diff --git a/.env b/.env index d53ac3ea7..fec7bf5f6 100644 --- a/.env +++ b/.env @@ -1,4 +1,8 @@ PORT = 3000 LOCAL_KEY=TCF25YM-39C4H6D-KA32EGF-V5XSHN3 +# The duration of the rate limiting window in seconds. +# This defines the time frame for which the rate limit is applied. RATE_LIMIT_WINDOW_SECONDS=60 +# The maximum number of connections allowed within the rate limiting window. +# This sets the threshold for how many requests can be made in the specified time frame. RATE_LIMIT_MAX_CONNECTIONS=1000 diff --git a/api-docs/openapi.json b/api-docs/openapi.json index 0169e993e..13b4b127c 100644 --- a/api-docs/openapi.json +++ b/api-docs/openapi.json @@ -1,12 +1,12 @@ { "openapi": "3.0.2", "info": { - "version": "2.4.0", + "version": "2.5.1", "title": "CVE Services API", - "description": "The CVE Services API supports automation tooling for the CVE Program. Credentials are required for most service endpoints. Representatives of CVE Numbering Authorities (CNAs) should use one of the methods below to obtain credentials:

CVE data is to be in the JSON 5.1 CVE Record format. Details of the JSON 5.1 schema are located here.

Contact the CVE Services team", + "description": "The CVE Services API supports automation tooling for the CVE Program. Credentials are required for most service endpoints. Representatives of CVE Numbering Authorities (CNAs) should use one of the methods below to obtain credentials:

CVE data is to be in the JSON 5.1 CVE Record format. Details of the JSON 5.1 schema are located here.

Contact the CVE Services team", "contact": { "name": "CVE Services Overview", - "url": "https://cveproject.github.io/automation-cve-services#services-overview" + "url": "https://www.cve.org/AllResources/CveServices" } }, "servers": [ @@ -1323,6 +1323,9 @@ }, { "$ref": "#/components/parameters/apiSecretHeader" + }, + { + "$ref": "#/components/parameters/erlCheck" } ], "responses": { @@ -1432,6 +1435,9 @@ }, { "$ref": "#/components/parameters/apiSecretHeader" + }, + { + "$ref": "#/components/parameters/erlCheck" } ], "responses": { @@ -3036,6 +3042,15 @@ "type": "string" } }, + "erlCheck": { + "in": "query", + "name": "erlcheck", + "description": "Enables stricter validation that ensures submitted record meets enrichment data requirements. For a record to be enriched, a CVSS score and a CWE ID must be provided.", + "required": false, + "schema": { + "type": "boolean" + } + }, "batch_type": { "in": "query", "name": "batch_type", @@ -3958,6 +3973,11 @@ "items": { "type": "object", "anyOf": [ + { + "required": [ + "cvssV4_0" + ] + }, { "required": [ "cvssV3_1" @@ -4003,6 +4023,271 @@ ] } }, + "cvssV4_0": { + "$schema": "http://json-schema.org/draft-07/schema#", + "additionalProperties": false, + "allOf": [ + { + "properties": { + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType" + } + } + }, + { + "properties": { + "threatScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType" + }, + "threatSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType" + } + } + }, + { + "properties": { + "environmentalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType" + }, + "environmentalSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType" + } + } + } + ], + "definitions": { + "attackComplexityType": { + "type": "string" + }, + "attackRequirementsType": { + "type": "string" + }, + "attackVectorType": { + "type": "string" + }, + "automatableType": { + "type": "string" + }, + "ciaRequirementType": { + "type": "string" + }, + "criticalScoreType": { + "type": "number" + }, + "criticalSeverityType": { + "const": "string" + }, + "exploitMaturityType": { + "type": "string" + }, + "highScoreType": { + "type": "number" + }, + "highSeverityType": { + "type": "string" + }, + "lowScoreType": { + "type": "number" + }, + "lowSeverityType": { + "type": "string" + }, + "mediumScoreType": { + "type": "number" + }, + "mediumSeverityType": { + "const": "string" + }, + "modifiedAttackComplexityType": { + "type": "string" + }, + "modifiedAttackRequirementsType": { + "type": "string" + }, + "modifiedAttackVectorType": { + "type": "string" + }, + "modifiedPrivilegesRequiredType": { + "type": "string" + }, + "modifiedSubCType": { + "type": "string" + }, + "modifiedSubIaType": { + "type": "string" + }, + "modifiedUserInteractionType": { + "type": "string" + }, + "modifiedVulnCiaType": { + "type": "string" + }, + "noneScoreType": { + "type": "number" + }, + "noneSeverityType": { + "const": "string" + }, + "privilegesRequiredType": { + "type": "string" + }, + "providerUrgencyType": { + "type": "string" + }, + "recoveryType": { + "type": "string" + }, + "safetyType": { + "type": "string" + }, + "scoreType": { + "type": "number" + }, + "severityType": { + "type": "string" + }, + "subCiaType": { + "type": "string" + }, + "userInteractionType": { + "type": "string" + }, + "valueDensityType": { + "type": "string" + }, + "vulnCiaType": { + "type": "string" + }, + "vulnerabilityResponseEffortType": { + "type": "string" + } + }, + "properties": { + "Automatable": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/automatableType" + }, + "Recovery": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/recoveryType" + }, + "Safety": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/safetyType" + }, + "attackComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/attackComplexityType" + }, + "attackRequirements": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/attackRequirementsType" + }, + "attackVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/attackVectorType" + }, + "availabilityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType" + }, + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/scoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/severityType" + }, + "confidentialityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType" + }, + "exploitMaturity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/exploitMaturityType" + }, + "integrityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType" + }, + "modifiedAttackComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackComplexityType" + }, + "modifiedAttackRequirements": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackRequirementsType" + }, + "modifiedAttackVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackVectorType" + }, + "modifiedPrivilegesRequired": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedPrivilegesRequiredType" + }, + "modifiedSubAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubIaType" + }, + "modifiedSubConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubCType" + }, + "modifiedSubIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubIaType" + }, + "modifiedUserInteraction": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedUserInteractionType" + }, + "modifiedVulnAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType" + }, + "modifiedVulnConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType" + }, + "modifiedVulnIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType" + }, + "privilegesRequired": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/privilegesRequiredType" + }, + "providerUrgency": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/providerUrgencyType" + }, + "subAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType" + }, + "subConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType" + }, + "subIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType" + }, + "userInteraction": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/userInteractionType" + }, + "valueDensity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/valueDensityType" + }, + "vectorString": { + "type": "string" + }, + "version": { + "description": "CVSS Version", + "enum": [ + "4.0" + ], + "type": "string" + }, + "vulnAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType" + }, + "vulnConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType" + }, + "vulnIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType" + }, + "vulnerabilityResponseEffort": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnerabilityResponseEffortType" + } + }, + "required": [ + "version", + "vectorString", + "baseScore", + "baseSeverity" + ], + "title": "JSON Schema for Common Vulnerability Scoring System version 4.0", + "type": "object" + }, "cvssV3_1": { "$schema": "http://json-schema.org/draft-07/schema#", "type": "object", diff --git a/package-lock.json b/package-lock.json index 21698ac59..572a65e35 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,6 +1,6 @@ { "name": "cve-services", - "version": "2.3.1", + "version": "2.5.1", "lockfileVersion": 2, "requires": true, "packages": { diff --git a/package.json b/package.json index 9aa412770..9b17b656b 100644 --- a/package.json +++ b/package.json @@ -1,7 +1,7 @@ { "name": "cve-services", "author": "Automation Working Group", - "version": "2.3.1", + "version": "2.5.1", "license": "(CC0)", "devDependencies": { "@faker-js/faker": "^7.6.0", diff --git a/schemas/cve/create-adp-record-adp-request.json b/schemas/cve/create-adp-record-adp-request.json index 3a46ab774..c1264904e 100644 --- a/schemas/cve/create-adp-record-adp-request.json +++ b/schemas/cve/create-adp-record-adp-request.json @@ -581,6 +581,11 @@ "items": { "type": "object", "anyOf": [ + { + "required": [ + "cvssV4_0" + ] + }, { "required": [ "cvssV3_1" @@ -626,6 +631,271 @@ ] } }, + "cvssV4_0": { + "$schema": "http://json-schema.org/draft-07/schema#", + "additionalProperties": false, + "allOf": [ + { + "properties": { + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType" + } + } + }, + { + "properties": { + "threatScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType" + }, + "threatSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType" + } + } + }, + { + "properties": { + "environmentalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType" + }, + "environmentalSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType" + } + } + } + ], + "definitions": { + "attackComplexityType": { + "type": "string" + }, + "attackRequirementsType": { + "type": "string" + }, + "attackVectorType": { + "type": "string" + }, + "automatableType": { + "type": "string" + }, + "ciaRequirementType": { + "type": "string" + }, + "criticalScoreType": { + "type": "number" + }, + "criticalSeverityType": { + "const": "string" + }, + "exploitMaturityType": { + "type": "string" + }, + "highScoreType": { + "type": "number" + }, + "highSeverityType": { + "type": "string" + }, + "lowScoreType": { + "type": "number" + }, + "lowSeverityType": { + "type": "string" + }, + "mediumScoreType": { + "type": "number" + }, + "mediumSeverityType": { + "const": "string" + }, + "modifiedAttackComplexityType": { + "type": "string" + }, + "modifiedAttackRequirementsType": { + "type": "string" + }, + "modifiedAttackVectorType": { + "type": "string" + }, + "modifiedPrivilegesRequiredType": { + "type": "string" + }, + "modifiedSubCType": { + "type": "string" + }, + "modifiedSubIaType": { + "type": "string" + }, + "modifiedUserInteractionType": { + "type": "string" + }, + "modifiedVulnCiaType": { + "type": "string" + }, + "noneScoreType": { + "type": "number" + }, + "noneSeverityType": { + "const": "string" + }, + "privilegesRequiredType": { + "type": "string" + }, + "providerUrgencyType": { + "type": "string" + }, + "recoveryType": { + "type": "string" + }, + "safetyType": { + "type": "string" + }, + "scoreType": { + "type": "number" + }, + "severityType": { + "type": "string" + }, + "subCiaType": { + "type": "string" + }, + "userInteractionType": { + "type": "string" + }, + "valueDensityType": { + "type": "string" + }, + "vulnCiaType": { + "type": "string" + }, + "vulnerabilityResponseEffortType": { + "type": "string" + } + }, + "properties": { + "Automatable": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/automatableType" + }, + "Recovery": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/recoveryType" + }, + "Safety": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/safetyType" + }, + "attackComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/attackComplexityType" + }, + "attackRequirements": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/attackRequirementsType" + }, + "attackVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/attackVectorType" + }, + "availabilityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType" + }, + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/scoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/severityType" + }, + "confidentialityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType" + }, + "exploitMaturity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/exploitMaturityType" + }, + "integrityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType" + }, + "modifiedAttackComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackComplexityType" + }, + "modifiedAttackRequirements": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackRequirementsType" + }, + "modifiedAttackVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackVectorType" + }, + "modifiedPrivilegesRequired": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedPrivilegesRequiredType" + }, + "modifiedSubAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubIaType" + }, + "modifiedSubConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubCType" + }, + "modifiedSubIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubIaType" + }, + "modifiedUserInteraction": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedUserInteractionType" + }, + "modifiedVulnAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType" + }, + "modifiedVulnConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType" + }, + "modifiedVulnIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType" + }, + "privilegesRequired": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/privilegesRequiredType" + }, + "providerUrgency": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/providerUrgencyType" + }, + "subAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType" + }, + "subConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType" + }, + "subIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType" + }, + "userInteraction": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/userInteractionType" + }, + "valueDensity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/valueDensityType" + }, + "vectorString": { + "type": "string" + }, + "version": { + "description": "CVSS Version", + "enum": [ + "4.0" + ], + "type": "string" + }, + "vulnAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType" + }, + "vulnConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType" + }, + "vulnIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType" + }, + "vulnerabilityResponseEffort": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnerabilityResponseEffortType" + } + }, + "required": [ + "version", + "vectorString", + "baseScore", + "baseSeverity" + ], + "title": "JSON Schema for Common Vulnerability Scoring System version 4.0", + "type": "object" + }, "cvssV3_1": { "$schema": "http://json-schema.org/draft-07/schema#", "type": "object", @@ -1315,7 +1585,9 @@ "additionalProperties": false } }, - "required":["adpContainer"], + "required": [ + "adpContainer" + ], "properties": { "adpContainer": { "$ref": "#/definitions/adpContainer" diff --git a/schemas/cve/create-cve-record-cna-request.json b/schemas/cve/create-cve-record-cna-request.json index e46b76117..0f39c162e 100644 --- a/schemas/cve/create-cve-record-cna-request.json +++ b/schemas/cve/create-cve-record-cna-request.json @@ -1,1191 +1,1461 @@ { - "$schema": "http://json-schema.org/draft-07/schema#", - "$id": "https://cve.org/cve/record/v5_00/", - "type": "object", - "title": "CVE JSON record format", - "description": "cve-schema specifies the CVE JSON record format. This is the blueprint for a rich set of JSON data that can be submitted by CVE Numbering Authorities (CNAs) and Authorized Data Publishers (ADPs) to describe a CVE Record. Some examples of CVE Record data include CVE ID number, affected product(s), affected version(s), and public references. While those specific items are required when assigning a CVE, there are many other optional data in the schema that can be used to enrich CVE Records for community benefit. Learn more about the CVE program at [the official website](https://cve.mitre.org). This CVE JSON record format is defined using JSON Schema. Learn more about JSON Schema [here](https://json-schema.org/).", - "definitions": { - "uriType": { - "type": "string", - "format": "uri" + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "https://cve.org/cve/record/v5_00/", + "type": "object", + "title": "CVE JSON record format", + "description": "cve-schema specifies the CVE JSON record format. This is the blueprint for a rich set of JSON data that can be submitted by CVE Numbering Authorities (CNAs) and Authorized Data Publishers (ADPs) to describe a CVE Record. Some examples of CVE Record data include CVE ID number, affected product(s), affected version(s), and public references. While those specific items are required when assigning a CVE, there are many other optional data in the schema that can be used to enrich CVE Records for community benefit. Learn more about the CVE program at [the official website](https://cve.mitre.org). This CVE JSON record format is defined using JSON Schema. Learn more about JSON Schema [here](https://json-schema.org/).", + "definitions": { + "uriType": { + "type": "string", + "format": "uri" + }, + "uuidType": { + "type": "string" + }, + "reference": { + "type": "object", + "required": [ + "url" + ], + "properties": { + "url": { + "$ref": "#/definitions/uriType" }, - "uuidType": { - "type": "string" + "name": { + "type": "string" }, - "reference": { - "type": "object", - "required": [ - "url" - ], - "properties": { - "url": { - "$ref": "#/definitions/uriType" - }, - "name": { - "type": "string" - }, - "tags": { - "type": "array", - "items": { - "oneOf": [ - { - "$ref": "#/definitions/tagExtension" - }, - { - "$schema": "http://json-schema.org/draft-07/schema#", - "$id": "https://cve.mitre.org/cve/v5_00/tags/reference/", - "type": "string" - } - ] - } - } + "tags": { + "type": "array", + "items": { + "oneOf": [ + { + "$ref": "#/definitions/tagExtension" + }, + { + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "https://cve.mitre.org/cve/v5_00/tags/reference/", + "type": "string" + } + ] + } + } + } + }, + "cveId": { + "type": "string" + }, + "orgId": { + "$ref": "#/definitions/uuidType" + }, + "userId": { + "$ref": "#/definitions/uuidType" + }, + "shortName": { + "type": "string" + }, + "datestamp": { + "type": "string", + "format": "date" + }, + "timestamp": { + "type": "string", + "format": "date-time" + }, + "version": { + "type": "string" + }, + "status": { + "type": "string" + }, + "product": { + "type": "object", + "allOf": [ + { + "anyOf": [ + { + "required": [ + "vendor", + "product" + ] + }, + { + "required": [ + "collectionURL", + "packageName" + ] } + ] }, - "cveId": { - "type": "string" + { + "anyOf": [ + { + "required": [ + "versions" + ] + }, + { + "required": [ + "defaultStatus" + ] + } + ] + } + ], + "properties": { + "vendor": { + "type": "string" }, - "orgId": { - "$ref": "#/definitions/uuidType" + "product": { + "type": "string" }, - "userId": { - "$ref": "#/definitions/uuidType" + "collectionURL": { + "$ref": "#/definitions/uriType" }, - "shortName": { - "type": "string" + "packageName": { + "type": "string" }, - "datestamp": { - "type": "string", - "format": "date" + "cpes": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "string" + } }, - "timestamp": { - "type": "string", - "format": "date-time" + "modules": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "string" + } }, - "version": { + "programFiles": { + "type": "array", + "uniqueItems": true, + "items": { "type": "string" + } + }, + "programRoutines": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { + "type": "string" + } + } + } }, - "status": { + "platforms": { + "type": "array", + "uniqueItems": true, + "items": { "type": "string" + } }, - "product": { + "repo": { + "$ref": "#/definitions/uriType" + }, + "defaultStatus": { + "$ref": "#/definitions/status" + }, + "versions": { + "type": "array", + "uniqueItems": true, + "items": { "type": "object", - "allOf": [ - { - "anyOf": [ - { - "required": [ - "vendor", - "product" - ] - }, - { - "required": [ - "collectionURL", - "packageName" - ] - } + "oneOf": [ + { + "required": [ + "version", + "status" + ], + "maxProperties": 2 + }, + { + "required": [ + "version", + "status", + "versionType" + ], + "oneOf": [ + { + "required": [ + "lessThan" ] - }, - { - "anyOf": [ - { - "required": [ - "versions" - ] - }, - { - "required": [ - "defaultStatus" - ] - } + }, + { + "required": [ + "lessThanOrEqual" ] - } + } + ] + } ], "properties": { - "vendor": { - "type": "string" - }, - "product": { - "type": "string" - }, - "collectionURL": { - "$ref": "#/definitions/uriType" - }, - "packageName": { - "type": "string" - }, - "cpes": { - "type": "array", - "uniqueItems": true, - "items": { - "type": "string" - } - }, - "modules": { - "type": "array", - "uniqueItems": true, - "items": { - "type": "string" - } - }, - "programFiles": { - "type": "array", - "uniqueItems": true, - "items": { - "type": "string" - } - }, - "programRoutines": { - "type": "array", - "uniqueItems": true, - "items": { - "type": "object", - "required": [ - "name" - ], - "properties": { - "name": { - "type": "string" - } - } - } - }, - "platforms": { - "type": "array", - "uniqueItems": true, - "items": { - "type": "string" - } - }, - "repo": { - "$ref": "#/definitions/uriType" - }, - "defaultStatus": { - "$ref": "#/definitions/status" - }, - "versions": { - "type": "array", - "uniqueItems": true, - "items": { - "type": "object", - "oneOf": [ - { - "required": [ - "version", - "status" - ], - "maxProperties": 2 - }, - { - "required": [ - "version", - "status", - "versionType" - ], - "oneOf": [ - { - "required": [ - "lessThan" - ] - }, - { - "required": [ - "lessThanOrEqual" - ] - } - ] - } - ], - "properties": { - "version": { - "$ref": "#/definitions/version" - }, - "status": { - "$ref": "#/definitions/status" - }, - "versionType": { - "type": "string" - }, - "lessThan": { - "$ref": "#/definitions/version" - }, - "lessThanOrEqual": { - "$ref": "#/definitions/version" - }, - "changes": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "required": [ - "at", - "status" - ], - "properties": { - "at": { - "$ref": "#/definitions/version" - }, - "status": { - "$ref": "#/definitions/status" - } - } - } - } - } + "version": { + "$ref": "#/definitions/version" + }, + "status": { + "$ref": "#/definitions/status" + }, + "versionType": { + "type": "string" + }, + "lessThan": { + "$ref": "#/definitions/version" + }, + "lessThanOrEqual": { + "$ref": "#/definitions/version" + }, + "changes": { + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "type": "object", + "required": [ + "at", + "status" + ], + "properties": { + "at": { + "$ref": "#/definitions/version" + }, + "status": { + "$ref": "#/definitions/status" } + } } + } } + } + } + } + }, + "dataType": { + "type": "string" + }, + "dataVersion": { + "type": "string" + }, + "cveMetadataPublished": { + "type": "object", + "required": [ + "cveId", + "assignerOrgId", + "state" + ], + "properties": { + "cveId": { + "$ref": "#/definitions/cveId" }, - "dataType": { - "type": "string" + "assignerOrgId": { + "$ref": "#/definitions/orgId" }, - "dataVersion": { - "type": "string" + "assignerShortName": { + "$ref": "#/definitions/shortName" + }, + "requesterUserId": { + "$ref": "#/definitions/userId" + }, + "dateUpdated": { + "$ref": "#/definitions/timestamp" + }, + "serial": { + "type": "integer" + }, + "dateReserved": { + "$ref": "#/definitions/timestamp" + }, + "datePublished": { + "$ref": "#/definitions/timestamp" + }, + "state": { + "type": "string" + } + }, + "additionalProperties": false + }, + "providerMetadata": { + "type": "object", + "properties": { + "orgId": { + "$ref": "#/definitions/orgId" + }, + "shortName": { + "$ref": "#/definitions/shortName" + }, + "dateUpdated": { + "$ref": "#/definitions/timestamp" + } + }, + "required": [ + "orgId" + ] + }, + "affected": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#/definitions/product" + } + }, + "description": { + "type": "object", + "properties": { + "lang": { + "$ref": "#/definitions/language" + }, + "value": { + "type": "string" }, - "cveMetadataPublished": { + "supportingMedia": { + "type": "array", + "uniqueItems": true, + "minItems": 1, + "items": { "type": "object", - "required": [ - "cveId", - "assignerOrgId", - "state" - ], "properties": { - "cveId": { - "$ref": "#/definitions/cveId" - }, - "assignerOrgId": { - "$ref": "#/definitions/orgId" - }, - "assignerShortName": { - "$ref": "#/definitions/shortName" - }, - "requesterUserId": { - "$ref": "#/definitions/userId" - }, - "dateUpdated": { - "$ref": "#/definitions/timestamp" - }, - "serial": { - "type": "integer" - }, - "dateReserved": { - "$ref": "#/definitions/timestamp" + "type": { + "type": "string" + }, + "base64": { + "type": "boolean", + "default": false + }, + "value": { + "type": "string" + } + }, + "required": [ + "type", + "value" + ] + } + } + }, + "required": [ + "lang", + "value" + ], + "additionalProperties": false + }, + "englishLanguageDescription": { + "type": "object", + "properties": { + "lang": { + "$ref": "#/definitions/englishLanguage" + } + }, + "required": [ + "lang" + ] + }, + "descriptions": { + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "$ref": "#/definitions/description" + }, + "contains": { + "$ref": "#/definitions/englishLanguageDescription" + } + }, + "problemTypes": { + "type": "array", + "items": { + "type": "object", + "required": [ + "descriptions" + ], + "properties": { + "descriptions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "lang", + "description" + ], + "properties": { + "lang": { + "$ref": "#/definitions/language" }, - "datePublished": { - "$ref": "#/definitions/timestamp" + "description": { + "type": "string" }, - "state": { - "type": "string" - } - }, - "additionalProperties": false - }, - "providerMetadata": { - "type": "object", - "properties": { - "orgId": { - "$ref": "#/definitions/orgId" + "cweId": { + "type": "string" }, - "shortName": { - "$ref": "#/definitions/shortName" + "type": { + "type": "string" }, - "dateUpdated": { - "$ref": "#/definitions/timestamp" + "references": { + "$ref": "#/definitions/references" } + } }, + "minItems": 1, + "uniqueItems": true + } + } + }, + "minItems": 1, + "uniqueItems": true + }, + "references": { + "type": "array", + "items": { + "$ref": "#/definitions/reference" + }, + "minItems": 1, + "maxItems": 512, + "uniqueItems": true + }, + "impacts": { + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "type": "object", + "required": [ + "descriptions" + ], + "properties": { + "capecId": { + "type": "string" + }, + "descriptions": { + "$ref": "#/definitions/descriptions" + } + } + } + }, + "metrics": { + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "type": "object", + "anyOf": [ + { "required": [ - "orgId" + "cvssV4_0" ] - }, - "affected": { + }, + { + "required": [ + "cvssV3_1" + ] + }, + { + "required": [ + "cvssV3_0" + ] + }, + { + "required": [ + "cvssV2_0" + ] + }, + { + "required": [ + "other" + ] + } + ], + "properties": { + "format": { + "type": "string" + }, + "scenarios": { "type": "array", "minItems": 1, + "uniqueItems": true, "items": { - "$ref": "#/definitions/product" - } - }, - "description": { - "type": "object", - "properties": { + "type": "object", + "properties": { "lang": { - "$ref": "#/definitions/language" + "$ref": "#/definitions/language" }, "value": { - "type": "string" - }, - "supportingMedia": { - "type": "array", - "uniqueItems": true, - "minItems": 1, - "items": { - "type": "object", - "properties": { - "type": { - "type": "string" - }, - "base64": { - "type": "boolean", - "default": false - }, - "value": { - "type": "string" - } - }, - "required": [ - "type", - "value" - ] - } + "type": "string" } - }, - "required": [ + }, + "required": [ "lang", "value" + ] + } + }, + "cvssV4_0": { + "$schema": "http://json-schema.org/draft-07/schema#", + "additionalProperties": false, + "allOf": [ + { + "properties": { + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType" + } + } + }, + { + "properties": { + "threatScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType" + }, + "threatSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType" + } + } + }, + { + "properties": { + "environmentalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType" + }, + "environmentalSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType" + } + } + } ], - "additionalProperties": false - }, - "englishLanguageDescription": { + "definitions": { + "attackComplexityType": { + "type": "string" + }, + "attackRequirementsType": { + "type": "string" + }, + "attackVectorType": { + "type": "string" + }, + "automatableType": { + "type": "string" + }, + "ciaRequirementType": { + "type": "string" + }, + "criticalScoreType": { + "type": "number" + }, + "criticalSeverityType": { + "const": "string" + }, + "exploitMaturityType": { + "type": "string" + }, + "highScoreType": { + "type": "number" + }, + "highSeverityType": { + "type": "string" + }, + "lowScoreType": { + "type": "number" + }, + "lowSeverityType": { + "type": "string" + }, + "mediumScoreType": { + "type": "number" + }, + "mediumSeverityType": { + "const": "string" + }, + "modifiedAttackComplexityType": { + "type": "string" + }, + "modifiedAttackRequirementsType": { + "type": "string" + }, + "modifiedAttackVectorType": { + "type": "string" + }, + "modifiedPrivilegesRequiredType": { + "type": "string" + }, + "modifiedSubCType": { + "type": "string" + }, + "modifiedSubIaType": { + "type": "string" + }, + "modifiedUserInteractionType": { + "type": "string" + }, + "modifiedVulnCiaType": { + "type": "string" + }, + "noneScoreType": { + "type": "number" + }, + "noneSeverityType": { + "const": "string" + }, + "privilegesRequiredType": { + "type": "string" + }, + "providerUrgencyType": { + "type": "string" + }, + "recoveryType": { + "type": "string" + }, + "safetyType": { + "type": "string" + }, + "scoreType": { + "type": "number" + }, + "severityType": { + "type": "string" + }, + "subCiaType": { + "type": "string" + }, + "userInteractionType": { + "type": "string" + }, + "valueDensityType": { + "type": "string" + }, + "vulnCiaType": { + "type": "string" + }, + "vulnerabilityResponseEffortType": { + "type": "string" + } + }, + "properties": { + "Automatable": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/automatableType" + }, + "Recovery": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/recoveryType" + }, + "Safety": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/safetyType" + }, + "attackComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/attackComplexityType" + }, + "attackRequirements": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/attackRequirementsType" + }, + "attackVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/attackVectorType" + }, + "availabilityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType" + }, + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/scoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/severityType" + }, + "confidentialityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType" + }, + "exploitMaturity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/exploitMaturityType" + }, + "integrityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType" + }, + "modifiedAttackComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackComplexityType" + }, + "modifiedAttackRequirements": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackRequirementsType" + }, + "modifiedAttackVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackVectorType" + }, + "modifiedPrivilegesRequired": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedPrivilegesRequiredType" + }, + "modifiedSubAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubIaType" + }, + "modifiedSubConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubCType" + }, + "modifiedSubIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubIaType" + }, + "modifiedUserInteraction": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedUserInteractionType" + }, + "modifiedVulnAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType" + }, + "modifiedVulnConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType" + }, + "modifiedVulnIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType" + }, + "privilegesRequired": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/privilegesRequiredType" + }, + "providerUrgency": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/providerUrgencyType" + }, + "subAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType" + }, + "subConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType" + }, + "subIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType" + }, + "userInteraction": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/userInteractionType" + }, + "valueDensity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/valueDensityType" + }, + "vectorString": { + "type": "string" + }, + "version": { + "description": "CVSS Version", + "enum": [ + "4.0" + ], + "type": "string" + }, + "vulnAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType" + }, + "vulnConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType" + }, + "vulnIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType" + }, + "vulnerabilityResponseEffort": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnerabilityResponseEffortType" + } + }, + "required": [ + "version", + "vectorString", + "baseScore", + "baseSeverity" + ], + "title": "JSON Schema for Common Vulnerability Scoring System version 4.0", + "type": "object" + }, + "cvssV3_1": { + "$schema": "http://json-schema.org/draft-07/schema#", "type": "object", + "definitions": { + "attackVectorType": { + "type": "string" + }, + "modifiedAttackVectorType": { + "type": "string" + }, + "attackComplexityType": { + "type": "string" + }, + "modifiedAttackComplexityType": { + "type": "string" + }, + "privilegesRequiredType": { + "type": "string" + }, + "modifiedPrivilegesRequiredType": { + "type": "string" + }, + "userInteractionType": { + "type": "string" + }, + "modifiedUserInteractionType": { + "type": "string" + }, + "scopeType": { + "type": "string" + }, + "modifiedScopeType": { + "type": "string" + }, + "ciaType": { + "type": "string" + }, + "modifiedCiaType": { + "type": "string" + }, + "exploitCodeMaturityType": { + "type": "string" + }, + "remediationLevelType": { + "type": "string" + }, + "confidenceType": { + "type": "string" + }, + "ciaRequirementType": { + "type": "string" + }, + "scoreType": { + "type": "number" + }, + "severityType": { + "type": "string" + } + }, "properties": { - "lang": { - "$ref": "#/definitions/englishLanguage" - } + "version": { + "description": "CVSS Version", + "type": "string" + }, + "vectorString": { + "type": "string" + }, + "attackVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/attackVectorType" + }, + "attackComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/attackComplexityType" + }, + "privilegesRequired": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/privilegesRequiredType" + }, + "userInteraction": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/userInteractionType" + }, + "scope": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scopeType" + }, + "confidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType" + }, + "integrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType" + }, + "availabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType" + }, + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType" + }, + "exploitCodeMaturity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/exploitCodeMaturityType" + }, + "remediationLevel": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/remediationLevelType" + }, + "reportConfidence": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/confidenceType" + }, + "temporalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType" + }, + "temporalSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType" + }, + "confidentialityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType" + }, + "integrityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType" + }, + "availabilityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType" + }, + "modifiedAttackVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedAttackVectorType" + }, + "modifiedAttackComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedAttackComplexityType" + }, + "modifiedPrivilegesRequired": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedPrivilegesRequiredType" + }, + "modifiedUserInteraction": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedUserInteractionType" + }, + "modifiedScope": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedScopeType" + }, + "modifiedConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType" + }, + "modifiedIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType" + }, + "modifiedAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType" + }, + "environmentalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType" + }, + "environmentalSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType" + } + }, + "required": [ + "version", + "vectorString", + "baseScore", + "baseSeverity" + ] + }, + "cvssV3_0": { + "$schema": "http://json-schema.org/draft-04/schema#", + "type": "object", + "definitions": { + "attackVectorType": { + "type": "string" + }, + "modifiedAttackVectorType": { + "type": "string" + }, + "attackComplexityType": { + "type": "string" + }, + "modifiedAttackComplexityType": { + "type": "string" + }, + "privilegesRequiredType": { + "type": "string" + }, + "modifiedPrivilegesRequiredType": { + "type": "string" + }, + "userInteractionType": { + "type": "string" + }, + "modifiedUserInteractionType": { + "type": "string" + }, + "scopeType": { + "type": "string" + }, + "modifiedScopeType": { + "type": "string" + }, + "ciaType": { + "type": "string" + }, + "modifiedCiaType": { + "type": "string" + }, + "exploitCodeMaturityType": { + "type": "string" + }, + "remediationLevelType": { + "type": "string" + }, + "confidenceType": { + "type": "string" + }, + "ciaRequirementType": { + "type": "string" + }, + "scoreType": { + "type": "number" + }, + "severityType": { + "type": "string" + } + }, + "properties": { + "version": { + "type": "string" + }, + "vectorString": { + "type": "string" + }, + "attackVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/attackVectorType" + }, + "attackComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/attackComplexityType" + }, + "privilegesRequired": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/privilegesRequiredType" + }, + "userInteraction": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/userInteractionType" + }, + "scope": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scopeType" + }, + "confidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType" + }, + "integrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType" + }, + "availabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType" + }, + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType" + }, + "exploitCodeMaturity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/exploitCodeMaturityType" + }, + "remediationLevel": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/remediationLevelType" + }, + "reportConfidence": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/confidenceType" + }, + "temporalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType" + }, + "temporalSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType" + }, + "confidentialityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType" + }, + "integrityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType" + }, + "availabilityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType" + }, + "modifiedAttackVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedAttackVectorType" + }, + "modifiedAttackComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedAttackComplexityType" + }, + "modifiedPrivilegesRequired": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedPrivilegesRequiredType" + }, + "modifiedUserInteraction": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedUserInteractionType" + }, + "modifiedScope": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedScopeType" + }, + "modifiedConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType" + }, + "modifiedIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType" + }, + "modifiedAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType" + }, + "environmentalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType" + }, + "environmentalSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType" + } }, "required": [ - "lang" + "version", + "vectorString", + "baseScore", + "baseSeverity" ] + }, + "cvssV2_0": { + "$schema": "http://json-schema.org/draft-04/schema#", + "type": "object", + "definitions": { + "accessVectorType": { + "type": "string" + }, + "accessComplexityType": { + "type": "string" + }, + "authenticationType": { + "type": "string" + }, + "ciaType": { + "type": "string" + }, + "exploitabilityType": { + "type": "string" + }, + "remediationLevelType": { + "type": "string" + }, + "reportConfidenceType": { + "type": "string" + }, + "collateralDamagePotentialType": { + "type": "string" + }, + "targetDistributionType": { + "type": "string" + }, + "ciaRequirementType": { + "type": "string" + }, + "scoreType": { + "type": "number" + } + }, + "properties": { + "version": { + "type": "string" + }, + "vectorString": { + "type": "string" + }, + "accessVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/accessVectorType" + }, + "accessComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/accessComplexityType" + }, + "authentication": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/authenticationType" + }, + "confidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType" + }, + "integrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType" + }, + "availabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType" + }, + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType" + }, + "exploitability": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/exploitabilityType" + }, + "remediationLevel": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/remediationLevelType" + }, + "reportConfidence": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/reportConfidenceType" + }, + "temporalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType" + }, + "collateralDamagePotential": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/collateralDamagePotentialType" + }, + "targetDistribution": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/targetDistributionType" + }, + "confidentialityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType" + }, + "integrityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType" + }, + "availabilityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType" + }, + "environmentalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType" + } + }, + "required": [ + "version", + "vectorString", + "baseScore" + ] + }, + "other": { + "type": "object", + "required": [ + "type", + "content" + ], + "properties": { + "type": { + "type": "string" + }, + "content": { + "type": "object" + } + } + } + } + } + }, + "configurations": { + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "$ref": "#/definitions/description" + } + }, + "workarounds": { + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "$ref": "#/definitions/description" + } + }, + "solutions": { + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "$ref": "#/definitions/description" + } + }, + "exploits": { + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "$ref": "#/definitions/description" + } + }, + "timeline": { + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "type": "object", + "required": [ + "time", + "lang", + "value" + ], + "properties": { + "time": { + "$ref": "#/definitions/timestamp" + }, + "lang": { + "$ref": "#/definitions/language" + }, + "value": { + "type": "string" + } + } + } + }, + "credits": { + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "type": "object", + "properties": { + "lang": { + "$ref": "#/definitions/language" + }, + "value": { + "type": "string" + }, + "user": { + "$ref": "#/definitions/uuidType" + }, + "type": { + "type": "string" + } }, - "descriptions": { + "required": [ + "lang", + "value" + ] + } + }, + "source": { + "type": "object", + "minProperties": 1 + }, + "language": { + "type": "string" + }, + "englishLanguage": { + "type": "string" + }, + "taxonomyMappings": { + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "type": "object", + "required": [ + "taxonomyName", + "taxonomyRelations" + ], + "properties": { + "taxonomyName": { + "type": "string", + "minLength": 1, + "maxLength": 128 + }, + "taxonomyVersion": { + "type": "string", + "minLength": 1, + "maxLength": 128 + }, + "taxonomyRelations": { "type": "array", "minItems": 1, "uniqueItems": true, "items": { - "$ref": "#/definitions/description" - }, - "contains": { - "$ref": "#/definitions/englishLanguageDescription" + "type": "object", + "required": [ + "taxonomyId", + "relationshipName", + "relationshipValue" + ], + "properties": { + "taxonomyId": { + "type": "string", + "minLength": 1, + "maxLength": 2048 + }, + "relationshipName": { + "type": "string", + "minLength": 1, + "maxLength": 128 + }, + "relationshipValue": { + "type": "string", + "minLength": 1, + "maxLength": 2048 + } + } } + } + } + } + }, + "tagExtension": { + "type": "string" + }, + "cnaTags": { + "type": "array", + "uniqueItems": true, + "minItems": 1, + "items": { + "oneOf": [ + { + "$ref": "#/definitions/tagExtension" + }, + { + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "https://cve.mitre.org/cve/v5_00/tags/cna/", + "type": "string" + } + ] + } + }, + "adpTags": { + "type": "array", + "uniqueItems": true, + "minItems": 1, + "items": { + "oneOf": [ + { + "$ref": "#/definitions/tagExtension" + }, + { + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "https://cve.mitre.org/cve/v5_00/tags/adp/", + "type": "string" + } + ] + } + } + }, + "required": [ + "cnaContainer" + ], + "properties": { + "cnaContainer": { + "type": "object", + "properties": { + "providerMetadata": { + "$ref": "#/definitions/providerMetadata" + }, + "dateAssigned": { + "$ref": "#/definitions/timestamp" + }, + "datePublic": { + "$ref": "#/definitions/timestamp" + }, + "title": { + "type": "string" + }, + "descriptions": { + "$ref": "#/definitions/descriptions" + }, + "affected": { + "$ref": "#/definitions/affected" }, "problemTypes": { - "type": "array", - "items": { - "type": "object", - "required": [ - "descriptions" - ], - "properties": { - "descriptions": { - "type": "array", - "items": { - "type": "object", - "required": [ - "lang", - "description" - ], - "properties": { - "lang": { - "$ref": "#/definitions/language" - }, - "description": { - "type": "string" - }, - "cweId": { - "type": "string" - }, - "type": { - "type": "string" - }, - "references": { - "$ref": "#/definitions/references" - } - } - }, - "minItems": 1, - "uniqueItems": true - } - } - }, - "minItems": 1, - "uniqueItems": true + "$ref": "#/definitions/problemTypes" }, "references": { - "type": "array", - "items": { - "$ref": "#/definitions/reference" - }, - "minItems": 1, - "maxItems": 512, - "uniqueItems": true + "$ref": "#/definitions/references" }, "impacts": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "required": [ - "descriptions" - ], - "properties": { - "capecId": { - "type": "string" - }, - "descriptions": { - "$ref": "#/definitions/descriptions" - } - } - } + "$ref": "#/definitions/impacts" }, "metrics": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "anyOf": [ - { - "required": [ - "cvssV3_1" - ] - }, - { - "required": [ - "cvssV3_0" - ] - }, - { - "required": [ - "cvssV2_0" - ] - }, - { - "required": [ - "other" - ] - } - ], - "properties": { - "format": { - "type": "string" - }, - "scenarios": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "properties": { - "lang": { - "$ref": "#/definitions/language" - }, - "value": { - "type": "string" - } - }, - "required": [ - "lang", - "value" - ] - } - }, - "cvssV3_1": { - "$schema": "http://json-schema.org/draft-07/schema#", - "type": "object", - "definitions": { - "attackVectorType": { - "type": "string" - }, - "modifiedAttackVectorType": { - "type": "string" - }, - "attackComplexityType": { - "type": "string" - }, - "modifiedAttackComplexityType": { - "type": "string" - }, - "privilegesRequiredType": { - "type": "string" - }, - "modifiedPrivilegesRequiredType": { - "type": "string" - }, - "userInteractionType": { - "type": "string" - }, - "modifiedUserInteractionType": { - "type": "string" - }, - "scopeType": { - "type": "string" - }, - "modifiedScopeType": { - "type": "string" - }, - "ciaType": { - "type": "string" - }, - "modifiedCiaType": { - "type": "string" - }, - "exploitCodeMaturityType": { - "type": "string" - }, - "remediationLevelType": { - "type": "string" - }, - "confidenceType": { - "type": "string" - }, - "ciaRequirementType": { - "type": "string" - }, - "scoreType": { - "type": "number" - }, - "severityType": { - "type": "string" - } - }, - "properties": { - "version": { - "description": "CVSS Version", - "type": "string" - }, - "vectorString": { - "type": "string" - }, - "attackVector": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/attackVectorType" - }, - "attackComplexity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/attackComplexityType" - }, - "privilegesRequired": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/privilegesRequiredType" - }, - "userInteraction": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/userInteractionType" - }, - "scope": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scopeType" - }, - "confidentialityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType" - }, - "integrityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType" - }, - "availabilityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType" - }, - "baseScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType" - }, - "baseSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType" - }, - "exploitCodeMaturity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/exploitCodeMaturityType" - }, - "remediationLevel": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/remediationLevelType" - }, - "reportConfidence": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/confidenceType" - }, - "temporalScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType" - }, - "temporalSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType" - }, - "confidentialityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType" - }, - "integrityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType" - }, - "availabilityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType" - }, - "modifiedAttackVector": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedAttackVectorType" - }, - "modifiedAttackComplexity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedAttackComplexityType" - }, - "modifiedPrivilegesRequired": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedPrivilegesRequiredType" - }, - "modifiedUserInteraction": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedUserInteractionType" - }, - "modifiedScope": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedScopeType" - }, - "modifiedConfidentialityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType" - }, - "modifiedIntegrityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType" - }, - "modifiedAvailabilityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType" - }, - "environmentalScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType" - }, - "environmentalSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType" - } - }, - "required": [ - "version", - "vectorString", - "baseScore", - "baseSeverity" - ] - }, - "cvssV3_0": { - "$schema": "http://json-schema.org/draft-04/schema#", - "type": "object", - "definitions": { - "attackVectorType": { - "type": "string" - }, - "modifiedAttackVectorType": { - "type": "string" - }, - "attackComplexityType": { - "type": "string" - }, - "modifiedAttackComplexityType": { - "type": "string" - }, - "privilegesRequiredType": { - "type": "string" - }, - "modifiedPrivilegesRequiredType": { - "type": "string" - }, - "userInteractionType": { - "type": "string" - }, - "modifiedUserInteractionType": { - "type": "string" - }, - "scopeType": { - "type": "string" - }, - "modifiedScopeType": { - "type": "string" - }, - "ciaType": { - "type": "string" - }, - "modifiedCiaType": { - "type": "string" - }, - "exploitCodeMaturityType": { - "type": "string" - }, - "remediationLevelType": { - "type": "string" - }, - "confidenceType": { - "type": "string" - }, - "ciaRequirementType": { - "type": "string" - }, - "scoreType": { - "type": "number" - }, - "severityType": { - "type": "string" - } - }, - "properties": { - "version": { - "type": "string" - }, - "vectorString": { - "type": "string" - }, - "attackVector": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/attackVectorType" - }, - "attackComplexity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/attackComplexityType" - }, - "privilegesRequired": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/privilegesRequiredType" - }, - "userInteraction": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/userInteractionType" - }, - "scope": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scopeType" - }, - "confidentialityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType" - }, - "integrityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType" - }, - "availabilityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType" - }, - "baseScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType" - }, - "baseSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType" - }, - "exploitCodeMaturity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/exploitCodeMaturityType" - }, - "remediationLevel": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/remediationLevelType" - }, - "reportConfidence": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/confidenceType" - }, - "temporalScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType" - }, - "temporalSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType" - }, - "confidentialityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType" - }, - "integrityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType" - }, - "availabilityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType" - }, - "modifiedAttackVector": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedAttackVectorType" - }, - "modifiedAttackComplexity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedAttackComplexityType" - }, - "modifiedPrivilegesRequired": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedPrivilegesRequiredType" - }, - "modifiedUserInteraction": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedUserInteractionType" - }, - "modifiedScope": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedScopeType" - }, - "modifiedConfidentialityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType" - }, - "modifiedIntegrityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType" - }, - "modifiedAvailabilityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType" - }, - "environmentalScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType" - }, - "environmentalSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType" - } - }, - "required": [ - "version", - "vectorString", - "baseScore", - "baseSeverity" - ] - }, - "cvssV2_0": { - "$schema": "http://json-schema.org/draft-04/schema#", - "type": "object", - "definitions": { - "accessVectorType": { - "type": "string" - }, - "accessComplexityType": { - "type": "string" - }, - "authenticationType": { - "type": "string" - }, - "ciaType": { - "type": "string" - }, - "exploitabilityType": { - "type": "string" - }, - "remediationLevelType": { - "type": "string" - }, - "reportConfidenceType": { - "type": "string" - }, - "collateralDamagePotentialType": { - "type": "string" - }, - "targetDistributionType": { - "type": "string" - }, - "ciaRequirementType": { - "type": "string" - }, - "scoreType": { - "type": "number" - } - }, - "properties": { - "version": { - "type": "string" - }, - "vectorString": { - "type": "string" - }, - "accessVector": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/accessVectorType" - }, - "accessComplexity": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/accessComplexityType" - }, - "authentication": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/authenticationType" - }, - "confidentialityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType" - }, - "integrityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType" - }, - "availabilityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType" - }, - "baseScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType" - }, - "exploitability": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/exploitabilityType" - }, - "remediationLevel": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/remediationLevelType" - }, - "reportConfidence": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/reportConfidenceType" - }, - "temporalScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType" - }, - "collateralDamagePotential": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/collateralDamagePotentialType" - }, - "targetDistribution": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/targetDistributionType" - }, - "confidentialityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType" - }, - "integrityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType" - }, - "availabilityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType" - }, - "environmentalScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType" - } - }, - "required": [ - "version", - "vectorString", - "baseScore" - ] - }, - "other": { - "type": "object", - "required": [ - "type", - "content" - ], - "properties": { - "type": { - "type": "string" - }, - "content": { - "type": "object" - } - } - } - } - } + "$ref": "#/definitions/metrics" }, "configurations": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "$ref": "#/definitions/description" - } + "$ref": "#/definitions/configurations" }, "workarounds": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "$ref": "#/definitions/description" - } + "$ref": "#/definitions/workarounds" }, "solutions": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "$ref": "#/definitions/description" - } + "$ref": "#/definitions/solutions" }, "exploits": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "$ref": "#/definitions/description" - } + "$ref": "#/definitions/exploits" }, "timeline": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "required": [ - "time", - "lang", - "value" - ], - "properties": { - "time": { - "$ref": "#/definitions/timestamp" - }, - "lang": { - "$ref": "#/definitions/language" - }, - "value": { - "type": "string" - } - } - } + "$ref": "#/definitions/timeline" }, "credits": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "properties": { - "lang": { - "$ref": "#/definitions/language" - }, - "value": { - "type": "string" - }, - "user": { - "$ref": "#/definitions/uuidType" - }, - "type": { - "type": "string" - } - }, - "required": [ - "lang", - "value" - ] - } + "$ref": "#/definitions/credits" }, "source": { - "type": "object", - "minProperties": 1 + "$ref": "#/definitions/source" }, - "language": { - "type": "string" - }, - "englishLanguage": { - "type": "string" + "tags": { + "$ref": "#/definitions/cnaTags" }, "taxonomyMappings": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "required": [ - "taxonomyName", - "taxonomyRelations" - ], - "properties": { - "taxonomyName": { - "type": "string", - "minLength": 1, - "maxLength": 128 - }, - "taxonomyVersion": { - "type": "string", - "minLength": 1, - "maxLength": 128 - }, - "taxonomyRelations": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "required": [ - "taxonomyId", - "relationshipName", - "relationshipValue" - ], - "properties": { - "taxonomyId": { - "type": "string", - "minLength": 1, - "maxLength": 2048 - }, - "relationshipName": { - "type": "string", - "minLength": 1, - "maxLength": 128 - }, - "relationshipValue": { - "type": "string", - "minLength": 1, - "maxLength": 2048 - } - } - } - } - } - } - }, - "tagExtension": { - "type": "string" - }, - "cnaTags": { - "type": "array", - "uniqueItems": true, - "minItems": 1, - "items": { - "oneOf": [ - { - "$ref": "#/definitions/tagExtension" - }, - { - "$schema": "http://json-schema.org/draft-07/schema#", - "$id": "https://cve.mitre.org/cve/v5_00/tags/cna/", - "type": "string" - } - ] - } - }, - "adpTags": { - "type": "array", - "uniqueItems": true, - "minItems": 1, - "items": { - "oneOf": [ - { - "$ref": "#/definitions/tagExtension" - }, - { - "$schema": "http://json-schema.org/draft-07/schema#", - "$id": "https://cve.mitre.org/cve/v5_00/tags/adp/", - "type": "string" - } - ] - } - } - }, - "required": [ - "cnaContainer" - ], - "properties": { - "cnaContainer": { - "type": "object", - "properties": { - "providerMetadata": { - "$ref": "#/definitions/providerMetadata" - }, - "dateAssigned": { - "$ref": "#/definitions/timestamp" - }, - "datePublic": { - "$ref": "#/definitions/timestamp" - }, - "title": { - "type": "string" - }, - "descriptions": { - "$ref": "#/definitions/descriptions" - }, - "affected": { - "$ref": "#/definitions/affected" - }, - "problemTypes": { - "$ref": "#/definitions/problemTypes" - }, - "references": { - "$ref": "#/definitions/references" - }, - "impacts": { - "$ref": "#/definitions/impacts" - }, - "metrics": { - "$ref": "#/definitions/metrics" - }, - "configurations": { - "$ref": "#/definitions/configurations" - }, - "workarounds": { - "$ref": "#/definitions/workarounds" - }, - "solutions": { - "$ref": "#/definitions/solutions" - }, - "exploits": { - "$ref": "#/definitions/exploits" - }, - "timeline": { - "$ref": "#/definitions/timeline" - }, - "credits": { - "$ref": "#/definitions/credits" - }, - "source": { - "$ref": "#/definitions/source" - }, - "tags": { - "$ref": "#/definitions/cnaTags" - }, - "taxonomyMappings": { - "$ref": "#/definitions/taxonomyMappings" - } - }, - "required": [ - "providerMetadata", - "descriptions", - "affected", - "references" - ], - "patternProperties": { - "^x_[^.]*$": {} - }, - "additionalProperties": false + "$ref": "#/definitions/taxonomyMappings" } + }, + "required": [ + "providerMetadata", + "descriptions", + "affected", + "references" + ], + "patternProperties": { + "^x_[^.]*$": {} + }, + "additionalProperties": false } + } } \ No newline at end of file diff --git a/schemas/cve/create-cve-record-secretariat-request.json b/schemas/cve/create-cve-record-secretariat-request.json index 755ab39b8..39ebaac07 100644 --- a/schemas/cve/create-cve-record-secretariat-request.json +++ b/schemas/cve/create-cve-record-secretariat-request.json @@ -1,1339 +1,1609 @@ { - "$schema": "http://json-schema.org/draft-07/schema#", - "$id": "https://cve.org/cve/record/v5_00/", - "type": "object", - "title": "CVE JSON record format", - "description": "cve-schema specifies the CVE JSON record format. This is the blueprint for a rich set of JSON data that can be submitted by CVE Numbering Authorities (CNAs) and Authorized Data Publishers (ADPs) to describe a CVE Record. Some examples of CVE Record data include CVE ID number, affected product(s), affected version(s), and public references. While those specific items are required when assigning a CVE, there are many other optional data in the schema that can be used to enrich CVE Records for community benefit. Learn more about the CVE program at [the official website](https://cve.mitre.org). This CVE JSON record format is defined using JSON Schema. Learn more about JSON Schema [here](https://json-schema.org/).", - "definitions": { - "uriType": { - "type": "string", - "format": "uri" + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "https://cve.org/cve/record/v5_00/", + "type": "object", + "title": "CVE JSON record format", + "description": "cve-schema specifies the CVE JSON record format. This is the blueprint for a rich set of JSON data that can be submitted by CVE Numbering Authorities (CNAs) and Authorized Data Publishers (ADPs) to describe a CVE Record. Some examples of CVE Record data include CVE ID number, affected product(s), affected version(s), and public references. While those specific items are required when assigning a CVE, there are many other optional data in the schema that can be used to enrich CVE Records for community benefit. Learn more about the CVE program at [the official website](https://cve.mitre.org). This CVE JSON record format is defined using JSON Schema. Learn more about JSON Schema [here](https://json-schema.org/).", + "definitions": { + "uriType": { + "type": "string", + "format": "uri" + }, + "uuidType": { + "type": "string" + }, + "reference": { + "type": "object", + "required": [ + "url" + ], + "properties": { + "url": { + "$ref": "#/definitions/uriType" }, - "uuidType": { - "type": "string" + "name": { + "type": "string" }, - "reference": { - "type": "object", - "required": [ - "url" - ], - "properties": { - "url": { - "$ref": "#/definitions/uriType" - }, - "name": { - "type": "string" - }, - "tags": { - "type": "array", - "items": { - "oneOf": [ - { - "$ref": "#/definitions/tagExtension" - }, - { - "$schema": "http://json-schema.org/draft-07/schema#", - "$id": "https://cve.mitre.org/cve/v5_00/tags/reference/", - "type": "string" - } - ] - } - } + "tags": { + "type": "array", + "items": { + "oneOf": [ + { + "$ref": "#/definitions/tagExtension" + }, + { + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "https://cve.mitre.org/cve/v5_00/tags/reference/", + "type": "string" + } + ] + } + } + } + }, + "cveId": { + "type": "string" + }, + "orgId": { + "$ref": "#/definitions/uuidType" + }, + "userId": { + "$ref": "#/definitions/uuidType" + }, + "shortName": { + "type": "string" + }, + "datestamp": { + "type": "string", + "format": "date" + }, + "timestamp": { + "type": "string", + "format": "date-time" + }, + "version": { + "type": "string" + }, + "status": { + "type": "string" + }, + "product": { + "type": "object", + "allOf": [ + { + "anyOf": [ + { + "required": [ + "vendor", + "product" + ] + }, + { + "required": [ + "collectionURL", + "packageName" + ] } + ] }, - "cveId": { - "type": "string" - }, - "orgId": { - "$ref": "#/definitions/uuidType" + { + "anyOf": [ + { + "required": [ + "versions" + ] + }, + { + "required": [ + "defaultStatus" + ] + } + ] + } + ], + "properties": { + "vendor": { + "type": "string" }, - "userId": { - "$ref": "#/definitions/uuidType" + "product": { + "type": "string" }, - "shortName": { - "type": "string" + "collectionURL": { + "$ref": "#/definitions/uriType" }, - "datestamp": { - "type": "string", - "format": "date" + "packageName": { + "type": "string" }, - "timestamp": { - "type": "string", - "format": "date-time" + "cpes": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "string" + } }, - "version": { + "modules": { + "type": "array", + "uniqueItems": true, + "items": { "type": "string" + } }, - "status": { + "programFiles": { + "type": "array", + "uniqueItems": true, + "items": { "type": "string" + } }, - "product": { + "programRoutines": { + "type": "array", + "uniqueItems": true, + "items": { "type": "object", - "allOf": [ - { - "anyOf": [ - { - "required": [ - "vendor", - "product" - ] - }, - { - "required": [ - "collectionURL", - "packageName" - ] - } - ] - }, - { - "anyOf": [ - { - "required": [ - "versions" - ] - }, - { - "required": [ - "defaultStatus" - ] - } - ] - } + "required": [ + "name" ], "properties": { - "vendor": { - "type": "string" - }, - "product": { - "type": "string" - }, - "collectionURL": { - "$ref": "#/definitions/uriType" - }, - "packageName": { - "type": "string" - }, - "cpes": { - "type": "array", - "uniqueItems": true, - "items": { - "type": "string" - } - }, - "modules": { - "type": "array", - "uniqueItems": true, - "items": { - "type": "string" - } - }, - "programFiles": { - "type": "array", - "uniqueItems": true, - "items": { - "type": "string" - } - }, - "programRoutines": { - "type": "array", - "uniqueItems": true, - "items": { - "type": "object", - "required": [ - "name" - ], - "properties": { - "name": { - "type": "string" - } - } - } - }, - "platforms": { - "type": "array", - "uniqueItems": true, - "items": { - "type": "string" - } - }, - "repo": { - "$ref": "#/definitions/uriType" - }, - "defaultStatus": { - "$ref": "#/definitions/status" - }, - "versions": { - "type": "array", - "uniqueItems": true, - "items": { - "type": "object", - "oneOf": [ - { - "required": [ - "version", - "status" - ], - "maxProperties": 2 - }, - { - "required": [ - "version", - "status", - "versionType" - ], - "oneOf": [ - { - "required": [ - "lessThan" - ] - }, - { - "required": [ - "lessThanOrEqual" - ] - } - ] - } - ], - "properties": { - "version": { - "$ref": "#/definitions/version" - }, - "status": { - "$ref": "#/definitions/status" - }, - "versionType": { - "type": "string" - }, - "lessThan": { - "$ref": "#/definitions/version" - }, - "lessThanOrEqual": { - "$ref": "#/definitions/version" - }, - "changes": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "required": [ - "at", - "status" - ], - "properties": { - "at": { - "$ref": "#/definitions/version" - }, - "status": { - "$ref": "#/definitions/status" - } - } - } - } - } - } - } + "name": { + "type": "string" + } } + } }, - "dataType": { + "platforms": { + "type": "array", + "uniqueItems": true, + "items": { "type": "string" + } }, - "dataVersion": { - "type": "string" + "repo": { + "$ref": "#/definitions/uriType" }, - "cveMetadataPublished": { - "type": "object", - "required": [ - "cveId", - "assignerOrgId", - "state" - ], - "properties": { - "cveId": { - "$ref": "#/definitions/cveId" - }, - "assignerOrgId": { - "$ref": "#/definitions/orgId" - }, - "assignerShortName": { - "$ref": "#/definitions/shortName" - }, - "requesterUserId": { - "$ref": "#/definitions/userId" - }, - "dateUpdated": { - "$ref": "#/definitions/timestamp" - }, - "serial": { - "type": "integer" - }, - "dateReserved": { - "$ref": "#/definitions/timestamp" - }, - "datePublished": { - "$ref": "#/definitions/timestamp" - }, - "state": { - "type": "string" - } - }, - "additionalProperties": false + "defaultStatus": { + "$ref": "#/definitions/status" }, - "cveMetadataRejected": { + "versions": { + "type": "array", + "uniqueItems": true, + "items": { "type": "object", - "required": [ - "cveId", - "assignerOrgId", - "state" + "oneOf": [ + { + "required": [ + "version", + "status" + ], + "maxProperties": 2 + }, + { + "required": [ + "version", + "status", + "versionType" + ], + "oneOf": [ + { + "required": [ + "lessThan" + ] + }, + { + "required": [ + "lessThanOrEqual" + ] + } + ] + } ], "properties": { - "cveId": { - "$ref": "#/definitions/cveId" - }, - "assignerOrgId": { - "$ref": "#/definitions/orgId" - }, - "assignerShortName": { - "$ref": "#/definitions/shortName" - }, - "serial": { - "type": "integer" - }, - "dateUpdated": { - "$ref": "#/definitions/timestamp" - }, - "datePublished": { - "$ref": "#/definitions/timestamp" - }, - "dateRejected": { - "$ref": "#/definitions/timestamp" - }, - "state": { - "type": "string" - }, - "dateReserved": { - "$ref": "#/definitions/timestamp" + "version": { + "$ref": "#/definitions/version" + }, + "status": { + "$ref": "#/definitions/status" + }, + "versionType": { + "type": "string" + }, + "lessThan": { + "$ref": "#/definitions/version" + }, + "lessThanOrEqual": { + "$ref": "#/definitions/version" + }, + "changes": { + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "type": "object", + "required": [ + "at", + "status" + ], + "properties": { + "at": { + "$ref": "#/definitions/version" + }, + "status": { + "$ref": "#/definitions/status" + } + } } - }, - "additionalProperties": false + } + } + } + } + } + }, + "dataType": { + "type": "string" + }, + "dataVersion": { + "type": "string" + }, + "cveMetadataPublished": { + "type": "object", + "required": [ + "cveId", + "assignerOrgId", + "state" + ], + "properties": { + "cveId": { + "$ref": "#/definitions/cveId" + }, + "assignerOrgId": { + "$ref": "#/definitions/orgId" + }, + "assignerShortName": { + "$ref": "#/definitions/shortName" + }, + "requesterUserId": { + "$ref": "#/definitions/userId" + }, + "dateUpdated": { + "$ref": "#/definitions/timestamp" + }, + "serial": { + "type": "integer" + }, + "dateReserved": { + "$ref": "#/definitions/timestamp" + }, + "datePublished": { + "$ref": "#/definitions/timestamp" + }, + "state": { + "type": "string" + } + }, + "additionalProperties": false + }, + "cveMetadataRejected": { + "type": "object", + "required": [ + "cveId", + "assignerOrgId", + "state" + ], + "properties": { + "cveId": { + "$ref": "#/definitions/cveId" + }, + "assignerOrgId": { + "$ref": "#/definitions/orgId" + }, + "assignerShortName": { + "$ref": "#/definitions/shortName" + }, + "serial": { + "type": "integer" + }, + "dateUpdated": { + "$ref": "#/definitions/timestamp" + }, + "datePublished": { + "$ref": "#/definitions/timestamp" + }, + "dateRejected": { + "$ref": "#/definitions/timestamp" + }, + "state": { + "type": "string" + }, + "dateReserved": { + "$ref": "#/definitions/timestamp" + } + }, + "additionalProperties": false + }, + "providerMetadata": { + "type": "object", + "properties": { + "orgId": { + "$ref": "#/definitions/orgId" + }, + "shortName": { + "$ref": "#/definitions/shortName" + }, + "dateUpdated": { + "$ref": "#/definitions/timestamp" + } + }, + "required": [ + "orgId" + ] + }, + "cnaPublishedContainer": { + "type": "object", + "properties": { + "providerMetadata": { + "$ref": "#/definitions/providerMetadata" + }, + "dateAssigned": { + "$ref": "#/definitions/timestamp" + }, + "datePublic": { + "$ref": "#/definitions/timestamp" + }, + "title": { + "type": "string" + }, + "descriptions": { + "$ref": "#/definitions/descriptions" + }, + "affected": { + "$ref": "#/definitions/affected" + }, + "problemTypes": { + "$ref": "#/definitions/problemTypes" + }, + "references": { + "$ref": "#/definitions/references" + }, + "impacts": { + "$ref": "#/definitions/impacts" + }, + "metrics": { + "$ref": "#/definitions/metrics" + }, + "configurations": { + "$ref": "#/definitions/configurations" + }, + "workarounds": { + "$ref": "#/definitions/workarounds" + }, + "solutions": { + "$ref": "#/definitions/solutions" + }, + "exploits": { + "$ref": "#/definitions/exploits" + }, + "timeline": { + "$ref": "#/definitions/timeline" + }, + "credits": { + "$ref": "#/definitions/credits" + }, + "source": { + "$ref": "#/definitions/source" + }, + "tags": { + "$ref": "#/definitions/cnaTags" }, + "taxonomyMappings": { + "$ref": "#/definitions/taxonomyMappings" + } + }, + "required": [ + "providerMetadata", + "descriptions", + "affected", + "references" + ], + "patternProperties": { + "^x_[^.]*$": {} + }, + "additionalProperties": false + }, + "cnaRejectedContainer": { + "type": "object", + "properties": { + "providerMetadata": { + "$ref": "#/definitions/providerMetadata" + }, + "rejectedReasons": { + "$ref": "#/definitions/descriptions" + }, + "replacedBy": { + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "$ref": "#/definitions/cveId" + } + } + }, + "required": [ + "providerMetadata", + "rejectedReasons" + ], + "patternProperties": { + "^x_[^.]*$": {} + }, + "additionalProperties": false + }, + "adpContainer": { + "type": "object", + "properties": { "providerMetadata": { + "$ref": "#/definitions/providerMetadata" + }, + "datePublic": { + "$ref": "#/definitions/timestamp" + }, + "title": { + "type": "string" + }, + "descriptions": { + "$ref": "#/definitions/descriptions" + }, + "affected": { + "$ref": "#/definitions/affected" + }, + "problemTypes": { + "$ref": "#/definitions/problemTypes" + }, + "references": { + "$ref": "#/definitions/references" + }, + "impacts": { + "$ref": "#/definitions/impacts" + }, + "metrics": { + "$ref": "#/definitions/metrics" + }, + "configurations": { + "$ref": "#/definitions/configurations" + }, + "workarounds": { + "$ref": "#/definitions/workarounds" + }, + "solutions": { + "$ref": "#/definitions/solutions" + }, + "exploits": { + "$ref": "#/definitions/exploits" + }, + "timeline": { + "$ref": "#/definitions/timeline" + }, + "credits": { + "$ref": "#/definitions/credits" + }, + "source": { + "$ref": "#/definitions/source" + }, + "tags": { + "$ref": "#/definitions/adpTags" + }, + "taxonomyMappings": { + "$ref": "#/definitions/taxonomyMappings" + } + }, + "required": [ + "providerMetadata" + ], + "minProperties": 2, + "patternProperties": { + "^x_[^.]*$": {} + }, + "additionalProperties": false + }, + "affected": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#/definitions/product" + } + }, + "description": { + "type": "object", + "properties": { + "lang": { + "$ref": "#/definitions/language" + }, + "value": { + "type": "string" + }, + "supportingMedia": { + "type": "array", + "uniqueItems": true, + "minItems": 1, + "items": { "type": "object", "properties": { - "orgId": { - "$ref": "#/definitions/orgId" - }, - "shortName": { - "$ref": "#/definitions/shortName" - }, - "dateUpdated": { - "$ref": "#/definitions/timestamp" - } + "type": { + "type": "string" + }, + "base64": { + "type": "boolean", + "default": false + }, + "value": { + "type": "string" + } }, "required": [ - "orgId" + "type", + "value" ] - }, - "cnaPublishedContainer": { - "type": "object", - "properties": { - "providerMetadata": { - "$ref": "#/definitions/providerMetadata" - }, - "dateAssigned": { - "$ref": "#/definitions/timestamp" - }, - "datePublic": { - "$ref": "#/definitions/timestamp" - }, - "title": { - "type": "string" + } + } + }, + "required": [ + "lang", + "value" + ], + "additionalProperties": false + }, + "englishLanguageDescription": { + "type": "object", + "properties": { + "lang": { + "$ref": "#/definitions/englishLanguage" + } + }, + "required": [ + "lang" + ] + }, + "descriptions": { + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "$ref": "#/definitions/description" + }, + "contains": { + "$ref": "#/definitions/englishLanguageDescription" + } + }, + "problemTypes": { + "type": "array", + "items": { + "type": "object", + "required": [ + "descriptions" + ], + "properties": { + "descriptions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "lang", + "description" + ], + "properties": { + "lang": { + "$ref": "#/definitions/language" }, - "descriptions": { - "$ref": "#/definitions/descriptions" + "description": { + "type": "string" }, - "affected": { - "$ref": "#/definitions/affected" + "cweId": { + "type": "string" }, - "problemTypes": { - "$ref": "#/definitions/problemTypes" + "type": { + "type": "string" }, "references": { - "$ref": "#/definitions/references" - }, - "impacts": { - "$ref": "#/definitions/impacts" - }, - "metrics": { - "$ref": "#/definitions/metrics" - }, - "configurations": { - "$ref": "#/definitions/configurations" - }, - "workarounds": { - "$ref": "#/definitions/workarounds" - }, - "solutions": { - "$ref": "#/definitions/solutions" - }, - "exploits": { - "$ref": "#/definitions/exploits" - }, - "timeline": { - "$ref": "#/definitions/timeline" - }, - "credits": { - "$ref": "#/definitions/credits" - }, - "source": { - "$ref": "#/definitions/source" - }, - "tags": { - "$ref": "#/definitions/cnaTags" - }, - "taxonomyMappings": { - "$ref": "#/definitions/taxonomyMappings" + "$ref": "#/definitions/references" } + } }, + "minItems": 1, + "uniqueItems": true + } + } + }, + "minItems": 1, + "uniqueItems": true + }, + "references": { + "type": "array", + "items": { + "$ref": "#/definitions/reference" + }, + "minItems": 1, + "maxItems": 512, + "uniqueItems": true + }, + "impacts": { + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "type": "object", + "required": [ + "descriptions" + ], + "properties": { + "capecId": { + "type": "string" + }, + "descriptions": { + "$ref": "#/definitions/descriptions" + } + } + } + }, + "metrics": { + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "type": "object", + "anyOf": [ + { "required": [ - "providerMetadata", - "descriptions", - "affected", - "references" - ], - "patternProperties": { - "^x_[^.]*$": {} - }, - "additionalProperties": false - }, - "cnaRejectedContainer": { - "type": "object", - "properties": { - "providerMetadata": { - "$ref": "#/definitions/providerMetadata" - }, - "rejectedReasons": { - "$ref": "#/definitions/descriptions" - }, - "replacedBy": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "$ref": "#/definitions/cveId" - } - } - }, + "cvssV4_0" + ] + }, + { "required": [ - "providerMetadata", - "rejectedReasons" - ], - "patternProperties": { - "^x_[^.]*$": {} - }, - "additionalProperties": false - }, - "adpContainer": { - "type": "object", - "properties": { - "providerMetadata": { - "$ref": "#/definitions/providerMetadata" - }, - "datePublic": { - "$ref": "#/definitions/timestamp" - }, - "title": { - "type": "string" - }, - "descriptions": { - "$ref": "#/definitions/descriptions" - }, - "affected": { - "$ref": "#/definitions/affected" - }, - "problemTypes": { - "$ref": "#/definitions/problemTypes" - }, - "references": { - "$ref": "#/definitions/references" - }, - "impacts": { - "$ref": "#/definitions/impacts" - }, - "metrics": { - "$ref": "#/definitions/metrics" - }, - "configurations": { - "$ref": "#/definitions/configurations" - }, - "workarounds": { - "$ref": "#/definitions/workarounds" - }, - "solutions": { - "$ref": "#/definitions/solutions" - }, - "exploits": { - "$ref": "#/definitions/exploits" - }, - "timeline": { - "$ref": "#/definitions/timeline" - }, - "credits": { - "$ref": "#/definitions/credits" - }, - "source": { - "$ref": "#/definitions/source" - }, - "tags": { - "$ref": "#/definitions/adpTags" - }, - "taxonomyMappings": { - "$ref": "#/definitions/taxonomyMappings" - } - }, + "cvssV3_1" + ] + }, + { "required": [ - "providerMetadata" - ], - "minProperties": 2, - "patternProperties": { - "^x_[^.]*$": {} - }, - "additionalProperties": false - }, - "affected": { + "cvssV3_0" + ] + }, + { + "required": [ + "cvssV2_0" + ] + }, + { + "required": [ + "other" + ] + } + ], + "properties": { + "format": { + "type": "string" + }, + "scenarios": { "type": "array", "minItems": 1, + "uniqueItems": true, "items": { - "$ref": "#/definitions/product" - } - }, - "description": { - "type": "object", - "properties": { + "type": "object", + "properties": { "lang": { - "$ref": "#/definitions/language" + "$ref": "#/definitions/language" }, "value": { - "type": "string" - }, - "supportingMedia": { - "type": "array", - "uniqueItems": true, - "minItems": 1, - "items": { - "type": "object", - "properties": { - "type": { - "type": "string" - }, - "base64": { - "type": "boolean", - "default": false - }, - "value": { - "type": "string" - } - }, - "required": [ - "type", - "value" - ] - } + "type": "string" } - }, - "required": [ + }, + "required": [ "lang", "value" + ] + } + }, + "cvssV4_0": { + "$schema": "http://json-schema.org/draft-07/schema#", + "additionalProperties": false, + "allOf": [ + { + "properties": { + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType" + } + } + }, + { + "properties": { + "threatScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType" + }, + "threatSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType" + } + } + }, + { + "properties": { + "environmentalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType" + }, + "environmentalSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType" + } + } + } ], - "additionalProperties": false - }, - "englishLanguageDescription": { + "definitions": { + "attackComplexityType": { + "type": "string" + }, + "attackRequirementsType": { + "type": "string" + }, + "attackVectorType": { + "type": "string" + }, + "automatableType": { + "type": "string" + }, + "ciaRequirementType": { + "type": "string" + }, + "criticalScoreType": { + "type": "number" + }, + "criticalSeverityType": { + "const": "string" + }, + "exploitMaturityType": { + "type": "string" + }, + "highScoreType": { + "type": "number" + }, + "highSeverityType": { + "type": "string" + }, + "lowScoreType": { + "type": "number" + }, + "lowSeverityType": { + "type": "string" + }, + "mediumScoreType": { + "type": "number" + }, + "mediumSeverityType": { + "const": "string" + }, + "modifiedAttackComplexityType": { + "type": "string" + }, + "modifiedAttackRequirementsType": { + "type": "string" + }, + "modifiedAttackVectorType": { + "type": "string" + }, + "modifiedPrivilegesRequiredType": { + "type": "string" + }, + "modifiedSubCType": { + "type": "string" + }, + "modifiedSubIaType": { + "type": "string" + }, + "modifiedUserInteractionType": { + "type": "string" + }, + "modifiedVulnCiaType": { + "type": "string" + }, + "noneScoreType": { + "type": "number" + }, + "noneSeverityType": { + "const": "string" + }, + "privilegesRequiredType": { + "type": "string" + }, + "providerUrgencyType": { + "type": "string" + }, + "recoveryType": { + "type": "string" + }, + "safetyType": { + "type": "string" + }, + "scoreType": { + "type": "number" + }, + "severityType": { + "type": "string" + }, + "subCiaType": { + "type": "string" + }, + "userInteractionType": { + "type": "string" + }, + "valueDensityType": { + "type": "string" + }, + "vulnCiaType": { + "type": "string" + }, + "vulnerabilityResponseEffortType": { + "type": "string" + } + }, + "properties": { + "Automatable": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/automatableType" + }, + "Recovery": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/recoveryType" + }, + "Safety": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/safetyType" + }, + "attackComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/attackComplexityType" + }, + "attackRequirements": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/attackRequirementsType" + }, + "attackVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/attackVectorType" + }, + "availabilityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType" + }, + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/scoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/severityType" + }, + "confidentialityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType" + }, + "exploitMaturity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/exploitMaturityType" + }, + "integrityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType" + }, + "modifiedAttackComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackComplexityType" + }, + "modifiedAttackRequirements": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackRequirementsType" + }, + "modifiedAttackVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackVectorType" + }, + "modifiedPrivilegesRequired": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedPrivilegesRequiredType" + }, + "modifiedSubAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubIaType" + }, + "modifiedSubConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubCType" + }, + "modifiedSubIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubIaType" + }, + "modifiedUserInteraction": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedUserInteractionType" + }, + "modifiedVulnAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType" + }, + "modifiedVulnConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType" + }, + "modifiedVulnIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType" + }, + "privilegesRequired": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/privilegesRequiredType" + }, + "providerUrgency": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/providerUrgencyType" + }, + "subAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType" + }, + "subConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType" + }, + "subIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType" + }, + "userInteraction": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/userInteractionType" + }, + "valueDensity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/valueDensityType" + }, + "vectorString": { + "type": "string" + }, + "version": { + "description": "CVSS Version", + "enum": [ + "4.0" + ], + "type": "string" + }, + "vulnAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType" + }, + "vulnConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType" + }, + "vulnIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType" + }, + "vulnerabilityResponseEffort": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnerabilityResponseEffortType" + } + }, + "required": [ + "version", + "vectorString", + "baseScore", + "baseSeverity" + ], + "title": "JSON Schema for Common Vulnerability Scoring System version 4.0", + "type": "object" + }, + "cvssV3_1": { + "$schema": "http://json-schema.org/draft-07/schema#", "type": "object", + "definitions": { + "attackVectorType": { + "type": "string" + }, + "modifiedAttackVectorType": { + "type": "string" + }, + "attackComplexityType": { + "type": "string" + }, + "modifiedAttackComplexityType": { + "type": "string" + }, + "privilegesRequiredType": { + "type": "string" + }, + "modifiedPrivilegesRequiredType": { + "type": "string" + }, + "userInteractionType": { + "type": "string" + }, + "modifiedUserInteractionType": { + "type": "string" + }, + "scopeType": { + "type": "string" + }, + "modifiedScopeType": { + "type": "string" + }, + "ciaType": { + "type": "string" + }, + "modifiedCiaType": { + "type": "string" + }, + "exploitCodeMaturityType": { + "type": "string" + }, + "remediationLevelType": { + "type": "string" + }, + "confidenceType": { + "type": "string" + }, + "ciaRequirementType": { + "type": "string" + }, + "scoreType": { + "type": "number" + }, + "severityType": { + "type": "string" + } + }, "properties": { - "lang": { - "$ref": "#/definitions/englishLanguage" - } + "version": { + "description": "CVSS Version", + "type": "string" + }, + "vectorString": { + "type": "string" + }, + "attackVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/attackVectorType" + }, + "attackComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/attackComplexityType" + }, + "privilegesRequired": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/privilegesRequiredType" + }, + "userInteraction": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/userInteractionType" + }, + "scope": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scopeType" + }, + "confidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType" + }, + "integrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType" + }, + "availabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType" + }, + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType" + }, + "exploitCodeMaturity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/exploitCodeMaturityType" + }, + "remediationLevel": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/remediationLevelType" + }, + "reportConfidence": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/confidenceType" + }, + "temporalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType" + }, + "temporalSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType" + }, + "confidentialityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType" + }, + "integrityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType" + }, + "availabilityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType" + }, + "modifiedAttackVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedAttackVectorType" + }, + "modifiedAttackComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedAttackComplexityType" + }, + "modifiedPrivilegesRequired": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedPrivilegesRequiredType" + }, + "modifiedUserInteraction": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedUserInteractionType" + }, + "modifiedScope": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedScopeType" + }, + "modifiedConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType" + }, + "modifiedIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType" + }, + "modifiedAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType" + }, + "environmentalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType" + }, + "environmentalSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType" + } }, "required": [ - "lang" + "version", + "vectorString", + "baseScore", + "baseSeverity" ] - }, - "descriptions": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "$ref": "#/definitions/description" + }, + "cvssV3_0": { + "$schema": "http://json-schema.org/draft-04/schema#", + "type": "object", + "definitions": { + "attackVectorType": { + "type": "string" + }, + "modifiedAttackVectorType": { + "type": "string" + }, + "attackComplexityType": { + "type": "string" + }, + "modifiedAttackComplexityType": { + "type": "string" + }, + "privilegesRequiredType": { + "type": "string" + }, + "modifiedPrivilegesRequiredType": { + "type": "string" + }, + "userInteractionType": { + "type": "string" + }, + "modifiedUserInteractionType": { + "type": "string" + }, + "scopeType": { + "type": "string" + }, + "modifiedScopeType": { + "type": "string" + }, + "ciaType": { + "type": "string" + }, + "modifiedCiaType": { + "type": "string" + }, + "exploitCodeMaturityType": { + "type": "string" + }, + "remediationLevelType": { + "type": "string" + }, + "confidenceType": { + "type": "string" + }, + "ciaRequirementType": { + "type": "string" + }, + "scoreType": { + "type": "number" + }, + "severityType": { + "type": "string" + } }, - "contains": { - "$ref": "#/definitions/englishLanguageDescription" - } - }, - "problemTypes": { - "type": "array", - "items": { - "type": "object", - "required": [ - "descriptions" - ], - "properties": { - "descriptions": { - "type": "array", - "items": { - "type": "object", - "required": [ - "lang", - "description" - ], - "properties": { - "lang": { - "$ref": "#/definitions/language" - }, - "description": { - "type": "string" - }, - "cweId": { - "type": "string" - }, - "type": { - "type": "string" - }, - "references": { - "$ref": "#/definitions/references" - } - } - }, - "minItems": 1, - "uniqueItems": true - } - } + "properties": { + "version": { + "type": "string" + }, + "vectorString": { + "type": "string" + }, + "attackVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/attackVectorType" + }, + "attackComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/attackComplexityType" + }, + "privilegesRequired": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/privilegesRequiredType" + }, + "userInteraction": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/userInteractionType" + }, + "scope": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scopeType" + }, + "confidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType" + }, + "integrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType" + }, + "availabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType" + }, + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType" + }, + "exploitCodeMaturity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/exploitCodeMaturityType" + }, + "remediationLevel": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/remediationLevelType" + }, + "reportConfidence": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/confidenceType" + }, + "temporalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType" + }, + "temporalSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType" + }, + "confidentialityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType" + }, + "integrityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType" + }, + "availabilityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType" + }, + "modifiedAttackVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedAttackVectorType" + }, + "modifiedAttackComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedAttackComplexityType" + }, + "modifiedPrivilegesRequired": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedPrivilegesRequiredType" + }, + "modifiedUserInteraction": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedUserInteractionType" + }, + "modifiedScope": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedScopeType" + }, + "modifiedConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType" + }, + "modifiedIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType" + }, + "modifiedAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType" + }, + "environmentalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType" + }, + "environmentalSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType" + } }, - "minItems": 1, - "uniqueItems": true - }, - "references": { - "type": "array", - "items": { - "$ref": "#/definitions/reference" + "required": [ + "version", + "vectorString", + "baseScore", + "baseSeverity" + ] + }, + "cvssV2_0": { + "$schema": "http://json-schema.org/draft-04/schema#", + "type": "object", + "definitions": { + "accessVectorType": { + "type": "string" + }, + "accessComplexityType": { + "type": "string" + }, + "authenticationType": { + "type": "string" + }, + "ciaType": { + "type": "string" + }, + "exploitabilityType": { + "type": "string" + }, + "remediationLevelType": { + "type": "string" + }, + "reportConfidenceType": { + "type": "string" + }, + "collateralDamagePotentialType": { + "type": "string" + }, + "targetDistributionType": { + "type": "string" + }, + "ciaRequirementType": { + "type": "string" + }, + "scoreType": { + "type": "number" + } }, - "minItems": 1, - "maxItems": 512, - "uniqueItems": true - }, - "impacts": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "required": [ - "descriptions" - ], - "properties": { - "capecId": { - "type": "string" - }, - "descriptions": { - "$ref": "#/definitions/descriptions" - } - } - } - }, - "metrics": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "anyOf": [ - { - "required": [ - "cvssV3_1" - ] - }, - { - "required": [ - "cvssV3_0" - ] - }, - { - "required": [ - "cvssV2_0" - ] - }, - { - "required": [ - "other" - ] - } - ], - "properties": { - "format": { - "type": "string" - }, - "scenarios": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "properties": { - "lang": { - "$ref": "#/definitions/language" - }, - "value": { - "type": "string" - } - }, - "required": [ - "lang", - "value" - ] - } - }, - "cvssV3_1": { - "$schema": "http://json-schema.org/draft-07/schema#", - "type": "object", - "definitions": { - "attackVectorType": { - "type": "string" - }, - "modifiedAttackVectorType": { - "type": "string" - }, - "attackComplexityType": { - "type": "string" - }, - "modifiedAttackComplexityType": { - "type": "string" - }, - "privilegesRequiredType": { - "type": "string" - }, - "modifiedPrivilegesRequiredType": { - "type": "string" - }, - "userInteractionType": { - "type": "string" - }, - "modifiedUserInteractionType": { - "type": "string" - }, - "scopeType": { - "type": "string" - }, - "modifiedScopeType": { - "type": "string" - }, - "ciaType": { - "type": "string" - }, - "modifiedCiaType": { - "type": "string" - }, - "exploitCodeMaturityType": { - "type": "string" - }, - "remediationLevelType": { - "type": "string" - }, - "confidenceType": { - "type": "string" - }, - "ciaRequirementType": { - "type": "string" - }, - "scoreType": { - "type": "number" - }, - "severityType": { - "type": "string" - } - }, - "properties": { - "version": { - "description": "CVSS Version", - "type": "string" - }, - "vectorString": { - "type": "string" - }, - "attackVector": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/attackVectorType" - }, - "attackComplexity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/attackComplexityType" - }, - "privilegesRequired": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/privilegesRequiredType" - }, - "userInteraction": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/userInteractionType" - }, - "scope": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scopeType" - }, - "confidentialityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType" - }, - "integrityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType" - }, - "availabilityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType" - }, - "baseScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType" - }, - "baseSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType" - }, - "exploitCodeMaturity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/exploitCodeMaturityType" - }, - "remediationLevel": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/remediationLevelType" - }, - "reportConfidence": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/confidenceType" - }, - "temporalScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType" - }, - "temporalSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType" - }, - "confidentialityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType" - }, - "integrityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType" - }, - "availabilityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType" - }, - "modifiedAttackVector": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedAttackVectorType" - }, - "modifiedAttackComplexity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedAttackComplexityType" - }, - "modifiedPrivilegesRequired": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedPrivilegesRequiredType" - }, - "modifiedUserInteraction": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedUserInteractionType" - }, - "modifiedScope": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedScopeType" - }, - "modifiedConfidentialityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType" - }, - "modifiedIntegrityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType" - }, - "modifiedAvailabilityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType" - }, - "environmentalScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType" - }, - "environmentalSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType" - } - }, - "required": [ - "version", - "vectorString", - "baseScore", - "baseSeverity" - ] - }, - "cvssV3_0": { - "$schema": "http://json-schema.org/draft-04/schema#", - "type": "object", - "definitions": { - "attackVectorType": { - "type": "string" - }, - "modifiedAttackVectorType": { - "type": "string" - }, - "attackComplexityType": { - "type": "string" - }, - "modifiedAttackComplexityType": { - "type": "string" - }, - "privilegesRequiredType": { - "type": "string" - }, - "modifiedPrivilegesRequiredType": { - "type": "string" - }, - "userInteractionType": { - "type": "string" - }, - "modifiedUserInteractionType": { - "type": "string" - }, - "scopeType": { - "type": "string" - }, - "modifiedScopeType": { - "type": "string" - }, - "ciaType": { - "type": "string" - }, - "modifiedCiaType": { - "type": "string" - }, - "exploitCodeMaturityType": { - "type": "string" - }, - "remediationLevelType": { - "type": "string" - }, - "confidenceType": { - "type": "string" - }, - "ciaRequirementType": { - "type": "string" - }, - "scoreType": { - "type": "number" - }, - "severityType": { - "type": "string" - } - }, - "properties": { - "version": { - "type": "string" - }, - "vectorString": { - "type": "string" - }, - "attackVector": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/attackVectorType" - }, - "attackComplexity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/attackComplexityType" - }, - "privilegesRequired": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/privilegesRequiredType" - }, - "userInteraction": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/userInteractionType" - }, - "scope": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scopeType" - }, - "confidentialityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType" - }, - "integrityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType" - }, - "availabilityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType" - }, - "baseScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType" - }, - "baseSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType" - }, - "exploitCodeMaturity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/exploitCodeMaturityType" - }, - "remediationLevel": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/remediationLevelType" - }, - "reportConfidence": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/confidenceType" - }, - "temporalScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType" - }, - "temporalSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType" - }, - "confidentialityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType" - }, - "integrityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType" - }, - "availabilityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType" - }, - "modifiedAttackVector": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedAttackVectorType" - }, - "modifiedAttackComplexity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedAttackComplexityType" - }, - "modifiedPrivilegesRequired": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedPrivilegesRequiredType" - }, - "modifiedUserInteraction": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedUserInteractionType" - }, - "modifiedScope": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedScopeType" - }, - "modifiedConfidentialityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType" - }, - "modifiedIntegrityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType" - }, - "modifiedAvailabilityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType" - }, - "environmentalScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType" - }, - "environmentalSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType" - } - }, - "required": [ - "version", - "vectorString", - "baseScore", - "baseSeverity" - ] - }, - "cvssV2_0": { - "$schema": "http://json-schema.org/draft-04/schema#", - "type": "object", - "definitions": { - "accessVectorType": { - "type": "string" - }, - "accessComplexityType": { - "type": "string" - }, - "authenticationType": { - "type": "string" - }, - "ciaType": { - "type": "string" - }, - "exploitabilityType": { - "type": "string" - }, - "remediationLevelType": { - "type": "string" - }, - "reportConfidenceType": { - "type": "string" - }, - "collateralDamagePotentialType": { - "type": "string" - }, - "targetDistributionType": { - "type": "string" - }, - "ciaRequirementType": { - "type": "string" - }, - "scoreType": { - "type": "number" - } - }, - "properties": { - "version": { - "type": "string" - }, - "vectorString": { - "type": "string" - }, - "accessVector": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/accessVectorType" - }, - "accessComplexity": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/accessComplexityType" - }, - "authentication": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/authenticationType" - }, - "confidentialityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType" - }, - "integrityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType" - }, - "availabilityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType" - }, - "baseScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType" - }, - "exploitability": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/exploitabilityType" - }, - "remediationLevel": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/remediationLevelType" - }, - "reportConfidence": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/reportConfidenceType" - }, - "temporalScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType" - }, - "collateralDamagePotential": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/collateralDamagePotentialType" - }, - "targetDistribution": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/targetDistributionType" - }, - "confidentialityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType" - }, - "integrityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType" - }, - "availabilityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType" - }, - "environmentalScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType" - } - }, - "required": [ - "version", - "vectorString", - "baseScore" - ] - }, - "other": { - "type": "object", - "required": [ - "type", - "content" - ], - "properties": { - "type": { - "type": "string" - }, - "content": { - "type": "object" - } - } - } - } - } - }, - "configurations": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "$ref": "#/definitions/description" - } - }, - "workarounds": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "$ref": "#/definitions/description" - } - }, - "solutions": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "$ref": "#/definitions/description" - } - }, - "exploits": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "$ref": "#/definitions/description" - } - }, - "timeline": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "required": [ - "time", - "lang", - "value" - ], - "properties": { - "time": { - "$ref": "#/definitions/timestamp" - }, - "lang": { - "$ref": "#/definitions/language" - }, - "value": { - "type": "string" - } - } - } - }, - "credits": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "properties": { - "lang": { - "$ref": "#/definitions/language" - }, - "value": { - "type": "string" - }, - "user": { - "$ref": "#/definitions/uuidType" - }, - "type": { - "type": "string" - } - }, - "required": [ - "lang", - "value" - ] - } - }, - "source": { + "properties": { + "version": { + "type": "string" + }, + "vectorString": { + "type": "string" + }, + "accessVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/accessVectorType" + }, + "accessComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/accessComplexityType" + }, + "authentication": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/authenticationType" + }, + "confidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType" + }, + "integrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType" + }, + "availabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType" + }, + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType" + }, + "exploitability": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/exploitabilityType" + }, + "remediationLevel": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/remediationLevelType" + }, + "reportConfidence": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/reportConfidenceType" + }, + "temporalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType" + }, + "collateralDamagePotential": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/collateralDamagePotentialType" + }, + "targetDistribution": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/targetDistributionType" + }, + "confidentialityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType" + }, + "integrityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType" + }, + "availabilityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType" + }, + "environmentalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType" + } + }, + "required": [ + "version", + "vectorString", + "baseScore" + ] + }, + "other": { "type": "object", - "minProperties": 1 - }, - "language": { - "type": "string" - }, - "englishLanguage": { - "type": "string" - }, - "taxonomyMappings": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "required": [ - "taxonomyName", - "taxonomyRelations" - ], - "properties": { - "taxonomyName": { - "type": "string", - "minLength": 1, - "maxLength": 128 - }, - "taxonomyVersion": { - "type": "string", - "minLength": 1, - "maxLength": 128 - }, - "taxonomyRelations": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "required": [ - "taxonomyId", - "relationshipName", - "relationshipValue" - ], - "properties": { - "taxonomyId": { - "type": "string", - "minLength": 1, - "maxLength": 2048 - }, - "relationshipName": { - "type": "string", - "minLength": 1, - "maxLength": 128 - }, - "relationshipValue": { - "type": "string", - "minLength": 1, - "maxLength": 2048 - } - } - } - } - } + "required": [ + "type", + "content" + ], + "properties": { + "type": { + "type": "string" + }, + "content": { + "type": "object" + } } - }, - "tagExtension": { + } + } + } + }, + "configurations": { + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "$ref": "#/definitions/description" + } + }, + "workarounds": { + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "$ref": "#/definitions/description" + } + }, + "solutions": { + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "$ref": "#/definitions/description" + } + }, + "exploits": { + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "$ref": "#/definitions/description" + } + }, + "timeline": { + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "type": "object", + "required": [ + "time", + "lang", + "value" + ], + "properties": { + "time": { + "$ref": "#/definitions/timestamp" + }, + "lang": { + "$ref": "#/definitions/language" + }, + "value": { "type": "string" + } + } + } + }, + "credits": { + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "type": "object", + "properties": { + "lang": { + "$ref": "#/definitions/language" + }, + "value": { + "type": "string" + }, + "user": { + "$ref": "#/definitions/uuidType" + }, + "type": { + "type": "string" + } }, - "cnaTags": { + "required": [ + "lang", + "value" + ] + } + }, + "source": { + "type": "object", + "minProperties": 1 + }, + "language": { + "type": "string" + }, + "englishLanguage": { + "type": "string" + }, + "taxonomyMappings": { + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "type": "object", + "required": [ + "taxonomyName", + "taxonomyRelations" + ], + "properties": { + "taxonomyName": { + "type": "string", + "minLength": 1, + "maxLength": 128 + }, + "taxonomyVersion": { + "type": "string", + "minLength": 1, + "maxLength": 128 + }, + "taxonomyRelations": { "type": "array", - "uniqueItems": true, "minItems": 1, - "items": { - "oneOf": [ - { - "$ref": "#/definitions/tagExtension" - }, - { - "$schema": "http://json-schema.org/draft-07/schema#", - "$id": "https://cve.mitre.org/cve/v5_00/tags/cna/", - "type": "string" - } - ] - } - }, - "adpTags": { - "type": "array", "uniqueItems": true, - "minItems": 1, "items": { - "oneOf": [ - { - "$ref": "#/definitions/tagExtension" - }, - { - "$schema": "http://json-schema.org/draft-07/schema#", - "$id": "https://cve.mitre.org/cve/v5_00/tags/adp/", - "type": "string" - } - ] + "type": "object", + "required": [ + "taxonomyId", + "relationshipName", + "relationshipValue" + ], + "properties": { + "taxonomyId": { + "type": "string", + "minLength": 1, + "maxLength": 2048 + }, + "relationshipName": { + "type": "string", + "minLength": 1, + "maxLength": 128 + }, + "relationshipValue": { + "type": "string", + "minLength": 1, + "maxLength": 2048 + } + } } + } } + } }, - "oneOf": [ - { - "title": "Create", - "description": "When a CNA populates the data associated with a CVE ID as a CVE Record, the state of the CVE Record is Published.", - "properties": { - "containers": { - "description": "A set of structures (called containers) used to store vulnerability information related to a specific CVE ID provided by a specific organization participating in the CVE program. Each container includes information provided by a different source.\n\nAt minimum, a 'cna' container containing the vulnerability information provided by the CNA who initially assigned the CVE ID must be included.\n\nThere can only be one 'cna' container, as there can only be one assigning CNA. However, there can be multiple 'adp' containers, allowing multiple organizations participating in the CVE program to add additional information related to the vulnerability. For the most part, the 'cna' and 'adp' containers contain the same properties. The main differences are the source of the information and the 'cna' container requires the CNA include certain fields, while the 'adp' container does not.", - "type": "object", - "properties": { - "cna": { - "$ref": "#/definitions/cnaPublishedContainer" - } - }, - "required": [ - "cna" - ], - "additionalProperties": false + "tagExtension": { + "type": "string" + }, + "cnaTags": { + "type": "array", + "uniqueItems": true, + "minItems": 1, + "items": { + "oneOf": [ + { + "$ref": "#/definitions/tagExtension" + }, + { + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "https://cve.mitre.org/cve/v5_00/tags/cna/", + "type": "string" } + ] + } + }, + "adpTags": { + "type": "array", + "uniqueItems": true, + "minItems": 1, + "items": { + "oneOf": [ + { + "$ref": "#/definitions/tagExtension" + }, + { + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "https://cve.mitre.org/cve/v5_00/tags/adp/", + "type": "string" + } + ] + } + } + }, + "oneOf": [ + { + "title": "Create", + "description": "When a CNA populates the data associated with a CVE ID as a CVE Record, the state of the CVE Record is Published.", + "properties": { + "containers": { + "description": "A set of structures (called containers) used to store vulnerability information related to a specific CVE ID provided by a specific organization participating in the CVE program. Each container includes information provided by a different source.\n\nAt minimum, a 'cna' container containing the vulnerability information provided by the CNA who initially assigned the CVE ID must be included.\n\nThere can only be one 'cna' container, as there can only be one assigning CNA. However, there can be multiple 'adp' containers, allowing multiple organizations participating in the CVE program to add additional information related to the vulnerability. For the most part, the 'cna' and 'adp' containers contain the same properties. The main differences are the source of the information and the 'cna' container requires the CNA include certain fields, while the 'adp' container does not.", + "type": "object", + "properties": { + "cna": { + "$ref": "#/definitions/cnaPublishedContainer" + } + }, + "required": [ + "cna" + ], + "additionalProperties": false } } - ] + } + ] } \ No newline at end of file diff --git a/src/constants/index.js b/src/constants/index.js index 2b424b94b..b733add14 100644 --- a/src/constants/index.js +++ b/src/constants/index.js @@ -100,7 +100,9 @@ function getConstants () { CVE_ID_PATTERN: cveSchemaV5.definitions.cveId.pattern, // Ajv's pattern validation uses the "u" (unicode) flag: // https://ajv.js.org/json-schema.html#pattern - CVE_ID_REGEX: new RegExp(cveSchemaV5.definitions.cveId.pattern, 'u') + CVE_ID_REGEX: new RegExp(cveSchemaV5.definitions.cveId.pattern, 'u'), + DATE_FIELDS: ['cveMetadata.datePublished', 'cveMetadata.dateUpdated', 'cveMetadata.dateReserved', 'providerMetadata.dateUpdated', 'datePublic', 'dateAssigned' + ] } return defaults diff --git a/src/controller/cve-id.controller/cve-id.controller.js b/src/controller/cve-id.controller/cve-id.controller.js index 4dd2c0eb5..6d8865696 100644 --- a/src/controller/cve-id.controller/cve-id.controller.js +++ b/src/controller/cve-id.controller/cve-id.controller.js @@ -455,9 +455,22 @@ async function priorityReservation (year, amount, shortName, orgShortName, reque // Cve Id Range for 'year' does not exists if (!result) { - logger.info({ uuid: req.ctx.uuid, message: 'CVE IDs for year ' + year + ' cannot be reserved at this time.' }) - res.header(CONSTANTS.QUOTA_HEADER, availableIds) - return res.status(403).json(error.cannotReserveForYear(year)) + // If there are less than or equal to 90 days until the end of the year, auto reserve it and move on. + // Otherwise throw failure + if (daysUntilYear(year) <= 90) { + // Auto reserve the year + const successfullyReservedYear = await reserveYear(year, req) + if (!successfullyReservedYear) { + logger.info({ uuid: req.ctx.uuid, message: 'CVE IDs for year ' + year + ' failed to be automatically reserved at this time.' }) + res.header(CONSTANTS.QUOTA_HEADER, availableIds) + return res.status(403).json(error.cannotReserveForYear(year)) + } + result = await cveIdRangeRepo.findOne({ cve_year: year }) + } else { + logger.info({ uuid: req.ctx.uuid, message: 'CVE IDs for year ' + year + ' cannot be reserved at this time.' }) + res.header(CONSTANTS.QUOTA_HEADER, availableIds) + return res.status(403).json(error.cannotReserveForYear(year)) + } } const endRange = parseInt(result.ranges.priority.end) @@ -531,9 +544,22 @@ async function sequentialReservation (year, amount, shortName, orgShortName, req // Cve Id Range for 'year' does not exists if (!result) { - logger.info({ uuid: req.ctx.uuid, message: 'CVE IDs for year ' + year + ' cannot be reserved at this time.' }) - res.header(CONSTANTS.QUOTA_HEADER, availableIds) - return res.status(403).json(error.cannotReserveForYear(year)) + // If there are less than or equal to 90 days until the end of the year, auto reserve it and move on. + // Otherwise throw failure + if (daysUntilYear(year) <= 90) { + // Auto reserve the year + const successfullyReservedYear = await reserveYear(year, req) + if (!successfullyReservedYear) { + logger.info({ uuid: req.ctx.uuid, message: 'CVE IDs for year ' + year + ' failed to be automatically reserved at this time.' }) + res.header(CONSTANTS.QUOTA_HEADER, availableIds) + return res.status(403).json(error.cannotReserveForYear(year)) + } + result = await cveIdRangeRepo.findOne({ cve_year: year }) + } else { + logger.info({ uuid: req.ctx.uuid, message: 'CVE IDs for year ' + year + ' cannot be reserved at this time.' }) + res.header(CONSTANTS.QUOTA_HEADER, availableIds) + return res.status(403).json(error.cannotReserveForYear(year)) + } } const topId = parseInt(result.ranges.general.top_id) @@ -627,9 +653,22 @@ async function nonSequentialReservation (year, amount, shortName, orgShortName, // Cve Id Range for 'year' does not exists if (!result) { - logger.info({ uuid: req.ctx.uuid, message: 'CVE IDs for year ' + year + ' cannot be reserved at this time.' }) - res.header(CONSTANTS.QUOTA_HEADER, availableIds) - return res.status(403).json(error.cannotReserveForYear(year)) + // If there are less than or equal to 90 days until the end of the year, auto reserve it and move on. + // Otherwise throw failure + if (daysUntilYear(year) <= 90) { + // Auto reserve the year + const successfullyReservedYear = await reserveYear(year, req) + if (!successfullyReservedYear) { + logger.info({ uuid: req.ctx.uuid, message: 'CVE IDs for year ' + year + ' failed to be automatically reserved at this time.' }) + res.header(CONSTANTS.QUOTA_HEADER, availableIds) + return res.status(403).json(error.cannotReserveForYear(year)) + } + result = await cveIdRangeRepo.findOne({ cve_year: year }) + } else { + logger.info({ uuid: req.ctx.uuid, message: 'CVE IDs for year ' + year + ' cannot be reserved at this time.' }) + res.header(CONSTANTS.QUOTA_HEADER, availableIds) + return res.status(403).json(error.cannotReserveForYear(year)) + } } available = await cveIdRepo.find({ cve_year: year, state: 'AVAILABLE' }, { limit: availableLimit }) // get available ids @@ -944,6 +983,36 @@ function setMinAggregateObj (query) { ] } +function daysUntilYear (targetYear) { + // Get today's date + const today = new Date() + + // Create a date object for January 1st of the target year + const targetDate = new Date(targetYear, 0, 1) // Month is 0-indexed, so 0 is January + + // Calculate the difference in milliseconds + const differenceInMilliseconds = targetDate - today + + // Convert milliseconds to days + const millisecondsPerDay = 1000 * 60 * 60 * 24 + const differenceInDays = Math.ceil(differenceInMilliseconds / millisecondsPerDay) + + return differenceInDays +} + +async function reserveYear (targetYear, req) { + try { + const CONSTANTS = getConstants() + const cveIdRangeRepo = req.ctx.repositories.getCveIdRangeRepository() + const defaultDoc = CONSTANTS.DEFAULT_CVE_ID_RANGE + defaultDoc.cve_year = targetYear + await cveIdRangeRepo.findOneAndUpdate({ cve_year: targetYear }, defaultDoc, { upsert: true }) + return true + } catch (err) { + return false + } +} + module.exports = { CVEID_GET_FILTER: getFilteredCveId, CVEID_RESERVE: reserveCveId, diff --git a/src/controller/cve.controller/cve.controller.js b/src/controller/cve.controller/cve.controller.js index d8e62db7a..687c315fb 100644 --- a/src/controller/cve.controller/cve.controller.js +++ b/src/controller/cve.controller/cve.controller.js @@ -4,8 +4,12 @@ const errors = require('./error') const getConstants = require('../../constants').getConstants const error = new errors.CveControllerError() const booleanIsTrue = require('../../utils/utils').booleanIsTrue +const convertDatesToISO = require('../../utils/utils').convertDatesToISO +const isEnrichedContainer = require('../../utils/utils').isEnrichedContainer const url = process.env.NODE_ENV === 'staging' ? 'https://test.cve.org/' : 'https://cve.org/' +const _ = require('lodash') + // Helper function to create providerMetadata object function createProviderMetadata (orgId, shortName, updateDate) { return { orgId: orgId, shortName: shortName, dateUpdated: updateDate } @@ -331,7 +335,7 @@ async function submitCve (req, res, next) { const CONSTANTS = getConstants() try { - const newCve = new Cve({ cve: req.ctx.body }) + const newCve = new Cve({ cve: convertDatesToISO(req.ctx.body, CONSTANTS.DATE_FIELDS) }) const id = req.ctx.params.id const cveId = newCve.cve.cveMetadata.cveId const state = newCve.cve.cveMetadata.state @@ -351,6 +355,7 @@ async function submitCve (req, res, next) { // check that cve id exists let result = await cveIdRepo.findOneByCveId(id) + const oldCveID = _.cloneDeep(result) if (!result || result.state === CONSTANTS.CVE_STATES.AVAILABLE) { return res.status(403).json(error.cveDne()) } @@ -362,7 +367,10 @@ async function submitCve (req, res, next) { } await cveRepo.updateByCveId(cveId, newCve, { upsert: true }) - await cveIdRepo.updateByCveId(cveId, { state: state }) + + if (oldCveID.state !== state && (state === CONSTANTS.CVE_STATES.PUBLISHED || state === CONSTANTS.CVE_STATES.REJECTED)) { + await cveIdRepo.updateByCveId(cveId, { state: state }) + } const responseMessage = { message: cveId + ' record was successfully created.', @@ -391,7 +399,8 @@ async function updateCve (req, res, next) { const CONSTANTS = getConstants() try { - const newCve = new Cve({ cve: req.ctx.body }) + // All CVE fields are stored in UTC format, we need to check and convert dates to ISO before storing in the database. + const newCve = new Cve({ cve: convertDatesToISO(req.ctx.body, CONSTANTS.DATE_FIELDS) }) const cveId = req.ctx.params.id const cveRepo = req.ctx.repositories.getCveRepository() const cveIdRepo = req.ctx.repositories.getCveIdRepository() @@ -413,6 +422,7 @@ async function updateCve (req, res, next) { logger.info(cveId + ' does not exist.') return res.status(403).json(error.cveDne()) } + const oldCveID = _.cloneDeep(result) result = await cveRepo.findOneByCveId(cveId) if (!result) { @@ -421,7 +431,9 @@ async function updateCve (req, res, next) { } await cveRepo.updateByCveId(cveId, newCve) - await cveIdRepo.updateByCveId(cveId, { state: newCveState }) + if (oldCveID.state !== newCveState && (newCveState === CONSTANTS.CVE_STATES.PUBLISHED || newCveState === CONSTANTS.CVE_STATES.REJECTED)) { + await cveIdRepo.updateByCveId(cveId, { state: newCveState }) + } const responseMessage = { message: cveId + ' record was successfully updated.', @@ -458,6 +470,14 @@ async function submitCna (req, res, next) { const orgUuid = await orgRepo.getOrgUUID(req.ctx.org) const userUuid = await userRepo.getUserUUID(req.ctx.user, orgUuid) + // To avoid breaking legacy behavior in the "booleanIsTrue" function, we need to check to make sure that undefined is set to false + let erlCheck + if (typeof req.query.erlcheck === 'undefined') { + erlCheck = false + } else { + erlCheck = booleanIsTrue(req.query.erlcheck) || false + } + // check that cve id exists let result = await cveIdRepo.findOneByCveId(id) if (!result || result.state === CONSTANTS.CVE_STATES.AVAILABLE) { @@ -477,10 +497,15 @@ async function submitCna (req, res, next) { return res.status(403).json(error.cveRecordExists()) } + const cnaContainer = convertDatesToISO(req.ctx.body.cnaContainer, CONSTANTS.DATE_FIELDS) + if (erlCheck && !isEnrichedContainer(cnaContainer)) { + // Process the ERL check here + return res.status(403).json(error.erlCheckFailed()) + } + // create full cve record here const owningCna = await orgRepo.findOneByUUID(cveId.owning_cna) const assignerShortName = owningCna.short_name - const cnaContainer = req.ctx.body.cnaContainer const dateUpdated = (new Date()).toISOString() const additionalCveMetadataFields = { assignerShortName: assignerShortName, @@ -541,6 +566,14 @@ async function updateCna (req, res, next) { const orgUuid = await orgRepo.getOrgUUID(req.ctx.org) const userUuid = await userRepo.getUserUUID(req.ctx.user, orgUuid) + // To avoid breaking legacy behavior in the "booleanIsTrue" function, we need to check to make sure that undefined is set to false + let erlCheck + if (typeof req.query.erlcheck === 'undefined') { + erlCheck = false + } else { + erlCheck = booleanIsTrue(req.query.erlcheck) || false + } + // check that cve id exists let result = await cveIdRepo.findOneByCveId(id) if (!result || result.state === CONSTANTS.CVE_STATES.AVAILABLE) { @@ -560,9 +593,14 @@ async function updateCna (req, res, next) { return res.status(403).json(error.cveRecordDne()) } + const cnaContainer = convertDatesToISO(req.ctx.body.cnaContainer, CONSTANTS.DATE_FIELDS) + if (erlCheck && !isEnrichedContainer(cnaContainer)) { + // Process the ERL check here + return res.status(403).json(error.erlCheckFailed()) + } + // update cve record here const cveRecord = result.cve - const cnaContainer = req.ctx.body.cnaContainer const dateUpdated = (new Date()).toISOString() cveRecord.cveMetadata.dateUpdated = dateUpdated @@ -657,7 +695,7 @@ async function rejectCVE (req, res, next) { const providerMetadata = createProviderMetadata(providerOrgObj.UUID, req.ctx.org, (new Date()).toISOString()) const rejectedCve = Cve.newRejectedCve(cveIdObj, req.ctx.body, owningCnaShortName, providerMetadata) - const newCveObj = new Cve({ cve: rejectedCve }) + const newCveObj = new Cve({ cve: convertDatesToISO(rejectedCve, CONSTANTS.DATE_FIELDS) }) result = Cve.validateCveRecord(newCveObj.cve) if (!result.isValid) { @@ -728,9 +766,11 @@ async function rejectExistingCve (req, res, next) { result.cve.dataVersion = CONSTANTS.SCHEMA_VERSION } + // old cve record + const oldCveRecord = _.cloneDeep(result) // update CVE record to rejected const updatedRecord = Cve.updateCveToRejected(id, providerMetadata, result.cve, req.ctx.body) - const updatedCve = new Cve({ cve: updatedRecord }) + const updatedCve = new Cve({ cve: convertDatesToISO(updatedRecord, CONSTANTS.DATE_FIELDS) }) result = Cve.validateCveRecord(updatedCve.cve) if (!result.isValid) { @@ -742,10 +782,12 @@ async function rejectExistingCve (req, res, next) { return res.status(500).json(error.unableToUpdateByCveID()) } - // update cveID to rejected - result = await cveIdRepo.updateByCveId(id, { state: CONSTANTS.CVE_STATES.REJECTED }) - if (!result) { - return res.status(500).json(error.serverError()) + // update cveID to rejected only if the previous state was not already rejected + if (oldCveRecord.cve.cveMetadata.state !== CONSTANTS.CVE_STATES.REJECTED) { + result = await cveIdRepo.updateByCveId(id, { state: CONSTANTS.CVE_STATES.REJECTED }) + if (!result) { + return res.status(500).json(error.serverError()) + } } const responseMessage = { @@ -840,7 +882,7 @@ async function insertAdp (req, res, next) { cveRecord.containers.adp.push(adpContainer) } - const cveModel = new Cve({ cve: cveRecord }) + const cveModel = new Cve({ cve: convertDatesToISO(cveRecord, CONSTANTS.DATE_FIELDS) }) result = Cve.validateCveRecord(cveModel.cve) if (!result.isValid) { logger.error(JSON.stringify({ uuid: req.ctx.uuid, message: 'CVE JSON schema validation FAILED.' })) diff --git a/src/controller/cve.controller/error.js b/src/controller/cve.controller/error.js index a270f0c75..2ccd9b3df 100644 --- a/src/controller/cve.controller/error.js +++ b/src/controller/cve.controller/error.js @@ -111,6 +111,13 @@ class CveControllerError extends idrErr.IDRError { err.message = 'The ADP data does not begin with adpContainer.' return err } + + erlCheckFailed () { + const err = {} + err.error = 'ERL_CHECK_FAILED' + err.message = 'The ERL check failed. The CNA container is not enriched and the ERLCheck flag is set.' + return err + } } module.exports = { diff --git a/src/controller/cve.controller/index.js b/src/controller/cve.controller/index.js index d7ae0f586..3d6ef4570 100644 --- a/src/controller/cve.controller/index.js +++ b/src/controller/cve.controller/index.js @@ -549,7 +549,8 @@ router.post('/cve/:id/cna', #swagger.parameters['$ref'] = [ '#/components/parameters/apiEntityHeader', '#/components/parameters/apiUserHeader', - '#/components/parameters/apiSecretHeader' + '#/components/parameters/apiSecretHeader', + '#/components/parameters/erlCheck' ] #swagger.requestBody = { description: '

Notes:

@@ -620,6 +621,8 @@ router.post('/cve/:id/cna', mw.validateUser, mw.onlyCnas, mw.trimJSONWhitespace, + query().custom((query) => { return mw.validateQueryParameterNames(query, ['erlcheck']) }), + query(['erlcheck']).optional().isBoolean({ loose: true }).withMessage(errorMsgs.ERLCHECK), validateCveCnaContainerJsonSchema, validateUniqueEnglishEntry('cnaContainer.descriptions'), validateDescription(['cnaContainer.descriptions', 'cnaContainer.problemTypes[0].descriptions']), @@ -645,7 +648,8 @@ router.put('/cve/:id/cna', #swagger.parameters['$ref'] = [ '#/components/parameters/apiEntityHeader', '#/components/parameters/apiUserHeader', - '#/components/parameters/apiSecretHeader' + '#/components/parameters/apiSecretHeader', + '#/components/parameters/erlCheck' ] #swagger.requestBody = { description: '

Notes:

@@ -717,6 +721,8 @@ router.put('/cve/:id/cna', mw.validateUser, mw.onlyCnas, mw.trimJSONWhitespace, + query().custom((query) => { return mw.validateQueryParameterNames(query, ['erlcheck']) }), + query(['erlcheck']).optional().isBoolean({ loose: true }).withMessage(errorMsgs.ERLCHECK), validateCveCnaContainerJsonSchema, validateUniqueEnglishEntry('cnaContainer.descriptions'), validateDescription(['cnaContainer.descriptions', 'cnaContainer.problemTypes[0].descriptions']), diff --git a/src/middleware/errorMessages.js b/src/middleware/errorMessages.js index 9aa7b9c5c..c7aa7db12 100644 --- a/src/middleware/errorMessages.js +++ b/src/middleware/errorMessages.js @@ -10,6 +10,7 @@ module.exports = { COUNT_ONLY: 'Invalid count_only value. Value should be 1, true, or yes to indicate true, or 0, false, or no to indicate false', TIMESTAMP_FORMAT: "Bad date, or invalid timestamp format: valid format is yyyy-MM-ddTHH:mm:ss or yyyy-MM-ddTHH:mm:ssZZ:ZZ (to use '+' in timezone offset, encode as '%2B). ZZ:ZZ (if used) must be between 00:00 and 23:59.", CNA_MODIFIED: 'Invalid cna_modified value. Value should be 1, true, or yes to indicate true, or 0, false, or no to indicate false', + ERLCHECK: 'Invalid erlcheck value. Value should be 1, true, or yes to indicate true, or 0, false, or no to indicate false', FIRSTNAME_LENGTH: 'Invalid name.first. Name must be between 1 and 100 characters in length.', LASTNAME_LENGTH: 'Invalid name.last. Name must be between 1 and 100 characters in length.', MIDDLENAME_LENGTH: 'Invalid name.middle. Name must be between 1 and 100 characters in length.', diff --git a/src/swagger.js b/src/swagger.js index 29cdbc7f4..2a385396d 100644 --- a/src/swagger.js +++ b/src/swagger.js @@ -18,7 +18,7 @@ const fullCnaContainerRequest = require('../schemas/cve/create-cve-record-cna-re /* eslint-disable no-multi-str */ const doc = { info: { - version: '2.4.0', + version: '2.5.1', title: 'CVE Services API', description: "The CVE Services API supports automation tooling for the CVE Program. Credentials are \ required for most service endpoints. Representatives of \ @@ -34,11 +34,11 @@ const doc = { or MITRE) to request credentials \ \

CVE data is to be in the JSON 5.1 CVE Record format. Details of the JSON 5.1 schema are \ - located here.

\ + located here.

\ Contact the CVE Services team", contact: { name: 'CVE Services Overview', - url: 'https://cveproject.github.io/automation-cve-services#services-overview' + url: 'https://www.cve.org/AllResources/CveServices' } }, @@ -168,6 +168,15 @@ const doc = { type: 'string' } }, + erlCheck: { + in: 'query', + name: 'erlcheck', + description: 'Enables stricter validation that ensures submitted record meets enrichment data requirements. For a record to be enriched, a CVSS score and a CWE ID must be provided.', + required: false, + schema: { + type: 'boolean' + } + }, batch_type: { in: 'query', name: 'batch_type', diff --git a/src/utils/utils.js b/src/utils/utils.js index f6ec5d2a1..1ef6d63d5 100644 --- a/src/utils/utils.js +++ b/src/utils/utils.js @@ -1,6 +1,7 @@ const Org = require('../model/org') const User = require('../model/user') const getConstants = require('../constants').getConstants +const _ = require('lodash') const { DateTime } = require('luxon') async function getOrgUUID (shortName) { @@ -123,6 +124,7 @@ function reqCtxMapping (req, keyType, keys) { } // Return true if boolean is 0, true, or yes, with any mix of casing +// Please note that this function does NOT evaluate "undefined" as false. - A tired developer who lost way too much time to this. function booleanIsTrue (val) { if ((val.toString() === '1') || (val.toString().toLowerCase() === 'true') || @@ -153,15 +155,83 @@ function toDate (val) { return result } +// Covert Dates to ISO format +function convertDatesToISO (obj, dateKeys) { + // Helper function to check if a value is a valid date + function isValidDate (value) { + return value instanceof Date && !isNaN(value) + } + + // Helper function to check if a string is a valid date + function isStringDate (value) { + const date = new Date(value) + return !isNaN(date.getTime()) + } + + function updateDateValue (objectToUpdate, key, value) { + if (isValidDate(value)) { + _.set(objectToUpdate, key, value.toISOString()) + } else if (typeof value === 'string' && isStringDate(value)) { + _.set(objectToUpdate, key, new Date(value).toISOString()) + } + } + + // For the top layer object + for (const key of dateKeys) { + if (_.has(obj, key)) { + const value = _.get(obj, key) + updateDateValue(obj, key, value) + } + } + + // For the ADP(s) + if (_.has(obj, 'containers.adp')) { + // Use lodash for each to loop over array and check for date keys + _.each(obj.containers.adp, (adp) => { + for (const key of dateKeys) { + if (_.has(adp, key)) { + const value = _.get(adp, key) + updateDateValue(adp, key, value) + } + } + }) + } + // For the CNAs + + if (_.has(obj, 'containers.cna')) { + // Use lodash to check the containers.cna object for date keys + for (const key of dateKeys) { + if (_.has(obj.containers.cna, key)) { + const value = _.get(obj.containers.cna, key) + updateDateValue(obj.containers.cna, key, value) + } + } + } + + return obj +} + +function isEnrichedContainer (container) { + const hasCvss = container?.metrics?.some(item => 'cvssV4_0' in item || 'cvssV3_1' in item || 'cvssV3_0' in item || 'cvssV2_0' in item) + const hasCwe = container?.problemTypes?.some(pItem => pItem?.descriptions?.some(dItem => 'cweId' in dItem)) + if (!(hasCvss && hasCwe)) { + return false + } + return true +} + module.exports = { isSecretariat, isBulkDownload, isAdmin, isAdminUUID, isSecretariatUUID, + isEnrichedContainer, getOrgUUID, getUserUUID, reqCtxMapping, booleanIsTrue, - toDate + toDate, + convertDatesToISO + } diff --git a/test/integration-tests/constants.js b/test/integration-tests/constants.js index 87ef53c09..292602f14 100644 --- a/test/integration-tests/constants.js +++ b/test/integration-tests/constants.js @@ -241,6 +241,114 @@ const testAdp2 = { } } +const enrichedCve = { + + cnaContainer: { + affected: [ + { + vendor: 'n/da', + product: 'n/a', + versions: [ + { + version: 'n/a', + status: 'unknown' + } + ] + } + ], + descriptions: [ + { + lang: 'en', + value: "Cross-site scdfgfdgripting (XSS) vulnerability in Revive Adserver before 4.0.1 allows remote authenticated users to inject arbitrary web script or HTML via the user's email address." + } + ], + problemTypes: [ + { + descriptions: [ + { + description: 'n/a', + lang: 'eng', + type: 'text', + cweId: 'CWE-79' + } + ] + } + ], + providerMetadata: { + orgId: '9cbfeea8-dea2-4923-b772-1ab41730e742' + }, + references: [ + { + name: '[oss-security] 20170202 Re: CVE request: multiples vulnerabilities in Revive Adserver', + url: 'http://www.openwall.com/lists/oss-security/2017/02/02/3' + }, + { + name: 'https://www.revive-adserver.com/security/revive-sa-2017-001/', + url: 'https://www.revive-adserver.com/security/revive-sa-2017-001/' + }, + { + name: '95dsf875', + url: 'http://www.securityfocus.com/bid/95875' + } + ], + metrics: [ + { + format: 'CVSS', + scenarios: [ + { + lang: 'en', + value: 'GENERAL' + } + ], + cvssV4_0: { + baseScore: 7.8, + baseSeverity: 'HIGH', + vectorString: 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:L', + version: '4.0' + }, + cvssV3_1: { + version: '3.1', + attackVector: 'NETWORK', + attackComplexity: 'LOW', + privilegesRequired: 'NONE', + userInteraction: 'NONE', + scope: 'UNCHANGED', + confidentialityImpact: 'HIGH', + integrityImpact: 'HIGH', + availabilityImpact: 'HIGH', + baseScore: 9.8, + baseSeverity: 'CRITICAL', + vectorString: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H' + } + }, + { + format: 'CVSS', + scenarios: [ + { + lang: 'en', + value: "If the enhanced host protection mode is turned on, this vulnerability can only be exploited to run os commands as user 'nobody'. Privilege escalation is not possible." + } + ], + cvssV3_1: { + version: '3.1', + attackVector: 'NETWORK', + attackComplexity: 'LOW', + privilegesRequired: 'NONE', + userInteraction: 'NONE', + scope: 'UNCHANGED', + confidentialityImpact: 'LOW', + integrityImpact: 'LOW', + availabilityImpact: 'LOW', + baseScore: 7.3, + baseSeverity: 'HIGH', + vectorString: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L' + } + } + ] + } + +} + const testOrg = { short_name: 'test_org', @@ -278,6 +386,7 @@ module.exports = { nonSecretariatUserHeadersWithAdp2, testCve, testCveEdited, + enrichedCve, testAdp, testAdp2, testOrg, diff --git a/test/integration-tests/cve-id/getCveIdTest.js b/test/integration-tests/cve-id/getCveIdTest.js index 3209b822e..41dc671e0 100644 --- a/test/integration-tests/cve-id/getCveIdTest.js +++ b/test/integration-tests/cve-id/getCveIdTest.js @@ -12,7 +12,7 @@ const app = require('../../../src/index.js') describe('Testing Get CVE-ID endpoint', () => { // TODO: Update this test to dynamically calculate reserved count. - const RESESRVED_COUNT = 120 + const RESESRVED_COUNT = 122 const YEAR_COUNT = 10 const PUB_YEAR_COUNT = 4 const TIME_WINDOW_COUNT = 40 diff --git a/test/integration-tests/cve/erlCheckPOSTTest.js b/test/integration-tests/cve/erlCheckPOSTTest.js new file mode 100644 index 000000000..32da1e905 --- /dev/null +++ b/test/integration-tests/cve/erlCheckPOSTTest.js @@ -0,0 +1,80 @@ +/* eslint-disable no-unused-expressions */ + +const chai = require('chai') +chai.use(require('chai-http')) + +const expect = chai.expect + +const constants = require('../constants.js') +const app = require('../../../src/index.js') +const helpers = require('../helpers.js') + +const requestLength = 1 +const shortName = 'win_5' +const cveYear = '2023' +const batchType = 'non-sequential' + +describe('Testing POST ERLCheck field', () => { + let cveId + beforeEach(async () => { + cveId = await helpers.cveIdReserveHelper(requestLength, cveYear, shortName, batchType) + }) + context('ERL POST Check Tests', () => { + it('POST CVE that is ERL Checked with correct details', async () => { + await chai.request(app) + .post(`/api/cve/${cveId}/cna?erlcheck=true`) + .set(constants.nonSecretariatUserHeaders) + .send(constants.enrichedCve) + .then((res, err) => { + // Safety Expect + expect(err).to.be.undefined + expect(res).to.have.status(200) + }) + }) + + it('POST CVE that is ERL checked with the incorrect details', async () => { + await chai.request(app) + .post(`/api/cve/${cveId}/cna?erlcheck=true`) + .set(constants.nonSecretariatUserHeaders) + .send(constants.testCve) + .then((res, err) => { + // Safety Expect + expect(res).to.have.status(403) + }) + }) + + it('POST CVE that is ERL is false with correct details', async () => { + await chai.request(app) + .post(`/api/cve/${cveId}/cna?erlcheck=false`) + .set(constants.nonSecretariatUserHeaders) + .send(constants.enrichedCve) + .then((res, err) => { + // Safety Expect + expect(err).to.be.undefined + expect(res).to.have.status(200) + }) + }) + + it('POST CVE that is ERL is false with the incorrect details', async () => { + await chai.request(app) + .post(`/api/cve/${cveId}/cna?erlcheck=false`) + .set(constants.nonSecretariatUserHeaders) + .send(constants.testCve) + .then((res, err) => { + // Safety Expect + expect(res).to.have.status(200) + }) + }) + + it('POST CVE that is ERL is null with the incorrect details', async () => { + await chai.request(app) + .post(`/api/cve/${cveId}/cna?erlcheck=null`) + .set(constants.nonSecretariatUserHeaders) + .send(constants.testCve) + .then((res, err) => { + // Safety Expect + expect(res).to.have.status(400) + }) + }) + }) +}) diff --git a/test/integration-tests/cve/erlCheckPUTTest.js b/test/integration-tests/cve/erlCheckPUTTest.js new file mode 100644 index 000000000..bec8bd1c6 --- /dev/null +++ b/test/integration-tests/cve/erlCheckPUTTest.js @@ -0,0 +1,83 @@ +/* eslint-disable no-unused-expressions */ + +const chai = require('chai') +chai.use(require('chai-http')) + +const expect = chai.expect + +const constants = require('../constants.js') +const app = require('../../../src/index.js') +const helpers = require('../helpers.js') + +const requestLength = 1 +const shortName = 'win_5' +const cveYear = '2023' +const batchType = 'non-sequential' + +describe('Testing PUT ERLCheck field', () => { + let cveId + before(async () => { + cveId = await helpers.cveIdReserveHelper(requestLength, cveYear, shortName, batchType) + await helpers.cveRequestAsCnaHelper(cveId) + console.log('HEre') + }) + context('ERL PUT Check Tests', () => { + it('PUT CVE that is ERL Checked with correct details', async () => { + await chai.request(app) + .put(`/api/cve/${cveId}/cna?erlcheck=true`) + .set(constants.nonSecretariatUserHeaders) + .send(constants.enrichedCve) + .then((res, err) => { + // Safety Expect + expect(err).to.be.undefined + expect(res).to.have.status(200) + }) + }) + + it('PUT CVE that is ERL checked with the incorrect details', async () => { + await chai.request(app) + .put(`/api/cve/${cveId}/cna?erlcheck=true`) + .set(constants.nonSecretariatUserHeaders) + .send(constants.testCve) + .then((res, err) => { + // Safety Expect + expect(res).to.have.status(403) + }) + }) + + it('PUT CVE that is ERL is false with correct details', async () => { + await chai.request(app) + .put(`/api/cve/${cveId}/cna?erlcheck=false`) + .set(constants.nonSecretariatUserHeaders) + .send(constants.enrichedCve) + .then((res, err) => { + // Safety Expect + expect(err).to.be.undefined + expect(res).to.have.status(200) + }) + }) + + it('PUT CVE that is ERL is false with the incorrect details', async () => { + await chai.request(app) + .put(`/api/cve/${cveId}/cna?erlcheck=false`) + .set(constants.nonSecretariatUserHeaders) + .send(constants.testCve) + .then((res, err) => { + // Safety Expect + expect(res).to.have.status(200) + }) + }) + + it('PUT CVE that is ERL is null with correct details', async () => { + await chai.request(app) + .put(`/api/cve/${cveId}/cna?erlcheck=null`) + .set(constants.nonSecretariatUserHeaders) + .send(constants.enrichedCve) + .then((res, err) => { + // Safety Expect + expect(err).to.be.undefined + expect(res).to.have.status(400) + }) + }) + }) +}) diff --git a/test/unit-tests/cve/cveCreateTest.js b/test/unit-tests/cve/cveCreateTest.js index 728558df5..16057e821 100644 --- a/test/unit-tests/cve/cveCreateTest.js +++ b/test/unit-tests/cve/cveCreateTest.js @@ -1,3 +1,4 @@ +/* eslint-disable no-unused-vars */ const express = require('express') const app = express() const chai = require('chai') diff --git a/test/unit-tests/cve/cveRecordRejectionTest.js b/test/unit-tests/cve/cveRecordRejectionTest.js index e16e61577..0f3637e46 100644 --- a/test/unit-tests/cve/cveRecordRejectionTest.js +++ b/test/unit-tests/cve/cveRecordRejectionTest.js @@ -1,3 +1,4 @@ +/* eslint-disable no-unused-vars */ const express = require('express') const app = express() const chai = require('chai') diff --git a/test/unit-tests/cve/cveUpdateTest.js b/test/unit-tests/cve/cveUpdateTest.js index 356c9ed41..06f75adc0 100644 --- a/test/unit-tests/cve/cveUpdateTest.js +++ b/test/unit-tests/cve/cveUpdateTest.js @@ -1,3 +1,4 @@ +/* eslint-disable no-unused-vars */ const express = require('express') const app = express() const chai = require('chai') diff --git a/test/unit-tests/cve/updateCnaTest.js b/test/unit-tests/cve/updateCnaTest.js index 7b7beda39..b72cb009e 100644 --- a/test/unit-tests/cve/updateCnaTest.js +++ b/test/unit-tests/cve/updateCnaTest.js @@ -108,6 +108,9 @@ describe('updateCna function', () => { body: { cnaContainer: cnaContainerCopy } + }, + query: { + erlcheck: 'false' } } })