Merge pull request #409 from alilleybrinker/alilleybrinker/affected-purls

ccoffin · web-flow · commit e4fe53e746da · 2025-08-21T13:30:08.000-05:00
Add `packageURL` field to product in `affected` array.
diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json
@@ -363,6 +363,28 @@
                         },
                         "additionalProperties": false
                     }
+                },
+                "packageURL": {
+                    "description": "A Package URL, a unified URL specification for identifying packages hosted by known package hosts. The Package URL MUST NOT include a version.",
+                    "$ref": "#/definitions/uriType",
+                    "examples": [
+                        "pkg:bitbucket/birkenfeld/pygments-main",
+                        "pkg:deb/debian/curl?arch=i386&distro=jessie",
+                        "pkg:docker/cassandra",
+                        "pkg:docker/customer/dockerimage?repository_url=gcr.io",
+                        "pkg:gem/jruby-launcher?platform=java",
+                        "pkg:gem/ruby-advisory-db-check",
+                        "pkg:github/package-url/purl-spec",
+                        "pkg:golang/google.golang.org/genproto#googleapis/api/annotations",
+                        "pkg:maven/org.apache.xmlgraphics/batik-anim?packaging=sources",
+                        "pkg:maven/org.apache.xmlgraphics/batik-anim?repository_url=repo.spring.io/release",
+                        "pkg:npm/%40angular/animation",
+                        "pkg:npm/foobar",
+                        "pkg:nuget/EnterpriseLibrary.Common",
+                        "pkg:pypi/django",
+                        "pkg:rpm/fedora/curl?arch=i386&distro=fedora-25",
+                        "pkg:rpm/opensuse/curl?arch=i386&distro=opensuse-tumbleweed"
+                    ]
                 }
             }
         },
diff --git a/schema/docs/cnaContainer-advanced-example.json b/schema/docs/cnaContainer-advanced-example.json
@@ -37,8 +37,9 @@
           "MacOS",
           "XT-4500"
         ],
-        "collectionURL": "https://example.org/packages",
-        "packageName": "example_enterprise",
+        "collectionURL": "https://npmjs.com",
+        "packageName": "example",
+        "packageURL": "pkg:npm/example",
         "repo": "git://example.org/source/example_enterprise",
         "modules": [
           "Web-Management-Interface"
diff --git a/schema/docs/full-record-advanced-example.json b/schema/docs/full-record-advanced-example.json
@@ -50,8 +50,9 @@
             "MacOS",
             "XT-4500"
           ],
-          "collectionURL": "https://example.org/packages",
-          "packageName": "example_enterprise",
+          "collectionURL": "https://npmjs.com",
+          "packageName": "example",
+          "packageURL": "pkg:npm/example",
           "repo": "git://example.org/source/example_enterprise",
           "modules": [
             "Web-Management-Interface"
@@ -162,7 +163,7 @@
               "value": "OS-komand-injekta vundebleco <tt>parseFilename</tt> funkcio de <tt>example.php</tt> en la Web Administrado-Interfaco de Example.org Example Enterprise ĉe Windows, macOS kaj XT-4500 permesas al malproksimaj neaŭtentikigitaj atakantoj eskaladi privilegiojn.<br><br> Ĉi tiu afero efikas:<br><ul><li>1.0-versioj antaŭ 1.0.6</li><li>2.1-versioj de 2.1.6 ĝis 2.1.9.</li></ul>"
             }
           ]
-        }          
+        }
       ],
       "metrics": [
         {
