Resolves #1124, #1126, #1185, #1186 5.1 schema implementation #1190

merged 14 commits into from
Feb 27, 2024
3 changes: 0 additions & 3 deletions schemas/cve/update-full-cve-record-response.json
Expand Up @@ -98,9 +98,6 @@
"name": {
"type": "string"
},
"refsource": {
"type": "string"
},
"url": {
"type": "string"
}
2 changes: 1 addition & 1 deletion src/constants/index.js
@@ -1,5 +1,5 @@
const fs = require('fs')
const cveSchemaV5 = JSON.parse(fs.readFileSync('src/middleware/5.0_bundled_schema.json'))
const cveSchemaV5 = JSON.parse(fs.readFileSync('src/middleware/schemas/CVE_JSON_5.1_bundled.json'))

/**
* Return default values.
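Review bot: The new `readFileSync` path on the added `cveSchemaV5` line is still resolved against the process working directory rather than against this module, so if the service is ever started from a directory other than the repository root the require fails at load time with ENOENT; the same cwd-relative form is on the new lines in src/controller/cve.controller/cve.middleware.js and src/middleware/middleware.js. Since the path is being rewritten anyway, anchoring it to the module makes the load location-independent: `const path = require('path')` and `const cveSchemaV5 = JSON.parse(fs.readFileSync(path.join(__dirname, '../middleware/schemas/CVE_JSON_5.1_bundled.json')))`. Whether anything relies on the cwd-relative behaviour is not visible from this hunk.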
4 changes: 2 additions & 2 deletions src/controller/cve.controller/cve.middleware.js
Expand Up @@ -3,8 +3,8 @@ const errors = require('./error')
const error = new errors.CveControllerError()
const utils = require('../../utils/utils')
const fs = require('fs')
const RejectedSchema = JSON.parse(fs.readFileSync('src/middleware/Reject_5.0_Schema.json'))
const cnaContainerSchema = JSON.parse(fs.readFileSync('src/controller/cve.controller/cna_container_schema.json'))
const RejectedSchema = JSON.parse(fs.readFileSync('src/middleware/schemas/5.1_rejected_cna_container.json'))
const cnaContainerSchema = JSON.parse(fs.readFileSync('src/middleware/schemas/5.1_published_cna_container.json'))
const logger = require('../../middleware/logger')
const Ajv = require('ajv')
const addFormats = require('ajv-formats')
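Review bot: `RejectedSchema` on the first added line keeps a PascalCase name while its sibling `cnaContainerSchema` on the next line is camelCase, and neither identifier now says which container schema it holds even though the new file names (5.1_rejected_cna_container.json, 5.1_published_cna_container.json) do. Renaming them to `rejectedCnaContainerSchema` and `publishedCnaContainerSchema` would make the two loads read like the files they point to; both identifiers are used further down the file, outside this hunk, so the rename has to follow those uses.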
2,034 changes: 0 additions & 2,034 deletions src/middleware/5.0_bundled_schema.json

This file was deleted.

12 changes: 11 additions & 1 deletion src/middleware/Reject_5.0_Schema.json
Expand Up @@ -147,10 +147,17 @@
"$ref": "#/definitions/providerMetadata"
},
"rejectedReasons": {
"description": "Reasons for rejecting this CVE Record.",
"$ref": "#/definitions/rejectedReasons"
},
"replacedBy": {
"$ref": "#/definitions/replacedBy"
"type": "array",
"description": "Contains an array of CVE IDs that this CVE ID was rejected in favor of because this CVE ID was assigned to the vulnerabilities.",
"minItems": 1,
"uniqueItems": true,
"items": {
"$ref": "#/definitions/cveId"
}
}
},
"required": [
Expand All @@ -162,5 +169,8 @@
"additionalProperties": false
}
},
"required": [
"cnaContainer"
],
"additionalProperties": false
}
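Review bot: This file is updated while its only visible consumer, src/controller/cve.controller/cve.middleware.js, switches its `RejectedSchema` load to src/middleware/schemas/5.1_rejected_cna_container.json in the same PR, which leaves Reject_5.0_Schema.json apparently unreferenced — unlike 5.0_bundled_schema.json, which the PR deletes. The inlined `replacedBy` block added in the first hunk is now a second copy of the one in the 5.1 file, so the two can drift. If nothing outside this diff still reads this file, deleting it keeps a single source of truth for the rejected-container schema; if something does, a `$comment` on the root object naming that consumer would stop the next reader from removing it.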
4 changes: 2 additions & 2 deletions src/middleware/middleware.js
@@ -1,6 +1,6 @@
const getConstants = require('../constants').getConstants
const fs = require('fs')
const cveSchemaV5 = JSON.parse(fs.readFileSync('src/middleware/5.0_bundled_schema.json'))
const cveSchemaV5 = JSON.parse(fs.readFileSync('src/middleware/schemas/CVE_JSON_5.1_bundled.json'))
const argon2 = require('argon2')
const logger = require('./logger')
const Ajv = require('ajv')
Expand Down Expand Up @@ -321,7 +321,7 @@ function validateCveJsonSchema (req, res, next) {
logger.info({ uuid: req.ctx.uuid, message: 'Validating CVE JSON schema.' })
let result

if (cveVersion === '5.0') {
if (cveVersion === '5.1') {
if (['PUBLISHED', 'RESERVED', 'REJECTED'].includes(cveState)) {
result = validate(cve)
} else {
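Review bot: The version gate in validateCveJsonSchema now matches only `cveVersion === '5.1'`, so a record that still declares dataVersion `5.0` falls into the else branch, which lies outside this hunk; if that branch rejects, every client that has not migrated is cut off at once rather than through a deprecation window. If 5.0 submissions are meant to keep working during the transition and the bundled 5.1 schema admits them, `if (['5.0', '5.1'].includes(cveVersion)) {` keeps the gate explicit while the 5.1 schema does the validation; if they are meant to be refused, a comment such as `// dataVersion 5.0 is no longer accepted as of the 5.1 schema rollout` on the condition would record that decision for the next reader. The function's opening and its else branch are outside the hunk, so how 5.0 is currently handled cannot be confirmed here.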
2,300 changes: 2,300 additions & 0 deletions src/middleware/schemas/5.1_published_cna_container.json

Large diffs are not rendered by default.

188 changes: 188 additions & 0 deletions src/middleware/schemas/5.1_rejected_cna_container.json
@@ -0,0 +1,188 @@
{
"definitions": {
"uuidType": {
"description": "A version 4 (random) universally unique identifier (UUID) as defined by [RFC 4122](https://tools.ietf.org/html/rfc4122#section-4.1.3).",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"cveId": {
"type": "string",
"pattern": "^CVE-[0-9]{4}-[0-9]{4,19}$"
},
"orgId": {
"description": "A UUID for an organization participating in the CVE program. This UUID can be used to lookup the organization record in the user registry service.",
"$ref": "#/definitions/uuidType"
},
"shortName": {
"description": "A 2-32 character name that can be used to complement an organization's UUID.",
"type": "string",
"minLength": 2,
"maxLength": 32
},
"timestamp": {
"type": "string",
"format": "date-time",
"description": "Date/time format based on RFC3339 and ISO ISO8601, with an optional timezone in the format 'yyyy-MM-ddTHH:mm:ss[+-]ZH:ZM'. If timezone offset is not given, GMT (+00:00) is assumed.",
"pattern": "^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})?$"
},
"providerMetadata": {
"type": "object",
"description": "Details related to the information container provider (CNA or ADP).",
"properties": {
"orgId": {
"$ref": "#/definitions/orgId",
"description": "The container provider's organizational UUID."
},
"shortName": {
"$ref": "#/definitions/shortName",
"description": "The container provider's organizational short name."
},
"dateUpdated": {
"$ref": "#/definitions/timestamp",
"description": "Timestamp to be set by the system of record at time of submission. If dateUpdated is provided to the system of record it will be replaced by the current timestamp at the time of submission."
}
},
"required": [
"orgId"
],
"additionalProperties": false
},
"description": {
"type": "object",
"description": "Text in a particular language with optional alternate markup or formatted representation (e.g., Markdown) or embedded media.",
"properties": {
"lang": {
"$ref": "#/definitions/language"
},
"value": {
"type": "string",
"description": "Plain text description.",
"minLength": 1,
"maxLength": 4096
},
"supportingMedia": {
"type": "array",
"title": "Supporting media",
"description": "Supporting media data for the description such as markdown, diagrams, .. (optional). Similar to RFC 2397 each media object has three main parts: media type, media data value, and an optional boolean flag to indicate if the media data is base64 encoded.",
"uniqueItems": true,
"minItems": 1,
"items": {
"type": "object",
"properties": {
"type": {
"type": "string",
"title": "Media type",
"minLength": 1,
"maxLength": 256,
"description": "RFC2046 compliant IANA Media type for eg., text/markdown, text/html.",
"examples": [
"text/markdown",
"text/html",
"image/png",
"image/svg",
"audio/mp3"
]
},
"base64": {
"type": "boolean",
"title": "Encoding",
"description": "If true then the value field contains the media data encoded in base64. If false then the value field contains the UTF-8 media content.",
"default": false
},
"value": {
"type": "string",
"description": "Supporting media content, up to 16K. If base64 is true, this field stores base64 encoded data.",
"minLength": 1,
"maxLength": 16384
}
},
"required": [
"type",
"value"
],
"additionalProperties": false
}
}
},
"required": [
"lang",
"value"
],
"additionalProperties": false
},
"englishLanguageDescription": {
"type": "object",
"description": "A description with lang set to an English language (en, en_US, en_UK, and so on).",
"properties": {
"lang": {
"$ref": "#/definitions/englishLanguage"
}
},
"required": [
"lang"
],
"$comment": "Cannot use additionalProperties: false here, as this prevents the other properties used by /definitions/description."
},
"descriptions": {
"type": "array",
"description": "A list of multi-lingual descriptions of the vulnerability. E.g., [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]. OR [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] [ROOT CAUSE], which allows [ATTACKER] to [IMPACT] via [VECTOR].",
"minItems": 1,
"uniqueItems": true,
"items": {
"$ref": "#/definitions/description"
},
"contains": {
"$ref": "#/definitions/englishLanguageDescription"
}
},
"language": {
"type": "string",
"description": "BCP 47 language code, language-region.",
"default": "en",
"pattern": "^[A-Za-z]{2,4}([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$"
},
"englishLanguage": {
"type": "string",
"description": "BCP 47 language code, language-region, required to be English.",
"pattern": "^en([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$"
}
},
"properties": {
"cnaContainer": {
"description": "An object containing the vulnerability information provided by a CVE Numbering Authority (CNA) for a rejected CVE ID. There can only be one CNA container per CVE record since there can only be one assigning CNA.",
"type": "object",
"properties": {
"providerMetadata": {
"$ref": "#/definitions/providerMetadata"
},
"rejectedReasons": {
"description": "Reasons for rejecting this CVE Record.",
"$ref": "#/definitions/descriptions"
},
"replacedBy": {
"type": "array",
"description": "Contains an array of CVE IDs that this CVE ID was rejected in favor of because this CVE ID was assigned to the vulnerabilities.",
"minItems": 1,
"uniqueItems": true,
"items": {
"$ref": "#/definitions/cveId"
}
}
},
"required": [
"rejectedReasons"
],
"patternProperties": {
"^x_[^.]*$": {}
},
"additionalProperties": false
}
},
"required": [
"cnaContainer"
],
"$comment": "The character . is restricted in names allowed by patternProperties to work-around naming limitations in some common implementations.",
"additionalProperties": false,
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "rejected_cna_container_bundled"
}
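Review bot: The `cnaContainer` object's `"required": ["rejectedReasons"]` lists only rejectedReasons, so a rejected container without `providerMetadata` passes this validator. That is fine if the service fills providerMetadata from the authenticated organization before persisting — the `dateUpdated` description on the providerMetadata definition says the system of record replaces that field, which suggests the service owns at least part of it — but if the container is stored as submitted, an unattributed rejection record would be accepted; which of the two applies is not visible in this diff. A `$comment` on the `cnaContainer` object stating that providerMetadata is supplied by the service, or adding it to `required` if it is not, would make the intent explicit to whoever next edits this bundled file.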