CVEProject · ccoffin · Sep 3, 2025 · Aug 29, 2025
diff --git a/schema/docs/CVE_Record_Format_bundled.json b/schema/docs/CVE_Record_Format_bundled.json
@@ -2,7 +2,7 @@
   "$schema": "http://json-schema.org/draft-07/schema#",
   "$id": "https://cveproject.github.io/cve-schema/schema/CVE_Record_Format.json",
   "title": "CVE JSON record format",
-  "description": "cve-schema specifies the CVE JSON record format. This is the blueprint for a rich set of JSON data that can be submitted by CVE Numbering Authorities (CNAs) and Authorized Data Publishers (ADPs) to describe a CVE Record. Some examples of CVE Record data include CVE ID number, affected product(s), affected version(s), and public references. While those specific items are required when assigning a CVE, there are many other optional data in the schema that can be used to enrich CVE Records for community benefit. Learn more about the CVE program at [the official website](https://cve.mitre.org). This CVE JSON record format is defined using JSON Schema. Learn more about JSON Schema [here](https://json-schema.org/).",
+  "description": "cve-schema specifies the CVE JSON record format. This is the blueprint for a rich set of JSON data that can be submitted by CVE Numbering Authorities (CNAs) and Authorized Data Publishers (ADPs) to describe a CVE Record. Some examples of CVE Record data include CVE ID number, affected product(s), affected version(s), and public references. While those specific items are required when assigning a CVE, there are many other optional data in the schema that can be used to enrich CVE Records for community benefit. Learn more about the CVE program at [the official website](https://www.cve.org). This CVE JSON record format is defined using JSON Schema. Learn more about JSON Schema [here](https://json-schema.org/).",
   "definitions": {
     "uriType": {
       "description": "A universal resource identifier (URI), according to [RFC 3986](https://tools.ietf.org/html/rfc3986).",
@@ -77,6 +77,7 @@
     },
     "cveId": {
       "type": "string",
+      "description": "The official CVE identifier contains the string 'CVE', followed by the year, followed by a 4 to 19 digit number. Note that the year-part of the identifier should indicate either the year the vulnerability was discovered, or the year the CVE ID is published in. CVE IDs must be unique.",
       "pattern": "^CVE-[0-9]{4}-[0-9]{4,19}$"
     },
     "cpe22and23": {
@@ -345,7 +346,7 @@
         },
         "versions": {
           "type": "array",
-          "description": "Set of product versions or version ranges related to the vulnerability. The versions satisfy the CNA Rules [8.1.2 requirement](https://cve.mitre.org/cve/cna/rules.html#section_8-1_cve_entry_information_requirements). Versions or defaultStatus may be omitted, but not both.",
+          "description": "Set of product versions or version ranges related to the vulnerability. The versions help satisfy the CNA Rules [5.1.3 requirement](https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_5-1_Required_CVE_Record_Content). Versions or defaultStatus may be omitted, but not both.",
           "minItems": 1,
           "uniqueItems": true,
           "items": {
@@ -443,6 +444,28 @@
             },
             "additionalProperties": false
           }
+        },
+        "packageURL": {
+          "description": "A Package URL, a unified URL specification for identifying packages hosted by known package hosts. The Package URL MUST NOT include a version.",
+          "$ref": "#/definitions/uriType",
+          "examples": [
+            "pkg:bitbucket/birkenfeld/pygments-main",
+            "pkg:deb/debian/curl?arch=i386&distro=jessie",
+            "pkg:docker/cassandra",
+            "pkg:docker/customer/dockerimage?repository_url=gcr.io",
+            "pkg:gem/jruby-launcher?platform=java",
+            "pkg:gem/ruby-advisory-db-check",
+            "pkg:github/package-url/purl-spec",
+            "pkg:golang/google.golang.org/genproto#googleapis/api/annotations",
+            "pkg:maven/org.apache.xmlgraphics/batik-anim?packaging=sources",
+            "pkg:maven/org.apache.xmlgraphics/batik-anim?repository_url=repo.spring.io/release",
+            "pkg:npm/%40angular/animation",
+            "pkg:npm/foobar",
+            "pkg:nuget/EnterpriseLibrary.Common",
+            "pkg:pypi/django",
+            "pkg:rpm/fedora/curl?arch=i386&distro=fedora-25",
+            "pkg:rpm/opensuse/curl?arch=i386&distro=opensuse-tumbleweed"
+          ]
         }
       }
     },
@@ -3519,4 +3542,4 @@
       "additionalProperties": false
     }
   ]
-}
+}
diff --git a/schema/docs/CVE_Record_Format_bundled_adpContainer.json b/schema/docs/CVE_Record_Format_bundled_adpContainer.json
@@ -77,6 +77,7 @@
     },
     "cveId": {
       "type": "string",
+      "description": "The official CVE identifier contains the string 'CVE', followed by the year, followed by a 4 to 19 digit number. Note that the year-part of the identifier should indicate either the year the vulnerability was discovered, or the year the CVE ID is published in. CVE IDs must be unique.",
       "pattern": "^CVE-[0-9]{4}-[0-9]{4,19}$"
     },
     "cpe22and23": {
@@ -345,7 +346,7 @@
         },
         "versions": {
           "type": "array",
-          "description": "Set of product versions or version ranges related to the vulnerability. The versions satisfy the CNA Rules [8.1.2 requirement](https://cve.mitre.org/cve/cna/rules.html#section_8-1_cve_entry_information_requirements). Versions or defaultStatus may be omitted, but not both.",
+          "description": "Set of product versions or version ranges related to the vulnerability. The versions help satisfy the CNA Rules [5.1.3 requirement](https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_5-1_Required_CVE_Record_Content). Versions or defaultStatus may be omitted, but not both.",
           "minItems": 1,
           "uniqueItems": true,
           "items": {
@@ -443,6 +444,28 @@
             },
             "additionalProperties": false
           }
+        },
+        "packageURL": {
+          "description": "A Package URL, a unified URL specification for identifying packages hosted by known package hosts. The Package URL MUST NOT include a version.",
+          "$ref": "#/definitions/uriType",
+          "examples": [
+            "pkg:bitbucket/birkenfeld/pygments-main",
+            "pkg:deb/debian/curl?arch=i386&distro=jessie",
+            "pkg:docker/cassandra",
+            "pkg:docker/customer/dockerimage?repository_url=gcr.io",
+            "pkg:gem/jruby-launcher?platform=java",
+            "pkg:gem/ruby-advisory-db-check",
+            "pkg:github/package-url/purl-spec",
+            "pkg:golang/google.golang.org/genproto#googleapis/api/annotations",
+            "pkg:maven/org.apache.xmlgraphics/batik-anim?packaging=sources",
+            "pkg:maven/org.apache.xmlgraphics/batik-anim?repository_url=repo.spring.io/release",
+            "pkg:npm/%40angular/animation",
+            "pkg:npm/foobar",
+            "pkg:nuget/EnterpriseLibrary.Common",
+            "pkg:pypi/django",
+            "pkg:rpm/fedora/curl?arch=i386&distro=fedora-25",
+            "pkg:rpm/opensuse/curl?arch=i386&distro=opensuse-tumbleweed"
+          ]
         }
       }
     },
@@ -3437,10 +3460,11 @@
       }
     }
   },
+  "type": "object",
   "properties": {
     "adpContainer": {
       "$ref": "#/definitions/adpContainer"
     }
   },
   "additionalProperties": false
-}
+}
diff --git a/schema/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json b/schema/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json
@@ -77,6 +77,7 @@
     },
     "cveId": {
       "type": "string",
+      "description": "The official CVE identifier contains the string 'CVE', followed by the year, followed by a 4 to 19 digit number. Note that the year-part of the identifier should indicate either the year the vulnerability was discovered, or the year the CVE ID is published in. CVE IDs must be unique.",
       "pattern": "^CVE-[0-9]{4}-[0-9]{4,19}$"
     },
     "cpe22and23": {
@@ -345,7 +346,7 @@
         },
         "versions": {
           "type": "array",
-          "description": "Set of product versions or version ranges related to the vulnerability. The versions satisfy the CNA Rules [8.1.2 requirement](https://cve.mitre.org/cve/cna/rules.html#section_8-1_cve_entry_information_requirements). Versions or defaultStatus may be omitted, but not both.",
+          "description": "Set of product versions or version ranges related to the vulnerability. The versions help satisfy the CNA Rules [5.1.3 requirement](https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_5-1_Required_CVE_Record_Content). Versions or defaultStatus may be omitted, but not both.",
           "minItems": 1,
           "uniqueItems": true,
           "items": {
@@ -443,6 +444,28 @@
             },
             "additionalProperties": false
           }
+        },
+        "packageURL": {
+          "description": "A Package URL, a unified URL specification for identifying packages hosted by known package hosts. The Package URL MUST NOT include a version.",
+          "$ref": "#/definitions/uriType",
+          "examples": [
+            "pkg:bitbucket/birkenfeld/pygments-main",
+            "pkg:deb/debian/curl?arch=i386&distro=jessie",
+            "pkg:docker/cassandra",
+            "pkg:docker/customer/dockerimage?repository_url=gcr.io",
+            "pkg:gem/jruby-launcher?platform=java",
+            "pkg:gem/ruby-advisory-db-check",
+            "pkg:github/package-url/purl-spec",
+            "pkg:golang/google.golang.org/genproto#googleapis/api/annotations",
+            "pkg:maven/org.apache.xmlgraphics/batik-anim?packaging=sources",
+            "pkg:maven/org.apache.xmlgraphics/batik-anim?repository_url=repo.spring.io/release",
+            "pkg:npm/%40angular/animation",
+            "pkg:npm/foobar",
+            "pkg:nuget/EnterpriseLibrary.Common",
+            "pkg:pypi/django",
+            "pkg:rpm/fedora/curl?arch=i386&distro=fedora-25",
+            "pkg:rpm/opensuse/curl?arch=i386&distro=opensuse-tumbleweed"
+          ]
         }
       }
     },
@@ -3437,10 +3460,11 @@
       }
     }
   },
+  "type": "object",
   "properties": {
     "cnaContainer": {
       "$ref": "#/definitions/cnaPublishedContainer"
     }
   },
   "additionalProperties": false
-}
+}
diff --git a/schema/docs/CVE_Record_Format_bundled_cnaRejectedContainer.json b/schema/docs/CVE_Record_Format_bundled_cnaRejectedContainer.json
@@ -77,6 +77,7 @@
     },
     "cveId": {
       "type": "string",
+      "description": "The official CVE identifier contains the string 'CVE', followed by the year, followed by a 4 to 19 digit number. Note that the year-part of the identifier should indicate either the year the vulnerability was discovered, or the year the CVE ID is published in. CVE IDs must be unique.",
       "pattern": "^CVE-[0-9]{4}-[0-9]{4,19}$"
     },
     "cpe22and23": {
@@ -345,7 +346,7 @@
         },
         "versions": {
           "type": "array",
-          "description": "Set of product versions or version ranges related to the vulnerability. The versions satisfy the CNA Rules [8.1.2 requirement](https://cve.mitre.org/cve/cna/rules.html#section_8-1_cve_entry_information_requirements). Versions or defaultStatus may be omitted, but not both.",
+          "description": "Set of product versions or version ranges related to the vulnerability. The versions help satisfy the CNA Rules [5.1.3 requirement](https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_5-1_Required_CVE_Record_Content). Versions or defaultStatus may be omitted, but not both.",
           "minItems": 1,
           "uniqueItems": true,
           "items": {
@@ -443,6 +444,28 @@
             },
             "additionalProperties": false
           }
+        },
+        "packageURL": {
+          "description": "A Package URL, a unified URL specification for identifying packages hosted by known package hosts. The Package URL MUST NOT include a version.",
+          "$ref": "#/definitions/uriType",
+          "examples": [
+            "pkg:bitbucket/birkenfeld/pygments-main",
+            "pkg:deb/debian/curl?arch=i386&distro=jessie",
+            "pkg:docker/cassandra",
+            "pkg:docker/customer/dockerimage?repository_url=gcr.io",
+            "pkg:gem/jruby-launcher?platform=java",
+            "pkg:gem/ruby-advisory-db-check",
+            "pkg:github/package-url/purl-spec",
+            "pkg:golang/google.golang.org/genproto#googleapis/api/annotations",
+            "pkg:maven/org.apache.xmlgraphics/batik-anim?packaging=sources",
+            "pkg:maven/org.apache.xmlgraphics/batik-anim?repository_url=repo.spring.io/release",
+            "pkg:npm/%40angular/animation",
+            "pkg:npm/foobar",
+            "pkg:nuget/EnterpriseLibrary.Common",
+            "pkg:pypi/django",
+            "pkg:rpm/fedora/curl?arch=i386&distro=fedora-25",
+            "pkg:rpm/opensuse/curl?arch=i386&distro=opensuse-tumbleweed"
+          ]
         }
       }
     },
@@ -3437,10 +3460,11 @@
       }
     }
   },
+  "type": "object",
   "properties": {
     "cnaContainer": {
       "$ref": "#/definitions/cnaRejectedContainer"
     }
   },
   "additionalProperties": false
-}
+}