From a2e12e8e49de5af4a5a8628f31ec7839091b9b0f Mon Sep 17 00:00:00 2001 From: jwhitmore-mitre Date: Tue, 1 Dec 2020 13:03:24 -0500 Subject: [PATCH] Applied approved PR#92 from previous repository https://github.com/CVEProject/automation-working-group/pull/92 Applied 4-space indenting --- schema/v5.0/CVE_JSON_5.0.schema | 1997 ++++++++++++++++--------------- 1 file changed, 1024 insertions(+), 973 deletions(-) diff --git a/schema/v5.0/CVE_JSON_5.0.schema b/schema/v5.0/CVE_JSON_5.0.schema index 566590ee08d..da426025e70 100644 --- a/schema/v5.0/CVE_JSON_5.0.schema +++ b/schema/v5.0/CVE_JSON_5.0.schema @@ -1,1022 +1,1073 @@ { - "$schema": "http://json-schema.org/draft-07/schema#", - "$id": "https://cve.mitre.org/cve/v5_00/", - "type": "object", - "title": "", - "description": "a CVE entry", - "definitions": { - "reference": { - "type": "object", - "required": [ - "url" - ], - "properties": { - "url": { - "maxLength": 500, - "minLength": 5, - "type": "string", - "pattern": "^(ftp|http)s?://\\S+$" - }, - "name": { - "type": "string", - "maxLength": 500, - "minLength": 1 - }, - "refSource": { - "type": "string", - "maxLength": 500, - "minLength": 1, - "description": "name of the source, program, etc that produced the URL." - }, - "tags": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "string", - "minLength": 1, - "maxLength": 40, - "examples": [ - "Broken Link", - "Exploit", - "Issue Tracking", - "Mailing List", - "Mitigation", - "Not Applicable", - "Patch", - "Permissions Required", - "Press/Media Coverage", - "Product", - "Release Notes", - "Technical Description", - "Third Party Advisory", - "Tool Signature", - "VDB Entry", - "Vendor Advisory" - ] - } + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "https://cve.mitre.org/cve/v5_00/", + "type": "object", + "title": "", + "description": "a CVE entry", + "definitions": { + "reference": { + "type": "object", + "required": [ + "url" + ], + "properties": { + "url": { + "maxLength": 500, + "minLength": 5, + "type": "string", + "pattern": "^(ftp|http)s?://\\S+$" + }, + "name": { + "type": "string", + "maxLength": 500, + "minLength": 1 + }, + "refSource": { + "type": "string", + "maxLength": 500, + "minLength": 1, + "description": "name of the source, program, etc that produced the URL." + }, + "tags": { + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "type": "string", + "minLength": 1, + "maxLength": 40, + "examples": [ + "Broken Link", + "Exploit", + "Issue Tracking", + "Mailing List", + "Mitigation", + "Not Applicable", + "Patch", + "Permissions Required", + "Press/Media Coverage", + "Product", + "Release Notes", + "Technical Description", + "Third Party Advisory", + "Tool Signature", + "VDB Entry", + "Vendor Advisory" + ] + } + } } - } - }, - "cveId": { - "type": "string", - "pattern": "^CVE-[0-9]{4}-[0-9]{4,}$" - }, - "orgId": { - "type": "string", - "pattern": "^[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}$" - }, - "userId": { - "type": "string", - "pattern": "^[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}$" - }, - "shortName": { - "type": "string", - "minLength": 3, - "maxLength": 12 - }, - "datestamp": { - "type": "string", - "format": "date", - "pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))$" - }, - "timestamp": { - "type": "string", - "format": "date-time", - "description": "Date/time format based on RFC3339 and ISO ISO8601, with an optional timezone. yyyy-MM-ddTHH:mm:ssZZZZ - if timezone offset is not given, GMT (0000) is assumed.", - "pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})?$" - }, - "product": { - "type": "object", - "description": "", - "required": [ - "productName", - "versions" - ], - "properties": { - "productName": { - "type": "string", - "description": "Name of the affected product.", - "minLength": 1 - }, - "modules": { - "type": "array", - "description": "A list of the affected components, features, modules, sub-components, sub-products, APIs, commands, utilities, programs, or functionalities (optional)", - "uniqueItems": true, - "items": { - "type": "string", - "description": "Name of the affected component, feature, module, sub-component, sub-product, API, command, utility, program, or functionality (optional).", - "minLength": 1 - } - }, - "programFiles": { - "type": "array", - "description": "A list of the affected source code files (optional)", - "uniqueItems": true, - "items": { - "type": "uri", - "description": "Name or path or location of the affected source code file in RFC3986 compliant format (optional).", - "minLength": 1 - } - }, - "programRoutines": { - "type": "array", - "description": "A list of the affected source code functions, methods, subroutines, or procedures (optional).", - "uniqueItems": true, - "items": { - "type": "string", - "description": "Name of the affected source code file, function, method, subroutine, or procedure (optional).", - "minLength": 1 - } - }, - "collectionURL": { - "type": "string", - "description": "A URL that, among the users of the software package collection, is considered the most popular starting point for accessing the collection (optional).", - "maxLength": 500, - "minLength": 5, - "pattern": "^(ftp|http)s?://\\S+$", - "examples": [ - "https://access.redhat.com/downloads/content/package-browser", - "https://addons.mozilla.org", - "https://addons.thunderbird.net", - "https://anaconda.org/anaconda/repo", - "https://app.vagrantup.com/boxes/search", - "https://apps.apple.com", - "https://archlinux.org/packages", - "https://atmospherejs.meteor.com", - "https://atom.io/packages", - "https://bitbucket.org", - "https://bower.io", - "https://brew.sh/", - "https://chocolatey.org/packages", - "https://chrome.google.com/webstore", - "https://clojars.org", - "https://cocoapods.org", - "https://code.dlang.org", - "https://conan.io/center", - "https://cpan.org/modules", - "https://cran.r-project.org", - "https://crates.io", - "https://ctan.org/pkg", - "https://drupal.org", - "https://exchange.adobe.com", - "https://forge.puppet.com/modules", - "https://github.com", - "https://gitlab.com/explore", - "https://golang.org/pkg", - "https://guix.gnu.org/packages", - "https://hackage.haskell.org", - "https://helm.sh", - "https://hub.docker.com", - "https://juliahub.com", - "https://lib.haxe.org", - "https://luarocks.org", - "https://marketplace.visualstudio.com", - "https://melpa.org", - "https://microsoft.com/en-us/store/apps", - "https://nimble.directory", - "https://nuget.org/packages", - "https://opam.ocaml.org/packages", - "https://openwrt.org/packages/index", - "https://package.elm-lang.org", - "https://packagecontrol.io", - "https://packages.debian.org", - "https://packages.gentoo.org", - "https://packagist.org", - "https://pear.php.net/packages.php", - "https://pecl.php.net", - "https://platformio.org/lib", - "https://play.google.com/store", - "https://plugins.gradle.org", - "https://projects.eclipse.org", - "https://pub.dev", - "https://pypi.python.org", - "https://registry.npmjs.org", - "https://registry.terraform.io", - "https://repo.hex.pm", - "https://repo.maven.apache.org/maven2", - "https://rubygems.org", - "https://search.nixos.org/packages", - "https://sourceforge.net", - "https://wordpress.org/plugins" - ] - }, - "versions": { - "type": "array", - "description": "", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "description": "Affected/non-affected/fixed versions of a given technology, product, hardware, etc.", - "required": [ - "versionValue" - ], - "properties": { - "versionGroup": { + }, + "cveId": { + "type": "string", + "pattern": "^CVE-[0-9]{4}-[0-9]{4,}$" + }, + "orgId": { + "type": "string", + "pattern": "^[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}$" + }, + "userId": { + "type": "string", + "pattern": "^[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}$" + }, + "shortName": { + "type": "string", + "minLength": 3, + "maxLength": 12 + }, + "datestamp": { + "type": "string", + "format": "date", + "pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))$" + }, + "timestamp": { + "type": "string", + "format": "date-time", + "description": "Date/time format based on RFC3339 and ISO ISO8601, with an optional timezone. yyyy-MM-ddTHH:mm:ssZZZZ - if timezone offset is not given, GMT (0000) is assumed.", + "pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})?$" + }, + "product": { + "type": "object", + "description": "", + "required": [ + "productName", + "versions" + ], + "properties": { + "productName": { + "type": "string", + "description": "Name of the affected product.", + "minLength": 1 + }, + "modules": { + "type": "array", + "description": "A list of the affected components, features, modules, sub-components, sub-products, APIs, commands, utilities, programs, or functionalities (optional)", + "uniqueItems": true, + "items": { "type": "string", - "description": "A string that represents a version branch, group, or a major version (e.g. 10.0, 3.1.*) where all version values are typically sequential or versionAffected comparisons are meaningful (optional).", + "description": "Name of the affected component, feature, module, sub-component, sub-product, API, command, utility, program, or functionality (optional).", "minLength": 1 - }, - "versionValue": { - "type": "string", - "description": "The version name/value (e.g. 10.0.1, 3.1.2, \"IceHouse\")", + } + }, + "programFiles": { + "type": "array", + "description": "A list of the affected source code files (optional)", + "uniqueItems": true, + "items": { + "type": "uri", + "description": "Name or path or location of the affected source code file in RFC3986 compliant format (optional).", "minLength": 1 - }, - "versionAffected": { - "type": "string", - "description": "A string value:\n \"=\" (affects versionValue),\n \">\" (affects versions prior to versionValue),\n \">\" (affects versions later than versionValue),\n \"<=\" (affects versionValue and prior versions),\n \">=\" (affects versionValue and later versions),\n \"!\" (doesn't affect versionValue),\n \"!<\" (doesn't affect versions prior to versionValue),\n \"!>\" (doesn't affect versions later than versionValue),\n \"!<=\" (doesn't affect versionValue and prior versions),\n \"!>=\" (doesn't affect versionValue and later versions),\n \"?\" (status of versionValue is unknown),\n \"?<\" (status of versions prior to versionValue is unknown),\n \"?>\" (status of versions later than versionValue is unknown),\n \"?<=\" (status of versionValue and prior versions is unknown),\n \"?>=\" (status of versionValue and later versions is unknown)", - "enum": [ - "=", - "<", - ">", - "<=", - ">=", - "!", - "!<", - "!>", - "!<=", - "!>=", - "?", - "?<", - "?>", - "?<=", - "?>=" - ] - }, - "references": { - "$ref": "#/definitions/references" - } - } - } - } - } - }, - "dataType": { - "type": "string", - "enum": [ - "CVE" - ] - }, - "dataFormat": { - "type": "string", - "enum": [ - "MITRE" - ] - }, - "dataVersion": { - "type": "string", - "enum": [ - "5.0" - ] - }, - "cveDataMetaPublic": { - "type": "object", - "description": "This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, when it was assigned, the current state (PUBLIC, REJECT, etc.) and so on.", - "required": [ - "id", - "assigner", - "state" - ], - "properties": { - "id": { - "$ref": "#/definitions/cveId" - }, - "assigner": { - "$ref": "#/definitions/orgId", - "description": "the UUID for the organization to which the CVE ID was originally assigned" - }, - "assignerShortName": { - "$ref": "#/definitions/shortName", - "description": "the short name for the organization to which the CVE ID was originally assigned" - }, - "requester": { - "$ref": "#/definitions/userId", - "description": " the requester of the CVE" - }, - "updated": { - "$ref": "#/definitions/timestamp" - }, - "serial": { - "type": "integer", - "minimum": 1, - "description": "starts at 1, add 1 every time an entry is updated or changed" - }, - "dateRequested": { - "$ref": "#/definitions/timestamp", - "description": "the date/time this issue was requested" - }, - "dateAssigned": { - "$ref": "#/definitions/timestamp", - "description": "the date/time this was assigned" - }, - "datePublic": { - "$ref": "#/definitions/timestamp", - "description": "the date/time this went public if known" - }, - "replacedBy": { - "type": "string", - "description": "a single CVE ID or list of CVE IDs (comma separated)", - "pattern": "^(CVE-[0-9]{4}-[0-9]{4,})\\s*(,\\s*CVE-[0-9]{4}-[0-9]{4,})*$" - }, - "state": { - "type": "string", - "description": "State of CVE - PUBLIC, RESERVED, REJECT", - "enum": [ - "PUBLIC" - ] - }, - "title": { - "type": "string", - "description": "Short title - if the description is long we may want a short title to refer to", - "minLength": 1 - } - }, - "additionalProperties": false - }, - "cveDataMetaReserved": { - "type": "object", - "description": "This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, when it was assigned, the current state (PUBLIC, REJECT, etc.) and so on.", - "required": [ - "id", - "state" - ], - "properties": { - "id": { - "$ref": "#/definitions/cveId" - }, - "assigner": { - "$ref": "#/definitions/orgId", - "description": "the UUID for the organization to which the CVE ID was originally assigned" - }, - "assignerShortName": { - "$ref": "#/definitions/shortName", - "description": "the short name for the organization to which the CVE ID was originally assigned" - }, - "state": { - "type": "string", - "description": "State of CVE - PUBLIC, RESERVED, REJECT", - "enum": [ - "RESERVED" - ] - }, - "datePublic": { - "$ref": "#/definitions/datestamp", - "description": "Anticipated date for public release (YYYY-MM-DD)." - }, - "descriptions": { - "$ref": "#/definitions/descriptions" - } - }, - "additionalProperties": false - }, - "cveDataMetaReject": { - "type": "object", - "description": "This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, when it was assigned, the current state (PUBLIC, REJECT, etc.) and so on.", - "required": [ - "id", - "assigner", - "state" - ], - "properties": { - "id": { - "$ref": "#/definitions/cveId" - }, - "assigner": { - "$ref": "#/definitions/orgId", - "description": "the UUID for the organization to which the CVE ID was originally assigned" - }, - "assignerShortName": { - "$ref": "#/definitions/shortName", - "description": "the short name for the organization to which the CVE ID was originally assigned" - }, - "state": { - "type": "string", - "description": "State of CVE - PUBLIC, RESERVED, REJECT", - "enum": [ - "REJECT" - ] - }, - "descriptions": { - "$ref": "#/definitions/descriptions" - } - }, - "additionalProperties": false - }, - "providerDataMeta": { - "type": "object", - "description": "will be updated to coordinate with CVE user registry, current identifier is an email address.", - "properties": { - "id": { - "$ref": "#/definitions/orgId", - "description": "the container provider's organizational UUID" - }, - "shortName": { - "$ref": "#/definitions/shortName", - "description": "the container provider's organizational short name" - }, - "updated": { - "$ref": "#/definitions/timestamp", - "description": "Timestamp to be set by system of record at time of submission. If UPDATED is provided to the system of record it will be replaced by the timestamp at the time of submission. If a provider has multiple contributions, they shall be consolidated to a final single contribution before submission, or the system of record will reject the input with, Rejected – simultaneous contributions by a single provider." - } - }, - "required": [ - "id" - ] - }, - "cnaContainer": { - "type": "object", - "properties": { - "providerDataMeta": { - "$ref": "#/definitions/providerDataMeta" - }, - "descriptions": { - "$ref": "#/definitions/descriptions" - }, - "affected": { - "$ref": "#/definitions/affected" - }, - "problemTypes": { - "$ref": "#/definitions/problemTypes" - }, - "references": { - "$ref": "#/definitions/references" - }, - "impacts": { - "$ref": "#/definitions/impacts" - }, - "metrics": { - "$ref": "#/definitions/metrics" - }, - "configuration": { - "$ref": "#/definitions/configurations" - }, - "workaround": { - "$ref": "#/definitions/workarounds" - }, - "exploit": { - "$ref": "#/definitions/exploits" - }, - "timeline": { - "$ref": "#/definitions/timeline" - }, - "credit": { - "$ref": "#/definitions/credits" - }, - "source": { - "$ref": "#/definitions/source" - } - }, - "required": [ - "providerDataMeta", - "descriptions", - "affected", - "references" - ] - }, - "adpContainer": { - "type": "object", - "properties": { - "providerDataMeta": { - "$ref": "#/definitions/providerDataMeta" - }, - "descriptions": { - "$ref": "#/definitions/descriptions" - }, - "affected": { - "$ref": "#/definitions/affected" - }, - "problemtypes": { - "$ref": "#/definitions/problemtypes" - }, - "references": { - "$ref": "#/definitions/references" - }, - "impacts": { - "$ref": "#/definitions/impacts" - }, - "metrics": { - "$ref": "#/definitions/metrics" - }, - "configuration": { - "$ref": "#/definitions/configurations" - }, - "workaround": { - "$ref": "#/definitions/workarounds" - }, - "exploit": { - "$ref": "#/definitions/exploits" - }, - "timeline": { - "$ref": "#/definitions/timeline" - }, - "credit": { - "$ref": "#/definitions/credits" - }, - "source": { - "$ref": "#/definitions/source" - } - }, - "required": [ - "providerDataMeta" - ], - "minProperties": 2 - }, - "containers": { - "type": "object", - "properties": { - "cna": { - "$ref": "#/definitions/cnaContainer" - }, - "adp": { - "type": "array", - "items": { - "$ref": "#/definitions/adpContainer" - }, - "minItems": 1, - "uniqueItems": true - } - }, - "required": [ - "cna" - ], - "additionalProperties": false - }, - "affected": { - "type": "object", - "description": "CVE affects, there must be at least one defined vulnerable product either in the form of a text description (via data defined in vendors, product, version) OR a affectsCpe OR a affectsSwid", - "anyOf": [ - { - "required": [ - "vendors" - ] - }, - { - "required": [ - "affectsCpe" - ] - }, - { - "required": [ - "affectsSwid" - ] - } - ], - "properties": { - "vendors": { - "type": "array", - "description": "This is the container for affected vendors, it only goes in the affects container.", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "description": "", - "required": [ - "vendorName", - "products" - ], - "properties": { - "vendorName": { + } + }, + "programRoutines": { + "type": "array", + "description": "A list of the affected source code functions, methods, subroutines, or procedures (optional).", + "uniqueItems": true, + "items": { "type": "string", - "description": "Name of the vendor that produced this product.", + "description": "Name of the affected source code file, function, method, subroutine, or procedure (optional).", "minLength": 1 - }, - "products": { - "description": "This is the container for affected technologies, products, hardware, etc.", - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "$ref": "#/definitions/product" + } + }, + "collectionURL": { + "type": "string", + "description": "A URL that, among the users of the software package collection, is considered the most popular starting point for accessing the collection (optional).", + "maxLength": 500, + "minLength": 5, + "pattern": "^(ftp|http)s?://\\S+$", + "examples": [ + "https://access.redhat.com/downloads/content/package-browser", + "https://addons.mozilla.org", + "https://addons.thunderbird.net", + "https://anaconda.org/anaconda/repo", + "https://app.vagrantup.com/boxes/search", + "https://apps.apple.com", + "https://archlinux.org/packages", + "https://atmospherejs.meteor.com", + "https://atom.io/packages", + "https://bitbucket.org", + "https://bower.io", + "https://brew.sh/", + "https://chocolatey.org/packages", + "https://chrome.google.com/webstore", + "https://clojars.org", + "https://cocoapods.org", + "https://code.dlang.org", + "https://conan.io/center", + "https://cpan.org/modules", + "https://cran.r-project.org", + "https://crates.io", + "https://ctan.org/pkg", + "https://drupal.org", + "https://exchange.adobe.com", + "https://forge.puppet.com/modules", + "https://github.com", + "https://gitlab.com/explore", + "https://golang.org/pkg", + "https://guix.gnu.org/packages", + "https://hackage.haskell.org", + "https://helm.sh", + "https://hub.docker.com", + "https://juliahub.com", + "https://lib.haxe.org", + "https://luarocks.org", + "https://marketplace.visualstudio.com", + "https://melpa.org", + "https://microsoft.com/en-us/store/apps", + "https://nimble.directory", + "https://nuget.org/packages", + "https://opam.ocaml.org/packages", + "https://openwrt.org/packages/index", + "https://package.elm-lang.org", + "https://packagecontrol.io", + "https://packages.debian.org", + "https://packages.gentoo.org", + "https://packagist.org", + "https://pear.php.net/packages.php", + "https://pecl.php.net", + "https://platformio.org/lib", + "https://play.google.com/store", + "https://plugins.gradle.org", + "https://projects.eclipse.org", + "https://pub.dev", + "https://pypi.python.org", + "https://registry.npmjs.org", + "https://registry.terraform.io", + "https://repo.hex.pm", + "https://repo.maven.apache.org/maven2", + "https://rubygems.org", + "https://search.nixos.org/packages", + "https://sourceforge.net", + "https://wordpress.org/plugins" + ] + }, + "versions": { + "type": "array", + "description": "", + "minItems": 1, + "uniqueItems": true, + "items": { + "type": "object", + "description": "Affected/non-affected/fixed versions of a given technology, product, hardware, etc.", + "required": [ + "versionValue" + ], + "properties": { + "versionGroup": { + "type": "string", + "description": "A string that represents a version branch, group, or a major version (e.g. 10.0, 3.1.*) where all version values are typically sequential or versionAffected comparisons are meaningful (optional).", + "minLength": 1 + }, + "versionValue": { + "type": "string", + "description": "The version name/value (e.g. 10.0.1, 3.1.2, \"IceHouse\")", + "minLength": 1 + }, + "versionAffected": { + "type": "string", + "description": "A string value:\n \"=\" (affects versionValue),\n \">\" (affects versions prior to versionValue),\n \">\" (affects versions later than versionValue),\n \"<=\" (affects versionValue and prior versions),\n \">=\" (affects versionValue and later versions),\n \"!\" (doesn't affect versionValue),\n \"!<\" (doesn't affect versions prior to versionValue),\n \"!>\" (doesn't affect versions later than versionValue),\n \"!<=\" (doesn't affect versionValue and prior versions),\n \"!>=\" (doesn't affect versionValue and later versions),\n \"?\" (status of versionValue is unknown),\n \"?<\" (status of versions prior to versionValue is unknown),\n \"?>\" (status of versions later than versionValue is unknown),\n \"?<=\" (status of versionValue and prior versions is unknown),\n \"?>=\" (status of versionValue and later versions is unknown)", + "enum": [ + "=", + "<", + ">", + "<=", + ">=", + "!", + "!<", + "!>", + "!<=", + "!>=", + "?", + "?<", + "?>", + "?<=", + "?>=" + ] + }, + "references": { + "$ref": "#/definitions/references" + } } - } - } - } - }, - "affectsCpe": { - "type": "array", - "description": "Affected products defined by CPE. This is an array of CPE values (vulnerable and not), we use an array so that we can make multiple statements about the same version and they are separate (if we used a JSON object we'd essentially be keying on the CPE name and they would have to overlap). Also this allows things like cveDataVersion or cveDescription to be applied directly to the product entry. This also allows more complex statements such as \"Product X between versions 10.2 and 10.8\" to be put in a machine-readable format. As well since multiple statements can be used multiple branches of the same product can be defined here.", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "description": "", - "properties": {}, - "minProperties": 1 - } - }, - "affectsSwid": { - "type": "array", - "description": "", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "description": "", - "properties": {}, - "minProperties": 1 - } + } + } } - }, - "additionalProperties": false - }, - "descriptions": { - "type": "array", - "description": "multi-lingual description of the vulnerability", - "minItems": 1, - "uniqueItems": true, - "items": { + }, + "dataType": { + "type": "string", + "enum": [ + "CVE" + ] + }, + "dataFormat": { + "type": "string", + "enum": [ + "MITRE" + ] + }, + "dataVersion": { + "type": "string", + "enum": [ + "5.0" + ] + }, + "cveDataMetaPublic": { "type": "object", - "description": "", - "properties": { - "lang": { - "type": "string", - "description": "ISO 639-2 language code", - "default": "EN", - "minLength": 1 - }, - "value": { - "type": "string", - "description": "Description of the vulnerability. Eg., [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] allows [ATTACKER] to [IMPACT] via [VECTOR]. OR [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] [ROOT CAUSE], which allows [ATTACKER] to [IMPACT] via [VECTOR].", - "minLength": 1 - } - }, + "description": "This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, when it was assigned, the current state (PUBLIC, REJECT, etc.) and so on.", "required": [ - "lang", - "value" + "id", + "assigner", + "state" ], + "properties": { + "id": { + "$ref": "#/definitions/cveId" + }, + "assigner": { + "$ref": "#/definitions/orgId", + "description": "the UUID for the organization to which the CVE ID was originally assigned" + }, + "assignerShortName": { + "$ref": "#/definitions/shortName", + "description": "the short name for the organization to which the CVE ID was originally assigned" + }, + "requester": { + "$ref": "#/definitions/userId", + "description": " the requester of the CVE" + }, + "updated": { + "$ref": "#/definitions/timestamp" + }, + "serial": { + "type": "integer", + "minimum": 1, + "description": "starts at 1, add 1 every time an entry is updated or changed" + }, + "dateRequested": { + "$ref": "#/definitions/timestamp", + "description": "the date/time this issue was requested" + }, + "dateAssigned": { + "$ref": "#/definitions/timestamp", + "description": "the date/time this was assigned" + }, + "datePublic": { + "$ref": "#/definitions/timestamp", + "description": "the date/time this went public if known" + }, + "replacedBy": { + "type": "string", + "description": "a single CVE ID or list of CVE IDs (comma separated)", + "pattern": "^(CVE-[0-9]{4}-[0-9]{4,})\\s*(,\\s*CVE-[0-9]{4}-[0-9]{4,})*$" + }, + "state": { + "type": "string", + "description": "State of CVE - PUBLIC, RESERVED, REJECT", + "enum": [ + "PUBLIC" + ] + }, + "title": { + "type": "string", + "description": "Short title - if the description is long we may want a short title to refer to", + "minLength": 1 + } + }, "additionalProperties": false - } - }, - "problemTypes": { - "type": "array", - "description": "This is problem type information (e.g. CWE identifier). Must contain: At least one entry, can be text, OWASP, CWE, please note that while only one is required you can use more than one (or indeed all three) as long as they are correct). (CNA requirement: [PROBLEMTYPE])", - "items": { + }, + "cveDataMetaReserved": { "type": "object", - "description": "text, OWASP, or CWE", + "description": "This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, when it was assigned, the current state (PUBLIC, REJECT, etc.) and so on.", "required": [ - "descriptions" + "id", + "state" ], "properties": { - "descriptions": { - "type": "array", - "items": { - "type": "object", - "description": "problem type description", - "required": [ - "lang", - "description" - ], - "properties": { - "lang": { - "type": "string", - "description": "ISO 639-2 language code", - "minLength": 1 - }, - "description": { - "type": "string", - "description": "string description of problemType, or title from CWE, OWASP", - "minLength": 1 - }, - "cweId": { - "type": "string", - "description": "CWE ID of the CWE that best describes this problemType entry", - "minLength": 5, - "pattern": "^CWE-[0-9]+$" - }, - "type": { - "type": "string", - "description": "problemtype source, text, OWASP, CWE, etc", - "minLength": 1 - }, - "references": { - "$ref": "#/definitions/references" - } - } - }, - "minItems": 1, - "uniqueItems": true - } - } - }, - "minItems": 1, - "uniqueItems": true - }, - "references": { - "type": "array", - "description": "This is reference data in the form of URLs or file objects (uuencoded and embedded within the JSON file, exact format to be decided, e.g. we may require a compressed format so the objects require unpacking before they are \"dangerous\").", - "items": { - "$ref": "#/definitions/reference" - }, - "minItems": 1, - "maxItems": 500, - "uniqueItems": true - }, - "impacts": { - "type": "array", - "description": "collection of impact scores with attribution", - "minItems": 1, - "uniqueItems": true, - "items": { + "id": { + "$ref": "#/definitions/cveId" + }, + "assigner": { + "$ref": "#/definitions/orgId", + "description": "the UUID for the organization to which the CVE ID was originally assigned" + }, + "assignerShortName": { + "$ref": "#/definitions/shortName", + "description": "the short name for the organization to which the CVE ID was originally assigned" + }, + "state": { + "type": "string", + "description": "State of CVE - PUBLIC, RESERVED, REJECT", + "enum": [ + "RESERVED" + ] + }, + "datePublic": { + "$ref": "#/definitions/datestamp", + "description": "Anticipated date for public release (YYYY-MM-DD)." + }, + "descriptions": { + "$ref": "#/definitions/descriptions" + } + }, + "additionalProperties": false + }, + "cveDataMetaReject": { "type": "object", - "description": "This is impact type information (e.g. a text description", + "description": "This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, when it was assigned, the current state (PUBLIC, REJECT, etc.) and so on.", "required": [ - "descriptions" + "id", + "assigner", + "state" ], "properties": { - "capecId": { - "type": "string", - "description": "CAPEC ID that best relates to this impact", - "minLength": 1 + "id": { + "$ref": "#/definitions/cveId" + }, + "assigner": { + "$ref": "#/definitions/orgId", + "description": "the UUID for the organization to which the CVE ID was originally assigned" + }, + "assignerShortName": { + "$ref": "#/definitions/shortName", + "description": "the short name for the organization to which the CVE ID was originally assigned" + }, + "state": { + "type": "string", + "description": "State of CVE - PUBLIC, RESERVED, REJECT", + "enum": [ + "REJECT" + ] }, "descriptions": { - "description": "Prose description of the impact scenario. At a minimum provide the description given by CAPEC", "$ref": "#/definitions/descriptions" } - } - } - }, - "metrics": { - "type": "array", - "description": "collection of impact scores with attribution", - "minItems": 1, - "uniqueItems": true, - "items": { + }, + "additionalProperties": false + }, + "providerDataMeta": { "type": "object", - "description": "This is impact type information (e.g. a text description, CVSSv2, CVSSv3, etc.). Must contain: At least one entry, can be text, CVSSv2, CVSSv3, others may be added", - "anyOf": [ - { - "required": [ - "cvssV3_1" - ] - }, - { - "required": [ - "cvssV3_0" - ] - }, - { - "required": [ - "cvssV2_0" - ] - }, - { - "required": [ - "other" - ] - } - ], - "properties": { - "format": { - "type": "string", - "descriptions": "Name of the score format. This provides a bit future proofing. Additional properties are not prohibitied, so this will support inclusion of proprietary formats. It also provides an easy future conversion mechanism when future score formats become part of the schema. example: cvssV4_4, format = 'cvssV4_4', other = cvssV4_4 json object. In the future the other properties can be converted to score properties when they become part of the schema.", - "minLength": 1 - }, - "scenario": { - "type": "string", - "default": "GENERAL", - "description": "Description of the scenario this metrics object applies to. If no specific scenarion is given, GENERAL is used as the default and applies when no more specific metric matches.", - "minLength": 1 - }, - "cvssV3_1": { - "$ref": "file:cvss-v3.1.json" - }, - "cvssV3_0": { - "$ref": "file:cvss-v3.0.json" - }, - "cvssV2_0": { - "$ref": "file:cvss-v2.0.json" - }, - "other": { - "type": "object", - "description": "non-standard impact description, may be prose or JSON block", - "required": [ - "type", - "content" - ], - "properties": { - "type": { - "type": "string", - "minLength": 1 - }, - "content": { - "type": "object", - "description": "JSON object not covered by another metrics format", - "minProperties": 1 - } - } - } - } - } - }, - "configurations": { - "type": "array", - "description": "This is configuration information. It is generally meant to contain additional containers (e.g. cveDescription, cveImpact). Must contain: At least one configuration", - "minItems": 1, - "uniqueItems": true, - "items": { + "description": "will be updated to coordinate with CVE user registry, current identifier is an email address.", "properties": { - "lang": { - "type": "string", - "description": "ISO 639-2 language code", - "minLength": 1 - }, - "value": { - "description": "Configurations required for exploiting this vulnerability.", - "type": "string", - "minLength": 1 - } + "id": { + "$ref": "#/definitions/orgId", + "description": "the container provider's organizational UUID" + }, + "shortName": { + "$ref": "#/definitions/shortName", + "description": "the container provider's organizational short name" + }, + "updated": { + "$ref": "#/definitions/timestamp", + "description": "Timestamp to be set by system of record at time of submission. If UPDATED is provided to the system of record it will be replaced by the timestamp at the time of submission. If a provider has multiple contributions, they shall be consolidated to a final single contribution before submission, or the system of record will reject the input with, Rejected – simultaneous contributions by a single provider." + } }, "required": [ - "lang", - "value" + "id" ] - } - }, - "workarounds": { - "type": "array", - "description": "Workarounds and mitigations for this vulnerability.", - "minItems": 1, - "uniqueItems": true, - "items": { + }, + "cnaContainer": { + "type": "object", "properties": { - "lang": { - "type": "string", - "description": "ISO 639-2 language code", - "minLength": 1 - }, - "value": { - "type": "string", - "minLength": 1 - } + "providerDataMeta": { + "$ref": "#/definitions/providerDataMeta" + }, + "descriptions": { + "$ref": "#/definitions/descriptions" + }, + "affected": { + "$ref": "#/definitions/affected" + }, + "problemTypes": { + "$ref": "#/definitions/problemTypes" + }, + "references": { + "$ref": "#/definitions/references" + }, + "impacts": { + "$ref": "#/definitions/impacts" + }, + "metrics": { + "$ref": "#/definitions/metrics" + }, + "configuration": { + "$ref": "#/definitions/configurations" + }, + "workaround": { + "$ref": "#/definitions/workarounds" + }, + "exploit": { + "$ref": "#/definitions/exploits" + }, + "timeline": { + "$ref": "#/definitions/timeline" + }, + "credit": { + "$ref": "#/definitions/credits" + }, + "source": { + "$ref": "#/definitions/source" + } }, "required": [ - "lang", - "value" - ] - } - }, - "exploits": { - "type": "array", - "description": "Information about exploits of the vulnerability", - "minItems": 1, - "uniqueItems": true, - "items": { + "providerDataMeta", + "descriptions", + "affected", + "references" + ], + "additionalProperties": { + "patternProperties": { + "^x_": {} + } + } + }, + "adpContainer": { + "type": "object", "properties": { - "lang": { - "type": "string", - "description": "ISO 639-2 language code", - "minLength": 1 - }, - "value": { - "type": "string", - "minLength": 1 - } + "providerDataMeta": { + "$ref": "#/definitions/providerDataMeta" + }, + "descriptions": { + "$ref": "#/definitions/descriptions" + }, + "affected": { + "$ref": "#/definitions/affected" + }, + "problemtypes": { + "$ref": "#/definitions/problemtypes" + }, + "references": { + "$ref": "#/definitions/references" + }, + "impacts": { + "$ref": "#/definitions/impacts" + }, + "metrics": { + "$ref": "#/definitions/metrics" + }, + "configuration": { + "$ref": "#/definitions/configurations" + }, + "workaround": { + "$ref": "#/definitions/workarounds" + }, + "exploit": { + "$ref": "#/definitions/exploits" + }, + "timeline": { + "$ref": "#/definitions/timeline" + }, + "credit": { + "$ref": "#/definitions/credits" + }, + "source": { + "$ref": "#/definitions/source" + } }, "required": [ - "lang", - "value" - ] - } - }, - "timeline": { - "type": "array", - "description": "This is timeline information for significant events about this vulnerability or changes to CVE entry", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "required": [ - "time", - "lang", - "value" + "providerDataMeta" ], - "properties": { - "time": { - "$ref": "#/definitions/timestamp" - }, - "lang": { - "type": "string", - "description": "ISO 639-2 language code", - "minLength": 1 - }, - "value": { - "description": "Description of event", - "type": "string", - "minLength": 1 - } + "minProperties": 2, + "additionalProperties": { + "patternProperties": { + "^x_": {} + } } - } - }, - "credits": { - "type": "array", - "description": "Statements acknowledging specific people/organizations/etc.,", - "minItems": 1, - "uniqueItems": true, - "items": { + }, + "containers": { "type": "object", "properties": { - "lang": { - "type": "string", - "description": "ISO 639-2 language code", - "minLength": 1 - }, - "value": { - "type": "string", - "minLength": 1 - } + "cna": { + "$ref": "#/definitions/cnaContainer" + }, + "adp": { + "type": "array", + "items": { + "$ref": "#/definitions/adpContainer" + }, + "minItems": 1, + "uniqueItems": true + } }, "required": [ - "lang", - "value" - ] - } - }, - "source": { - "type": "object", - "description": "This is the source information (who discovered it, who researched it, etc.) and optionally a chain of CNA information (e.g. the originating CNA and subsequent parent CNAs who have processed it before it arrives at the MITRE root).\n Must contain: IF this is in the root level it MUST contain a CNA_chain entry, IF this source entry is NOT in the root (e.g. it is part of a vendor statement) then it must contain at least one type of data entry.\n Mandatory in: none | Optional in: all containers", - "minProperties": 1 - } - }, - "oneOf": [ - { - "properties": { - "dataType": { - "$ref": "#/definitions/dataType" - }, - "dataFormat": { - "$ref": "#/definitions/dataFormat" - }, - "dataVersion": { - "$ref": "#/definitions/dataVersion" - }, - "cveDataMeta": { - "$ref": "#/definitions/cveDataMetaPublic" + "cna" + ], + "additionalProperties": false + }, + "affected": { + "type": "object", + "description": "CVE affects, there must be at least one defined vulnerable product either in the form of a text description (via data defined in vendors, product, version) OR a affectsCpe OR a affectsSwid", + "anyOf": [ + { + "required": [ + "vendors" + ] + }, + { + "required": [ + "affectsCpe" + ] + }, + { + "required": [ + "affectsSwid" + ] + } + ], + "properties": { + "vendors": { + "type": "array", + "description": "This is the container for affected vendors, it only goes in the affects container.", + "minItems": 1, + "uniqueItems": true, + "items": { + "type": "object", + "description": "", + "required": [ + "vendorName", + "products" + ], + "properties": { + "vendorName": { + "type": "string", + "description": "Name of the vendor that produced this product.", + "minLength": 1 + }, + "products": { + "description": "This is the container for affected technologies, products, hardware, etc.", + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "$ref": "#/definitions/product" + } + } + } + } + }, + "affectsCpe": { + "type": "array", + "description": "Affected products defined by CPE. This is an array of CPE values (vulnerable and not), we use an array so that we can make multiple statements about the same version and they are separate (if we used a JSON object we'd essentially be keying on the CPE name and they would have to overlap). Also this allows things like cveDataVersion or cveDescription to be applied directly to the product entry. This also allows more complex statements such as \"Product X between versions 10.2 and 10.8\" to be put in a machine-readable format. As well since multiple statements can be used multiple branches of the same product can be defined here.", + "minItems": 1, + "uniqueItems": true, + "items": { + "type": "object", + "description": "", + "properties": {}, + "minProperties": 1 + } + }, + "affectsSwid": { + "type": "array", + "description": "", + "minItems": 1, + "uniqueItems": true, + "items": { + "type": "object", + "description": "", + "properties": {}, + "minProperties": 1 + } + } }, - "containers": { - "$ref": "#/definitions/containers" + "additionalProperties": false + }, + "descriptions": { + "type": "array", + "description": "multi-lingual description of the vulnerability", + "minItems": 1, + "uniqueItems": true, + "items": { + "type": "object", + "description": "", + "properties": { + "lang": { + "type": "string", + "description": "ISO 639-2 language code", + "default": "EN", + "minLength": 1 + }, + "value": { + "type": "string", + "description": "Plain text description of the vulnerability. Eg., [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] allows [ATTACKER] to [IMPACT] via [VECTOR]. OR [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] [ROOT CAUSE], which allows [ATTACKER] to [IMPACT] via [VECTOR].", + "minLength": 1 + }, + "supportingMedia": { + "type": "array", + "title": "Supporting media", + "description": "Supporting media data for the description such as markdown, diagrams, .. (optional)", + "uniqItems": true, + "items": { + "type": "object", + "properties": { + "type": { + "type": "string", + "title": "Media type", + "description": "RFC2046 compliant IANA Media type for eg., text/markdown, text/html.", + "examples": [ + "text/markdown", + "text/html", + "image/png", + "image/svg", + "audio/mp3" + ] + }, + "encoding": { + "type": "string", + "title": "Encoding", + "description": "Encoding used for this media eg., base64 (optional)", + "examples": [ + "base64", + "utf8" + ] + }, + "value": { + "type": "string", + "description": "Supporting media value", + "minLength": 1 + } + } + }, + "required": [ + "type", + "value" + ] + } + }, + "required": [ + "lang", + "value" + ], + "additionalProperties": false } - }, - "required": [ - "dataType", - "dataFormat", - "dataVersion", - "cveDataMeta", - "containers" - ], - "additionalProperties": false - }, - { - "properties": { - "dataType": { - "$ref": "#/definitions/dataType" - }, - "dataFormat": { - "$ref": "#/definitions/dataFormat" - }, - "dataVersion": { - "$ref": "#/definitions/dataVersion" - }, - "cveDataMeta": { - "$ref": "#/definitions/cveDataMetaReserved" + }, + "problemTypes": { + "type": "array", + "description": "This is problem type information (e.g. CWE identifier). Must contain: At least one entry, can be text, OWASP, CWE, please note that while only one is required you can use more than one (or indeed all three) as long as they are correct). (CNA requirement: [PROBLEMTYPE])", + "items": { + "type": "object", + "description": "text, OWASP, or CWE", + "required": [ + "descriptions" + ], + "properties": { + "descriptions": { + "type": "array", + "items": { + "type": "object", + "description": "problem type description", + "required": [ + "lang", + "description" + ], + "properties": { + "lang": { + "type": "string", + "description": "ISO 639-2 language code", + "minLength": 1 + }, + "description": { + "type": "string", + "description": "string description of problemType, or title from CWE, OWASP", + "minLength": 1 + }, + "cweId": { + "type": "string", + "description": "CWE ID of the CWE that best describes this problemType entry", + "minLength": 5, + "pattern": "^CWE-[0-9]+$" + }, + "type": { + "type": "string", + "description": "problemtype source, text, OWASP, CWE, etc", + "minLength": 1 + }, + "references": { + "$ref": "#/definitions/references" + } + } + }, + "minItems": 1, + "uniqueItems": true + } + } }, - "descriptions": { - "$ref": "#/definitions/descriptions" + "minItems": 1, + "uniqueItems": true + }, + "references": { + "type": "array", + "description": "This is reference data in the form of URLs or file objects (uuencoded and embedded within the JSON file, exact format to be decided, e.g. we may require a compressed format so the objects require unpacking before they are \"dangerous\").", + "items": { + "$ref": "#/definitions/reference" + }, + "minItems": 1, + "maxItems": 500, + "uniqueItems": true + }, + "impacts": { + "type": "array", + "description": "collection of impact scores with attribution", + "minItems": 1, + "uniqueItems": true, + "items": { + "type": "object", + "description": "This is impact type information (e.g. a text description", + "required": [ + "descriptions" + ], + "properties": { + "capecId": { + "type": "string", + "description": "CAPEC ID that best relates to this impact", + "minLength": 1 + }, + "descriptions": { + "description": "Prose description of the impact scenario. At a minimum provide the description given by CAPEC", + "$ref": "#/definitions/descriptions" + } + } } - }, - "required": [ - "dataType", - "dataFormat", - "dataVersion", - "cveDataMeta" - ], - "additionalProperties": false - }, - { - "properties": { - "dataType": { - "$ref": "#/definitions/dataType" - }, - "dataFormat": { - "$ref": "#/definitions/dataFormat" + }, + "metrics": { + "type": "array", + "description": "collection of impact scores with attribution", + "minItems": 1, + "uniqueItems": true, + "items": { + "type": "object", + "description": "This is impact type information (e.g. a text description, CVSSv2, CVSSv3, etc.). Must contain: At least one entry, can be text, CVSSv2, CVSSv3, others may be added", + "anyOf": [ + { + "required": [ + "cvssV3_1" + ] + }, + { + "required": [ + "cvssV3_0" + ] + }, + { + "required": [ + "cvssV2_0" + ] + }, + { + "required": [ + "other" + ] + } + ], + "properties": { + "format": { + "type": "string", + "descriptions": "Name of the score format. This provides a bit future proofing. Additional properties are not prohibitied, so this will support inclusion of proprietary formats. It also provides an easy future conversion mechanism when future score formats become part of the schema. example: cvssV4_4, format = 'cvssV4_4', other = cvssV4_4 json object. In the future the other properties can be converted to score properties when they become part of the schema.", + "minLength": 1 + }, + "scenario": { + "type": "string", + "default": "GENERAL", + "description": "Description of the scenario this metrics object applies to. If no specific scenarion is given, GENERAL is used as the default and applies when no more specific metric matches.", + "minLength": 1 + }, + "cvssV3_1": { + "$ref": "file:cvss-v3.1.json" + }, + "cvssV3_0": { + "$ref": "file:cvss-v3.0.json" + }, + "cvssV2_0": { + "$ref": "file:cvss-v2.0.json" + }, + "other": { + "type": "object", + "description": "non-standard impact description, may be prose or JSON block", + "required": [ + "type", + "content" + ], + "properties": { + "type": { + "type": "string", + "minLength": 1 + }, + "content": { + "type": "object", + "description": "JSON object not covered by another metrics format", + "minProperties": 1 + } + } + } + } + } + }, + "configurations": { + "type": "array", + "description": "This is configuration information. It is generally meant to contain additional containers (e.g. cveDescription, cveImpact). Must contain: At least one configuration", + "minItems": 1, + "uniqueItems": true, + "items": { + "properties": { + "lang": { + "type": "string", + "description": "ISO 639-2 language code", + "minLength": 1 + }, + "value": { + "description": "Configurations required for exploiting this vulnerability.", + "type": "string", + "minLength": 1 + } + }, + "required": [ + "lang", + "value" + ] + } + }, + "workarounds": { + "type": "array", + "description": "Workarounds and mitigations for this vulnerability.", + "minItems": 1, + "uniqueItems": true, + "items": { + "properties": { + "lang": { + "type": "string", + "description": "ISO 639-2 language code", + "minLength": 1 + }, + "value": { + "type": "string", + "minLength": 1 + } + }, + "required": [ + "lang", + "value" + ] + } + }, + "exploits": { + "type": "array", + "description": "Information about exploits of the vulnerability", + "minItems": 1, + "uniqueItems": true, + "items": { + "properties": { + "lang": { + "type": "string", + "description": "ISO 639-2 language code", + "minLength": 1 + }, + "value": { + "type": "string", + "minLength": 1 + } + }, + "required": [ + "lang", + "value" + ] + } + }, + "timeline": { + "type": "array", + "description": "This is timeline information for significant events about this vulnerability or changes to CVE entry", + "minItems": 1, + "uniqueItems": true, + "items": { + "type": "object", + "required": [ + "time", + "lang", + "value" + ], + "properties": { + "time": { + "$ref": "#/definitions/timestamp" + }, + "lang": { + "type": "string", + "description": "ISO 639-2 language code", + "minLength": 1 + }, + "value": { + "description": "Description of event", + "type": "string", + "minLength": 1 + } + } + } + }, + "credits": { + "type": "array", + "description": "Statements acknowledging specific people/organizations/etc.,", + "minItems": 1, + "uniqueItems": true, + "items": { + "type": "object", + "properties": { + "lang": { + "type": "string", + "description": "ISO 639-2 language code", + "minLength": 1 + }, + "value": { + "type": "string", + "minLength": 1 + } + }, + "required": [ + "lang", + "value" + ] + } + }, + "source": { + "type": "object", + "description": "This is the source information (who discovered it, who researched it, etc.) and optionally a chain of CNA information (e.g. the originating CNA and subsequent parent CNAs who have processed it before it arrives at the MITRE root).\n Must contain: IF this is in the root level it MUST contain a CNA_chain entry, IF this source entry is NOT in the root (e.g. it is part of a vendor statement) then it must contain at least one type of data entry.\n Mandatory in: none | Optional in: all containers", + "minProperties": 1 + } + }, + "oneOf": [ + { + "properties": { + "dataType": { + "$ref": "#/definitions/dataType" + }, + "dataFormat": { + "$ref": "#/definitions/dataFormat" + }, + "dataVersion": { + "$ref": "#/definitions/dataVersion" + }, + "cveDataMeta": { + "$ref": "#/definitions/cveDataMetaPublic" + }, + "containers": { + "$ref": "#/definitions/containers" + } }, - "dataVersion": { - "$ref": "#/definitions/dataVersion" + "required": [ + "dataType", + "dataFormat", + "dataVersion", + "cveDataMeta", + "containers" + ], + "additionalProperties": false + }, + { + "properties": { + "dataType": { + "$ref": "#/definitions/dataType" + }, + "dataFormat": { + "$ref": "#/definitions/dataFormat" + }, + "dataVersion": { + "$ref": "#/definitions/dataVersion" + }, + "cveDataMeta": { + "$ref": "#/definitions/cveDataMetaReserved" + }, + "descriptions": { + "$ref": "#/definitions/descriptions" + } }, - "cveDataMeta": { - "$ref": "#/definitions/cveDataMetaReject" + "required": [ + "dataType", + "dataFormat", + "dataVersion", + "cveDataMeta" + ], + "additionalProperties": false + }, + { + "properties": { + "dataType": { + "$ref": "#/definitions/dataType" + }, + "dataFormat": { + "$ref": "#/definitions/dataFormat" + }, + "dataVersion": { + "$ref": "#/definitions/dataVersion" + }, + "cveDataMeta": { + "$ref": "#/definitions/cveDataMetaReject" + }, + "descriptions": { + "$ref": "#/definitions/descriptions" + } }, - "descriptions": { - "$ref": "#/definitions/descriptions" - } - }, - "required": [ - "dataType", - "dataFormat", - "dataVersion", - "cveDataMeta" - ], - "additionalProperties": false - } - ] -} + "required": [ + "dataType", + "dataFormat", + "dataVersion", + "cveDataMeta" + ], + "additionalProperties": false + } + ] +} \ No newline at end of file