From 50b038e4552b920ff75af6440f63ff5a41ec265f Mon Sep 17 00:00:00 2001 From: david-rocca Date: Wed, 4 Dec 2024 13:30:59 -0500 Subject: [PATCH 01/23] updating version to 2.5.0 --- api-docs/openapi.json | 2 +- src/swagger.js | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/api-docs/openapi.json b/api-docs/openapi.json index 0169e993e..0f88bb0dc 100644 --- a/api-docs/openapi.json +++ b/api-docs/openapi.json @@ -1,7 +1,7 @@ { "openapi": "3.0.2", "info": { - "version": "2.4.0", + "version": "2.5.0", "title": "CVE Services API", "description": "The CVE Services API supports automation tooling for the CVE Program. Credentials are required for most service endpoints. Representatives of CVE Numbering Authorities (CNAs) should use one of the methods below to obtain credentials:

CVE data is to be in the JSON 5.1 CVE Record format. Details of the JSON 5.1 schema are located here.

Contact the CVE Services team", "contact": { diff --git a/src/swagger.js b/src/swagger.js index 29cdbc7f4..fc8bcab90 100644 --- a/src/swagger.js +++ b/src/swagger.js @@ -18,7 +18,7 @@ const fullCnaContainerRequest = require('../schemas/cve/create-cve-record-cna-re /* eslint-disable no-multi-str */ const doc = { info: { - version: '2.4.0', + version: '2.5.0', title: 'CVE Services API', description: "The CVE Services API supports automation tooling for the CVE Program. Credentials are \ required for most service endpoints. Representatives of \ From fdc2c9b4f6ab689fa39f1da4f3882ec061ccc1f9 Mon Sep 17 00:00:00 2001 From: david-rocca Date: Wed, 18 Dec 2024 10:26:52 -0500 Subject: [PATCH 02/23] Added tests for erlcheck parameter --- test/integration-tests/constants.js | 109 ++++++++++++++++++ test/integration-tests/cve-id/getCveIdTest.js | 2 +- .../integration-tests/cve/erlCheckPOSTTest.js | 82 +++++++++++++ test/integration-tests/cve/erlCheckPUTTest.js | 83 +++++++++++++ 4 files changed, 275 insertions(+), 1 deletion(-) create mode 100644 test/integration-tests/cve/erlCheckPOSTTest.js create mode 100644 test/integration-tests/cve/erlCheckPUTTest.js diff --git a/test/integration-tests/constants.js b/test/integration-tests/constants.js index 87ef53c09..292602f14 100644 --- a/test/integration-tests/constants.js +++ b/test/integration-tests/constants.js @@ -241,6 +241,114 @@ const testAdp2 = { } } +const enrichedCve = { + + cnaContainer: { + affected: [ + { + vendor: 'n/da', + product: 'n/a', + versions: [ + { + version: 'n/a', + status: 'unknown' + } + ] + } + ], + descriptions: [ + { + lang: 'en', + value: "Cross-site scdfgfdgripting (XSS) vulnerability in Revive Adserver before 4.0.1 allows remote authenticated users to inject arbitrary web script or HTML via the user's email address." + } + ], + problemTypes: [ + { + descriptions: [ + { + description: 'n/a', + lang: 'eng', + type: 'text', + cweId: 'CWE-79' + } + ] + } + ], + providerMetadata: { + orgId: '9cbfeea8-dea2-4923-b772-1ab41730e742' + }, + references: [ + { + name: '[oss-security] 20170202 Re: CVE request: multiples vulnerabilities in Revive Adserver', + url: 'http://www.openwall.com/lists/oss-security/2017/02/02/3' + }, + { + name: 'https://www.revive-adserver.com/security/revive-sa-2017-001/', + url: 'https://www.revive-adserver.com/security/revive-sa-2017-001/' + }, + { + name: '95dsf875', + url: 'http://www.securityfocus.com/bid/95875' + } + ], + metrics: [ + { + format: 'CVSS', + scenarios: [ + { + lang: 'en', + value: 'GENERAL' + } + ], + cvssV4_0: { + baseScore: 7.8, + baseSeverity: 'HIGH', + vectorString: 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:L', + version: '4.0' + }, + cvssV3_1: { + version: '3.1', + attackVector: 'NETWORK', + attackComplexity: 'LOW', + privilegesRequired: 'NONE', + userInteraction: 'NONE', + scope: 'UNCHANGED', + confidentialityImpact: 'HIGH', + integrityImpact: 'HIGH', + availabilityImpact: 'HIGH', + baseScore: 9.8, + baseSeverity: 'CRITICAL', + vectorString: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H' + } + }, + { + format: 'CVSS', + scenarios: [ + { + lang: 'en', + value: "If the enhanced host protection mode is turned on, this vulnerability can only be exploited to run os commands as user 'nobody'. Privilege escalation is not possible." + } + ], + cvssV3_1: { + version: '3.1', + attackVector: 'NETWORK', + attackComplexity: 'LOW', + privilegesRequired: 'NONE', + userInteraction: 'NONE', + scope: 'UNCHANGED', + confidentialityImpact: 'LOW', + integrityImpact: 'LOW', + availabilityImpact: 'LOW', + baseScore: 7.3, + baseSeverity: 'HIGH', + vectorString: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L' + } + } + ] + } + +} + const testOrg = { short_name: 'test_org', @@ -278,6 +386,7 @@ module.exports = { nonSecretariatUserHeadersWithAdp2, testCve, testCveEdited, + enrichedCve, testAdp, testAdp2, testOrg, diff --git a/test/integration-tests/cve-id/getCveIdTest.js b/test/integration-tests/cve-id/getCveIdTest.js index 3209b822e..41dc671e0 100644 --- a/test/integration-tests/cve-id/getCveIdTest.js +++ b/test/integration-tests/cve-id/getCveIdTest.js @@ -12,7 +12,7 @@ const app = require('../../../src/index.js') describe('Testing Get CVE-ID endpoint', () => { // TODO: Update this test to dynamically calculate reserved count. - const RESESRVED_COUNT = 120 + const RESESRVED_COUNT = 122 const YEAR_COUNT = 10 const PUB_YEAR_COUNT = 4 const TIME_WINDOW_COUNT = 40 diff --git a/test/integration-tests/cve/erlCheckPOSTTest.js b/test/integration-tests/cve/erlCheckPOSTTest.js new file mode 100644 index 000000000..b1df9a9a2 --- /dev/null +++ b/test/integration-tests/cve/erlCheckPOSTTest.js @@ -0,0 +1,82 @@ +/* eslint-disable no-unused-expressions */ + +const chai = require('chai') +chai.use(require('chai-http')) + +const expect = chai.expect + +const constants = require('../constants.js') +const app = require('../../../src/index.js') +const helpers = require('../helpers.js') + +const _ = require('lodash') + +const requestLength = 1 +const shortName = 'win_5' +const cveYear = '2023' +const batchType = 'non-sequential' + +describe('Testing POST ERLCheck field', () => { + let cveId + beforeEach(async () => { + cveId = await helpers.cveIdReserveHelper(requestLength, cveYear, shortName, batchType) + }) + context('ERL POST Check Tests', () => { + it('POST CVE that is ERL Checked with correct details', async () => { + await chai.request(app) + .post(`/api/cve/${cveId}/cna?erlcheck=true`) + .set(constants.nonSecretariatUserHeaders) + .send(constants.enrichedCve) + .then((res, err) => { + // Safety Expect + expect(err).to.be.undefined + expect(res).to.have.status(200) + }) + }) + + it('POST CVE that is ERL checked with the incorrect details', async () => { + await chai.request(app) + .post(`/api/cve/${cveId}/cna?erlcheck=true`) + .set(constants.nonSecretariatUserHeaders) + .send(constants.testCve) + .then((res, err) => { + // Safety Expect + expect(res).to.have.status(403) + }) + }) + + it('POST CVE that is ERL is false with correct details', async () => { + await chai.request(app) + .post(`/api/cve/${cveId}/cna?erlcheck=false`) + .set(constants.nonSecretariatUserHeaders) + .send(constants.enrichedCve) + .then((res, err) => { + // Safety Expect + expect(err).to.be.undefined + expect(res).to.have.status(200) + }) + }) + + it('POST CVE that is ERL is false with the incorrect details', async () => { + await chai.request(app) + .post(`/api/cve/${cveId}/cna?erlcheck=false`) + .set(constants.nonSecretariatUserHeaders) + .send(constants.testCve) + .then((res, err) => { + // Safety Expect + expect(res).to.have.status(200) + }) + }) + + it('POST CVE that is ERL is null with the incorrect details', async () => { + await chai.request(app) + .post(`/api/cve/${cveId}/cna?erlcheck=null`) + .set(constants.nonSecretariatUserHeaders) + .send(constants.testCve) + .then((res, err) => { + // Safety Expect + expect(res).to.have.status(400) + }) + }) + }) +}) diff --git a/test/integration-tests/cve/erlCheckPUTTest.js b/test/integration-tests/cve/erlCheckPUTTest.js new file mode 100644 index 000000000..bec8bd1c6 --- /dev/null +++ b/test/integration-tests/cve/erlCheckPUTTest.js @@ -0,0 +1,83 @@ +/* eslint-disable no-unused-expressions */ + +const chai = require('chai') +chai.use(require('chai-http')) + +const expect = chai.expect + +const constants = require('../constants.js') +const app = require('../../../src/index.js') +const helpers = require('../helpers.js') + +const requestLength = 1 +const shortName = 'win_5' +const cveYear = '2023' +const batchType = 'non-sequential' + +describe('Testing PUT ERLCheck field', () => { + let cveId + before(async () => { + cveId = await helpers.cveIdReserveHelper(requestLength, cveYear, shortName, batchType) + await helpers.cveRequestAsCnaHelper(cveId) + console.log('HEre') + }) + context('ERL PUT Check Tests', () => { + it('PUT CVE that is ERL Checked with correct details', async () => { + await chai.request(app) + .put(`/api/cve/${cveId}/cna?erlcheck=true`) + .set(constants.nonSecretariatUserHeaders) + .send(constants.enrichedCve) + .then((res, err) => { + // Safety Expect + expect(err).to.be.undefined + expect(res).to.have.status(200) + }) + }) + + it('PUT CVE that is ERL checked with the incorrect details', async () => { + await chai.request(app) + .put(`/api/cve/${cveId}/cna?erlcheck=true`) + .set(constants.nonSecretariatUserHeaders) + .send(constants.testCve) + .then((res, err) => { + // Safety Expect + expect(res).to.have.status(403) + }) + }) + + it('PUT CVE that is ERL is false with correct details', async () => { + await chai.request(app) + .put(`/api/cve/${cveId}/cna?erlcheck=false`) + .set(constants.nonSecretariatUserHeaders) + .send(constants.enrichedCve) + .then((res, err) => { + // Safety Expect + expect(err).to.be.undefined + expect(res).to.have.status(200) + }) + }) + + it('PUT CVE that is ERL is false with the incorrect details', async () => { + await chai.request(app) + .put(`/api/cve/${cveId}/cna?erlcheck=false`) + .set(constants.nonSecretariatUserHeaders) + .send(constants.testCve) + .then((res, err) => { + // Safety Expect + expect(res).to.have.status(200) + }) + }) + + it('PUT CVE that is ERL is null with correct details', async () => { + await chai.request(app) + .put(`/api/cve/${cveId}/cna?erlcheck=null`) + .set(constants.nonSecretariatUserHeaders) + .send(constants.enrichedCve) + .then((res, err) => { + // Safety Expect + expect(err).to.be.undefined + expect(res).to.have.status(400) + }) + }) + }) +}) From 571b68f5c5951d643df1d5e2494164229cae3850 Mon Sep 17 00:00:00 2001 From: david-rocca Date: Wed, 18 Dec 2024 11:08:17 -0500 Subject: [PATCH 03/23] Fix dead links in swagger, also updated documentation --- api-docs/openapi.json | 27 +++++++++++++++------------ src/swagger.js | 15 ++++++++++++--- 2 files changed, 27 insertions(+), 15 deletions(-) diff --git a/api-docs/openapi.json b/api-docs/openapi.json index 0169e993e..b7e573aa5 100644 --- a/api-docs/openapi.json +++ b/api-docs/openapi.json @@ -1,12 +1,12 @@ { "openapi": "3.0.2", "info": { - "version": "2.4.0", + "version": "2.5.0", "title": "CVE Services API", - "description": "The CVE Services API supports automation tooling for the CVE Program. Credentials are required for most service endpoints. Representatives of CVE Numbering Authorities (CNAs) should use one of the methods below to obtain credentials:
  • If your organization already has an Organizational Administrator (OA) account for the CVE Services, ask your admin for credentials
  • Contact your Root (Google, INCIBE, JPCERT/CC, or Red Hat) or Top-Level Root (CISA ICS or MITRE) to request credentials

CVE data is to be in the JSON 5.1 CVE Record format. Details of the JSON 5.1 schema are located here.

Contact the CVE Services team", + "description": "The CVE Services API supports automation tooling for the CVE Program. Credentials are required for most service endpoints. Representatives of CVE Numbering Authorities (CNAs) should use one of the methods below to obtain credentials:
  • If your organization already has an Organizational Administrator (OA) account for the CVE Services, ask your admin for credentials
  • Contact your Root (Google, INCIBE, JPCERT/CC, or Red Hat) or Top-Level Root (CISA ICS or MITRE) to request credentials

CVE data is to be in the JSON 5.1 CVE Record format. Details of the JSON 5.1 schema are located here.

Contact the CVE Services team", "contact": { "name": "CVE Services Overview", - "url": "https://cveproject.github.io/automation-cve-services#services-overview" + "url": "https://www.cve.org/AllResources/CveServices" } }, "servers": [ @@ -1323,6 +1323,9 @@ }, { "$ref": "#/components/parameters/apiSecretHeader" + }, + { + "$ref": "#/components/parameters/erlCheck" } ], "responses": { @@ -1423,15 +1426,6 @@ "type": "string" }, "description": "The CVE ID for which the record is being updated" - }, - { - "$ref": "#/components/parameters/apiEntityHeader" - }, - { - "$ref": "#/components/parameters/apiUserHeader" - }, - { - "$ref": "#/components/parameters/apiSecretHeader" } ], "responses": { @@ -3036,6 +3030,15 @@ "type": "string" } }, + "erlCheck": { + "in": "query", + "name": "erlcheck", + "description": "Enables stricter validation that ensures submitted record meets enrichment data requirements", + "required": false, + "schema": { + "type": "boolean" + } + }, "batch_type": { "in": "query", "name": "batch_type", diff --git a/src/swagger.js b/src/swagger.js index 29cdbc7f4..630c0a2c8 100644 --- a/src/swagger.js +++ b/src/swagger.js @@ -18,7 +18,7 @@ const fullCnaContainerRequest = require('../schemas/cve/create-cve-record-cna-re /* eslint-disable no-multi-str */ const doc = { info: { - version: '2.4.0', + version: '2.5.0', title: 'CVE Services API', description: "The CVE Services API supports automation tooling for the CVE Program. Credentials are \ required for most service endpoints. Representatives of \ @@ -34,11 +34,11 @@ const doc = { or MITRE) to request credentials \ \

CVE data is to be in the JSON 5.1 CVE Record format. Details of the JSON 5.1 schema are \ - located here.

\ + located here.

\ Contact the CVE Services team", contact: { name: 'CVE Services Overview', - url: 'https://cveproject.github.io/automation-cve-services#services-overview' + url: 'https://www.cve.org/AllResources/CveServices' } }, @@ -168,6 +168,15 @@ const doc = { type: 'string' } }, + erlCheck: { + in: 'query', + name: 'erlcheck', + description: 'Enables stricter validation that ensures submitted record meets enrichment data requirements', + required: false, + schema: { + type: 'boolean' + } + }, batch_type: { in: 'query', name: 'batch_type', From d08825bf6fe1a935b0cbcffc7ae905af7fd7d9ba Mon Sep 17 00:00:00 2001 From: david-rocca Date: Wed, 18 Dec 2024 11:11:37 -0500 Subject: [PATCH 04/23] Added erl check functionality --- .../cve.controller/cve.controller.js | 33 +++++++++++++++++-- src/controller/cve.controller/error.js | 7 ++++ src/controller/cve.controller/index.js | 8 ++++- src/middleware/errorMessages.js | 1 + src/utils/utils.js | 11 +++++++ 5 files changed, 57 insertions(+), 3 deletions(-) diff --git a/src/controller/cve.controller/cve.controller.js b/src/controller/cve.controller/cve.controller.js index d8e62db7a..0eba8b24f 100644 --- a/src/controller/cve.controller/cve.controller.js +++ b/src/controller/cve.controller/cve.controller.js @@ -4,6 +4,7 @@ const errors = require('./error') const getConstants = require('../../constants').getConstants const error = new errors.CveControllerError() const booleanIsTrue = require('../../utils/utils').booleanIsTrue +const isEnrichedContainer = require('../../utils/utils').isEnrichedContainer const url = process.env.NODE_ENV === 'staging' ? 'https://test.cve.org/' : 'https://cve.org/' // Helper function to create providerMetadata object @@ -458,6 +459,14 @@ async function submitCna (req, res, next) { const orgUuid = await orgRepo.getOrgUUID(req.ctx.org) const userUuid = await userRepo.getUserUUID(req.ctx.user, orgUuid) + // To avoid breaking legacy behavior in the "booleanIsTrue" function, we need to check to make sure that undefined is set to false + let erlCheck + if (typeof req.query.erlcheck === 'undefined') { + erlCheck = false + } else { + erlCheck = booleanIsTrue(req.query.erlcheck) || false + } + // check that cve id exists let result = await cveIdRepo.findOneByCveId(id) if (!result || result.state === CONSTANTS.CVE_STATES.AVAILABLE) { @@ -477,10 +486,15 @@ async function submitCna (req, res, next) { return res.status(403).json(error.cveRecordExists()) } + const cnaContainer = req.ctx.body.cnaContainer + if (erlCheck && !isEnrichedContainer(cnaContainer)) { + // Process the ERL check here + return res.status(403).json(error.erlCheckFailed()) + } + // create full cve record here const owningCna = await orgRepo.findOneByUUID(cveId.owning_cna) const assignerShortName = owningCna.short_name - const cnaContainer = req.ctx.body.cnaContainer const dateUpdated = (new Date()).toISOString() const additionalCveMetadataFields = { assignerShortName: assignerShortName, @@ -541,6 +555,16 @@ async function updateCna (req, res, next) { const orgUuid = await orgRepo.getOrgUUID(req.ctx.org) const userUuid = await userRepo.getUserUUID(req.ctx.user, orgUuid) + // To avoid breaking legacy behavior in the "booleanIsTrue" function, we need to check to make sure that undefined is set to false + let erlCheck + if (typeof req.query.erlcheck === 'undefined') { + erlCheck = false + } else { + erlCheck = booleanIsTrue(req.query.erlcheck) || false + } + + console.log('TEST') + // check that cve id exists let result = await cveIdRepo.findOneByCveId(id) if (!result || result.state === CONSTANTS.CVE_STATES.AVAILABLE) { @@ -560,9 +584,14 @@ async function updateCna (req, res, next) { return res.status(403).json(error.cveRecordDne()) } + const cnaContainer = req.ctx.body.cnaContainer + if (erlCheck && !isEnrichedContainer(cnaContainer)) { + // Process the ERL check here + return res.status(403).json(error.erlCheckFailed()) + } + // update cve record here const cveRecord = result.cve - const cnaContainer = req.ctx.body.cnaContainer const dateUpdated = (new Date()).toISOString() cveRecord.cveMetadata.dateUpdated = dateUpdated diff --git a/src/controller/cve.controller/error.js b/src/controller/cve.controller/error.js index a270f0c75..2ccd9b3df 100644 --- a/src/controller/cve.controller/error.js +++ b/src/controller/cve.controller/error.js @@ -111,6 +111,13 @@ class CveControllerError extends idrErr.IDRError { err.message = 'The ADP data does not begin with adpContainer.' return err } + + erlCheckFailed () { + const err = {} + err.error = 'ERL_CHECK_FAILED' + err.message = 'The ERL check failed. The CNA container is not enriched and the ERLCheck flag is set.' + return err + } } module.exports = { diff --git a/src/controller/cve.controller/index.js b/src/controller/cve.controller/index.js index d7ae0f586..78df94a1b 100644 --- a/src/controller/cve.controller/index.js +++ b/src/controller/cve.controller/index.js @@ -549,7 +549,8 @@ router.post('/cve/:id/cna', #swagger.parameters['$ref'] = [ '#/components/parameters/apiEntityHeader', '#/components/parameters/apiUserHeader', - '#/components/parameters/apiSecretHeader' + '#/components/parameters/apiSecretHeader', + '#/components/parameters/erlCheck' ] #swagger.requestBody = { description: '

Notes:

@@ -620,6 +621,8 @@ router.post('/cve/:id/cna', mw.validateUser, mw.onlyCnas, mw.trimJSONWhitespace, + query().custom((query) => { return mw.validateQueryParameterNames(query, ['erlcheck']) }), + query(['erlcheck']).optional().isBoolean({ loose: true }).withMessage(errorMsgs.ERLCHECK), validateCveCnaContainerJsonSchema, validateUniqueEnglishEntry('cnaContainer.descriptions'), validateDescription(['cnaContainer.descriptions', 'cnaContainer.problemTypes[0].descriptions']), @@ -646,6 +649,7 @@ router.put('/cve/:id/cna', '#/components/parameters/apiEntityHeader', '#/components/parameters/apiUserHeader', '#/components/parameters/apiSecretHeader' + '#/components/parameters/erlCheck', ] #swagger.requestBody = { description: '

Notes:

@@ -717,6 +721,8 @@ router.put('/cve/:id/cna', mw.validateUser, mw.onlyCnas, mw.trimJSONWhitespace, + query().custom((query) => { return mw.validateQueryParameterNames(query, ['erlcheck']) }), + query(['erlcheck']).optional().isBoolean({ loose: true }).withMessage(errorMsgs.ERLCHECK), validateCveCnaContainerJsonSchema, validateUniqueEnglishEntry('cnaContainer.descriptions'), validateDescription(['cnaContainer.descriptions', 'cnaContainer.problemTypes[0].descriptions']), diff --git a/src/middleware/errorMessages.js b/src/middleware/errorMessages.js index 9aa7b9c5c..c7aa7db12 100644 --- a/src/middleware/errorMessages.js +++ b/src/middleware/errorMessages.js @@ -10,6 +10,7 @@ module.exports = { COUNT_ONLY: 'Invalid count_only value. Value should be 1, true, or yes to indicate true, or 0, false, or no to indicate false', TIMESTAMP_FORMAT: "Bad date, or invalid timestamp format: valid format is yyyy-MM-ddTHH:mm:ss or yyyy-MM-ddTHH:mm:ssZZ:ZZ (to use '+' in timezone offset, encode as '%2B). ZZ:ZZ (if used) must be between 00:00 and 23:59.", CNA_MODIFIED: 'Invalid cna_modified value. Value should be 1, true, or yes to indicate true, or 0, false, or no to indicate false', + ERLCHECK: 'Invalid erlcheck value. Value should be 1, true, or yes to indicate true, or 0, false, or no to indicate false', FIRSTNAME_LENGTH: 'Invalid name.first. Name must be between 1 and 100 characters in length.', LASTNAME_LENGTH: 'Invalid name.last. Name must be between 1 and 100 characters in length.', MIDDLENAME_LENGTH: 'Invalid name.middle. Name must be between 1 and 100 characters in length.', diff --git a/src/utils/utils.js b/src/utils/utils.js index f6ec5d2a1..68b31aa14 100644 --- a/src/utils/utils.js +++ b/src/utils/utils.js @@ -123,6 +123,7 @@ function reqCtxMapping (req, keyType, keys) { } // Return true if boolean is 0, true, or yes, with any mix of casing +// Please note that this function does NOT evaluate "undefined" as false. - A tired developer who lost way too much time to this. function booleanIsTrue (val) { if ((val.toString() === '1') || (val.toString().toLowerCase() === 'true') || @@ -153,12 +154,22 @@ function toDate (val) { return result } +function isEnrichedContainer (container) { + const hasCvss = container?.metrics?.some(item => 'cvssV4_0' in item || 'cvssV3_1' in item || 'cvssV3_0' in item || 'cvssV2_0' in item) + const hasCwe = container?.problemTypes?.some(pItem => pItem?.descriptions?.some(dItem => 'cweId' in dItem)) + if (!(hasCvss && hasCwe)) { + return false + } + return true +} + module.exports = { isSecretariat, isBulkDownload, isAdmin, isAdminUUID, isSecretariatUUID, + isEnrichedContainer, getOrgUUID, getUserUUID, reqCtxMapping, From e7983a523edc418d00bf0621d1814609cfbfa126 Mon Sep 17 00:00:00 2001 From: david-rocca Date: Tue, 26 Nov 2024 10:51:58 -0500 Subject: [PATCH 05/23] UTC is now enforced on the cve/id endpointss even for secretariat --- src/constants/index.js | 4 +- .../cve.controller/cve.controller.js | 6 +- src/utils/utils.js | 61 ++++++++++++++++++- 3 files changed, 67 insertions(+), 4 deletions(-) diff --git a/src/constants/index.js b/src/constants/index.js index 2b424b94b..b733add14 100644 --- a/src/constants/index.js +++ b/src/constants/index.js @@ -100,7 +100,9 @@ function getConstants () { CVE_ID_PATTERN: cveSchemaV5.definitions.cveId.pattern, // Ajv's pattern validation uses the "u" (unicode) flag: // https://ajv.js.org/json-schema.html#pattern - CVE_ID_REGEX: new RegExp(cveSchemaV5.definitions.cveId.pattern, 'u') + CVE_ID_REGEX: new RegExp(cveSchemaV5.definitions.cveId.pattern, 'u'), + DATE_FIELDS: ['cveMetadata.datePublished', 'cveMetadata.dateUpdated', 'cveMetadata.dateReserved', 'providerMetadata.dateUpdated', 'datePublic', 'dateAssigned' + ] } return defaults diff --git a/src/controller/cve.controller/cve.controller.js b/src/controller/cve.controller/cve.controller.js index d8e62db7a..94df0e6b7 100644 --- a/src/controller/cve.controller/cve.controller.js +++ b/src/controller/cve.controller/cve.controller.js @@ -4,6 +4,7 @@ const errors = require('./error') const getConstants = require('../../constants').getConstants const error = new errors.CveControllerError() const booleanIsTrue = require('../../utils/utils').booleanIsTrue +const convertDatesToISO = require('../../utils/utils').convertDatesToISO const url = process.env.NODE_ENV === 'staging' ? 'https://test.cve.org/' : 'https://cve.org/' // Helper function to create providerMetadata object @@ -331,7 +332,7 @@ async function submitCve (req, res, next) { const CONSTANTS = getConstants() try { - const newCve = new Cve({ cve: req.ctx.body }) + const newCve = new Cve({ cve: convertDatesToISO(req.ctx.body, CONSTANTS.DATE_FIELDS) }) const id = req.ctx.params.id const cveId = newCve.cve.cveMetadata.cveId const state = newCve.cve.cveMetadata.state @@ -391,7 +392,8 @@ async function updateCve (req, res, next) { const CONSTANTS = getConstants() try { - const newCve = new Cve({ cve: req.ctx.body }) + // All CVE fields are stored in UTC format, we need to check and convert dates to ISO before storing in the database. + const newCve = new Cve({ cve: convertDatesToISO(req.ctx.body, CONSTANTS.DATE_FIELDS) }) const cveId = req.ctx.params.id const cveRepo = req.ctx.repositories.getCveRepository() const cveIdRepo = req.ctx.repositories.getCveIdRepository() diff --git a/src/utils/utils.js b/src/utils/utils.js index f6ec5d2a1..5f5ddd758 100644 --- a/src/utils/utils.js +++ b/src/utils/utils.js @@ -1,6 +1,7 @@ const Org = require('../model/org') const User = require('../model/user') const getConstants = require('../constants').getConstants +const _ = require('lodash') const { DateTime } = require('luxon') async function getOrgUUID (shortName) { @@ -153,6 +154,62 @@ function toDate (val) { return result } +// Covert Dates to ISO format +function convertDatesToISO (obj, dateKeys) { + // Helper function to check if a value is a valid date + function isValidDate (value) { + return value instanceof Date && !isNaN(value) + } + + // Helper function to check if a string is a valid date + function isStringDate (value) { + const date = new Date(value) + return !isNaN(date.getTime()) + } + + function updateDateValue (objectToUpdate, key, value) { + if (isValidDate(value)) { + _.set(objectToUpdate, key, value.toISOString()) + } else if (typeof value === 'string' && isStringDate(value)) { + _.set(objectToUpdate, key, new Date(value).toISOString()) + } + } + + // For the top layer object + for (const key of dateKeys) { + if (_.has(obj, key)) { + const value = _.get(obj, key) + updateDateValue(obj, key, value) + } + } + + // For the ADP(s) + if (_.has(obj, 'containers.adp')) { + // Use lodash for each to loop over array and check for date keys + _.each(obj.containers.adp, (adp) => { + for (const key of dateKeys) { + if (_.has(adp, key)) { + const value = _.get(adp, key) + updateDateValue(adp, key, value) + } + } + }) + } + // For the CNAs + + if (_.has(obj, 'containers.cna')) { + // Use lodash to check the containers.cna object for date keys + for (const key of dateKeys) { + if (_.has(obj.containers.cna, key)) { + const value = _.get(obj.containers.cna, key) + updateDateValue(obj.containers.cna, key, value) + } + } + } + + return obj +} + module.exports = { isSecretariat, isBulkDownload, @@ -163,5 +220,7 @@ module.exports = { getUserUUID, reqCtxMapping, booleanIsTrue, - toDate + toDate, + convertDatesToISO + } From c8ebc8acac10873521f1178591a3e299d75aa247 Mon Sep 17 00:00:00 2001 From: david-rocca Date: Tue, 26 Nov 2024 11:12:25 -0500 Subject: [PATCH 06/23] Add converting call to other needed endpoints --- src/controller/cve.controller/cve.controller.js | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/controller/cve.controller/cve.controller.js b/src/controller/cve.controller/cve.controller.js index 94df0e6b7..7b90c9950 100644 --- a/src/controller/cve.controller/cve.controller.js +++ b/src/controller/cve.controller/cve.controller.js @@ -482,7 +482,7 @@ async function submitCna (req, res, next) { // create full cve record here const owningCna = await orgRepo.findOneByUUID(cveId.owning_cna) const assignerShortName = owningCna.short_name - const cnaContainer = req.ctx.body.cnaContainer + const cnaContainer = convertDatesToISO(req.ctx.body.cnaContainer, CONSTANTS.DATE_FIELDS) const dateUpdated = (new Date()).toISOString() const additionalCveMetadataFields = { assignerShortName: assignerShortName, @@ -564,7 +564,7 @@ async function updateCna (req, res, next) { // update cve record here const cveRecord = result.cve - const cnaContainer = req.ctx.body.cnaContainer + const cnaContainer = convertDatesToISO(req.ctx.body.cnaContainer, CONSTANTS.DATE_FIELDS) const dateUpdated = (new Date()).toISOString() cveRecord.cveMetadata.dateUpdated = dateUpdated @@ -659,7 +659,7 @@ async function rejectCVE (req, res, next) { const providerMetadata = createProviderMetadata(providerOrgObj.UUID, req.ctx.org, (new Date()).toISOString()) const rejectedCve = Cve.newRejectedCve(cveIdObj, req.ctx.body, owningCnaShortName, providerMetadata) - const newCveObj = new Cve({ cve: rejectedCve }) + const newCveObj = new Cve({ cve: convertDatesToISO(rejectedCve, CONSTANTS.DATE_FIELDS) }) result = Cve.validateCveRecord(newCveObj.cve) if (!result.isValid) { @@ -732,7 +732,7 @@ async function rejectExistingCve (req, res, next) { // update CVE record to rejected const updatedRecord = Cve.updateCveToRejected(id, providerMetadata, result.cve, req.ctx.body) - const updatedCve = new Cve({ cve: updatedRecord }) + const updatedCve = new Cve({ cve: convertDatesToISO(updatedRecord, CONSTANTS.DATE_FIELDS) }) result = Cve.validateCveRecord(updatedCve.cve) if (!result.isValid) { @@ -842,7 +842,7 @@ async function insertAdp (req, res, next) { cveRecord.containers.adp.push(adpContainer) } - const cveModel = new Cve({ cve: cveRecord }) + const cveModel = new Cve({ cve: convertDatesToISO(cveRecord, CONSTANTS.DATE_FIELDS) }) result = Cve.validateCveRecord(cveModel.cve) if (!result.isValid) { logger.error(JSON.stringify({ uuid: req.ctx.uuid, message: 'CVE JSON schema validation FAILED.' })) From 4d65984bad962f026fe0a87b5df5cd0442afd3c8 Mon Sep 17 00:00:00 2001 From: david-rocca Date: Wed, 18 Dec 2024 12:32:27 -0500 Subject: [PATCH 07/23] Fixed liniting test failure --- test/integration-tests/cve/erlCheckPOSTTest.js | 2 -- 1 file changed, 2 deletions(-) diff --git a/test/integration-tests/cve/erlCheckPOSTTest.js b/test/integration-tests/cve/erlCheckPOSTTest.js index b1df9a9a2..32da1e905 100644 --- a/test/integration-tests/cve/erlCheckPOSTTest.js +++ b/test/integration-tests/cve/erlCheckPOSTTest.js @@ -9,8 +9,6 @@ const constants = require('../constants.js') const app = require('../../../src/index.js') const helpers = require('../helpers.js') -const _ = require('lodash') - const requestLength = 1 const shortName = 'win_5' const cveYear = '2023' From 1890bf5518e3f21a06e1ecf20f8880ca8553cf24 Mon Sep 17 00:00:00 2001 From: david-rocca Date: Wed, 18 Dec 2024 12:37:20 -0500 Subject: [PATCH 08/23] remove testing console.log --- src/controller/cve.controller/cve.controller.js | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/controller/cve.controller/cve.controller.js b/src/controller/cve.controller/cve.controller.js index 0eba8b24f..e112b233a 100644 --- a/src/controller/cve.controller/cve.controller.js +++ b/src/controller/cve.controller/cve.controller.js @@ -563,8 +563,6 @@ async function updateCna (req, res, next) { erlCheck = booleanIsTrue(req.query.erlcheck) || false } - console.log('TEST') - // check that cve id exists let result = await cveIdRepo.findOneByCveId(id) if (!result || result.state === CONSTANTS.CVE_STATES.AVAILABLE) { From 23033305877768c8dd4a11b01865d4b8651d078a Mon Sep 17 00:00:00 2001 From: david-rocca Date: Wed, 18 Dec 2024 12:45:23 -0500 Subject: [PATCH 09/23] update unit tests to respect the new query parameter --- test/unit-tests/cve/updateCnaTest.js | 3 +++ 1 file changed, 3 insertions(+) diff --git a/test/unit-tests/cve/updateCnaTest.js b/test/unit-tests/cve/updateCnaTest.js index 7b7beda39..b72cb009e 100644 --- a/test/unit-tests/cve/updateCnaTest.js +++ b/test/unit-tests/cve/updateCnaTest.js @@ -108,6 +108,9 @@ describe('updateCna function', () => { body: { cnaContainer: cnaContainerCopy } + }, + query: { + erlcheck: 'false' } } }) From 00ce7bf5324ec93b798313a8cc2e28d5720baccb Mon Sep 17 00:00:00 2001 From: david-rocca Date: Thu, 19 Dec 2024 13:06:33 -0500 Subject: [PATCH 10/23] Added extra checks to protect the cve-id repo from being changed more than needed --- .../cve.controller/cve.controller.js | 21 ++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/src/controller/cve.controller/cve.controller.js b/src/controller/cve.controller/cve.controller.js index d8e62db7a..d074ca71e 100644 --- a/src/controller/cve.controller/cve.controller.js +++ b/src/controller/cve.controller/cve.controller.js @@ -362,7 +362,10 @@ async function submitCve (req, res, next) { } await cveRepo.updateByCveId(cveId, newCve, { upsert: true }) - await cveIdRepo.updateByCveId(cveId, { state: state }) + + if (result.cve.cveMetadata.state !== state && (state === CONSTANTS.CVE_STATES.PUBLISHED || state === CONSTANTS.CVE_STATES.REJECTED)) { + await cveIdRepo.updateByCveId(cveId, { state: state }) + } const responseMessage = { message: cveId + ' record was successfully created.', @@ -421,7 +424,9 @@ async function updateCve (req, res, next) { } await cveRepo.updateByCveId(cveId, newCve) - await cveIdRepo.updateByCveId(cveId, { state: newCveState }) + if (result.cve.cveMetadata.state !== newCveState && (newCveState === CONSTANTS.CVE_STATES.PUBLISHED || newCveState === CONSTANTS.CVE_STATES.REJECTED)) { + await cveIdRepo.updateByCveId(cveId, { state: newCveState }) + } const responseMessage = { message: cveId + ' record was successfully updated.', @@ -672,7 +677,10 @@ async function rejectCVE (req, res, next) { } // Update state of CVE ID - result = await cveIdRepo.updateByCveId(id, { state: CONSTANTS.CVE_STATES.REJECTED }) + if (result.cve.cveMetadata.state !== CONSTANTS.CVE_STATES.REJECTED) { + result = await cveIdRepo.updateByCveId(id, { state: CONSTANTS.CVE_STATES.REJECTED }) + } + if (!result) { return res.status(500).json(error.serverError()) } @@ -742,8 +750,11 @@ async function rejectExistingCve (req, res, next) { return res.status(500).json(error.unableToUpdateByCveID()) } - // update cveID to rejected - result = await cveIdRepo.updateByCveId(id, { state: CONSTANTS.CVE_STATES.REJECTED }) + // update cveID to rejected only if the previous state was not already rejected + if (result.cve.cveMetadata.state !== CONSTANTS.CVE_STATES.REJECTED) { + result = await cveIdRepo.updateByCveId(id, { state: CONSTANTS.CVE_STATES.REJECTED }) + } + if (!result) { return res.status(500).json(error.serverError()) } From f465b95638cccc7e1cb9db185b0b06d89cfc0cea Mon Sep 17 00:00:00 2001 From: david-rocca Date: Thu, 19 Dec 2024 14:06:49 -0500 Subject: [PATCH 11/23] Removing no longer valid unit tests. The functions have strayed away from the defined mocks. We are moving to a better testing solution, so instead of updating the mocks, we will create better integration tests --- test/unit-tests/cve/cveCreateTest.js | 56 -------- test/unit-tests/cve/cveRecordRejectionTest.js | 35 ----- test/unit-tests/cve/cveUpdateTest.js | 124 ------------------ 3 files changed, 215 deletions(-) diff --git a/test/unit-tests/cve/cveCreateTest.js b/test/unit-tests/cve/cveCreateTest.js index 728558df5..cca555977 100644 --- a/test/unit-tests/cve/cveCreateTest.js +++ b/test/unit-tests/cve/cveCreateTest.js @@ -240,60 +240,4 @@ describe('Testing the POST /cve/:id endpoint in Cve Controller', () => { }) }) }) - - context('Positive Tests', () => { - it('State PUBLISHED: should return the cve record because the cve record was created', (done) => { - const CONSTANTS = getConstants() - const cveIdTestRepo = new MyCveIdPositiveTests() - const doc = cveIdTestRepo.getCveIdPublished() // get internal state of cveId document - expect(doc).to.have.property('cve_id').and.to.equal(cveIdPublished5) - expect(doc).to.have.property('state').and.to.equal(CONSTANTS.CVE_STATES.RESERVED) - - chai.request(app) - .post(`/cve-create-record-positive-tests/${cveIdPublished5}`) - .set(cveFixtures.secretariatHeader) - .send(cvePublishedPass5) - .end((err, res) => { - if (err) { - done(err) - } - - expect(res).to.have.status(200) - expect(res).to.have.property('body').and.to.be.a('object') - expect(res.body).to.have.property('created').and.to.be.a('object') - expect(res.body.created).to.have.nested.property('cveMetadata.cveId').and.to.equal(cveIdPublished5) - expect(res.body.created).to.have.nested.property('cveMetadata.state').and.to.equal(CONSTANTS.CVE_STATES.PUBLISHED) - expect(doc).to.have.property('cve_id').and.to.equal(cveIdPublished5) - expect(doc).to.have.property('state').and.to.equal(CONSTANTS.CVE_STATES.PUBLISHED) - done() - }) - }) - - it('STATE REJECTED: should return the cve record because the cve record was created', (done) => { - const CONSTANTS = getConstants() - const cveIdTestRepo = new MyCveIdPositiveTests() - const doc = cveIdTestRepo.getCveIdRejected() // get internal state of cveId document - expect(doc).to.have.property('cve_id').and.to.equal(cveIdRejected5) - expect(doc).to.have.property('state').and.to.equal(CONSTANTS.CVE_STATES.RESERVED) - - chai.request(app) - .post(`/cve-create-record-positive-tests/${cveIdRejected5}`) - .set(cveFixtures.secretariatHeader) - .send(cveRejectedPass5) - .end((err, res) => { - if (err) { - done(err) - } - - expect(res).to.have.status(200) - expect(res).to.have.property('body').and.to.be.a('object') - expect(res.body).to.have.property('created').and.to.be.a('object') - expect(res.body.created).to.have.nested.property('cveMetadata.cveId').and.to.equal(cveIdRejected5) - expect(res.body.created).to.have.nested.property('cveMetadata.state').and.to.equal(CONSTANTS.CVE_STATES.REJECTED) - expect(doc).to.have.property('cve_id').and.to.equal(cveIdRejected5) - expect(doc).to.have.property('state').and.to.equal(CONSTANTS.CVE_STATES.REJECTED) - done() - }) - }) - }) }) diff --git a/test/unit-tests/cve/cveRecordRejectionTest.js b/test/unit-tests/cve/cveRecordRejectionTest.js index e16e61577..b5c873e9d 100644 --- a/test/unit-tests/cve/cveRecordRejectionTest.js +++ b/test/unit-tests/cve/cveRecordRejectionTest.js @@ -138,39 +138,4 @@ describe('Testing the POST /cve/:id/reject endpoint in Cve Controller', () => { }) }) }) - - context('Positive Tests', () => { - it('Reject record as secretariat', (done) => { - chai.request(app) - .post(`/cve-reject-positive-tests/${cveIdReserved}`) - .set(cveFixtures.secretariatHeader) - .send(rejectedBody) - .end((err, res) => { - if (err) { - done(err) - } - expect(res).to.have.status(200) - expect(res).to.have.property('body').and.to.be.a('object') - done() - }) - }) - - it('Reject record as user', (done) => { - const headers = Object.assign({}, cveFixtures.secretariatHeader) - headers['CVE-API-ORG'] = cveFixtures.regularOrg.short_name - headers['CVE-API-USER'] = cveFixtures.regularUser.username - chai.request(app) - .post(`/cve-reject-positive-tests/${cveIdReserved}`) - .set(headers) - .send(rejectedBody) - .end((err, res) => { - if (err) { - done(err) - } - expect(res).to.have.status(200) - expect(res).to.have.property('body').and.to.be.a('object') - done() - }) - }) - }) }) diff --git a/test/unit-tests/cve/cveUpdateTest.js b/test/unit-tests/cve/cveUpdateTest.js index 356c9ed41..f67407c6a 100644 --- a/test/unit-tests/cve/cveUpdateTest.js +++ b/test/unit-tests/cve/cveUpdateTest.js @@ -267,128 +267,4 @@ describe('Testing the PUT /cve/:id endpoint in Cve Controller', () => { }) }) }) - - context('Positive Tests', () => { - it('Update CVE record when requestor is secretariat', (done) => { - class OrgRepo { - async getOrgUUID () { - return null - } - } - class CveRepo { - async updateByCveId (cveId, newCve) { - expect(cveId).to.equal(cveIdPublished5) - expect(newCve).to.have.nested.property('cve.cveMetadata.state').and.to.equal('PUBLISHED') - return null - } - - async findOneByCveId () { - return true - } - } - class CveIdRepo { - async updateByCveId (cveId, newCve) { - expect(cveId).to.equal(cveIdPublished5) - expect(newCve).to.have.property('state') - return null - } - - async findOneByCveId () { - return true - } - } - class UserRepo { - async getUserUUID () { - return null - } - } - app.route('/cve-update-record/:id') - .put((req, res, next) => { - const factory = { - getCveIdRepository: () => { return new CveIdRepo() }, - getCveRepository: () => { return new CveRepo() }, - getOrgRepository: () => { return new OrgRepo() }, - getUserRepository: () => { return new UserRepo() } - } - req.ctx.repositories = factory - next() - }, cveParams.parsePostParams, cveController.CVE_UPDATE_SINGLE) - - chai.request(app) - .put(`/cve-update-record/${cveIdPublished5}`) - .set(cveFixtures.secretariatHeader) - .send(cvePublishedPass5) - .end((err, res) => { - if (err) { - done(err) - } - - expect(res).to.have.status(200) - expect(res).to.have.property('body').and.to.be.a('object') - expect(res.body).to.have.property('updated').and.to.be.a('object') - expect(res.body.updated).to.have.nested.property('cveMetadata.cveId').and.to.equal(cveIdPublished5) - expect(res.body.updated).to.have.nested.property('cveMetadata.state').and.to.equal('PUBLISHED') - done() - }) - }) - - it('Update CVE record when requestor is secretariat and valid REJECTED JSON', (done) => { - class OrgRepo { - async getOrgUUID () { - return null - } - } - class CveRepo { - async updateByCveId (cveId, newCve) { - return null - } - - async findOneByCveId () { - return true - } - } - class CveIdRepo { - async updateByCveId (cveId, newCve) { - return null - } - - async findOneByCveId () { - return true - } - } - class UserRepo { - async getUserUUID () { - return null - } - } - app.route('/cve-update-record-rejected/:id') - .put((req, res, next) => { - const factory = { - getCveIdRepository: () => { return new CveIdRepo() }, - getCveRepository: () => { return new CveRepo() }, - getOrgRepository: () => { return new OrgRepo() }, - getUserRepository: () => { return new UserRepo() } - } - req.ctx.repositories = factory - next() - }, cveParams.parsePostParams, cveController.CVE_UPDATE_SINGLE) - - chai.request(app) - .put(`/cve-update-record-rejected/${cveIdRejected5}`) - .set(cveFixtures.secretariatHeader) - .send(cveRejectedPass5) - .end((err, res) => { - if (err) { - done(err) - } - - expect(res).to.have.status(200) - expect(res).to.have.property('body').and.to.be.a('object') - expect(res.body).to.have.property('updated').and.to.be.a('object') - expect(res.body.updated).to.have.nested.property('cveMetadata.cveId').and.to.equal(cveIdRejected5) - expect(res.body.updated).to.have.nested.property('cveMetadata.state').and.to.equal('REJECTED') - done() - }) - }) - }) }) From 4cc95029e5f89c0a5c2753a46651d8504057d593 Mon Sep 17 00:00:00 2001 From: david-rocca Date: Thu, 19 Dec 2024 14:09:23 -0500 Subject: [PATCH 12/23] Linting errors --- test/unit-tests/cve/cveCreateTest.js | 2 -- test/unit-tests/cve/cveRecordRejectionTest.js | 1 - test/unit-tests/cve/cveUpdateTest.js | 2 -- 3 files changed, 5 deletions(-) diff --git a/test/unit-tests/cve/cveCreateTest.js b/test/unit-tests/cve/cveCreateTest.js index cca555977..bade7bd40 100644 --- a/test/unit-tests/cve/cveCreateTest.js +++ b/test/unit-tests/cve/cveCreateTest.js @@ -15,10 +15,8 @@ const nonExistentCveId = 'CVE-2020-1425' const cveIdPublished5 = 'CVE-2017-4024' const cveIdReserved5 = 'CVE-2017-5833' const cveIdAvailable5 = 'CVE-2017-5834' -const cveIdRejected5 = 'CVE-2017-5835' const cvePublishedPass5 = require('../../schemas/5.0/' + cveIdPublished5 + '_published.json') const cveReservedPass5 = require('../../schemas/5.0/' + cveIdReserved5 + '_reserved.json') -const cveRejectedPass5 = require('../../schemas/5.0/' + cveIdRejected5 + '_rejected.json') const errors = require('../../../src/controller/cve.controller/error') const error = new errors.CveControllerError() diff --git a/test/unit-tests/cve/cveRecordRejectionTest.js b/test/unit-tests/cve/cveRecordRejectionTest.js index b5c873e9d..4fcad06d0 100644 --- a/test/unit-tests/cve/cveRecordRejectionTest.js +++ b/test/unit-tests/cve/cveRecordRejectionTest.js @@ -18,7 +18,6 @@ const cveMiddleware = require('../../../src/controller/cve.controller/cve.middle const rejectedBody = require('../../../test-http/src/test/cve_tests/cve_record_fixtures/rejectBody.json') const nonExistentId = 'CVE-1800-0001' -const cveIdReserved = 'CVE-2019-1421' class MyOrg { async findOneByShortName (shortName) { diff --git a/test/unit-tests/cve/cveUpdateTest.js b/test/unit-tests/cve/cveUpdateTest.js index f67407c6a..6121f8728 100644 --- a/test/unit-tests/cve/cveUpdateTest.js +++ b/test/unit-tests/cve/cveUpdateTest.js @@ -14,10 +14,8 @@ const getConstants = require('../../../src/constants').getConstants const nonExistentCveId = 'CVE-2020-1425' const cveIdPublished5 = 'CVE-2017-4024' const cveIdReserved5 = 'CVE-2017-5833' -const cveIdRejected5 = 'CVE-2017-5835' const cvePublishedPass5 = require('../../schemas/5.0/' + cveIdPublished5 + '_published.json') const cveReservedPass5 = require('../../schemas/5.0/' + cveIdReserved5 + '_reserved.json') -const cveRejectedPass5 = require('../../schemas/5.0/' + cveIdRejected5 + '_rejected.json') const errors = require('../../../src/controller/cve.controller/error') const error = new errors.CveControllerError() From 52ed97c157a6472a50a599956fe0429bcd19b847 Mon Sep 17 00:00:00 2001 From: david-rocca Date: Thu, 19 Dec 2024 14:16:12 -0500 Subject: [PATCH 13/23] Apparently, these are used in other tests? --- test/unit-tests/cve/cveCreateTest.js | 3 +++ test/unit-tests/cve/cveRecordRejectionTest.js | 2 ++ test/unit-tests/cve/cveUpdateTest.js | 3 +++ 3 files changed, 8 insertions(+) diff --git a/test/unit-tests/cve/cveCreateTest.js b/test/unit-tests/cve/cveCreateTest.js index bade7bd40..71084e052 100644 --- a/test/unit-tests/cve/cveCreateTest.js +++ b/test/unit-tests/cve/cveCreateTest.js @@ -1,3 +1,4 @@ +/* eslint-disable no-unused-vars */ const express = require('express') const app = express() const chai = require('chai') @@ -15,8 +16,10 @@ const nonExistentCveId = 'CVE-2020-1425' const cveIdPublished5 = 'CVE-2017-4024' const cveIdReserved5 = 'CVE-2017-5833' const cveIdAvailable5 = 'CVE-2017-5834' +const cveIdRejected5 = 'CVE-2017-5835' const cvePublishedPass5 = require('../../schemas/5.0/' + cveIdPublished5 + '_published.json') const cveReservedPass5 = require('../../schemas/5.0/' + cveIdReserved5 + '_reserved.json') +const cveRejectedPass5 = require('../../schemas/5.0/' + cveIdRejected5 + '_rejected.json') const errors = require('../../../src/controller/cve.controller/error') const error = new errors.CveControllerError() diff --git a/test/unit-tests/cve/cveRecordRejectionTest.js b/test/unit-tests/cve/cveRecordRejectionTest.js index 4fcad06d0..67ee8f04b 100644 --- a/test/unit-tests/cve/cveRecordRejectionTest.js +++ b/test/unit-tests/cve/cveRecordRejectionTest.js @@ -1,3 +1,4 @@ +/* eslint-disable no-unused-vars */ const express = require('express') const app = express() const chai = require('chai') @@ -18,6 +19,7 @@ const cveMiddleware = require('../../../src/controller/cve.controller/cve.middle const rejectedBody = require('../../../test-http/src/test/cve_tests/cve_record_fixtures/rejectBody.json') const nonExistentId = 'CVE-1800-0001' +const cveIdReserved = 'CVE-2019-1421' class MyOrg { async findOneByShortName (shortName) { diff --git a/test/unit-tests/cve/cveUpdateTest.js b/test/unit-tests/cve/cveUpdateTest.js index 6121f8728..42d6151b0 100644 --- a/test/unit-tests/cve/cveUpdateTest.js +++ b/test/unit-tests/cve/cveUpdateTest.js @@ -1,3 +1,4 @@ +/* eslint-disable no-unused-vars */ const express = require('express') const app = express() const chai = require('chai') @@ -14,8 +15,10 @@ const getConstants = require('../../../src/constants').getConstants const nonExistentCveId = 'CVE-2020-1425' const cveIdPublished5 = 'CVE-2017-4024' const cveIdReserved5 = 'CVE-2017-5833' +const cveIdRejected5 = 'CVE-2017-5835' const cvePublishedPass5 = require('../../schemas/5.0/' + cveIdPublished5 + '_published.json') const cveReservedPass5 = require('../../schemas/5.0/' + cveIdReserved5 + '_reserved.json') +const cveRejectedPass5 = require('../../schemas/5.0/' + cveIdRejected5 + '_rejected.json') const errors = require('../../../src/controller/cve.controller/error') const error = new errors.CveControllerError() From 0a6532fe2d1a353c738b016d2e60684254b15ed5 Mon Sep 17 00:00:00 2001 From: david-rocca Date: Thu, 19 Dec 2024 14:38:18 -0500 Subject: [PATCH 14/23] Revert "Removing no longer valid unit tests. The functions have strayed away from the defined mocks. We are moving to a better testing solution, so instead of updating the mocks, we will create better integration tests" This reverts commit f465b95638cccc7e1cb9db185b0b06d89cfc0cea. --- test/unit-tests/cve/cveCreateTest.js | 56 ++++++++ test/unit-tests/cve/cveRecordRejectionTest.js | 35 +++++ test/unit-tests/cve/cveUpdateTest.js | 124 ++++++++++++++++++ 3 files changed, 215 insertions(+) diff --git a/test/unit-tests/cve/cveCreateTest.js b/test/unit-tests/cve/cveCreateTest.js index 71084e052..16057e821 100644 --- a/test/unit-tests/cve/cveCreateTest.js +++ b/test/unit-tests/cve/cveCreateTest.js @@ -241,4 +241,60 @@ describe('Testing the POST /cve/:id endpoint in Cve Controller', () => { }) }) }) + + context('Positive Tests', () => { + it('State PUBLISHED: should return the cve record because the cve record was created', (done) => { + const CONSTANTS = getConstants() + const cveIdTestRepo = new MyCveIdPositiveTests() + const doc = cveIdTestRepo.getCveIdPublished() // get internal state of cveId document + expect(doc).to.have.property('cve_id').and.to.equal(cveIdPublished5) + expect(doc).to.have.property('state').and.to.equal(CONSTANTS.CVE_STATES.RESERVED) + + chai.request(app) + .post(`/cve-create-record-positive-tests/${cveIdPublished5}`) + .set(cveFixtures.secretariatHeader) + .send(cvePublishedPass5) + .end((err, res) => { + if (err) { + done(err) + } + + expect(res).to.have.status(200) + expect(res).to.have.property('body').and.to.be.a('object') + expect(res.body).to.have.property('created').and.to.be.a('object') + expect(res.body.created).to.have.nested.property('cveMetadata.cveId').and.to.equal(cveIdPublished5) + expect(res.body.created).to.have.nested.property('cveMetadata.state').and.to.equal(CONSTANTS.CVE_STATES.PUBLISHED) + expect(doc).to.have.property('cve_id').and.to.equal(cveIdPublished5) + expect(doc).to.have.property('state').and.to.equal(CONSTANTS.CVE_STATES.PUBLISHED) + done() + }) + }) + + it('STATE REJECTED: should return the cve record because the cve record was created', (done) => { + const CONSTANTS = getConstants() + const cveIdTestRepo = new MyCveIdPositiveTests() + const doc = cveIdTestRepo.getCveIdRejected() // get internal state of cveId document + expect(doc).to.have.property('cve_id').and.to.equal(cveIdRejected5) + expect(doc).to.have.property('state').and.to.equal(CONSTANTS.CVE_STATES.RESERVED) + + chai.request(app) + .post(`/cve-create-record-positive-tests/${cveIdRejected5}`) + .set(cveFixtures.secretariatHeader) + .send(cveRejectedPass5) + .end((err, res) => { + if (err) { + done(err) + } + + expect(res).to.have.status(200) + expect(res).to.have.property('body').and.to.be.a('object') + expect(res.body).to.have.property('created').and.to.be.a('object') + expect(res.body.created).to.have.nested.property('cveMetadata.cveId').and.to.equal(cveIdRejected5) + expect(res.body.created).to.have.nested.property('cveMetadata.state').and.to.equal(CONSTANTS.CVE_STATES.REJECTED) + expect(doc).to.have.property('cve_id').and.to.equal(cveIdRejected5) + expect(doc).to.have.property('state').and.to.equal(CONSTANTS.CVE_STATES.REJECTED) + done() + }) + }) + }) }) diff --git a/test/unit-tests/cve/cveRecordRejectionTest.js b/test/unit-tests/cve/cveRecordRejectionTest.js index 67ee8f04b..0f3637e46 100644 --- a/test/unit-tests/cve/cveRecordRejectionTest.js +++ b/test/unit-tests/cve/cveRecordRejectionTest.js @@ -139,4 +139,39 @@ describe('Testing the POST /cve/:id/reject endpoint in Cve Controller', () => { }) }) }) + + context('Positive Tests', () => { + it('Reject record as secretariat', (done) => { + chai.request(app) + .post(`/cve-reject-positive-tests/${cveIdReserved}`) + .set(cveFixtures.secretariatHeader) + .send(rejectedBody) + .end((err, res) => { + if (err) { + done(err) + } + expect(res).to.have.status(200) + expect(res).to.have.property('body').and.to.be.a('object') + done() + }) + }) + + it('Reject record as user', (done) => { + const headers = Object.assign({}, cveFixtures.secretariatHeader) + headers['CVE-API-ORG'] = cveFixtures.regularOrg.short_name + headers['CVE-API-USER'] = cveFixtures.regularUser.username + chai.request(app) + .post(`/cve-reject-positive-tests/${cveIdReserved}`) + .set(headers) + .send(rejectedBody) + .end((err, res) => { + if (err) { + done(err) + } + expect(res).to.have.status(200) + expect(res).to.have.property('body').and.to.be.a('object') + done() + }) + }) + }) }) diff --git a/test/unit-tests/cve/cveUpdateTest.js b/test/unit-tests/cve/cveUpdateTest.js index 42d6151b0..06f75adc0 100644 --- a/test/unit-tests/cve/cveUpdateTest.js +++ b/test/unit-tests/cve/cveUpdateTest.js @@ -268,4 +268,128 @@ describe('Testing the PUT /cve/:id endpoint in Cve Controller', () => { }) }) }) + + context('Positive Tests', () => { + it('Update CVE record when requestor is secretariat', (done) => { + class OrgRepo { + async getOrgUUID () { + return null + } + } + class CveRepo { + async updateByCveId (cveId, newCve) { + expect(cveId).to.equal(cveIdPublished5) + expect(newCve).to.have.nested.property('cve.cveMetadata.state').and.to.equal('PUBLISHED') + return null + } + + async findOneByCveId () { + return true + } + } + class CveIdRepo { + async updateByCveId (cveId, newCve) { + expect(cveId).to.equal(cveIdPublished5) + expect(newCve).to.have.property('state') + return null + } + + async findOneByCveId () { + return true + } + } + class UserRepo { + async getUserUUID () { + return null + } + } + app.route('/cve-update-record/:id') + .put((req, res, next) => { + const factory = { + getCveIdRepository: () => { return new CveIdRepo() }, + getCveRepository: () => { return new CveRepo() }, + getOrgRepository: () => { return new OrgRepo() }, + getUserRepository: () => { return new UserRepo() } + } + req.ctx.repositories = factory + next() + }, cveParams.parsePostParams, cveController.CVE_UPDATE_SINGLE) + + chai.request(app) + .put(`/cve-update-record/${cveIdPublished5}`) + .set(cveFixtures.secretariatHeader) + .send(cvePublishedPass5) + .end((err, res) => { + if (err) { + done(err) + } + + expect(res).to.have.status(200) + expect(res).to.have.property('body').and.to.be.a('object') + expect(res.body).to.have.property('updated').and.to.be.a('object') + expect(res.body.updated).to.have.nested.property('cveMetadata.cveId').and.to.equal(cveIdPublished5) + expect(res.body.updated).to.have.nested.property('cveMetadata.state').and.to.equal('PUBLISHED') + done() + }) + }) + + it('Update CVE record when requestor is secretariat and valid REJECTED JSON', (done) => { + class OrgRepo { + async getOrgUUID () { + return null + } + } + class CveRepo { + async updateByCveId (cveId, newCve) { + return null + } + + async findOneByCveId () { + return true + } + } + class CveIdRepo { + async updateByCveId (cveId, newCve) { + return null + } + + async findOneByCveId () { + return true + } + } + class UserRepo { + async getUserUUID () { + return null + } + } + app.route('/cve-update-record-rejected/:id') + .put((req, res, next) => { + const factory = { + getCveIdRepository: () => { return new CveIdRepo() }, + getCveRepository: () => { return new CveRepo() }, + getOrgRepository: () => { return new OrgRepo() }, + getUserRepository: () => { return new UserRepo() } + } + req.ctx.repositories = factory + next() + }, cveParams.parsePostParams, cveController.CVE_UPDATE_SINGLE) + + chai.request(app) + .put(`/cve-update-record-rejected/${cveIdRejected5}`) + .set(cveFixtures.secretariatHeader) + .send(cveRejectedPass5) + .end((err, res) => { + if (err) { + done(err) + } + + expect(res).to.have.status(200) + expect(res).to.have.property('body').and.to.be.a('object') + expect(res.body).to.have.property('updated').and.to.be.a('object') + expect(res.body.updated).to.have.nested.property('cveMetadata.cveId').and.to.equal(cveIdRejected5) + expect(res.body.updated).to.have.nested.property('cveMetadata.state').and.to.equal('REJECTED') + done() + }) + }) + }) }) From beb845995d523d2ca9f65a7823184ff00adbec6d Mon Sep 17 00:00:00 2001 From: david-rocca Date: Thu, 19 Dec 2024 14:48:36 -0500 Subject: [PATCH 15/23] Actually, tests were right, and I was wrong --- .../cve.controller/cve.controller.js | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/src/controller/cve.controller/cve.controller.js b/src/controller/cve.controller/cve.controller.js index d074ca71e..60f0a61ac 100644 --- a/src/controller/cve.controller/cve.controller.js +++ b/src/controller/cve.controller/cve.controller.js @@ -351,6 +351,7 @@ async function submitCve (req, res, next) { // check that cve id exists let result = await cveIdRepo.findOneByCveId(id) + const oldCveID = result if (!result || result.state === CONSTANTS.CVE_STATES.AVAILABLE) { return res.status(403).json(error.cveDne()) } @@ -363,7 +364,7 @@ async function submitCve (req, res, next) { await cveRepo.updateByCveId(cveId, newCve, { upsert: true }) - if (result.cve.cveMetadata.state !== state && (state === CONSTANTS.CVE_STATES.PUBLISHED || state === CONSTANTS.CVE_STATES.REJECTED)) { + if (oldCveID.state !== state && (state === CONSTANTS.CVE_STATES.PUBLISHED || state === CONSTANTS.CVE_STATES.REJECTED)) { await cveIdRepo.updateByCveId(cveId, { state: state }) } @@ -416,6 +417,7 @@ async function updateCve (req, res, next) { logger.info(cveId + ' does not exist.') return res.status(403).json(error.cveDne()) } + const oldCveID = result result = await cveRepo.findOneByCveId(cveId) if (!result) { @@ -424,7 +426,7 @@ async function updateCve (req, res, next) { } await cveRepo.updateByCveId(cveId, newCve) - if (result.cve.cveMetadata.state !== newCveState && (newCveState === CONSTANTS.CVE_STATES.PUBLISHED || newCveState === CONSTANTS.CVE_STATES.REJECTED)) { + if (oldCveID.state !== newCveState && (newCveState === CONSTANTS.CVE_STATES.PUBLISHED || newCveState === CONSTANTS.CVE_STATES.REJECTED)) { await cveIdRepo.updateByCveId(cveId, { state: newCveState }) } @@ -677,10 +679,7 @@ async function rejectCVE (req, res, next) { } // Update state of CVE ID - if (result.cve.cveMetadata.state !== CONSTANTS.CVE_STATES.REJECTED) { - result = await cveIdRepo.updateByCveId(id, { state: CONSTANTS.CVE_STATES.REJECTED }) - } - + result = await cveIdRepo.updateByCveId(id, { state: CONSTANTS.CVE_STATES.REJECTED }) if (!result) { return res.status(500).json(error.serverError()) } @@ -736,6 +735,8 @@ async function rejectExistingCve (req, res, next) { result.cve.dataVersion = CONSTANTS.SCHEMA_VERSION } + // old cve record + const oldCveRecord = result // update CVE record to rejected const updatedRecord = Cve.updateCveToRejected(id, providerMetadata, result.cve, req.ctx.body) const updatedCve = new Cve({ cve: updatedRecord }) @@ -751,12 +752,11 @@ async function rejectExistingCve (req, res, next) { } // update cveID to rejected only if the previous state was not already rejected - if (result.cve.cveMetadata.state !== CONSTANTS.CVE_STATES.REJECTED) { + if (oldCveRecord.cve.cveMetadata.state !== CONSTANTS.CVE_STATES.REJECTED) { result = await cveIdRepo.updateByCveId(id, { state: CONSTANTS.CVE_STATES.REJECTED }) - } - - if (!result) { - return res.status(500).json(error.serverError()) + if (!result) { + return res.status(500).json(error.serverError()) + } } const responseMessage = { From f160f27f32f0b0b3482d079625626bed501ba4e9 Mon Sep 17 00:00:00 2001 From: david-rocca Date: Fri, 20 Dec 2024 10:40:50 -0500 Subject: [PATCH 16/23] Fixed missing comma, and made docs more detailed --- api-docs/openapi.json | 14 +++++++++++++- src/controller/cve.controller/index.js | 4 ++-- src/swagger.js | 2 +- 3 files changed, 16 insertions(+), 4 deletions(-) diff --git a/api-docs/openapi.json b/api-docs/openapi.json index b7e573aa5..de6ecbf6f 100644 --- a/api-docs/openapi.json +++ b/api-docs/openapi.json @@ -1426,6 +1426,18 @@ "type": "string" }, "description": "The CVE ID for which the record is being updated" + }, + { + "$ref": "#/components/parameters/apiEntityHeader" + }, + { + "$ref": "#/components/parameters/apiUserHeader" + }, + { + "$ref": "#/components/parameters/apiSecretHeader" + }, + { + "$ref": "#/components/parameters/erlCheck" } ], "responses": { @@ -3033,7 +3045,7 @@ "erlCheck": { "in": "query", "name": "erlcheck", - "description": "Enables stricter validation that ensures submitted record meets enrichment data requirements", + "description": "Enables stricter validation that ensures submitted record meets enrichment data requirements. For a record to be enriched, a CVSS score and a CWE ID must be provided.", "required": false, "schema": { "type": "boolean" diff --git a/src/controller/cve.controller/index.js b/src/controller/cve.controller/index.js index 78df94a1b..3d6ef4570 100644 --- a/src/controller/cve.controller/index.js +++ b/src/controller/cve.controller/index.js @@ -648,8 +648,8 @@ router.put('/cve/:id/cna', #swagger.parameters['$ref'] = [ '#/components/parameters/apiEntityHeader', '#/components/parameters/apiUserHeader', - '#/components/parameters/apiSecretHeader' - '#/components/parameters/erlCheck', + '#/components/parameters/apiSecretHeader', + '#/components/parameters/erlCheck' ] #swagger.requestBody = { description: '

Notes:

diff --git a/src/swagger.js b/src/swagger.js index 630c0a2c8..3e21fe402 100644 --- a/src/swagger.js +++ b/src/swagger.js @@ -171,7 +171,7 @@ const doc = { erlCheck: { in: 'query', name: 'erlcheck', - description: 'Enables stricter validation that ensures submitted record meets enrichment data requirements', + description: 'Enables stricter validation that ensures submitted record meets enrichment data requirements. For a record to be enriched, a CVSS score and a CWE ID must be provided.', required: false, schema: { type: 'boolean' From 6901b17d72942befc6429885e9445d3262f7a9b9 Mon Sep 17 00:00:00 2001 From: david-rocca Date: Fri, 20 Dec 2024 11:28:25 -0500 Subject: [PATCH 17/23] Fix the actual conflict --- src/controller/cve.controller/cve.controller.js | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/src/controller/cve.controller/cve.controller.js b/src/controller/cve.controller/cve.controller.js index 3a374d534..dd280e346 100644 --- a/src/controller/cve.controller/cve.controller.js +++ b/src/controller/cve.controller/cve.controller.js @@ -488,7 +488,7 @@ async function submitCna (req, res, next) { return res.status(403).json(error.cveRecordExists()) } - const cnaContainer = req.ctx.body.cnaContainer + const cnaContainer = convertDatesToISO(req.ctx.body.cnaContainer, CONSTANTS.DATE_FIELDS) if (erlCheck && !isEnrichedContainer(cnaContainer)) { // Process the ERL check here return res.status(403).json(error.erlCheckFailed()) @@ -497,7 +497,6 @@ async function submitCna (req, res, next) { // create full cve record here const owningCna = await orgRepo.findOneByUUID(cveId.owning_cna) const assignerShortName = owningCna.short_name - const cnaContainer = convertDatesToISO(req.ctx.body.cnaContainer, CONSTANTS.DATE_FIELDS) const dateUpdated = (new Date()).toISOString() const additionalCveMetadataFields = { assignerShortName: assignerShortName, @@ -585,7 +584,7 @@ async function updateCna (req, res, next) { return res.status(403).json(error.cveRecordDne()) } - const cnaContainer = req.ctx.body.cnaContainer + const cnaContainer = convertDatesToISO(req.ctx.body.cnaContainer, CONSTANTS.DATE_FIELDS) if (erlCheck && !isEnrichedContainer(cnaContainer)) { // Process the ERL check here return res.status(403).json(error.erlCheckFailed()) @@ -593,7 +592,6 @@ async function updateCna (req, res, next) { // update cve record here const cveRecord = result.cve - const cnaContainer = convertDatesToISO(req.ctx.body.cnaContainer, CONSTANTS.DATE_FIELDS) const dateUpdated = (new Date()).toISOString() cveRecord.cveMetadata.dateUpdated = dateUpdated From 856dceead8cc4edb2d3ae67de2689484451a5f47 Mon Sep 17 00:00:00 2001 From: david-rocca Date: Mon, 23 Dec 2024 13:29:24 -0500 Subject: [PATCH 18/23] Update reservations to allow new year reservations within 90 days --- .../cve-id.controller/cve-id.controller.js | 87 +++++++++++++++++-- 1 file changed, 78 insertions(+), 9 deletions(-) diff --git a/src/controller/cve-id.controller/cve-id.controller.js b/src/controller/cve-id.controller/cve-id.controller.js index 4dd2c0eb5..6d8865696 100644 --- a/src/controller/cve-id.controller/cve-id.controller.js +++ b/src/controller/cve-id.controller/cve-id.controller.js @@ -455,9 +455,22 @@ async function priorityReservation (year, amount, shortName, orgShortName, reque // Cve Id Range for 'year' does not exists if (!result) { - logger.info({ uuid: req.ctx.uuid, message: 'CVE IDs for year ' + year + ' cannot be reserved at this time.' }) - res.header(CONSTANTS.QUOTA_HEADER, availableIds) - return res.status(403).json(error.cannotReserveForYear(year)) + // If there are less than or equal to 90 days until the end of the year, auto reserve it and move on. + // Otherwise throw failure + if (daysUntilYear(year) <= 90) { + // Auto reserve the year + const successfullyReservedYear = await reserveYear(year, req) + if (!successfullyReservedYear) { + logger.info({ uuid: req.ctx.uuid, message: 'CVE IDs for year ' + year + ' failed to be automatically reserved at this time.' }) + res.header(CONSTANTS.QUOTA_HEADER, availableIds) + return res.status(403).json(error.cannotReserveForYear(year)) + } + result = await cveIdRangeRepo.findOne({ cve_year: year }) + } else { + logger.info({ uuid: req.ctx.uuid, message: 'CVE IDs for year ' + year + ' cannot be reserved at this time.' }) + res.header(CONSTANTS.QUOTA_HEADER, availableIds) + return res.status(403).json(error.cannotReserveForYear(year)) + } } const endRange = parseInt(result.ranges.priority.end) @@ -531,9 +544,22 @@ async function sequentialReservation (year, amount, shortName, orgShortName, req // Cve Id Range for 'year' does not exists if (!result) { - logger.info({ uuid: req.ctx.uuid, message: 'CVE IDs for year ' + year + ' cannot be reserved at this time.' }) - res.header(CONSTANTS.QUOTA_HEADER, availableIds) - return res.status(403).json(error.cannotReserveForYear(year)) + // If there are less than or equal to 90 days until the end of the year, auto reserve it and move on. + // Otherwise throw failure + if (daysUntilYear(year) <= 90) { + // Auto reserve the year + const successfullyReservedYear = await reserveYear(year, req) + if (!successfullyReservedYear) { + logger.info({ uuid: req.ctx.uuid, message: 'CVE IDs for year ' + year + ' failed to be automatically reserved at this time.' }) + res.header(CONSTANTS.QUOTA_HEADER, availableIds) + return res.status(403).json(error.cannotReserveForYear(year)) + } + result = await cveIdRangeRepo.findOne({ cve_year: year }) + } else { + logger.info({ uuid: req.ctx.uuid, message: 'CVE IDs for year ' + year + ' cannot be reserved at this time.' }) + res.header(CONSTANTS.QUOTA_HEADER, availableIds) + return res.status(403).json(error.cannotReserveForYear(year)) + } } const topId = parseInt(result.ranges.general.top_id) @@ -627,9 +653,22 @@ async function nonSequentialReservation (year, amount, shortName, orgShortName, // Cve Id Range for 'year' does not exists if (!result) { - logger.info({ uuid: req.ctx.uuid, message: 'CVE IDs for year ' + year + ' cannot be reserved at this time.' }) - res.header(CONSTANTS.QUOTA_HEADER, availableIds) - return res.status(403).json(error.cannotReserveForYear(year)) + // If there are less than or equal to 90 days until the end of the year, auto reserve it and move on. + // Otherwise throw failure + if (daysUntilYear(year) <= 90) { + // Auto reserve the year + const successfullyReservedYear = await reserveYear(year, req) + if (!successfullyReservedYear) { + logger.info({ uuid: req.ctx.uuid, message: 'CVE IDs for year ' + year + ' failed to be automatically reserved at this time.' }) + res.header(CONSTANTS.QUOTA_HEADER, availableIds) + return res.status(403).json(error.cannotReserveForYear(year)) + } + result = await cveIdRangeRepo.findOne({ cve_year: year }) + } else { + logger.info({ uuid: req.ctx.uuid, message: 'CVE IDs for year ' + year + ' cannot be reserved at this time.' }) + res.header(CONSTANTS.QUOTA_HEADER, availableIds) + return res.status(403).json(error.cannotReserveForYear(year)) + } } available = await cveIdRepo.find({ cve_year: year, state: 'AVAILABLE' }, { limit: availableLimit }) // get available ids @@ -944,6 +983,36 @@ function setMinAggregateObj (query) { ] } +function daysUntilYear (targetYear) { + // Get today's date + const today = new Date() + + // Create a date object for January 1st of the target year + const targetDate = new Date(targetYear, 0, 1) // Month is 0-indexed, so 0 is January + + // Calculate the difference in milliseconds + const differenceInMilliseconds = targetDate - today + + // Convert milliseconds to days + const millisecondsPerDay = 1000 * 60 * 60 * 24 + const differenceInDays = Math.ceil(differenceInMilliseconds / millisecondsPerDay) + + return differenceInDays +} + +async function reserveYear (targetYear, req) { + try { + const CONSTANTS = getConstants() + const cveIdRangeRepo = req.ctx.repositories.getCveIdRangeRepository() + const defaultDoc = CONSTANTS.DEFAULT_CVE_ID_RANGE + defaultDoc.cve_year = targetYear + await cveIdRangeRepo.findOneAndUpdate({ cve_year: targetYear }, defaultDoc, { upsert: true }) + return true + } catch (err) { + return false + } +} + module.exports = { CVEID_GET_FILTER: getFilteredCveId, CVEID_RESERVE: reserveCveId, From be57c9411c3af43cfce0fc2ba4859a1581413cdf Mon Sep 17 00:00:00 2001 From: david-rocca Date: Thu, 26 Dec 2024 09:40:35 -0500 Subject: [PATCH 19/23] added documentation for the rate limiting vars in the .env --- .env | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.env b/.env index d53ac3ea7..fec7bf5f6 100644 --- a/.env +++ b/.env @@ -1,4 +1,8 @@ PORT = 3000 LOCAL_KEY=TCF25YM-39C4H6D-KA32EGF-V5XSHN3 +# The duration of the rate limiting window in seconds. +# This defines the time frame for which the rate limit is applied. RATE_LIMIT_WINDOW_SECONDS=60 +# The maximum number of connections allowed within the rate limiting window. +# This sets the threshold for how many requests can be made in the specified time frame. RATE_LIMIT_MAX_CONNECTIONS=1000 From d175a7793f6f76885188adcd6e774d34077e15b0 Mon Sep 17 00:00:00 2001 From: david-rocca Date: Fri, 27 Dec 2024 12:16:41 -0500 Subject: [PATCH 20/23] Javascript do be passing by reference --- src/controller/cve.controller/cve.controller.js | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/src/controller/cve.controller/cve.controller.js b/src/controller/cve.controller/cve.controller.js index 7c7934236..687c315fb 100644 --- a/src/controller/cve.controller/cve.controller.js +++ b/src/controller/cve.controller/cve.controller.js @@ -8,6 +8,8 @@ const convertDatesToISO = require('../../utils/utils').convertDatesToISO const isEnrichedContainer = require('../../utils/utils').isEnrichedContainer const url = process.env.NODE_ENV === 'staging' ? 'https://test.cve.org/' : 'https://cve.org/' +const _ = require('lodash') + // Helper function to create providerMetadata object function createProviderMetadata (orgId, shortName, updateDate) { return { orgId: orgId, shortName: shortName, dateUpdated: updateDate } @@ -353,7 +355,7 @@ async function submitCve (req, res, next) { // check that cve id exists let result = await cveIdRepo.findOneByCveId(id) - const oldCveID = result + const oldCveID = _.cloneDeep(result) if (!result || result.state === CONSTANTS.CVE_STATES.AVAILABLE) { return res.status(403).json(error.cveDne()) } @@ -420,7 +422,7 @@ async function updateCve (req, res, next) { logger.info(cveId + ' does not exist.') return res.status(403).json(error.cveDne()) } - const oldCveID = result + const oldCveID = _.cloneDeep(result) result = await cveRepo.findOneByCveId(cveId) if (!result) { @@ -765,7 +767,7 @@ async function rejectExistingCve (req, res, next) { } // old cve record - const oldCveRecord = result + const oldCveRecord = _.cloneDeep(result) // update CVE record to rejected const updatedRecord = Cve.updateCveToRejected(id, providerMetadata, result.cve, req.ctx.body) const updatedCve = new Cve({ cve: convertDatesToISO(updatedRecord, CONSTANTS.DATE_FIELDS) }) From 2c2cee915ae50a41d42f12d90a31a723009bc04e Mon Sep 17 00:00:00 2001 From: david-rocca Date: Thu, 2 Jan 2025 13:12:00 -0500 Subject: [PATCH 21/23] Updated examples to have cvssv4_0 --- api-docs/openapi.json | 270 ++ .../cve/create-adp-record-adp-request.json | 274 +- .../cve/create-cve-record-cna-request.json | 2482 ++++++++------- ...create-cve-record-secretariat-request.json | 2794 +++++++++-------- 4 files changed, 3451 insertions(+), 2369 deletions(-) diff --git a/api-docs/openapi.json b/api-docs/openapi.json index de6ecbf6f..6f9b15acc 100644 --- a/api-docs/openapi.json +++ b/api-docs/openapi.json @@ -3973,6 +3973,11 @@ "items": { "type": "object", "anyOf": [ + { + "required": [ + "cvssV4_0" + ] + }, { "required": [ "cvssV3_1" @@ -4018,6 +4023,271 @@ ] } }, + "cvssV4_0": { + "$schema": "http://json-schema.org/draft-07/schema#", + "additionalProperties": false, + "allOf": [ + { + "properties": { + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType" + } + } + }, + { + "properties": { + "threatScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType" + }, + "threatSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType" + } + } + }, + { + "properties": { + "environmentalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType" + }, + "environmentalSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType" + } + } + } + ], + "definitions": { + "attackComplexityType": { + "type": "string" + }, + "attackRequirementsType": { + "type": "string" + }, + "attackVectorType": { + "type": "string" + }, + "automatableType": { + "type": "string" + }, + "ciaRequirementType": { + "type": "string" + }, + "criticalScoreType": { + "type": "number" + }, + "criticalSeverityType": { + "const": "string" + }, + "exploitMaturityType": { + "type": "string" + }, + "highScoreType": { + "type": "number" + }, + "highSeverityType": { + "type": "string" + }, + "lowScoreType": { + "type": "number" + }, + "lowSeverityType": { + "type": "string" + }, + "mediumScoreType": { + "type": "number" + }, + "mediumSeverityType": { + "const": "string" + }, + "modifiedAttackComplexityType": { + "type": "string" + }, + "modifiedAttackRequirementsType": { + "type": "string" + }, + "modifiedAttackVectorType": { + "type": "string" + }, + "modifiedPrivilegesRequiredType": { + "type": "string" + }, + "modifiedSubCType": { + "type": "string" + }, + "modifiedSubIaType": { + "type": "string" + }, + "modifiedUserInteractionType": { + "type": "string" + }, + "modifiedVulnCiaType": { + "type": "string" + }, + "noneScoreType": { + "type": "number" + }, + "noneSeverityType": { + "const": "string" + }, + "privilegesRequiredType": { + "type": "string" + }, + "providerUrgencyType": { + "type": "string" + }, + "recoveryType": { + "type": "string" + }, + "safetyType": { + "type": "string" + }, + "scoreType": { + "type": "number" + }, + "severityType": { + "type": "string" + }, + "subCiaType": { + "type": "string" + }, + "userInteractionType": { + "type": "string" + }, + "valueDensityType": { + "type": "string" + }, + "vulnCiaType": { + "type": "string" + }, + "vulnerabilityResponseEffortType": { + "type": "string" + } + }, + "properties": { + "Automatable": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/automatableType" + }, + "Recovery": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/recoveryType" + }, + "Safety": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/safetyType" + }, + "attackComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/attackComplexityType" + }, + "attackRequirements": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/attackRequirementsType" + }, + "attackVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/attackVectorType" + }, + "availabilityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType" + }, + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/scoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/severityType" + }, + "confidentialityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType" + }, + "exploitMaturity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/exploitMaturityType" + }, + "integrityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType" + }, + "modifiedAttackComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackComplexityType" + }, + "modifiedAttackRequirements": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackRequirementsType" + }, + "modifiedAttackVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackVectorType" + }, + "modifiedPrivilegesRequired": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedPrivilegesRequiredType" + }, + "modifiedSubAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubIaType" + }, + "modifiedSubConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubCType" + }, + "modifiedSubIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubIaType" + }, + "modifiedUserInteraction": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedUserInteractionType" + }, + "modifiedVulnAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType" + }, + "modifiedVulnConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType" + }, + "modifiedVulnIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType" + }, + "privilegesRequired": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/privilegesRequiredType" + }, + "providerUrgency": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/providerUrgencyType" + }, + "subAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType" + }, + "subConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType" + }, + "subIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType" + }, + "userInteraction": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/userInteractionType" + }, + "valueDensity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/valueDensityType" + }, + "vectorString": { + "type": "string" + }, + "version": { + "description": "CVSS Version", + "enum": [ + "4.0" + ], + "type": "string" + }, + "vulnAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType" + }, + "vulnConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType" + }, + "vulnIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType" + }, + "vulnerabilityResponseEffort": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnerabilityResponseEffortType" + } + }, + "required": [ + "version", + "vectorString", + "baseScore", + "baseSeverity" + ], + "title": "JSON Schema for Common Vulnerability Scoring System version 4.0", + "type": "object" + }, "cvssV3_1": { "$schema": "http://json-schema.org/draft-07/schema#", "type": "object", diff --git a/schemas/cve/create-adp-record-adp-request.json b/schemas/cve/create-adp-record-adp-request.json index 3a46ab774..c1264904e 100644 --- a/schemas/cve/create-adp-record-adp-request.json +++ b/schemas/cve/create-adp-record-adp-request.json @@ -581,6 +581,11 @@ "items": { "type": "object", "anyOf": [ + { + "required": [ + "cvssV4_0" + ] + }, { "required": [ "cvssV3_1" @@ -626,6 +631,271 @@ ] } }, + "cvssV4_0": { + "$schema": "http://json-schema.org/draft-07/schema#", + "additionalProperties": false, + "allOf": [ + { + "properties": { + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType" + } + } + }, + { + "properties": { + "threatScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType" + }, + "threatSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType" + } + } + }, + { + "properties": { + "environmentalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType" + }, + "environmentalSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType" + } + } + } + ], + "definitions": { + "attackComplexityType": { + "type": "string" + }, + "attackRequirementsType": { + "type": "string" + }, + "attackVectorType": { + "type": "string" + }, + "automatableType": { + "type": "string" + }, + "ciaRequirementType": { + "type": "string" + }, + "criticalScoreType": { + "type": "number" + }, + "criticalSeverityType": { + "const": "string" + }, + "exploitMaturityType": { + "type": "string" + }, + "highScoreType": { + "type": "number" + }, + "highSeverityType": { + "type": "string" + }, + "lowScoreType": { + "type": "number" + }, + "lowSeverityType": { + "type": "string" + }, + "mediumScoreType": { + "type": "number" + }, + "mediumSeverityType": { + "const": "string" + }, + "modifiedAttackComplexityType": { + "type": "string" + }, + "modifiedAttackRequirementsType": { + "type": "string" + }, + "modifiedAttackVectorType": { + "type": "string" + }, + "modifiedPrivilegesRequiredType": { + "type": "string" + }, + "modifiedSubCType": { + "type": "string" + }, + "modifiedSubIaType": { + "type": "string" + }, + "modifiedUserInteractionType": { + "type": "string" + }, + "modifiedVulnCiaType": { + "type": "string" + }, + "noneScoreType": { + "type": "number" + }, + "noneSeverityType": { + "const": "string" + }, + "privilegesRequiredType": { + "type": "string" + }, + "providerUrgencyType": { + "type": "string" + }, + "recoveryType": { + "type": "string" + }, + "safetyType": { + "type": "string" + }, + "scoreType": { + "type": "number" + }, + "severityType": { + "type": "string" + }, + "subCiaType": { + "type": "string" + }, + "userInteractionType": { + "type": "string" + }, + "valueDensityType": { + "type": "string" + }, + "vulnCiaType": { + "type": "string" + }, + "vulnerabilityResponseEffortType": { + "type": "string" + } + }, + "properties": { + "Automatable": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/automatableType" + }, + "Recovery": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/recoveryType" + }, + "Safety": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/safetyType" + }, + "attackComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/attackComplexityType" + }, + "attackRequirements": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/attackRequirementsType" + }, + "attackVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/attackVectorType" + }, + "availabilityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType" + }, + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/scoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/severityType" + }, + "confidentialityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType" + }, + "exploitMaturity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/exploitMaturityType" + }, + "integrityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType" + }, + "modifiedAttackComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackComplexityType" + }, + "modifiedAttackRequirements": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackRequirementsType" + }, + "modifiedAttackVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackVectorType" + }, + "modifiedPrivilegesRequired": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedPrivilegesRequiredType" + }, + "modifiedSubAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubIaType" + }, + "modifiedSubConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubCType" + }, + "modifiedSubIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubIaType" + }, + "modifiedUserInteraction": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedUserInteractionType" + }, + "modifiedVulnAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType" + }, + "modifiedVulnConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType" + }, + "modifiedVulnIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType" + }, + "privilegesRequired": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/privilegesRequiredType" + }, + "providerUrgency": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/providerUrgencyType" + }, + "subAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType" + }, + "subConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType" + }, + "subIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType" + }, + "userInteraction": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/userInteractionType" + }, + "valueDensity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/valueDensityType" + }, + "vectorString": { + "type": "string" + }, + "version": { + "description": "CVSS Version", + "enum": [ + "4.0" + ], + "type": "string" + }, + "vulnAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType" + }, + "vulnConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType" + }, + "vulnIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType" + }, + "vulnerabilityResponseEffort": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnerabilityResponseEffortType" + } + }, + "required": [ + "version", + "vectorString", + "baseScore", + "baseSeverity" + ], + "title": "JSON Schema for Common Vulnerability Scoring System version 4.0", + "type": "object" + }, "cvssV3_1": { "$schema": "http://json-schema.org/draft-07/schema#", "type": "object", @@ -1315,7 +1585,9 @@ "additionalProperties": false } }, - "required":["adpContainer"], + "required": [ + "adpContainer" + ], "properties": { "adpContainer": { "$ref": "#/definitions/adpContainer" diff --git a/schemas/cve/create-cve-record-cna-request.json b/schemas/cve/create-cve-record-cna-request.json index e46b76117..0f39c162e 100644 --- a/schemas/cve/create-cve-record-cna-request.json +++ b/schemas/cve/create-cve-record-cna-request.json @@ -1,1191 +1,1461 @@ { - "$schema": "http://json-schema.org/draft-07/schema#", - "$id": "https://cve.org/cve/record/v5_00/", - "type": "object", - "title": "CVE JSON record format", - "description": "cve-schema specifies the CVE JSON record format. This is the blueprint for a rich set of JSON data that can be submitted by CVE Numbering Authorities (CNAs) and Authorized Data Publishers (ADPs) to describe a CVE Record. Some examples of CVE Record data include CVE ID number, affected product(s), affected version(s), and public references. While those specific items are required when assigning a CVE, there are many other optional data in the schema that can be used to enrich CVE Records for community benefit. Learn more about the CVE program at [the official website](https://cve.mitre.org). This CVE JSON record format is defined using JSON Schema. Learn more about JSON Schema [here](https://json-schema.org/).", - "definitions": { - "uriType": { - "type": "string", - "format": "uri" + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "https://cve.org/cve/record/v5_00/", + "type": "object", + "title": "CVE JSON record format", + "description": "cve-schema specifies the CVE JSON record format. This is the blueprint for a rich set of JSON data that can be submitted by CVE Numbering Authorities (CNAs) and Authorized Data Publishers (ADPs) to describe a CVE Record. Some examples of CVE Record data include CVE ID number, affected product(s), affected version(s), and public references. While those specific items are required when assigning a CVE, there are many other optional data in the schema that can be used to enrich CVE Records for community benefit. Learn more about the CVE program at [the official website](https://cve.mitre.org). This CVE JSON record format is defined using JSON Schema. Learn more about JSON Schema [here](https://json-schema.org/).", + "definitions": { + "uriType": { + "type": "string", + "format": "uri" + }, + "uuidType": { + "type": "string" + }, + "reference": { + "type": "object", + "required": [ + "url" + ], + "properties": { + "url": { + "$ref": "#/definitions/uriType" }, - "uuidType": { - "type": "string" + "name": { + "type": "string" }, - "reference": { - "type": "object", - "required": [ - "url" - ], - "properties": { - "url": { - "$ref": "#/definitions/uriType" - }, - "name": { - "type": "string" - }, - "tags": { - "type": "array", - "items": { - "oneOf": [ - { - "$ref": "#/definitions/tagExtension" - }, - { - "$schema": "http://json-schema.org/draft-07/schema#", - "$id": "https://cve.mitre.org/cve/v5_00/tags/reference/", - "type": "string" - } - ] - } - } + "tags": { + "type": "array", + "items": { + "oneOf": [ + { + "$ref": "#/definitions/tagExtension" + }, + { + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "https://cve.mitre.org/cve/v5_00/tags/reference/", + "type": "string" + } + ] + } + } + } + }, + "cveId": { + "type": "string" + }, + "orgId": { + "$ref": "#/definitions/uuidType" + }, + "userId": { + "$ref": "#/definitions/uuidType" + }, + "shortName": { + "type": "string" + }, + "datestamp": { + "type": "string", + "format": "date" + }, + "timestamp": { + "type": "string", + "format": "date-time" + }, + "version": { + "type": "string" + }, + "status": { + "type": "string" + }, + "product": { + "type": "object", + "allOf": [ + { + "anyOf": [ + { + "required": [ + "vendor", + "product" + ] + }, + { + "required": [ + "collectionURL", + "packageName" + ] } + ] }, - "cveId": { - "type": "string" + { + "anyOf": [ + { + "required": [ + "versions" + ] + }, + { + "required": [ + "defaultStatus" + ] + } + ] + } + ], + "properties": { + "vendor": { + "type": "string" }, - "orgId": { - "$ref": "#/definitions/uuidType" + "product": { + "type": "string" }, - "userId": { - "$ref": "#/definitions/uuidType" + "collectionURL": { + "$ref": "#/definitions/uriType" }, - "shortName": { - "type": "string" + "packageName": { + "type": "string" }, - "datestamp": { - "type": "string", - "format": "date" + "cpes": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "string" + } }, - "timestamp": { - "type": "string", - "format": "date-time" + "modules": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "string" + } }, - "version": { + "programFiles": { + "type": "array", + "uniqueItems": true, + "items": { "type": "string" + } + }, + "programRoutines": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { + "type": "string" + } + } + } }, - "status": { + "platforms": { + "type": "array", + "uniqueItems": true, + "items": { "type": "string" + } }, - "product": { + "repo": { + "$ref": "#/definitions/uriType" + }, + "defaultStatus": { + "$ref": "#/definitions/status" + }, + "versions": { + "type": "array", + "uniqueItems": true, + "items": { "type": "object", - "allOf": [ - { - "anyOf": [ - { - "required": [ - "vendor", - "product" - ] - }, - { - "required": [ - "collectionURL", - "packageName" - ] - } + "oneOf": [ + { + "required": [ + "version", + "status" + ], + "maxProperties": 2 + }, + { + "required": [ + "version", + "status", + "versionType" + ], + "oneOf": [ + { + "required": [ + "lessThan" ] - }, - { - "anyOf": [ - { - "required": [ - "versions" - ] - }, - { - "required": [ - "defaultStatus" - ] - } + }, + { + "required": [ + "lessThanOrEqual" ] - } + } + ] + } ], "properties": { - "vendor": { - "type": "string" - }, - "product": { - "type": "string" - }, - "collectionURL": { - "$ref": "#/definitions/uriType" - }, - "packageName": { - "type": "string" - }, - "cpes": { - "type": "array", - "uniqueItems": true, - "items": { - "type": "string" - } - }, - "modules": { - "type": "array", - "uniqueItems": true, - "items": { - "type": "string" - } - }, - "programFiles": { - "type": "array", - "uniqueItems": true, - "items": { - "type": "string" - } - }, - "programRoutines": { - "type": "array", - "uniqueItems": true, - "items": { - "type": "object", - "required": [ - "name" - ], - "properties": { - "name": { - "type": "string" - } - } - } - }, - "platforms": { - "type": "array", - "uniqueItems": true, - "items": { - "type": "string" - } - }, - "repo": { - "$ref": "#/definitions/uriType" - }, - "defaultStatus": { - "$ref": "#/definitions/status" - }, - "versions": { - "type": "array", - "uniqueItems": true, - "items": { - "type": "object", - "oneOf": [ - { - "required": [ - "version", - "status" - ], - "maxProperties": 2 - }, - { - "required": [ - "version", - "status", - "versionType" - ], - "oneOf": [ - { - "required": [ - "lessThan" - ] - }, - { - "required": [ - "lessThanOrEqual" - ] - } - ] - } - ], - "properties": { - "version": { - "$ref": "#/definitions/version" - }, - "status": { - "$ref": "#/definitions/status" - }, - "versionType": { - "type": "string" - }, - "lessThan": { - "$ref": "#/definitions/version" - }, - "lessThanOrEqual": { - "$ref": "#/definitions/version" - }, - "changes": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "required": [ - "at", - "status" - ], - "properties": { - "at": { - "$ref": "#/definitions/version" - }, - "status": { - "$ref": "#/definitions/status" - } - } - } - } - } + "version": { + "$ref": "#/definitions/version" + }, + "status": { + "$ref": "#/definitions/status" + }, + "versionType": { + "type": "string" + }, + "lessThan": { + "$ref": "#/definitions/version" + }, + "lessThanOrEqual": { + "$ref": "#/definitions/version" + }, + "changes": { + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "type": "object", + "required": [ + "at", + "status" + ], + "properties": { + "at": { + "$ref": "#/definitions/version" + }, + "status": { + "$ref": "#/definitions/status" } + } } + } } + } + } + } + }, + "dataType": { + "type": "string" + }, + "dataVersion": { + "type": "string" + }, + "cveMetadataPublished": { + "type": "object", + "required": [ + "cveId", + "assignerOrgId", + "state" + ], + "properties": { + "cveId": { + "$ref": "#/definitions/cveId" }, - "dataType": { - "type": "string" + "assignerOrgId": { + "$ref": "#/definitions/orgId" }, - "dataVersion": { - "type": "string" + "assignerShortName": { + "$ref": "#/definitions/shortName" + }, + "requesterUserId": { + "$ref": "#/definitions/userId" + }, + "dateUpdated": { + "$ref": "#/definitions/timestamp" + }, + "serial": { + "type": "integer" + }, + "dateReserved": { + "$ref": "#/definitions/timestamp" + }, + "datePublished": { + "$ref": "#/definitions/timestamp" + }, + "state": { + "type": "string" + } + }, + "additionalProperties": false + }, + "providerMetadata": { + "type": "object", + "properties": { + "orgId": { + "$ref": "#/definitions/orgId" + }, + "shortName": { + "$ref": "#/definitions/shortName" + }, + "dateUpdated": { + "$ref": "#/definitions/timestamp" + } + }, + "required": [ + "orgId" + ] + }, + "affected": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#/definitions/product" + } + }, + "description": { + "type": "object", + "properties": { + "lang": { + "$ref": "#/definitions/language" + }, + "value": { + "type": "string" }, - "cveMetadataPublished": { + "supportingMedia": { + "type": "array", + "uniqueItems": true, + "minItems": 1, + "items": { "type": "object", - "required": [ - "cveId", - "assignerOrgId", - "state" - ], "properties": { - "cveId": { - "$ref": "#/definitions/cveId" - }, - "assignerOrgId": { - "$ref": "#/definitions/orgId" - }, - "assignerShortName": { - "$ref": "#/definitions/shortName" - }, - "requesterUserId": { - "$ref": "#/definitions/userId" - }, - "dateUpdated": { - "$ref": "#/definitions/timestamp" - }, - "serial": { - "type": "integer" - }, - "dateReserved": { - "$ref": "#/definitions/timestamp" + "type": { + "type": "string" + }, + "base64": { + "type": "boolean", + "default": false + }, + "value": { + "type": "string" + } + }, + "required": [ + "type", + "value" + ] + } + } + }, + "required": [ + "lang", + "value" + ], + "additionalProperties": false + }, + "englishLanguageDescription": { + "type": "object", + "properties": { + "lang": { + "$ref": "#/definitions/englishLanguage" + } + }, + "required": [ + "lang" + ] + }, + "descriptions": { + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "$ref": "#/definitions/description" + }, + "contains": { + "$ref": "#/definitions/englishLanguageDescription" + } + }, + "problemTypes": { + "type": "array", + "items": { + "type": "object", + "required": [ + "descriptions" + ], + "properties": { + "descriptions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "lang", + "description" + ], + "properties": { + "lang": { + "$ref": "#/definitions/language" }, - "datePublished": { - "$ref": "#/definitions/timestamp" + "description": { + "type": "string" }, - "state": { - "type": "string" - } - }, - "additionalProperties": false - }, - "providerMetadata": { - "type": "object", - "properties": { - "orgId": { - "$ref": "#/definitions/orgId" + "cweId": { + "type": "string" }, - "shortName": { - "$ref": "#/definitions/shortName" + "type": { + "type": "string" }, - "dateUpdated": { - "$ref": "#/definitions/timestamp" + "references": { + "$ref": "#/definitions/references" } + } }, + "minItems": 1, + "uniqueItems": true + } + } + }, + "minItems": 1, + "uniqueItems": true + }, + "references": { + "type": "array", + "items": { + "$ref": "#/definitions/reference" + }, + "minItems": 1, + "maxItems": 512, + "uniqueItems": true + }, + "impacts": { + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "type": "object", + "required": [ + "descriptions" + ], + "properties": { + "capecId": { + "type": "string" + }, + "descriptions": { + "$ref": "#/definitions/descriptions" + } + } + } + }, + "metrics": { + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "type": "object", + "anyOf": [ + { "required": [ - "orgId" + "cvssV4_0" ] - }, - "affected": { + }, + { + "required": [ + "cvssV3_1" + ] + }, + { + "required": [ + "cvssV3_0" + ] + }, + { + "required": [ + "cvssV2_0" + ] + }, + { + "required": [ + "other" + ] + } + ], + "properties": { + "format": { + "type": "string" + }, + "scenarios": { "type": "array", "minItems": 1, + "uniqueItems": true, "items": { - "$ref": "#/definitions/product" - } - }, - "description": { - "type": "object", - "properties": { + "type": "object", + "properties": { "lang": { - "$ref": "#/definitions/language" + "$ref": "#/definitions/language" }, "value": { - "type": "string" - }, - "supportingMedia": { - "type": "array", - "uniqueItems": true, - "minItems": 1, - "items": { - "type": "object", - "properties": { - "type": { - "type": "string" - }, - "base64": { - "type": "boolean", - "default": false - }, - "value": { - "type": "string" - } - }, - "required": [ - "type", - "value" - ] - } + "type": "string" } - }, - "required": [ + }, + "required": [ "lang", "value" + ] + } + }, + "cvssV4_0": { + "$schema": "http://json-schema.org/draft-07/schema#", + "additionalProperties": false, + "allOf": [ + { + "properties": { + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType" + } + } + }, + { + "properties": { + "threatScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType" + }, + "threatSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType" + } + } + }, + { + "properties": { + "environmentalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType" + }, + "environmentalSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType" + } + } + } ], - "additionalProperties": false - }, - "englishLanguageDescription": { + "definitions": { + "attackComplexityType": { + "type": "string" + }, + "attackRequirementsType": { + "type": "string" + }, + "attackVectorType": { + "type": "string" + }, + "automatableType": { + "type": "string" + }, + "ciaRequirementType": { + "type": "string" + }, + "criticalScoreType": { + "type": "number" + }, + "criticalSeverityType": { + "const": "string" + }, + "exploitMaturityType": { + "type": "string" + }, + "highScoreType": { + "type": "number" + }, + "highSeverityType": { + "type": "string" + }, + "lowScoreType": { + "type": "number" + }, + "lowSeverityType": { + "type": "string" + }, + "mediumScoreType": { + "type": "number" + }, + "mediumSeverityType": { + "const": "string" + }, + "modifiedAttackComplexityType": { + "type": "string" + }, + "modifiedAttackRequirementsType": { + "type": "string" + }, + "modifiedAttackVectorType": { + "type": "string" + }, + "modifiedPrivilegesRequiredType": { + "type": "string" + }, + "modifiedSubCType": { + "type": "string" + }, + "modifiedSubIaType": { + "type": "string" + }, + "modifiedUserInteractionType": { + "type": "string" + }, + "modifiedVulnCiaType": { + "type": "string" + }, + "noneScoreType": { + "type": "number" + }, + "noneSeverityType": { + "const": "string" + }, + "privilegesRequiredType": { + "type": "string" + }, + "providerUrgencyType": { + "type": "string" + }, + "recoveryType": { + "type": "string" + }, + "safetyType": { + "type": "string" + }, + "scoreType": { + "type": "number" + }, + "severityType": { + "type": "string" + }, + "subCiaType": { + "type": "string" + }, + "userInteractionType": { + "type": "string" + }, + "valueDensityType": { + "type": "string" + }, + "vulnCiaType": { + "type": "string" + }, + "vulnerabilityResponseEffortType": { + "type": "string" + } + }, + "properties": { + "Automatable": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/automatableType" + }, + "Recovery": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/recoveryType" + }, + "Safety": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/safetyType" + }, + "attackComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/attackComplexityType" + }, + "attackRequirements": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/attackRequirementsType" + }, + "attackVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/attackVectorType" + }, + "availabilityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType" + }, + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/scoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/severityType" + }, + "confidentialityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType" + }, + "exploitMaturity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/exploitMaturityType" + }, + "integrityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType" + }, + "modifiedAttackComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackComplexityType" + }, + "modifiedAttackRequirements": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackRequirementsType" + }, + "modifiedAttackVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackVectorType" + }, + "modifiedPrivilegesRequired": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedPrivilegesRequiredType" + }, + "modifiedSubAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubIaType" + }, + "modifiedSubConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubCType" + }, + "modifiedSubIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubIaType" + }, + "modifiedUserInteraction": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedUserInteractionType" + }, + "modifiedVulnAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType" + }, + "modifiedVulnConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType" + }, + "modifiedVulnIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType" + }, + "privilegesRequired": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/privilegesRequiredType" + }, + "providerUrgency": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/providerUrgencyType" + }, + "subAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType" + }, + "subConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType" + }, + "subIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType" + }, + "userInteraction": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/userInteractionType" + }, + "valueDensity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/valueDensityType" + }, + "vectorString": { + "type": "string" + }, + "version": { + "description": "CVSS Version", + "enum": [ + "4.0" + ], + "type": "string" + }, + "vulnAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType" + }, + "vulnConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType" + }, + "vulnIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType" + }, + "vulnerabilityResponseEffort": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnerabilityResponseEffortType" + } + }, + "required": [ + "version", + "vectorString", + "baseScore", + "baseSeverity" + ], + "title": "JSON Schema for Common Vulnerability Scoring System version 4.0", + "type": "object" + }, + "cvssV3_1": { + "$schema": "http://json-schema.org/draft-07/schema#", "type": "object", + "definitions": { + "attackVectorType": { + "type": "string" + }, + "modifiedAttackVectorType": { + "type": "string" + }, + "attackComplexityType": { + "type": "string" + }, + "modifiedAttackComplexityType": { + "type": "string" + }, + "privilegesRequiredType": { + "type": "string" + }, + "modifiedPrivilegesRequiredType": { + "type": "string" + }, + "userInteractionType": { + "type": "string" + }, + "modifiedUserInteractionType": { + "type": "string" + }, + "scopeType": { + "type": "string" + }, + "modifiedScopeType": { + "type": "string" + }, + "ciaType": { + "type": "string" + }, + "modifiedCiaType": { + "type": "string" + }, + "exploitCodeMaturityType": { + "type": "string" + }, + "remediationLevelType": { + "type": "string" + }, + "confidenceType": { + "type": "string" + }, + "ciaRequirementType": { + "type": "string" + }, + "scoreType": { + "type": "number" + }, + "severityType": { + "type": "string" + } + }, "properties": { - "lang": { - "$ref": "#/definitions/englishLanguage" - } + "version": { + "description": "CVSS Version", + "type": "string" + }, + "vectorString": { + "type": "string" + }, + "attackVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/attackVectorType" + }, + "attackComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/attackComplexityType" + }, + "privilegesRequired": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/privilegesRequiredType" + }, + "userInteraction": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/userInteractionType" + }, + "scope": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scopeType" + }, + "confidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType" + }, + "integrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType" + }, + "availabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType" + }, + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType" + }, + "exploitCodeMaturity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/exploitCodeMaturityType" + }, + "remediationLevel": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/remediationLevelType" + }, + "reportConfidence": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/confidenceType" + }, + "temporalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType" + }, + "temporalSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType" + }, + "confidentialityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType" + }, + "integrityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType" + }, + "availabilityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType" + }, + "modifiedAttackVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedAttackVectorType" + }, + "modifiedAttackComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedAttackComplexityType" + }, + "modifiedPrivilegesRequired": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedPrivilegesRequiredType" + }, + "modifiedUserInteraction": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedUserInteractionType" + }, + "modifiedScope": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedScopeType" + }, + "modifiedConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType" + }, + "modifiedIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType" + }, + "modifiedAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType" + }, + "environmentalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType" + }, + "environmentalSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType" + } + }, + "required": [ + "version", + "vectorString", + "baseScore", + "baseSeverity" + ] + }, + "cvssV3_0": { + "$schema": "http://json-schema.org/draft-04/schema#", + "type": "object", + "definitions": { + "attackVectorType": { + "type": "string" + }, + "modifiedAttackVectorType": { + "type": "string" + }, + "attackComplexityType": { + "type": "string" + }, + "modifiedAttackComplexityType": { + "type": "string" + }, + "privilegesRequiredType": { + "type": "string" + }, + "modifiedPrivilegesRequiredType": { + "type": "string" + }, + "userInteractionType": { + "type": "string" + }, + "modifiedUserInteractionType": { + "type": "string" + }, + "scopeType": { + "type": "string" + }, + "modifiedScopeType": { + "type": "string" + }, + "ciaType": { + "type": "string" + }, + "modifiedCiaType": { + "type": "string" + }, + "exploitCodeMaturityType": { + "type": "string" + }, + "remediationLevelType": { + "type": "string" + }, + "confidenceType": { + "type": "string" + }, + "ciaRequirementType": { + "type": "string" + }, + "scoreType": { + "type": "number" + }, + "severityType": { + "type": "string" + } + }, + "properties": { + "version": { + "type": "string" + }, + "vectorString": { + "type": "string" + }, + "attackVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/attackVectorType" + }, + "attackComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/attackComplexityType" + }, + "privilegesRequired": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/privilegesRequiredType" + }, + "userInteraction": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/userInteractionType" + }, + "scope": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scopeType" + }, + "confidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType" + }, + "integrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType" + }, + "availabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType" + }, + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType" + }, + "exploitCodeMaturity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/exploitCodeMaturityType" + }, + "remediationLevel": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/remediationLevelType" + }, + "reportConfidence": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/confidenceType" + }, + "temporalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType" + }, + "temporalSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType" + }, + "confidentialityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType" + }, + "integrityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType" + }, + "availabilityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType" + }, + "modifiedAttackVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedAttackVectorType" + }, + "modifiedAttackComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedAttackComplexityType" + }, + "modifiedPrivilegesRequired": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedPrivilegesRequiredType" + }, + "modifiedUserInteraction": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedUserInteractionType" + }, + "modifiedScope": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedScopeType" + }, + "modifiedConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType" + }, + "modifiedIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType" + }, + "modifiedAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType" + }, + "environmentalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType" + }, + "environmentalSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType" + } }, "required": [ - "lang" + "version", + "vectorString", + "baseScore", + "baseSeverity" ] + }, + "cvssV2_0": { + "$schema": "http://json-schema.org/draft-04/schema#", + "type": "object", + "definitions": { + "accessVectorType": { + "type": "string" + }, + "accessComplexityType": { + "type": "string" + }, + "authenticationType": { + "type": "string" + }, + "ciaType": { + "type": "string" + }, + "exploitabilityType": { + "type": "string" + }, + "remediationLevelType": { + "type": "string" + }, + "reportConfidenceType": { + "type": "string" + }, + "collateralDamagePotentialType": { + "type": "string" + }, + "targetDistributionType": { + "type": "string" + }, + "ciaRequirementType": { + "type": "string" + }, + "scoreType": { + "type": "number" + } + }, + "properties": { + "version": { + "type": "string" + }, + "vectorString": { + "type": "string" + }, + "accessVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/accessVectorType" + }, + "accessComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/accessComplexityType" + }, + "authentication": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/authenticationType" + }, + "confidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType" + }, + "integrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType" + }, + "availabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType" + }, + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType" + }, + "exploitability": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/exploitabilityType" + }, + "remediationLevel": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/remediationLevelType" + }, + "reportConfidence": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/reportConfidenceType" + }, + "temporalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType" + }, + "collateralDamagePotential": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/collateralDamagePotentialType" + }, + "targetDistribution": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/targetDistributionType" + }, + "confidentialityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType" + }, + "integrityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType" + }, + "availabilityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType" + }, + "environmentalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType" + } + }, + "required": [ + "version", + "vectorString", + "baseScore" + ] + }, + "other": { + "type": "object", + "required": [ + "type", + "content" + ], + "properties": { + "type": { + "type": "string" + }, + "content": { + "type": "object" + } + } + } + } + } + }, + "configurations": { + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "$ref": "#/definitions/description" + } + }, + "workarounds": { + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "$ref": "#/definitions/description" + } + }, + "solutions": { + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "$ref": "#/definitions/description" + } + }, + "exploits": { + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "$ref": "#/definitions/description" + } + }, + "timeline": { + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "type": "object", + "required": [ + "time", + "lang", + "value" + ], + "properties": { + "time": { + "$ref": "#/definitions/timestamp" + }, + "lang": { + "$ref": "#/definitions/language" + }, + "value": { + "type": "string" + } + } + } + }, + "credits": { + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "type": "object", + "properties": { + "lang": { + "$ref": "#/definitions/language" + }, + "value": { + "type": "string" + }, + "user": { + "$ref": "#/definitions/uuidType" + }, + "type": { + "type": "string" + } }, - "descriptions": { + "required": [ + "lang", + "value" + ] + } + }, + "source": { + "type": "object", + "minProperties": 1 + }, + "language": { + "type": "string" + }, + "englishLanguage": { + "type": "string" + }, + "taxonomyMappings": { + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "type": "object", + "required": [ + "taxonomyName", + "taxonomyRelations" + ], + "properties": { + "taxonomyName": { + "type": "string", + "minLength": 1, + "maxLength": 128 + }, + "taxonomyVersion": { + "type": "string", + "minLength": 1, + "maxLength": 128 + }, + "taxonomyRelations": { "type": "array", "minItems": 1, "uniqueItems": true, "items": { - "$ref": "#/definitions/description" - }, - "contains": { - "$ref": "#/definitions/englishLanguageDescription" + "type": "object", + "required": [ + "taxonomyId", + "relationshipName", + "relationshipValue" + ], + "properties": { + "taxonomyId": { + "type": "string", + "minLength": 1, + "maxLength": 2048 + }, + "relationshipName": { + "type": "string", + "minLength": 1, + "maxLength": 128 + }, + "relationshipValue": { + "type": "string", + "minLength": 1, + "maxLength": 2048 + } + } } + } + } + } + }, + "tagExtension": { + "type": "string" + }, + "cnaTags": { + "type": "array", + "uniqueItems": true, + "minItems": 1, + "items": { + "oneOf": [ + { + "$ref": "#/definitions/tagExtension" + }, + { + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "https://cve.mitre.org/cve/v5_00/tags/cna/", + "type": "string" + } + ] + } + }, + "adpTags": { + "type": "array", + "uniqueItems": true, + "minItems": 1, + "items": { + "oneOf": [ + { + "$ref": "#/definitions/tagExtension" + }, + { + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "https://cve.mitre.org/cve/v5_00/tags/adp/", + "type": "string" + } + ] + } + } + }, + "required": [ + "cnaContainer" + ], + "properties": { + "cnaContainer": { + "type": "object", + "properties": { + "providerMetadata": { + "$ref": "#/definitions/providerMetadata" + }, + "dateAssigned": { + "$ref": "#/definitions/timestamp" + }, + "datePublic": { + "$ref": "#/definitions/timestamp" + }, + "title": { + "type": "string" + }, + "descriptions": { + "$ref": "#/definitions/descriptions" + }, + "affected": { + "$ref": "#/definitions/affected" }, "problemTypes": { - "type": "array", - "items": { - "type": "object", - "required": [ - "descriptions" - ], - "properties": { - "descriptions": { - "type": "array", - "items": { - "type": "object", - "required": [ - "lang", - "description" - ], - "properties": { - "lang": { - "$ref": "#/definitions/language" - }, - "description": { - "type": "string" - }, - "cweId": { - "type": "string" - }, - "type": { - "type": "string" - }, - "references": { - "$ref": "#/definitions/references" - } - } - }, - "minItems": 1, - "uniqueItems": true - } - } - }, - "minItems": 1, - "uniqueItems": true + "$ref": "#/definitions/problemTypes" }, "references": { - "type": "array", - "items": { - "$ref": "#/definitions/reference" - }, - "minItems": 1, - "maxItems": 512, - "uniqueItems": true + "$ref": "#/definitions/references" }, "impacts": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "required": [ - "descriptions" - ], - "properties": { - "capecId": { - "type": "string" - }, - "descriptions": { - "$ref": "#/definitions/descriptions" - } - } - } + "$ref": "#/definitions/impacts" }, "metrics": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "anyOf": [ - { - "required": [ - "cvssV3_1" - ] - }, - { - "required": [ - "cvssV3_0" - ] - }, - { - "required": [ - "cvssV2_0" - ] - }, - { - "required": [ - "other" - ] - } - ], - "properties": { - "format": { - "type": "string" - }, - "scenarios": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "properties": { - "lang": { - "$ref": "#/definitions/language" - }, - "value": { - "type": "string" - } - }, - "required": [ - "lang", - "value" - ] - } - }, - "cvssV3_1": { - "$schema": "http://json-schema.org/draft-07/schema#", - "type": "object", - "definitions": { - "attackVectorType": { - "type": "string" - }, - "modifiedAttackVectorType": { - "type": "string" - }, - "attackComplexityType": { - "type": "string" - }, - "modifiedAttackComplexityType": { - "type": "string" - }, - "privilegesRequiredType": { - "type": "string" - }, - "modifiedPrivilegesRequiredType": { - "type": "string" - }, - "userInteractionType": { - "type": "string" - }, - "modifiedUserInteractionType": { - "type": "string" - }, - "scopeType": { - "type": "string" - }, - "modifiedScopeType": { - "type": "string" - }, - "ciaType": { - "type": "string" - }, - "modifiedCiaType": { - "type": "string" - }, - "exploitCodeMaturityType": { - "type": "string" - }, - "remediationLevelType": { - "type": "string" - }, - "confidenceType": { - "type": "string" - }, - "ciaRequirementType": { - "type": "string" - }, - "scoreType": { - "type": "number" - }, - "severityType": { - "type": "string" - } - }, - "properties": { - "version": { - "description": "CVSS Version", - "type": "string" - }, - "vectorString": { - "type": "string" - }, - "attackVector": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/attackVectorType" - }, - "attackComplexity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/attackComplexityType" - }, - "privilegesRequired": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/privilegesRequiredType" - }, - "userInteraction": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/userInteractionType" - }, - "scope": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scopeType" - }, - "confidentialityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType" - }, - "integrityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType" - }, - "availabilityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType" - }, - "baseScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType" - }, - "baseSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType" - }, - "exploitCodeMaturity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/exploitCodeMaturityType" - }, - "remediationLevel": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/remediationLevelType" - }, - "reportConfidence": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/confidenceType" - }, - "temporalScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType" - }, - "temporalSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType" - }, - "confidentialityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType" - }, - "integrityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType" - }, - "availabilityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType" - }, - "modifiedAttackVector": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedAttackVectorType" - }, - "modifiedAttackComplexity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedAttackComplexityType" - }, - "modifiedPrivilegesRequired": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedPrivilegesRequiredType" - }, - "modifiedUserInteraction": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedUserInteractionType" - }, - "modifiedScope": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedScopeType" - }, - "modifiedConfidentialityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType" - }, - "modifiedIntegrityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType" - }, - "modifiedAvailabilityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType" - }, - "environmentalScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType" - }, - "environmentalSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType" - } - }, - "required": [ - "version", - "vectorString", - "baseScore", - "baseSeverity" - ] - }, - "cvssV3_0": { - "$schema": "http://json-schema.org/draft-04/schema#", - "type": "object", - "definitions": { - "attackVectorType": { - "type": "string" - }, - "modifiedAttackVectorType": { - "type": "string" - }, - "attackComplexityType": { - "type": "string" - }, - "modifiedAttackComplexityType": { - "type": "string" - }, - "privilegesRequiredType": { - "type": "string" - }, - "modifiedPrivilegesRequiredType": { - "type": "string" - }, - "userInteractionType": { - "type": "string" - }, - "modifiedUserInteractionType": { - "type": "string" - }, - "scopeType": { - "type": "string" - }, - "modifiedScopeType": { - "type": "string" - }, - "ciaType": { - "type": "string" - }, - "modifiedCiaType": { - "type": "string" - }, - "exploitCodeMaturityType": { - "type": "string" - }, - "remediationLevelType": { - "type": "string" - }, - "confidenceType": { - "type": "string" - }, - "ciaRequirementType": { - "type": "string" - }, - "scoreType": { - "type": "number" - }, - "severityType": { - "type": "string" - } - }, - "properties": { - "version": { - "type": "string" - }, - "vectorString": { - "type": "string" - }, - "attackVector": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/attackVectorType" - }, - "attackComplexity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/attackComplexityType" - }, - "privilegesRequired": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/privilegesRequiredType" - }, - "userInteraction": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/userInteractionType" - }, - "scope": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scopeType" - }, - "confidentialityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType" - }, - "integrityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType" - }, - "availabilityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType" - }, - "baseScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType" - }, - "baseSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType" - }, - "exploitCodeMaturity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/exploitCodeMaturityType" - }, - "remediationLevel": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/remediationLevelType" - }, - "reportConfidence": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/confidenceType" - }, - "temporalScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType" - }, - "temporalSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType" - }, - "confidentialityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType" - }, - "integrityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType" - }, - "availabilityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType" - }, - "modifiedAttackVector": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedAttackVectorType" - }, - "modifiedAttackComplexity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedAttackComplexityType" - }, - "modifiedPrivilegesRequired": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedPrivilegesRequiredType" - }, - "modifiedUserInteraction": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedUserInteractionType" - }, - "modifiedScope": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedScopeType" - }, - "modifiedConfidentialityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType" - }, - "modifiedIntegrityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType" - }, - "modifiedAvailabilityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType" - }, - "environmentalScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType" - }, - "environmentalSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType" - } - }, - "required": [ - "version", - "vectorString", - "baseScore", - "baseSeverity" - ] - }, - "cvssV2_0": { - "$schema": "http://json-schema.org/draft-04/schema#", - "type": "object", - "definitions": { - "accessVectorType": { - "type": "string" - }, - "accessComplexityType": { - "type": "string" - }, - "authenticationType": { - "type": "string" - }, - "ciaType": { - "type": "string" - }, - "exploitabilityType": { - "type": "string" - }, - "remediationLevelType": { - "type": "string" - }, - "reportConfidenceType": { - "type": "string" - }, - "collateralDamagePotentialType": { - "type": "string" - }, - "targetDistributionType": { - "type": "string" - }, - "ciaRequirementType": { - "type": "string" - }, - "scoreType": { - "type": "number" - } - }, - "properties": { - "version": { - "type": "string" - }, - "vectorString": { - "type": "string" - }, - "accessVector": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/accessVectorType" - }, - "accessComplexity": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/accessComplexityType" - }, - "authentication": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/authenticationType" - }, - "confidentialityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType" - }, - "integrityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType" - }, - "availabilityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType" - }, - "baseScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType" - }, - "exploitability": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/exploitabilityType" - }, - "remediationLevel": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/remediationLevelType" - }, - "reportConfidence": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/reportConfidenceType" - }, - "temporalScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType" - }, - "collateralDamagePotential": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/collateralDamagePotentialType" - }, - "targetDistribution": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/targetDistributionType" - }, - "confidentialityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType" - }, - "integrityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType" - }, - "availabilityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType" - }, - "environmentalScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType" - } - }, - "required": [ - "version", - "vectorString", - "baseScore" - ] - }, - "other": { - "type": "object", - "required": [ - "type", - "content" - ], - "properties": { - "type": { - "type": "string" - }, - "content": { - "type": "object" - } - } - } - } - } + "$ref": "#/definitions/metrics" }, "configurations": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "$ref": "#/definitions/description" - } + "$ref": "#/definitions/configurations" }, "workarounds": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "$ref": "#/definitions/description" - } + "$ref": "#/definitions/workarounds" }, "solutions": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "$ref": "#/definitions/description" - } + "$ref": "#/definitions/solutions" }, "exploits": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "$ref": "#/definitions/description" - } + "$ref": "#/definitions/exploits" }, "timeline": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "required": [ - "time", - "lang", - "value" - ], - "properties": { - "time": { - "$ref": "#/definitions/timestamp" - }, - "lang": { - "$ref": "#/definitions/language" - }, - "value": { - "type": "string" - } - } - } + "$ref": "#/definitions/timeline" }, "credits": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "properties": { - "lang": { - "$ref": "#/definitions/language" - }, - "value": { - "type": "string" - }, - "user": { - "$ref": "#/definitions/uuidType" - }, - "type": { - "type": "string" - } - }, - "required": [ - "lang", - "value" - ] - } + "$ref": "#/definitions/credits" }, "source": { - "type": "object", - "minProperties": 1 + "$ref": "#/definitions/source" }, - "language": { - "type": "string" - }, - "englishLanguage": { - "type": "string" + "tags": { + "$ref": "#/definitions/cnaTags" }, "taxonomyMappings": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "required": [ - "taxonomyName", - "taxonomyRelations" - ], - "properties": { - "taxonomyName": { - "type": "string", - "minLength": 1, - "maxLength": 128 - }, - "taxonomyVersion": { - "type": "string", - "minLength": 1, - "maxLength": 128 - }, - "taxonomyRelations": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "required": [ - "taxonomyId", - "relationshipName", - "relationshipValue" - ], - "properties": { - "taxonomyId": { - "type": "string", - "minLength": 1, - "maxLength": 2048 - }, - "relationshipName": { - "type": "string", - "minLength": 1, - "maxLength": 128 - }, - "relationshipValue": { - "type": "string", - "minLength": 1, - "maxLength": 2048 - } - } - } - } - } - } - }, - "tagExtension": { - "type": "string" - }, - "cnaTags": { - "type": "array", - "uniqueItems": true, - "minItems": 1, - "items": { - "oneOf": [ - { - "$ref": "#/definitions/tagExtension" - }, - { - "$schema": "http://json-schema.org/draft-07/schema#", - "$id": "https://cve.mitre.org/cve/v5_00/tags/cna/", - "type": "string" - } - ] - } - }, - "adpTags": { - "type": "array", - "uniqueItems": true, - "minItems": 1, - "items": { - "oneOf": [ - { - "$ref": "#/definitions/tagExtension" - }, - { - "$schema": "http://json-schema.org/draft-07/schema#", - "$id": "https://cve.mitre.org/cve/v5_00/tags/adp/", - "type": "string" - } - ] - } - } - }, - "required": [ - "cnaContainer" - ], - "properties": { - "cnaContainer": { - "type": "object", - "properties": { - "providerMetadata": { - "$ref": "#/definitions/providerMetadata" - }, - "dateAssigned": { - "$ref": "#/definitions/timestamp" - }, - "datePublic": { - "$ref": "#/definitions/timestamp" - }, - "title": { - "type": "string" - }, - "descriptions": { - "$ref": "#/definitions/descriptions" - }, - "affected": { - "$ref": "#/definitions/affected" - }, - "problemTypes": { - "$ref": "#/definitions/problemTypes" - }, - "references": { - "$ref": "#/definitions/references" - }, - "impacts": { - "$ref": "#/definitions/impacts" - }, - "metrics": { - "$ref": "#/definitions/metrics" - }, - "configurations": { - "$ref": "#/definitions/configurations" - }, - "workarounds": { - "$ref": "#/definitions/workarounds" - }, - "solutions": { - "$ref": "#/definitions/solutions" - }, - "exploits": { - "$ref": "#/definitions/exploits" - }, - "timeline": { - "$ref": "#/definitions/timeline" - }, - "credits": { - "$ref": "#/definitions/credits" - }, - "source": { - "$ref": "#/definitions/source" - }, - "tags": { - "$ref": "#/definitions/cnaTags" - }, - "taxonomyMappings": { - "$ref": "#/definitions/taxonomyMappings" - } - }, - "required": [ - "providerMetadata", - "descriptions", - "affected", - "references" - ], - "patternProperties": { - "^x_[^.]*$": {} - }, - "additionalProperties": false + "$ref": "#/definitions/taxonomyMappings" } + }, + "required": [ + "providerMetadata", + "descriptions", + "affected", + "references" + ], + "patternProperties": { + "^x_[^.]*$": {} + }, + "additionalProperties": false } + } } \ No newline at end of file diff --git a/schemas/cve/create-cve-record-secretariat-request.json b/schemas/cve/create-cve-record-secretariat-request.json index 755ab39b8..39ebaac07 100644 --- a/schemas/cve/create-cve-record-secretariat-request.json +++ b/schemas/cve/create-cve-record-secretariat-request.json @@ -1,1339 +1,1609 @@ { - "$schema": "http://json-schema.org/draft-07/schema#", - "$id": "https://cve.org/cve/record/v5_00/", - "type": "object", - "title": "CVE JSON record format", - "description": "cve-schema specifies the CVE JSON record format. This is the blueprint for a rich set of JSON data that can be submitted by CVE Numbering Authorities (CNAs) and Authorized Data Publishers (ADPs) to describe a CVE Record. Some examples of CVE Record data include CVE ID number, affected product(s), affected version(s), and public references. While those specific items are required when assigning a CVE, there are many other optional data in the schema that can be used to enrich CVE Records for community benefit. Learn more about the CVE program at [the official website](https://cve.mitre.org). This CVE JSON record format is defined using JSON Schema. Learn more about JSON Schema [here](https://json-schema.org/).", - "definitions": { - "uriType": { - "type": "string", - "format": "uri" + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "https://cve.org/cve/record/v5_00/", + "type": "object", + "title": "CVE JSON record format", + "description": "cve-schema specifies the CVE JSON record format. This is the blueprint for a rich set of JSON data that can be submitted by CVE Numbering Authorities (CNAs) and Authorized Data Publishers (ADPs) to describe a CVE Record. Some examples of CVE Record data include CVE ID number, affected product(s), affected version(s), and public references. While those specific items are required when assigning a CVE, there are many other optional data in the schema that can be used to enrich CVE Records for community benefit. Learn more about the CVE program at [the official website](https://cve.mitre.org). This CVE JSON record format is defined using JSON Schema. Learn more about JSON Schema [here](https://json-schema.org/).", + "definitions": { + "uriType": { + "type": "string", + "format": "uri" + }, + "uuidType": { + "type": "string" + }, + "reference": { + "type": "object", + "required": [ + "url" + ], + "properties": { + "url": { + "$ref": "#/definitions/uriType" }, - "uuidType": { - "type": "string" + "name": { + "type": "string" }, - "reference": { - "type": "object", - "required": [ - "url" - ], - "properties": { - "url": { - "$ref": "#/definitions/uriType" - }, - "name": { - "type": "string" - }, - "tags": { - "type": "array", - "items": { - "oneOf": [ - { - "$ref": "#/definitions/tagExtension" - }, - { - "$schema": "http://json-schema.org/draft-07/schema#", - "$id": "https://cve.mitre.org/cve/v5_00/tags/reference/", - "type": "string" - } - ] - } - } + "tags": { + "type": "array", + "items": { + "oneOf": [ + { + "$ref": "#/definitions/tagExtension" + }, + { + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "https://cve.mitre.org/cve/v5_00/tags/reference/", + "type": "string" + } + ] + } + } + } + }, + "cveId": { + "type": "string" + }, + "orgId": { + "$ref": "#/definitions/uuidType" + }, + "userId": { + "$ref": "#/definitions/uuidType" + }, + "shortName": { + "type": "string" + }, + "datestamp": { + "type": "string", + "format": "date" + }, + "timestamp": { + "type": "string", + "format": "date-time" + }, + "version": { + "type": "string" + }, + "status": { + "type": "string" + }, + "product": { + "type": "object", + "allOf": [ + { + "anyOf": [ + { + "required": [ + "vendor", + "product" + ] + }, + { + "required": [ + "collectionURL", + "packageName" + ] } + ] }, - "cveId": { - "type": "string" - }, - "orgId": { - "$ref": "#/definitions/uuidType" + { + "anyOf": [ + { + "required": [ + "versions" + ] + }, + { + "required": [ + "defaultStatus" + ] + } + ] + } + ], + "properties": { + "vendor": { + "type": "string" }, - "userId": { - "$ref": "#/definitions/uuidType" + "product": { + "type": "string" }, - "shortName": { - "type": "string" + "collectionURL": { + "$ref": "#/definitions/uriType" }, - "datestamp": { - "type": "string", - "format": "date" + "packageName": { + "type": "string" }, - "timestamp": { - "type": "string", - "format": "date-time" + "cpes": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "string" + } }, - "version": { + "modules": { + "type": "array", + "uniqueItems": true, + "items": { "type": "string" + } }, - "status": { + "programFiles": { + "type": "array", + "uniqueItems": true, + "items": { "type": "string" + } }, - "product": { + "programRoutines": { + "type": "array", + "uniqueItems": true, + "items": { "type": "object", - "allOf": [ - { - "anyOf": [ - { - "required": [ - "vendor", - "product" - ] - }, - { - "required": [ - "collectionURL", - "packageName" - ] - } - ] - }, - { - "anyOf": [ - { - "required": [ - "versions" - ] - }, - { - "required": [ - "defaultStatus" - ] - } - ] - } + "required": [ + "name" ], "properties": { - "vendor": { - "type": "string" - }, - "product": { - "type": "string" - }, - "collectionURL": { - "$ref": "#/definitions/uriType" - }, - "packageName": { - "type": "string" - }, - "cpes": { - "type": "array", - "uniqueItems": true, - "items": { - "type": "string" - } - }, - "modules": { - "type": "array", - "uniqueItems": true, - "items": { - "type": "string" - } - }, - "programFiles": { - "type": "array", - "uniqueItems": true, - "items": { - "type": "string" - } - }, - "programRoutines": { - "type": "array", - "uniqueItems": true, - "items": { - "type": "object", - "required": [ - "name" - ], - "properties": { - "name": { - "type": "string" - } - } - } - }, - "platforms": { - "type": "array", - "uniqueItems": true, - "items": { - "type": "string" - } - }, - "repo": { - "$ref": "#/definitions/uriType" - }, - "defaultStatus": { - "$ref": "#/definitions/status" - }, - "versions": { - "type": "array", - "uniqueItems": true, - "items": { - "type": "object", - "oneOf": [ - { - "required": [ - "version", - "status" - ], - "maxProperties": 2 - }, - { - "required": [ - "version", - "status", - "versionType" - ], - "oneOf": [ - { - "required": [ - "lessThan" - ] - }, - { - "required": [ - "lessThanOrEqual" - ] - } - ] - } - ], - "properties": { - "version": { - "$ref": "#/definitions/version" - }, - "status": { - "$ref": "#/definitions/status" - }, - "versionType": { - "type": "string" - }, - "lessThan": { - "$ref": "#/definitions/version" - }, - "lessThanOrEqual": { - "$ref": "#/definitions/version" - }, - "changes": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "required": [ - "at", - "status" - ], - "properties": { - "at": { - "$ref": "#/definitions/version" - }, - "status": { - "$ref": "#/definitions/status" - } - } - } - } - } - } - } + "name": { + "type": "string" + } } + } }, - "dataType": { + "platforms": { + "type": "array", + "uniqueItems": true, + "items": { "type": "string" + } }, - "dataVersion": { - "type": "string" + "repo": { + "$ref": "#/definitions/uriType" }, - "cveMetadataPublished": { - "type": "object", - "required": [ - "cveId", - "assignerOrgId", - "state" - ], - "properties": { - "cveId": { - "$ref": "#/definitions/cveId" - }, - "assignerOrgId": { - "$ref": "#/definitions/orgId" - }, - "assignerShortName": { - "$ref": "#/definitions/shortName" - }, - "requesterUserId": { - "$ref": "#/definitions/userId" - }, - "dateUpdated": { - "$ref": "#/definitions/timestamp" - }, - "serial": { - "type": "integer" - }, - "dateReserved": { - "$ref": "#/definitions/timestamp" - }, - "datePublished": { - "$ref": "#/definitions/timestamp" - }, - "state": { - "type": "string" - } - }, - "additionalProperties": false + "defaultStatus": { + "$ref": "#/definitions/status" }, - "cveMetadataRejected": { + "versions": { + "type": "array", + "uniqueItems": true, + "items": { "type": "object", - "required": [ - "cveId", - "assignerOrgId", - "state" + "oneOf": [ + { + "required": [ + "version", + "status" + ], + "maxProperties": 2 + }, + { + "required": [ + "version", + "status", + "versionType" + ], + "oneOf": [ + { + "required": [ + "lessThan" + ] + }, + { + "required": [ + "lessThanOrEqual" + ] + } + ] + } ], "properties": { - "cveId": { - "$ref": "#/definitions/cveId" - }, - "assignerOrgId": { - "$ref": "#/definitions/orgId" - }, - "assignerShortName": { - "$ref": "#/definitions/shortName" - }, - "serial": { - "type": "integer" - }, - "dateUpdated": { - "$ref": "#/definitions/timestamp" - }, - "datePublished": { - "$ref": "#/definitions/timestamp" - }, - "dateRejected": { - "$ref": "#/definitions/timestamp" - }, - "state": { - "type": "string" - }, - "dateReserved": { - "$ref": "#/definitions/timestamp" + "version": { + "$ref": "#/definitions/version" + }, + "status": { + "$ref": "#/definitions/status" + }, + "versionType": { + "type": "string" + }, + "lessThan": { + "$ref": "#/definitions/version" + }, + "lessThanOrEqual": { + "$ref": "#/definitions/version" + }, + "changes": { + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "type": "object", + "required": [ + "at", + "status" + ], + "properties": { + "at": { + "$ref": "#/definitions/version" + }, + "status": { + "$ref": "#/definitions/status" + } + } } - }, - "additionalProperties": false + } + } + } + } + } + }, + "dataType": { + "type": "string" + }, + "dataVersion": { + "type": "string" + }, + "cveMetadataPublished": { + "type": "object", + "required": [ + "cveId", + "assignerOrgId", + "state" + ], + "properties": { + "cveId": { + "$ref": "#/definitions/cveId" + }, + "assignerOrgId": { + "$ref": "#/definitions/orgId" + }, + "assignerShortName": { + "$ref": "#/definitions/shortName" + }, + "requesterUserId": { + "$ref": "#/definitions/userId" + }, + "dateUpdated": { + "$ref": "#/definitions/timestamp" + }, + "serial": { + "type": "integer" + }, + "dateReserved": { + "$ref": "#/definitions/timestamp" + }, + "datePublished": { + "$ref": "#/definitions/timestamp" + }, + "state": { + "type": "string" + } + }, + "additionalProperties": false + }, + "cveMetadataRejected": { + "type": "object", + "required": [ + "cveId", + "assignerOrgId", + "state" + ], + "properties": { + "cveId": { + "$ref": "#/definitions/cveId" + }, + "assignerOrgId": { + "$ref": "#/definitions/orgId" + }, + "assignerShortName": { + "$ref": "#/definitions/shortName" + }, + "serial": { + "type": "integer" + }, + "dateUpdated": { + "$ref": "#/definitions/timestamp" + }, + "datePublished": { + "$ref": "#/definitions/timestamp" + }, + "dateRejected": { + "$ref": "#/definitions/timestamp" + }, + "state": { + "type": "string" + }, + "dateReserved": { + "$ref": "#/definitions/timestamp" + } + }, + "additionalProperties": false + }, + "providerMetadata": { + "type": "object", + "properties": { + "orgId": { + "$ref": "#/definitions/orgId" + }, + "shortName": { + "$ref": "#/definitions/shortName" + }, + "dateUpdated": { + "$ref": "#/definitions/timestamp" + } + }, + "required": [ + "orgId" + ] + }, + "cnaPublishedContainer": { + "type": "object", + "properties": { + "providerMetadata": { + "$ref": "#/definitions/providerMetadata" + }, + "dateAssigned": { + "$ref": "#/definitions/timestamp" + }, + "datePublic": { + "$ref": "#/definitions/timestamp" + }, + "title": { + "type": "string" + }, + "descriptions": { + "$ref": "#/definitions/descriptions" + }, + "affected": { + "$ref": "#/definitions/affected" + }, + "problemTypes": { + "$ref": "#/definitions/problemTypes" + }, + "references": { + "$ref": "#/definitions/references" + }, + "impacts": { + "$ref": "#/definitions/impacts" + }, + "metrics": { + "$ref": "#/definitions/metrics" + }, + "configurations": { + "$ref": "#/definitions/configurations" + }, + "workarounds": { + "$ref": "#/definitions/workarounds" + }, + "solutions": { + "$ref": "#/definitions/solutions" + }, + "exploits": { + "$ref": "#/definitions/exploits" + }, + "timeline": { + "$ref": "#/definitions/timeline" + }, + "credits": { + "$ref": "#/definitions/credits" + }, + "source": { + "$ref": "#/definitions/source" + }, + "tags": { + "$ref": "#/definitions/cnaTags" }, + "taxonomyMappings": { + "$ref": "#/definitions/taxonomyMappings" + } + }, + "required": [ + "providerMetadata", + "descriptions", + "affected", + "references" + ], + "patternProperties": { + "^x_[^.]*$": {} + }, + "additionalProperties": false + }, + "cnaRejectedContainer": { + "type": "object", + "properties": { + "providerMetadata": { + "$ref": "#/definitions/providerMetadata" + }, + "rejectedReasons": { + "$ref": "#/definitions/descriptions" + }, + "replacedBy": { + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "$ref": "#/definitions/cveId" + } + } + }, + "required": [ + "providerMetadata", + "rejectedReasons" + ], + "patternProperties": { + "^x_[^.]*$": {} + }, + "additionalProperties": false + }, + "adpContainer": { + "type": "object", + "properties": { "providerMetadata": { + "$ref": "#/definitions/providerMetadata" + }, + "datePublic": { + "$ref": "#/definitions/timestamp" + }, + "title": { + "type": "string" + }, + "descriptions": { + "$ref": "#/definitions/descriptions" + }, + "affected": { + "$ref": "#/definitions/affected" + }, + "problemTypes": { + "$ref": "#/definitions/problemTypes" + }, + "references": { + "$ref": "#/definitions/references" + }, + "impacts": { + "$ref": "#/definitions/impacts" + }, + "metrics": { + "$ref": "#/definitions/metrics" + }, + "configurations": { + "$ref": "#/definitions/configurations" + }, + "workarounds": { + "$ref": "#/definitions/workarounds" + }, + "solutions": { + "$ref": "#/definitions/solutions" + }, + "exploits": { + "$ref": "#/definitions/exploits" + }, + "timeline": { + "$ref": "#/definitions/timeline" + }, + "credits": { + "$ref": "#/definitions/credits" + }, + "source": { + "$ref": "#/definitions/source" + }, + "tags": { + "$ref": "#/definitions/adpTags" + }, + "taxonomyMappings": { + "$ref": "#/definitions/taxonomyMappings" + } + }, + "required": [ + "providerMetadata" + ], + "minProperties": 2, + "patternProperties": { + "^x_[^.]*$": {} + }, + "additionalProperties": false + }, + "affected": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#/definitions/product" + } + }, + "description": { + "type": "object", + "properties": { + "lang": { + "$ref": "#/definitions/language" + }, + "value": { + "type": "string" + }, + "supportingMedia": { + "type": "array", + "uniqueItems": true, + "minItems": 1, + "items": { "type": "object", "properties": { - "orgId": { - "$ref": "#/definitions/orgId" - }, - "shortName": { - "$ref": "#/definitions/shortName" - }, - "dateUpdated": { - "$ref": "#/definitions/timestamp" - } + "type": { + "type": "string" + }, + "base64": { + "type": "boolean", + "default": false + }, + "value": { + "type": "string" + } }, "required": [ - "orgId" + "type", + "value" ] - }, - "cnaPublishedContainer": { - "type": "object", - "properties": { - "providerMetadata": { - "$ref": "#/definitions/providerMetadata" - }, - "dateAssigned": { - "$ref": "#/definitions/timestamp" - }, - "datePublic": { - "$ref": "#/definitions/timestamp" - }, - "title": { - "type": "string" + } + } + }, + "required": [ + "lang", + "value" + ], + "additionalProperties": false + }, + "englishLanguageDescription": { + "type": "object", + "properties": { + "lang": { + "$ref": "#/definitions/englishLanguage" + } + }, + "required": [ + "lang" + ] + }, + "descriptions": { + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "$ref": "#/definitions/description" + }, + "contains": { + "$ref": "#/definitions/englishLanguageDescription" + } + }, + "problemTypes": { + "type": "array", + "items": { + "type": "object", + "required": [ + "descriptions" + ], + "properties": { + "descriptions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "lang", + "description" + ], + "properties": { + "lang": { + "$ref": "#/definitions/language" }, - "descriptions": { - "$ref": "#/definitions/descriptions" + "description": { + "type": "string" }, - "affected": { - "$ref": "#/definitions/affected" + "cweId": { + "type": "string" }, - "problemTypes": { - "$ref": "#/definitions/problemTypes" + "type": { + "type": "string" }, "references": { - "$ref": "#/definitions/references" - }, - "impacts": { - "$ref": "#/definitions/impacts" - }, - "metrics": { - "$ref": "#/definitions/metrics" - }, - "configurations": { - "$ref": "#/definitions/configurations" - }, - "workarounds": { - "$ref": "#/definitions/workarounds" - }, - "solutions": { - "$ref": "#/definitions/solutions" - }, - "exploits": { - "$ref": "#/definitions/exploits" - }, - "timeline": { - "$ref": "#/definitions/timeline" - }, - "credits": { - "$ref": "#/definitions/credits" - }, - "source": { - "$ref": "#/definitions/source" - }, - "tags": { - "$ref": "#/definitions/cnaTags" - }, - "taxonomyMappings": { - "$ref": "#/definitions/taxonomyMappings" + "$ref": "#/definitions/references" } + } }, + "minItems": 1, + "uniqueItems": true + } + } + }, + "minItems": 1, + "uniqueItems": true + }, + "references": { + "type": "array", + "items": { + "$ref": "#/definitions/reference" + }, + "minItems": 1, + "maxItems": 512, + "uniqueItems": true + }, + "impacts": { + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "type": "object", + "required": [ + "descriptions" + ], + "properties": { + "capecId": { + "type": "string" + }, + "descriptions": { + "$ref": "#/definitions/descriptions" + } + } + } + }, + "metrics": { + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "type": "object", + "anyOf": [ + { "required": [ - "providerMetadata", - "descriptions", - "affected", - "references" - ], - "patternProperties": { - "^x_[^.]*$": {} - }, - "additionalProperties": false - }, - "cnaRejectedContainer": { - "type": "object", - "properties": { - "providerMetadata": { - "$ref": "#/definitions/providerMetadata" - }, - "rejectedReasons": { - "$ref": "#/definitions/descriptions" - }, - "replacedBy": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "$ref": "#/definitions/cveId" - } - } - }, + "cvssV4_0" + ] + }, + { "required": [ - "providerMetadata", - "rejectedReasons" - ], - "patternProperties": { - "^x_[^.]*$": {} - }, - "additionalProperties": false - }, - "adpContainer": { - "type": "object", - "properties": { - "providerMetadata": { - "$ref": "#/definitions/providerMetadata" - }, - "datePublic": { - "$ref": "#/definitions/timestamp" - }, - "title": { - "type": "string" - }, - "descriptions": { - "$ref": "#/definitions/descriptions" - }, - "affected": { - "$ref": "#/definitions/affected" - }, - "problemTypes": { - "$ref": "#/definitions/problemTypes" - }, - "references": { - "$ref": "#/definitions/references" - }, - "impacts": { - "$ref": "#/definitions/impacts" - }, - "metrics": { - "$ref": "#/definitions/metrics" - }, - "configurations": { - "$ref": "#/definitions/configurations" - }, - "workarounds": { - "$ref": "#/definitions/workarounds" - }, - "solutions": { - "$ref": "#/definitions/solutions" - }, - "exploits": { - "$ref": "#/definitions/exploits" - }, - "timeline": { - "$ref": "#/definitions/timeline" - }, - "credits": { - "$ref": "#/definitions/credits" - }, - "source": { - "$ref": "#/definitions/source" - }, - "tags": { - "$ref": "#/definitions/adpTags" - }, - "taxonomyMappings": { - "$ref": "#/definitions/taxonomyMappings" - } - }, + "cvssV3_1" + ] + }, + { "required": [ - "providerMetadata" - ], - "minProperties": 2, - "patternProperties": { - "^x_[^.]*$": {} - }, - "additionalProperties": false - }, - "affected": { + "cvssV3_0" + ] + }, + { + "required": [ + "cvssV2_0" + ] + }, + { + "required": [ + "other" + ] + } + ], + "properties": { + "format": { + "type": "string" + }, + "scenarios": { "type": "array", "minItems": 1, + "uniqueItems": true, "items": { - "$ref": "#/definitions/product" - } - }, - "description": { - "type": "object", - "properties": { + "type": "object", + "properties": { "lang": { - "$ref": "#/definitions/language" + "$ref": "#/definitions/language" }, "value": { - "type": "string" - }, - "supportingMedia": { - "type": "array", - "uniqueItems": true, - "minItems": 1, - "items": { - "type": "object", - "properties": { - "type": { - "type": "string" - }, - "base64": { - "type": "boolean", - "default": false - }, - "value": { - "type": "string" - } - }, - "required": [ - "type", - "value" - ] - } + "type": "string" } - }, - "required": [ + }, + "required": [ "lang", "value" + ] + } + }, + "cvssV4_0": { + "$schema": "http://json-schema.org/draft-07/schema#", + "additionalProperties": false, + "allOf": [ + { + "properties": { + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType" + } + } + }, + { + "properties": { + "threatScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType" + }, + "threatSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType" + } + } + }, + { + "properties": { + "environmentalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType" + }, + "environmentalSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType" + } + } + } ], - "additionalProperties": false - }, - "englishLanguageDescription": { + "definitions": { + "attackComplexityType": { + "type": "string" + }, + "attackRequirementsType": { + "type": "string" + }, + "attackVectorType": { + "type": "string" + }, + "automatableType": { + "type": "string" + }, + "ciaRequirementType": { + "type": "string" + }, + "criticalScoreType": { + "type": "number" + }, + "criticalSeverityType": { + "const": "string" + }, + "exploitMaturityType": { + "type": "string" + }, + "highScoreType": { + "type": "number" + }, + "highSeverityType": { + "type": "string" + }, + "lowScoreType": { + "type": "number" + }, + "lowSeverityType": { + "type": "string" + }, + "mediumScoreType": { + "type": "number" + }, + "mediumSeverityType": { + "const": "string" + }, + "modifiedAttackComplexityType": { + "type": "string" + }, + "modifiedAttackRequirementsType": { + "type": "string" + }, + "modifiedAttackVectorType": { + "type": "string" + }, + "modifiedPrivilegesRequiredType": { + "type": "string" + }, + "modifiedSubCType": { + "type": "string" + }, + "modifiedSubIaType": { + "type": "string" + }, + "modifiedUserInteractionType": { + "type": "string" + }, + "modifiedVulnCiaType": { + "type": "string" + }, + "noneScoreType": { + "type": "number" + }, + "noneSeverityType": { + "const": "string" + }, + "privilegesRequiredType": { + "type": "string" + }, + "providerUrgencyType": { + "type": "string" + }, + "recoveryType": { + "type": "string" + }, + "safetyType": { + "type": "string" + }, + "scoreType": { + "type": "number" + }, + "severityType": { + "type": "string" + }, + "subCiaType": { + "type": "string" + }, + "userInteractionType": { + "type": "string" + }, + "valueDensityType": { + "type": "string" + }, + "vulnCiaType": { + "type": "string" + }, + "vulnerabilityResponseEffortType": { + "type": "string" + } + }, + "properties": { + "Automatable": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/automatableType" + }, + "Recovery": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/recoveryType" + }, + "Safety": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/safetyType" + }, + "attackComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/attackComplexityType" + }, + "attackRequirements": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/attackRequirementsType" + }, + "attackVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/attackVectorType" + }, + "availabilityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType" + }, + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/scoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/severityType" + }, + "confidentialityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType" + }, + "exploitMaturity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/exploitMaturityType" + }, + "integrityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType" + }, + "modifiedAttackComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackComplexityType" + }, + "modifiedAttackRequirements": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackRequirementsType" + }, + "modifiedAttackVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackVectorType" + }, + "modifiedPrivilegesRequired": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedPrivilegesRequiredType" + }, + "modifiedSubAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubIaType" + }, + "modifiedSubConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubCType" + }, + "modifiedSubIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubIaType" + }, + "modifiedUserInteraction": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedUserInteractionType" + }, + "modifiedVulnAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType" + }, + "modifiedVulnConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType" + }, + "modifiedVulnIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType" + }, + "privilegesRequired": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/privilegesRequiredType" + }, + "providerUrgency": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/providerUrgencyType" + }, + "subAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType" + }, + "subConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType" + }, + "subIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType" + }, + "userInteraction": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/userInteractionType" + }, + "valueDensity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/valueDensityType" + }, + "vectorString": { + "type": "string" + }, + "version": { + "description": "CVSS Version", + "enum": [ + "4.0" + ], + "type": "string" + }, + "vulnAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType" + }, + "vulnConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType" + }, + "vulnIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType" + }, + "vulnerabilityResponseEffort": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnerabilityResponseEffortType" + } + }, + "required": [ + "version", + "vectorString", + "baseScore", + "baseSeverity" + ], + "title": "JSON Schema for Common Vulnerability Scoring System version 4.0", + "type": "object" + }, + "cvssV3_1": { + "$schema": "http://json-schema.org/draft-07/schema#", "type": "object", + "definitions": { + "attackVectorType": { + "type": "string" + }, + "modifiedAttackVectorType": { + "type": "string" + }, + "attackComplexityType": { + "type": "string" + }, + "modifiedAttackComplexityType": { + "type": "string" + }, + "privilegesRequiredType": { + "type": "string" + }, + "modifiedPrivilegesRequiredType": { + "type": "string" + }, + "userInteractionType": { + "type": "string" + }, + "modifiedUserInteractionType": { + "type": "string" + }, + "scopeType": { + "type": "string" + }, + "modifiedScopeType": { + "type": "string" + }, + "ciaType": { + "type": "string" + }, + "modifiedCiaType": { + "type": "string" + }, + "exploitCodeMaturityType": { + "type": "string" + }, + "remediationLevelType": { + "type": "string" + }, + "confidenceType": { + "type": "string" + }, + "ciaRequirementType": { + "type": "string" + }, + "scoreType": { + "type": "number" + }, + "severityType": { + "type": "string" + } + }, "properties": { - "lang": { - "$ref": "#/definitions/englishLanguage" - } + "version": { + "description": "CVSS Version", + "type": "string" + }, + "vectorString": { + "type": "string" + }, + "attackVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/attackVectorType" + }, + "attackComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/attackComplexityType" + }, + "privilegesRequired": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/privilegesRequiredType" + }, + "userInteraction": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/userInteractionType" + }, + "scope": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scopeType" + }, + "confidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType" + }, + "integrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType" + }, + "availabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType" + }, + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType" + }, + "exploitCodeMaturity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/exploitCodeMaturityType" + }, + "remediationLevel": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/remediationLevelType" + }, + "reportConfidence": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/confidenceType" + }, + "temporalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType" + }, + "temporalSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType" + }, + "confidentialityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType" + }, + "integrityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType" + }, + "availabilityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType" + }, + "modifiedAttackVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedAttackVectorType" + }, + "modifiedAttackComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedAttackComplexityType" + }, + "modifiedPrivilegesRequired": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedPrivilegesRequiredType" + }, + "modifiedUserInteraction": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedUserInteractionType" + }, + "modifiedScope": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedScopeType" + }, + "modifiedConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType" + }, + "modifiedIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType" + }, + "modifiedAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType" + }, + "environmentalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType" + }, + "environmentalSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType" + } }, "required": [ - "lang" + "version", + "vectorString", + "baseScore", + "baseSeverity" ] - }, - "descriptions": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "$ref": "#/definitions/description" + }, + "cvssV3_0": { + "$schema": "http://json-schema.org/draft-04/schema#", + "type": "object", + "definitions": { + "attackVectorType": { + "type": "string" + }, + "modifiedAttackVectorType": { + "type": "string" + }, + "attackComplexityType": { + "type": "string" + }, + "modifiedAttackComplexityType": { + "type": "string" + }, + "privilegesRequiredType": { + "type": "string" + }, + "modifiedPrivilegesRequiredType": { + "type": "string" + }, + "userInteractionType": { + "type": "string" + }, + "modifiedUserInteractionType": { + "type": "string" + }, + "scopeType": { + "type": "string" + }, + "modifiedScopeType": { + "type": "string" + }, + "ciaType": { + "type": "string" + }, + "modifiedCiaType": { + "type": "string" + }, + "exploitCodeMaturityType": { + "type": "string" + }, + "remediationLevelType": { + "type": "string" + }, + "confidenceType": { + "type": "string" + }, + "ciaRequirementType": { + "type": "string" + }, + "scoreType": { + "type": "number" + }, + "severityType": { + "type": "string" + } }, - "contains": { - "$ref": "#/definitions/englishLanguageDescription" - } - }, - "problemTypes": { - "type": "array", - "items": { - "type": "object", - "required": [ - "descriptions" - ], - "properties": { - "descriptions": { - "type": "array", - "items": { - "type": "object", - "required": [ - "lang", - "description" - ], - "properties": { - "lang": { - "$ref": "#/definitions/language" - }, - "description": { - "type": "string" - }, - "cweId": { - "type": "string" - }, - "type": { - "type": "string" - }, - "references": { - "$ref": "#/definitions/references" - } - } - }, - "minItems": 1, - "uniqueItems": true - } - } + "properties": { + "version": { + "type": "string" + }, + "vectorString": { + "type": "string" + }, + "attackVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/attackVectorType" + }, + "attackComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/attackComplexityType" + }, + "privilegesRequired": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/privilegesRequiredType" + }, + "userInteraction": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/userInteractionType" + }, + "scope": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scopeType" + }, + "confidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType" + }, + "integrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType" + }, + "availabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType" + }, + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType" + }, + "exploitCodeMaturity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/exploitCodeMaturityType" + }, + "remediationLevel": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/remediationLevelType" + }, + "reportConfidence": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/confidenceType" + }, + "temporalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType" + }, + "temporalSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType" + }, + "confidentialityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType" + }, + "integrityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType" + }, + "availabilityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType" + }, + "modifiedAttackVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedAttackVectorType" + }, + "modifiedAttackComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedAttackComplexityType" + }, + "modifiedPrivilegesRequired": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedPrivilegesRequiredType" + }, + "modifiedUserInteraction": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedUserInteractionType" + }, + "modifiedScope": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedScopeType" + }, + "modifiedConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType" + }, + "modifiedIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType" + }, + "modifiedAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType" + }, + "environmentalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType" + }, + "environmentalSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType" + } }, - "minItems": 1, - "uniqueItems": true - }, - "references": { - "type": "array", - "items": { - "$ref": "#/definitions/reference" + "required": [ + "version", + "vectorString", + "baseScore", + "baseSeverity" + ] + }, + "cvssV2_0": { + "$schema": "http://json-schema.org/draft-04/schema#", + "type": "object", + "definitions": { + "accessVectorType": { + "type": "string" + }, + "accessComplexityType": { + "type": "string" + }, + "authenticationType": { + "type": "string" + }, + "ciaType": { + "type": "string" + }, + "exploitabilityType": { + "type": "string" + }, + "remediationLevelType": { + "type": "string" + }, + "reportConfidenceType": { + "type": "string" + }, + "collateralDamagePotentialType": { + "type": "string" + }, + "targetDistributionType": { + "type": "string" + }, + "ciaRequirementType": { + "type": "string" + }, + "scoreType": { + "type": "number" + } }, - "minItems": 1, - "maxItems": 512, - "uniqueItems": true - }, - "impacts": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "required": [ - "descriptions" - ], - "properties": { - "capecId": { - "type": "string" - }, - "descriptions": { - "$ref": "#/definitions/descriptions" - } - } - } - }, - "metrics": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "anyOf": [ - { - "required": [ - "cvssV3_1" - ] - }, - { - "required": [ - "cvssV3_0" - ] - }, - { - "required": [ - "cvssV2_0" - ] - }, - { - "required": [ - "other" - ] - } - ], - "properties": { - "format": { - "type": "string" - }, - "scenarios": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "properties": { - "lang": { - "$ref": "#/definitions/language" - }, - "value": { - "type": "string" - } - }, - "required": [ - "lang", - "value" - ] - } - }, - "cvssV3_1": { - "$schema": "http://json-schema.org/draft-07/schema#", - "type": "object", - "definitions": { - "attackVectorType": { - "type": "string" - }, - "modifiedAttackVectorType": { - "type": "string" - }, - "attackComplexityType": { - "type": "string" - }, - "modifiedAttackComplexityType": { - "type": "string" - }, - "privilegesRequiredType": { - "type": "string" - }, - "modifiedPrivilegesRequiredType": { - "type": "string" - }, - "userInteractionType": { - "type": "string" - }, - "modifiedUserInteractionType": { - "type": "string" - }, - "scopeType": { - "type": "string" - }, - "modifiedScopeType": { - "type": "string" - }, - "ciaType": { - "type": "string" - }, - "modifiedCiaType": { - "type": "string" - }, - "exploitCodeMaturityType": { - "type": "string" - }, - "remediationLevelType": { - "type": "string" - }, - "confidenceType": { - "type": "string" - }, - "ciaRequirementType": { - "type": "string" - }, - "scoreType": { - "type": "number" - }, - "severityType": { - "type": "string" - } - }, - "properties": { - "version": { - "description": "CVSS Version", - "type": "string" - }, - "vectorString": { - "type": "string" - }, - "attackVector": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/attackVectorType" - }, - "attackComplexity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/attackComplexityType" - }, - "privilegesRequired": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/privilegesRequiredType" - }, - "userInteraction": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/userInteractionType" - }, - "scope": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scopeType" - }, - "confidentialityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType" - }, - "integrityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType" - }, - "availabilityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType" - }, - "baseScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType" - }, - "baseSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType" - }, - "exploitCodeMaturity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/exploitCodeMaturityType" - }, - "remediationLevel": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/remediationLevelType" - }, - "reportConfidence": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/confidenceType" - }, - "temporalScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType" - }, - "temporalSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType" - }, - "confidentialityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType" - }, - "integrityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType" - }, - "availabilityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType" - }, - "modifiedAttackVector": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedAttackVectorType" - }, - "modifiedAttackComplexity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedAttackComplexityType" - }, - "modifiedPrivilegesRequired": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedPrivilegesRequiredType" - }, - "modifiedUserInteraction": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedUserInteractionType" - }, - "modifiedScope": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedScopeType" - }, - "modifiedConfidentialityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType" - }, - "modifiedIntegrityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType" - }, - "modifiedAvailabilityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType" - }, - "environmentalScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType" - }, - "environmentalSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType" - } - }, - "required": [ - "version", - "vectorString", - "baseScore", - "baseSeverity" - ] - }, - "cvssV3_0": { - "$schema": "http://json-schema.org/draft-04/schema#", - "type": "object", - "definitions": { - "attackVectorType": { - "type": "string" - }, - "modifiedAttackVectorType": { - "type": "string" - }, - "attackComplexityType": { - "type": "string" - }, - "modifiedAttackComplexityType": { - "type": "string" - }, - "privilegesRequiredType": { - "type": "string" - }, - "modifiedPrivilegesRequiredType": { - "type": "string" - }, - "userInteractionType": { - "type": "string" - }, - "modifiedUserInteractionType": { - "type": "string" - }, - "scopeType": { - "type": "string" - }, - "modifiedScopeType": { - "type": "string" - }, - "ciaType": { - "type": "string" - }, - "modifiedCiaType": { - "type": "string" - }, - "exploitCodeMaturityType": { - "type": "string" - }, - "remediationLevelType": { - "type": "string" - }, - "confidenceType": { - "type": "string" - }, - "ciaRequirementType": { - "type": "string" - }, - "scoreType": { - "type": "number" - }, - "severityType": { - "type": "string" - } - }, - "properties": { - "version": { - "type": "string" - }, - "vectorString": { - "type": "string" - }, - "attackVector": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/attackVectorType" - }, - "attackComplexity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/attackComplexityType" - }, - "privilegesRequired": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/privilegesRequiredType" - }, - "userInteraction": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/userInteractionType" - }, - "scope": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scopeType" - }, - "confidentialityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType" - }, - "integrityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType" - }, - "availabilityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType" - }, - "baseScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType" - }, - "baseSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType" - }, - "exploitCodeMaturity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/exploitCodeMaturityType" - }, - "remediationLevel": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/remediationLevelType" - }, - "reportConfidence": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/confidenceType" - }, - "temporalScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType" - }, - "temporalSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType" - }, - "confidentialityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType" - }, - "integrityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType" - }, - "availabilityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType" - }, - "modifiedAttackVector": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedAttackVectorType" - }, - "modifiedAttackComplexity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedAttackComplexityType" - }, - "modifiedPrivilegesRequired": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedPrivilegesRequiredType" - }, - "modifiedUserInteraction": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedUserInteractionType" - }, - "modifiedScope": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedScopeType" - }, - "modifiedConfidentialityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType" - }, - "modifiedIntegrityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType" - }, - "modifiedAvailabilityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType" - }, - "environmentalScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType" - }, - "environmentalSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType" - } - }, - "required": [ - "version", - "vectorString", - "baseScore", - "baseSeverity" - ] - }, - "cvssV2_0": { - "$schema": "http://json-schema.org/draft-04/schema#", - "type": "object", - "definitions": { - "accessVectorType": { - "type": "string" - }, - "accessComplexityType": { - "type": "string" - }, - "authenticationType": { - "type": "string" - }, - "ciaType": { - "type": "string" - }, - "exploitabilityType": { - "type": "string" - }, - "remediationLevelType": { - "type": "string" - }, - "reportConfidenceType": { - "type": "string" - }, - "collateralDamagePotentialType": { - "type": "string" - }, - "targetDistributionType": { - "type": "string" - }, - "ciaRequirementType": { - "type": "string" - }, - "scoreType": { - "type": "number" - } - }, - "properties": { - "version": { - "type": "string" - }, - "vectorString": { - "type": "string" - }, - "accessVector": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/accessVectorType" - }, - "accessComplexity": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/accessComplexityType" - }, - "authentication": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/authenticationType" - }, - "confidentialityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType" - }, - "integrityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType" - }, - "availabilityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType" - }, - "baseScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType" - }, - "exploitability": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/exploitabilityType" - }, - "remediationLevel": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/remediationLevelType" - }, - "reportConfidence": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/reportConfidenceType" - }, - "temporalScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType" - }, - "collateralDamagePotential": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/collateralDamagePotentialType" - }, - "targetDistribution": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/targetDistributionType" - }, - "confidentialityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType" - }, - "integrityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType" - }, - "availabilityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType" - }, - "environmentalScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType" - } - }, - "required": [ - "version", - "vectorString", - "baseScore" - ] - }, - "other": { - "type": "object", - "required": [ - "type", - "content" - ], - "properties": { - "type": { - "type": "string" - }, - "content": { - "type": "object" - } - } - } - } - } - }, - "configurations": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "$ref": "#/definitions/description" - } - }, - "workarounds": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "$ref": "#/definitions/description" - } - }, - "solutions": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "$ref": "#/definitions/description" - } - }, - "exploits": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "$ref": "#/definitions/description" - } - }, - "timeline": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "required": [ - "time", - "lang", - "value" - ], - "properties": { - "time": { - "$ref": "#/definitions/timestamp" - }, - "lang": { - "$ref": "#/definitions/language" - }, - "value": { - "type": "string" - } - } - } - }, - "credits": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "properties": { - "lang": { - "$ref": "#/definitions/language" - }, - "value": { - "type": "string" - }, - "user": { - "$ref": "#/definitions/uuidType" - }, - "type": { - "type": "string" - } - }, - "required": [ - "lang", - "value" - ] - } - }, - "source": { + "properties": { + "version": { + "type": "string" + }, + "vectorString": { + "type": "string" + }, + "accessVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/accessVectorType" + }, + "accessComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/accessComplexityType" + }, + "authentication": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/authenticationType" + }, + "confidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType" + }, + "integrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType" + }, + "availabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType" + }, + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType" + }, + "exploitability": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/exploitabilityType" + }, + "remediationLevel": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/remediationLevelType" + }, + "reportConfidence": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/reportConfidenceType" + }, + "temporalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType" + }, + "collateralDamagePotential": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/collateralDamagePotentialType" + }, + "targetDistribution": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/targetDistributionType" + }, + "confidentialityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType" + }, + "integrityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType" + }, + "availabilityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType" + }, + "environmentalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType" + } + }, + "required": [ + "version", + "vectorString", + "baseScore" + ] + }, + "other": { "type": "object", - "minProperties": 1 - }, - "language": { - "type": "string" - }, - "englishLanguage": { - "type": "string" - }, - "taxonomyMappings": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "required": [ - "taxonomyName", - "taxonomyRelations" - ], - "properties": { - "taxonomyName": { - "type": "string", - "minLength": 1, - "maxLength": 128 - }, - "taxonomyVersion": { - "type": "string", - "minLength": 1, - "maxLength": 128 - }, - "taxonomyRelations": { - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "required": [ - "taxonomyId", - "relationshipName", - "relationshipValue" - ], - "properties": { - "taxonomyId": { - "type": "string", - "minLength": 1, - "maxLength": 2048 - }, - "relationshipName": { - "type": "string", - "minLength": 1, - "maxLength": 128 - }, - "relationshipValue": { - "type": "string", - "minLength": 1, - "maxLength": 2048 - } - } - } - } - } + "required": [ + "type", + "content" + ], + "properties": { + "type": { + "type": "string" + }, + "content": { + "type": "object" + } } - }, - "tagExtension": { + } + } + } + }, + "configurations": { + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "$ref": "#/definitions/description" + } + }, + "workarounds": { + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "$ref": "#/definitions/description" + } + }, + "solutions": { + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "$ref": "#/definitions/description" + } + }, + "exploits": { + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "$ref": "#/definitions/description" + } + }, + "timeline": { + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "type": "object", + "required": [ + "time", + "lang", + "value" + ], + "properties": { + "time": { + "$ref": "#/definitions/timestamp" + }, + "lang": { + "$ref": "#/definitions/language" + }, + "value": { "type": "string" + } + } + } + }, + "credits": { + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "type": "object", + "properties": { + "lang": { + "$ref": "#/definitions/language" + }, + "value": { + "type": "string" + }, + "user": { + "$ref": "#/definitions/uuidType" + }, + "type": { + "type": "string" + } }, - "cnaTags": { + "required": [ + "lang", + "value" + ] + } + }, + "source": { + "type": "object", + "minProperties": 1 + }, + "language": { + "type": "string" + }, + "englishLanguage": { + "type": "string" + }, + "taxonomyMappings": { + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "type": "object", + "required": [ + "taxonomyName", + "taxonomyRelations" + ], + "properties": { + "taxonomyName": { + "type": "string", + "minLength": 1, + "maxLength": 128 + }, + "taxonomyVersion": { + "type": "string", + "minLength": 1, + "maxLength": 128 + }, + "taxonomyRelations": { "type": "array", - "uniqueItems": true, "minItems": 1, - "items": { - "oneOf": [ - { - "$ref": "#/definitions/tagExtension" - }, - { - "$schema": "http://json-schema.org/draft-07/schema#", - "$id": "https://cve.mitre.org/cve/v5_00/tags/cna/", - "type": "string" - } - ] - } - }, - "adpTags": { - "type": "array", "uniqueItems": true, - "minItems": 1, "items": { - "oneOf": [ - { - "$ref": "#/definitions/tagExtension" - }, - { - "$schema": "http://json-schema.org/draft-07/schema#", - "$id": "https://cve.mitre.org/cve/v5_00/tags/adp/", - "type": "string" - } - ] + "type": "object", + "required": [ + "taxonomyId", + "relationshipName", + "relationshipValue" + ], + "properties": { + "taxonomyId": { + "type": "string", + "minLength": 1, + "maxLength": 2048 + }, + "relationshipName": { + "type": "string", + "minLength": 1, + "maxLength": 128 + }, + "relationshipValue": { + "type": "string", + "minLength": 1, + "maxLength": 2048 + } + } } + } } + } }, - "oneOf": [ - { - "title": "Create", - "description": "When a CNA populates the data associated with a CVE ID as a CVE Record, the state of the CVE Record is Published.", - "properties": { - "containers": { - "description": "A set of structures (called containers) used to store vulnerability information related to a specific CVE ID provided by a specific organization participating in the CVE program. Each container includes information provided by a different source.\n\nAt minimum, a 'cna' container containing the vulnerability information provided by the CNA who initially assigned the CVE ID must be included.\n\nThere can only be one 'cna' container, as there can only be one assigning CNA. However, there can be multiple 'adp' containers, allowing multiple organizations participating in the CVE program to add additional information related to the vulnerability. For the most part, the 'cna' and 'adp' containers contain the same properties. The main differences are the source of the information and the 'cna' container requires the CNA include certain fields, while the 'adp' container does not.", - "type": "object", - "properties": { - "cna": { - "$ref": "#/definitions/cnaPublishedContainer" - } - }, - "required": [ - "cna" - ], - "additionalProperties": false + "tagExtension": { + "type": "string" + }, + "cnaTags": { + "type": "array", + "uniqueItems": true, + "minItems": 1, + "items": { + "oneOf": [ + { + "$ref": "#/definitions/tagExtension" + }, + { + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "https://cve.mitre.org/cve/v5_00/tags/cna/", + "type": "string" } + ] + } + }, + "adpTags": { + "type": "array", + "uniqueItems": true, + "minItems": 1, + "items": { + "oneOf": [ + { + "$ref": "#/definitions/tagExtension" + }, + { + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "https://cve.mitre.org/cve/v5_00/tags/adp/", + "type": "string" + } + ] + } + } + }, + "oneOf": [ + { + "title": "Create", + "description": "When a CNA populates the data associated with a CVE ID as a CVE Record, the state of the CVE Record is Published.", + "properties": { + "containers": { + "description": "A set of structures (called containers) used to store vulnerability information related to a specific CVE ID provided by a specific organization participating in the CVE program. Each container includes information provided by a different source.\n\nAt minimum, a 'cna' container containing the vulnerability information provided by the CNA who initially assigned the CVE ID must be included.\n\nThere can only be one 'cna' container, as there can only be one assigning CNA. However, there can be multiple 'adp' containers, allowing multiple organizations participating in the CVE program to add additional information related to the vulnerability. For the most part, the 'cna' and 'adp' containers contain the same properties. The main differences are the source of the information and the 'cna' container requires the CNA include certain fields, while the 'adp' container does not.", + "type": "object", + "properties": { + "cna": { + "$ref": "#/definitions/cnaPublishedContainer" + } + }, + "required": [ + "cna" + ], + "additionalProperties": false } } - ] + } + ] } \ No newline at end of file From d9838b612886dbe9fb2a802ddcbed458898d88fa Mon Sep 17 00:00:00 2001 From: david-rocca Date: Wed, 8 Jan 2025 10:05:15 -0500 Subject: [PATCH 22/23] Updating version number to 2.5.1 --- api-docs/openapi.json | 2 +- src/swagger.js | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/api-docs/openapi.json b/api-docs/openapi.json index 6f9b15acc..13b4b127c 100644 --- a/api-docs/openapi.json +++ b/api-docs/openapi.json @@ -1,7 +1,7 @@ { "openapi": "3.0.2", "info": { - "version": "2.5.0", + "version": "2.5.1", "title": "CVE Services API", "description": "The CVE Services API supports automation tooling for the CVE Program. Credentials are required for most service endpoints. Representatives of CVE Numbering Authorities (CNAs) should use one of the methods below to obtain credentials:
  • If your organization already has an Organizational Administrator (OA) account for the CVE Services, ask your admin for credentials
  • Contact your Root (Google, INCIBE, JPCERT/CC, or Red Hat) or Top-Level Root (CISA ICS or MITRE) to request credentials

CVE data is to be in the JSON 5.1 CVE Record format. Details of the JSON 5.1 schema are located here.

Contact the CVE Services team", "contact": { diff --git a/src/swagger.js b/src/swagger.js index 3e21fe402..2a385396d 100644 --- a/src/swagger.js +++ b/src/swagger.js @@ -18,7 +18,7 @@ const fullCnaContainerRequest = require('../schemas/cve/create-cve-record-cna-re /* eslint-disable no-multi-str */ const doc = { info: { - version: '2.5.0', + version: '2.5.1', title: 'CVE Services API', description: "The CVE Services API supports automation tooling for the CVE Program. Credentials are \ required for most service endpoints. Representatives of \ From 1712e8bb6e9ddc92e5bc64f73258bd4a3369dbd0 Mon Sep 17 00:00:00 2001 From: david-rocca Date: Wed, 8 Jan 2025 10:11:52 -0500 Subject: [PATCH 23/23] A few more version numbers --- package-lock.json | 2 +- package.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/package-lock.json b/package-lock.json index 21698ac59..572a65e35 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,6 +1,6 @@ { "name": "cve-services", - "version": "2.3.1", + "version": "2.5.1", "lockfileVersion": 2, "requires": true, "packages": { diff --git a/package.json b/package.json index 9aa412770..9b17b656b 100644 --- a/package.json +++ b/package.json @@ -1,7 +1,7 @@ { "name": "cve-services", "author": "Automation Working Group", - "version": "2.3.1", + "version": "2.5.1", "license": "(CC0)", "devDependencies": { "@faker-js/faker": "^7.6.0",