diff --git a/schema/docs/CVE_Record_Format_bundled.json b/schema/docs/CVE_Record_Format_bundled.json
index f7fffebf8f..b3cc91f8e3 100644
--- a/schema/docs/CVE_Record_Format_bundled.json
+++ b/schema/docs/CVE_Record_Format_bundled.json
@@ -2,7 +2,7 @@
 "$schema": "http://json-schema.org/draft-07/schema#",
 "$id": "https://cveproject.github.io/cve-schema/schema/CVE_Record_Format.json",
 "title": "CVE JSON record format",
- "description": "cve-schema specifies the CVE JSON record format. This is the blueprint for a rich set of JSON data that can be submitted by CVE Numbering Authorities (CNAs) and Authorized Data Publishers (ADPs) to describe a CVE Record. Some examples of CVE Record data include CVE ID number, affected product(s), affected version(s), and public references. While those specific items are required when assigning a CVE, there are many other optional data in the schema that can be used to enrich CVE Records for community benefit. Learn more about the CVE program at [the official website](https://cve.mitre.org). This CVE JSON record format is defined using JSON Schema. Learn more about JSON Schema [here](https://json-schema.org/).",
+ "description": "cve-schema specifies the CVE JSON record format. This is the blueprint for a rich set of JSON data that can be submitted by CVE Numbering Authorities (CNAs) and Authorized Data Publishers (ADPs) to describe a CVE Record. Some examples of CVE Record data include CVE ID number, affected product(s), affected version(s), and public references. While those specific items are required when assigning a CVE, there are many other optional data in the schema that can be used to enrich CVE Records for community benefit. Learn more about the CVE program at [the official website](https://www.cve.org). This CVE JSON record format is defined using JSON Schema. Learn more about JSON Schema [here](https://json-schema.org/).",
 "definitions": {
 "uriType": {
 "description": "A universal resource identifier (URI), according to [RFC 3986](https://tools.ietf.org/html/rfc3986).",
@@ -77,6 +77,7 @@
 },
 "cveId": {
 "type": "string",
+ "description": "The official CVE identifier contains the string 'CVE', followed by the year, followed by a 4 to 19 digit number. Note that the year-part of the identifier should indicate either the year the vulnerability was discovered, or the year the CVE ID is published in. CVE IDs must be unique.",
 "pattern": "^CVE-[0-9]{4}-[0-9]{4,19}$"
 },
 "cpe22and23": {
@@ -345,7 +346,7 @@
 },
 "versions": {
 "type": "array",
- "description": "Set of product versions or version ranges related to the vulnerability. The versions satisfy the CNA Rules [8.1.2 requirement](https://cve.mitre.org/cve/cna/rules.html#section_8-1_cve_entry_information_requirements). Versions or defaultStatus may be omitted, but not both.",
+ "description": "Set of product versions or version ranges related to the vulnerability. The versions help satisfy the CNA Rules [5.1.3 requirement](https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_5-1_Required_CVE_Record_Content). Versions or defaultStatus may be omitted, but not both.",
 "minItems": 1,
 "uniqueItems": true,
 "items": {
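Review bot: The added `cveId` description ties the year part to "the year the vulnerability was discovered", whereas the CVE program itself describes the year as the one in which the ID was reserved or the vulnerability was made public, so the "discovered" wording may mislead record producers — worth confirming against the current CNA rules before this text is locked into the schema, e.g. `"...the year-part of the identifier indicates the year the CVE ID was reserved or published, not necessarily the year of discovery."`. The "4 to 19 digit number" sentence does match the unchanged `pattern` on the next line. The same description is added in the three other bundled files in this commit; if these `*_bundled*.json` files are generated from a source schema, the wording fix belongs there.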
@@ -443,6 +444,28 @@
 },
 "additionalProperties": false
 }
+ },
+ "packageURL": {
+ "description": "A Package URL, a unified URL specification for identifying packages hosted by known package hosts. The Package URL MUST NOT include a version.",
+ "$ref": "#/definitions/uriType",
+ "examples": [
+ "pkg:bitbucket/birkenfeld/pygments-main",
+ "pkg:deb/debian/curl?arch=i386&distro=jessie",
+ "pkg:docker/cassandra",
+ "pkg:docker/customer/dockerimage?repository_url=gcr.io",
+ "pkg:gem/jruby-launcher?platform=java",
+ "pkg:gem/ruby-advisory-db-check",
+ "pkg:github/package-url/purl-spec",
+ "pkg:golang/google.golang.org/genproto#googleapis/api/annotations",
+ "pkg:maven/org.apache.xmlgraphics/batik-anim?packaging=sources",
+ "pkg:maven/org.apache.xmlgraphics/batik-anim?repository_url=repo.spring.io/release",
+ "pkg:npm/%40angular/animation",
+ "pkg:npm/foobar",
+ "pkg:nuget/EnterpriseLibrary.Common",
+ "pkg:pypi/django",
+ "pkg:rpm/fedora/curl?arch=i386&distro=fedora-25",
+ "pkg:rpm/opensuse/curl?arch=i386&distro=opensuse-tumbleweed"
+ ]
 }
 }
 },
@@ -3519,4 +3542,4 @@
 "additionalProperties": false
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/schema/docs/CVE_Record_Format_bundled_adpContainer.json b/schema/docs/CVE_Record_Format_bundled_adpContainer.json
index 5f041e44ae..860009668d 100644
--- a/schema/docs/CVE_Record_Format_bundled_adpContainer.json
+++ b/schema/docs/CVE_Record_Format_bundled_adpContainer.json
@@ -77,6 +77,7 @@
 },
 "cveId": {
 "type": "string",
+ "description": "The official CVE identifier contains the string 'CVE', followed by the year, followed by a 4 to 19 digit number. Note that the year-part of the identifier should indicate either the year the vulnerability was discovered, or the year the CVE ID is published in. CVE IDs must be unique.",
 "pattern": "^CVE-[0-9]{4}-[0-9]{4,19}$"
 },
 "cpe22and23": {
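Review bot: The new `packageURL` definition says the value MUST NOT include a version, but nothing in the definition enforces that — it only `$ref`s `uriType`, so a purl carrying an `@version` validates exactly like the listed examples; a `pattern` anchored on the `pkg:` scheme that rejects an unencoded `@` version separator, e.g. `"pattern": "^pkg:[^@]+$"` (to be checked against the purl spec's qualifier and subpath grammar; note the examples already percent-encode `@` as `%40`), would make the constraint machine-checkable. Separately, the file declares draft-07 in its `$schema`, where `$ref` replaces its sibling keywords, so the `description` and `examples` placed beside it may be dropped by spec-conforming validators and doc generators; wrapping the reference as `"allOf": [{"$ref": "#/definitions/uriType"}]` with `description`/`examples` as siblings of `allOf` keeps them. The same definition is added in the three other bundled files in this commit, and if these `*_bundled*.json` files are generated from a source schema, the change belongs there rather than in the bundles.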
@@ -345,7 +346,7 @@
 },
 "versions": {
 "type": "array",
- "description": "Set of product versions or version ranges related to the vulnerability. The versions satisfy the CNA Rules [8.1.2 requirement](https://cve.mitre.org/cve/cna/rules.html#section_8-1_cve_entry_information_requirements). Versions or defaultStatus may be omitted, but not both.",
+ "description": "Set of product versions or version ranges related to the vulnerability. The versions help satisfy the CNA Rules [5.1.3 requirement](https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_5-1_Required_CVE_Record_Content). Versions or defaultStatus may be omitted, but not both.",
 "minItems": 1,
 "uniqueItems": true,
 "items": {
@@ -443,6 +444,28 @@
 },
 "additionalProperties": false
 }
+ },
+ "packageURL": {
+ "description": "A Package URL, a unified URL specification for identifying packages hosted by known package hosts. The Package URL MUST NOT include a version.",
+ "$ref": "#/definitions/uriType",
+ "examples": [
+ "pkg:bitbucket/birkenfeld/pygments-main",
+ "pkg:deb/debian/curl?arch=i386&distro=jessie",
+ "pkg:docker/cassandra",
+ "pkg:docker/customer/dockerimage?repository_url=gcr.io",
+ "pkg:gem/jruby-launcher?platform=java",
+ "pkg:gem/ruby-advisory-db-check",
+ "pkg:github/package-url/purl-spec",
+ "pkg:golang/google.golang.org/genproto#googleapis/api/annotations",
+ "pkg:maven/org.apache.xmlgraphics/batik-anim?packaging=sources",
+ "pkg:maven/org.apache.xmlgraphics/batik-anim?repository_url=repo.spring.io/release",
+ "pkg:npm/%40angular/animation",
+ "pkg:npm/foobar",
+ "pkg:nuget/EnterpriseLibrary.Common",
+ "pkg:pypi/django",
+ "pkg:rpm/fedora/curl?arch=i386&distro=fedora-25",
+ "pkg:rpm/opensuse/curl?arch=i386&distro=opensuse-tumbleweed"
+ ]
 }
 }
 },
@@ -3437,10 +3460,11 @@
 }
 }
 },
+ "type": "object",
 "properties": {
 "adpContainer": {
 "$ref": "#/definitions/adpContainer"
 }
 },
 "additionalProperties": false
-}
+}
\ No newline at end of file
diff --git a/schema/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json b/schema/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json
index 393d59873b..a7d4749f62 100644
--- a/schema/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json
+++ b/schema/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json
@@ -77,6 +77,7 @@
 },
 "cveId": {
 "type": "string",
+ "description": "The official CVE identifier contains the string 'CVE', followed by the year, followed by a 4 to 19 digit number. Note that the year-part of the identifier should indicate either the year the vulnerability was discovered, or the year the CVE ID is published in. CVE IDs must be unique.",
 "pattern": "^CVE-[0-9]{4}-[0-9]{4,19}$"
 },
 "cpe22and23": {
@@ -345,7 +346,7 @@
 },
 "versions": {
 "type": "array",
- "description": "Set of product versions or version ranges related to the vulnerability. The versions satisfy the CNA Rules [8.1.2 requirement](https://cve.mitre.org/cve/cna/rules.html#section_8-1_cve_entry_information_requirements). Versions or defaultStatus may be omitted, but not both.",
+ "description": "Set of product versions or version ranges related to the vulnerability. The versions help satisfy the CNA Rules [5.1.3 requirement](https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_5-1_Required_CVE_Record_Content). Versions or defaultStatus may be omitted, but not both.",
 "minItems": 1,
 "uniqueItems": true,
 "items": {
@@ -443,6 +444,28 @@
 },
 "additionalProperties": false
 }
+ },
+ "packageURL": {
+ "description": "A Package URL, a unified URL specification for identifying packages hosted by known package hosts. The Package URL MUST NOT include a version.",
+ "$ref": "#/definitions/uriType",
+ "examples": [
+ "pkg:bitbucket/birkenfeld/pygments-main",
+ "pkg:deb/debian/curl?arch=i386&distro=jessie",
+ "pkg:docker/cassandra",
+ "pkg:docker/customer/dockerimage?repository_url=gcr.io",
+ "pkg:gem/jruby-launcher?platform=java",
+ "pkg:gem/ruby-advisory-db-check",
+ "pkg:github/package-url/purl-spec",
+ "pkg:golang/google.golang.org/genproto#googleapis/api/annotations",
+ "pkg:maven/org.apache.xmlgraphics/batik-anim?packaging=sources",
+ "pkg:maven/org.apache.xmlgraphics/batik-anim?repository_url=repo.spring.io/release",
+ "pkg:npm/%40angular/animation",
+ "pkg:npm/foobar",
+ "pkg:nuget/EnterpriseLibrary.Common",
+ "pkg:pypi/django",
+ "pkg:rpm/fedora/curl?arch=i386&distro=fedora-25",
+ "pkg:rpm/opensuse/curl?arch=i386&distro=opensuse-tumbleweed"
+ ]
 }
 }
 },
@@ -3437,10 +3460,11 @@
 }
 }
 },
+ "type": "object",
 "properties": {
 "cnaContainer": {
 "$ref": "#/definitions/cnaPublishedContainer"
 }
 },
 "additionalProperties": false
-}
+}
\ No newline at end of file
diff --git a/schema/docs/CVE_Record_Format_bundled_cnaRejectedContainer.json b/schema/docs/CVE_Record_Format_bundled_cnaRejectedContainer.json
index d32f0da06a..5a49b4910d 100644
--- a/schema/docs/CVE_Record_Format_bundled_cnaRejectedContainer.json
+++ b/schema/docs/CVE_Record_Format_bundled_cnaRejectedContainer.json
@@ -77,6 +77,7 @@
 },
 "cveId": {
 "type": "string",
+ "description": "The official CVE identifier contains the string 'CVE', followed by the year, followed by a 4 to 19 digit number. Note that the year-part of the identifier should indicate either the year the vulnerability was discovered, or the year the CVE ID is published in. CVE IDs must be unique.",
 "pattern": "^CVE-[0-9]{4}-[0-9]{4,19}$"
 },
 "cpe22and23": {
@@ -345,7 +346,7 @@
 },
 "versions": {
 "type": "array",
- "description": "Set of product versions or version ranges related to the vulnerability. The versions satisfy the CNA Rules [8.1.2 requirement](https://cve.mitre.org/cve/cna/rules.html#section_8-1_cve_entry_information_requirements). Versions or defaultStatus may be omitted, but not both.",
+ "description": "Set of product versions or version ranges related to the vulnerability. The versions help satisfy the CNA Rules [5.1.3 requirement](https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_5-1_Required_CVE_Record_Content). Versions or defaultStatus may be omitted, but not both.",
 "minItems": 1,
 "uniqueItems": true,
 "items": {
@@ -443,6 +444,28 @@
 },
 "additionalProperties": false
 }
+ },
+ "packageURL": {
+ "description": "A Package URL, a unified URL specification for identifying packages hosted by known package hosts. The Package URL MUST NOT include a version.",
+ "$ref": "#/definitions/uriType",
+ "examples": [
+ "pkg:bitbucket/birkenfeld/pygments-main",
+ "pkg:deb/debian/curl?arch=i386&distro=jessie",
+ "pkg:docker/cassandra",
+ "pkg:docker/customer/dockerimage?repository_url=gcr.io",
+ "pkg:gem/jruby-launcher?platform=java",
+ "pkg:gem/ruby-advisory-db-check",
+ "pkg:github/package-url/purl-spec",
+ "pkg:golang/google.golang.org/genproto#googleapis/api/annotations",
+ "pkg:maven/org.apache.xmlgraphics/batik-anim?packaging=sources",
+ "pkg:maven/org.apache.xmlgraphics/batik-anim?repository_url=repo.spring.io/release",
+ "pkg:npm/%40angular/animation",
+ "pkg:npm/foobar",
+ "pkg:nuget/EnterpriseLibrary.Common",
+ "pkg:pypi/django",
+ "pkg:rpm/fedora/curl?arch=i386&distro=fedora-25",
+ "pkg:rpm/opensuse/curl?arch=i386&distro=opensuse-tumbleweed"
+ ]
 }
 }
 },
@@ -3437,10 +3460,11 @@
 }
 }
 },
+ "type": "object",
 "properties": {
 "cnaContainer": {
 "$ref": "#/definitions/cnaRejectedContainer"
 }
 },
 "additionalProperties": false
-}
+}
\ No newline at end of file