },
+ "modifiedAttackComplexity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackComplexityType"
+ },
+ "modifiedAttackRequirements": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackRequirementsType"
+ },
+ "modifiedPrivilegesRequired": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedPrivilegesRequiredType"
+ },
+ "modifiedUserInteraction": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedUserInteractionType"
+ },
+ "modifiedVulnConfidentialityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType"
+ },
+ "modifiedVulnIntegrityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType"
+ },
+ "modifiedVulnAvailabilityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType"
+ },
+ "modifiedSubConfidentialityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubCType"
+ },
+ "modifiedSubIntegrityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubIaType"
+ },
+ "modifiedSubAvailabilityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubIaType"
+ },
+ "Safety": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/safetyType"
+ },
+ "Automatable": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/automatableType"
+ },
+ "Recovery": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/recoveryType"
+ },
+ "valueDensity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/valueDensityType"
+ },
+ "vulnerabilityResponseEffort": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnerabilityResponseEffortType"
+ },
+ "providerUrgency": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/providerUrgencyType"
+ }
+ },
+ "allOf": [
+ {
+ "anyOf": [
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalSeverityType"
+ }
+ }
+ }
+ ]
+ },
+ {
+ "anyOf": [
+ {
+ "properties": {
+ "threatScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType"
+ },
+ "threatSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "threatScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowScoreType"
+ },
+ "threatSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "threatScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumScoreType"
+ },
+ "threatSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "threatScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highScoreType"
+ },
+ "threatSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "threatScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalScoreType"
+ },
+ "threatSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalSeverityType"
+ }
+ }
+ }
+ ]
+ },
+ {
+ "anyOf": [
+ {
+ "properties": {
+ "environmentalScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType"
+ },
+ "environmentalSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "environmentalScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowScoreType"
+ },
+ "environmentalSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "environmentalScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumScoreType"
+ },
+ "environmentalSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "environmentalScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highScoreType"
+ },
+ "environmentalSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "environmentalScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalScoreType"
+ },
+ "environmentalSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalSeverityType"
+ }
+ }
+ }
+ ]
+ }
+ ],
+ "required": [
+ "version",
+ "vectorString",
+ "baseScore",
+ "baseSeverity"
+ ],
+ "additionalProperties": false
+ },
+ "cvssV3_1": {
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "title": "JSON Schema for Common Vulnerability Scoring System version 3.1",
+ "type": "object",
+ "definitions": {
+ "attackVectorType": {
+ "type": "string",
+ "enum": [
+ "NETWORK",
+ "ADJACENT_NETWORK",
+ "LOCAL",
+ "PHYSICAL"
+ ]
+ },
+ "modifiedAttackVectorType": {
+ "type": "string",
+ "enum": [
+ "NETWORK",
+ "ADJACENT_NETWORK",
+ "LOCAL",
+ "PHYSICAL",
+ "NOT_DEFINED"
+ ]
+ },
+ "attackComplexityType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "LOW"
+ ]
+ },
+ "modifiedAttackComplexityType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "LOW",
+ "NOT_DEFINED"
+ ]
+ },
+ "privilegesRequiredType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "LOW",
+ "NONE"
+ ]
+ },
+ "modifiedPrivilegesRequiredType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "LOW",
+ "NONE",
+ "NOT_DEFINED"
+ ]
+ },
+ "userInteractionType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "REQUIRED"
+ ]
+ },
+ "modifiedUserInteractionType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "REQUIRED",
+ "NOT_DEFINED"
+ ]
+ },
+ "scopeType": {
+ "type": "string",
+ "enum": [
+ "UNCHANGED",
+ "CHANGED"
+ ]
+ },
+ "modifiedScopeType": {
+ "type": "string",
+ "enum": [
+ "UNCHANGED",
+ "CHANGED",
+ "NOT_DEFINED"
+ ]
+ },
+ "ciaType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "HIGH"
+ ]
+ },
+ "modifiedCiaType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "HIGH",
+ "NOT_DEFINED"
+ ]
+ },
+ "exploitCodeMaturityType": {
+ "type": "string",
+ "enum": [
+ "UNPROVEN",
+ "PROOF_OF_CONCEPT",
+ "FUNCTIONAL",
+ "HIGH",
+ "NOT_DEFINED"
+ ]
+ },
+ "remediationLevelType": {
+ "type": "string",
+ "enum": [
+ "OFFICIAL_FIX",
+ "TEMPORARY_FIX",
+ "WORKAROUND",
+ "UNAVAILABLE",
+ "NOT_DEFINED"
+ ]
+ },
+ "confidenceType": {
+ "type": "string",
+ "enum": [
+ "UNKNOWN",
+ "REASONABLE",
+ "CONFIRMED",
+ "NOT_DEFINED"
+ ]
+ },
+ "ciaRequirementType": {
+ "type": "string",
+ "enum": [
+ "LOW",
+ "MEDIUM",
+ "HIGH",
+ "NOT_DEFINED"
+ ]
+ },
+ "scoreType": {
+ "type": "number",
+ "enum": [
+ 0,
+ 0.1,
+ 0.2,
+ 0.3,
+ 0.4,
+ 0.5,
+ 0.6,
+ 0.7,
+ 0.8,
+ 0.9,
+ 1,
+ 1.1,
+ 1.2,
+ 1.3,
+ 1.4,
+ 1.5,
+ 1.6,
+ 1.7,
+ 1.8,
+ 1.9,
+ 2,
+ 2.1,
+ 2.2,
+ 2.3,
+ 2.4,
+ 2.5,
+ 2.6,
+ 2.7,
+ 2.8,
+ 2.9,
+ 3,
+ 3.1,
+ 3.2,
+ 3.3,
+ 3.4,
+ 3.5,
+ 3.6,
+ 3.7,
+ 3.8,
+ 3.9,
+ 4,
+ 4.1,
+ 4.2,
+ 4.3,
+ 4.4,
+ 4.5,
+ 4.6,
+ 4.7,
+ 4.8,
+ 4.9,
+ 5,
+ 5.1,
+ 5.2,
+ 5.3,
+ 5.4,
+ 5.5,
+ 5.6,
+ 5.7,
+ 5.8,
+ 5.9,
+ 6,
+ 6.1,
+ 6.2,
+ 6.3,
+ 6.4,
+ 6.5,
+ 6.6,
+ 6.7,
+ 6.8,
+ 6.9,
+ 7,
+ 7.1,
+ 7.2,
+ 7.3,
+ 7.4,
+ 7.5,
+ 7.6,
+ 7.7,
+ 7.8,
+ 7.9,
+ 8,
+ 8.1,
+ 8.2,
+ 8.3,
+ 8.4,
+ 8.5,
+ 8.6,
+ 8.7,
+ 8.8,
+ 8.9,
+ 9,
+ 9.1,
+ 9.2,
+ 9.3,
+ 9.4,
+ 9.5,
+ 9.6,
+ 9.7,
+ 9.8,
+ 9.9,
+ 10
+ ]
+ },
+ "severityType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "MEDIUM",
+ "HIGH",
+ "CRITICAL"
+ ]
+ },
+ "noneScoreType": {
+ "type": "number",
+ "minimum": 0,
+ "maximum": 0
+ },
+ "lowScoreType": {
+ "type": "number",
+ "enum": [
+ 0.1,
+ 0.2,
+ 0.3,
+ 0.4,
+ 0.5,
+ 0.6,
+ 0.7,
+ 0.8,
+ 0.9,
+ 1,
+ 1.1,
+ 1.2,
+ 1.3,
+ 1.4,
+ 1.5,
+ 1.6,
+ 1.7,
+ 1.8,
+ 1.9,
+ 2,
+ 2.1,
+ 2.2,
+ 2.3,
+ 2.4,
+ 2.5,
+ 2.6,
+ 2.7,
+ 2.8,
+ 2.9,
+ 3,
+ 3.1,
+ 3.2,
+ 3.3,
+ 3.4,
+ 3.5,
+ 3.6,
+ 3.7,
+ 3.8,
+ 3.9
+ ]
+ },
+ "mediumScoreType": {
+ "type": "number",
+ "enum": [
+ 4,
+ 4.1,
+ 4.2,
+ 4.3,
+ 4.4,
+ 4.5,
+ 4.6,
+ 4.7,
+ 4.8,
+ 4.9,
+ 5,
+ 5.1,
+ 5.2,
+ 5.3,
+ 5.4,
+ 5.5,
+ 5.6,
+ 5.7,
+ 5.8,
+ 5.9,
+ 6,
+ 6.1,
+ 6.2,
+ 6.3,
+ 6.4,
+ 6.5,
+ 6.6,
+ 6.7,
+ 6.8,
+ 6.9
+ ]
+ },
+ "highScoreType": {
+ "type": "number",
+ "enum": [
+ 7,
+ 7.1,
+ 7.2,
+ 7.3,
+ 7.4,
+ 7.5,
+ 7.6,
+ 7.7,
+ 7.8,
+ 7.9,
+ 8,
+ 8.1,
+ 8.2,
+ 8.3,
+ 8.4,
+ 8.5,
+ 8.6,
+ 8.7,
+ 8.8,
+ 8.9
+ ]
+ },
+ "criticalScoreType": {
+ "type": "number",
+ "enum": [
+ 9,
+ 9.1,
+ 9.2,
+ 9.3,
+ 9.4,
+ 9.5,
+ 9.6,
+ 9.7,
+ 9.8,
+ 9.9,
+ 10
+ ]
+ },
+ "noneSeverityType": {
+ "const": "NONE"
+ },
+ "lowSeverityType": {
+ "const": "LOW"
+ },
+ "mediumSeverityType": {
+ "const": "MEDIUM"
+ },
+ "highSeverityType": {
+ "const": "HIGH"
+ },
+ "criticalSeverityType": {
+ "const": "CRITICAL"
+ }
+ },
+ "properties": {
+ "version": {
+ "description": "CVSS Version",
+ "type": "string",
+ "enum": [
+ "3.1"
+ ]
+ },
+ "vectorString": {
+ "type": "string",
+ "pattern": "^CVSS:3[.]1/((AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$"
+ },
+ "attackVector": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/attackVectorType"
+ },
+ "attackComplexity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/attackComplexityType"
+ },
+ "privilegesRequired": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/privilegesRequiredType"
+ },
+ "userInteraction": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/userInteractionType"
+ },
+ "scope": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scopeType"
+ },
+ "confidentialityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType"
+ },
+ "integrityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType"
+ },
+ "availabilityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType"
+ },
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType"
+ },
+ "exploitCodeMaturity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/exploitCodeMaturityType"
+ },
+ "remediationLevel": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/remediationLevelType"
+ },
+ "reportConfidence": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/confidenceType"
+ },
+ "temporalScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType"
+ },
+ "temporalSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType"
+ },
+ "confidentialityRequirement": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType"
+ },
+ "integrityRequirement": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType"
+ },
+ "availabilityRequirement": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType"
+ },
+ "modifiedAttackVector": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedAttackVectorType"
+ },
+ "modifiedAttackComplexity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedAttackComplexityType"
+ },
+ "modifiedPrivilegesRequired": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedPrivilegesRequiredType"
+ },
+ "modifiedUserInteraction": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedUserInteractionType"
+ },
+ "modifiedScope": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedScopeType"
+ },
+ "modifiedConfidentialityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType"
+ },
+ "modifiedIntegrityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType"
+ },
+ "modifiedAvailabilityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType"
+ },
+ "environmentalScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType"
+ },
+ "environmentalSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType"
+ }
+ },
+ "anyOf": [
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/noneScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/noneSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/lowScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/lowSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/mediumScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/mediumSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/highScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/highSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/criticalScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/criticalSeverityType"
+ }
+ }
+ }
+ ],
+ "required": [
+ "version",
+ "vectorString",
+ "baseScore",
+ "baseSeverity"
+ ],
+ "additionalProperties": false
+ },
+ "cvssV3_0": {
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "title": "JSON Schema for Common Vulnerability Scoring System version 3.0",
+ "type": "object",
+ "definitions": {
+ "attackVectorType": {
+ "type": "string",
+ "enum": [
+ "NETWORK",
+ "ADJACENT_NETWORK",
+ "LOCAL",
+ "PHYSICAL"
+ ]
+ },
+ "modifiedAttackVectorType": {
+ "type": "string",
+ "enum": [
+ "NETWORK",
+ "ADJACENT_NETWORK",
+ "LOCAL",
+ "PHYSICAL",
+ "NOT_DEFINED"
+ ]
+ },
+ "attackComplexityType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "LOW"
+ ]
+ },
+ "modifiedAttackComplexityType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "LOW",
+ "NOT_DEFINED"
+ ]
+ },
+ "privilegesRequiredType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "LOW",
+ "NONE"
+ ]
+ },
+ "modifiedPrivilegesRequiredType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "LOW",
+ "NONE",
+ "NOT_DEFINED"
+ ]
+ },
+ "userInteractionType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "REQUIRED"
+ ]
+ },
+ "modifiedUserInteractionType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "REQUIRED",
+ "NOT_DEFINED"
+ ]
+ },
+ "scopeType": {
+ "type": "string",
+ "enum": [
+ "UNCHANGED",
+ "CHANGED"
+ ]
+ },
+ "modifiedScopeType": {
+ "type": "string",
+ "enum": [
+ "UNCHANGED",
+ "CHANGED",
+ "NOT_DEFINED"
+ ]
+ },
+ "ciaType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "HIGH"
+ ]
+ },
+ "modifiedCiaType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "HIGH",
+ "NOT_DEFINED"
+ ]
+ },
+ "exploitCodeMaturityType": {
+ "type": "string",
+ "enum": [
+ "UNPROVEN",
+ "PROOF_OF_CONCEPT",
+ "FUNCTIONAL",
+ "HIGH",
+ "NOT_DEFINED"
+ ]
+ },
+ "remediationLevelType": {
+ "type": "string",
+ "enum": [
+ "OFFICIAL_FIX",
+ "TEMPORARY_FIX",
+ "WORKAROUND",
+ "UNAVAILABLE",
+ "NOT_DEFINED"
+ ]
+ },
+ "confidenceType": {
+ "type": "string",
+ "enum": [
+ "UNKNOWN",
+ "REASONABLE",
+ "CONFIRMED",
+ "NOT_DEFINED"
+ ]
+ },
+ "ciaRequirementType": {
+ "type": "string",
+ "enum": [
+ "LOW",
+ "MEDIUM",
+ "HIGH",
+ "NOT_DEFINED"
+ ]
+ },
+ "scoreType": {
+ "type": "number",
+ "enum": [
+ 0,
+ 0.1,
+ 0.2,
+ 0.3,
+ 0.4,
+ 0.5,
+ 0.6,
+ 0.7,
+ 0.8,
+ 0.9,
+ 1,
+ 1.1,
+ 1.2,
+ 1.3,
+ 1.4,
+ 1.5,
+ 1.6,
+ 1.7,
+ 1.8,
+ 1.9,
+ 2,
+ 2.1,
+ 2.2,
+ 2.3,
+ 2.4,
+ 2.5,
+ 2.6,
+ 2.7,
+ 2.8,
+ 2.9,
+ 3,
+ 3.1,
+ 3.2,
+ 3.3,
+ 3.4,
+ 3.5,
+ 3.6,
+ 3.7,
+ 3.8,
+ 3.9,
+ 4,
+ 4.1,
+ 4.2,
+ 4.3,
+ 4.4,
+ 4.5,
+ 4.6,
+ 4.7,
+ 4.8,
+ 4.9,
+ 5,
+ 5.1,
+ 5.2,
+ 5.3,
+ 5.4,
+ 5.5,
+ 5.6,
+ 5.7,
+ 5.8,
+ 5.9,
+ 6,
+ 6.1,
+ 6.2,
+ 6.3,
+ 6.4,
+ 6.5,
+ 6.6,
+ 6.7,
+ 6.8,
+ 6.9,
+ 7,
+ 7.1,
+ 7.2,
+ 7.3,
+ 7.4,
+ 7.5,
+ 7.6,
+ 7.7,
+ 7.8,
+ 7.9,
+ 8,
+ 8.1,
+ 8.2,
+ 8.3,
+ 8.4,
+ 8.5,
+ 8.6,
+ 8.7,
+ 8.8,
+ 8.9,
+ 9,
+ 9.1,
+ 9.2,
+ 9.3,
+ 9.4,
+ 9.5,
+ 9.6,
+ 9.7,
+ 9.8,
+ 9.9,
+ 10
+ ]
+ },
+ "noneScoreType": {
+ "type": "number",
+ "minimum": 0,
+ "maximum": 0
+ },
+ "lowScoreType": {
+ "type": "number",
+ "enum": [
+ 0.1,
+ 0.2,
+ 0.3,
+ 0.4,
+ 0.5,
+ 0.6,
+ 0.7,
+ 0.8,
+ 0.9,
+ 1,
+ 1.1,
+ 1.2,
+ 1.3,
+ 1.4,
+ 1.5,
+ 1.6,
+ 1.7,
+ 1.8,
+ 1.9,
+ 2,
+ 2.1,
+ 2.2,
+ 2.3,
+ 2.4,
+ 2.5,
+ 2.6,
+ 2.7,
+ 2.8,
+ 2.9,
+ 3,
+ 3.1,
+ 3.2,
+ 3.3,
+ 3.4,
+ 3.5,
+ 3.6,
+ 3.7,
+ 3.8,
+ 3.9
+ ]
+ },
+ "mediumScoreType": {
+ "type": "number",
+ "enum": [
+ 4,
+ 4.1,
+ 4.2,
+ 4.3,
+ 4.4,
+ 4.5,
+ 4.6,
+ 4.7,
+ 4.8,
+ 4.9,
+ 5,
+ 5.1,
+ 5.2,
+ 5.3,
+ 5.4,
+ 5.5,
+ 5.6,
+ 5.7,
+ 5.8,
+ 5.9,
+ 6,
+ 6.1,
+ 6.2,
+ 6.3,
+ 6.4,
+ 6.5,
+ 6.6,
+ 6.7,
+ 6.8,
+ 6.9
+ ]
+ },
+ "highScoreType": {
+ "type": "number",
+ "enum": [
+ 7,
+ 7.1,
+ 7.2,
+ 7.3,
+ 7.4,
+ 7.5,
+ 7.6,
+ 7.7,
+ 7.8,
+ 7.9,
+ 8,
+ 8.1,
+ 8.2,
+ 8.3,
+ 8.4,
+ 8.5,
+ 8.6,
+ 8.7,
+ 8.8,
+ 8.9
+ ]
+ },
+ "criticalScoreType": {
+ "type": "number",
+ "enum": [
+ 9,
+ 9.1,
+ 9.2,
+ 9.3,
+ 9.4,
+ 9.5,
+ 9.6,
+ 9.7,
+ 9.8,
+ 9.9,
+ 10
+ ]
+ },
+ "severityType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "MEDIUM",
+ "HIGH",
+ "CRITICAL"
+ ]
+ },
+ "noneSeverityType": {
+ "const": "NONE"
+ },
+ "lowSeverityType": {
+ "const": "LOW"
+ },
+ "mediumSeverityType": {
+ "const": "MEDIUM"
+ },
+ "highSeverityType": {
+ "const": "HIGH"
+ },
+ "criticalSeverityType": {
+ "const": "CRITICAL"
+ }
+ },
+ "properties": {
+ "version": {
+ "description": "CVSS Version",
+ "type": "string",
+ "enum": [
+ "3.0"
+ ]
+ },
+ "vectorString": {
+ "type": "string",
+ "pattern": "^CVSS:3[.]0/((AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$"
+ },
+ "attackVector": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/attackVectorType"
+ },
+ "attackComplexity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/attackComplexityType"
+ },
+ "privilegesRequired": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/privilegesRequiredType"
+ },
+ "userInteraction": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/userInteractionType"
+ },
+ "scope": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scopeType"
+ },
+ "confidentialityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType"
+ },
+ "integrityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType"
+ },
+ "availabilityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType"
+ },
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType"
+ },
+ "exploitCodeMaturity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/exploitCodeMaturityType"
+ },
+ "remediationLevel": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/remediationLevelType"
+ },
+ "reportConfidence": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/confidenceType"
+ },
+ "temporalScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType"
+ },
+ "temporalSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType"
+ },
+ "confidentialityRequirement": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType"
+ },
+ "integrityRequirement": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType"
+ },
+ "availabilityRequirement": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType"
+ },
+ "modifiedAttackVector": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedAttackVectorType"
+ },
+ "modifiedAttackComplexity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedAttackComplexityType"
+ },
+ "modifiedPrivilegesRequired": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedPrivilegesRequiredType"
+ },
+ "modifiedUserInteraction": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedUserInteractionType"
+ },
+ "modifiedScope": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedScopeType"
+ },
+ "modifiedConfidentialityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType"
+ },
+ "modifiedIntegrityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType"
+ },
+ "modifiedAvailabilityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType"
+ },
+ "environmentalScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType"
+ },
+ "environmentalSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType"
+ }
+ },
+ "anyOf": [
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/noneScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/noneSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/lowScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/lowSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/mediumScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/mediumSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/highScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/highSeverityType"
+ }
+ }
+ },
+ {
+ "properties": {
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/criticalScoreType"
+ },
+ "baseSeverity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/criticalSeverityType"
+ }
+ }
+ }
+ ],
+ "required": [
+ "version",
+ "vectorString",
+ "baseScore",
+ "baseSeverity"
+ ],
+ "additionalProperties": false
+ },
+ "cvssV2_0": {
+ "$schema": "http://json-schema.org/draft-04/schema#",
+ "title": "JSON Schema for Common Vulnerability Scoring System version 2.0",
+ "type": "object",
+ "definitions": {
+ "accessVectorType": {
+ "type": "string",
+ "enum": [
+ "NETWORK",
+ "ADJACENT_NETWORK",
+ "LOCAL"
+ ]
+ },
+ "accessComplexityType": {
+ "type": "string",
+ "enum": [
+ "HIGH",
+ "MEDIUM",
+ "LOW"
+ ]
+ },
+ "authenticationType": {
+ "type": "string",
+ "enum": [
+ "MULTIPLE",
+ "SINGLE",
+ "NONE"
+ ]
+ },
+ "ciaType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "PARTIAL",
+ "COMPLETE"
+ ]
+ },
+ "exploitabilityType": {
+ "type": "string",
+ "enum": [
+ "UNPROVEN",
+ "PROOF_OF_CONCEPT",
+ "FUNCTIONAL",
+ "HIGH",
+ "NOT_DEFINED"
+ ]
+ },
+ "remediationLevelType": {
+ "type": "string",
+ "enum": [
+ "OFFICIAL_FIX",
+ "TEMPORARY_FIX",
+ "WORKAROUND",
+ "UNAVAILABLE",
+ "NOT_DEFINED"
+ ]
+ },
+ "reportConfidenceType": {
+ "type": "string",
+ "enum": [
+ "UNCONFIRMED",
+ "UNCORROBORATED",
+ "CONFIRMED",
+ "NOT_DEFINED"
+ ]
+ },
+ "collateralDamagePotentialType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "LOW_MEDIUM",
+ "MEDIUM_HIGH",
+ "HIGH",
+ "NOT_DEFINED"
+ ]
+ },
+ "targetDistributionType": {
+ "type": "string",
+ "enum": [
+ "NONE",
+ "LOW",
+ "MEDIUM",
+ "HIGH",
+ "NOT_DEFINED"
+ ]
+ },
+ "ciaRequirementType": {
+ "type": "string",
+ "enum": [
+ "LOW",
+ "MEDIUM",
+ "HIGH",
+ "NOT_DEFINED"
+ ]
+ },
+ "scoreType": {
+ "type": "number",
+ "minimum": 0,
+ "maximum": 10
+ }
+ },
+ "properties": {
+ "version": {
+ "description": "CVSS Version",
+ "type": "string",
+ "enum": [
+ "2.0"
+ ]
+ },
+ "vectorString": {
+ "type": "string",
+ "pattern": "^((AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))/)*(AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))$"
+ },
+ "accessVector": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/accessVectorType"
+ },
+ "accessComplexity": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/accessComplexityType"
+ },
+ "authentication": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/authenticationType"
+ },
+ "confidentialityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType"
+ },
+ "integrityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType"
+ },
+ "availabilityImpact": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType"
+ },
+ "baseScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType"
+ },
+ "exploitability": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/exploitabilityType"
+ },
+ "remediationLevel": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/remediationLevelType"
+ },
+ "reportConfidence": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/reportConfidenceType"
+ },
+ "temporalScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType"
+ },
+ "collateralDamagePotential": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/collateralDamagePotentialType"
+ },
+ "targetDistribution": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/targetDistributionType"
+ },
+ "confidentialityRequirement": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType"
+ },
+ "integrityRequirement": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType"
+ },
+ "availabilityRequirement": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType"
+ },
+ "environmentalScore": {
+ "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType"
+ }
+ },
+ "required": [
+ "version",
+ "vectorString",
+ "baseScore"
+ ],
+ "additionalProperties": false
+ },
+ "other": {
+ "type": "object",
+ "description": "A non-standard impact description, may be prose or JSON block.",
+ "required": [
+ "type",
+ "content"
+ ],
+ "properties": {
+ "type": {
+ "description": "Name of the non-standard impact metrics format used.",
+ "type": "string",
+ "minLength": 1,
+ "maxLength": 128
+ },
+ "content": {
+ "type": "object",
+ "$comment": "additionalProperties are allowed here, since this construct supports arbitrary JSON.",
+ "description": "JSON object not covered by another metrics format.",
+ "minProperties": 1
+ }
+ },
+ "additionalProperties": false
+ }
+ },
+ "additionalProperties": false
+ }
+ },
+ "configurations": {
+ "type": "array",
+ "description": "Configurations required for exploiting this vulnerability.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/definitions/description"
+ }
+ },
+ "workarounds": {
+ "type": "array",
+ "description": "Workarounds and mitigations for this vulnerability.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/definitions/description"
+ }
+ },
+ "solutions": {
+ "type": "array",
+ "description": "Information about solutions or remediations available for this vulnerability.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/definitions/description"
+ }
+ },
+ "exploits": {
+ "type": "array",
+ "description": "Information about exploits of the vulnerability.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/definitions/description"
+ }
+ },
+ "timeline": {
+ "type": "array",
+ "description": "This is timeline information for significant events about this vulnerability or changes to the CVE Record.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "required": [
+ "time",
+ "lang",
+ "value"
+ ],
+ "properties": {
+ "time": {
+ "description": "Timestamp representing when the event in the timeline occurred. The timestamp format is based on RFC3339 and ISO ISO8601, with an optional timezone. yyyy-MM-ddTHH:mm:ss[+-]ZH:ZM - if the timezone offset is not given, GMT (+00:00) is assumed.",
+ "$ref": "#/definitions/timestamp"
+ },
+ "lang": {
+ "description": "The language used in the description of the event. The language field is included so that CVE Records can support translations. The value must be a BCP 47 language code.",
+ "$ref": "#/definitions/language"
+ },
+ "value": {
+ "description": "A summary of the event.",
+ "type": "string",
+ "minLength": 1,
+ "maxLength": 4096
+ }
+ },
+ "additionalProperties": false
+ }
+ },
+ "credits": {
+ "type": "array",
+ "description": "Statements acknowledging specific people, organizations, or tools recognizing the work done in researching, discovering, remediating or helping with activities related to this CVE.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "properties": {
+ "lang": {
+ "description": "The language used when describing the credits. The language field is included so that CVE Records can support translations. The value must be a BCP 47 language code.",
+ "$ref": "#/definitions/language"
+ },
+ "value": {
+ "type": "string",
+ "minLength": 1,
+ "maxLength": 4096
+ },
+ "user": {
+ "description": "UUID of the user being credited if present in the CVE User Registry (optional). This UUID can be used to lookup the user record in the user registry service.",
+ "$ref": "#/definitions/uuidType"
+ },
+ "type": {
+ "type": "string",
+ "description": "Type or role of the entity being credited (optional). finder: identifies the vulnerability.\nreporter: notifies the vendor of the vulnerability to a CNA.\nanalyst: validates the vulnerability to ensure accuracy or severity.\ncoordinator: facilitates the coordinated response process.\nremediation developer: prepares a code change or other remediation plans.\nremediation reviewer: reviews vulnerability remediation plans or code changes for effectiveness and completeness.\nremediation verifier: tests and verifies the vulnerability or its remediation.\ntool: names of tools used in vulnerability discovery or identification.\nsponsor: supports the vulnerability identification or remediation activities.",
+ "default": "finder",
+ "enum": [
+ "finder",
+ "reporter",
+ "analyst",
+ "coordinator",
+ "remediation developer",
+ "remediation reviewer",
+ "remediation verifier",
+ "tool",
+ "sponsor",
+ "other"
+ ]
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ "lang",
+ "value"
+ ]
+ }
+ },
+ "source": {
+ "type": "object",
+ "description": "This is the source information (who discovered it, who researched it, etc.) and optionally a chain of CNA information (e.g. the originating CNA and subsequent parent CNAs who have processed it before it arrives at the MITRE root).\n Must contain: IF this is in the root level it MUST contain a CNA_chain entry, IF this source entry is NOT in the root (e.g. it is part of a vendor statement) then it must contain at least one type of data entry.",
+ "minProperties": 1
+ },
+ "language": {
+ "type": "string",
+ "description": "BCP 47 language code, language-region.",
+ "default": "en",
+ "pattern": "^[A-Za-z]{2,4}([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$"
+ },
+ "englishLanguage": {
+ "type": "string",
+ "description": "BCP 47 language code, language-region, required to be English.",
+ "pattern": "^en([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$"
+ },
+ "taxonomyMappings": {
+ "type": "array",
+ "description": "List of taxonomy items related to the vulnerability.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "description": "A taxonomy mapping object identifies the taxonomy by a name and version (eg., ATT&CK v13.1, CVSS 3.1, CWE 4.12) along with a list of relations relevant to this CVE.",
+ "required": [
+ "taxonomyName",
+ "taxonomyRelations"
+ ],
+ "properties": {
+ "taxonomyName": {
+ "type": "string",
+ "description": "The name of the taxonomy, eg., ATT&CK, D3FEND, CWE, CVSS",
+ "minLength": 1,
+ "maxLength": 128
+ },
+ "taxonomyVersion": {
+ "type": "string",
+ "description": "The version of taxonomy the identifiers come from.",
+ "minLength": 1,
+ "maxLength": 128
+ },
+ "taxonomyRelations": {
+ "type": "array",
+ "description": "List of relationships to the taxonomy for the vulnerability.",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "description": "A relationship between the taxonomy and the CVE or two taxonomy items.",
+ "required": [
+ "taxonomyId",
+ "relationshipName",
+ "relationshipValue"
+ ],
+ "properties": {
+ "taxonomyId": {
+ "type": "string",
+ "description": "Identifier of the item in the taxonomy. Used as the subject of the relationship.",
+ "minLength": 1,
+ "maxLength": 2048
+ },
+ "relationshipName": {
+ "type": "string",
+ "description": "A description of the relationship.",
+ "minLength": 1,
+ "maxLength": 128
+ },
+ "relationshipValue": {
+ "type": "string",
+ "description": "The target of the relationship. Can be the CVE ID or another taxonomy identifier.",
+ "minLength": 1,
+ "maxLength": 2048
+ }
+ },
+ "additionalProperties": false
+ }
+ }
+ },
+ "additionalProperties": false
+ }
+ },
+ "tagExtension": {
+ "type": "string",
+ "minLength": 2,
+ "maxLength": 128,
+ "pattern": "^x_.*$",
+ "$comment": "These values are not used as JSON property names, so there is not a need to work-around property naming limitations in some common implementations."
+ },
+ "cnaTags": {
+ "type": "array",
+ "description": "Tags provided by a CNA describing the CVE Record.",
+ "uniqueItems": true,
+ "minItems": 1,
+ "items": {
+ "oneOf": [
+ {
+ "$ref": "#/definitions/tagExtension"
+ },
+ {
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "$id": "https://cve.mitre.org/cve/v5_00/tags/cna/",
+ "type": "string",
+ "description": "exclusively-hosted-service: All known software and/or hardware affected by this CVE Record is known to exist only in the affected hosted service. If the vulnerability affects both hosted and on-prem software and/or hardware, then the tag should not be used.\n\nunsupported-when-assigned: Used by the assigning CNA to indicate that when a request for a CVE assignment was received, the product was already end-of-life (EOL) or a product or specific version was deemed not to be supported by the vendor. This tag should only be applied to a CVE Record when all affected products or version lines referenced in the CVE-Record are EOL.\n\ndisputed: When one party disagrees with another party's assertion that a particular issue in software is a vulnerability, a CVE Record assigned to that issue may be tagged as being 'disputed'.",
+ "enum": [
+ "unsupported-when-assigned",
+ "exclusively-hosted-service",
+ "disputed"
+ ]
+ }
+ ]
+ }
+ },
+ "adpTags": {
+ "type": "array",
+ "description": "Tags provided by an ADP describing the CVE Record.",
+ "uniqueItems": true,
+ "minItems": 1,
+ "items": {
+ "oneOf": [
+ {
+ "$ref": "#/definitions/tagExtension"
+ },
+ {
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "$id": "https://cve.mitre.org/cve/v5_00/tags/adp/",
+ "type": "string",
+ "description": "disputed: When one party disagrees with another party's assertion that a particular issue in software is a vulnerability, a CVE Record assigned to that issue may be tagged as being 'disputed'.",
+ "enum": [
+ "disputed"
+ ]
+ }
+ ]
+ }
+ }
+ },
+ "properties": {
+ "cnaContainer": {
+ "$ref": "#/definitions/cnaRejectedContainer"
+ }
+ },
+ "additionalProperties": false
+}
\ No newline at end of file
diff --git a/schema/docs/cnaContainer-advanced-example.json b/schema/docs/cnaContainer-advanced-example.json
new file mode 100644
index 00000000000..c255d81b336
--- /dev/null
+++ b/schema/docs/cnaContainer-advanced-example.json
@@ -0,0 +1,302 @@
+{
+ "cnaContainer": {
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-9000-000000000000"
+ },
+ "title": "Buffer overflow in Example Enterprise allows Privilege Escalation.",
+ "datePublic": "2021-09-08T16:24:00.000Z",
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "cweId": "CWE-78",
+ "description": "CWE-78 OS Command Injection",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "impacts": [
+ {
+ "capecId": "CAPEC-233",
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "CAPEC-233 Privilege Escalation"
+ }
+ ]
+ }
+ ],
+ "affected": [
+ {
+ "vendor": "Example.org",
+ "product": "Example Enterprise",
+ "platforms": [
+ "Windows",
+ "MacOS",
+ "XT-4500"
+ ],
+ "collectionURL": "https://example.org/packages",
+ "packageName": "example_enterprise",
+ "repo": "git://example.org/source/example_enterprise",
+ "modules": [
+ "Web-Management-Interface"
+ ],
+ "programFiles": [
+ "example_enterprise/example.php"
+ ],
+ "programRoutines": [
+ {
+ "name": "parseFilename"
+ }
+ ],
+ "versions": [
+ {
+ "version": "1.0.0",
+ "status": "affected",
+ "lessThan": "1.0.6",
+ "versionType": "semver"
+ },
+ {
+ "version": "2.1.0",
+ "status": "unaffected",
+ "lessThan": "2.1.*",
+ "changes": [
+ {
+ "at": "2.1.6",
+ "status": "affected"
+ },
+ {
+ "at": "2.1.9",
+ "status": "unaffected"
+ }
+ ],
+ "versionType": "semver"
+ },
+ {
+ "version": "3.0.0",
+ "status": "unaffected",
+ "lessThan": "*",
+ "versionType": "semver"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, macOS, and XT-4500 allows remote unauthenticated attackers to escalate privileges. This issue affects: 1.0 versions before 1.0.6, 2.1 versions from 2.16 until 2.1.9.",
+ "supportingMedia": [
+ {
+ "type": "text/html",
+ "base64": false,
+ "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, macOS, and XT-4500 allows remote unauthenticated attackers to escalate privileges.
This issue affects:
> service disable webmgmt"
+ }
+ ]
+ }
+ ],
+ "configurations": [
+ {
+ "lang": "en",
+ "value": "Web management interface should be enabled.\n> service status webmgmt\nwebmgmt running",
+ "supportingMedia": [
+ {
+ "type": "text/html",
+ "base64": false,
+ "value": "Web management interface should be enabled.
> service status webmgmt"
+ }
+ ]
+ }
+ ],
+ "exploits": [
+ {
+ "lang": "en",
+ "value": "Example.org is not aware of any malicious exploitation of the issue however exploits targeting this issue are publicly available.",
+ "supportingMedia": [
+ {
+ "type": "text/html",
+ "base64": false,
+ "value": "Example.org is not aware of any malicious exploitation of the issue however exploits targeting this issue are publicly available."
+ }
+ ]
+ }
+ ],
+ "timeline": [
+ {
+ "time": "2001-09-01T07:31:00.000Z",
+ "lang": "en",
+ "value": "Issue discovered by Alice using Acme Autofuzz"
+ },
+ {
+ "time": "2021-09-02T16:36:00.000Z",
+ "lang": "en",
+ "value": "Confirmed by Bob"
+ },
+ {
+ "time": "2021-09-07T16:37:00.000Z",
+ "lang": "en",
+ "value": "Fixes released"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Alice",
+ "type": "finder"
+ },
+ {
+ "lang": "en",
+ "value": "Bob",
+ "type": "analyst"
+ },
+ {
+ "lang": "en",
+ "value": "Acme Autofuzz",
+ "type": "tool"
+ }
+ ],
+ "references": [
+ {
+ "url": "https://example.org/ESA-22-11-CVE-1337-1234",
+ "name": "ESA-22-11",
+ "tags": [
+ "vendor-advisory"
+ ]
+ },
+ {
+ "url": "https://example.com/blog/alice/pwning_example_enterprise",
+ "name": "Pwning Example Enterprise",
+ "tags": [
+ "technical-description",
+ "third-party-advisory"
+ ]
+ },
+ {
+ "url": "https://example.org/bugs/EXAMPLE-1234",
+ "name": "EXAMPLE-1234",
+ "tags": [
+ "issue-tracking"
+ ]
+ },
+ {
+ "url": "https://example.org/ExampleEnterprise",
+ "tags": [
+ "product"
+ ]
+ }
+ ],
+ "source": {
+ "defects": [
+ "EXAMPLE-1234"
+ ],
+ "advisory": "ESA-22-11",
+ "discovery": "EXTERNAL"
+ },
+ "taxonomyMappings": [
+ {
+ "taxonomyName": "ATT&CK",
+ "taxonomyVersion": "v9",
+ "taxonomyRelations": [
+ {
+ "taxonomyId": "T1190",
+ "relationshipName": "mitigated by",
+ "relationshipValue": "M1048"
+ }
+ ]
+ }
+ ]
+ }
+}
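Review bot: The `title` in this example reads "Buffer overflow in Example Enterprise allows Privilege Escalation." while `problemTypes` and `descriptions` in the same record classify the issue as CWE-78 OS Command Injection, so a record built from this template starts with contradictory weakness data; the title would be consistent as `"title": "OS Command Injection in Example Enterprise allows Privilege Escalation."`. The description text also says `2.1 versions from 2.16 until 2.1.9` where the `changes` entries use `2.1.6`, and the first timeline entry is dated `2001-09-01` against 2021 dates on the other entries, which looks like a typo. The same title and description strings appear in full-record-advanced-example.json, and cnaContainer-basic-example.json repeats the `2.16` text and mentions 2.1 versions that its `affected` list does not carry.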
diff --git a/schema/docs/cnaContainer-basic-example.json b/schema/docs/cnaContainer-basic-example.json
new file mode 100644
index 00000000000..0b474d3e5f6
--- /dev/null
+++ b/schema/docs/cnaContainer-basic-example.json
@@ -0,0 +1,43 @@
+{
+ "cnaContainer": {
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-9000-000000000000"
+ },
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE-78 OS Command Injection"
+ }
+ ]
+ }
+ ],
+ "affected": [
+ {
+ "vendor": "Example.org",
+ "product": "Example Enterprise",
+ "versions": [
+ {
+ "version": "1.0.0",
+ "status": "affected",
+ "lessThan": "1.0.6",
+ "versionType": "semver"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9."
+ }
+ ],
+ "references": [
+ {
+ "url": "https://example.org/ESA-22-11-CVE-1337-1234"
+ }
+ ]
+ }
+}
diff --git a/schema/docs/cnaContainer-rejected-example.json b/schema/docs/cnaContainer-rejected-example.json
new file mode 100644
index 00000000000..dce4296a3b3
--- /dev/null
+++ b/schema/docs/cnaContainer-rejected-example.json
@@ -0,0 +1,14 @@
+{
+ "cnaContainer": {
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-9000-000000000000",
+ "shortName": "example"
+ },
+ "rejectedReasons": [
+ {
+ "lang": "en",
+ "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/schema/docs/full-record-advanced-example.json b/schema/docs/full-record-advanced-example.json
new file mode 100644
index 00000000000..da1532278cd
--- /dev/null
+++ b/schema/docs/full-record-advanced-example.json
@@ -0,0 +1,316 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.1",
+ "cveMetadata": {
+ "cveId": "CVE-1337-1234",
+ "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6",
+ "assignerShortName": "example",
+ "requesterUserId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6",
+ "serial": 1,
+ "state": "PUBLISHED"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6",
+ "shortName": "example",
+ "dateUpdated": "2021-09-08T16:24:00.000Z"
+ },
+ "title": "Buffer overflow in Example Enterprise allows Privilege Escalation.",
+ "datePublic": "2021-09-08T16:24:00.000Z",
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "cweId": "CWE-78",
+ "description": "CWE-78 OS Command Injection",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "impacts": [
+ {
+ "capecId": "CAPEC-233",
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "CAPEC-233 Privilege Escalation"
+ }
+ ]
+ }
+ ],
+ "affected": [
+ {
+ "vendor": "Example.org",
+ "product": "Example Enterprise",
+ "platforms": [
+ "Windows",
+ "MacOS",
+ "XT-4500"
+ ],
+ "collectionURL": "https://example.org/packages",
+ "packageName": "example_enterprise",
+ "repo": "git://example.org/source/example_enterprise",
+ "modules": [
+ "Web-Management-Interface"
+ ],
+ "programFiles": [
+ "example_enterprise/example.php"
+ ],
+ "programRoutines": [
+ {
+ "name": "parseFilename"
+ }
+ ],
+ "versions": [
+ {
+ "version": "1.0.0",
+ "status": "affected",
+ "lessThan": "1.0.6",
+ "versionType": "semver"
+ },
+ {
+ "version": "2.1.0",
+ "status": "unaffected",
+ "lessThan": "2.1.*",
+ "changes": [
+ {
+ "at": "2.1.6",
+ "status": "affected"
+ },
+ {
+ "at": "2.1.9",
+ "status": "unaffected"
+ }
+ ],
+ "versionType": "semver"
+ },
+ {
+ "version": "3.0.0",
+ "status": "unaffected",
+ "lessThan": "*",
+ "versionType": "semver"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "OS Command Injection vulnerability parseFilename function of
example.php in the Web Management Interface of Example.org Example Enterprise on Windows, macOS, and XT-4500 allows remote unauthenticated attackers to escalate privileges. This issue affects: 1.0 versions before 1.0.6, 2.1 versions from 2.16 until 2.1.9.", + "supportingMedia": [ + { + "type": "text/html", + "base64": false, + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, macOS, and XT-4500 allows remote unauthenticated attackers to escalate privileges.
webmgmt running
> service disable webmgmt" + } + ] + } + ], + "configurations": [ + { + "lang": "en", + "value": "Web management interface should be enabled.\n> service status webmgmt\nwebmgmt running", + "supportingMedia": [ + { + "type": "text/html", + "base64": false, + "value": "Web management interface should be enabled.
> service status webmgmt" + } + ] + } + ], + "exploits": [ + { + "lang": "en", + "value": "Example.org is not aware of any malicious exploitation of the issue however exploits targeting this issue are publicly available.", + "supportingMedia": [ + { + "type": "text/html", + "base64": false, + "value": "Example.org is not aware of any malicious exploitation of the issue however exploits targeting this issue are publicly available." + } + ] + } + ], + "timeline": [ + { + "time": "2001-09-01T07:31:00.000Z", + "lang": "en", + "value": "Issue discovered by Alice using Acme Autofuzz" + }, + { + "time": "2021-09-02T16:36:00.000Z", + "lang": "en", + "value": "Confirmed by Bob" + }, + { + "time": "2021-09-07T16:37:00.000Z", + "lang": "en", + "value": "Fixes released" + } + ], + "credits": [ + { + "lang": "en", + "value": "Alice", + "type": "finder" + }, + { + "lang": "en", + "value": "Bob", + "type": "analyst" + }, + { + "lang": "en", + "value": "Acme Autofuzz", + "type": "tool" + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1337-1234", + "name": "ESA-22-11", + "tags": [ + "vendor-advisory" + ] + }, + { + "url": "https://example.com/blog/alice/pwning_example_enterprise", + "name": "Pwning Example Enterprise", + "tags": [ + "technical-description", + "third-party-advisory" + ] + }, + { + "url": "https://example.org/bugs/EXAMPLE-1234", + "name": "EXAMPLE-1234", + "tags": [ + "issue-tracking" + ] + }, + { + "url": "https://example.org/ExampleEnterprise", + "tags": [ + "product" + ] + } + ], + "source": { + "defects": [ + "EXAMPLE-1234" + ], + "advisory": "ESA-22-11", + "discovery": "EXTERNAL" + }, + "taxonomyMappings": [ + { + "taxonomyName": "ATT&CK", + "taxonomyVersion": "v9", + "taxonomyRelations": [ + { + "taxonomyId": "T1190", + "relationshipName": "mitigated by", + "relationshipValue": "M1048" + } + ] + } + ] + } + } +} 
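Review bot: The `title` in full-record-advanced-example.json reads `Buffer overflow in Example Enterprise allows Privilege Escalation.`, while `problemTypes` and the description classify the issue as `CWE-78 OS Command Injection`. The example should name one weakness class throughout, e.g. `"title": "OS Command Injection in Example Enterprise allows Privilege Escalation."`, so that records modelled on it do not mislead triage. The first `timeline` entry is dated `2001-09-01T07:31:00.000Z`, twenty years before the `Confirmed by Bob` entry on `2021-09-02`, and is probably meant to be `2021-09-01T07:31:00.000Z`. Because the `supportingMedia` entries carry `text/html` values, the accompanying docs could also state that consumers should sanitise that markup before rendering it.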
diff --git a/schema/docs/full-record-basic-example.json b/schema/docs/full-record-basic-example.json
new file mode 100644
index 00000000000..b1c3f5eaac0
--- /dev/null
+++ b/schema/docs/full-record-basic-example.json
@@ -0,0 +1,52 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.1",
+ "cveMetadata": {
+ "cveId": "CVE-1337-1234",
+ "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6",
+ "state": "PUBLISHED"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6"
+ },
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE-78 OS Command Injection"
+ }
+ ]
+ }
+ ],
+ "affected": [
+ {
+ "vendor": "Example.org",
+ "product": "Example Enterprise",
+ "versions": [
+ {
+ "version": "1.0.0",
+ "status": "affected",
+ "lessThan": "1.0.6",
+ "versionType": "semver"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9."
+ }
+ ],
+ "references": [
+ {
+ "url": "https://example.org/ESA-22-11-CVE-1337-1234"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/schema/docs/index.html b/schema/docs/index.html
new file mode 100644
index 00000000000..d47da866163
--- /dev/null
+++ b/schema/docs/index.html
@@ -0,0 +1,103 @@ +
webmgmt running
cve-schema specifies the CVE JSON record format. This is the blueprint for a rich set of JSON data that can be submitted by CVE Numbering Authorities (CNAs) and Authorized Data Publishers (ADPs) to describe a CVE Record. Some examples of CVE Record data include CVE ID number, affected product(s), affected version(s), and public references. While those specific items are required when assigning a CVE, there are many other optional data in the schema that can be used to enrich CVE Records for community benefit. Learn more about the CVE program at the official website. This CVE JSON record format is defined using JSON Schema. Learn more about JSON Schema here.
When a CNA populates the data associated with a CVE ID as a CVE Record, the state of the CVE Record is Published.
No Additional PropertiesIndicates the type of information represented in the JSON instance.
The version of the CVE schema used for validating this record. Used to support multiple versions of this format.
Must match regular expression:^5\.(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))?$
This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, the current state (PUBLISHED, REJECTED, etc.) and so on. These fields are controlled by the CVE Services.
No Additional PropertiesThe CVE identifier that this record pertains to.
Must match regular expression:^CVE-[0-9]{4}-[0-9]{4,19}$
The UUID for the organization to which the CVE ID was originally assigned. This UUID can be used to lookup the organization record in the user registry service.
Must match regular expression:^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
The short name for the organization to which the CVE ID was originally assigned.
Must be at least 2
characters long
Must be at most 32
characters long
The date/time the record was last updated.
Must match regular expression:^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})?$
The system of record causes this to start at 1, and increment by 1 each time a submission from a data provider changes this CVE Record. The incremented value moves to the Rejected schema upon a PUBLISHED->REJECTED transition, and moves to the Published schema upon a REJECTED->PUBLISHED transition.
Value must be greater or equal to 1
The date/time this CVE ID was reserved in the CVE automation workgroup services system. Disclaimer: This date reflects when the CVE ID was reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Same definition as dateUpdatedThe date/time the CVE Record was first published in the CVE List.
Same definition as dateUpdatedState of CVE - PUBLISHED, REJECTED.
A set of structures (called containers) used to store vulnerability information related to a specific CVE ID provided by a specific organization participating in the CVE program. Each container includes information provided by a different source.
At a minimum, a 'cna' container containing the vulnerability information provided by the CNA who initially assigned the CVE ID must be included.
There can only be one 'cna' container, as there can only be one assigning CNA. However, there can be multiple 'adp' containers, allowing multiple organizations participating in the CVE program to add additional information related to the vulnerability. For the most part, the 'cna' and 'adp' containers contain the same properties. The main differences are the source of the information. The 'cna' container requires the CNA to include certain fields, while the 'adp' container does not.
An object containing the vulnerability information provided by a CVE Numbering Authority (CNA) for a published CVE ID. There can only be one CNA container per CVE record since there can only be one assigning CNA. The CNA container must include the required information defined in the CVE Rules, which includes a product, version, problem type, prose description, and a reference.
No Additional PropertiesDetails related to the information container provider (CNA or ADP).
No Additional PropertiesThe container provider's organizational short name.
Same definition as assignerShortNameTimestamp to be set by the system of record at time of submission. If dateUpdated is provided to the system of record it will be replaced by the current timestamp at the time of submission.
Same definition as dateUpdatedThe date/time this CVE ID was associated with a vulnerability by a CNA.
Same definition as dateUpdatedIf known, the date/time the vulnerability was disclosed publicly.
Same definition as dateUpdatedA title, headline, or a brief phrase summarizing the CVE record. Eg., Buffer overflow in Example Soft.
Must be at least 1
characters long
Must be at most 256
characters long
A list of multi-lingual descriptions of the vulnerability. E.g., [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]. OR [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] [ROOT CAUSE], which allows [ATTACKER] to [IMPACT] via [VECTOR].
Must contain a minimum of 1
items
All items must be unique
Text in a particular language with optional alternate markup or formatted representation (e.g., Markdown) or embedded media.
No Additional PropertiesBCP 47 language code, language-region.
Must match regular expression:^[A-Za-z]{2,4}([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$
Plain text description.
Must be at least 1
characters long
Must be at most 4096
characters long
Supporting media data for the description such as markdown, diagrams, .. (optional). Similar to RFC 2397 each media object has three main parts: media type, media data value, and an optional boolean flag to indicate if the media data is base64 encoded.
Must contain a minimum of 1
items
All items must be unique
RFC2046 compliant IANA Media type for eg., text/markdown, text/html.
Must be at least 1
characters long
Must be at most 256
characters long
"text/markdown"
+
"text/html"
+
"image/png"
+
"image/svg"
+
"audio/mp3"
+
If true then the value field contains the media data encoded in base64. If false then the value field contains the UTF-8 media content.
Supporting media content, up to 16K. If base64 is true, this field stores base64 encoded data.
Must be at least 1
characters long
Must be at most 16384
characters long
A description with lang set to an English language (en, enUS, enUK, and so on).
BCP 47 language code, language-region, required to be English.
Must match regular expression:^en([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$
List of affected products.
Must contain a minimum of 1
items
Provides information about the set of products and services affected by this vulnerability.
Name of the organization, project, community, individual, or user that created or maintains this product or hosted service. Can be 'N/A' if none of those apply. When collectionURL and packageName are used, this field may optionally represent the user or account within the package collection associated with the package.
Must be at least 1
characters long
Must be at most 512
characters long
Name of the affected product.
Must be at least 1
characters long
Must be at most 2048
characters long
URL identifying a package collection (determines the meaning of packageName).
Must be at least 1
characters long
Must be at most 2048
characters long
"https://access.redhat.com/downloads/content/package-browser"
+
"https://addons.mozilla.org"
+
"https://addons.thunderbird.net"
+
"https://anaconda.org/anaconda/repo"
+
"https://app.vagrantup.com/boxes/search"
+
"https://apps.apple.com"
+
"https://archlinux.org/packages"
+
"https://atmospherejs.meteor.com"
+
"https://atom.io/packages"
+
"https://bitbucket.org"
+
"https://bower.io"
+
"https://brew.sh/"
+
"https://chocolatey.org/packages"
+
"https://chrome.google.com/webstore"
+
"https://clojars.org"
+
"https://cocoapods.org"
+
"https://code.dlang.org"
+
"https://conan.io/center"
+
"https://cpan.org/modules"
+
"https://cran.r-project.org"
+
"https://crates.io"
+
"https://ctan.org/pkg"
+
"https://drupal.org"
+
"https://exchange.adobe.com"
+
"https://forge.puppet.com/modules"
+
"https://github.com"
+
"https://gitlab.com/explore"
+
"https://golang.org/pkg"
+
"https://guix.gnu.org/packages"
+
"https://hackage.haskell.org"
+
"https://helm.sh"
+
"https://hub.docker.com"
+
"https://juliahub.com"
+
"https://lib.haxe.org"
+
"https://luarocks.org"
+
"https://marketplace.visualstudio.com"
+
"https://melpa.org"
+
"https://microsoft.com/en-us/store/apps"
+
"https://nimble.directory"
+
"https://nuget.org/packages"
+
"https://opam.ocaml.org/packages"
+
"https://openwrt.org/packages/index"
+
"https://package.elm-lang.org"
+
"https://packagecontrol.io"
+
"https://packages.debian.org"
+
"https://packages.gentoo.org"
+
"https://packagist.org"
+
"https://pear.php.net/packages.php"
+
"https://pecl.php.net"
+
"https://platformio.org/lib"
+
"https://play.google.com/store"
+
"https://plugins.gradle.org"
+
"https://projects.eclipse.org"
+
"https://pub.dev"
+
"https://pypi.python.org"
+
"https://registry.npmjs.org"
+
"https://registry.terraform.io"
+
"https://repo.hex.pm"
+
"https://repo.maven.apache.org/maven2"
+
"https://rubygems.org"
+
"https://search.nixos.org/packages"
+
"https://sourceforge.net"
+
"https://wordpress.org/plugins"
+
Name or identifier of the affected software package as used in the package collection.
Must be at least 1
characters long
Must be at most 2048
characters long
Affected products defined by CPE. This is an array of CPE values (vulnerable and not), we use an array so that we can make multiple statements about the same version and they are separate (if we used a JSON object we'd essentially be keying on the CPE name and they would have to overlap). Also, this allows things like cveDataVersion or cveDescription to be applied directly to the product entry. This also allows more complex statements such as "Product X between versions 10.2 and 10.8" to be put in a machine-readable format. As well since multiple statements can be used multiple branches of the same product can be defined here.
All items must be unique
Common Platform Enumeration (CPE) Name in either 2.2 or 2.3 format
Must match regular expression:([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9._\-~%]*){0,6})|(cpe:2\.3:[aho*\-](:(((\?*|\*?)([a-zA-Z0-9\-._]|(\\[\\*?!"#$%&'()+,/:;<=>@\[\]\^`{|}~]))+(\?*|\*?))|[*\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[*\-]))(:(((\?*|\*?)([a-zA-Z0-9\-._]|(\\[\\*?!"#$%&'()+,/:;<=>@\[\]\^`{|}~]))+(\?*|\*?))|[*\-])){4})
Must be at least 1
characters long
Must be at most 2048
characters long
A list of the affected components, features, modules, sub-components, sub-products, APIs, commands, utilities, programs, or functionalities (optional).
All items must be unique
Name of the affected component, feature, module, sub-component, sub-product, API, command, utility, program, or functionality (optional).
Must be at least 1
characters long
Must be at most 4096
characters long
A list of the affected source code files (optional).
All items must be unique
Name or path or location of the affected source code file.
Must be at least 1
characters long
Must be at most 1024
characters long
A list of the affected source code functions, methods, subroutines, or procedures (optional).
All items must be unique
An object describing program routine.
No Additional PropertiesName of the affected source code file, function, method, subroutine, or procedure.
Must be at least 1
characters long
Must be at most 4096
characters long
List of specific platforms if the vulnerability is only relevant in the context of these platforms (optional). Platforms may include execution environments, operating systems, virtualization technologies, hardware models, or computing architectures. The lack of this field or an empty array implies that the other fields are applicable to all relevant platforms.
Must contain a minimum of 1
items
All items must be unique
Must be at most 1024
characters long
"iOS"
+
"Android"
+
"Windows"
+
"macOS"
+
"x86"
+
"ARM"
+
"64 bit"
+
"Big Endian"
+
"iPad"
+
"Chromebook"
+
"Docker"
+
"Model T"
+
The URL of the source code repository, for informational purposes and/or to resolve git hash version ranges.
Same definition as collectionURLThe default status for versions that are not otherwise listed in the versions list. If not specified, defaultStatus defaults to 'unknown'. Versions or defaultStatus may be omitted, but not both.
Set of product versions or version ranges related to the vulnerability. The versions satisfy the CNA Rules 8.1.2 requirement. Versions or defaultStatus may be omitted, but not both.
Must contain a minimum of 1
items
All items must be unique
A single version or a range of versions, with vulnerability status.
An entry with only 'version' and 'status' indicates the status of a single version.
Otherwise, an entry describes a range; it must include the 'versionType' property, to define the version numbering semantics in use, and 'limit', to indicate the non-inclusive upper limit of the range. The object describes the status for versions V such that 'version' <= V and V < 'limit', using the <= and < semantics defined for the specific kind of 'versionType'. Status changes within the range can be specified by an optional 'changes' list.
The algorithm to decide the status specified for a version V is:
for entry in product.versions {
+ if entry.lessThan is not present and entry.lessThanOrEqual is not present and v == entry.version {
+ return entry.status
+ }
+ if (entry.lessThan is present and entry.version <= v and v < entry.lessThan) or
+ (entry.lessThanOrEqual is present and entry.version <= v and v <= entry.lessThanOrEqual) { // <= and < defined by entry.versionType
+ status = entry.status
+ for change in entry.changes {
+ if change.at <= v {
+ status = change.status
+ }
+ }
+ return status
+ }
+}
+return product.defaultStatus
+
.
The single version being described, or the version at the start of the range. By convention, typically 0 denotes the earliest possible version.
Must be at least 1
characters long
Must be at most 1024
characters long
The vulnerability status for the version or range of versions. For a range, the status may be refined by the 'changes' list.
Same definition as defaultStatusThe version numbering system used for specifying the range. This defines the exact semantics of the comparison (less-than) operation on versions, which is required to understand the range itself. 'Custom' indicates that the version type is unspecified and should be avoided whenever possible. It is included primarily for use in conversion of older data files.
Must be at least 1
characters long
Must be at most 128
characters long
"custom"
+
"git"
+
"maven"
+
"python"
+
"rpm"
+
"semver"
+
The non-inclusive upper limit of the range. This is the least version NOT in the range. The usual version syntax is expanded to allow a pattern to end in an asterisk (*)
, indicating an arbitrarily large number in the version ordering. For example, {version: 1.0 lessThan: 1.*}
would describe the entire 1.X branch for most range kinds, and {version: 2.0, lessThan: *}
describes all versions starting at 2.0, including 3.0, 5.1, and so on. Only one of lessThan and lessThanOrEqual should be specified.
The inclusive upper limit of the range. This is the greatest version contained in the range. Only one of lessThan and lessThanOrEqual should be specified. For example, {version: 1.0, lessThanOrEqual: 1.3}
covers all versions from 1.0 up to and including 1.3.
A list of status changes that take place during the range. The array should be sorted in increasing order by the 'at' field, according to the versionType, but clients must re-sort the list themselves rather than assume it is sorted.
Must contain a minimum of 1
items
All items must be unique
The start of a single status change during the range.
No Additional PropertiesThe new status in the range starting at the given version.
Same definition as defaultStatusThis is problem type information (e.g. CWE identifier). Must contain: At least one entry, can be text, OWASP, CWE, please note that while only one is required you can use more than one (or indeed all three) as long as they are correct). (CNA requirement: [PROBLEMTYPE]).
Must contain a minimum of 1
items
All items must be unique
Must contain a minimum of 1
items
All items must be unique
Text description of problemType, or title from CWE or OWASP.
Must be at least 1
characters long
Must be at most 4096
characters long
CWE ID of the CWE that best describes this problemType entry.
Must match regular expression:^CWE-[1-9][0-9]*$
Must be at least 5
characters long
Must be at most 9
characters long
Problemtype source, text, OWASP, CWE, etc.,
Must be at least 1
characters long
Must be at most 128
characters long
This is reference data in the form of URLs or file objects (uuencoded and embedded within the JSON file, exact format to be decided, e.g. we may require a compressed format so the objects require unpacking before they are "dangerous").
Same definition as referencesThis is reference data in the form of URLs or file objects (uuencoded and embedded within the JSON file, exact format to be decided, e.g. we may require a compressed format so the objects require unpacking before they are "dangerous").
Must contain a minimum of 1
items
Must contain a maximum of 512
items
All items must be unique
The uniform resource locator (URL), according to RFC 3986, that can be used to retrieve the referenced resource.
Same definition as collectionURLUser created name for the reference, often the title of the page.
Must be at least 1
characters long
Must be at most 512
characters long
Collection of impacts of this vulnerability.
Must contain a minimum of 1
items
All items must be unique
This is impact type information (e.g. a text description.
No Additional PropertiesCAPEC ID that best relates to this impact.
Must match regular expression:^CAPEC-[1-9][0-9]{0,4}$
Must be at least 7
characters long
Must be at most 11
characters long
Prose description of the impact scenario. At a minimum provide the description given by CAPEC.
Same definition as descriptionsCollection of impact scores with attribution.
Must contain a minimum of 1
items
All items must be unique
This is impact type information (e.g. a text description, CVSSv2, CVSSv3, CVSSV4, etc.). Must contain: At least one entry, can be text, CVSSv2, CVSSv3, others may be added.
No Additional PropertiesName of the scoring format. This provides a bit of future proofing. Additional properties are not prohibited, so this will support the inclusion of proprietary formats. It also provides an easy future conversion mechanism when future score formats become part of the schema. example: cvssV44, format = 'cvssV44', other = cvssV4_4 JSON object. In the future, the other properties can be converted to score properties when they become part of the schema.
Must be at least 1
characters long
Must be at most 64
characters long
Description of the scenarios this metrics object applies to. If no specific scenario is given, GENERAL is used as the default and applies when no more specific metric matches.
Must contain a minimum of 1
items
All items must be unique
Description of the scenario this metrics object applies to. If no specific scenario is given, GENERAL is used as the default and applies when no more specific metric matches.
Must be at least 1
characters long
Must be at most 4096
characters long
Value must be greater or equal to 0.0
and lesser or equal to 0.0
"NONE"
Value must be greater or equal to 0.1
and lesser or equal to 3.9
and a multiple of 0.1
"LOW"
Value must be greater or equal to 4.0
and lesser or equal to 6.9
and a multiple of 0.1
"MEDIUM"
Value must be greater or equal to 7.0
and lesser or equal to 8.9
and a multiple of 0.1
"HIGH"
Value must be greater or equal to 9.0
and lesser or equal to 10
and a multiple of 0.1
"CRITICAL"
CVSS Version
^CVSS:4[.]0/AV:[NALP]/AC:[LH]/AT:[NP]/PR:[NLH]/UI:[NPA]/VC:[HLN]/VI:[HLN]/VA:[HLN]/SC:[HLN]/SI:[HLN]/SA:[HLN](/E:[XAPU])?(/CR:[XHML])?(/IR:[XHML])?(/AR:[XHML])?(/MAV:[XNALP])?(/MAC:[XLH])?(/MAT:[XNP])?(/MPR:[XNLH])?(/MUI:[XNPA])?(/MVC:[XNLH])?(/MVI:[XNLH])?(/MVA:[XNLH])?(/MSC:[XNLH])?(/MSI:[XNLHS])?(/MSA:[XNLHS])?(/S:[XNP])?(/AU:[XNY])?(/R:[XAUI])?(/V:[XDC])?(/RE:[XLMH])?(/U:(X|Clear|Green|Amber|Red))?$
Value must be greater or equal to 0.0
and lesser or equal to 10.0
and a multiple of 0.1
CVSS Version
^CVSS:3[.]1/((AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$
Value must be greater or equal to 0
and lesser or equal to 10
CVSS Version
^CVSS:3[.]0/((AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$
Value must be greater or equal to 0
and lesser or equal to 10
CVSS Version
^((AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))/)*(AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))$
Value must be greater or equal to 0
and lesser or equal to 10
A non-standard impact description, may be prose or JSON block.
No Additional PropertiesName of the non-standard impact metrics format used.
Must be at least 1
characters long
Must be at most 128
characters long
JSON object not covered by another metrics format.
Configurations required for exploiting this vulnerability.
Must contain a minimum of 1
items
All items must be unique
Text in a particular language with optional alternate markup or formatted representation (e.g., Markdown) or embedded media.
Same definition as descriptionWorkarounds and mitigations for this vulnerability.
Must contain a minimum of 1
items
All items must be unique
Text in a particular language with optional alternate markup or formatted representation (e.g., Markdown) or embedded media.
Same definition as descriptionInformation about solutions or remediations available for this vulnerability.
Must contain a minimum of 1
items
All items must be unique
Text in a particular language with optional alternate markup or formatted representation (e.g., Markdown) or embedded media.
Same definition as descriptionInformation about exploits of the vulnerability.
Must contain a minimum of 1
items
All items must be unique
Text in a particular language with optional alternate markup or formatted representation (e.g., Markdown) or embedded media.
Same definition as descriptionThis is timeline information for significant events about this vulnerability or changes to the CVE Record.
Must contain a minimum of 1
items
All items must be unique
Timestamp representing when the event in the timeline occurred. The timestamp format is based on RFC3339 and ISO ISO8601, with an optional timezone. yyyy-MM-ddTHH:mm:ss[+-]ZH:ZM - if the timezone offset is not given, GMT (+00:00) is assumed.
Same definition as dateUpdatedThe language used in the description of the event. The language field is included so that CVE Records can support translations. The value must be a BCP 47 language code.
Same definition as langA summary of the event.
Must be at least 1
characters long
Must be at most 4096
characters long
Statements acknowledging specific people, organizations, or tools recognizing the work done in researching, discovering, remediating or helping with activities related to this CVE.
Must contain a minimum of 1
items
All items must be unique
The language used when describing the credits. The language field is included so that CVE Records can support translations. The value must be a BCP 47 language code.
Same definition as langMust be at least 1
characters long
Must be at most 4096
characters long
UUID of the user being credited if present in the CVE User Registry (optional). This UUID can be used to lookup the user record in the user registry service.
Same definition as assignerOrgIdType or role of the entity being credited (optional). finder: identifies the vulnerability.
reporter: notifies the vendor of the vulnerability to a CNA.
analyst: validates the vulnerability to ensure accuracy or severity.
coordinator: facilitates the coordinated response process.
remediation developer: prepares a code change or other remediation plans.
remediation reviewer: reviews vulnerability remediation plans or code changes for effectiveness and completeness.
remediation verifier: tests and verifies the vulnerability or its remediation.
tool: names of tools used in vulnerability discovery or identification.
sponsor: supports the vulnerability identification or remediation activities.
This is the source information (who discovered it, who researched it, etc.) and optionally a chain of CNA information (e.g. the originating CNA and subsequent parent CNAs who have processed it before it arrives at the MITRE root).
Must contain: IF this is in the root level it MUST contain a CNA_chain entry, IF this source entry is NOT in the root (e.g. it is part of a vendor statement) then it must contain at least one type of data entry.
List of taxonomy items related to the vulnerability.
Must contain a minimum of 1
items
All items must be unique
A taxonomy mapping object identifies the taxonomy by a name and version (eg., ATT&CK v13.1, CVSS 3.1, CWE 4.12) along with a list of relations relevant to this CVE.
No Additional PropertiesThe name of the taxonomy, eg., ATT&CK, D3FEND, CWE, CVSS
Must be at least 1
characters long
Must be at most 128
characters long
The version of taxonomy the identifiers come from.
Must be at least 1
characters long
Must be at most 128
characters long
List of relationships to the taxonomy for the vulnerability.
Must contain a minimum of 1
items
All items must be unique
A relationship between the taxonomy and the CVE or two taxonomy items.
No Additional PropertiesIdentifier of the item in the taxonomy. Used as the subject of the relationship.
Must be at least 1
characters long
Must be at most 2048
characters long
A description of the relationship.
Must be at least 1
characters long
Must be at most 128
characters long
The target of the relationship. Can be the CVE ID or another taxonomy identifier.
Must be at least 1
characters long
Must be at most 2048
characters long
All property whose name matches the following regular expression must respect the following conditions
Property name regular expression:^x_[^.]*$
Must contain a minimum of 1
items
All items must be unique
An object containing the vulnerability information provided by an Authorized Data Publisher (ADP). Since multiple ADPs can provide information for a CVE ID, an ADP container must indicate which ADP is the source of the information in the object.
No Additional PropertiesDetails related to the information container provider (CNA or ADP).
Same definition as providerMetadataIf known, the date/time the vulnerability was disclosed publicly.
Same definition as dateUpdatedA title, headline, or a brief phrase summarizing the information in an ADP container.
Must be at least 1
characters long
Must be at most 256
characters long
A list of multi-lingual descriptions of the vulnerability. E.g., [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]. OR [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] [ROOT CAUSE], which allows [ATTACKER] to [IMPACT] via [VECTOR].
Same definition as descriptionsThis is problem type information (e.g. CWE identifier). Must contain: At least one entry, can be text, OWASP, CWE, please note that while only one is required you can use more than one (or indeed all three) as long as they are correct). (CNA requirement: [PROBLEMTYPE]).
Same definition as problemTypesThis is reference data in the form of URLs or file objects (uuencoded and embedded within the JSON file, exact format to be decided, e.g. we may require a compressed format so the objects require unpacking before they are "dangerous").
Same definition as referencesConfigurations required for exploiting this vulnerability.
Same definition as configurationsInformation about solutions or remediations available for this vulnerability.
Same definition as solutionsThis is timeline information for significant events about this vulnerability or changes to the CVE Record.
Same definition as timelineStatements acknowledging specific people, organizations, or tools recognizing the work done in researching, discovering, remediating or helping with activities related to this CVE.
Same definition as creditsThis is the source information (who discovered it, who researched it, etc.) and optionally a chain of CNA information (e.g. the originating CNA and subsequent parent CNAs who have processed it before it arrives at the MITRE root).
Must contain: IF this is in the root level it MUST contain a CNA_chain entry, IF this source entry is NOT in the root (e.g. it is part of a vendor statement) then it must contain at least one type of data entry.
List of taxonomy items related to the vulnerability.
Same definition as taxonomyMappingsAll property whose name matches the following regular expression must respect the following conditions
Property name regular expression:^x_[^.]*$
If the CVE ID and associated CVE Record should no longer be used, the CVE Record is placed in the Rejected state. A Rejected CVE Record remains on the CVE List so that users can know when it is invalid.
No Additional PropertiesIndicates the type of information represented in the JSON instance.
Same definition as dataTypeThe version of the CVE schema used for validating this record. Used to support multiple versions of this format.
Same definition as dataVersionThis is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, the current state (PUBLISHED, REJECTED, etc.) and so on. These fields are controlled by the CVE Services.
No Additional PropertiesThe UUID for the organization to which the CVE ID was originally assigned.
Same definition as assignerOrgIdThe short name for the organization to which the CVE ID was originally assigned.
Same definition as assignerShortNameThe system of record causes this to start at 1, and increment by 1 each time a submission from a data provider changes this CVE Record. The incremented value moves to the Rejected schema upon a PUBLISHED->REJECTED transition, and moves to the Published schema upon a REJECTED->PUBLISHED transition.
Value must be greater or equal to 1
The date/time the CVE Record was first published in the CVE List.
Same definition as dateUpdatedState of CVE - PUBLISHED, REJECTED.
The date/time this CVE ID was reserved in the CVE automation workgroup services system. Disclaimer: This date reflects when the CVE ID was reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Same definition as dateUpdatedA set of structures (called containers) used to store vulnerability information related to a specific CVE ID provided by a specific organization participating in the CVE program. Each container includes information provided by a different source.
At minimum, a 'cna' container containing the vulnerability information provided by the CNA who initially assigned the CVE ID must be included.
There can only be one 'cna' container, as there can only be one assigning CNA.
An object containing the vulnerability information provided by a CVE Numbering Authority (CNA) for a rejected CVE ID. There can only be one CNA container per CVE record since there can only be one assigning CNA.
No Additional PropertiesDetails related to the information container provider (CNA or ADP).
Same definition as providerMetadataContains an array of CVE IDs that this CVE ID was rejected in favor of because this CVE ID was assigned to the vulnerabilities.
Must contain a minimum of 1
items
All items must be unique
All property whose name matches the following regular expression must respect the following conditions
Property name regular expression:^x_[^.]*$
+ + $ node validate.js file-1.json file-2.json ... + file-1.json is valid. + file-2.json is invalid! + Summary: Validation FAILED for 1 out of 2 files!. + ++ +To validate a list of files in a file or on stdin: +
+ $ cat list.txt | node validate.js -e + + $ find directory1 -name '*.json' | node validate.js -e + directory1/file1.json is valid. + Summary: All files PASSED validation. ++ +To validate a single file via stdin: +``` + $ cat file.json | node validate.js +``` + +##### 4. Use validator in a NodeJS program + +``` +const validateCve = require('./dist/cve5validator.js') + +if (validateCve(cveJsonObject)) { + // cveJsonObject is valid +} else { + // cveJsonObject is invalid. Errors are in validateCve.errors +} + +``` + +##### 5. Generate a HTML report of validation + +``` + $ find directory1 -name '*.json' | node reportValidation.js > output.html +``` + +Example report https://chandanbn.github.io/notes/cve5-validation-errors-Jan26.html + +##### 6. Development: Build the standalone validator library dist/cve5validator.js compiled from bundled CVE JSON schema. + +``` + $ npm install + $ node build.js +``` + +This creates standalone validator module at ./dist/cve5validator.js based on the bundled CVE JSON schema. +When the schema is updated, a new validator module needs to be built using build.js. diff --git a/schema/support/Node_Validator/build.js b/schema/support/Node_Validator/build.js new file mode 100644 index 00000000000..09ab39b0cd4 --- /dev/null +++ b/schema/support/Node_Validator/build.js 
@@ -0,0 +1,28 @@
+const fs = require("fs")
+const path = require("path")
+const Ajv = require('ajv').default;
+const standaloneCode = require("ajv/dist/standalone").default
+const addFormats = require('ajv-formats').default;
+const schema = require("../../docs/CVE_JSON_bundled.json")
+
+function reduceSchema(o) {
+ for(prop in o) {
+ if(typeof(o[prop])=='object') {
+ reduceSchema(o[prop])
+ } else if (prop == "description" && typeof(o[prop])=='string') {
+ delete o[prop]
+ } else if (prop == "title" && typeof(o[prop])=='string') {
+ delete o[prop]
+ }
+ }
+ return o;
+}
+var rSchema = reduceSchema(schema);
+
+const ajv = new Ajv({code: {source: true, optimize: 10}})
+addFormats(ajv);
+const validate = ajv.compile(rSchema)
+let moduleCode = standaloneCode(ajv, validate)
+
+// Now you can write the module code to file
+fs.writeFileSync(path.join(__dirname+'/dist', "cve5validator.js"), moduleCode)
diff --git a/schema/support/Node_Validator/dist/cve5validator.js b/schema/support/Node_Validator/dist/cve5validator.js
new file mode 100644
index 00000000000..6e0db22c3db
--- /dev/null
+++ b/schema/support/Node_Validator/dist/cve5validator.js
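Review bot: In `reduceSchema` the loop `for(prop in o)` never declares `prop`, so it becomes an implicit global shared by every recursive call. It works today only because nothing reads `prop` after the recursive call returns, and it would throw a ReferenceError if this script were ever run in strict mode; declaring it per loop, `for (const prop in o) {`, removes the hazard. Separately, the README added alongside this file says the validator must be rebuilt with build.js whenever the schema changes, yet the generated `dist/cve5validator.js` is committed as a single minified line that cannot be reviewed by eye. A CI step that reruns `node build.js` and fails when the output differs from the committed file would keep the shipped validator from silently drifting from the schema it is meant to enforce. `path.join(__dirname, 'dist', 'cve5validator.js')` would also be the more conventional way to build the output path.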
@@ -0,0 +1 @@ +"use strict";module.exports = validate10;module.exports.default = validate10;const schema11 = {"$schema":"http://json-schema.org/draft-07/schema#","$id":"https://cveproject.github.io/cve-schema/schema/v5.0/docs/CVE_JSON_bundled.json","definitions":{"uriType":{"type":"string","format":"uri","minLength":1,"maxLength":2048},"uuidType":{"type":"string","pattern":"^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"},"reference":{"type":"object","required":["url"],"properties":{"url":{"$ref":"#/definitions/uriType"},"name":{"type":"string","maxLength":512,"minLength":1},"tags":{"type":"array","minItems":1,"uniqueItems":true,"items":{"oneOf":[{"$ref":"#/definitions/tagExtension"},{"$schema":"http://json-schema.org/draft-07/schema#","$id":"https://cve.mitre.org/cve/v5_00/tags/reference/","type":"string","enum":["broken-link","customer-entitlement","exploit","government-resource","issue-tracking","mailing-list","mitigation","not-applicable","patch","permissions-required","media-coverage","product","related","release-notes","signature","technical-description","third-party-advisory","vendor-advisory","vdb-entry"]}]}}},"additionalProperties":false},"cveId":{"type":"string","pattern":"^CVE-[0-9]{4}-[0-9]{4,19}$"},"orgId":{"$ref":"#/definitions/uuidType"},"userId":{"$ref":"#/definitions/uuidType"},"shortName":{"type":"string","minLength":2,"maxLength":32},"datestamp":{"type":"string","format":"date","pattern":"^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))$"},"timestamp":{"type":"string","format":"date-time","pattern":"^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(
0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})?$"},"version":{"type":"string","minLength":1,"maxLength":1024},"status":{"type":"string","enum":["affected","unaffected","unknown"]},"product":{"type":"object","allOf":[{"anyOf":[{"required":["vendor","product"]},{"required":["collectionURL","packageName"]}]},{"anyOf":[{"required":["versions"]},{"required":["defaultStatus"]}]}],"properties":{"vendor":{"type":"string","minLength":1,"maxLength":512},"product":{"type":"string","minLength":1,"maxLength":2048},"collectionURL":{"$ref":"#/definitions/uriType","examples":["https://access.redhat.com/downloads/content/package-browser","https://addons.mozilla.org","https://addons.thunderbird.net","https://anaconda.org/anaconda/repo","https://app.vagrantup.com/boxes/search","https://apps.apple.com","https://archlinux.org/packages","https://atmospherejs.meteor.com","https://atom.io/packages","https://bitbucket.org","https://bower.io","https://brew.sh/","https://chocolatey.org/packages","https://chrome.google.com/webstore","https://clojars.org","https://cocoapods.org","https://code.dlang.org","https://conan.io/center","https://cpan.org/modules","https://cran.r-project.org","https://crates.io","https://ctan.org/pkg","https://drupal.org","https://exchange.adobe.com","https://forge.puppet.com/modules","https://github.com","https://gitlab.com/explore","https://golang.org/pkg","https://guix.gnu.org/packages","https://hackage.haskell.org","https://helm.sh","https://hub.docker.com","https://juliahub.com","https://lib.haxe.org","https://luarocks.org","https://marketplace.visualstudio.com","https://melpa.org","https://microsoft.com/en-us/store/apps","https://nimble.directory","https://nuget.org/packages","https://opam.ocaml.org/packages","https://openwrt.org/packages/index","https://package.elm-lang.org","https://packagecontrol.io","https://packages.debian.org","https://packages.gentoo.org","https://packagist.org","https://pear.php.net
/packages.php","https://pecl.php.net","https://platformio.org/lib","https://play.google.com/store","https://plugins.gradle.org","https://projects.eclipse.org","https://pub.dev","https://pypi.python.org","https://registry.npmjs.org","https://registry.terraform.io","https://repo.hex.pm","https://repo.maven.apache.org/maven2","https://rubygems.org","https://search.nixos.org/packages","https://sourceforge.net","https://wordpress.org/plugins"]},"packageName":{"type":"string","minLength":1,"maxLength":2048},"cpes":{"type":"array","uniqueItems":true,"items":{"type":"string","pattern":"([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9._\\-~%]*){0,6})|(cpe:2\\.3:[aho*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){4})","minLength":1,"maxLength":2048}},"modules":{"type":"array","uniqueItems":true,"items":{"type":"string","minLength":1,"maxLength":4096}},"programFiles":{"type":"array","uniqueItems":true,"items":{"type":"string","minLength":1,"maxLength":1024}},"programRoutines":{"type":"array","uniqueItems":true,"items":{"type":"object","required":["name"],"properties":{"name":{"type":"string","minLength":1,"maxLength":4096}},"additionalProperties":false}},"platforms":{"type":"array","minItems":1,"uniqueItems":true,"items":{"type":"string","examples":["iOS","Android","Windows","macOS","x86","ARM","64 bit","Big Endian","iPad","Chromebook","Docker","Model 
T"],"maxLength":1024}},"repo":{"$ref":"#/definitions/uriType"},"defaultStatus":{"$ref":"#/definitions/status"},"versions":{"type":"array","minItems":1,"uniqueItems":true,"items":{"type":"object","oneOf":[{"required":["version","status"],"maxProperties":2},{"required":["version","status","versionType"],"maxProperties":3},{"required":["version","status","versionType","lessThan"]},{"required":["version","status","versionType","lessThanOrEqual"]}],"properties":{"version":{"$ref":"#/definitions/version"},"status":{"$ref":"#/definitions/status"},"versionType":{"type":"string","minLength":1,"maxLength":128,"examples":["custom","git","maven","python","rpm","semver"]},"lessThan":{"$ref":"#/definitions/version"},"lessThanOrEqual":{"$ref":"#/definitions/version"},"changes":{"type":"array","minItems":1,"uniqueItems":true,"items":{"type":"object","required":["at","status"],"additionalProperties":false,"properties":{"at":{"$ref":"#/definitions/version"},"status":{"$ref":"#/definitions/status"}}}}},"additionalProperties":false}}}},"dataType":{"type":"string","enum":["CVE_RECORD"]},"dataVersion":{"type":"string","pattern":"^5\\.(0|[1-9][0-9]*)(\\.(0|[1-9][0-9]*))?$","default":"5.1.0"},"cveMetadataPublished":{"type":"object","required":["cveId","assignerOrgId","state"],"properties":{"cveId":{"$ref":"#/definitions/cveId"},"assignerOrgId":{"$ref":"#/definitions/orgId"},"assignerShortName":{"$ref":"#/definitions/shortName"},"requesterUserId":{"$ref":"#/definitions/userId"},"dateUpdated":{"$ref":"#/definitions/timestamp"},"serial":{"type":"integer","minimum":1},"dateReserved":{"$ref":"#/definitions/timestamp"},"datePublished":{"$ref":"#/definitions/timestamp"},"state":{"type":"string","enum":["PUBLISHED"]}},"additionalProperties":false},"cveMetadataRejected":{"type":"object","required":["cveId","assignerOrgId","state"],"properties":{"cveId":{"$ref":"#/definitions/cveId"},"assignerOrgId":{"$ref":"#/definitions/orgId"},"assignerShortName":{"$ref":"#/definitions/shortName"},"serial":{"type
":"integer","minimum":1},"dateUpdated":{"$ref":"#/definitions/timestamp"},"datePublished":{"$ref":"#/definitions/timestamp"},"dateRejected":{"$ref":"#/definitions/timestamp"},"state":{"type":"string","enum":["REJECTED"]},"dateReserved":{"$ref":"#/definitions/timestamp"}},"additionalProperties":false},"providerMetadata":{"type":"object","properties":{"orgId":{"$ref":"#/definitions/orgId"},"shortName":{"$ref":"#/definitions/shortName"},"dateUpdated":{"$ref":"#/definitions/timestamp"}},"required":["orgId"],"additionalProperties":false},"cnaPublishedContainer":{"type":"object","properties":{"providerMetadata":{"$ref":"#/definitions/providerMetadata"},"dateAssigned":{"$ref":"#/definitions/timestamp"},"datePublic":{"$ref":"#/definitions/timestamp"},"title":{"type":"string","minLength":1,"maxLength":256},"descriptions":{"$ref":"#/definitions/descriptions"},"affected":{"$ref":"#/definitions/affected"},"problemTypes":{"$ref":"#/definitions/problemTypes"},"references":{"$ref":"#/definitions/references"},"impacts":{"$ref":"#/definitions/impacts"},"metrics":{"$ref":"#/definitions/metrics"},"configurations":{"$ref":"#/definitions/configurations"},"workarounds":{"$ref":"#/definitions/workarounds"},"solutions":{"$ref":"#/definitions/solutions"},"exploits":{"$ref":"#/definitions/exploits"},"timeline":{"$ref":"#/definitions/timeline"},"credits":{"$ref":"#/definitions/credits"},"source":{"$ref":"#/definitions/source"},"tags":{"$ref":"#/definitions/cnaTags"},"taxonomyMappings":{"$ref":"#/definitions/taxonomyMappings"}},"required":["providerMetadata","descriptions","affected","references"],"patternProperties":{"^x_[^.]*$":{}},"$comment":"The character . 
is restricted in names allowed by patternProperties to work-around naming limitations in some common implementations.","additionalProperties":false},"cnaRejectedContainer":{"type":"object","properties":{"providerMetadata":{"$ref":"#/definitions/providerMetadata"},"rejectedReasons":{"$ref":"#/definitions/descriptions"},"replacedBy":{"type":"array","minItems":1,"uniqueItems":true,"items":{"$ref":"#/definitions/cveId"}}},"required":["providerMetadata","rejectedReasons"],"patternProperties":{"^x_[^.]*$":{}},"$comment":"The character . is restricted in names allowed by patternProperties to work-around naming limitations in some common implementations.","additionalProperties":false},"adpContainer":{"type":"object","properties":{"providerMetadata":{"$ref":"#/definitions/providerMetadata"},"datePublic":{"$ref":"#/definitions/timestamp"},"title":{"type":"string","minLength":1,"maxLength":256},"descriptions":{"$ref":"#/definitions/descriptions"},"affected":{"$ref":"#/definitions/affected"},"problemTypes":{"$ref":"#/definitions/problemTypes"},"references":{"$ref":"#/definitions/references"},"impacts":{"$ref":"#/definitions/impacts"},"metrics":{"$ref":"#/definitions/metrics"},"configurations":{"$ref":"#/definitions/configurations"},"workarounds":{"$ref":"#/definitions/workarounds"},"solutions":{"$ref":"#/definitions/solutions"},"exploits":{"$ref":"#/definitions/exploits"},"timeline":{"$ref":"#/definitions/timeline"},"credits":{"$ref":"#/definitions/credits"},"source":{"$ref":"#/definitions/source"},"tags":{"$ref":"#/definitions/adpTags"},"taxonomyMappings":{"$ref":"#/definitions/taxonomyMappings"}},"required":["providerMetadata"],"minProperties":2,"patternProperties":{"^x_[^.]*$":{}},"$comment":"The character . 
is restricted in names allowed by patternProperties to work-around naming limitations in some common implementations.","additionalProperties":false},"affected":{"type":"array","minItems":1,"items":{"$ref":"#/definitions/product"}},"description":{"type":"object","properties":{"lang":{"$ref":"#/definitions/language"},"value":{"type":"string","minLength":1,"maxLength":4096},"supportingMedia":{"type":"array","uniqueItems":true,"minItems":1,"items":{"type":"object","properties":{"type":{"type":"string","minLength":1,"maxLength":256,"examples":["text/markdown","text/html","image/png","image/svg","audio/mp3"]},"base64":{"type":"boolean","default":false},"value":{"type":"string","minLength":1,"maxLength":16384}},"required":["type","value"],"additionalProperties":false}}},"required":["lang","value"],"additionalProperties":false},"englishLanguageDescription":{"type":"object","properties":{"lang":{"$ref":"#/definitions/englishLanguage"}},"required":["lang"],"$comment":"Cannot use additionalProperties: false here, as this prevents the other properties used by 
/definitions/description."},"descriptions":{"type":"array","minItems":1,"uniqueItems":true,"items":{"$ref":"#/definitions/description"},"contains":{"$ref":"#/definitions/englishLanguageDescription"}},"problemTypes":{"type":"array","items":{"type":"object","required":["descriptions"],"properties":{"descriptions":{"type":"array","items":{"type":"object","required":["lang","description"],"properties":{"lang":{"$ref":"#/definitions/language"},"description":{"type":"string","minLength":1,"maxLength":4096},"cweId":{"type":"string","minLength":5,"maxLength":9,"pattern":"^CWE-[1-9][0-9]*$"},"type":{"type":"string","minLength":1,"maxLength":128},"references":{"$ref":"#/definitions/references"}},"additionalProperties":false},"minItems":1,"uniqueItems":true}},"additionalProperties":false},"minItems":1,"uniqueItems":true},"references":{"type":"array","items":{"$ref":"#/definitions/reference"},"minItems":1,"maxItems":512,"uniqueItems":true},"impacts":{"type":"array","minItems":1,"uniqueItems":true,"items":{"type":"object","required":["descriptions"],"properties":{"capecId":{"type":"string","minLength":7,"maxLength":11,"pattern":"^CAPEC-[1-9][0-9]{0,4}$"},"descriptions":{"$ref":"#/definitions/descriptions"}},"additionalProperties":false}},"metrics":{"type":"array","minItems":1,"uniqueItems":true,"items":{"type":"object","anyOf":[{"required":["cvssV4_0"]},{"required":["cvssV3_1"]},{"required":["cvssV3_0"]},{"required":["cvssV2_0"]},{"required":["other"]}],"properties":{"format":{"type":"string","minLength":1,"maxLength":64},"scenarios":{"type":"array","minItems":1,"uniqueItems":true,"items":{"type":"object","properties":{"lang":{"$ref":"#/definitions/language"},"value":{"type":"string","default":"GENERAL","minLength":1,"maxLength":4096}},"required":["lang","value"],"additionalProperties":false}},"cvssV4_0":{"$schema":"http://json-schema.org/draft-07/schema#","type":"object","definitions":{"attackVectorType":{"type":"string","enum":["NETWORK","ADJACENT","LOCAL","PHYSICAL"]},"modifi
edAttackVectorType":{"type":"string","enum":["NETWORK","ADJACENT","LOCAL","PHYSICAL","NOT_DEFINED"],"default":"NOT_DEFINED"},"attackComplexityType":{"type":"string","enum":["HIGH","LOW"]},"modifiedAttackComplexityType":{"type":"string","enum":["HIGH","LOW","NOT_DEFINED"],"default":"NOT_DEFINED"},"attackRequirementsType":{"type":"string","enum":["NONE","PRESENT"]},"modifiedAttackRequirementsType":{"type":"string","enum":["NONE","PRESENT","NOT_DEFINED"],"default":"NOT_DEFINED"},"privilegesRequiredType":{"type":"string","enum":["HIGH","LOW","NONE"]},"modifiedPrivilegesRequiredType":{"type":"string","enum":["HIGH","LOW","NONE","NOT_DEFINED"],"default":"NOT_DEFINED"},"userInteractionType":{"type":"string","enum":["NONE","PASSIVE","ACTIVE"]},"modifiedUserInteractionType":{"type":"string","enum":["NONE","PASSIVE","ACTIVE","NOT_DEFINED"],"default":"NOT_DEFINED"},"vulnCiaType":{"type":"string","enum":["NONE","LOW","HIGH"]},"modifiedVulnCiaType":{"type":"string","enum":["NONE","LOW","HIGH","NOT_DEFINED"],"default":"NOT_DEFINED"},"subCiaType":{"type":"string","enum":["NONE","LOW","HIGH"]},"modifiedSubCType":{"type":"string","enum":["NONE","LOW","HIGH","NOT_DEFINED"],"default":"NOT_DEFINED"},"modifiedSubIaType":{"type":"string","enum":["NONE","LOW","HIGH","SAFETY","NOT_DEFINED"],"default":"NOT_DEFINED"},"exploitMaturityType":{"type":"string","enum":["UNREPORTED","PROOF_OF_CONCEPT","ATTACKED","NOT_DEFINED"],"default":"NOT_DEFINED"},"ciaRequirementType":{"type":"string","enum":["LOW","MEDIUM","HIGH","NOT_DEFINED"],"default":"NOT_DEFINED"},"safetyType":{"type":"string","enum":["NEGLIGIBLE","PRESENT","NOT_DEFINED"],"default":"NOT_DEFINED"},"automatableType":{"type":"string","enum":["NO","YES","NOT_DEFINED"],"default":"NOT_DEFINED"},"recoveryType":{"type":"string","enum":["AUTOMATIC","USER","IRRECOVERABLE","NOT_DEFINED"],"default":"NOT_DEFINED"},"valueDensityType":{"type":"string","enum":["DIFFUSE","CONCENTRATED","NOT_DEFINED"],"default":"NOT_DEFINED"},"vulnerabilityResponseEffortTy
pe":{"type":"string","enum":["LOW","MODERATE","HIGH","NOT_DEFINED"],"default":"NOT_DEFINED"},"providerUrgencyType":{"type":"string","enum":["CLEAR","GREEN","AMBER","RED","NOT_DEFINED"],"default":"NOT_DEFINED"},"scoreType":{"type":"number","minimum":0,"maximum":10,"multipleOf":0.1},"noneScoreType":{"type":"number","minimum":0,"maximum":0},"lowScoreType":{"type":"number","minimum":0.1,"maximum":3.9,"multipleOf":0.1},"mediumScoreType":{"type":"number","minimum":4,"maximum":6.9,"multipleOf":0.1},"highScoreType":{"type":"number","minimum":7,"maximum":8.9,"multipleOf":0.1},"criticalScoreType":{"type":"number","minimum":9,"maximum":10,"multipleOf":0.1},"severityType":{"type":"string","enum":["NONE","LOW","MEDIUM","HIGH","CRITICAL"]},"noneSeverityType":{"const":"NONE"},"lowSeverityType":{"const":"LOW"},"mediumSeverityType":{"const":"MEDIUM"},"highSeverityType":{"const":"HIGH"},"criticalSeverityType":{"const":"CRITICAL"}},"properties":{"version":{"type":"string","enum":["4.0"]},"vectorString":{"type":"string","pattern":"^CVSS:4[.]0/AV:[NALP]/AC:[LH]/AT:[NP]/PR:[NLH]/UI:[NPA]/VC:[HLN]/VI:[HLN]/VA:[HLN]/SC:[HLN]/SI:[HLN]/SA:[HLN](/E:[XAPU])?(/CR:[XHML])?(/IR:[XHML])?(/AR:[XHML])?(/MAV:[XNALP])?(/MAC:[XLH])?(/MAT:[XNP])?(/MPR:[XNLH])?(/MUI:[XNPA])?(/MVC:[XNLH])?(/MVI:[XNLH])?(/MVA:[XNLH])?(/MSC:[XNLH])?(/MSI:[XNLHS])?(/MSA:[XNLHS])?(/S:[XNP])?(/AU:[XNY])?(/R:[XAUI])?(/V:[XDC])?(/RE:[XLMH])?(/U:(X|Clear|Green|Amber|Red))?$"},"baseScore":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/scoreType"},"baseSeverity":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/severityType"},"attackVector":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/attackVectorType"},"attackComplexity":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/attackComplexityType"},"attackRequirements":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/attackRequirementsType"},"privilegesRequired":{"$ref":"#/definitions
/metrics/items/properties/cvssV4_0/definitions/privilegesRequiredType"},"userInteraction":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/userInteractionType"},"vulnConfidentialityImpact":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType"},"vulnIntegrityImpact":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType"},"vulnAvailabilityImpact":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType"},"subConfidentialityImpact":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType"},"subIntegrityImpact":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType"},"subAvailabilityImpact":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType"},"exploitMaturity":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/exploitMaturityType"},"confidentialityRequirement":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType"},"integrityRequirement":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType"},"availabilityRequirement":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType"},"modifiedAttackVector":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackVectorType"},"modifiedAttackComplexity":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackComplexityType"},"modifiedAttackRequirements":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackRequirementsType"},"modifiedPrivilegesRequired":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedPrivilegesRequiredType"},"modifiedUserInteraction":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedUserInteractionType"},"modifiedVulnConfidentialityImpact":{"$ref":"#/definitions/metrics/items/properties/cvs
sV4_0/definitions/modifiedVulnCiaType"},"modifiedVulnIntegrityImpact":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType"},"modifiedVulnAvailabilityImpact":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType"},"modifiedSubConfidentialityImpact":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubCType"},"modifiedSubIntegrityImpact":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubIaType"},"modifiedSubAvailabilityImpact":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubIaType"},"Safety":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/safetyType"},"Automatable":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/automatableType"},"Recovery":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/recoveryType"},"valueDensity":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/valueDensityType"},"vulnerabilityResponseEffort":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnerabilityResponseEffortType"},"providerUrgency":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/providerUrgencyType"}},"allOf":[{"anyOf":[{"properties":{"baseScore":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType"},"baseSeverity":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType"}}},{"properties":{"baseScore":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/lowScoreType"},"baseSeverity":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/lowSeverityType"}}},{"properties":{"baseScore":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumScoreType"},"baseSeverity":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumSeverityType"}}},{"properties":{"baseScore":{"$ref":"#/definition
s/metrics/items/properties/cvssV4_0/definitions/highScoreType"},"baseSeverity":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/highSeverityType"}}},{"properties":{"baseScore":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalScoreType"},"baseSeverity":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalSeverityType"}}}]},{"anyOf":[{"properties":{"threatScore":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType"},"threatSeverity":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType"}}},{"properties":{"threatScore":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/lowScoreType"},"threatSeverity":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/lowSeverityType"}}},{"properties":{"threatScore":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumScoreType"},"threatSeverity":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumSeverityType"}}},{"properties":{"threatScore":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/highScoreType"},"threatSeverity":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/highSeverityType"}}},{"properties":{"threatScore":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalScoreType"},"threatSeverity":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalSeverityType"}}}]},{"anyOf":[{"properties":{"environmentalScore":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType"},"environmentalSeverity":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType"}}},{"properties":{"environmentalScore":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/lowScoreType"},"environmentalSeverity":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/lowSeverityType"}}}
,{"properties":{"environmentalScore":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumScoreType"},"environmentalSeverity":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumSeverityType"}}},{"properties":{"environmentalScore":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/highScoreType"},"environmentalSeverity":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/highSeverityType"}}},{"properties":{"environmentalScore":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalScoreType"},"environmentalSeverity":{"$ref":"#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalSeverityType"}}}]}],"required":["version","vectorString","baseScore","baseSeverity"],"additionalProperties":false},"cvssV3_1":{"$schema":"http://json-schema.org/draft-07/schema#","type":"object","definitions":{"attackVectorType":{"type":"string","enum":["NETWORK","ADJACENT_NETWORK","LOCAL","PHYSICAL"]},"modifiedAttackVectorType":{"type":"string","enum":["NETWORK","ADJACENT_NETWORK","LOCAL","PHYSICAL","NOT_DEFINED"]},"attackComplexityType":{"type":"string","enum":["HIGH","LOW"]},"modifiedAttackComplexityType":{"type":"string","enum":["HIGH","LOW","NOT_DEFINED"]},"privilegesRequiredType":{"type":"string","enum":["HIGH","LOW","NONE"]},"modifiedPrivilegesRequiredType":{"type":"string","enum":["HIGH","LOW","NONE","NOT_DEFINED"]},"userInteractionType":{"type":"string","enum":["NONE","REQUIRED"]},"modifiedUserInteractionType":{"type":"string","enum":["NONE","REQUIRED","NOT_DEFINED"]},"scopeType":{"type":"string","enum":["UNCHANGED","CHANGED"]},"modifiedScopeType":{"type":"string","enum":["UNCHANGED","CHANGED","NOT_DEFINED"]},"ciaType":{"type":"string","enum":["NONE","LOW","HIGH"]},"modifiedCiaType":{"type":"string","enum":["NONE","LOW","HIGH","NOT_DEFINED"]},"exploitCodeMaturityType":{"type":"string","enum":["UNPROVEN","PROOF_OF_CONCEPT","FUNCTIONAL","HIGH","NOT_DEFINED"]},"remediation
LevelType":{"type":"string","enum":["OFFICIAL_FIX","TEMPORARY_FIX","WORKAROUND","UNAVAILABLE","NOT_DEFINED"]},"confidenceType":{"type":"string","enum":["UNKNOWN","REASONABLE","CONFIRMED","NOT_DEFINED"]},"ciaRequirementType":{"type":"string","enum":["LOW","MEDIUM","HIGH","NOT_DEFINED"]},"scoreType":{"type":"number","minimum":0,"maximum":10},"severityType":{"type":"string","enum":["NONE","LOW","MEDIUM","HIGH","CRITICAL"]}},"properties":{"version":{"type":"string","enum":["3.1"]},"vectorString":{"type":"string","pattern":"^CVSS:3[.]1/((AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$"},"attackVector":{"$ref":"#/definitions/metrics/items/properties/cvssV3_1/definitions/attackVectorType"},"attackComplexity":{"$ref":"#/definitions/metrics/items/properties/cvssV3_1/definitions/attackComplexityType"},"privilegesRequired":{"$ref":"#/definitions/metrics/items/properties/cvssV3_1/definitions/privilegesRequiredType"},"userInteraction":{"$ref":"#/definitions/metrics/items/properties/cvssV3_1/definitions/userInteractionType"},"scope":{"$ref":"#/definitions/metrics/items/properties/cvssV3_1/definitions/scopeType"},"confidentialityImpact":{"$ref":"#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType"},"integrityImpact":{"$ref":"#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType"},"availabilityImpact":{"$ref":"#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType"},"baseScore":{"$ref":"#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType"},"baseSeverity":{"$ref":"#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType"},"exploitCodeMaturity":{"$ref":"#/definitions/metrics/items/properties/cvssV3_1/definitions/exploitCodeMa
turityType"},"remediationLevel":{"$ref":"#/definitions/metrics/items/properties/cvssV3_1/definitions/remediationLevelType"},"reportConfidence":{"$ref":"#/definitions/metrics/items/properties/cvssV3_1/definitions/confidenceType"},"temporalScore":{"$ref":"#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType"},"temporalSeverity":{"$ref":"#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType"},"confidentialityRequirement":{"$ref":"#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType"},"integrityRequirement":{"$ref":"#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType"},"availabilityRequirement":{"$ref":"#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType"},"modifiedAttackVector":{"$ref":"#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedAttackVectorType"},"modifiedAttackComplexity":{"$ref":"#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedAttackComplexityType"},"modifiedPrivilegesRequired":{"$ref":"#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedPrivilegesRequiredType"},"modifiedUserInteraction":{"$ref":"#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedUserInteractionType"},"modifiedScope":{"$ref":"#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedScopeType"},"modifiedConfidentialityImpact":{"$ref":"#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType"},"modifiedIntegrityImpact":{"$ref":"#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType"},"modifiedAvailabilityImpact":{"$ref":"#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType"},"environmentalScore":{"$ref":"#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType"},"environmentalSeverity":{"$ref":"#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType"}},"required":["version","vectorString","baseScore","baseSev
erity"],"additionalProperties":false},"cvssV3_0":{"$schema":"http://json-schema.org/draft-04/schema#","type":"object","definitions":{"attackVectorType":{"type":"string","enum":["NETWORK","ADJACENT_NETWORK","LOCAL","PHYSICAL"]},"modifiedAttackVectorType":{"type":"string","enum":["NETWORK","ADJACENT_NETWORK","LOCAL","PHYSICAL","NOT_DEFINED"]},"attackComplexityType":{"type":"string","enum":["HIGH","LOW"]},"modifiedAttackComplexityType":{"type":"string","enum":["HIGH","LOW","NOT_DEFINED"]},"privilegesRequiredType":{"type":"string","enum":["HIGH","LOW","NONE"]},"modifiedPrivilegesRequiredType":{"type":"string","enum":["HIGH","LOW","NONE","NOT_DEFINED"]},"userInteractionType":{"type":"string","enum":["NONE","REQUIRED"]},"modifiedUserInteractionType":{"type":"string","enum":["NONE","REQUIRED","NOT_DEFINED"]},"scopeType":{"type":"string","enum":["UNCHANGED","CHANGED"]},"modifiedScopeType":{"type":"string","enum":["UNCHANGED","CHANGED","NOT_DEFINED"]},"ciaType":{"type":"string","enum":["NONE","LOW","HIGH"]},"modifiedCiaType":{"type":"string","enum":["NONE","LOW","HIGH","NOT_DEFINED"]},"exploitCodeMaturityType":{"type":"string","enum":["UNPROVEN","PROOF_OF_CONCEPT","FUNCTIONAL","HIGH","NOT_DEFINED"]},"remediationLevelType":{"type":"string","enum":["OFFICIAL_FIX","TEMPORARY_FIX","WORKAROUND","UNAVAILABLE","NOT_DEFINED"]},"confidenceType":{"type":"string","enum":["UNKNOWN","REASONABLE","CONFIRMED","NOT_DEFINED"]},"ciaRequirementType":{"type":"string","enum":["LOW","MEDIUM","HIGH","NOT_DEFINED"]},"scoreType":{"type":"number","minimum":0,"maximum":10},"severityType":{"type":"string","enum":["NONE","LOW","MEDIUM","HIGH","CRITICAL"]}},"properties":{"version":{"type":"string","enum":["3.0"]},"vectorString":{"type":"string","pattern":"^CVSS:3[.]0/((AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:
[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$"},"attackVector":{"$ref":"#/definitions/metrics/items/properties/cvssV3_0/definitions/attackVectorType"},"attackComplexity":{"$ref":"#/definitions/metrics/items/properties/cvssV3_0/definitions/attackComplexityType"},"privilegesRequired":{"$ref":"#/definitions/metrics/items/properties/cvssV3_0/definitions/privilegesRequiredType"},"userInteraction":{"$ref":"#/definitions/metrics/items/properties/cvssV3_0/definitions/userInteractionType"},"scope":{"$ref":"#/definitions/metrics/items/properties/cvssV3_0/definitions/scopeType"},"confidentialityImpact":{"$ref":"#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType"},"integrityImpact":{"$ref":"#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType"},"availabilityImpact":{"$ref":"#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType"},"baseScore":{"$ref":"#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType"},"baseSeverity":{"$ref":"#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType"},"exploitCodeMaturity":{"$ref":"#/definitions/metrics/items/properties/cvssV3_0/definitions/exploitCodeMaturityType"},"remediationLevel":{"$ref":"#/definitions/metrics/items/properties/cvssV3_0/definitions/remediationLevelType"},"reportConfidence":{"$ref":"#/definitions/metrics/items/properties/cvssV3_0/definitions/confidenceType"},"temporalScore":{"$ref":"#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType"},"temporalSeverity":{"$ref":"#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType"},"confidentialityRequirement":{"$ref":"#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType"},"integrityRequirement":{"$ref":"#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType"},"availabilityRequirement":{"$ref":"#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType
"},"modifiedAttackVector":{"$ref":"#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedAttackVectorType"},"modifiedAttackComplexity":{"$ref":"#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedAttackComplexityType"},"modifiedPrivilegesRequired":{"$ref":"#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedPrivilegesRequiredType"},"modifiedUserInteraction":{"$ref":"#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedUserInteractionType"},"modifiedScope":{"$ref":"#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedScopeType"},"modifiedConfidentialityImpact":{"$ref":"#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType"},"modifiedIntegrityImpact":{"$ref":"#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType"},"modifiedAvailabilityImpact":{"$ref":"#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType"},"environmentalScore":{"$ref":"#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType"},"environmentalSeverity":{"$ref":"#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType"}},"required":["version","vectorString","baseScore","baseSeverity"],"additionalProperties":false},"cvssV2_0":{"$schema":"http://json-schema.org/draft-04/schema#","type":"object","definitions":{"accessVectorType":{"type":"string","enum":["NETWORK","ADJACENT_NETWORK","LOCAL"]},"accessComplexityType":{"type":"string","enum":["HIGH","MEDIUM","LOW"]},"authenticationType":{"type":"string","enum":["MULTIPLE","SINGLE","NONE"]},"ciaType":{"type":"string","enum":["NONE","PARTIAL","COMPLETE"]},"exploitabilityType":{"type":"string","enum":["UNPROVEN","PROOF_OF_CONCEPT","FUNCTIONAL","HIGH","NOT_DEFINED"]},"remediationLevelType":{"type":"string","enum":["OFFICIAL_FIX","TEMPORARY_FIX","WORKAROUND","UNAVAILABLE","NOT_DEFINED"]},"reportConfidenceType":{"type":"string","enum":["UNCONFIRMED","UNCORROBORATED","CONFIRMED","NOT_DEFINED"]},"coll
ateralDamagePotentialType":{"type":"string","enum":["NONE","LOW","LOW_MEDIUM","MEDIUM_HIGH","HIGH","NOT_DEFINED"]},"targetDistributionType":{"type":"string","enum":["NONE","LOW","MEDIUM","HIGH","NOT_DEFINED"]},"ciaRequirementType":{"type":"string","enum":["LOW","MEDIUM","HIGH","NOT_DEFINED"]},"scoreType":{"type":"number","minimum":0,"maximum":10}},"properties":{"version":{"type":"string","enum":["2.0"]},"vectorString":{"type":"string","pattern":"^((AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))/)*(AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))$"},"accessVector":{"$ref":"#/definitions/metrics/items/properties/cvssV2_0/definitions/accessVectorType"},"accessComplexity":{"$ref":"#/definitions/metrics/items/properties/cvssV2_0/definitions/accessComplexityType"},"authentication":{"$ref":"#/definitions/metrics/items/properties/cvssV2_0/definitions/authenticationType"},"confidentialityImpact":{"$ref":"#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType"},"integrityImpact":{"$ref":"#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType"},"availabilityImpact":{"$ref":"#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType"},"baseScore":{"$ref":"#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType"},"exploitability":{"$ref":"#/definitions/metrics/items/properties/cvssV2_0/definitions/exploitabilityType"},"remediationLevel":{"$ref":"#/definitions/metrics/items/properties/cvssV2_0/definitions/remediationLevelType"},"reportConfidence":{"$ref":"#/definitions/metrics/items/properties/cvssV2_0/definitions/reportConfidenceType"},"temporalScore":{"$ref":"#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType"},"collateralDamagePotential":{"$ref":"#/definitions/metrics/items/properties/cvssV2_0/definitions/collateralDa
magePotentialType"},"targetDistribution":{"$ref":"#/definitions/metrics/items/properties/cvssV2_0/definitions/targetDistributionType"},"confidentialityRequirement":{"$ref":"#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType"},"integrityRequirement":{"$ref":"#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType"},"availabilityRequirement":{"$ref":"#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType"},"environmentalScore":{"$ref":"#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType"}},"required":["version","vectorString","baseScore"],"additionalProperties":false},"other":{"type":"object","required":["type","content"],"properties":{"type":{"type":"string","minLength":1,"maxLength":128},"content":{"type":"object","$comment":"additionalProperties are allowed here, since this construct supports arbitrary JSON.","minProperties":1}},"additionalProperties":false}},"additionalProperties":false}},"configurations":{"type":"array","minItems":1,"uniqueItems":true,"items":{"$ref":"#/definitions/description"}},"workarounds":{"type":"array","minItems":1,"uniqueItems":true,"items":{"$ref":"#/definitions/description"}},"solutions":{"type":"array","minItems":1,"uniqueItems":true,"items":{"$ref":"#/definitions/description"}},"exploits":{"type":"array","minItems":1,"uniqueItems":true,"items":{"$ref":"#/definitions/description"}},"timeline":{"type":"array","minItems":1,"uniqueItems":true,"items":{"type":"object","required":["time","lang","value"],"properties":{"time":{"$ref":"#/definitions/timestamp"},"lang":{"$ref":"#/definitions/language"},"value":{"type":"string","minLength":1,"maxLength":4096}},"additionalProperties":false}},"credits":{"type":"array","minItems":1,"uniqueItems":true,"items":{"type":"object","properties":{"lang":{"$ref":"#/definitions/language"},"value":{"type":"string","minLength":1,"maxLength":4096},"user":{"$ref":"#/definitions/uuidType"},"type":{"type":"string","default
":"finder","enum":["finder","reporter","analyst","coordinator","remediation developer","remediation reviewer","remediation verifier","tool","sponsor","other"]}},"additionalProperties":false,"required":["lang","value"]}},"source":{"type":"object","minProperties":1},"language":{"type":"string","default":"en","pattern":"^[A-Za-z]{2,4}([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$"},"englishLanguage":{"type":"string","pattern":"^en([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$"},"taxonomyMappings":{"type":"array","minItems":1,"uniqueItems":true,"items":{"type":"object","required":["taxonomyName","taxonomyRelations"],"properties":{"taxonomyName":{"type":"string","minLength":1,"maxLength":128},"taxonomyVersion":{"type":"string","minLength":1,"maxLength":128},"taxonomyRelations":{"type":"array","minItems":1,"uniqueItems":true,"items":{"type":"object","required":["taxonomyId","relationshipName","relationshipValue"],"properties":{"taxonomyId":{"type":"string","minLength":1,"maxLength":2048},"relationshipName":{"type":"string","minLength":1,"maxLength":128},"relationshipValue":{"type":"string","minLength":1,"maxLength":2048}},"additionalProperties":false}}},"additionalProperties":false}},"tagExtension":{"type":"string","minLength":2,"maxLength":128,"pattern":"^x_.*$","$comment":"These values are not used as JSON property names, so there is not a need to work-around property naming limitations in some common 
implementations."},"cnaTags":{"type":"array","uniqueItems":true,"minItems":1,"items":{"oneOf":[{"$ref":"#/definitions/tagExtension"},{"$schema":"http://json-schema.org/draft-07/schema#","$id":"https://cve.mitre.org/cve/v5_00/tags/cna/","type":"string","enum":["unsupported-when-assigned","exclusively-hosted-service","disputed"]}]}},"adpTags":{"type":"array","uniqueItems":true,"minItems":1,"items":{"oneOf":[{"$ref":"#/definitions/tagExtension"},{"$schema":"http://json-schema.org/draft-07/schema#","$id":"https://cve.mitre.org/cve/v5_00/tags/adp/","type":"string","enum":["disputed"]}]}}},"oneOf":[{"type":"object","properties":{"dataType":{"$ref":"#/definitions/dataType"},"dataVersion":{"$ref":"#/definitions/dataVersion"},"cveMetadata":{"$ref":"#/definitions/cveMetadataPublished"},"containers":{"type":"object","properties":{"cna":{"$ref":"#/definitions/cnaPublishedContainer"},"adp":{"type":"array","items":{"$ref":"#/definitions/adpContainer"},"minItems":1,"uniqueItems":true}},"required":["cna"],"additionalProperties":false}},"required":["dataType","dataVersion","cveMetadata","containers"],"additionalProperties":false},{"type":"object","properties":{"dataType":{"$ref":"#/definitions/dataType"},"dataVersion":{"$ref":"#/definitions/dataVersion"},"cveMetadata":{"$ref":"#/definitions/cveMetadataRejected"},"containers":{"type":"object","properties":{"cna":{"$ref":"#/definitions/cnaRejectedContainer"}},"required":["cna"],"additionalProperties":false}},"required":["dataType","dataVersion","cveMetadata","containers"],"additionalProperties":false}]};const schema12 = {"type":"string","enum":["CVE_RECORD"]};const schema13 = {"type":"string","pattern":"^5\\.(0|[1-9][0-9]*)(\\.(0|[1-9][0-9]*))?$","default":"5.1.0"};const func0 = require("ajv/dist/runtime/equal").default;const pattern0 = new RegExp("^5\\.(0|[1-9][0-9]*)(\\.(0|[1-9][0-9]*))?$", "u");const schema14 = 
{"type":"object","required":["cveId","assignerOrgId","state"],"properties":{"cveId":{"$ref":"#/definitions/cveId"},"assignerOrgId":{"$ref":"#/definitions/orgId"},"assignerShortName":{"$ref":"#/definitions/shortName"},"requesterUserId":{"$ref":"#/definitions/userId"},"dateUpdated":{"$ref":"#/definitions/timestamp"},"serial":{"type":"integer","minimum":1},"dateReserved":{"$ref":"#/definitions/timestamp"},"datePublished":{"$ref":"#/definitions/timestamp"},"state":{"type":"string","enum":["PUBLISHED"]}},"additionalProperties":false};const schema15 = {"type":"string","pattern":"^CVE-[0-9]{4}-[0-9]{4,19}$"};const schema16 = {"type":"string","pattern":"^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"};const schema17 = {"type":"string","minLength":2,"maxLength":32};const schema19 = {"type":"string","format":"date-time","pattern":"^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})?$"};const func5 = Object.prototype.hasOwnProperty;const func6 = require("ajv/dist/runtime/ucs2length").default;const pattern1 = new RegExp("^CVE-[0-9]{4}-[0-9]{4,19}$", "u");const pattern2 = new RegExp("^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$", "u");const pattern4 = new RegExp("^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})?$", "u");const formats0 = require("ajv-formats/dist/formats").fullFormats["date-time"];function validate11(data, {instancePath="", parentData, 
parentDataProperty, rootData=data}={}){let vErrors = null;let errors = 0;if(errors === 0){if(data && typeof data == "object" && !Array.isArray(data)){let missing0;if((((data.cveId === undefined) && (missing0 = "cveId")) || ((data.assignerOrgId === undefined) && (missing0 = "assignerOrgId"))) || ((data.state === undefined) && (missing0 = "state"))){validate11.errors = [{instancePath,schemaPath:"#/required",keyword:"required",params:{missingProperty: missing0},message:"must have required property '"+missing0+"'"}];return false;}else {const _errs1 = errors;for(const key0 in data){if(!(func5.call(schema14.properties, key0))){validate11.errors = [{instancePath,schemaPath:"#/additionalProperties",keyword:"additionalProperties",params:{additionalProperty: key0},message:"must NOT have additional properties"}];return false;break;}}if(_errs1 === errors){if(data.cveId !== undefined){let data0 = data.cveId;const _errs2 = errors;const _errs3 = errors;if(errors === _errs3){if(typeof data0 === "string"){if(!pattern1.test(data0)){validate11.errors = [{instancePath:instancePath+"/cveId",schemaPath:"#/definitions/cveId/pattern",keyword:"pattern",params:{pattern: "^CVE-[0-9]{4}-[0-9]{4,19}$"},message:"must match pattern \""+"^CVE-[0-9]{4}-[0-9]{4,19}$"+"\""}];return false;}}else {validate11.errors = [{instancePath:instancePath+"/cveId",schemaPath:"#/definitions/cveId/type",keyword:"type",params:{type: "string"},message:"must be string"}];return false;}}var valid0 = _errs2 === errors;}else {var valid0 = true;}if(valid0){if(data.assignerOrgId !== undefined){let data1 = data.assignerOrgId;const _errs5 = errors;const _errs6 = errors;if(errors === _errs6){if(typeof data1 === "string"){if(!pattern2.test(data1)){validate11.errors = [{instancePath:instancePath+"/assignerOrgId",schemaPath:"#/definitions/orgId/pattern",keyword:"pattern",params:{pattern: "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"},message:"must match pattern 
\""+"^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"+"\""}];return false;}}else {validate11.errors = [{instancePath:instancePath+"/assignerOrgId",schemaPath:"#/definitions/orgId/type",keyword:"type",params:{type: "string"},message:"must be string"}];return false;}}var valid0 = _errs5 === errors;}else {var valid0 = true;}if(valid0){if(data.assignerShortName !== undefined){let data2 = data.assignerShortName;const _errs8 = errors;const _errs9 = errors;if(errors === _errs9){if(typeof data2 === "string"){if(func6(data2) > 32){validate11.errors = [{instancePath:instancePath+"/assignerShortName",schemaPath:"#/definitions/shortName/maxLength",keyword:"maxLength",params:{limit: 32},message:"must NOT have more than 32 characters"}];return false;}else {if(func6(data2) < 2){validate11.errors = [{instancePath:instancePath+"/assignerShortName",schemaPath:"#/definitions/shortName/minLength",keyword:"minLength",params:{limit: 2},message:"must NOT have fewer than 2 characters"}];return false;}}}else {validate11.errors = [{instancePath:instancePath+"/assignerShortName",schemaPath:"#/definitions/shortName/type",keyword:"type",params:{type: "string"},message:"must be string"}];return false;}}var valid0 = _errs8 === errors;}else {var valid0 = true;}if(valid0){if(data.requesterUserId !== undefined){let data3 = data.requesterUserId;const _errs11 = errors;const _errs12 = errors;if(errors === _errs12){if(typeof data3 === "string"){if(!pattern2.test(data3)){validate11.errors = [{instancePath:instancePath+"/requesterUserId",schemaPath:"#/definitions/userId/pattern",keyword:"pattern",params:{pattern: "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"},message:"must match pattern \""+"^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"+"\""}];return false;}}else {validate11.errors = 
[{instancePath:instancePath+"/requesterUserId",schemaPath:"#/definitions/userId/type",keyword:"type",params:{type: "string"},message:"must be string"}];return false;}}var valid0 = _errs11 === errors;}else {var valid0 = true;}if(valid0){if(data.dateUpdated !== undefined){let data4 = data.dateUpdated;const _errs14 = errors;const _errs15 = errors;if(errors === _errs15){if(errors === _errs15){if(typeof data4 === "string"){if(!pattern4.test(data4)){validate11.errors = [{instancePath:instancePath+"/dateUpdated",schemaPath:"#/definitions/timestamp/pattern",keyword:"pattern",params:{pattern: "^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})?$"},message:"must match pattern \""+"^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})?$"+"\""}];return false;}else {if(!(formats0.validate(data4))){validate11.errors = [{instancePath:instancePath+"/dateUpdated",schemaPath:"#/definitions/timestamp/format",keyword:"format",params:{format: "date-time"},message:"must match format \""+"date-time"+"\""}];return false;}}}else {validate11.errors = [{instancePath:instancePath+"/dateUpdated",schemaPath:"#/definitions/timestamp/type",keyword:"type",params:{type: "string"},message:"must be string"}];return false;}}}var valid0 = _errs14 === errors;}else {var valid0 = true;}if(valid0){if(data.serial !== undefined){let data5 = data.serial;const _errs17 = errors;if(!(((typeof data5 == "number") && (!(data5 % 1) && !isNaN(data5))) && 
(isFinite(data5)))){validate11.errors = [{instancePath:instancePath+"/serial",schemaPath:"#/properties/serial/type",keyword:"type",params:{type: "integer"},message:"must be integer"}];return false;}if(errors === _errs17){if((typeof data5 == "number") && (isFinite(data5))){if(data5 < 1 || isNaN(data5)){validate11.errors = [{instancePath:instancePath+"/serial",schemaPath:"#/properties/serial/minimum",keyword:"minimum",params:{comparison: ">=", limit: 1},message:"must be >= 1"}];return false;}}}var valid0 = _errs17 === errors;}else {var valid0 = true;}if(valid0){if(data.dateReserved !== undefined){let data6 = data.dateReserved;const _errs19 = errors;const _errs20 = errors;if(errors === _errs20){if(errors === _errs20){if(typeof data6 === "string"){if(!pattern4.test(data6)){validate11.errors = [{instancePath:instancePath+"/dateReserved",schemaPath:"#/definitions/timestamp/pattern",keyword:"pattern",params:{pattern: "^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})?$"},message:"must match pattern \""+"^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})?$"+"\""}];return false;}else {if(!(formats0.validate(data6))){validate11.errors = [{instancePath:instancePath+"/dateReserved",schemaPath:"#/definitions/timestamp/format",keyword:"format",params:{format: "date-time"},message:"must match format \""+"date-time"+"\""}];return false;}}}else {validate11.errors = 
[{instancePath:instancePath+"/dateReserved",schemaPath:"#/definitions/timestamp/type",keyword:"type",params:{type: "string"},message:"must be string"}];return false;}}}var valid0 = _errs19 === errors;}else {var valid0 = true;}if(valid0){if(data.datePublished !== undefined){let data7 = data.datePublished;const _errs22 = errors;const _errs23 = errors;if(errors === _errs23){if(errors === _errs23){if(typeof data7 === "string"){if(!pattern4.test(data7)){validate11.errors = [{instancePath:instancePath+"/datePublished",schemaPath:"#/definitions/timestamp/pattern",keyword:"pattern",params:{pattern: "^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})?$"},message:"must match pattern \""+"^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})?$"+"\""}];return false;}else {if(!(formats0.validate(data7))){validate11.errors = [{instancePath:instancePath+"/datePublished",schemaPath:"#/definitions/timestamp/format",keyword:"format",params:{format: "date-time"},message:"must match format \""+"date-time"+"\""}];return false;}}}else {validate11.errors = [{instancePath:instancePath+"/datePublished",schemaPath:"#/definitions/timestamp/type",keyword:"type",params:{type: "string"},message:"must be string"}];return false;}}}var valid0 = _errs22 === errors;}else {var valid0 = true;}if(valid0){if(data.state !== undefined){let data8 = data.state;const _errs25 = errors;if(typeof data8 !== "string"){validate11.errors = 
[{instancePath:instancePath+"/state",schemaPath:"#/properties/state/type",keyword:"type",params:{type: "string"},message:"must be string"}];return false;}if(!(data8 === "PUBLISHED")){validate11.errors = [{instancePath:instancePath+"/state",schemaPath:"#/properties/state/enum",keyword:"enum",params:{allowedValues: schema14.properties.state.enum},message:"must be equal to one of the allowed values"}];return false;}var valid0 = _errs25 === errors;}else {var valid0 = true;}}}}}}}}}}}}else {validate11.errors = [{instancePath,schemaPath:"#/type",keyword:"type",params:{type: "object"},message:"must be object"}];return false;}}validate11.errors = vErrors;return errors === 0;}const schema22 = {"type":"object","properties":{"providerMetadata":{"$ref":"#/definitions/providerMetadata"},"dateAssigned":{"$ref":"#/definitions/timestamp"},"datePublic":{"$ref":"#/definitions/timestamp"},"title":{"type":"string","minLength":1,"maxLength":256},"descriptions":{"$ref":"#/definitions/descriptions"},"affected":{"$ref":"#/definitions/affected"},"problemTypes":{"$ref":"#/definitions/problemTypes"},"references":{"$ref":"#/definitions/references"},"impacts":{"$ref":"#/definitions/impacts"},"metrics":{"$ref":"#/definitions/metrics"},"configurations":{"$ref":"#/definitions/configurations"},"workarounds":{"$ref":"#/definitions/workarounds"},"solutions":{"$ref":"#/definitions/solutions"},"exploits":{"$ref":"#/definitions/exploits"},"timeline":{"$ref":"#/definitions/timeline"},"credits":{"$ref":"#/definitions/credits"},"source":{"$ref":"#/definitions/source"},"tags":{"$ref":"#/definitions/cnaTags"},"taxonomyMappings":{"$ref":"#/definitions/taxonomyMappings"}},"required":["providerMetadata","descriptions","affected","references"],"patternProperties":{"^x_[^.]*$":{}},"$comment":"The character . 
is restricted in names allowed by patternProperties to work-around naming limitations in some common implementations.","additionalProperties":false};const schema201 = {"type":"object","minProperties":1};const schema204 = {"type":"array","minItems":1,"uniqueItems":true,"items":{"type":"object","required":["taxonomyName","taxonomyRelations"],"properties":{"taxonomyName":{"type":"string","minLength":1,"maxLength":128},"taxonomyVersion":{"type":"string","minLength":1,"maxLength":128},"taxonomyRelations":{"type":"array","minItems":1,"uniqueItems":true,"items":{"type":"object","required":["taxonomyId","relationshipName","relationshipValue"],"properties":{"taxonomyId":{"type":"string","minLength":1,"maxLength":2048},"relationshipName":{"type":"string","minLength":1,"maxLength":128},"relationshipValue":{"type":"string","minLength":1,"maxLength":2048}},"additionalProperties":false}}},"additionalProperties":false}};const pattern7 = new RegExp("^x_[^.]*$", "u");const schema23 = {"type":"object","properties":{"orgId":{"$ref":"#/definitions/orgId"},"shortName":{"$ref":"#/definitions/shortName"},"dateUpdated":{"$ref":"#/definitions/timestamp"}},"required":["orgId"],"additionalProperties":false};function validate14(data, {instancePath="", parentData, parentDataProperty, rootData=data}={}){let vErrors = null;let errors = 0;if(errors === 0){if(data && typeof data == "object" && !Array.isArray(data)){let missing0;if((data.orgId === undefined) && (missing0 = "orgId")){validate14.errors = [{instancePath,schemaPath:"#/required",keyword:"required",params:{missingProperty: missing0},message:"must have required property '"+missing0+"'"}];return false;}else {const _errs1 = errors;for(const key0 in data){if(!(((key0 === "orgId") || (key0 === "shortName")) || (key0 === "dateUpdated"))){validate14.errors = [{instancePath,schemaPath:"#/additionalProperties",keyword:"additionalProperties",params:{additionalProperty: key0},message:"must NOT have additional properties"}];return 
false;break;}}if(_errs1 === errors){if(data.orgId !== undefined){let data0 = data.orgId;const _errs2 = errors;const _errs3 = errors;if(errors === _errs3){if(typeof data0 === "string"){if(!pattern2.test(data0)){validate14.errors = [{instancePath:instancePath+"/orgId",schemaPath:"#/definitions/orgId/pattern",keyword:"pattern",params:{pattern: "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"},message:"must match pattern \""+"^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"+"\""}];return false;}}else {validate14.errors = [{instancePath:instancePath+"/orgId",schemaPath:"#/definitions/orgId/type",keyword:"type",params:{type: "string"},message:"must be string"}];return false;}}var valid0 = _errs2 === errors;}else {var valid0 = true;}if(valid0){if(data.shortName !== undefined){let data1 = data.shortName;const _errs5 = errors;const _errs6 = errors;if(errors === _errs6){if(typeof data1 === "string"){if(func6(data1) > 32){validate14.errors = [{instancePath:instancePath+"/shortName",schemaPath:"#/definitions/shortName/maxLength",keyword:"maxLength",params:{limit: 32},message:"must NOT have more than 32 characters"}];return false;}else {if(func6(data1) < 2){validate14.errors = [{instancePath:instancePath+"/shortName",schemaPath:"#/definitions/shortName/minLength",keyword:"minLength",params:{limit: 2},message:"must NOT have fewer than 2 characters"}];return false;}}}else {validate14.errors = [{instancePath:instancePath+"/shortName",schemaPath:"#/definitions/shortName/type",keyword:"type",params:{type: "string"},message:"must be string"}];return false;}}var valid0 = _errs5 === errors;}else {var valid0 = true;}if(valid0){if(data.dateUpdated !== undefined){let data2 = data.dateUpdated;const _errs8 = errors;const _errs9 = errors;if(errors === _errs9){if(errors === _errs9){if(typeof data2 === "string"){if(!pattern4.test(data2)){validate14.errors = 
[{instancePath:instancePath+"/dateUpdated",schemaPath:"#/definitions/timestamp/pattern",keyword:"pattern",params:{pattern: "^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})?$"},message:"must match pattern \""+"^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})?$"+"\""}];return false;}else {if(!(formats0.validate(data2))){validate14.errors = [{instancePath:instancePath+"/dateUpdated",schemaPath:"#/definitions/timestamp/format",keyword:"format",params:{format: "date-time"},message:"must match format \""+"date-time"+"\""}];return false;}}}else {validate14.errors = [{instancePath:instancePath+"/dateUpdated",schemaPath:"#/definitions/timestamp/type",keyword:"type",params:{type: "string"},message:"must be string"}];return false;}}}var valid0 = _errs8 === errors;}else {var valid0 = true;}}}}}}else {validate14.errors = [{instancePath,schemaPath:"#/type",keyword:"type",params:{type: "object"},message:"must be object"}];return false;}}validate14.errors = vErrors;return errors === 0;}const schema29 = {"type":"array","minItems":1,"uniqueItems":true,"items":{"$ref":"#/definitions/description"},"contains":{"$ref":"#/definitions/englishLanguageDescription"}};const schema30 = 
{"type":"object","properties":{"lang":{"$ref":"#/definitions/language"},"value":{"type":"string","minLength":1,"maxLength":4096},"supportingMedia":{"type":"array","uniqueItems":true,"minItems":1,"items":{"type":"object","properties":{"type":{"type":"string","minLength":1,"maxLength":256,"examples":["text/markdown","text/html","image/png","image/svg","audio/mp3"]},"base64":{"type":"boolean","default":false},"value":{"type":"string","minLength":1,"maxLength":16384}},"required":["type","value"],"additionalProperties":false}}},"required":["lang","value"],"additionalProperties":false};const schema31 = {"type":"string","default":"en","pattern":"^[A-Za-z]{2,4}([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$"};const pattern12 = new RegExp("^[A-Za-z]{2,4}([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$", "u");function validate17(data, {instancePath="", parentData, parentDataProperty, rootData=data}={}){let vErrors = null;let errors = 0;if(errors === 0){if(data && typeof data == "object" && !Array.isArray(data)){let missing0;if(((data.lang === undefined) && (missing0 = "lang")) || ((data.value === undefined) && (missing0 = "value"))){validate17.errors = [{instancePath,schemaPath:"#/required",keyword:"required",params:{missingProperty: missing0},message:"must have required property '"+missing0+"'"}];return false;}else {const _errs1 = errors;for(const key0 in data){if(!(((key0 === "lang") || (key0 === "value")) || (key0 === "supportingMedia"))){validate17.errors = [{instancePath,schemaPath:"#/additionalProperties",keyword:"additionalProperties",params:{additionalProperty: key0},message:"must NOT have additional properties"}];return false;break;}}if(_errs1 === errors){if(data.lang !== undefined){let data0 = data.lang;const _errs2 = errors;const _errs3 = errors;if(errors === _errs3){if(typeof data0 === "string"){if(!pattern12.test(data0)){validate17.errors = [{instancePath:instancePath+"/lang",schemaPath:"#/definitions/language/pattern",keyword:"pattern",params:{pattern: 
"^[A-Za-z]{2,4}([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$"},message:"must match pattern \""+"^[A-Za-z]{2,4}([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$"+"\""}];return false;}}else {validate17.errors = [{instancePath:instancePath+"/lang",schemaPath:"#/definitions/language/type",keyword:"type",params:{type: "string"},message:"must be string"}];return false;}}var valid0 = _errs2 === errors;}else {var valid0 = true;}if(valid0){if(data.value !== undefined){let data1 = data.value;const _errs5 = errors;if(errors === _errs5){if(typeof data1 === "string"){if(func6(data1) > 4096){validate17.errors = [{instancePath:instancePath+"/value",schemaPath:"#/properties/value/maxLength",keyword:"maxLength",params:{limit: 4096},message:"must NOT have more than 4096 characters"}];return false;}else {if(func6(data1) < 1){validate17.errors = [{instancePath:instancePath+"/value",schemaPath:"#/properties/value/minLength",keyword:"minLength",params:{limit: 1},message:"must NOT have fewer than 1 characters"}];return false;}}}else {validate17.errors = [{instancePath:instancePath+"/value",schemaPath:"#/properties/value/type",keyword:"type",params:{type: "string"},message:"must be string"}];return false;}}var valid0 = _errs5 === errors;}else {var valid0 = true;}if(valid0){if(data.supportingMedia !== undefined){let data2 = data.supportingMedia;const _errs7 = errors;if(errors === _errs7){if(Array.isArray(data2)){if(data2.length < 1){validate17.errors = [{instancePath:instancePath+"/supportingMedia",schemaPath:"#/properties/supportingMedia/minItems",keyword:"minItems",params:{limit: 1},message:"must NOT have fewer than 1 items"}];return false;}else {var valid2 = true;const len0 = data2.length;for(let i0=0; i0
')
+ }
+ }
+ });
+}
+
+rl.on('line', validate)
+rl.on('close', report)
\ No newline at end of file
diff --git a/schema/support/Node_Validator/validate.js b/schema/support/Node_Validator/validate.js
new file mode 100644
index 00000000000..52e6f5139f3
--- /dev/null
+++ b/schema/support/Node_Validator/validate.js
@@ -0,0 +1,77 @@
+const fs = require('fs');
+const readline = require('readline');
+const validateCve = require('./dist/cve5validator.js')
+var invalid = 0;
+var total = 0;
+function validateFile(line) {
+ if (line) {
+ try {
+ if (!fs.lstatSync(line).isDirectory()) {
+ var cveFile = fs.readFileSync(line);
+ var cve = JSON.parse(cveFile);
+ total++;
+ var valid = validateCve(cve);
+ if (!valid) {
+ invalid++;
+ console.log(line + ' is invalid:');
+ console.log(validateCve.errors);
+ } else {
+ console.log(line + ' is valid.');
+ }
+ }
+ } catch (e) {
+ console.error(e.message);
+ }
+ }
+}
+
+function report() {
+ if (invalid == 0) {
+ console.log(`Summary: All files PASSED validation.`)
+ } else {
+ console.log(`Summary: Validation FAILED for ${invalid} out of ${total} files!`)
+ }
+}
+var usage = `
+To validate one or more files
+ $ node validate.js [file-1.json] [file-2.json] ...
+
+To validate a list of files in a file or on stdin:
+ $ cat list.txt | node validate.js -e
+ $ find directory -name '*.json' | node validate.js -e
+
+To validate a single file via stdin:
+ $ cat file.json | node validate.js
+
+`
+try {
+ if (process.argv.length >= 3) {
+ if (process.argv[2] && (process.argv[2].startsWith("-?") || process.argv[2].startsWith("-h"))) {
+ console.log(usage)
+ } else if (process.argv[2] && process.argv[2] == '-e') {
+ var rl = readline.createInterface({
+ input: process.stdin,
+ output: process.stdout,
+ terminal: false
+ });
+ rl.on('line', validateFile)
+ rl.on('close', report)
+ } else {
+ for (i = 2; i < process.argv.length; i++) {
+ validateFile(process.argv[i]);
+ }
+ report();
+ }
+ } else {
+ var cve = fs.readFileSync(0, 'utf-8');
+ var valid = validateCve(JSON.parse(cve));
+ if (!valid) {
+ console.log('Input is invalid:');
+ console.log(validateCve.errors);
+ } else
+ console.log('Input is valid.');
+ }
+} catch (e) {
+ console.log(e.message);
+ console.log(usage);
+}
\ No newline at end of file
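Review bot: In `validateFile`, a file that cannot be read or parsed is logged by the `catch` but never counted, because `total++` runs only after `JSON.parse` succeeds and `invalid` is left untouched; `report()` can then print "All files PASSED validation" for a batch that contained malformed JSON. Counting the failure in the `catch` with `invalid++;` and moving `total++;` above the `fs.readFileSync(line)` call keeps the summary accurate. The script also never sets a non-zero exit status, so a CI step or shell pipeline cannot tell a failed run from a clean one; `if (invalid) process.exitCode = 1;` at the end of `report()`, and the same in the stdin branch when `valid` is false, would make the result usable as a gate. Separately, `for (i = 2; ...)` assigns an implicit global and should read `for (let i = 2; ...)`.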
diff --git a/schema/support/Python3.x_Validator/D7Validator.py b/schema/support/Python3.x_Validator/D7Validator.py
new file mode 100644
index 00000000000..d2be1aad7b1
--- /dev/null
+++ b/schema/support/Python3.x_Validator/D7Validator.py
@@ -0,0 +1,31 @@
+from jsonschema import *
+import json
+import sys
+
+jsource = None
+jschema = None
+
+if len(sys.argv) == 3:
+ argv = sys.argv
+ jsource = json.load(open(argv[1])) #'cve502example.json'
+ jschema = json.load(open(argv[2])) #'cve502.schema'
+
+ D7validator = Draft7Validator(jschema)
+ hasErrors = 0
+ for error in sorted(D7validator.iter_errors(jsource), key=str):
+ hasErrors += 1
+ print('Schema object with error: ', error.validator)
+ print('ERROR CONTEXT', error.context)
+ #print(error.message)
+ print('')
+ print('---------------------------------------------')
+ print('')
+
+ if hasErrors > 0:
+ print('Found ', hasErrors, ' error(s)')
+ else:
+ print('Source was valid against schema')
+else:
+ print('Usage: python D7Validator.py [json source file] [json schema file]')
+
+
diff --git a/schema/support/Python3.x_Validator/cvss-v2.0.json b/schema/support/Python3.x_Validator/cvss-v2.0.json
new file mode 100644
index 00000000000..efe9917af6c
--- /dev/null
+++ b/schema/support/Python3.x_Validator/cvss-v2.0.json
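Review bot: D7Validator.py finishes with exit status 0 whether or not `iter_errors` reported anything, so it cannot gate a pipeline or a pre-commit check; add `sys.exit(1)` after the `'Found '` print, and a non-zero exit on the usage branch as well. The per-error output prints `error.validator` and `error.context` while `error.message` is commented out, which leaves the reader without the failing location; `print(error.message, 'at', list(error.absolute_path))` would say what failed and where. `from jsonschema import *` should name what it uses (`from jsonschema import Draft7Validator`), and the two `json.load(open(...))` calls never close their files, which a `with open(...) as f:` block would handle.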
@@ -0,0 +1,104 @@ +{ + "license": [ + "Copyright (c) 2017, FIRST.ORG, INC.", + "All rights reserved.", + "", + "Redistribution and use in source and binary forms, with or without modification, are permitted provided that the ", + "following conditions are met:", + "1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following ", + " disclaimer.", + "2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the ", + " following disclaimer in the documentation and/or other materials provided with the distribution.", + "3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote ", + " products derived from this software without specific prior written permission.", + "", + "THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 'AS IS' AND ANY EXPRESS OR IMPLIED WARRANTIES, ", + "INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ", + "DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ", + "SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ", + "SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, ", + "WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE ", + "OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE." 
+ ], + + "$schema": "http://json-schema.org/draft-04/schema#", + "title": "JSON Schema for Common Vulnerability Scoring System version 2.0", + "id": "https://www.first.org/cvss/cvss-v2.0.json?20170531", + "type": "object", + "definitions": { + "accessVectorType": { + "type": "string", + "enum": [ "NETWORK", "ADJACENT_NETWORK", "LOCAL" ] + }, + "accessComplexityType": { + "type": "string", + "enum": [ "HIGH", "MEDIUM", "LOW" ] + }, + "authenticationType": { + "type": "string", + "enum": [ "MULTIPLE", "SINGLE", "NONE" ] + }, + "ciaType": { + "type": "string", + "enum": [ "NONE", "PARTIAL", "COMPLETE" ] + }, + "exploitabilityType": { + "type": "string", + "enum": [ "UNPROVEN", "PROOF_OF_CONCEPT", "FUNCTIONAL", "HIGH", "NOT_DEFINED" ] + }, + "remediationLevelType": { + "type": "string", + "enum": [ "OFFICIAL_FIX", "TEMPORARY_FIX", "WORKAROUND", "UNAVAILABLE", "NOT_DEFINED" ] + }, + "reportConfidenceType": { + "type": "string", + "enum": [ "UNCONFIRMED", "UNCORROBORATED", "CONFIRMED", "NOT_DEFINED" ] + }, + "collateralDamagePotentialType": { + "type": "string", + "enum": [ "NONE", "LOW", "LOW_MEDIUM", "MEDIUM_HIGH", "HIGH", "NOT_DEFINED" ] + }, + "targetDistributionType": { + "type": "string", + "enum": [ "NONE", "LOW", "MEDIUM", "HIGH", "NOT_DEFINED" ] + }, + "ciaRequirementType": { + "type": "string", + "enum": [ "LOW", "MEDIUM", "HIGH", "NOT_DEFINED" ] + }, + "scoreType": { + "type": "number", + "minimum": 0, + "maximum": 10 + } + }, + "properties": { + "version": { + "description": "CVSS Version", + "type": "string", + "enum": [ "2.0" ] + }, + "vectorString": { + "type": "string", + "pattern": "^((AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))/)*(AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))$" + }, + "accessVector": { "$ref": "#/definitions/accessVectorType" }, + 
"accessComplexity": { "$ref": "#/definitions/accessComplexityType" }, + "authentication": { "$ref": "#/definitions/authenticationType" }, + "confidentialityImpact": { "$ref": "#/definitions/ciaType" }, + "integrityImpact": { "$ref": "#/definitions/ciaType" }, + "availabilityImpact": { "$ref": "#/definitions/ciaType" }, + "baseScore": { "$ref": "#/definitions/scoreType" }, + "exploitability": { "$ref": "#/definitions/exploitabilityType" }, + "remediationLevel": { "$ref": "#/definitions/remediationLevelType" }, + "reportConfidence": { "$ref": "#/definitions/reportConfidenceType" }, + "temporalScore": { "$ref": "#/definitions/scoreType" }, + "collateralDamagePotential": { "$ref": "#/definitions/collateralDamagePotentialType" }, + "targetDistribution": { "$ref": "#/definitions/targetDistributionType" }, + "confidentialityRequirement": { "$ref": "#/definitions/ciaRequirementType" }, + "integrityRequirement": { "$ref": "#/definitions/ciaRequirementType" }, + "availabilityRequirement": { "$ref": "#/definitions/ciaRequirementType" }, + "environmentalScore": { "$ref": "#/definitions/scoreType" } + }, + "required": [ "version", "vectorString", "baseScore" ] +} diff --git a/schema/support/Python3.x_Validator/cvss-v3.0.json b/schema/support/Python3.x_Validator/cvss-v3.0.json new file mode 100644 index 00000000000..ac14ac0012f --- /dev/null +++ b/schema/support/Python3.x_Validator/cvss-v3.0.json 
@@ -0,0 +1,143 @@ +{ + "license": [ + "Copyright (c) 2017, FIRST.ORG, INC.", + "All rights reserved.", + "", + "Redistribution and use in source and binary forms, with or without modification, are permitted provided that the ", + "following conditions are met:", + "1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following ", + " disclaimer.", + "2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the ", + " following disclaimer in the documentation and/or other materials provided with the distribution.", + "3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote ", + " products derived from this software without specific prior written permission.", + "", + "THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 'AS IS' AND ANY EXPRESS OR IMPLIED WARRANTIES, ", + "INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ", + "DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ", + "SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ", + "SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, ", + "WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE ", + "OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE." 
+ ], + + "$schema": "http://json-schema.org/draft-04/schema#", + "title": "JSON Schema for Common Vulnerability Scoring System version 3.0", + "id": "https://www.first.org/cvss/cvss-v3.0.json?20170531", + "type": "object", + "definitions": { + "attackVectorType": { + "type": "string", + "enum": [ "NETWORK", "ADJACENT_NETWORK", "LOCAL", "PHYSICAL" ] + }, + "modifiedAttackVectorType": { + "type": "string", + "enum": [ "NETWORK", "ADJACENT_NETWORK", "LOCAL", "PHYSICAL", "NOT_DEFINED" ] + }, + "attackComplexityType": { + "type": "string", + "enum": [ "HIGH", "LOW" ] + }, + "modifiedAttackComplexityType": { + "type": "string", + "enum": [ "HIGH", "LOW", "NOT_DEFINED" ] + }, + "privilegesRequiredType": { + "type": "string", + "enum": [ "HIGH", "LOW", "NONE" ] + }, + "modifiedPrivilegesRequiredType": { + "type": "string", + "enum": [ "HIGH", "LOW", "NONE", "NOT_DEFINED" ] + }, + "userInteractionType": { + "type": "string", + "enum": [ "NONE", "REQUIRED" ] + }, + "modifiedUserInteractionType": { + "type": "string", + "enum": [ "NONE", "REQUIRED", "NOT_DEFINED" ] + }, + "scopeType": { + "type": "string", + "enum": [ "UNCHANGED", "CHANGED" ] + }, + "modifiedScopeType": { + "type": "string", + "enum": [ "UNCHANGED", "CHANGED", "NOT_DEFINED" ] + }, + "ciaType": { + "type": "string", + "enum": [ "NONE", "LOW", "HIGH" ] + }, + "modifiedCiaType": { + "type": "string", + "enum": [ "NONE", "LOW", "HIGH", "NOT_DEFINED" ] + }, + "exploitCodeMaturityType": { + "type": "string", + "enum": [ "UNPROVEN", "PROOF_OF_CONCEPT", "FUNCTIONAL", "HIGH", "NOT_DEFINED" ] + }, + "remediationLevelType": { + "type": "string", + "enum": [ "OFFICIAL_FIX", "TEMPORARY_FIX", "WORKAROUND", "UNAVAILABLE", "NOT_DEFINED" ] + }, + "confidenceType": { + "type": "string", + "enum": [ "UNKNOWN", "REASONABLE", "CONFIRMED", "NOT_DEFINED" ] + }, + "ciaRequirementType": { + "type": "string", + "enum": [ "LOW", "MEDIUM", "HIGH", "NOT_DEFINED" ] + }, + "scoreType": { + "type": "number", + "minimum": 0, + "maximum": 10 
+ }, + "severityType": { + "type": "string", + "enum": [ "NONE", "LOW", "MEDIUM", "HIGH", "CRITICAL" ] + } + }, + "properties": { + "version": { + "description": "CVSS Version", + "type": "string", + "enum": [ "3.0" ] + }, + "vectorString": { + "type": "string", + "pattern": "^CVSS:3.0/((AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$" + }, + "attackVector": { "$ref": "#/definitions/attackVectorType" }, + "attackComplexity": { "$ref": "#/definitions/attackComplexityType" }, + "privilegesRequired": { "$ref": "#/definitions/privilegesRequiredType" }, + "userInteraction": { "$ref": "#/definitions/userInteractionType" }, + "scope": { "$ref": "#/definitions/scopeType" }, + "confidentialityImpact": { "$ref": "#/definitions/ciaType" }, + "integrityImpact": { "$ref": "#/definitions/ciaType" }, + "availabilityImpact": { "$ref": "#/definitions/ciaType" }, + "baseScore": { "$ref": "#/definitions/scoreType" }, + "baseSeverity": { "$ref": "#/definitions/severityType" }, + "exploitCodeMaturity": { "$ref": "#/definitions/exploitCodeMaturityType" }, + "remediationLevel": { "$ref": "#/definitions/remediationLevelType" }, + "reportConfidence": { "$ref": "#/definitions/confidenceType" }, + "temporalScore": { "$ref": "#/definitions/scoreType" }, + "temporalSeverity": { "$ref": "#/definitions/severityType" }, + "confidentialityRequirement": { "$ref": "#/definitions/ciaRequirementType" }, + "integrityRequirement": { "$ref": "#/definitions/ciaRequirementType" }, + "availabilityRequirement": { "$ref": "#/definitions/ciaRequirementType" }, + "modifiedAttackVector": { "$ref": "#/definitions/modifiedAttackVectorType" }, + "modifiedAttackComplexity": { "$ref": "#/definitions/modifiedAttackComplexityType" 
}, + "modifiedPrivilegesRequired": { "$ref": "#/definitions/modifiedPrivilegesRequiredType" }, + "modifiedUserInteraction": { "$ref": "#/definitions/modifiedUserInteractionType" }, + "modifiedScope": { "$ref": "#/definitions/modifiedScopeType" }, + "modifiedConfidentialityImpact": { "$ref": "#/definitions/modifiedCiaType" }, + "modifiedIntegrityImpact": { "$ref": "#/definitions/modifiedCiaType" }, + "modifiedAvailabilityImpact": { "$ref": "#/definitions/modifiedCiaType" }, + "environmentalScore": { "$ref": "#/definitions/scoreType" }, + "environmentalSeverity": { "$ref": "#/definitions/severityType" } + }, + "required": [ "version", "vectorString", "baseScore", "baseSeverity" ] +} diff --git a/schema/support/Python3.x_Validator/cvss-v3.1.json b/schema/support/Python3.x_Validator/cvss-v3.1.json new file mode 100644 index 00000000000..32410fd4ec7 --- /dev/null +++ b/schema/support/Python3.x_Validator/cvss-v3.1.json 
@@ -0,0 +1,143 @@ +{ + "license": [ + "Copyright (c) 2019, FIRST.ORG, INC.", + "All rights reserved.", + "", + "Redistribution and use in source and binary forms, with or without modification, are permitted provided that the ", + "following conditions are met:", + "1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following ", + " disclaimer.", + "2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the ", + " following disclaimer in the documentation and/or other materials provided with the distribution.", + "3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote ", + " products derived from this software without specific prior written permission.", + "", + "THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 'AS IS' AND ANY EXPRESS OR IMPLIED WARRANTIES, ", + "INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ", + "DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ", + "SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ", + "SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, ", + "WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE ", + "OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE." 
+ ], + + "$schema": "http://json-schema.org/draft-07/schema#", + "title": "JSON Schema for Common Vulnerability Scoring System version 3.1", + "id": "https://www.first.org/cvss/cvss-v3.1.json?20190610", + "type": "object", + "definitions": { + "attackVectorType": { + "type": "string", + "enum": [ "NETWORK", "ADJACENT_NETWORK", "LOCAL", "PHYSICAL" ] + }, + "modifiedAttackVectorType": { + "type": "string", + "enum": [ "NETWORK", "ADJACENT_NETWORK", "LOCAL", "PHYSICAL", "NOT_DEFINED" ] + }, + "attackComplexityType": { + "type": "string", + "enum": [ "HIGH", "LOW" ] + }, + "modifiedAttackComplexityType": { + "type": "string", + "enum": [ "HIGH", "LOW", "NOT_DEFINED" ] + }, + "privilegesRequiredType": { + "type": "string", + "enum": [ "HIGH", "LOW", "NONE" ] + }, + "modifiedPrivilegesRequiredType": { + "type": "string", + "enum": [ "HIGH", "LOW", "NONE", "NOT_DEFINED" ] + }, + "userInteractionType": { + "type": "string", + "enum": [ "NONE", "REQUIRED" ] + }, + "modifiedUserInteractionType": { + "type": "string", + "enum": [ "NONE", "REQUIRED", "NOT_DEFINED" ] + }, + "scopeType": { + "type": "string", + "enum": [ "UNCHANGED", "CHANGED" ] + }, + "modifiedScopeType": { + "type": "string", + "enum": [ "UNCHANGED", "CHANGED", "NOT_DEFINED" ] + }, + "ciaType": { + "type": "string", + "enum": [ "NONE", "LOW", "HIGH" ] + }, + "modifiedCiaType": { + "type": "string", + "enum": [ "NONE", "LOW", "HIGH", "NOT_DEFINED" ] + }, + "exploitCodeMaturityType": { + "type": "string", + "enum": [ "UNPROVEN", "PROOF_OF_CONCEPT", "FUNCTIONAL", "HIGH", "NOT_DEFINED" ] + }, + "remediationLevelType": { + "type": "string", + "enum": [ "OFFICIAL_FIX", "TEMPORARY_FIX", "WORKAROUND", "UNAVAILABLE", "NOT_DEFINED" ] + }, + "confidenceType": { + "type": "string", + "enum": [ "UNKNOWN", "REASONABLE", "CONFIRMED", "NOT_DEFINED" ] + }, + "ciaRequirementType": { + "type": "string", + "enum": [ "LOW", "MEDIUM", "HIGH", "NOT_DEFINED" ] + }, + "scoreType": { + "type": "number", + "minimum": 0, + "maximum": 10 
+ }, + "severityType": { + "type": "string", + "enum": [ "NONE", "LOW", "MEDIUM", "HIGH", "CRITICAL" ] + } + }, + "properties": { + "version": { + "description": "CVSS Version", + "type": "string", + "enum": [ "3.1" ] + }, + "vectorString": { + "type": "string", + "pattern": "^CVSS:3.1/((AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$" + }, + "attackVector": { "$ref": "#/definitions/attackVectorType" }, + "attackComplexity": { "$ref": "#/definitions/attackComplexityType" }, + "privilegesRequired": { "$ref": "#/definitions/privilegesRequiredType" }, + "userInteraction": { "$ref": "#/definitions/userInteractionType" }, + "scope": { "$ref": "#/definitions/scopeType" }, + "confidentialityImpact": { "$ref": "#/definitions/ciaType" }, + "integrityImpact": { "$ref": "#/definitions/ciaType" }, + "availabilityImpact": { "$ref": "#/definitions/ciaType" }, + "baseScore": { "$ref": "#/definitions/scoreType" }, + "baseSeverity": { "$ref": "#/definitions/severityType" }, + "exploitCodeMaturity": { "$ref": "#/definitions/exploitCodeMaturityType" }, + "remediationLevel": { "$ref": "#/definitions/remediationLevelType" }, + "reportConfidence": { "$ref": "#/definitions/confidenceType" }, + "temporalScore": { "$ref": "#/definitions/scoreType" }, + "temporalSeverity": { "$ref": "#/definitions/severityType" }, + "confidentialityRequirement": { "$ref": "#/definitions/ciaRequirementType" }, + "integrityRequirement": { "$ref": "#/definitions/ciaRequirementType" }, + "availabilityRequirement": { "$ref": "#/definitions/ciaRequirementType" }, + "modifiedAttackVector": { "$ref": "#/definitions/modifiedAttackVectorType" }, + "modifiedAttackComplexity": { "$ref": "#/definitions/modifiedAttackComplexityType" 
}, + "modifiedPrivilegesRequired": { "$ref": "#/definitions/modifiedPrivilegesRequiredType" }, + "modifiedUserInteraction": { "$ref": "#/definitions/modifiedUserInteractionType" }, + "modifiedScope": { "$ref": "#/definitions/modifiedScopeType" }, + "modifiedConfidentialityImpact": { "$ref": "#/definitions/modifiedCiaType" }, + "modifiedIntegrityImpact": { "$ref": "#/definitions/modifiedCiaType" }, + "modifiedAvailabilityImpact": { "$ref": "#/definitions/modifiedCiaType" }, + "environmentalScore": { "$ref": "#/definitions/scoreType" }, + "environmentalSeverity": { "$ref": "#/definitions/severityType" } + }, + "required": [ "version", "vectorString", "baseScore", "baseSeverity" ] +} diff --git a/schema/support/docs/css_override.css b/schema/support/docs/css_override.css new file mode 100644 index 00000000000..c277084a91e --- /dev/null +++ b/schema/support/docs/css_override.css @@ -0,0 +1,51 @@ + +.examples, .highlight.jumbotron, .card-header { + padding: 0rem !important; +} +.jumbotron { + margin-bottom: 0px !important; +} + +.badge { + font-size: 80% !important; + margin-bottom: 0px !important; +} +h2, h4, .h2, .h4 { + font-size: 100% !important; +} +.btn.btn-link { + font-size: 16px; +} +.property-name-button { + padding: 0px 5px; +} +.btn.btn-primary { + margin: 5px; +} + +p { + margin-bottom: 0px; +} + +.list-group-item { + padding: 3px 8px; +} + +.pl-5, .card-body { + padding-left: 0.5em !important; +} + +#root h1:before { + background: url("https://cve.mitre.org/images/cvelogobanner.png") no-repeat; + background-size: contain; + background-position-y: center; + width: 120px; + height: 30px; + display: inline-block; + content: ""; +} + +span.description ~ p { + display: inline-block; + margin-right: 3px; +} diff --git a/schema/support/docs/docs.sh b/schema/support/docs/docs.sh new file mode 100644 index 00000000000..58c2f40fbb2 --- /dev/null +++ b/schema/support/docs/docs.sh 
@@ -0,0 +1,8 @@ +#!/bin/bash +cd ../../ +sed 's/file\://g' CVE_JSON_5.1_schema.json > tmp.json | generate-schema-doc --minify tmp.json docs/index.html +perl -pi -e 's/[${ids.length} CVEs] ${a} - field ${k} [link]:
`) + if(docs[x + ':' + k]) { + console.log(``+docs[x + ':' + k]+'
') + } + console.log('') + for (const c of ids.sort()) { + console.log(` ${c}`) + } + console.log('
') + } + } + }); + + console.log(''); +} +/* var index = start + '[${ids.length} CVEs] ${a} - field ${k} [link]:
`) + if(docs[shortName + ':' + k]) { + console.log(``+docs[shortName + ':' + k]+'
') + } + console.log('') + for (const c of ids.sort()) { + console.log(` ${c}`) + } + console.log('
`; + for (c in cnaIndex[x].sort(new Intl.Collator('en',{numeric:true}).compare)) { + index += ` ${cnaIndex[x][c]}` + } + //report = report + ''; + //fs.writeFileSync('./reports/'+x+'.html',report); + } + fs.writeFileSync('./reports/index.html',index + '