From 821815af9d6efa2efcfdff574124fc3f09d9e5fa Mon Sep 17 00:00:00 2001
From: david-rocca
Date: Thu, 24 Oct 2024 14:20:38 -0400
Subject: [PATCH 1/2] Migrate to the 5.1.1 schemas
---
src/constants/index.js | 4 +-
.../cve.controller/cve.middleware.js | 4 +-
src/middleware/middleware.js | 2 +-
.../5.1.1_published_cna_container.json | 3173 +++++++++++++++
.../schemas/5.1.1_rejected_cna_container.json | 186 +
.../schemas/5.1_published_cna_container.json | 2496 ------------
.../schemas/5.1_rejected_cna_container.json | 188 -
.../schemas/CVE_JSON_5.1.1_bundled.json | 3521 +++++++++++++++++
.../schemas/CVE_JSON_5.1_bundled.json | 2936 --------------
src/model/cve.js | 2 +-
10 files changed, 6886 insertions(+), 5626 deletions(-)
create mode 100644 src/middleware/schemas/5.1.1_published_cna_container.json
create mode 100644 src/middleware/schemas/5.1.1_rejected_cna_container.json
delete mode 100644 src/middleware/schemas/5.1_published_cna_container.json
delete mode 100644 src/middleware/schemas/5.1_rejected_cna_container.json
create mode 100644 src/middleware/schemas/CVE_JSON_5.1.1_bundled.json
delete mode 100644 src/middleware/schemas/CVE_JSON_5.1_bundled.json
diff --git a/src/constants/index.js b/src/constants/index.js
index fb3fa2a8c..11646d007 100644
--- a/src/constants/index.js
+++ b/src/constants/index.js
@@ -1,5 +1,5 @@
 const fs = require('fs')
-const cveSchemaV5 = JSON.parse(fs.readFileSync('src/middleware/schemas/CVE_JSON_5.1_bundled.json'))
+const cveSchemaV5 = JSON.parse(fs.readFileSync('src/middleware/schemas/CVE_JSON_5.1.1_bundled.json'))
 
 /**
 * Return default values.
@@ -16,7 +16,7 @@ function getConstants () {
 * @lends defaults
 */
 const defaults = {
- SCHEMA_VERSION: '5.1',
+ SCHEMA_VERSION: '5.1.1',
 MONGOOSE_VALIDATION: {
 Org_policies_id_quota_min: 0,
 Org_policies_id_quota_min_message: 'Org.policies.id_quota cannot be a negative number.',
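Review bot: The schema bundle path is hard-coded and parsed independently in three modules — here in src/constants/index.js, and again in src/controller/cve.controller/cve.middleware.js and src/middleware/middleware.js — so this bump had to be repeated in every one of them and the SCHEMA_VERSION constant can drift from the file that is actually loaded. Consider exporting the parsed schema from constants (for example `module.exports.cveSchemaV5 = cveSchemaV5`) and requiring it from the two middleware modules, so a single place names the schema version. The added readFileSync calls also resolve 'src/middleware/schemas/...' against process.cwd(), so the service only starts correctly from the repository root; `fs.readFileSync(path.join(__dirname, '../middleware/schemas/CVE_JSON_5.1.1_bundled.json'))` would make the load independent of the working directory (needs `const path = require('path')`). The enclosing module continues outside the hunk.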
diff --git a/src/controller/cve.controller/cve.middleware.js b/src/controller/cve.controller/cve.middleware.js
index b04a5178a..8efe4063c 100644
--- a/src/controller/cve.controller/cve.middleware.js
+++ b/src/controller/cve.controller/cve.middleware.js
@@ -3,8 +3,8 @@ const errors = require('./error')
 const error = new errors.CveControllerError()
 const utils = require('../../utils/utils')
 const fs = require('fs')
-const RejectedSchema = JSON.parse(fs.readFileSync('src/middleware/schemas/5.1_rejected_cna_container.json'))
-const cnaContainerSchema = JSON.parse(fs.readFileSync('src/middleware/schemas/5.1_published_cna_container.json'))
+const RejectedSchema = JSON.parse(fs.readFileSync('src/middleware/schemas/5.1.1_rejected_cna_container.json'))
+const cnaContainerSchema = JSON.parse(fs.readFileSync('src/middleware/schemas/5.1.1_published_cna_container.json'))
 const logger = require('../../middleware/logger')
 const Ajv = require('ajv')
 const addFormats = require('ajv-formats')
diff --git a/src/middleware/middleware.js b/src/middleware/middleware.js
index 35e505103..8fbd8fc92 100644
--- a/src/middleware/middleware.js
+++ b/src/middleware/middleware.js
@@ -1,6 +1,6 @@
 const getConstants = require('../constants').getConstants
 const fs = require('fs')
-const cveSchemaV5 = JSON.parse(fs.readFileSync('src/middleware/schemas/CVE_JSON_5.1_bundled.json'))
+const cveSchemaV5 = JSON.parse(fs.readFileSync('src/middleware/schemas/CVE_JSON_5.1.1_bundled.json'))
 const argon2 = require('argon2')
 const logger = require('./logger')
 const Ajv = require('ajv')
diff --git a/src/middleware/schemas/5.1.1_published_cna_container.json b/src/middleware/schemas/5.1.1_published_cna_container.json
new file mode 100644
index 000000000..80fd7a9e8
--- /dev/null
+++ b/src/middleware/schemas/5.1.1_published_cna_container.json
@@ -0,0 +1,3173 @@ +{ + "$comment": "The character . is restricted in names allowed by patternProperties to work-around naming limitations in some common implementations.", + "$schema": "http://json-schema.org/draft-07/schema#", + "additionalProperties": false, + "definitions": { + "affected": { + "description": "List of affected products.", + "items": { + "$ref": "#/definitions/product" + }, + "minItems": 1, + "type": "array" + }, + "cnaTags": { + "description": "Tags provided by a CNA describing the CVE Record.", + "items": { + "oneOf": [ + { + "$ref": "#/definitions/tagExtension" + }, + { + "$id": "https://cve.mitre.org/cve/v5_00/tags/cna/", + "$schema": "http://json-schema.org/draft-07/schema#", + "description": "exclusively-hosted-service: All known software and/or hardware affected by this CVE Record is known to exist only in the affected hosted service. If the vulnerability affects both hosted and on-prem software and/or hardware, then the tag should not be used.\n\nunsupported-when-assigned: Used by the assigning CNA to indicate that when a request for a CVE assignment was received, the product was already end-of-life (EOL) or a product or specific version was deemed not to be supported by the vendor. 
This tag should only be applied to a CVE Record when all affected products or version lines referenced in the CVE-Record are EOL.\n\ndisputed: When one party disagrees with another party's assertion that a particular issue in software is a vulnerability, a CVE Record assigned to that issue may be tagged as being 'disputed'.", + "enum": [ + "unsupported-when-assigned", + "exclusively-hosted-service", + "disputed" + ], + "type": "string" + } + ] + }, + "minItems": 1, + "type": "array", + "uniqueItems": true + }, + "configurations": { + "description": "Configurations required for exploiting this vulnerability.", + "items": { + "$ref": "#/definitions/description" + }, + "minItems": 1, + "type": "array", + "uniqueItems": true + }, + "cpe22and23": { + "description": "Common Platform Enumeration (CPE) Name in either 2.2 or 2.3 format", + "maxLength": 2048, + "minLength": 1, + "pattern": "([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9._\\-~%]*){0,6})|(cpe:2\\.3:[aho*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){4})", + "type": "string" + }, + "cpe23": { + "description": "Common Platform Enumeration (CPE) Name in 2.3 format", + "maxLength": 2048, + "minLength": 1, + "pattern": "(cpe:2\\.3:[aho*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){4})", + "type": "string" + }, + "cpeApplicabilityElement": { + "description": "Affected products defined using an implementation of the CPE Applicability Language, mostly copied/forked from the NIST NVD CVE API v2.0 schema (optional). An operator property allows AND or OR logic between CPEs or combinations of CPEs. 
The negate and vulnerable Boolean properties allow CPEs to be inverted and/or defined as vulnerable or not. Multiple version fields are provided for capturing ranges of products when defining a CPE Match String Range. NOTE: When defining a cpeApplicability block, it is recommended that it align with (as much as possible) the product data provided within the affected block.", + "properties": { + "negate": { + "type": "boolean" + }, + "nodes": { + "items": { + "$ref": "#/definitions/cpe_node" + }, + "type": "array" + }, + "operator": { + "enum": [ + "AND", + "OR" + ], + "type": "string" + } + }, + "required": [ + "nodes" + ] + }, + "cpe_match": { + "additionalProperties": false, + "description": "CPE match string or range", + "properties": { + "criteria": { + "$ref": "#/definitions/cpe23" + }, + "matchCriteriaId": { + "$ref": "#/definitions/uuidType" + }, + "versionEndExcluding": { + "$ref": "#/definitions/version" + }, + "versionEndIncluding": { + "$ref": "#/definitions/version" + }, + "versionStartExcluding": { + "$ref": "#/definitions/version" + }, + "versionStartIncluding": { + "$ref": "#/definitions/version" + }, + "vulnerable": { + "type": "boolean" + } + }, + "required": [ + "vulnerable", + "criteria" + ], + "type": "object" + }, + "cpe_node": { + "description": "Defines a CPE configuration node in an applicability statement.", + "properties": { + "cpeMatch": { + "items": { + "$ref": "#/definitions/cpe_match" + }, + "type": "array" + }, + "negate": { + "type": "boolean" + }, + "operator": { + "enum": [ + "AND", + "OR" + ], + "type": "string" + } + }, + "required": [ + "operator", + "cpeMatch" + ] + }, + "credits": { + "description": "Statements acknowledging specific people, organizations, or tools recognizing the work done in researching, discovering, remediating or helping with activities related to this CVE.", + "items": { + "additionalProperties": false, + "properties": { + "lang": { + "$ref": "#/definitions/language", + "description": "The language used 
when describing the credits. The language field is included so that CVE Records can support translations. The value must be a BCP 47 language code." + }, + "type": { + "default": "finder", + "description": "Type or role of the entity being credited (optional). finder: identifies the vulnerability.\nreporter: notifies the vendor of the vulnerability to a CNA.\nanalyst: validates the vulnerability to ensure accuracy or severity.\ncoordinator: facilitates the coordinated response process.\nremediation developer: prepares a code change or other remediation plans.\nremediation reviewer: reviews vulnerability remediation plans or code changes for effectiveness and completeness.\nremediation verifier: tests and verifies the vulnerability or its remediation.\ntool: names of tools used in vulnerability discovery or identification.\nsponsor: supports the vulnerability identification or remediation activities.", + "enum": [ + "finder", + "reporter", + "analyst", + "coordinator", + "remediation developer", + "remediation reviewer", + "remediation verifier", + "tool", + "sponsor", + "other" + ], + "type": "string" + }, + "user": { + "$ref": "#/definitions/uuidType", + "description": "UUID of the user being credited if present in the CVE User Registry (optional). This UUID can be used to lookup the user record in the user registry service." + }, + "value": { + "maxLength": 4096, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "lang", + "value" + ], + "type": "object" + }, + "minItems": 1, + "type": "array", + "uniqueItems": true + }, + "description": { + "additionalProperties": false, + "description": "Text in a particular language with optional alternate markup or formatted representation (e.g., Markdown) or embedded media.", + "properties": { + "lang": { + "$ref": "#/definitions/language" + }, + "supportingMedia": { + "description": "Supporting media data for the description such as markdown, diagrams, .. (optional). 
Similar to RFC 2397 each media object has three main parts: media type, media data value, and an optional boolean flag to indicate if the media data is base64 encoded.", + "items": { + "additionalProperties": false, + "properties": { + "base64": { + "default": false, + "description": "If true then the value field contains the media data encoded in base64. If false then the value field contains the UTF-8 media content.", + "title": "Encoding", + "type": "boolean" + }, + "type": { + "description": "RFC2046 compliant IANA Media type for eg., text/markdown, text/html.", + "examples": [ + "text/markdown", + "text/html", + "image/png", + "image/svg", + "audio/mp3" + ], + "maxLength": 256, + "minLength": 1, + "title": "Media type", + "type": "string" + }, + "value": { + "description": "Supporting media content, up to 16K. If base64 is true, this field stores base64 encoded data.", + "maxLength": 16384, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "type", + "value" + ], + "type": "object" + }, + "minItems": 1, + "title": "Supporting media", + "type": "array", + "uniqueItems": true + }, + "value": { + "description": "Plain text description.", + "maxLength": 4096, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "lang", + "value" + ], + "type": "object" + }, + "descriptions": { + "contains": { + "$ref": "#/definitions/englishLanguageDescription" + }, + "description": "A list of multi-lingual descriptions of the vulnerability. E.g., [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]. 
OR [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] [ROOT CAUSE], which allows [ATTACKER] to [IMPACT] via [VECTOR].", + "items": { + "$ref": "#/definitions/description" + }, + "minItems": 1, + "type": "array", + "uniqueItems": true + }, + "englishLanguage": { + "description": "BCP 47 language code, language-region, required to be English.", + "pattern": "^en([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$", + "type": "string" + }, + "englishLanguageDescription": { + "$comment": "Cannot use additionalProperties: false here, as this prevents the other properties used by /definitions/description.", + "description": "A description with lang set to an English language (en, en_US, en_UK, and so on).", + "properties": { + "lang": { + "$ref": "#/definitions/englishLanguage" + } + }, + "required": [ + "lang" + ], + "type": "object" + }, + "exploits": { + "description": "Information about exploits of the vulnerability.", + "items": { + "$ref": "#/definitions/description" + }, + "minItems": 1, + "type": "array", + "uniqueItems": true + }, + "impacts": { + "description": "Collection of impacts of this vulnerability.", + "items": { + "additionalProperties": false, + "description": "This is impact type information (e.g. a text description.", + "properties": { + "capecId": { + "description": "CAPEC ID that best relates to this impact.", + "maxLength": 11, + "minLength": 7, + "pattern": "^CAPEC-[1-9][0-9]{0,4}$", + "type": "string" + }, + "descriptions": { + "$ref": "#/definitions/descriptions", + "description": "Prose description of the impact scenario. At a minimum provide the description given by CAPEC." 
+ } + }, + "required": [ + "descriptions" + ], + "type": "object" + }, + "minItems": 1, + "type": "array", + "uniqueItems": true + }, + "language": { + "default": "en", + "description": "BCP 47 language code, language-region.", + "pattern": "^[A-Za-z]{2,4}([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$", + "type": "string" + }, + "metrics": { + "description": "Collection of impact scores with attribution.", + "items": { + "additionalProperties": false, + "anyOf": [ + { + "required": [ + "cvssV4_0" + ] + }, + { + "required": [ + "cvssV3_1" + ] + }, + { + "required": [ + "cvssV3_0" + ] + }, + { + "required": [ + "cvssV2_0" + ] + }, + { + "required": [ + "other" + ] + } + ], + "description": "This is impact type information (e.g. a text description, CVSSv2, CVSSv3, CVSSV4, etc.). Must contain: At least one entry, can be text, CVSSv2, CVSSv3, others may be added.", + "properties": { + "cvssV2_0": { + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "definitions": { + "accessComplexityType": { + "enum": [ + "HIGH", + "MEDIUM", + "LOW" + ], + "type": "string" + }, + "accessVectorType": { + "enum": [ + "NETWORK", + "ADJACENT_NETWORK", + "LOCAL" + ], + "type": "string" + }, + "authenticationType": { + "enum": [ + "MULTIPLE", + "SINGLE", + "NONE" + ], + "type": "string" + }, + "ciaRequirementType": { + "enum": [ + "LOW", + "MEDIUM", + "HIGH", + "NOT_DEFINED" + ], + "type": "string" + }, + "ciaType": { + "enum": [ + "NONE", + "PARTIAL", + "COMPLETE" + ], + "type": "string" + }, + "collateralDamagePotentialType": { + "enum": [ + "NONE", + "LOW", + "LOW_MEDIUM", + "MEDIUM_HIGH", + "HIGH", + "NOT_DEFINED" + ], + "type": "string" + }, + "exploitabilityType": { + "enum": [ + "UNPROVEN", + "PROOF_OF_CONCEPT", + "FUNCTIONAL", + "HIGH", + "NOT_DEFINED" + ], + "type": "string" + }, + "remediationLevelType": { + "enum": [ + "OFFICIAL_FIX", + "TEMPORARY_FIX", + "WORKAROUND", + "UNAVAILABLE", + "NOT_DEFINED" + ], + "type": "string" + }, + 
"reportConfidenceType": { + "enum": [ + "UNCONFIRMED", + "UNCORROBORATED", + "CONFIRMED", + "NOT_DEFINED" + ], + "type": "string" + }, + "scoreType": { + "maximum": 10, + "minimum": 0, + "type": "number" + }, + "targetDistributionType": { + "enum": [ + "NONE", + "LOW", + "MEDIUM", + "HIGH", + "NOT_DEFINED" + ], + "type": "string" + } + }, + "properties": { + "accessComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/accessComplexityType" + }, + "accessVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/accessVectorType" + }, + "authentication": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/authenticationType" + }, + "availabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType" + }, + "availabilityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType" + }, + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType" + }, + "collateralDamagePotential": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/collateralDamagePotentialType" + }, + "confidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType" + }, + "confidentialityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType" + }, + "environmentalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType" + }, + "exploitability": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/exploitabilityType" + }, + "integrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType" + }, + "integrityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType" + }, + "remediationLevel": { + "$ref": 
"#/definitions/metrics/items/properties/cvssV2_0/definitions/remediationLevelType" + }, + "reportConfidence": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/reportConfidenceType" + }, + "targetDistribution": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/targetDistributionType" + }, + "temporalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType" + }, + "vectorString": { + "pattern": "^((AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))/)*(AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))$", + "type": "string" + }, + "version": { + "description": "CVSS Version", + "enum": [ + "2.0" + ], + "type": "string" + } + }, + "required": [ + "version", + "vectorString", + "baseScore" + ], + "title": "JSON Schema for Common Vulnerability Scoring System version 2.0", + "type": "object" + }, + "cvssV3_0": { + "$schema": "http://json-schema.org/draft-07/schema#", + "additionalProperties": false, + "anyOf": [ + { + "properties": { + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/noneScoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/noneSeverityType" + } + } + }, + { + "properties": { + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/lowScoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/lowSeverityType" + } + } + }, + { + "properties": { + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/mediumScoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/mediumSeverityType" + } + } + }, + { + "properties": { + "baseScore": { + "$ref": 
"#/definitions/metrics/items/properties/cvssV3_0/definitions/highScoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/highSeverityType" + } + } + }, + { + "properties": { + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/criticalScoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/criticalSeverityType" + } + } + } + ], + "definitions": { + "attackComplexityType": { + "enum": [ + "HIGH", + "LOW" + ], + "type": "string" + }, + "attackVectorType": { + "enum": [ + "NETWORK", + "ADJACENT_NETWORK", + "LOCAL", + "PHYSICAL" + ], + "type": "string" + }, + "ciaRequirementType": { + "enum": [ + "LOW", + "MEDIUM", + "HIGH", + "NOT_DEFINED" + ], + "type": "string" + }, + "ciaType": { + "enum": [ + "NONE", + "LOW", + "HIGH" + ], + "type": "string" + }, + "confidenceType": { + "enum": [ + "UNKNOWN", + "REASONABLE", + "CONFIRMED", + "NOT_DEFINED" + ], + "type": "string" + }, + "criticalScoreType": { + "enum": [ + 9, + 9.1, + 9.2, + 9.3, + 9.4, + 9.5, + 9.6, + 9.7, + 9.8, + 9.9, + 10 + ], + "type": "number" + }, + "criticalSeverityType": { + "const": "CRITICAL" + }, + "exploitCodeMaturityType": { + "enum": [ + "UNPROVEN", + "PROOF_OF_CONCEPT", + "FUNCTIONAL", + "HIGH", + "NOT_DEFINED" + ], + "type": "string" + }, + "highScoreType": { + "enum": [ + 7, + 7.1, + 7.2, + 7.3, + 7.4, + 7.5, + 7.6, + 7.7, + 7.8, + 7.9, + 8, + 8.1, + 8.2, + 8.3, + 8.4, + 8.5, + 8.6, + 8.7, + 8.8, + 8.9 + ], + "type": "number" + }, + "highSeverityType": { + "const": "HIGH" + }, + "lowScoreType": { + "enum": [ + 0.1, + 0.2, + 0.3, + 0.4, + 0.5, + 0.6, + 0.7, + 0.8, + 0.9, + 1, + 1.1, + 1.2, + 1.3, + 1.4, + 1.5, + 1.6, + 1.7, + 1.8, + 1.9, + 2, + 2.1, + 2.2, + 2.3, + 2.4, + 2.5, + 2.6, + 2.7, + 2.8, + 2.9, + 3, + 3.1, + 3.2, + 3.3, + 3.4, + 3.5, + 3.6, + 3.7, + 3.8, + 3.9 + ], + "type": "number" + }, + "lowSeverityType": { + "const": "LOW" + }, + "mediumScoreType": 
{ + "enum": [ + 4, + 4.1, + 4.2, + 4.3, + 4.4, + 4.5, + 4.6, + 4.7, + 4.8, + 4.9, + 5, + 5.1, + 5.2, + 5.3, + 5.4, + 5.5, + 5.6, + 5.7, + 5.8, + 5.9, + 6, + 6.1, + 6.2, + 6.3, + 6.4, + 6.5, + 6.6, + 6.7, + 6.8, + 6.9 + ], + "type": "number" + }, + "mediumSeverityType": { + "const": "MEDIUM" + }, + "modifiedAttackComplexityType": { + "enum": [ + "HIGH", + "LOW", + "NOT_DEFINED" + ], + "type": "string" + }, + "modifiedAttackVectorType": { + "enum": [ + "NETWORK", + "ADJACENT_NETWORK", + "LOCAL", + "PHYSICAL", + "NOT_DEFINED" + ], + "type": "string" + }, + "modifiedCiaType": { + "enum": [ + "NONE", + "LOW", + "HIGH", + "NOT_DEFINED" + ], + "type": "string" + }, + "modifiedPrivilegesRequiredType": { + "enum": [ + "HIGH", + "LOW", + "NONE", + "NOT_DEFINED" + ], + "type": "string" + }, + "modifiedScopeType": { + "enum": [ + "UNCHANGED", + "CHANGED", + "NOT_DEFINED" + ], + "type": "string" + }, + "modifiedUserInteractionType": { + "enum": [ + "NONE", + "REQUIRED", + "NOT_DEFINED" + ], + "type": "string" + }, + "noneScoreType": { + "maximum": 0, + "minimum": 0, + "type": "number" + }, + "noneSeverityType": { + "const": "NONE" + }, + "privilegesRequiredType": { + "enum": [ + "HIGH", + "LOW", + "NONE" + ], + "type": "string" + }, + "remediationLevelType": { + "enum": [ + "OFFICIAL_FIX", + "TEMPORARY_FIX", + "WORKAROUND", + "UNAVAILABLE", + "NOT_DEFINED" + ], + "type": "string" + }, + "scopeType": { + "enum": [ + "UNCHANGED", + "CHANGED" + ], + "type": "string" + }, + "scoreType": { + "enum": [ + 0, + 0.1, + 0.2, + 0.3, + 0.4, + 0.5, + 0.6, + 0.7, + 0.8, + 0.9, + 1, + 1.1, + 1.2, + 1.3, + 1.4, + 1.5, + 1.6, + 1.7, + 1.8, + 1.9, + 2, + 2.1, + 2.2, + 2.3, + 2.4, + 2.5, + 2.6, + 2.7, + 2.8, + 2.9, + 3, + 3.1, + 3.2, + 3.3, + 3.4, + 3.5, + 3.6, + 3.7, + 3.8, + 3.9, + 4, + 4.1, + 4.2, + 4.3, + 4.4, + 4.5, + 4.6, + 4.7, + 4.8, + 4.9, + 5, + 5.1, + 5.2, + 5.3, + 5.4, + 5.5, + 5.6, + 5.7, + 5.8, + 5.9, + 6, + 6.1, + 6.2, + 6.3, + 6.4, + 6.5, + 6.6, + 6.7, + 6.8, + 6.9, + 7, + 7.1, + 
7.2, + 7.3, + 7.4, + 7.5, + 7.6, + 7.7, + 7.8, + 7.9, + 8, + 8.1, + 8.2, + 8.3, + 8.4, + 8.5, + 8.6, + 8.7, + 8.8, + 8.9, + 9, + 9.1, + 9.2, + 9.3, + 9.4, + 9.5, + 9.6, + 9.7, + 9.8, + 9.9, + 10 + ], + "type": "number" + }, + "severityType": { + "enum": [ + "NONE", + "LOW", + "MEDIUM", + "HIGH", + "CRITICAL" + ], + "type": "string" + }, + "userInteractionType": { + "enum": [ + "NONE", + "REQUIRED" + ], + "type": "string" + } + }, + "properties": { + "attackComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/attackComplexityType" + }, + "attackVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/attackVectorType" + }, + "availabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType" + }, + "availabilityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType" + }, + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType" + }, + "confidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType" + }, + "confidentialityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType" + }, + "environmentalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType" + }, + "environmentalSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType" + }, + "exploitCodeMaturity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/exploitCodeMaturityType" + }, + "integrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType" + }, + "integrityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType" + }, + 
"modifiedAttackComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedAttackComplexityType" + }, + "modifiedAttackVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedAttackVectorType" + }, + "modifiedAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType" + }, + "modifiedConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType" + }, + "modifiedIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType" + }, + "modifiedPrivilegesRequired": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedPrivilegesRequiredType" + }, + "modifiedScope": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedScopeType" + }, + "modifiedUserInteraction": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedUserInteractionType" + }, + "privilegesRequired": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/privilegesRequiredType" + }, + "remediationLevel": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/remediationLevelType" + }, + "reportConfidence": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/confidenceType" + }, + "scope": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scopeType" + }, + "temporalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType" + }, + "temporalSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType" + }, + "userInteraction": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/userInteractionType" + }, + "vectorString": { + "pattern": 
"^CVSS:3[.]0/((AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$", + "type": "string" + }, + "version": { + "description": "CVSS Version", + "enum": [ + "3.0" + ], + "type": "string" + } + }, + "required": [ + "version", + "vectorString", + "baseScore", + "baseSeverity" + ], + "title": "JSON Schema for Common Vulnerability Scoring System version 3.0", + "type": "object" + }, + "cvssV3_1": { + "$schema": "http://json-schema.org/draft-07/schema#", + "additionalProperties": false, + "anyOf": [ + { + "properties": { + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/noneScoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/noneSeverityType" + } + } + }, + { + "properties": { + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/lowScoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/lowSeverityType" + } + } + }, + { + "properties": { + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/mediumScoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/mediumSeverityType" + } + } + }, + { + "properties": { + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/highScoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/highSeverityType" + } + } + }, + { + "properties": { + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/criticalScoreType" + }, + "baseSeverity": { + "$ref": 
"#/definitions/metrics/items/properties/cvssV3_1/definitions/criticalSeverityType" + } + } + } + ], + "definitions": { + "attackComplexityType": { + "enum": [ + "HIGH", + "LOW" + ], + "type": "string" + }, + "attackVectorType": { + "enum": [ + "NETWORK", + "ADJACENT_NETWORK", + "LOCAL", + "PHYSICAL" + ], + "type": "string" + }, + "ciaRequirementType": { + "enum": [ + "LOW", + "MEDIUM", + "HIGH", + "NOT_DEFINED" + ], + "type": "string" + }, + "ciaType": { + "enum": [ + "NONE", + "LOW", + "HIGH" + ], + "type": "string" + }, + "confidenceType": { + "enum": [ + "UNKNOWN", + "REASONABLE", + "CONFIRMED", + "NOT_DEFINED" + ], + "type": "string" + }, + "criticalScoreType": { + "enum": [ + 9, + 9.1, + 9.2, + 9.3, + 9.4, + 9.5, + 9.6, + 9.7, + 9.8, + 9.9, + 10 + ], + "type": "number" + }, + "criticalSeverityType": { + "const": "CRITICAL" + }, + "exploitCodeMaturityType": { + "enum": [ + "UNPROVEN", + "PROOF_OF_CONCEPT", + "FUNCTIONAL", + "HIGH", + "NOT_DEFINED" + ], + "type": "string" + }, + "highScoreType": { + "enum": [ + 7, + 7.1, + 7.2, + 7.3, + 7.4, + 7.5, + 7.6, + 7.7, + 7.8, + 7.9, + 8, + 8.1, + 8.2, + 8.3, + 8.4, + 8.5, + 8.6, + 8.7, + 8.8, + 8.9 + ], + "type": "number" + }, + "highSeverityType": { + "const": "HIGH" + }, + "lowScoreType": { + "enum": [ + 0.1, + 0.2, + 0.3, + 0.4, + 0.5, + 0.6, + 0.7, + 0.8, + 0.9, + 1, + 1.1, + 1.2, + 1.3, + 1.4, + 1.5, + 1.6, + 1.7, + 1.8, + 1.9, + 2, + 2.1, + 2.2, + 2.3, + 2.4, + 2.5, + 2.6, + 2.7, + 2.8, + 2.9, + 3, + 3.1, + 3.2, + 3.3, + 3.4, + 3.5, + 3.6, + 3.7, + 3.8, + 3.9 + ], + "type": "number" + }, + "lowSeverityType": { + "const": "LOW" + }, + "mediumScoreType": { + "enum": [ + 4, + 4.1, + 4.2, + 4.3, + 4.4, + 4.5, + 4.6, + 4.7, + 4.8, + 4.9, + 5, + 5.1, + 5.2, + 5.3, + 5.4, + 5.5, + 5.6, + 5.7, + 5.8, + 5.9, + 6, + 6.1, + 6.2, + 6.3, + 6.4, + 6.5, + 6.6, + 6.7, + 6.8, + 6.9 + ], + "type": "number" + }, + "mediumSeverityType": { + "const": "MEDIUM" + }, + "modifiedAttackComplexityType": { + "enum": [ + "HIGH", + "LOW", + 
"NOT_DEFINED" + ], + "type": "string" + }, + "modifiedAttackVectorType": { + "enum": [ + "NETWORK", + "ADJACENT_NETWORK", + "LOCAL", + "PHYSICAL", + "NOT_DEFINED" + ], + "type": "string" + }, + "modifiedCiaType": { + "enum": [ + "NONE", + "LOW", + "HIGH", + "NOT_DEFINED" + ], + "type": "string" + }, + "modifiedPrivilegesRequiredType": { + "enum": [ + "HIGH", + "LOW", + "NONE", + "NOT_DEFINED" + ], + "type": "string" + }, + "modifiedScopeType": { + "enum": [ + "UNCHANGED", + "CHANGED", + "NOT_DEFINED" + ], + "type": "string" + }, + "modifiedUserInteractionType": { + "enum": [ + "NONE", + "REQUIRED", + "NOT_DEFINED" + ], + "type": "string" + }, + "noneScoreType": { + "maximum": 0, + "minimum": 0, + "type": "number" + }, + "noneSeverityType": { + "const": "NONE" + }, + "privilegesRequiredType": { + "enum": [ + "HIGH", + "LOW", + "NONE" + ], + "type": "string" + }, + "remediationLevelType": { + "enum": [ + "OFFICIAL_FIX", + "TEMPORARY_FIX", + "WORKAROUND", + "UNAVAILABLE", + "NOT_DEFINED" + ], + "type": "string" + }, + "scopeType": { + "enum": [ + "UNCHANGED", + "CHANGED" + ], + "type": "string" + }, + "scoreType": { + "enum": [ + 0, + 0.1, + 0.2, + 0.3, + 0.4, + 0.5, + 0.6, + 0.7, + 0.8, + 0.9, + 1, + 1.1, + 1.2, + 1.3, + 1.4, + 1.5, + 1.6, + 1.7, + 1.8, + 1.9, + 2, + 2.1, + 2.2, + 2.3, + 2.4, + 2.5, + 2.6, + 2.7, + 2.8, + 2.9, + 3, + 3.1, + 3.2, + 3.3, + 3.4, + 3.5, + 3.6, + 3.7, + 3.8, + 3.9, + 4, + 4.1, + 4.2, + 4.3, + 4.4, + 4.5, + 4.6, + 4.7, + 4.8, + 4.9, + 5, + 5.1, + 5.2, + 5.3, + 5.4, + 5.5, + 5.6, + 5.7, + 5.8, + 5.9, + 6, + 6.1, + 6.2, + 6.3, + 6.4, + 6.5, + 6.6, + 6.7, + 6.8, + 6.9, + 7, + 7.1, + 7.2, + 7.3, + 7.4, + 7.5, + 7.6, + 7.7, + 7.8, + 7.9, + 8, + 8.1, + 8.2, + 8.3, + 8.4, + 8.5, + 8.6, + 8.7, + 8.8, + 8.9, + 9, + 9.1, + 9.2, + 9.3, + 9.4, + 9.5, + 9.6, + 9.7, + 9.8, + 9.9, + 10 + ], + "type": "number" + }, + "severityType": { + "enum": [ + "NONE", + "LOW", + "MEDIUM", + "HIGH", + "CRITICAL" + ], + "type": "string" + }, + "userInteractionType": { 
+ "enum": [ + "NONE", + "REQUIRED" + ], + "type": "string" + } + }, + "properties": { + "attackComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/attackComplexityType" + }, + "attackVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/attackVectorType" + }, + "availabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType" + }, + "availabilityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType" + }, + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType" + }, + "confidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType" + }, + "confidentialityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType" + }, + "environmentalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType" + }, + "environmentalSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType" + }, + "exploitCodeMaturity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/exploitCodeMaturityType" + }, + "integrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType" + }, + "integrityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType" + }, + "modifiedAttackComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedAttackComplexityType" + }, + "modifiedAttackVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedAttackVectorType" + }, + "modifiedAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType" 
+ }, + "modifiedConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType" + }, + "modifiedIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType" + }, + "modifiedPrivilegesRequired": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedPrivilegesRequiredType" + }, + "modifiedScope": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedScopeType" + }, + "modifiedUserInteraction": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedUserInteractionType" + }, + "privilegesRequired": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/privilegesRequiredType" + }, + "remediationLevel": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/remediationLevelType" + }, + "reportConfidence": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/confidenceType" + }, + "scope": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scopeType" + }, + "temporalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType" + }, + "temporalSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType" + }, + "userInteraction": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/userInteractionType" + }, + "vectorString": { + "pattern": "^CVSS:3[.]1/((AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$", + "type": "string" + }, + "version": { + "description": "CVSS Version", + "enum": [ + "3.1" + ], + "type": "string" + } + }, + "required": [ + "version", 
+ "vectorString", + "baseScore", + "baseSeverity" + ], + "title": "JSON Schema for Common Vulnerability Scoring System version 3.1", + "type": "object" + }, + "cvssV4_0": { + "$schema": "http://json-schema.org/draft-07/schema#", + "additionalProperties": false, + "allOf": [ + { + "anyOf": [ + { + "properties": { + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType" + } + } + }, + { + "properties": { + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowScoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowSeverityType" + } + } + }, + { + "properties": { + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumScoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumSeverityType" + } + } + }, + { + "properties": { + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highScoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highSeverityType" + } + } + }, + { + "properties": { + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalScoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalSeverityType" + } + } + } + ] + }, + { + "anyOf": [ + { + "properties": { + "threatScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType" + }, + "threatSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType" + } + } + }, + { + "properties": { + "threatScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowScoreType" + }, + "threatSeverity": { + 
"$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowSeverityType" + } + } + }, + { + "properties": { + "threatScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumScoreType" + }, + "threatSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumSeverityType" + } + } + }, + { + "properties": { + "threatScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highScoreType" + }, + "threatSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highSeverityType" + } + } + }, + { + "properties": { + "threatScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalScoreType" + }, + "threatSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalSeverityType" + } + } + } + ] + }, + { + "anyOf": [ + { + "properties": { + "environmentalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType" + }, + "environmentalSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType" + } + } + }, + { + "properties": { + "environmentalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowScoreType" + }, + "environmentalSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowSeverityType" + } + } + }, + { + "properties": { + "environmentalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumScoreType" + }, + "environmentalSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumSeverityType" + } + } + }, + { + "properties": { + "environmentalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highScoreType" + }, + "environmentalSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highSeverityType" + } + } + }, + { + 
"properties": { + "environmentalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalScoreType" + }, + "environmentalSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalSeverityType" + } + } + } + ] + } + ], + "definitions": { + "attackComplexityType": { + "enum": [ + "HIGH", + "LOW" + ], + "type": "string" + }, + "attackRequirementsType": { + "enum": [ + "NONE", + "PRESENT" + ], + "type": "string" + }, + "attackVectorType": { + "enum": [ + "NETWORK", + "ADJACENT", + "LOCAL", + "PHYSICAL" + ], + "type": "string" + }, + "automatableType": { + "default": "NOT_DEFINED", + "enum": [ + "NO", + "YES", + "NOT_DEFINED" + ], + "type": "string" + }, + "ciaRequirementType": { + "default": "NOT_DEFINED", + "enum": [ + "LOW", + "MEDIUM", + "HIGH", + "NOT_DEFINED" + ], + "type": "string" + }, + "criticalScoreType": { + "enum": [ + 9, + 9.1, + 9.2, + 9.3, + 9.4, + 9.5, + 9.6, + 9.7, + 9.8, + 9.9, + 10 + ], + "type": "number" + }, + "criticalSeverityType": { + "const": "CRITICAL" + }, + "exploitMaturityType": { + "default": "NOT_DEFINED", + "enum": [ + "UNREPORTED", + "PROOF_OF_CONCEPT", + "ATTACKED", + "NOT_DEFINED" + ], + "type": "string" + }, + "highScoreType": { + "enum": [ + 7, + 7.1, + 7.2, + 7.3, + 7.4, + 7.5, + 7.6, + 7.7, + 7.8, + 7.9, + 8, + 8.1, + 8.2, + 8.3, + 8.4, + 8.5, + 8.6, + 8.7, + 8.8, + 8.9 + ], + "type": "number" + }, + "highSeverityType": { + "const": "HIGH" + }, + "lowScoreType": { + "enum": [ + 0.1, + 0.2, + 0.3, + 0.4, + 0.5, + 0.6, + 0.7, + 0.8, + 0.9, + 1, + 1.1, + 1.2, + 1.3, + 1.4, + 1.5, + 1.6, + 1.7, + 1.8, + 1.9, + 2, + 2.1, + 2.2, + 2.3, + 2.4, + 2.5, + 2.6, + 2.7, + 2.8, + 2.9, + 3, + 3.1, + 3.2, + 3.3, + 3.4, + 3.5, + 3.6, + 3.7, + 3.8, + 3.9 + ], + "type": "number" + }, + "lowSeverityType": { + "const": "LOW" + }, + "mediumScoreType": { + "enum": [ + 4, + 4.1, + 4.2, + 4.3, + 4.4, + 4.5, + 4.6, + 4.7, + 4.8, + 4.9, + 5, + 5.1, + 5.2, + 5.3, + 5.4, + 5.5, + 5.6, + 5.7, + 
5.8, + 5.9, + 6, + 6.1, + 6.2, + 6.3, + 6.4, + 6.5, + 6.6, + 6.7, + 6.8, + 6.9 + ], + "type": "number" + }, + "mediumSeverityType": { + "const": "MEDIUM" + }, + "modifiedAttackComplexityType": { + "default": "NOT_DEFINED", + "enum": [ + "HIGH", + "LOW", + "NOT_DEFINED" + ], + "type": "string" + }, + "modifiedAttackRequirementsType": { + "default": "NOT_DEFINED", + "enum": [ + "NONE", + "PRESENT", + "NOT_DEFINED" + ], + "type": "string" + }, + "modifiedAttackVectorType": { + "default": "NOT_DEFINED", + "enum": [ + "NETWORK", + "ADJACENT", + "LOCAL", + "PHYSICAL", + "NOT_DEFINED" + ], + "type": "string" + }, + "modifiedPrivilegesRequiredType": { + "default": "NOT_DEFINED", + "enum": [ + "HIGH", + "LOW", + "NONE", + "NOT_DEFINED" + ], + "type": "string" + }, + "modifiedSubCType": { + "default": "NOT_DEFINED", + "enum": [ + "NONE", + "LOW", + "HIGH", + "NOT_DEFINED" + ], + "type": "string" + }, + "modifiedSubIaType": { + "default": "NOT_DEFINED", + "enum": [ + "NONE", + "LOW", + "HIGH", + "SAFETY", + "NOT_DEFINED" + ], + "type": "string" + }, + "modifiedUserInteractionType": { + "default": "NOT_DEFINED", + "enum": [ + "NONE", + "PASSIVE", + "ACTIVE", + "NOT_DEFINED" + ], + "type": "string" + }, + "modifiedVulnCiaType": { + "default": "NOT_DEFINED", + "enum": [ + "NONE", + "LOW", + "HIGH", + "NOT_DEFINED" + ], + "type": "string" + }, + "noneScoreType": { + "maximum": 0, + "minimum": 0, + "type": "number" + }, + "noneSeverityType": { + "const": "NONE" + }, + "privilegesRequiredType": { + "enum": [ + "HIGH", + "LOW", + "NONE" + ], + "type": "string" + }, + "providerUrgencyType": { + "default": "NOT_DEFINED", + "enum": [ + "CLEAR", + "GREEN", + "AMBER", + "RED", + "NOT_DEFINED" + ], + "type": "string" + }, + "recoveryType": { + "default": "NOT_DEFINED", + "enum": [ + "AUTOMATIC", + "USER", + "IRRECOVERABLE", + "NOT_DEFINED" + ], + "type": "string" + }, + "safetyType": { + "default": "NOT_DEFINED", + "enum": [ + "NEGLIGIBLE", + "PRESENT", + "NOT_DEFINED" + ], + "type": 
"string" + }, + "scoreType": { + "enum": [ + 0, + 0.1, + 0.2, + 0.3, + 0.4, + 0.5, + 0.6, + 0.7, + 0.8, + 0.9, + 1, + 1.1, + 1.2, + 1.3, + 1.4, + 1.5, + 1.6, + 1.7, + 1.8, + 1.9, + 2, + 2.1, + 2.2, + 2.3, + 2.4, + 2.5, + 2.6, + 2.7, + 2.8, + 2.9, + 3, + 3.1, + 3.2, + 3.3, + 3.4, + 3.5, + 3.6, + 3.7, + 3.8, + 3.9, + 4, + 4.1, + 4.2, + 4.3, + 4.4, + 4.5, + 4.6, + 4.7, + 4.8, + 4.9, + 5, + 5.1, + 5.2, + 5.3, + 5.4, + 5.5, + 5.6, + 5.7, + 5.8, + 5.9, + 6, + 6.1, + 6.2, + 6.3, + 6.4, + 6.5, + 6.6, + 6.7, + 6.8, + 6.9, + 7, + 7.1, + 7.2, + 7.3, + 7.4, + 7.5, + 7.6, + 7.7, + 7.8, + 7.9, + 8, + 8.1, + 8.2, + 8.3, + 8.4, + 8.5, + 8.6, + 8.7, + 8.8, + 8.9, + 9, + 9.1, + 9.2, + 9.3, + 9.4, + 9.5, + 9.6, + 9.7, + 9.8, + 9.9, + 10 + ], + "type": "number" + }, + "severityType": { + "enum": [ + "NONE", + "LOW", + "MEDIUM", + "HIGH", + "CRITICAL" + ], + "type": "string" + }, + "subCiaType": { + "enum": [ + "NONE", + "LOW", + "HIGH" + ], + "type": "string" + }, + "userInteractionType": { + "enum": [ + "NONE", + "PASSIVE", + "ACTIVE" + ], + "type": "string" + }, + "valueDensityType": { + "default": "NOT_DEFINED", + "enum": [ + "DIFFUSE", + "CONCENTRATED", + "NOT_DEFINED" + ], + "type": "string" + }, + "vulnCiaType": { + "enum": [ + "NONE", + "LOW", + "HIGH" + ], + "type": "string" + }, + "vulnerabilityResponseEffortType": { + "default": "NOT_DEFINED", + "enum": [ + "LOW", + "MODERATE", + "HIGH", + "NOT_DEFINED" + ], + "type": "string" + } + }, + "properties": { + "Automatable": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/automatableType" + }, + "Recovery": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/recoveryType" + }, + "Safety": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/safetyType" + }, + "attackComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/attackComplexityType" + }, + "attackRequirements": { + "$ref": 
"#/definitions/metrics/items/properties/cvssV4_0/definitions/attackRequirementsType" + }, + "attackVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/attackVectorType" + }, + "availabilityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType" + }, + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/scoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/severityType" + }, + "confidentialityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType" + }, + "exploitMaturity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/exploitMaturityType" + }, + "integrityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType" + }, + "modifiedAttackComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackComplexityType" + }, + "modifiedAttackRequirements": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackRequirementsType" + }, + "modifiedAttackVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackVectorType" + }, + "modifiedPrivilegesRequired": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedPrivilegesRequiredType" + }, + "modifiedSubAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubIaType" + }, + "modifiedSubConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubCType" + }, + "modifiedSubIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubIaType" + }, + "modifiedUserInteraction": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedUserInteractionType" + 
}, + "modifiedVulnAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType" + }, + "modifiedVulnConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType" + }, + "modifiedVulnIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType" + }, + "privilegesRequired": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/privilegesRequiredType" + }, + "providerUrgency": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/providerUrgencyType" + }, + "subAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType" + }, + "subConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType" + }, + "subIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType" + }, + "userInteraction": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/userInteractionType" + }, + "valueDensity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/valueDensityType" + }, + "vectorString": { + "pattern": "^CVSS:4[.]0/AV:[NALP]/AC:[LH]/AT:[NP]/PR:[NLH]/UI:[NPA]/VC:[HLN]/VI:[HLN]/VA:[HLN]/SC:[HLN]/SI:[HLN]/SA:[HLN](/E:[XAPU])?(/CR:[XHML])?(/IR:[XHML])?(/AR:[XHML])?(/MAV:[XNALP])?(/MAC:[XLH])?(/MAT:[XNP])?(/MPR:[XNLH])?(/MUI:[XNPA])?(/MVC:[XNLH])?(/MVI:[XNLH])?(/MVA:[XNLH])?(/MSC:[XNLH])?(/MSI:[XNLHS])?(/MSA:[XNLHS])?(/S:[XNP])?(/AU:[XNY])?(/R:[XAUI])?(/V:[XDC])?(/RE:[XLMH])?(/U:(X|Clear|Green|Amber|Red))?$", + "type": "string" + }, + "version": { + "description": "CVSS Version", + "enum": [ + "4.0" + ], + "type": "string" + }, + "vulnAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType" + }, + "vulnConfidentialityImpact": { + "$ref": 
"#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType" + }, + "vulnIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType" + }, + "vulnerabilityResponseEffort": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnerabilityResponseEffortType" + } + }, + "required": [ + "version", + "vectorString", + "baseScore", + "baseSeverity" + ], + "title": "JSON Schema for Common Vulnerability Scoring System version 4.0", + "type": "object" + }, + "format": { + "description": "Name of the scoring format. This provides a bit of future proofing. Additional properties are not prohibited, so this will support the inclusion of proprietary formats. It also provides an easy future conversion mechanism when future score formats become part of the schema. example: cvssV44, format = 'cvssV44', other = cvssV4_4 JSON object. In the future, the other properties can be converted to score properties when they become part of the schema.", + "maxLength": 64, + "minLength": 1, + "type": "string" + }, + "other": { + "additionalProperties": false, + "description": "A non-standard impact description, may be prose or JSON block.", + "properties": { + "content": { + "$comment": "additionalProperties are allowed here, since this construct supports arbitrary JSON.", + "description": "JSON object not covered by another metrics format.", + "minProperties": 1, + "type": "object" + }, + "type": { + "description": "Name of the non-standard impact metrics format used.", + "maxLength": 128, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "type", + "content" + ], + "type": "object" + }, + "scenarios": { + "description": "Description of the scenarios this metrics object applies to. 
If no specific scenario is given, GENERAL is used as the default and applies when no more specific metric matches.", + "items": { + "additionalProperties": false, + "properties": { + "lang": { + "$ref": "#/definitions/language" + }, + "value": { + "default": "GENERAL", + "description": "Description of the scenario this metrics object applies to. If no specific scenario is given, GENERAL is used as the default and applies when no more specific metric matches.", + "maxLength": 4096, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "lang", + "value" + ], + "type": "object" + }, + "minItems": 1, + "type": "array", + "uniqueItems": true + } + }, + "type": "object" + }, + "minItems": 1, + "type": "array", + "uniqueItems": true + }, + "orgId": { + "$ref": "#/definitions/uuidType", + "description": "A UUID for an organization participating in the CVE program. This UUID can be used to lookup the organization record in the user registry service." + }, + "problemTypes": { + "description": "This is problem type information (e.g. CWE identifier). Must contain: At least one entry, can be text, OWASP, CWE, please note that while only one is required you can use more than one (or indeed all three) as long as they are correct). 
(CNA requirement: [PROBLEMTYPE]).", + "items": { + "additionalProperties": false, + "properties": { + "descriptions": { + "items": { + "additionalProperties": false, + "properties": { + "cweId": { + "description": "CWE ID of the CWE that best describes this problemType entry.", + "maxLength": 9, + "minLength": 5, + "pattern": "^CWE-[1-9][0-9]*$", + "type": "string" + }, + "description": { + "description": "Text description of problemType, or title from CWE or OWASP.", + "maxLength": 4096, + "minLength": 1, + "type": "string" + }, + "lang": { + "$ref": "#/definitions/language" + }, + "references": { + "$ref": "#/definitions/references" + }, + "type": { + "description": "Problemtype source, text, OWASP, CWE, etc.,", + "maxLength": 128, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "lang", + "description" + ], + "type": "object" + }, + "minItems": 1, + "type": "array", + "uniqueItems": true + } + }, + "required": [ + "descriptions" + ], + "type": "object" + }, + "minItems": 1, + "type": "array", + "uniqueItems": true + }, + "product": { + "allOf": [ + { + "anyOf": [ + { + "required": [ + "vendor", + "product" + ] + }, + { + "required": [ + "collectionURL", + "packageName" + ] + } + ] + }, + { + "anyOf": [ + { + "required": [ + "versions" + ] + }, + { + "required": [ + "defaultStatus" + ] + } + ] + } + ], + "description": "Provides information about the set of products and services affected by this vulnerability.", + "properties": { + "collectionURL": { + "$ref": "#/definitions/uriType", + "description": "URL identifying a package collection (determines the meaning of packageName).", + "examples": [ + "https://access.redhat.com/downloads/content/package-browser", + "https://addons.mozilla.org", + "https://addons.thunderbird.net", + "https://anaconda.org/anaconda/repo", + "https://app.vagrantup.com/boxes/search", + "https://apps.apple.com", + "https://archlinux.org/packages", + "https://atmospherejs.meteor.com", + "https://atom.io/packages", + 
"https://bitbucket.org", + "https://bower.io", + "https://brew.sh/", + "https://chocolatey.org/packages", + "https://chrome.google.com/webstore", + "https://clojars.org", + "https://cocoapods.org", + "https://code.dlang.org", + "https://conan.io/center", + "https://cpan.org/modules", + "https://cran.r-project.org", + "https://crates.io", + "https://ctan.org/pkg", + "https://drupal.org", + "https://exchange.adobe.com", + "https://forge.puppet.com/modules", + "https://github.com", + "https://gitlab.com/explore", + "https://golang.org/pkg", + "https://guix.gnu.org/packages", + "https://hackage.haskell.org", + "https://helm.sh", + "https://hub.docker.com", + "https://juliahub.com", + "https://lib.haxe.org", + "https://luarocks.org", + "https://marketplace.visualstudio.com", + "https://melpa.org", + "https://microsoft.com/en-us/store/apps", + "https://nimble.directory", + "https://nuget.org/packages", + "https://opam.ocaml.org/packages", + "https://openwrt.org/packages/index", + "https://package.elm-lang.org", + "https://packagecontrol.io", + "https://packages.debian.org", + "https://packages.gentoo.org", + "https://packagist.org", + "https://pear.php.net/packages.php", + "https://pecl.php.net", + "https://platformio.org/lib", + "https://play.google.com/store", + "https://plugins.gradle.org", + "https://projects.eclipse.org", + "https://pub.dev", + "https://pypi.python.org", + "https://registry.npmjs.org", + "https://registry.terraform.io", + "https://repo.hex.pm", + "https://repo.maven.apache.org/maven2", + "https://rubygems.org", + "https://search.nixos.org/packages", + "https://sourceforge.net", + "https://wordpress.org/plugins" + ] + }, + "cpes": { + "description": "Affected products defined by CPE. This is an array of CPE values (vulnerable and not), we use an array so that we can make multiple statements about the same version and they are separate (if we used a JSON object we'd essentially be keying on the CPE name and they would have to overlap). 
Also, this allows things like cveDataVersion or cveDescription to be applied directly to the product entry. This also allows more complex statements such as \"Product X between versions 10.2 and 10.8\" to be put in a machine-readable format. As well since multiple statements can be used multiple branches of the same product can be defined here. NOTE: Consider using the newer cpeApplicability block for defining CPE data using the CPE Applicability Language which includes more options for defining CPE Names.", + "items": { + "$ref": "#/definitions/cpe22and23", + "description": "Common Platform Enumeration (CPE) Name in either 2.2 or 2.3 format", + "title": "CPE Name" + }, + "type": "array", + "uniqueItems": true + }, + "defaultStatus": { + "$ref": "#/definitions/status", + "description": "The default status for versions that are not otherwise listed in the versions list. If not specified, defaultStatus defaults to 'unknown'. Versions or defaultStatus may be omitted, but not both." + }, + "modules": { + "description": "A list of the affected components, features, modules, sub-components, sub-products, APIs, commands, utilities, programs, or functionalities (optional).", + "items": { + "description": "Name of the affected component, feature, module, sub-component, sub-product, API, command, utility, program, or functionality (optional).", + "maxLength": 4096, + "minLength": 1, + "type": "string" + }, + "type": "array", + "uniqueItems": true + }, + "packageName": { + "description": "Name or identifier of the affected software package as used in the package collection.", + "maxLength": 2048, + "minLength": 1, + "type": "string" + }, + "platforms": { + "description": "List of specific platforms if the vulnerability is only relevant in the context of these platforms (optional). Platforms may include execution environments, operating systems, virtualization technologies, hardware models, or computing architectures. 
The lack of this field or an empty array implies that the other fields are applicable to all relevant platforms.", + "items": { + "examples": [ + "iOS", + "Android", + "Windows", + "macOS", + "x86", + "ARM", + "64 bit", + "Big Endian", + "iPad", + "Chromebook", + "Docker", + "Model T" + ], + "maxLength": 1024, + "type": "string" + }, + "minItems": 1, + "title": "Platforms", + "type": "array", + "uniqueItems": true + }, + "product": { + "description": "Name of the affected product.", + "maxLength": 2048, + "minLength": 1, + "type": "string" + }, + "programFiles": { + "description": "A list of the affected source code files (optional).", + "items": { + "description": "Name or path or location of the affected source code file.", + "maxLength": 1024, + "minLength": 1, + "type": "string" + }, + "type": "array", + "uniqueItems": true + }, + "programRoutines": { + "description": "A list of the affected source code functions, methods, subroutines, or procedures (optional).", + "items": { + "additionalProperties": false, + "description": "An object describing program routine.", + "properties": { + "name": { + "description": "Name of the affected source code file, function, method, subroutine, or procedure.", + "maxLength": 4096, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object" + }, + "type": "array", + "uniqueItems": true + }, + "repo": { + "$ref": "#/definitions/uriType", + "description": "The URL of the source code repository, for informational purposes and/or to resolve git hash version ranges." + }, + "vendor": { + "description": "Name of the organization, project, community, individual, or user that created or maintains this product or hosted service. Can be 'N/A' if none of those apply. 
When collectionURL and packageName are used, this field may optionally represent the user or account within the package collection associated with the package.", + "maxLength": 512, + "minLength": 1, + "type": "string" + }, + "versions": { + "description": "Set of product versions or version ranges related to the vulnerability. The versions satisfy the CNA Rules [8.1.2 requirement](https://cve.mitre.org/cve/cna/rules.html#section_8-1_cve_entry_information_requirements). Versions or defaultStatus may be omitted, but not both.", + "items": { + "additionalProperties": false, + "description": "A single version or a range of versions, with vulnerability status.\n\nAn entry with only 'version' and 'status' indicates the status of a single version.\n\nOtherwise, an entry describes a range; it must include the 'versionType' property, to define the version numbering semantics in use, and 'limit', to indicate the non-inclusive upper limit of the range. The object describes the status for versions V such that 'version' <= V and V < 'limit', using the <= and < semantics defined for the specific kind of 'versionType'. 
Status changes within the range can be specified by an optional 'changes' list.\n\nThe algorithm to decide the status specified for a version V is:\n\n\tfor entry in product.versions {\n\t\tif entry.lessThan is not present and entry.lessThanOrEqual is not present and v == entry.version {\n\t\t\treturn entry.status\n\t\t}\n\t\tif (entry.lessThan is present and entry.version <= v and v < entry.lessThan) or\n\t\t (entry.lessThanOrEqual is present and entry.version <= v and v <= entry.lessThanOrEqual) { // <= and < defined by entry.versionType\n\t\t\tstatus = entry.status\n\t\t\tfor change in entry.changes {\n\t\t\t\tif change.at <= v {\n\t\t\t\t\tstatus = change.status\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn status\n\t\t}\n\t}\n\treturn product.defaultStatus\n\n.", + "oneOf": [ + { + "maxProperties": 2, + "required": [ + "version", + "status" + ] + }, + { + "maxProperties": 3, + "required": [ + "version", + "status", + "versionType" + ] + }, + { + "required": [ + "version", + "status", + "versionType", + "lessThan" + ] + }, + { + "required": [ + "version", + "status", + "versionType", + "lessThanOrEqual" + ] + } + ], + "properties": { + "changes": { + "description": "A list of status changes that take place during the range. The array should be sorted in increasing order by the 'at' field, according to the versionType, but clients must re-sort the list themselves rather than assume it is sorted.", + "items": { + "additionalProperties": false, + "description": "The start of a single status change during the range.", + "properties": { + "at": { + "$ref": "#/definitions/version", + "description": "The version at which a status change occurs." + }, + "status": { + "$ref": "#/definitions/status", + "description": "The new status in the range starting at the given version." 
+ } + }, + "required": [ + "at", + "status" + ], + "type": "object" + }, + "minItems": 1, + "type": "array", + "uniqueItems": true + }, + "lessThan": { + "$ref": "#/definitions/version", + "description": "The non-inclusive upper limit of the range. This is the least version NOT in the range. The usual version syntax is expanded to allow a pattern to end in an asterisk `(*)`, indicating an arbitrarily large number in the version ordering. For example, `{version: 1.0 lessThan: 1.*}` would describe the entire 1.X branch for most range kinds, and `{version: 2.0, lessThan: *}` describes all versions starting at 2.0, including 3.0, 5.1, and so on. Only one of lessThan and lessThanOrEqual should be specified." + }, + "lessThanOrEqual": { + "$ref": "#/definitions/version", + "description": "The inclusive upper limit of the range. This is the greatest version contained in the range. Only one of lessThan and lessThanOrEqual should be specified. For example, `{version: 1.0, lessThanOrEqual: 1.3}` covers all versions from 1.0 up to and including 1.3." + }, + "status": { + "$ref": "#/definitions/status", + "description": "The vulnerability status for the version or range of versions. For a range, the status may be refined by the 'changes' list." + }, + "version": { + "$ref": "#/definitions/version", + "description": "The single version being described, or the version at the start of the range. By convention, typically 0 denotes the earliest possible version." + }, + "versionType": { + "description": "The version numbering system used for specifying the range. This defines the exact semantics of the comparison (less-than) operation on versions, which is required to understand the range itself. 'Custom' indicates that the version type is unspecified and should be avoided whenever possible. 
It is included primarily for use in conversion of older data files.", + "examples": [ + "custom", + "git", + "maven", + "python", + "rpm", + "semver" + ], + "maxLength": 128, + "minLength": 1, + "type": "string" + } + }, + "type": "object" + }, + "minItems": 1, + "type": "array", + "uniqueItems": true + } + }, + "type": "object" + }, + "providerMetadata": { + "additionalProperties": false, + "description": "Details related to the information container provider (CNA or ADP).", + "properties": { + "dateUpdated": { + "$ref": "#/definitions/timestamp", + "description": "Timestamp to be set by the system of record at time of submission. If dateUpdated is provided to the system of record it will be replaced by the current timestamp at the time of submission." + }, + "orgId": { + "$ref": "#/definitions/orgId", + "description": "The container provider's organizational UUID." + }, + "shortName": { + "$ref": "#/definitions/shortName", + "description": "The container provider's organizational short name." 
+ } + }, + "required": [ + "orgId" + ], + "type": "object" + }, + "reference": { + "additionalProperties": false, + "properties": { + "name": { + "description": "User created name for the reference, often the title of the page.", + "maxLength": 512, + "minLength": 1, + "type": "string" + }, + "tags": { + "description": "An array of one or more tags that describe the resource referenced by 'url'.", + "items": { + "oneOf": [ + { + "$ref": "#/definitions/tagExtension" + }, + { + "$id": "https://cve.mitre.org/cve/v5_00/tags/reference/", + "$schema": "http://json-schema.org/draft-07/schema#", + "description": "broken-link: The reference link is returning a 404 error, or the site is no longer online.\n\ncustomer-entitlement: Similar to Privileges Required, but specific to references that require non-public/paid access for customers of the particular vendor.\n\nexploit: Reference contains an in-depth/detailed description of steps to exploit a vulnerability OR the reference contains any legitimate Proof of Concept (PoC) code or exploit kit.\n\ngovernment-resource: All reference links that are from a government agency or organization should be given the Government Resource tag.\n\nissue-tracking: The reference is a post from a bug tracking tool such as MantisBT, Bugzilla, JIRA, Github Issues, etc...\n\nmailing-list: The reference is from a mailing list -- often specific to a product or vendor.\n\nmitigation: The reference contains information on steps to mitigate against the vulnerability in the event a patch can't be applied or is unavailable or for EOL product situations.\n\nnot-applicable: The reference link is not applicable to the vulnerability and was likely associated by MITRE accidentally (should be used sparingly).\n\npatch: The reference contains an update to the software that fixes the vulnerability.\n\npermissions-required: The reference link provided is blocked by a logon page. 
If credentials are required to see any information this tag must be applied.\n\nmedia-coverage: The reference is from a media outlet such as a newspaper, magazine, social media, or weblog. This tag is not intended to apply to any individual's personal social media account. It is strictly intended for public media entities.\n\nproduct: A reference appropriate for describing a product for the purpose of CPE or SWID.\n\nrelated: A reference that is for a related (but not the same) vulnerability.\n\nrelease-notes: The reference is in the format of a vendor or open source project's release notes or change log.\n\nsignature: The reference contains a method to detect or prevent the presence or exploitation of the vulnerability.\n\ntechnical-description: The reference contains in-depth technical information about a vulnerability and its exploitation process, typically in the form of a presentation or whitepaper.\n\nthird-party-advisory: Advisory is from an organization that is not the vulnerable product's vendor/publisher/maintainer.\n\nvendor-advisory: Advisory is from the vendor/publisher/maintainer of the product or the parent organization.\n\nvdb-entry: VDBs are loosely defined as sites that provide information about this vulnerability, such as advisories, with identifiers. Included VDBs are free to access, substantially public, and have broad scope and coverage (not limited to a single vendor or research organization). 
See: https://www.first.org/global/sigs/vrdx/vdb-catalog", + "enum": [ + "broken-link", + "customer-entitlement", + "exploit", + "government-resource", + "issue-tracking", + "mailing-list", + "mitigation", + "not-applicable", + "patch", + "permissions-required", + "media-coverage", + "product", + "related", + "release-notes", + "signature", + "technical-description", + "third-party-advisory", + "vendor-advisory", + "vdb-entry" + ], + "type": "string" + } + ] + }, + "minItems": 1, + "type": "array", + "uniqueItems": true + }, + "url": { + "$ref": "#/definitions/uriType", + "description": "The uniform resource locator (URL), according to [RFC 3986](https://tools.ietf.org/html/rfc3986#section-1.1.3), that can be used to retrieve the referenced resource." + } + }, + "required": [ + "url" + ], + "type": "object" + }, + "references": { + "description": "This is reference data in the form of URLs or file objects (uuencoded and embedded within the JSON file, exact format to be decided, e.g. we may require a compressed format so the objects require unpacking before they are \"dangerous\").", + "items": { + "$ref": "#/definitions/reference" + }, + "maxItems": 512, + "minItems": 1, + "type": "array", + "uniqueItems": true + }, + "shortName": { + "description": "A 2-32 character name that can be used to complement an organization's UUID.", + "maxLength": 32, + "minLength": 2, + "type": "string" + }, + "solutions": { + "description": "Information about solutions or remediations available for this vulnerability.", + "items": { + "$ref": "#/definitions/description" + }, + "minItems": 1, + "type": "array", + "uniqueItems": true + }, + "source": { + "description": "This is the source information (who discovered it, who researched it, etc.) and optionally a chain of CNA information (e.g. 
the originating CNA and subsequent parent CNAs who have processed it before it arrives at the MITRE root).\n Must contain: IF this is in the root level it MUST contain a CNA_chain entry, IF this source entry is NOT in the root (e.g. it is part of a vendor statement) then it must contain at least one type of data entry.", + "minProperties": 1, + "type": "object" + }, + "status": { + "description": "The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.", + "enum": [ + "affected", + "unaffected", + "unknown" + ], + "type": "string" + }, + "tagExtension": { + "$comment": "These values are not used as JSON property names, so there is not a need to work-around property naming limitations in some common implementations.", + "maxLength": 128, + "minLength": 2, + "pattern": "^x_.*$", + "type": "string" + }, + "taxonomyMappings": { + "description": "List of taxonomy items related to the vulnerability.", + "items": { + "additionalProperties": false, + "description": "A taxonomy mapping object identifies the taxonomy by a name and version (eg., ATT&CK v13.1, CVSS 3.1, CWE 4.12) along with a list of relations relevant to this CVE.", + "properties": { + "taxonomyName": { + "description": "The name of the taxonomy, eg., ATT&CK, D3FEND, CWE, CVSS", + "maxLength": 128, + "minLength": 1, + "type": "string" + }, + "taxonomyRelations": { + "description": "List of relationships to the taxonomy for the vulnerability.", + "items": { + "additionalProperties": false, + "description": "A relationship between the taxonomy and the CVE or two taxonomy items.", + "properties": { + "relationshipName": { + 
"description": "A description of the relationship.", + "maxLength": 128, + "minLength": 1, + "type": "string" + }, + "relationshipValue": { + "description": "The target of the relationship. Can be the CVE ID or another taxonomy identifier.", + "maxLength": 2048, + "minLength": 1, + "type": "string" + }, + "taxonomyId": { + "description": "Identifier of the item in the taxonomy. Used as the subject of the relationship.", + "maxLength": 2048, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "taxonomyId", + "relationshipName", + "relationshipValue" + ], + "type": "object" + }, + "minItems": 1, + "type": "array", + "uniqueItems": true + }, + "taxonomyVersion": { + "description": "The version of taxonomy the identifiers come from.", + "maxLength": 128, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "taxonomyName", + "taxonomyRelations" + ], + "type": "object" + }, + "minItems": 1, + "type": "array", + "uniqueItems": true + }, + "timeline": { + "description": "This is timeline information for significant events about this vulnerability or changes to the CVE Record.", + "items": { + "additionalProperties": false, + "properties": { + "lang": { + "$ref": "#/definitions/language", + "description": "The language used in the description of the event. The language field is included so that CVE Records can support translations. The value must be a BCP 47 language code." + }, + "time": { + "$ref": "#/definitions/timestamp", + "description": "Timestamp representing when the event in the timeline occurred. The timestamp format is based on RFC3339 and ISO ISO8601, with an optional timezone. yyyy-MM-ddTHH:mm:ss[+-]ZH:ZM - if the timezone offset is not given, GMT (+00:00) is assumed." 
+ }, + "value": { + "description": "A summary of the event.", + "maxLength": 4096, + "minLength": 1, + "type": "string" + } + }, + "required": [ + "time", + "lang", + "value" + ], + "type": "object" + }, + "minItems": 1, + "type": "array", + "uniqueItems": true + }, + "timestamp": { + "description": "Date/time format based on RFC3339 and ISO ISO8601, with an optional timezone in the format 'yyyy-MM-ddTHH:mm:ss[+-]ZH:ZM'. If timezone offset is not given, GMT (+00:00) is assumed.", + "pattern": "^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})?$", + "type": "string" + }, + "uriType": { + "description": "A universal resource identifier (URI), according to [RFC 3986](https://tools.ietf.org/html/rfc3986).", + "format": "uri", + "maxLength": 2048, + "minLength": 1, + "type": "string" + }, + "uuidType": { + "description": "A version 4 (random) universally unique identifier (UUID) as defined by [RFC 4122](https://tools.ietf.org/html/rfc4122#section-4.1.3).", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$", + "type": "string" + }, + "version": { + "description": "A single version of a product, as expressed in its own version numbering scheme.", + "maxLength": 1024, + "minLength": 1, + "type": "string" + }, + "workarounds": { + "description": "Workarounds and mitigations for this vulnerability.", + "items": { + "$ref": "#/definitions/description" + }, + "minItems": 1, + "type": "array", + "uniqueItems": true + } + }, + "properties": { + "cnaContainer": { + "description": "An object containing the vulnerability information provided by a CVE Numbering Authority (CNA) for a published CVE ID. 
There can only be one CNA container per CVE record since there can only be one assigning CNA. The CNA container must include the required information defined in the CVE Rules, which includes a product, version, problem type, prose description, and a reference.", + "patternProperties": { + "^x_[^.]*$": {} + }, + "properties": { + "affected": { + "$ref": "#/definitions/affected" + }, + "configurations": { + "$ref": "#/definitions/configurations" + }, + "cpeApplicability": { + "items": { + "$ref": "#/definitions/cpeApplicabilityElement" + }, + "type": "array" + }, + "credits": { + "$ref": "#/definitions/credits" + }, + "dateAssigned": { + "$ref": "#/definitions/timestamp", + "description": "The date/time this CVE ID was associated with a vulnerability by a CNA." + }, + "datePublic": { + "$ref": "#/definitions/timestamp", + "description": "If known, the date/time the vulnerability was disclosed publicly." + }, + "descriptions": { + "$ref": "#/definitions/descriptions" + }, + "exploits": { + "$ref": "#/definitions/exploits" + }, + "impacts": { + "$ref": "#/definitions/impacts" + }, + "metrics": { + "$ref": "#/definitions/metrics" + }, + "problemTypes": { + "$ref": "#/definitions/problemTypes" + }, + "providerMetadata": { + "$ref": "#/definitions/providerMetadata" + }, + "references": { + "$ref": "#/definitions/references" + }, + "solutions": { + "$ref": "#/definitions/solutions" + }, + "source": { + "$ref": "#/definitions/source" + }, + "tags": { + "$ref": "#/definitions/cnaTags" + }, + "taxonomyMappings": { + "$ref": "#/definitions/taxonomyMappings" + }, + "timeline": { + "$ref": "#/definitions/timeline" + }, + "title": { + "description": "A title, headline, or a brief phrase summarizing the CVE record. 
Eg., Buffer overflow in Example Soft.",
+ "maxLength": 256,
+ "minLength": 1,
+ "type": "string"
+ },
+ "workarounds": {
+ "$ref": "#/definitions/workarounds"
+ }
+ }
+ }
+ },
+ "required": [
+ "cnaContainer"
+ ],
+ "title": "published_cna_container_bundled",
+ "type": "object"
+}
\ No newline at end of file
diff --git a/src/middleware/schemas/5.1.1_rejected_cna_container.json b/src/middleware/schemas/5.1.1_rejected_cna_container.json
new file mode 100644
index 000000000..389abce4c
--- /dev/null
+++ b/src/middleware/schemas/5.1.1_rejected_cna_container.json
@@ -0,0 +1,186 @@
+{
+ "$comment": "The character . is restricted in names allowed by patternProperties to work-around naming limitations in some common implementations.",
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "additionalProperties": false,
+ "definitions": {
+ "cveId": {
+ "pattern": "^CVE-[0-9]{4}-[0-9]{4,19}$",
+ "type": "string"
+ },
+ "description": {
+ "additionalProperties": false,
+ "description": "Text in a particular language with optional alternate markup or formatted representation (e.g., Markdown) or embedded media.",
+ "properties": {
+ "lang": {
+ "$ref": "#/definitions/language"
+ },
+ "supportingMedia": {
+ "description": "Supporting media data for the description such as markdown, diagrams, .. (optional). Similar to RFC 2397 each media object has three main parts: media type, media data value, and an optional boolean flag to indicate if the media data is base64 encoded.",
+ "items": {
+ "additionalProperties": false,
+ "properties": {
+ "base64": {
+ "default": false,
+ "description": "If true then the value field contains the media data encoded in base64. If false then the value field contains the UTF-8 media content.",
+ "title": "Encoding",
+ "type": "boolean"
+ },
+ "type": {
+ "description": "RFC2046 compliant IANA Media type for eg., text/markdown, text/html.",
+ "examples": [
+ "text/markdown",
+ "text/html",
+ "image/png",
+ "image/svg",
+ "audio/mp3"
+ ],
+ "maxLength": 256,
+ "minLength": 1,
+ "title": "Media type",
+ "type": "string"
+ },
+ "value": {
+ "description": "Supporting media content, up to 16K. If base64 is true, this field stores base64 encoded data.",
+ "maxLength": 16384,
+ "minLength": 1,
+ "type": "string"
+ }
+ },
+ "required": [
+ "type",
+ "value"
+ ],
+ "type": "object"
+ },
+ "minItems": 1,
+ "title": "Supporting media",
+ "type": "array",
+ "uniqueItems": true
+ },
+ "value": {
+ "description": "Plain text description.",
+ "maxLength": 4096,
+ "minLength": 1,
+ "type": "string"
+ }
+ },
+ "required": [
+ "lang",
+ "value"
+ ],
+ "type": "object"
+ },
+ "descriptions": {
+ "contains": {
+ "$ref": "#/definitions/englishLanguageDescription"
+ },
+ "description": "A list of multi-lingual descriptions of the vulnerability. E.g., [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]. OR [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] [ROOT CAUSE], which allows [ATTACKER] to [IMPACT] via [VECTOR].",
+ "items": {
+ "$ref": "#/definitions/description"
+ },
+ "minItems": 1,
+ "type": "array",
+ "uniqueItems": true
+ },
+ "englishLanguage": {
+ "description": "BCP 47 language code, language-region, required to be English.",
+ "pattern": "^en([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$",
+ "type": "string"
+ },
+ "englishLanguageDescription": {
+ "$comment": "Cannot use additionalProperties: false here, as this prevents the other properties used by /definitions/description.",
+ "description": "A description with lang set to an English language (en, en_US, en_UK, and so on).",
+ "properties": {
+ "lang": {
+ "$ref": "#/definitions/englishLanguage"
+ }
+ },
+ "required": [
+ "lang"
+ ],
+ "type": "object"
+ },
+ "language": {
+ "default": "en",
+ "description": "BCP 47 language code, language-region.",
+ "pattern": "^[A-Za-z]{2,4}([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$",
+ "type": "string"
+ },
+ "orgId": {
+ "$ref": "#/definitions/uuidType",
+ "description": "A UUID for an organization participating in the CVE program. This UUID can be used to lookup the organization record in the user registry service."
+ },
+ "providerMetadata": {
+ "additionalProperties": false,
+ "description": "Details related to the information container provider (CNA or ADP).",
+ "properties": {
+ "dateUpdated": {
+ "$ref": "#/definitions/timestamp",
+ "description": "Timestamp to be set by the system of record at time of submission. If dateUpdated is provided to the system of record it will be replaced by the current timestamp at the time of submission."
+ },
+ "orgId": {
+ "$ref": "#/definitions/orgId",
+ "description": "The container provider's organizational UUID."
+ },
+ "shortName": {
+ "$ref": "#/definitions/shortName",
+ "description": "The container provider's organizational short name."
+ }
+ },
+ "required": [
+ "orgId"
+ ],
+ "type": "object"
+ },
+ "shortName": {
+ "description": "A 2-32 character name that can be used to complement an organization's UUID.",
+ "maxLength": 32,
+ "minLength": 2,
+ "type": "string"
+ },
+ "timestamp": {
+ "description": "Date/time format based on RFC3339 and ISO ISO8601, with an optional timezone in the format 'yyyy-MM-ddTHH:mm:ss[+-]ZH:ZM'. If timezone offset is not given, GMT (+00:00) is assumed.",
+ "pattern": "^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})?$",
+ "type": "string"
+ },
+ "uuidType": {
+ "description": "A version 4 (random) universally unique identifier (UUID) as defined by [RFC 4122](https://tools.ietf.org/html/rfc4122#section-4.1.3).",
+ "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$",
+ "type": "string"
+ }
+ },
+ "properties": {
+ "cnaContainer": {
+ "description": "An object containing the vulnerability information provided by a CVE Numbering Authority (CNA) for a rejected CVE ID. There can only be one CNA container per CVE record since there can only be one assigning CNA.",
+ "patternProperties": {
+ "^x_[^.]*$": {}
+ },
+ "properties": {
+ "providerMetadata": {
+ "$ref": "#/definitions/providerMetadata"
+ },
+ "rejectedReasons": {
+ "$ref": "#/definitions/descriptions",
+ "description": "Reasons for rejecting this CVE Record."
+ },
+ "replacedBy": {
+ "description": "Contains an array of CVE IDs that this CVE ID was rejected in favor of because this CVE ID was assigned to the vulnerabilities.",
+ "items": {
+ "$ref": "#/definitions/cveId"
+ },
+ "minItems": 1,
+ "type": "array",
+ "uniqueItems": true
+ }
+ },
+ "required": [
+ "rejectedReasons"
+ ]
+ }
+ },
+ "required": [
+ "cnaContainer"
+ ],
+ "title": "CVE_JSON_cnaRejectedContainer_bundled",
+ "type": "object"
+}
\ No newline at end of file
diff --git a/src/middleware/schemas/5.1_published_cna_container.json b/src/middleware/schemas/5.1_published_cna_container.json
deleted file mode 100644
index 005dac39c..000000000
--- a/src/middleware/schemas/5.1_published_cna_container.json
+++ /dev/null
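Review bot: The `cnaContainer` object in this new rejected-container schema declares `properties`, `patternProperties` and `required` but neither `"type": "object"` nor `"additionalProperties": false`, although the document root does set `additionalProperties: false`; under draft-07 the `properties`/`required` keywords only constrain instances that are objects, so a non-object `cnaContainer`, or one carrying keys outside `properties` and the `^x_[^.]*$` extension pattern, passes this schema. Unless that leniency is intended for the container-level validator that loads this file, add `"type": "object",` beside `"patternProperties"` and, if unknown keys are meant to be rejected, `"additionalProperties": false,`; the published container's `cnaContainer` at the end of the preceding hunk has the same gap. Separately, the `timestamp` definition here carries only the `pattern`, whereas the deleted 5.1 file's `timestamp` also had `"format": "date-time"`; if dropping the format check is deliberate (the pattern already validates calendar dates and offsets), a `$comment` on the definition recording that would keep the next maintainer from re-adding it.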
@@ -1,2496 +0,0 @@ -{ - "definitions": { - "uriType": { - "description": "A universal resource identifier (URI), according to [RFC 3986](https://tools.ietf.org/html/rfc3986).", - "type": "string", - "format": "uri", - "minLength": 1, - "maxLength": 2048 - }, - "uuidType": { - "description": "A version 4 (random) universally unique identifier (UUID) as defined by [RFC 4122](https://tools.ietf.org/html/rfc4122#section-4.1.3).", - "type": "string", - "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" - }, - "reference": { - "type": "object", - "required": [ - "url" - ], - "properties": { - "url": { - "description": "The uniform resource locator (URL), according to [RFC 3986](https://tools.ietf.org/html/rfc3986#section-1.1.3), that can be used to retrieve the referenced resource.", - "$ref": "#/definitions/uriType" - }, - "name": { - "description": "User created name for the reference, often the title of the page.", - "type": "string", - "maxLength": 512, - "minLength": 1 - }, - "tags": { - "description": "An array of one or more tags that describe the resource referenced by 'url'.", - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "oneOf": [ - { - "$ref": "#/definitions/tagExtension" - }, - { - "$schema": "http://json-schema.org/draft-07/schema#", - "$id": "https://cve.mitre.org/cve/v5_00/tags/reference/", - "type": "string", - "description": "broken-link: The reference link is returning a 404 error, or the site is no longer online.\n\ncustomer-entitlement: Similar to Privileges Required, but specific to references that require non-public/paid access for customers of the particular vendor.\n\nexploit: Reference contains an in-depth/detailed description of steps to exploit a vulnerability OR the reference contains any legitimate Proof of Concept (PoC) code or exploit kit.\n\ngovernment-resource: All reference links that are from a government agency or organization should be given the Government 
Resource tag.\n\nissue-tracking: The reference is a post from a bug tracking tool such as MantisBT, Bugzilla, JIRA, Github Issues, etc...\n\nmailing-list: The reference is from a mailing list -- often specific to a product or vendor.\n\nmitigation: The reference contains information on steps to mitigate against the vulnerability in the event a patch can't be applied or is unavailable or for EOL product situations.\n\nnot-applicable: The reference link is not applicable to the vulnerability and was likely associated by MITRE accidentally (should be used sparingly).\n\npatch: The reference contains an update to the software that fixes the vulnerability.\n\npermissions-required: The reference link provided is blocked by a logon page. If credentials are required to see any information this tag must be applied.\n\nmedia-coverage: The reference is from a media outlet such as a newspaper, magazine, social media, or weblog. This tag is not intended to apply to any individual's personal social media account. 
It is strictly intended for public media entities.\n\nproduct: A reference appropriate for describing a product for the purpose of CPE or SWID.\n\nrelated: A reference that is for a related (but not the same) vulnerability.\n\nrelease-notes: The reference is in the format of a vendor or open source project's release notes or change log.\n\nsignature: The reference contains a method to detect or prevent the presence or exploitation of the vulnerability.\n\ntechnical-description: The reference contains in-depth technical information about a vulnerability and its exploitation process, typically in the form of a presentation or whitepaper.\n\nthird-party-advisory: Advisory is from an organization that is not the vulnerable product's vendor/publisher/maintainer.\n\nvendor-advisory: Advisory is from the vendor/publisher/maintainer of the product or the parent organization.\n\nvdb-entry: VDBs are loosely defined as sites that provide information about this vulnerability, such as advisories, with identifiers. Included VDBs are free to access, substantially public, and have broad scope and coverage (not limited to a single vendor or research organization). See: https://www.first.org/global/sigs/vrdx/vdb-catalog", - "enum": [ - "broken-link", - "customer-entitlement", - "exploit", - "government-resource", - "issue-tracking", - "mailing-list", - "mitigation", - "not-applicable", - "patch", - "permissions-required", - "media-coverage", - "product", - "related", - "release-notes", - "signature", - "technical-description", - "third-party-advisory", - "vendor-advisory", - "vdb-entry" - ] - } - ] - } - } - }, - "additionalProperties": false - }, - "orgId": { - "description": "A UUID for an organization participating in the CVE program. 
This UUID can be used to lookup the organization record in the user registry service.", - "$ref": "#/definitions/uuidType" - }, - "shortName": { - "description": "A 2-32 character name that can be used to complement an organization's UUID.", - "type": "string", - "minLength": 2, - "maxLength": 32 - }, - "timestamp": { - "type": "string", - "format": "date-time", - "description": "Date/time format based on RFC3339 and ISO ISO8601, with an optional timezone in the format 'yyyy-MM-ddTHH:mm:ss[+-]ZH:ZM'. If timezone offset is not given, GMT (+00:00) is assumed.", - "pattern": "^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})?$" - }, - "version": { - "description": "A single version of a product, as expressed in its own version numbering scheme.", - "type": "string", - "minLength": 1, - "maxLength": 1024 - }, - "status": { - "description": "The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. 
There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.", - "type": "string", - "enum": [ - "affected", - "unaffected", - "unknown" - ] - }, - "product": { - "type": "object", - "description": "Provides information about the set of products and services affected by this vulnerability.", - "allOf": [ - { - "anyOf": [ - { - "required": [ - "vendor", - "product" - ] - }, - { - "required": [ - "collectionURL", - "packageName" - ] - } - ] - }, - { - "anyOf": [ - { - "required": [ - "versions" - ] - }, - { - "required": [ - "defaultStatus" - ] - } - ] - } - ], - "properties": { - "vendor": { - "type": "string", - "description": "Name of the organization, project, community, individual, or user that created or maintains this product or hosted service. Can be 'N/A' if none of those apply. When collectionURL and packageName are used, this field may optionally represent the user or account within the package collection associated with the package.", - "minLength": 1, - "maxLength": 512 - }, - "product": { - "type": "string", - "description": "Name of the affected product.", - "minLength": 1, - "maxLength": 2048 - }, - "collectionURL": { - "description": "URL identifying a package collection (determines the meaning of packageName).", - "$ref": "#/definitions/uriType", - "examples": [ - "https://access.redhat.com/downloads/content/package-browser", - "https://addons.mozilla.org", - "https://addons.thunderbird.net", - "https://anaconda.org/anaconda/repo", - "https://app.vagrantup.com/boxes/search", - "https://apps.apple.com", - "https://archlinux.org/packages", - "https://atmospherejs.meteor.com", - "https://atom.io/packages", - "https://bitbucket.org", - "https://bower.io", - "https://brew.sh/", - "https://chocolatey.org/packages", - "https://chrome.google.com/webstore", - "https://clojars.org", - "https://cocoapods.org", - "https://code.dlang.org", - "https://conan.io/center", - 
"https://cpan.org/modules", - "https://cran.r-project.org", - "https://crates.io", - "https://ctan.org/pkg", - "https://drupal.org", - "https://exchange.adobe.com", - "https://forge.puppet.com/modules", - "https://github.com", - "https://gitlab.com/explore", - "https://golang.org/pkg", - "https://guix.gnu.org/packages", - "https://hackage.haskell.org", - "https://helm.sh", - "https://hub.docker.com", - "https://juliahub.com", - "https://lib.haxe.org", - "https://luarocks.org", - "https://marketplace.visualstudio.com", - "https://melpa.org", - "https://microsoft.com/en-us/store/apps", - "https://nimble.directory", - "https://nuget.org/packages", - "https://opam.ocaml.org/packages", - "https://openwrt.org/packages/index", - "https://package.elm-lang.org", - "https://packagecontrol.io", - "https://packages.debian.org", - "https://packages.gentoo.org", - "https://packagist.org", - "https://pear.php.net/packages.php", - "https://pecl.php.net", - "https://platformio.org/lib", - "https://play.google.com/store", - "https://plugins.gradle.org", - "https://projects.eclipse.org", - "https://pub.dev", - "https://pypi.python.org", - "https://registry.npmjs.org", - "https://registry.terraform.io", - "https://repo.hex.pm", - "https://repo.maven.apache.org/maven2", - "https://rubygems.org", - "https://search.nixos.org/packages", - "https://sourceforge.net", - "https://wordpress.org/plugins" - ] - }, - "packageName": { - "type": "string", - "description": "Name or identifier of the affected software package as used in the package collection.", - "minLength": 1, - "maxLength": 2048 - }, - "cpes": { - "type": "array", - "description": "Affected products defined by CPE. This is an array of CPE values (vulnerable and not), we use an array so that we can make multiple statements about the same version and they are separate (if we used a JSON object we'd essentially be keying on the CPE name and they would have to overlap). 
Also, this allows things like cveDataVersion or cveDescription to be applied directly to the product entry. This also allows more complex statements such as \"Product X between versions 10.2 and 10.8\" to be put in a machine-readable format. As well since multiple statements can be used multiple branches of the same product can be defined here.", - "uniqueItems": true, - "items": { - "title": "CPE Name", - "type": "string", - "description": "Common Platform Enumeration (CPE) Name in either 2.2 or 2.3 format", - "pattern": "([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9._\\-~%]*){0,6})|(cpe:2\\.3:[aho*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){4})", - "minLength": 1, - "maxLength": 2048 - } - }, - "modules": { - "type": "array", - "description": "A list of the affected components, features, modules, sub-components, sub-products, APIs, commands, utilities, programs, or functionalities (optional).", - "uniqueItems": true, - "items": { - "type": "string", - "description": "Name of the affected component, feature, module, sub-component, sub-product, API, command, utility, program, or functionality (optional).", - "minLength": 1, - "maxLength": 4096 - } - }, - "programFiles": { - "type": "array", - "description": "A list of the affected source code files (optional).", - "uniqueItems": true, - "items": { - "description": "Name or path or location of the affected source code file.", - "type": "string", - "minLength": 1, - "maxLength": 1024 - } - }, - "programRoutines": { - "type": "array", - "description": "A list of the affected source code functions, methods, subroutines, or procedures (optional).", - "uniqueItems": true, - "items": { - "type": "object", - "description": "An object describing program routine.", - "required": [ - "name" - ], - "properties": { - 
"name": { - "type": "string", - "description": "Name of the affected source code file, function, method, subroutine, or procedure.", - "minLength": 1, - "maxLength": 4096 - } - }, - "additionalProperties": false - } - }, - "platforms": { - "title": "Platforms", - "description": "List of specific platforms if the vulnerability is only relevant in the context of these platforms (optional). Platforms may include execution environments, operating systems, virtualization technologies, hardware models, or computing architectures. The lack of this field or an empty array implies that the other fields are applicable to all relevant platforms.", - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "string", - "examples": [ - "iOS", - "Android", - "Windows", - "macOS", - "x86", - "ARM", - "64 bit", - "Big Endian", - "iPad", - "Chromebook", - "Docker", - "Model T" - ], - "maxLength": 1024 - } - }, - "repo": { - "description": "The URL of the source code repository, for informational purposes and/or to resolve git hash version ranges.", - "$ref": "#/definitions/uriType" - }, - "defaultStatus": { - "description": "The default status for versions that are not otherwise listed in the versions list. If not specified, defaultStatus defaults to 'unknown'. Versions or defaultStatus may be omitted, but not both.", - "$ref": "#/definitions/status" - }, - "versions": { - "type": "array", - "description": "Set of product versions or version ranges related to the vulnerability. The versions satisfy the CNA Rules [8.1.2 requirement](https://cve.mitre.org/cve/cna/rules.html#section_8-1_cve_entry_information_requirements). 
Versions or defaultStatus may be omitted, but not both.", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "description": "A single version or a range of versions, with vulnerability status.\n\nAn entry with only 'version' and 'status' indicates the status of a single version.\n\nOtherwise, an entry describes a range; it must include the 'versionType' property, to define the version numbering semantics in use, and 'limit', to indicate the non-inclusive upper limit of the range. The object describes the status for versions V such that 'version' <= V and V < 'limit', using the <= and < semantics defined for the specific kind of 'versionType'. Status changes within the range can be specified by an optional 'changes' list.\n\nThe algorithm to decide the status specified for a version V is:\n\n\tfor entry in product.versions {\n\t\tif entry.lessThan is not present and entry.lessThanOrEqual is not present and v == entry.version {\n\t\t\treturn entry.status\n\t\t}\n\t\tif (entry.lessThan is present and entry.version <= v and v < entry.lessThan) or\n\t\t (entry.lessThanOrEqual is present and entry.version <= v and v <= entry.lessThanOrEqual) { // <= and < defined by entry.versionType\n\t\t\tstatus = entry.status\n\t\t\tfor change in entry.changes {\n\t\t\t\tif change.at <= v {\n\t\t\t\t\tstatus = change.status\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn status\n\t\t}\n\t}\n\treturn product.defaultStatus\n\n.", - "oneOf": [ - { - "required": [ - "version", - "status" - ], - "maxProperties": 2 - }, - { - "required": [ - "version", - "status", - "versionType" - ], - "maxProperties": 3 - }, - { - "required": [ - "version", - "status", - "versionType", - "lessThan" - ] - }, - { - "required": [ - "version", - "status", - "versionType", - "lessThanOrEqual" - ] - } - ], - "properties": { - "version": { - "description": "The single version being described, or the version at the start of the range. 
By convention, typically 0 denotes the earliest possible version.", - "$ref": "#/definitions/version" - }, - "status": { - "description": "The vulnerability status for the version or range of versions. For a range, the status may be refined by the 'changes' list.", - "$ref": "#/definitions/status" - }, - "versionType": { - "type": "string", - "description": "The version numbering system used for specifying the range. This defines the exact semantics of the comparison (less-than) operation on versions, which is required to understand the range itself. 'Custom' indicates that the version type is unspecified and should be avoided whenever possible. It is included primarily for use in conversion of older data files.", - "minLength": 1, - "maxLength": 128, - "examples": [ - "custom", - "git", - "maven", - "python", - "rpm", - "semver" - ] - }, - "lessThan": { - "description": "The non-inclusive upper limit of the range. This is the least version NOT in the range. The usual version syntax is expanded to allow a pattern to end in an asterisk `(*)`, indicating an arbitrarily large number in the version ordering. For example, `{version: 1.0 lessThan: 1.*}` would describe the entire 1.X branch for most range kinds, and `{version: 2.0, lessThan: *}` describes all versions starting at 2.0, including 3.0, 5.1, and so on. Only one of lessThan and lessThanOrEqual should be specified.", - "$ref": "#/definitions/version" - }, - "lessThanOrEqual": { - "description": "The inclusive upper limit of the range. This is the greatest version contained in the range. Only one of lessThan and lessThanOrEqual should be specified. For example, `{version: 1.0, lessThanOrEqual: 1.3}` covers all versions from 1.0 up to and including 1.3.", - "$ref": "#/definitions/version" - }, - "changes": { - "type": "array", - "description": "A list of status changes that take place during the range. 
The array should be sorted in increasing order by the 'at' field, according to the versionType, but clients must re-sort the list themselves rather than assume it is sorted.", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "description": "The start of a single status change during the range.", - "required": [ - "at", - "status" - ], - "additionalProperties": false, - "properties": { - "at": { - "description": "The version at which a status change occurs.", - "$ref": "#/definitions/version" - }, - "status": { - "description": "The new status in the range starting at the given version.", - "$ref": "#/definitions/status" - } - } - } - } - }, - "additionalProperties": false - } - } - } - }, - "providerMetadata": { - "type": "object", - "description": "Details related to the information container provider (CNA or ADP).", - "properties": { - "orgId": { - "$ref": "#/definitions/orgId", - "description": "The container provider's organizational UUID." - }, - "shortName": { - "$ref": "#/definitions/shortName", - "description": "The container provider's organizational short name." - }, - "dateUpdated": { - "$ref": "#/definitions/timestamp", - "description": "Timestamp to be set by the system of record at time of submission. If dateUpdated is provided to the system of record it will be replaced by the current timestamp at the time of submission." 
- } - }, - "required": [ - "orgId" - ], - "additionalProperties": false - }, - "affected": { - "type": "array", - "description": "List of affected products.", - "minItems": 1, - "items": { - "$ref": "#/definitions/product" - } - }, - "description": { - "type": "object", - "description": "Text in a particular language with optional alternate markup or formatted representation (e.g., Markdown) or embedded media.", - "properties": { - "lang": { - "$ref": "#/definitions/language" - }, - "value": { - "type": "string", - "description": "Plain text description.", - "minLength": 1, - "maxLength": 4096 - }, - "supportingMedia": { - "type": "array", - "title": "Supporting media", - "description": "Supporting media data for the description such as markdown, diagrams, .. (optional). Similar to RFC 2397 each media object has three main parts: media type, media data value, and an optional boolean flag to indicate if the media data is base64 encoded.", - "uniqueItems": true, - "minItems": 1, - "items": { - "type": "object", - "properties": { - "type": { - "type": "string", - "title": "Media type", - "minLength": 1, - "maxLength": 256, - "description": "RFC2046 compliant IANA Media type for eg., text/markdown, text/html.", - "examples": [ - "text/markdown", - "text/html", - "image/png", - "image/svg", - "audio/mp3" - ] - }, - "base64": { - "type": "boolean", - "title": "Encoding", - "description": "If true then the value field contains the media data encoded in base64. If false then the value field contains the UTF-8 media content.", - "default": false - }, - "value": { - "type": "string", - "description": "Supporting media content, up to 16K. 
If base64 is true, this field stores base64 encoded data.", - "minLength": 1, - "maxLength": 16384 - } - }, - "required": [ - "type", - "value" - ], - "additionalProperties": false - } - } - }, - "required": [ - "lang", - "value" - ], - "additionalProperties": false - }, - "englishLanguageDescription": { - "type": "object", - "description": "A description with lang set to an English language (en, en_US, en_UK, and so on).", - "properties": { - "lang": { - "$ref": "#/definitions/englishLanguage" - } - }, - "required": [ - "lang" - ], - "$comment": "Cannot use additionalProperties: false here, as this prevents the other properties used by /definitions/description." - }, - "descriptions": { - "type": "array", - "description": "A list of multi-lingual descriptions of the vulnerability. E.g., [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]. OR [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] [ROOT CAUSE], which allows [ATTACKER] to [IMPACT] via [VECTOR].", - "minItems": 1, - "uniqueItems": true, - "items": { - "$ref": "#/definitions/description" - }, - "contains": { - "$ref": "#/definitions/englishLanguageDescription" - } - }, - "problemTypes": { - "type": "array", - "description": "This is problem type information (e.g. CWE identifier). Must contain: At least one entry, can be text, OWASP, CWE, please note that while only one is required you can use more than one (or indeed all three) as long as they are correct). 
(CNA requirement: [PROBLEMTYPE]).", - "items": { - "type": "object", - "required": [ - "descriptions" - ], - "properties": { - "descriptions": { - "type": "array", - "items": { - "type": "object", - "required": [ - "lang", - "description" - ], - "properties": { - "lang": { - "$ref": "#/definitions/language" - }, - "description": { - "type": "string", - "description": "Text description of problemType, or title from CWE or OWASP.", - "minLength": 1, - "maxLength": 4096 - }, - "cweId": { - "type": "string", - "description": "CWE ID of the CWE that best describes this problemType entry.", - "minLength": 5, - "maxLength": 9, - "pattern": "^CWE-[1-9][0-9]*$" - }, - "type": { - "type": "string", - "description": "Problemtype source, text, OWASP, CWE, etc.,", - "minLength": 1, - "maxLength": 128 - }, - "references": { - "$ref": "#/definitions/references" - } - }, - "additionalProperties": false - }, - "minItems": 1, - "uniqueItems": true - } - }, - "additionalProperties": false - }, - "minItems": 1, - "uniqueItems": true - }, - "references": { - "type": "array", - "description": "This is reference data in the form of URLs or file objects (uuencoded and embedded within the JSON file, exact format to be decided, e.g. we may require a compressed format so the objects require unpacking before they are \"dangerous\").", - "items": { - "$ref": "#/definitions/reference" - }, - "minItems": 1, - "maxItems": 512, - "uniqueItems": true - }, - "impacts": { - "type": "array", - "description": "Collection of impacts of this vulnerability.", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "description": "This is impact type information (e.g. 
a text description.", - "required": [ - "descriptions" - ], - "properties": { - "capecId": { - "type": "string", - "description": "CAPEC ID that best relates to this impact.", - "minLength": 7, - "maxLength": 11, - "pattern": "^CAPEC-[1-9][0-9]{0,4}$" - }, - "descriptions": { - "description": "Prose description of the impact scenario. At a minimum provide the description given by CAPEC.", - "$ref": "#/definitions/descriptions" - } - }, - "additionalProperties": false - } - }, - "metrics": { - "type": "array", - "description": "Collection of impact scores with attribution.", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "description": "This is impact type information (e.g. a text description, CVSSv2, CVSSv3, CVSSV4, etc.). Must contain: At least one entry, can be text, CVSSv2, CVSSv3, others may be added.", - "anyOf": [ - { - "required": [ - "cvssV4_0" - ] - }, - { - "required": [ - "cvssV3_1" - ] - }, - { - "required": [ - "cvssV3_0" - ] - }, - { - "required": [ - "cvssV2_0" - ] - }, - { - "required": [ - "other" - ] - } - ], - "properties": { - "format": { - "type": "string", - "description": "Name of the scoring format. This provides a bit of future proofing. Additional properties are not prohibited, so this will support the inclusion of proprietary formats. It also provides an easy future conversion mechanism when future score formats become part of the schema. example: cvssV44, format = 'cvssV44', other = cvssV4_4 JSON object. In the future, the other properties can be converted to score properties when they become part of the schema.", - "minLength": 1, - "maxLength": 64 - }, - "scenarios": { - "type": "array", - "description": "Description of the scenarios this metrics object applies to. 
If no specific scenario is given, GENERAL is used as the default and applies when no more specific metric matches.", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "properties": { - "lang": { - "$ref": "#/definitions/language" - }, - "value": { - "type": "string", - "default": "GENERAL", - "description": "Description of the scenario this metrics object applies to. If no specific scenario is given, GENERAL is used as the default and applies when no more specific metric matches.", - "minLength": 1, - "maxLength": 4096 - } - }, - "required": [ - "lang", - "value" - ], - "additionalProperties": false - } - }, - "cvssV4_0": { - "$schema": "http://json-schema.org/draft-07/schema#", - "title": "JSON Schema for Common Vulnerability Scoring System version 4.0", - "type": "object", - "definitions": { - "attackVectorType": { - "type": "string", - "enum": [ - "NETWORK", - "ADJACENT", - "LOCAL", - "PHYSICAL" - ] - }, - "modifiedAttackVectorType": { - "type": "string", - "enum": [ - "NETWORK", - "ADJACENT", - "LOCAL", - "PHYSICAL", - "NOT_DEFINED" - ], - "default": "NOT_DEFINED" - }, - "attackComplexityType": { - "type": "string", - "enum": [ - "HIGH", - "LOW" - ] - }, - "modifiedAttackComplexityType": { - "type": "string", - "enum": [ - "HIGH", - "LOW", - "NOT_DEFINED" - ], - "default": "NOT_DEFINED" - }, - "attackRequirementsType": { - "type": "string", - "enum": [ - "NONE", - "PRESENT" - ] - }, - "modifiedAttackRequirementsType": { - "type": "string", - "enum": [ - "NONE", - "PRESENT", - "NOT_DEFINED" - ], - "default": "NOT_DEFINED" - }, - "privilegesRequiredType": { - "type": "string", - "enum": [ - "HIGH", - "LOW", - "NONE" - ] - }, - "modifiedPrivilegesRequiredType": { - "type": "string", - "enum": [ - "HIGH", - "LOW", - "NONE", - "NOT_DEFINED" - ], - "default": "NOT_DEFINED" - }, - "userInteractionType": { - "type": "string", - "enum": [ - "NONE", - "PASSIVE", - "ACTIVE" - ] - }, - "modifiedUserInteractionType": { - "type": "string", - "enum": 
[ - "NONE", - "PASSIVE", - "ACTIVE", - "NOT_DEFINED" - ], - "default": "NOT_DEFINED" - }, - "vulnCiaType": { - "type": "string", - "enum": [ - "NONE", - "LOW", - "HIGH" - ] - }, - "modifiedVulnCiaType": { - "type": "string", - "enum": [ - "NONE", - "LOW", - "HIGH", - "NOT_DEFINED" - ], - "default": "NOT_DEFINED" - }, - "subCiaType": { - "type": "string", - "enum": [ - "NONE", - "LOW", - "HIGH" - ] - }, - "modifiedSubCType": { - "type": "string", - "enum": [ - "NONE", - "LOW", - "HIGH", - "NOT_DEFINED" - ], - "default": "NOT_DEFINED" - }, - "modifiedSubIaType": { - "type": "string", - "enum": [ - "NONE", - "LOW", - "HIGH", - "SAFETY", - "NOT_DEFINED" - ], - "default": "NOT_DEFINED" - }, - "exploitMaturityType": { - "type": "string", - "enum": [ - "UNREPORTED", - "PROOF_OF_CONCEPT", - "ATTACKED", - "NOT_DEFINED" - ], - "default": "NOT_DEFINED" - }, - "ciaRequirementType": { - "type": "string", - "enum": [ - "LOW", - "MEDIUM", - "HIGH", - "NOT_DEFINED" - ], - "default": "NOT_DEFINED" - }, - "safetyType": { - "type": "string", - "enum": [ - "NEGLIGIBLE", - "PRESENT", - "NOT_DEFINED" - ], - "default": "NOT_DEFINED" - }, - "automatableType": { - "type": "string", - "enum": [ - "NO", - "YES", - "NOT_DEFINED" - ], - "default": "NOT_DEFINED" - }, - "recoveryType": { - "type": "string", - "enum": [ - "AUTOMATIC", - "USER", - "IRRECOVERABLE", - "NOT_DEFINED" - ], - "default": "NOT_DEFINED" - }, - "valueDensityType": { - "type": "string", - "enum": [ - "DIFFUSE", - "CONCENTRATED", - "NOT_DEFINED" - ], - "default": "NOT_DEFINED" - }, - "vulnerabilityResponseEffortType": { - "type": "string", - "enum": [ - "LOW", - "MODERATE", - "HIGH", - "NOT_DEFINED" - ], - "default": "NOT_DEFINED" - }, - "providerUrgencyType": { - "type": "string", - "enum": [ - "CLEAR", - "GREEN", - "AMBER", - "RED", - "NOT_DEFINED" - ], - "default": "NOT_DEFINED" - }, - "scoreType": { - "type": "number", - "enum": [ - 0.0, - 0.1, - 0.2, - 0.3, - 0.4, - 0.5, - 0.6, - 0.7, - 0.8, - 0.9, - 1.0, - 1.1, - 1.2, - 
1.3, - 1.4, - 1.5, - 1.6, - 1.7, - 1.8, - 1.9, - 2.0, - 2.1, - 2.2, - 2.3, - 2.4, - 2.5, - 2.6, - 2.7, - 2.8, - 2.9, - 3.0, - 3.1, - 3.2, - 3.3, - 3.4, - 3.5, - 3.6, - 3.7, - 3.8, - 3.9, - 4.0, - 4.1, - 4.2, - 4.3, - 4.4, - 4.5, - 4.6, - 4.7, - 4.8, - 4.9, - 5.0, - 5.1, - 5.2, - 5.3, - 5.4, - 5.5, - 5.6, - 5.7, - 5.8, - 5.9, - 6.0, - 6.1, - 6.2, - 6.3, - 6.4, - 6.5, - 6.6, - 6.7, - 6.8, - 6.9, - 7.0, - 7.1, - 7.2, - 7.3, - 7.4, - 7.5, - 7.6, - 7.7, - 7.8, - 7.9, - 8.0, - 8.1, - 8.2, - 8.3, - 8.4, - 8.5, - 8.6, - 8.7, - 8.8, - 8.9, - 9.0, - 9.1, - 9.2, - 9.3, - 9.4, - 9.5, - 9.6, - 9.7, - 9.8, - 9.9, - 10.0 - ] - }, - "noneScoreType": { - "type": "number", - "minimum": 0, - "maximum": 0 - }, - "lowScoreType": { - "type": "number", - "enum": [ - 0.1, - 0.2, - 0.3, - 0.4, - 0.5, - 0.6, - 0.7, - 0.8, - 0.9, - 1.0, - 1.1, - 1.2, - 1.3, - 1.4, - 1.5, - 1.6, - 1.7, - 1.8, - 1.9, - 2.0, - 2.1, - 2.2, - 2.3, - 2.4, - 2.5, - 2.6, - 2.7, - 2.8, - 2.9, - 3.0, - 3.1, - 3.2, - 3.3, - 3.4, - 3.5, - 3.6, - 3.7, - 3.8, - 3.9 - ] - }, - "mediumScoreType": { - "type": "number", - "enum": [ - 4.0, - 4.1, - 4.2, - 4.3, - 4.4, - 4.5, - 4.6, - 4.7, - 4.8, - 4.9, - 5.0, - 5.1, - 5.2, - 5.3, - 5.4, - 5.5, - 5.6, - 5.7, - 5.8, - 5.9, - 6.0, - 6.1, - 6.2, - 6.3, - 6.4, - 6.5, - 6.6, - 6.7, - 6.8, - 6.9 - ] - }, - "highScoreType": { - "type": "number", - "enum": [ - 7.0, - 7.1, - 7.2, - 7.3, - 7.4, - 7.5, - 7.6, - 7.7, - 7.8, - 7.9, - 8.0, - 8.1, - 8.2, - 8.3, - 8.4, - 8.5, - 8.6, - 8.7, - 8.8, - 8.9 - ] - }, - "criticalScoreType": { - "type": "number", - "enum": [ - 9.0, - 9.1, - 9.2, - 9.3, - 9.4, - 9.5, - 9.6, - 9.7, - 9.8, - 9.9, - 10.0 - ] - }, - "severityType": { - "type": "string", - "enum": [ - "NONE", - "LOW", - "MEDIUM", - "HIGH", - "CRITICAL" - ] - }, - "noneSeverityType": { - "const": "NONE" - }, - "lowSeverityType": { - "const": "LOW" - }, - "mediumSeverityType": { - "const": "MEDIUM" - }, - "highSeverityType": { - "const": "HIGH" - }, - "criticalSeverityType": { - "const": 
"CRITICAL" - } - }, - "properties": { - "version": { - "description": "CVSS Version", - "type": "string", - "enum": [ - "4.0" - ] - }, - "vectorString": { - "type": "string", - "pattern": "^CVSS:4[.]0/AV:[NALP]/AC:[LH]/AT:[NP]/PR:[NLH]/UI:[NPA]/VC:[HLN]/VI:[HLN]/VA:[HLN]/SC:[HLN]/SI:[HLN]/SA:[HLN](/E:[XAPU])?(/CR:[XHML])?(/IR:[XHML])?(/AR:[XHML])?(/MAV:[XNALP])?(/MAC:[XLH])?(/MAT:[XNP])?(/MPR:[XNLH])?(/MUI:[XNPA])?(/MVC:[XNLH])?(/MVI:[XNLH])?(/MVA:[XNLH])?(/MSC:[XNLH])?(/MSI:[XNLHS])?(/MSA:[XNLHS])?(/S:[XNP])?(/AU:[XNY])?(/R:[XAUI])?(/V:[XDC])?(/RE:[XLMH])?(/U:(X|Clear|Green|Amber|Red))?$" - }, - "baseScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/scoreType" - }, - "baseSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/severityType" - }, - "attackVector": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/attackVectorType" - }, - "attackComplexity": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/attackComplexityType" - }, - "attackRequirements": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/attackRequirementsType" - }, - "privilegesRequired": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/privilegesRequiredType" - }, - "userInteraction": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/userInteractionType" - }, - "vulnConfidentialityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType" - }, - "vulnIntegrityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType" - }, - "vulnAvailabilityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType" - }, - "subConfidentialityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType" - }, - "subIntegrityImpact": { - "$ref": 
"#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType" - }, - "subAvailabilityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType" - }, - "exploitMaturity": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/exploitMaturityType" - }, - "confidentialityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType" - }, - "integrityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType" - }, - "availabilityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType" - }, - "modifiedAttackVector": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackVectorType" - }, - "modifiedAttackComplexity": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackComplexityType" - }, - "modifiedAttackRequirements": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackRequirementsType" - }, - "modifiedPrivilegesRequired": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedPrivilegesRequiredType" - }, - "modifiedUserInteraction": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedUserInteractionType" - }, - "modifiedVulnConfidentialityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType" - }, - "modifiedVulnIntegrityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType" - }, - "modifiedVulnAvailabilityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType" - }, - "modifiedSubConfidentialityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubCType" - }, - "modifiedSubIntegrityImpact": { - "$ref": 
"#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubIaType" - }, - "modifiedSubAvailabilityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubIaType" - }, - "Safety": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/safetyType" - }, - "Automatable": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/automatableType" - }, - "Recovery": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/recoveryType" - }, - "valueDensity": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/valueDensityType" - }, - "vulnerabilityResponseEffort": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnerabilityResponseEffortType" - }, - "providerUrgency": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/providerUrgencyType" - } - }, - "allOf": [ - { - "anyOf": [ - { - "properties": { - "baseScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType" - }, - "baseSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType" - } - } - }, - { - "properties": { - "baseScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowScoreType" - }, - "baseSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowSeverityType" - } - } - }, - { - "properties": { - "baseScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumScoreType" - }, - "baseSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumSeverityType" - } - } - }, - { - "properties": { - "baseScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highScoreType" - }, - "baseSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highSeverityType" - } - } - }, - { - "properties": { - "baseScore": { - 
"$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalScoreType" - }, - "baseSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalSeverityType" - } - } - } - ] - }, - { - "anyOf": [ - { - "properties": { - "threatScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType" - }, - "threatSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType" - } - } - }, - { - "properties": { - "threatScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowScoreType" - }, - "threatSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowSeverityType" - } - } - }, - { - "properties": { - "threatScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumScoreType" - }, - "threatSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumSeverityType" - } - } - }, - { - "properties": { - "threatScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highScoreType" - }, - "threatSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highSeverityType" - } - } - }, - { - "properties": { - "threatScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalScoreType" - }, - "threatSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalSeverityType" - } - } - } - ] - }, - { - "anyOf": [ - { - "properties": { - "environmentalScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType" - }, - "environmentalSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType" - } - } - }, - { - "properties": { - "environmentalScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowScoreType" - }, - "environmentalSeverity": { - 
"$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowSeverityType" - } - } - }, - { - "properties": { - "environmentalScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumScoreType" - }, - "environmentalSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumSeverityType" - } - } - }, - { - "properties": { - "environmentalScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highScoreType" - }, - "environmentalSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highSeverityType" - } - } - }, - { - "properties": { - "environmentalScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalScoreType" - }, - "environmentalSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalSeverityType" - } - } - } - ] - } - ], - "required": [ - "version", - "vectorString", - "baseScore", - "baseSeverity" - ], - "additionalProperties": false - }, - "cvssV3_1": { - "$schema": "http://json-schema.org/draft-07/schema#", - "title": "JSON Schema for Common Vulnerability Scoring System version 3.1", - "type": "object", - "definitions": { - "attackVectorType": { - "type": "string", - "enum": [ - "NETWORK", - "ADJACENT_NETWORK", - "LOCAL", - "PHYSICAL" - ] - }, - "modifiedAttackVectorType": { - "type": "string", - "enum": [ - "NETWORK", - "ADJACENT_NETWORK", - "LOCAL", - "PHYSICAL", - "NOT_DEFINED" - ] - }, - "attackComplexityType": { - "type": "string", - "enum": [ - "HIGH", - "LOW" - ] - }, - "modifiedAttackComplexityType": { - "type": "string", - "enum": [ - "HIGH", - "LOW", - "NOT_DEFINED" - ] - }, - "privilegesRequiredType": { - "type": "string", - "enum": [ - "HIGH", - "LOW", - "NONE" - ] - }, - "modifiedPrivilegesRequiredType": { - "type": "string", - "enum": [ - "HIGH", - "LOW", - "NONE", - "NOT_DEFINED" - ] - }, - "userInteractionType": { - "type": "string", - "enum": [ - 
"NONE", - "REQUIRED" - ] - }, - "modifiedUserInteractionType": { - "type": "string", - "enum": [ - "NONE", - "REQUIRED", - "NOT_DEFINED" - ] - }, - "scopeType": { - "type": "string", - "enum": [ - "UNCHANGED", - "CHANGED" - ] - }, - "modifiedScopeType": { - "type": "string", - "enum": [ - "UNCHANGED", - "CHANGED", - "NOT_DEFINED" - ] - }, - "ciaType": { - "type": "string", - "enum": [ - "NONE", - "LOW", - "HIGH" - ] - }, - "modifiedCiaType": { - "type": "string", - "enum": [ - "NONE", - "LOW", - "HIGH", - "NOT_DEFINED" - ] - }, - "exploitCodeMaturityType": { - "type": "string", - "enum": [ - "UNPROVEN", - "PROOF_OF_CONCEPT", - "FUNCTIONAL", - "HIGH", - "NOT_DEFINED" - ] - }, - "remediationLevelType": { - "type": "string", - "enum": [ - "OFFICIAL_FIX", - "TEMPORARY_FIX", - "WORKAROUND", - "UNAVAILABLE", - "NOT_DEFINED" - ] - }, - "confidenceType": { - "type": "string", - "enum": [ - "UNKNOWN", - "REASONABLE", - "CONFIRMED", - "NOT_DEFINED" - ] - }, - "ciaRequirementType": { - "type": "string", - "enum": [ - "LOW", - "MEDIUM", - "HIGH", - "NOT_DEFINED" - ] - }, - "scoreType": { - "type": "number", - "minimum": 0, - "maximum": 10 - }, - "severityType": { - "type": "string", - "enum": [ - "NONE", - "LOW", - "MEDIUM", - "HIGH", - "CRITICAL" - ] - } - }, - "properties": { - "version": { - "description": "CVSS Version", - "type": "string", - "enum": [ - "3.1" - ] - }, - "vectorString": { - "type": "string", - "pattern": "^CVSS:3[.]1/((AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$" - }, - "attackVector": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/attackVectorType" - }, - "attackComplexity": { - "$ref": 
"#/definitions/metrics/items/properties/cvssV3_1/definitions/attackComplexityType" - }, - "privilegesRequired": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/privilegesRequiredType" - }, - "userInteraction": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/userInteractionType" - }, - "scope": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scopeType" - }, - "confidentialityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType" - }, - "integrityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType" - }, - "availabilityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType" - }, - "baseScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType" - }, - "baseSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType" - }, - "exploitCodeMaturity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/exploitCodeMaturityType" - }, - "remediationLevel": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/remediationLevelType" - }, - "reportConfidence": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/confidenceType" - }, - "temporalScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType" - }, - "temporalSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType" - }, - "confidentialityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType" - }, - "integrityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType" - }, - "availabilityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType" - }, - "modifiedAttackVector": { - "$ref": 
"#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedAttackVectorType" - }, - "modifiedAttackComplexity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedAttackComplexityType" - }, - "modifiedPrivilegesRequired": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedPrivilegesRequiredType" - }, - "modifiedUserInteraction": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedUserInteractionType" - }, - "modifiedScope": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedScopeType" - }, - "modifiedConfidentialityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType" - }, - "modifiedIntegrityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType" - }, - "modifiedAvailabilityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType" - }, - "environmentalScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType" - }, - "environmentalSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType" - } - }, - "required": [ - "version", - "vectorString", - "baseScore", - "baseSeverity" - ], - "additionalProperties": false - }, - "cvssV3_0": { - "$schema": "http://json-schema.org/draft-04/schema#", - "title": "JSON Schema for Common Vulnerability Scoring System version 3.0", - "type": "object", - "definitions": { - "attackVectorType": { - "type": "string", - "enum": [ - "NETWORK", - "ADJACENT_NETWORK", - "LOCAL", - "PHYSICAL" - ] - }, - "modifiedAttackVectorType": { - "type": "string", - "enum": [ - "NETWORK", - "ADJACENT_NETWORK", - "LOCAL", - "PHYSICAL", - "NOT_DEFINED" - ] - }, - "attackComplexityType": { - "type": "string", - "enum": [ - "HIGH", - "LOW" - ] - }, - "modifiedAttackComplexityType": { - "type": "string", - "enum": [ - "HIGH", - "LOW", - 
"NOT_DEFINED" - ] - }, - "privilegesRequiredType": { - "type": "string", - "enum": [ - "HIGH", - "LOW", - "NONE" - ] - }, - "modifiedPrivilegesRequiredType": { - "type": "string", - "enum": [ - "HIGH", - "LOW", - "NONE", - "NOT_DEFINED" - ] - }, - "userInteractionType": { - "type": "string", - "enum": [ - "NONE", - "REQUIRED" - ] - }, - "modifiedUserInteractionType": { - "type": "string", - "enum": [ - "NONE", - "REQUIRED", - "NOT_DEFINED" - ] - }, - "scopeType": { - "type": "string", - "enum": [ - "UNCHANGED", - "CHANGED" - ] - }, - "modifiedScopeType": { - "type": "string", - "enum": [ - "UNCHANGED", - "CHANGED", - "NOT_DEFINED" - ] - }, - "ciaType": { - "type": "string", - "enum": [ - "NONE", - "LOW", - "HIGH" - ] - }, - "modifiedCiaType": { - "type": "string", - "enum": [ - "NONE", - "LOW", - "HIGH", - "NOT_DEFINED" - ] - }, - "exploitCodeMaturityType": { - "type": "string", - "enum": [ - "UNPROVEN", - "PROOF_OF_CONCEPT", - "FUNCTIONAL", - "HIGH", - "NOT_DEFINED" - ] - }, - "remediationLevelType": { - "type": "string", - "enum": [ - "OFFICIAL_FIX", - "TEMPORARY_FIX", - "WORKAROUND", - "UNAVAILABLE", - "NOT_DEFINED" - ] - }, - "confidenceType": { - "type": "string", - "enum": [ - "UNKNOWN", - "REASONABLE", - "CONFIRMED", - "NOT_DEFINED" - ] - }, - "ciaRequirementType": { - "type": "string", - "enum": [ - "LOW", - "MEDIUM", - "HIGH", - "NOT_DEFINED" - ] - }, - "scoreType": { - "type": "number", - "minimum": 0, - "maximum": 10 - }, - "severityType": { - "type": "string", - "enum": [ - "NONE", - "LOW", - "MEDIUM", - "HIGH", - "CRITICAL" - ] - } - }, - "properties": { - "version": { - "description": "CVSS Version", - "type": "string", - "enum": [ - "3.0" - ] - }, - "vectorString": { - "type": "string", - "pattern": 
"^CVSS:3[.]0/((AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$" - }, - "attackVector": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/attackVectorType" - }, - "attackComplexity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/attackComplexityType" - }, - "privilegesRequired": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/privilegesRequiredType" - }, - "userInteraction": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/userInteractionType" - }, - "scope": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scopeType" - }, - "confidentialityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType" - }, - "integrityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType" - }, - "availabilityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType" - }, - "baseScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType" - }, - "baseSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType" - }, - "exploitCodeMaturity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/exploitCodeMaturityType" - }, - "remediationLevel": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/remediationLevelType" - }, - "reportConfidence": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/confidenceType" - }, - "temporalScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType" - }, - "temporalSeverity": { - "$ref": 
"#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType" - }, - "confidentialityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType" - }, - "integrityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType" - }, - "availabilityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType" - }, - "modifiedAttackVector": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedAttackVectorType" - }, - "modifiedAttackComplexity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedAttackComplexityType" - }, - "modifiedPrivilegesRequired": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedPrivilegesRequiredType" - }, - "modifiedUserInteraction": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedUserInteractionType" - }, - "modifiedScope": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedScopeType" - }, - "modifiedConfidentialityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType" - }, - "modifiedIntegrityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType" - }, - "modifiedAvailabilityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType" - }, - "environmentalScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType" - }, - "environmentalSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType" - } - }, - "required": [ - "version", - "vectorString", - "baseScore", - "baseSeverity" - ], - "additionalProperties": false - }, - "cvssV2_0": { - "$schema": "http://json-schema.org/draft-04/schema#", - "title": "JSON Schema for Common Vulnerability Scoring System 
version 2.0", - "type": "object", - "definitions": { - "accessVectorType": { - "type": "string", - "enum": [ - "NETWORK", - "ADJACENT_NETWORK", - "LOCAL" - ] - }, - "accessComplexityType": { - "type": "string", - "enum": [ - "HIGH", - "MEDIUM", - "LOW" - ] - }, - "authenticationType": { - "type": "string", - "enum": [ - "MULTIPLE", - "SINGLE", - "NONE" - ] - }, - "ciaType": { - "type": "string", - "enum": [ - "NONE", - "PARTIAL", - "COMPLETE" - ] - }, - "exploitabilityType": { - "type": "string", - "enum": [ - "UNPROVEN", - "PROOF_OF_CONCEPT", - "FUNCTIONAL", - "HIGH", - "NOT_DEFINED" - ] - }, - "remediationLevelType": { - "type": "string", - "enum": [ - "OFFICIAL_FIX", - "TEMPORARY_FIX", - "WORKAROUND", - "UNAVAILABLE", - "NOT_DEFINED" - ] - }, - "reportConfidenceType": { - "type": "string", - "enum": [ - "UNCONFIRMED", - "UNCORROBORATED", - "CONFIRMED", - "NOT_DEFINED" - ] - }, - "collateralDamagePotentialType": { - "type": "string", - "enum": [ - "NONE", - "LOW", - "LOW_MEDIUM", - "MEDIUM_HIGH", - "HIGH", - "NOT_DEFINED" - ] - }, - "targetDistributionType": { - "type": "string", - "enum": [ - "NONE", - "LOW", - "MEDIUM", - "HIGH", - "NOT_DEFINED" - ] - }, - "ciaRequirementType": { - "type": "string", - "enum": [ - "LOW", - "MEDIUM", - "HIGH", - "NOT_DEFINED" - ] - }, - "scoreType": { - "type": "number", - "minimum": 0, - "maximum": 10 - } - }, - "properties": { - "version": { - "description": "CVSS Version", - "type": "string", - "enum": [ - "2.0" - ] - }, - "vectorString": { - "type": "string", - "pattern": "^((AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))/)*(AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))$" - }, - "accessVector": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/accessVectorType" - }, - "accessComplexity": { - "$ref": 
"#/definitions/metrics/items/properties/cvssV2_0/definitions/accessComplexityType" - }, - "authentication": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/authenticationType" - }, - "confidentialityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType" - }, - "integrityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType" - }, - "availabilityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType" - }, - "baseScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType" - }, - "exploitability": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/exploitabilityType" - }, - "remediationLevel": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/remediationLevelType" - }, - "reportConfidence": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/reportConfidenceType" - }, - "temporalScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType" - }, - "collateralDamagePotential": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/collateralDamagePotentialType" - }, - "targetDistribution": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/targetDistributionType" - }, - "confidentialityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType" - }, - "integrityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType" - }, - "availabilityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType" - }, - "environmentalScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType" - } - }, - "required": [ - "version", - "vectorString", - "baseScore" - ], - "additionalProperties": false - }, - "other": { - 
"type": "object", - "description": "A non-standard impact description, may be prose or JSON block.", - "required": [ - "type", - "content" - ], - "properties": { - "type": { - "description": "Name of the non-standard impact metrics format used.", - "type": "string", - "minLength": 1, - "maxLength": 128 - }, - "content": { - "type": "object", - "$comment": "additionalProperties are allowed here, since this construct supports arbitrary JSON.", - "description": "JSON object not covered by another metrics format.", - "minProperties": 1 - } - }, - "additionalProperties": false - } - }, - "additionalProperties": false - } - }, - "configurations": { - "type": "array", - "description": "Configurations required for exploiting this vulnerability.", - "minItems": 1, - "uniqueItems": true, - "items": { - "$ref": "#/definitions/description" - } - }, - "workarounds": { - "type": "array", - "description": "Workarounds and mitigations for this vulnerability.", - "minItems": 1, - "uniqueItems": true, - "items": { - "$ref": "#/definitions/description" - } - }, - "solutions": { - "type": "array", - "description": "Information about solutions or remediations available for this vulnerability.", - "minItems": 1, - "uniqueItems": true, - "items": { - "$ref": "#/definitions/description" - } - }, - "exploits": { - "type": "array", - "description": "Information about exploits of the vulnerability.", - "minItems": 1, - "uniqueItems": true, - "items": { - "$ref": "#/definitions/description" - } - }, - "timeline": { - "type": "array", - "description": "This is timeline information for significant events about this vulnerability or changes to the CVE Record.", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "required": [ - "time", - "lang", - "value" - ], - "properties": { - "time": { - "description": "Timestamp representing when the event in the timeline occurred. The timestamp format is based on RFC3339 and ISO ISO8601, with an optional timezone. 
yyyy-MM-ddTHH:mm:ss[+-]ZH:ZM - if the timezone offset is not given, GMT (+00:00) is assumed.", - "$ref": "#/definitions/timestamp" - }, - "lang": { - "description": "The language used in the description of the event. The language field is included so that CVE Records can support translations. The value must be a BCP 47 language code.", - "$ref": "#/definitions/language" - }, - "value": { - "description": "A summary of the event.", - "type": "string", - "minLength": 1, - "maxLength": 4096 - } - }, - "additionalProperties": false - } - }, - "credits": { - "type": "array", - "description": "Statements acknowledging specific people, organizations, or tools recognizing the work done in researching, discovering, remediating or helping with activities related to this CVE.", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "properties": { - "lang": { - "description": "The language used when describing the credits. The language field is included so that CVE Records can support translations. The value must be a BCP 47 language code.", - "$ref": "#/definitions/language" - }, - "value": { - "type": "string", - "minLength": 1, - "maxLength": 4096 - }, - "user": { - "description": "UUID of the user being credited if present in the CVE User Registry (optional). This UUID can be used to lookup the user record in the user registry service.", - "$ref": "#/definitions/uuidType" - }, - "type": { - "type": "string", - "description": "Type or role of the entity being credited (optional). 
finder: identifies the vulnerability.\nreporter: notifies the vendor of the vulnerability to a CNA.\nanalyst: validates the vulnerability to ensure accuracy or severity.\ncoordinator: facilitates the coordinated response process.\nremediation developer: prepares a code change or other remediation plans.\nremediation reviewer: reviews vulnerability remediation plans or code changes for effectiveness and completeness.\nremediation verifier: tests and verifies the vulnerability or its remediation.\ntool: names of tools used in vulnerability discovery or identification.\nsponsor: supports the vulnerability identification or remediation activities.", - "default": "finder", - "enum": [ - "finder", - "reporter", - "analyst", - "coordinator", - "remediation developer", - "remediation reviewer", - "remediation verifier", - "tool", - "sponsor", - "other" - ] - } - }, - "additionalProperties": false, - "required": [ - "lang", - "value" - ] - } - }, - "source": { - "type": "object", - "description": "This is the source information (who discovered it, who researched it, etc.) and optionally a chain of CNA information (e.g. the originating CNA and subsequent parent CNAs who have processed it before it arrives at the MITRE root).\n Must contain: IF this is in the root level it MUST contain a CNA_chain entry, IF this source entry is NOT in the root (e.g. 
it is part of a vendor statement) then it must contain at least one type of data entry.", - "minProperties": 1 - }, - "language": { - "type": "string", - "description": "BCP 47 language code, language-region.", - "default": "en", - "pattern": "^[A-Za-z]{2,4}([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$" - }, - "englishLanguage": { - "type": "string", - "description": "BCP 47 language code, language-region, required to be English.", - "pattern": "^en([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$" - }, - "taxonomyMappings": { - "type": "array", - "description": "List of taxonomy items related to the vulnerability.", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "description": "A taxonomy mapping object identifies the taxonomy by a name and version (eg., ATT&CK v13.1, CVSS 3.1, CWE 4.12) along with a list of relations relevant to this CVE.", - "required": [ - "taxonomyName", - "taxonomyRelations" - ], - "properties": { - "taxonomyName": { - "type": "string", - "description": "The name of the taxonomy, eg., ATT&CK, D3FEND, CWE, CVSS", - "minLength": 1, - "maxLength": 128 - }, - "taxonomyVersion": { - "type": "string", - "description": "The version of taxonomy the identifiers come from.", - "minLength": 1, - "maxLength": 128 - }, - "taxonomyRelations": { - "type": "array", - "description": "List of relationships to the taxonomy for the vulnerability.", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "description": "A relationship between the taxonomy and the CVE or two taxonomy items.", - "required": [ - "taxonomyId", - "relationshipName", - "relationshipValue" - ], - "properties": { - "taxonomyId": { - "type": "string", - "description": "Identifier of the item in the taxonomy. 
Used as the subject of the relationship.", - "minLength": 1, - "maxLength": 2048 - }, - "relationshipName": { - "type": "string", - "description": "A description of the relationship.", - "minLength": 1, - "maxLength": 128 - }, - "relationshipValue": { - "type": "string", - "description": "The target of the relationship. Can be the CVE ID or another taxonomy identifier.", - "minLength": 1, - "maxLength": 2048 - } - }, - "additionalProperties": false - } - } - }, - "additionalProperties": false - } - }, - "tagExtension": { - "type": "string", - "minLength": 2, - "maxLength": 128, - "pattern": "^x_.*$", - "$comment": "These values are not used as JSON property names, so there is not a need to work-around property naming limitations in some common implementations." - }, - "cnaTags": { - "type": "array", - "description": "Tags provided by a CNA describing the CVE Record.", - "uniqueItems": true, - "minItems": 1, - "items": { - "oneOf": [ - { - "$ref": "#/definitions/tagExtension" - }, - { - "$schema": "http://json-schema.org/draft-07/schema#", - "$id": "https://cve.mitre.org/cve/v5_00/tags/cna/", - "type": "string", - "description": "exclusively-hosted-service: All known software and/or hardware affected by this CVE Record is known to exist only in the affected hosted service. If the vulnerability affects both hosted and on-prem software and/or hardware, then the tag should not be used.\n\nunsupported-when-assigned: Used by the assigning CNA to indicate that when a request for a CVE assignment was received, the product was already end-of-life (EOL) or a product or specific version was deemed not to be supported by the vendor. 
This tag should only be applied to a CVE Record when all affected products or version lines referenced in the CVE-Record are EOL.\n\ndisputed: When one party disagrees with another party's assertion that a particular issue in software is a vulnerability, a CVE Record assigned to that issue may be tagged as being 'disputed'.", - "enum": [ - "unsupported-when-assigned", - "exclusively-hosted-service", - "disputed" - ] - } - ] - } - } - }, - "properties": { - "cnaContainer": { - "description": "An object containing the vulnerability information provided by a CVE Numbering Authority (CNA) for a published CVE ID. There can only be one CNA container per CVE record since there can only be one assigning CNA. The CNA container must include the required information defined in the CVE Rules, which includes a product, version, problem type, prose description, and a reference.", - "type": "object", - "properties": { - "providerMetadata": { - "$ref": "#/definitions/providerMetadata" - }, - "dateAssigned": { - "$ref": "#/definitions/timestamp", - "description": "The date/time this CVE ID was associated with a vulnerability by a CNA." - }, - "datePublic": { - "$ref": "#/definitions/timestamp", - "description": "If known, the date/time the vulnerability was disclosed publicly." - }, - "title": { - "type": "string", - "description": "A title, headline, or a brief phrase summarizing the CVE record. 
Eg., Buffer overflow in Example Soft.", - "minLength": 1, - "maxLength": 256 - }, - "descriptions": { - "$ref": "#/definitions/descriptions" - }, - "affected": { - "$ref": "#/definitions/affected" - }, - "problemTypes": { - "$ref": "#/definitions/problemTypes" - }, - "references": { - "$ref": "#/definitions/references" - }, - "impacts": { - "$ref": "#/definitions/impacts" - }, - "metrics": { - "$ref": "#/definitions/metrics" - }, - "configurations": { - "$ref": "#/definitions/configurations" - }, - "workarounds": { - "$ref": "#/definitions/workarounds" - }, - "solutions": { - "$ref": "#/definitions/solutions" - }, - "exploits": { - "$ref": "#/definitions/exploits" - }, - "timeline": { - "$ref": "#/definitions/timeline" - }, - "credits": { - "$ref": "#/definitions/credits" - }, - "source": { - "$ref": "#/definitions/source" - }, - "tags": { - "$ref": "#/definitions/cnaTags" - }, - "taxonomyMappings": { - "$ref": "#/definitions/taxonomyMappings" - } - }, - "required": [ - "descriptions", - "affected", - "references" - ], - "patternProperties": { - "^x_[^.]*$": {} - }, - "additionalProperties": false - } - }, - "required": [ - "cnaContainer" - ], - "$comment": "The character . is restricted in names allowed by patternProperties to work-around naming limitations in some common implementations.", - "additionalProperties": false, - "$schema": "http://json-schema.org/draft-07/schema#", - "title": "published_cna_container_bundled" -} \ No newline at end of file diff --git a/src/middleware/schemas/5.1_rejected_cna_container.json b/src/middleware/schemas/5.1_rejected_cna_container.json deleted file mode 100644 index 7f2c65f96..000000000 --- a/src/middleware/schemas/5.1_rejected_cna_container.json +++ /dev/null 
@@ -1,188 +0,0 @@ -{ - "definitions": { - "uuidType": { - "description": "A version 4 (random) universally unique identifier (UUID) as defined by [RFC 4122](https://tools.ietf.org/html/rfc4122#section-4.1.3).", - "type": "string", - "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" - }, - "cveId": { - "type": "string", - "pattern": "^CVE-[0-9]{4}-[0-9]{4,19}$" - }, - "orgId": { - "description": "A UUID for an organization participating in the CVE program. This UUID can be used to lookup the organization record in the user registry service.", - "$ref": "#/definitions/uuidType" - }, - "shortName": { - "description": "A 2-32 character name that can be used to complement an organization's UUID.", - "type": "string", - "minLength": 2, - "maxLength": 32 - }, - "timestamp": { - "type": "string", - "format": "date-time", - "description": "Date/time format based on RFC3339 and ISO ISO8601, with an optional timezone in the format 'yyyy-MM-ddTHH:mm:ss[+-]ZH:ZM'. If timezone offset is not given, GMT (+00:00) is assumed.", - "pattern": "^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})?$" - }, - "providerMetadata": { - "type": "object", - "description": "Details related to the information container provider (CNA or ADP).", - "properties": { - "orgId": { - "$ref": "#/definitions/orgId", - "description": "The container provider's organizational UUID." - }, - "shortName": { - "$ref": "#/definitions/shortName", - "description": "The container provider's organizational short name." - }, - "dateUpdated": { - "$ref": "#/definitions/timestamp", - "description": "Timestamp to be set by the system of record at time of submission. 
If dateUpdated is provided to the system of record it will be replaced by the current timestamp at the time of submission." - } - }, - "required": [ - "orgId" - ], - "additionalProperties": false - }, - "description": { - "type": "object", - "description": "Text in a particular language with optional alternate markup or formatted representation (e.g., Markdown) or embedded media.", - "properties": { - "lang": { - "$ref": "#/definitions/language" - }, - "value": { - "type": "string", - "description": "Plain text description.", - "minLength": 1, - "maxLength": 4096 - }, - "supportingMedia": { - "type": "array", - "title": "Supporting media", - "description": "Supporting media data for the description such as markdown, diagrams, .. (optional). Similar to RFC 2397 each media object has three main parts: media type, media data value, and an optional boolean flag to indicate if the media data is base64 encoded.", - "uniqueItems": true, - "minItems": 1, - "items": { - "type": "object", - "properties": { - "type": { - "type": "string", - "title": "Media type", - "minLength": 1, - "maxLength": 256, - "description": "RFC2046 compliant IANA Media type for eg., text/markdown, text/html.", - "examples": [ - "text/markdown", - "text/html", - "image/png", - "image/svg", - "audio/mp3" - ] - }, - "base64": { - "type": "boolean", - "title": "Encoding", - "description": "If true then the value field contains the media data encoded in base64. If false then the value field contains the UTF-8 media content.", - "default": false - }, - "value": { - "type": "string", - "description": "Supporting media content, up to 16K. 
If base64 is true, this field stores base64 encoded data.", - "minLength": 1, - "maxLength": 16384 - } - }, - "required": [ - "type", - "value" - ], - "additionalProperties": false - } - } - }, - "required": [ - "lang", - "value" - ], - "additionalProperties": false - }, - "englishLanguageDescription": { - "type": "object", - "description": "A description with lang set to an English language (en, en_US, en_UK, and so on).", - "properties": { - "lang": { - "$ref": "#/definitions/englishLanguage" - } - }, - "required": [ - "lang" - ], - "$comment": "Cannot use additionalProperties: false here, as this prevents the other properties used by /definitions/description." - }, - "descriptions": { - "type": "array", - "description": "A list of multi-lingual descriptions of the vulnerability. E.g., [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]. OR [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] [ROOT CAUSE], which allows [ATTACKER] to [IMPACT] via [VECTOR].", - "minItems": 1, - "uniqueItems": true, - "items": { - "$ref": "#/definitions/description" - }, - "contains": { - "$ref": "#/definitions/englishLanguageDescription" - } - }, - "language": { - "type": "string", - "description": "BCP 47 language code, language-region.", - "default": "en", - "pattern": "^[A-Za-z]{2,4}([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$" - }, - "englishLanguage": { - "type": "string", - "description": "BCP 47 language code, language-region, required to be English.", - "pattern": "^en([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$" - } - }, - "properties": { - "cnaContainer": { - "description": "An object containing the vulnerability information provided by a CVE Numbering Authority (CNA) for a rejected CVE ID. 
There can only be one CNA container per CVE record since there can only be one assigning CNA.", - "type": "object", - "properties": { - "providerMetadata": { - "$ref": "#/definitions/providerMetadata" - }, - "rejectedReasons": { - "description": "Reasons for rejecting this CVE Record.", - "$ref": "#/definitions/descriptions" - }, - "replacedBy": { - "type": "array", - "description": "Contains an array of CVE IDs that this CVE ID was rejected in favor of because this CVE ID was assigned to the vulnerabilities.", - "minItems": 1, - "uniqueItems": true, - "items": { - "$ref": "#/definitions/cveId" - } - } - }, - "required": [ - "rejectedReasons" - ], - "patternProperties": { - "^x_[^.]*$": {} - }, - "additionalProperties": false - } - }, - "required": [ - "cnaContainer" - ], - "$comment": "The character . is restricted in names allowed by patternProperties to work-around naming limitations in some common implementations.", - "additionalProperties": false, - "$schema": "http://json-schema.org/draft-07/schema#", - "title": "rejected_cna_container_bundled" -} \ No newline at end of file diff --git a/src/middleware/schemas/CVE_JSON_5.1.1_bundled.json b/src/middleware/schemas/CVE_JSON_5.1.1_bundled.json new file mode 100644 index 000000000..5fff73a01 --- /dev/null +++ b/src/middleware/schemas/CVE_JSON_5.1.1_bundled.json 
@@ -0,0 +1,3521 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "https://cveproject.github.io/cve-schema/schema/CVE_Record_Format.json", + "title": "CVE JSON record format", + "description": "cve-schema specifies the CVE JSON record format. This is the blueprint for a rich set of JSON data that can be submitted by CVE Numbering Authorities (CNAs) and Authorized Data Publishers (ADPs) to describe a CVE Record. Some examples of CVE Record data include CVE ID number, affected product(s), affected version(s), and public references. While those specific items are required when assigning a CVE, there are many other optional data in the schema that can be used to enrich CVE Records for community benefit. Learn more about the CVE program at [the official website](https://cve.mitre.org). This CVE JSON record format is defined using JSON Schema. Learn more about JSON Schema [here](https://json-schema.org/).", + "definitions": { + "uriType": { + "description": "A universal resource identifier (URI), according to [RFC 3986](https://tools.ietf.org/html/rfc3986).", + "type": "string", + "format": "uri", + "minLength": 1, + "maxLength": 2048 + }, + "uuidType": { + "description": "A version 4 (random) universally unique identifier (UUID) as defined by [RFC 4122](https://tools.ietf.org/html/rfc4122#section-4.1.3).", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "reference": { + "type": "object", + "required": [ + "url" + ], + "properties": { + "url": { + "description": "The uniform resource locator (URL), according to [RFC 3986](https://tools.ietf.org/html/rfc3986#section-1.1.3), that can be used to retrieve the referenced resource.", + "$ref": "#/definitions/uriType" + }, + "name": { + "description": "User created name for the reference, often the title of the page.", + "type": "string", + "maxLength": 512, + "minLength": 1 + }, + "tags": { + "description": "An array of one or 
more tags that describe the resource referenced by 'url'.", + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "oneOf": [ + { + "$ref": "#/definitions/tagExtension" + }, + { + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "https://cve.mitre.org/cve/v5_00/tags/reference/", + "type": "string", + "description": "broken-link: The reference link is returning a 404 error, or the site is no longer online.\n\ncustomer-entitlement: Similar to Privileges Required, but specific to references that require non-public/paid access for customers of the particular vendor.\n\nexploit: Reference contains an in-depth/detailed description of steps to exploit a vulnerability OR the reference contains any legitimate Proof of Concept (PoC) code or exploit kit.\n\ngovernment-resource: All reference links that are from a government agency or organization should be given the Government Resource tag.\n\nissue-tracking: The reference is a post from a bug tracking tool such as MantisBT, Bugzilla, JIRA, Github Issues, etc...\n\nmailing-list: The reference is from a mailing list -- often specific to a product or vendor.\n\nmitigation: The reference contains information on steps to mitigate against the vulnerability in the event a patch can't be applied or is unavailable or for EOL product situations.\n\nnot-applicable: The reference link is not applicable to the vulnerability and was likely associated by MITRE accidentally (should be used sparingly).\n\npatch: The reference contains an update to the software that fixes the vulnerability.\n\npermissions-required: The reference link provided is blocked by a logon page. If credentials are required to see any information this tag must be applied.\n\nmedia-coverage: The reference is from a media outlet such as a newspaper, magazine, social media, or weblog. This tag is not intended to apply to any individual's personal social media account. 
It is strictly intended for public media entities.\n\nproduct: A reference appropriate for describing a product for the purpose of CPE or SWID.\n\nrelated: A reference that is for a related (but not the same) vulnerability.\n\nrelease-notes: The reference is in the format of a vendor or open source project's release notes or change log.\n\nsignature: The reference contains a method to detect or prevent the presence or exploitation of the vulnerability.\n\ntechnical-description: The reference contains in-depth technical information about a vulnerability and its exploitation process, typically in the form of a presentation or whitepaper.\n\nthird-party-advisory: Advisory is from an organization that is not the vulnerable product's vendor/publisher/maintainer.\n\nvendor-advisory: Advisory is from the vendor/publisher/maintainer of the product or the parent organization.\n\nvdb-entry: VDBs are loosely defined as sites that provide information about this vulnerability, such as advisories, with identifiers. Included VDBs are free to access, substantially public, and have broad scope and coverage (not limited to a single vendor or research organization). 
See: https://www.first.org/global/sigs/vrdx/vdb-catalog", + "enum": [ + "broken-link", + "customer-entitlement", + "exploit", + "government-resource", + "issue-tracking", + "mailing-list", + "mitigation", + "not-applicable", + "patch", + "permissions-required", + "media-coverage", + "product", + "related", + "release-notes", + "signature", + "technical-description", + "third-party-advisory", + "vendor-advisory", + "vdb-entry" + ] + } + ] + } + } + }, + "additionalProperties": false + }, + "cveId": { + "type": "string", + "pattern": "^CVE-[0-9]{4}-[0-9]{4,19}$" + }, + "cpe22and23": { + "type": "string", + "description": "Common Platform Enumeration (CPE) Name in either 2.2 or 2.3 format", + "pattern": "([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9._\\-~%]*){0,6})|(cpe:2\\.3:[aho*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){4})", + "minLength": 1, + "maxLength": 2048 + }, + "cpe23": { + "type": "string", + "description": "Common Platform Enumeration (CPE) Name in 2.3 format", + "pattern": "(cpe:2\\.3:[aho*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){4})", + "minLength": 1, + "maxLength": 2048 + }, + "orgId": { + "description": "A UUID for an organization participating in the CVE program. This UUID can be used to lookup the organization record in the user registry service.", + "$ref": "#/definitions/uuidType" + }, + "userId": { + "description": "A UUID for a user participating in the CVE program. 
This UUID can be used to lookup the user record in the user registry service.", + "$ref": "#/definitions/uuidType" + }, + "shortName": { + "description": "A 2-32 character name that can be used to complement an organization's UUID.", + "type": "string", + "minLength": 2, + "maxLength": 32 + }, + "datestamp": { + "description": "Date/time format based on RFC3339 and ISO ISO8601.", + "type": "string", + "format": "date", + "pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))$" + }, + "timestamp": { + "type": "string", + "description": "Date/time format based on RFC3339 and ISO ISO8601, with an optional timezone in the format 'yyyy-MM-ddTHH:mm:ss[+-]ZH:ZM'. If timezone offset is not given, GMT (+00:00) is assumed.", + "pattern": "^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})?$" + }, + "version": { + "description": "A single version of a product, as expressed in its own version numbering scheme.", + "type": "string", + "minLength": 1, + "maxLength": 1024 + }, + "status": { + "description": "The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. 
There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.", + "type": "string", + "enum": [ + "affected", + "unaffected", + "unknown" + ] + }, + "product": { + "type": "object", + "description": "Provides information about the set of products and services affected by this vulnerability.", + "allOf": [ + { + "anyOf": [ + { + "required": [ + "vendor", + "product" + ] + }, + { + "required": [ + "collectionURL", + "packageName" + ] + } + ] + }, + { + "anyOf": [ + { + "required": [ + "versions" + ] + }, + { + "required": [ + "defaultStatus" + ] + } + ] + } + ], + "properties": { + "vendor": { + "type": "string", + "description": "Name of the organization, project, community, individual, or user that created or maintains this product or hosted service. Can be 'N/A' if none of those apply. When collectionURL and packageName are used, this field may optionally represent the user or account within the package collection associated with the package.", + "minLength": 1, + "maxLength": 512 + }, + "product": { + "type": "string", + "description": "Name of the affected product.", + "minLength": 1, + "maxLength": 2048 + }, + "collectionURL": { + "description": "URL identifying a package collection (determines the meaning of packageName).", + "$ref": "#/definitions/uriType", + "examples": [ + "https://access.redhat.com/downloads/content/package-browser", + "https://addons.mozilla.org", + "https://addons.thunderbird.net", + "https://anaconda.org/anaconda/repo", + "https://app.vagrantup.com/boxes/search", + "https://apps.apple.com", + "https://archlinux.org/packages", + "https://atmospherejs.meteor.com", + "https://atom.io/packages", + "https://bitbucket.org", + "https://bower.io", + "https://brew.sh/", + "https://chocolatey.org/packages", + "https://chrome.google.com/webstore", + "https://clojars.org", + "https://cocoapods.org", + "https://code.dlang.org", + "https://conan.io/center", + 
"https://cpan.org/modules", + "https://cran.r-project.org", + "https://crates.io", + "https://ctan.org/pkg", + "https://drupal.org", + "https://exchange.adobe.com", + "https://forge.puppet.com/modules", + "https://github.com", + "https://gitlab.com/explore", + "https://golang.org/pkg", + "https://guix.gnu.org/packages", + "https://hackage.haskell.org", + "https://helm.sh", + "https://hub.docker.com", + "https://juliahub.com", + "https://lib.haxe.org", + "https://luarocks.org", + "https://marketplace.visualstudio.com", + "https://melpa.org", + "https://microsoft.com/en-us/store/apps", + "https://nimble.directory", + "https://nuget.org/packages", + "https://opam.ocaml.org/packages", + "https://openwrt.org/packages/index", + "https://package.elm-lang.org", + "https://packagecontrol.io", + "https://packages.debian.org", + "https://packages.gentoo.org", + "https://packagist.org", + "https://pear.php.net/packages.php", + "https://pecl.php.net", + "https://platformio.org/lib", + "https://play.google.com/store", + "https://plugins.gradle.org", + "https://projects.eclipse.org", + "https://pub.dev", + "https://pypi.python.org", + "https://registry.npmjs.org", + "https://registry.terraform.io", + "https://repo.hex.pm", + "https://repo.maven.apache.org/maven2", + "https://rubygems.org", + "https://search.nixos.org/packages", + "https://sourceforge.net", + "https://wordpress.org/plugins" + ] + }, + "packageName": { + "type": "string", + "description": "Name or identifier of the affected software package as used in the package collection.", + "minLength": 1, + "maxLength": 2048 + }, + "cpes": { + "type": "array", + "description": "Affected products defined by CPE. This is an array of CPE values (vulnerable and not), we use an array so that we can make multiple statements about the same version and they are separate (if we used a JSON object we'd essentially be keying on the CPE name and they would have to overlap). 
Also, this allows things like cveDataVersion or cveDescription to be applied directly to the product entry. This also allows more complex statements such as \"Product X between versions 10.2 and 10.8\" to be put in a machine-readable format. As well since multiple statements can be used multiple branches of the same product can be defined here. NOTE: Consider using the newer cpeApplicability block for defining CPE data using the CPE Applicability Language which includes more options for defining CPE Names.", + "uniqueItems": true, + "items": { + "title": "CPE Name", + "description": "Common Platform Enumeration (CPE) Name in either 2.2 or 2.3 format", + "$ref": "#/definitions/cpe22and23" + } + }, + "modules": { + "type": "array", + "description": "A list of the affected components, features, modules, sub-components, sub-products, APIs, commands, utilities, programs, or functionalities (optional).", + "uniqueItems": true, + "items": { + "type": "string", + "description": "Name of the affected component, feature, module, sub-component, sub-product, API, command, utility, program, or functionality (optional).", + "minLength": 1, + "maxLength": 4096 + } + }, + "programFiles": { + "type": "array", + "description": "A list of the affected source code files (optional).", + "uniqueItems": true, + "items": { + "description": "Name or path or location of the affected source code file.", + "type": "string", + "minLength": 1, + "maxLength": 1024 + } + }, + "programRoutines": { + "type": "array", + "description": "A list of the affected source code functions, methods, subroutines, or procedures (optional).", + "uniqueItems": true, + "items": { + "type": "object", + "description": "An object describing program routine.", + "required": [ + "name" + ], + "properties": { + "name": { + "type": "string", + "description": "Name of the affected source code file, function, method, subroutine, or procedure.", + "minLength": 1, + "maxLength": 4096 + } + }, + "additionalProperties": false 
+ } + }, + "platforms": { + "title": "Platforms", + "description": "List of specific platforms if the vulnerability is only relevant in the context of these platforms (optional). Platforms may include execution environments, operating systems, virtualization technologies, hardware models, or computing architectures. The lack of this field or an empty array implies that the other fields are applicable to all relevant platforms.", + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "type": "string", + "examples": [ + "iOS", + "Android", + "Windows", + "macOS", + "x86", + "ARM", + "64 bit", + "Big Endian", + "iPad", + "Chromebook", + "Docker", + "Model T" + ], + "maxLength": 1024 + } + }, + "repo": { + "description": "The URL of the source code repository, for informational purposes and/or to resolve git hash version ranges.", + "$ref": "#/definitions/uriType" + }, + "defaultStatus": { + "description": "The default status for versions that are not otherwise listed in the versions list. If not specified, defaultStatus defaults to 'unknown'. Versions or defaultStatus may be omitted, but not both.", + "$ref": "#/definitions/status" + }, + "versions": { + "type": "array", + "description": "Set of product versions or version ranges related to the vulnerability. The versions satisfy the CNA Rules [8.1.2 requirement](https://cve.mitre.org/cve/cna/rules.html#section_8-1_cve_entry_information_requirements). Versions or defaultStatus may be omitted, but not both.", + "minItems": 1, + "uniqueItems": true, + "items": { + "type": "object", + "description": "A single version or a range of versions, with vulnerability status.\n\nAn entry with only 'version' and 'status' indicates the status of a single version.\n\nOtherwise, an entry describes a range; it must include the 'versionType' property, to define the version numbering semantics in use, and 'limit', to indicate the non-inclusive upper limit of the range. 
The object describes the status for versions V such that 'version' <= V and V < 'limit', using the <= and < semantics defined for the specific kind of 'versionType'. Status changes within the range can be specified by an optional 'changes' list.\n\nThe algorithm to decide the status specified for a version V is:\n\n\tfor entry in product.versions {\n\t\tif entry.lessThan is not present and entry.lessThanOrEqual is not present and v == entry.version {\n\t\t\treturn entry.status\n\t\t}\n\t\tif (entry.lessThan is present and entry.version <= v and v < entry.lessThan) or\n\t\t (entry.lessThanOrEqual is present and entry.version <= v and v <= entry.lessThanOrEqual) { // <= and < defined by entry.versionType\n\t\t\tstatus = entry.status\n\t\t\tfor change in entry.changes {\n\t\t\t\tif change.at <= v {\n\t\t\t\t\tstatus = change.status\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn status\n\t\t}\n\t}\n\treturn product.defaultStatus\n\n.", + "oneOf": [ + { + "required": [ + "version", + "status" + ], + "maxProperties": 2 + }, + { + "required": [ + "version", + "status", + "versionType" + ], + "maxProperties": 3 + }, + { + "required": [ + "version", + "status", + "versionType", + "lessThan" + ] + }, + { + "required": [ + "version", + "status", + "versionType", + "lessThanOrEqual" + ] + } + ], + "properties": { + "version": { + "description": "The single version being described, or the version at the start of the range. By convention, typically 0 denotes the earliest possible version.", + "$ref": "#/definitions/version" + }, + "status": { + "description": "The vulnerability status for the version or range of versions. For a range, the status may be refined by the 'changes' list.", + "$ref": "#/definitions/status" + }, + "versionType": { + "type": "string", + "description": "The version numbering system used for specifying the range. This defines the exact semantics of the comparison (less-than) operation on versions, which is required to understand the range itself. 
'Custom' indicates that the version type is unspecified and should be avoided whenever possible. It is included primarily for use in conversion of older data files.", + "minLength": 1, + "maxLength": 128, + "examples": [ + "custom", + "git", + "maven", + "python", + "rpm", + "semver" + ] + }, + "lessThan": { + "description": "The non-inclusive upper limit of the range. This is the least version NOT in the range. The usual version syntax is expanded to allow a pattern to end in an asterisk `(*)`, indicating an arbitrarily large number in the version ordering. For example, `{version: 1.0 lessThan: 1.*}` would describe the entire 1.X branch for most range kinds, and `{version: 2.0, lessThan: *}` describes all versions starting at 2.0, including 3.0, 5.1, and so on. Only one of lessThan and lessThanOrEqual should be specified.", + "$ref": "#/definitions/version" + }, + "lessThanOrEqual": { + "description": "The inclusive upper limit of the range. This is the greatest version contained in the range. Only one of lessThan and lessThanOrEqual should be specified. For example, `{version: 1.0, lessThanOrEqual: 1.3}` covers all versions from 1.0 up to and including 1.3.", + "$ref": "#/definitions/version" + }, + "changes": { + "type": "array", + "description": "A list of status changes that take place during the range. 
The array should be sorted in increasing order by the 'at' field, according to the versionType, but clients must re-sort the list themselves rather than assume it is sorted.", + "minItems": 1, + "uniqueItems": true, + "items": { + "type": "object", + "description": "The start of a single status change during the range.", + "required": [ + "at", + "status" + ], + "additionalProperties": false, + "properties": { + "at": { + "description": "The version at which a status change occurs.", + "$ref": "#/definitions/version" + }, + "status": { + "description": "The new status in the range starting at the given version.", + "$ref": "#/definitions/status" + } + } + } + } + }, + "additionalProperties": false + } + } + } + }, + "dataType": { + "description": "Indicates the type of information represented in the JSON instance.", + "type": "string", + "enum": [ + "CVE_RECORD" + ] + }, + "dataVersion": { + "description": "The version of the CVE schema used for validating this record. Used to support multiple versions of this format.", + "type": "string", + "pattern": "^5\\.(0|[1-9][0-9]*)(\\.(0|[1-9][0-9]*))?$", + "default": "5.1.1" + }, + "cveMetadataPublished": { + "description": "This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, the current state (PUBLISHED, REJECTED, etc.) and so on. These fields are controlled by the CVE Services.", + "type": "object", + "required": [ + "cveId", + "assignerOrgId", + "state" + ], + "properties": { + "cveId": { + "description": "The CVE identifier that this record pertains to.", + "$ref": "#/definitions/cveId" + }, + "assignerOrgId": { + "$ref": "#/definitions/orgId", + "description": "The UUID for the organization to which the CVE ID was originally assigned. This UUID can be used to lookup the organization record in the user registry service." 
+ }, + "assignerShortName": { + "$ref": "#/definitions/shortName", + "description": "The short name for the organization to which the CVE ID was originally assigned." + }, + "requesterUserId": { + "$ref": "#/definitions/userId", + "description": "The user that requested the CVE identifier." + }, + "dateUpdated": { + "description": "The date/time the record was last updated.", + "$ref": "#/definitions/timestamp" + }, + "serial": { + "type": "integer", + "minimum": 1, + "description": "The system of record causes this to start at 1, and increment by 1 each time a submission from a data provider changes this CVE Record. The incremented value moves to the Rejected schema upon a PUBLISHED->REJECTED transition, and moves to the Published schema upon a REJECTED->PUBLISHED transition." + }, + "dateReserved": { + "$ref": "#/definitions/timestamp", + "description": "The date/time this CVE ID was reserved in the CVE automation workgroup services system. Disclaimer: This date reflects when the CVE ID was reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE." + }, + "datePublished": { + "$ref": "#/definitions/timestamp", + "description": "The date/time the CVE Record was first published in the CVE List." + }, + "state": { + "description": "State of CVE - PUBLISHED, REJECTED.", + "type": "string", + "enum": [ + "PUBLISHED" + ] + } + }, + "additionalProperties": false + }, + "cveMetadataRejected": { + "type": "object", + "description": "This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, the current state (PUBLISHED, REJECTED, etc.) and so on. 
These fields are controlled by the CVE Services.", + "required": [ + "cveId", + "assignerOrgId", + "state" + ], + "properties": { + "cveId": { + "description": "The CVE identifier that this record pertains to.", + "$ref": "#/definitions/cveId" + }, + "assignerOrgId": { + "$ref": "#/definitions/orgId", + "description": "The UUID for the organization to which the CVE ID was originally assigned." + }, + "assignerShortName": { + "$ref": "#/definitions/shortName", + "description": "The short name for the organization to which the CVE ID was originally assigned." + }, + "serial": { + "type": "integer", + "minimum": 1, + "description": "The system of record causes this to start at 1, and increment by 1 each time a submission from a data provider changes this CVE Record. The incremented value moves to the Rejected schema upon a PUBLISHED->REJECTED transition, and moves to the Published schema upon a REJECTED->PUBLISHED transition." + }, + "dateUpdated": { + "description": "The date/time the record was last updated.", + "$ref": "#/definitions/timestamp" + }, + "datePublished": { + "$ref": "#/definitions/timestamp", + "description": "The date/time the CVE Record was first published in the CVE List." + }, + "dateRejected": { + "$ref": "#/definitions/timestamp", + "description": "The date/time the CVE ID was rejected." + }, + "state": { + "type": "string", + "description": "State of CVE - PUBLISHED, REJECTED.", + "enum": [ + "REJECTED" + ] + }, + "dateReserved": { + "$ref": "#/definitions/timestamp", + "description": "The date/time this CVE ID was reserved in the CVE automation workgroup services system. Disclaimer: This date reflects when the CVE ID was reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE." 
+ } + }, + "additionalProperties": false + }, + "providerMetadata": { + "type": "object", + "description": "Details related to the information container provider (CNA or ADP).", + "properties": { + "orgId": { + "$ref": "#/definitions/orgId", + "description": "The container provider's organizational UUID." + }, + "shortName": { + "$ref": "#/definitions/shortName", + "description": "The container provider's organizational short name." + }, + "dateUpdated": { + "$ref": "#/definitions/timestamp", + "description": "Timestamp to be set by the system of record at time of submission. If dateUpdated is provided to the system of record it will be replaced by the current timestamp at the time of submission." + } + }, + "required": [ + "orgId" + ], + "additionalProperties": false + }, + "cpeApplicabilityElement": { + "description": "Affected products defined using an implementation of the CPE Applicability Language, mostly copied/forked from the NIST NVD CVE API v2.0 schema (optional). An operator property allows AND or OR logic between CPEs or combinations of CPEs. The negate and vulnerable Boolean properties allow CPEs to be inverted and/or defined as vulnerable or not. Multiple version fields are provided for capturing ranges of products when defining a CPE Match String Range. 
NOTE: When defining a cpeApplicability block, it is recommended that it align with (as much as possible) the product data provided within the affected block.", + "properties": { + "operator": { + "type": "string", + "enum": [ + "AND", + "OR" + ] + }, + "negate": { + "type": "boolean" + }, + "nodes": { + "type": "array", + "items": { + "$ref": "#/definitions/cpe_node" + } + } + }, + "required": [ + "nodes" + ] + }, + "cpe_node": { + "description": "Defines a CPE configuration node in an applicability statement.", + "properties": { + "operator": { + "type": "string", + "enum": [ + "AND", + "OR" + ] + }, + "negate": { + "type": "boolean" + }, + "cpeMatch": { + "type": "array", + "items": { + "$ref": "#/definitions/cpe_match" + } + } + }, + "required": [ + "operator", + "cpeMatch" + ] + }, + "cpe_match": { + "description": "CPE match string or range", + "type": "object", + "properties": { + "vulnerable": { + "type": "boolean" + }, + "criteria": { + "$ref": "#/definitions/cpe23" + }, + "matchCriteriaId": { + "$ref": "#/definitions/uuidType" + }, + "versionStartExcluding": { + "$ref": "#/definitions/version" + }, + "versionStartIncluding": { + "$ref": "#/definitions/version" + }, + "versionEndExcluding": { + "$ref": "#/definitions/version" + }, + "versionEndIncluding": { + "$ref": "#/definitions/version" + } + }, + "required": [ + "vulnerable", + "criteria" + ], + "additionalProperties": false + }, + "cnaPublishedContainer": { + "description": "An object containing the vulnerability information provided by a CVE Numbering Authority (CNA) for a published CVE ID. There can only be one CNA container per CVE record since there can only be one assigning CNA. 
The CNA container must include the required information defined in the CVE Rules, which includes a product, version, problem type, prose description, and a reference.", + "type": "object", + "properties": { + "providerMetadata": { + "$ref": "#/definitions/providerMetadata" + }, + "dateAssigned": { + "$ref": "#/definitions/timestamp", + "description": "The date/time this CVE ID was associated with a vulnerability by a CNA." + }, + "datePublic": { + "$ref": "#/definitions/timestamp", + "description": "If known, the date/time the vulnerability was disclosed publicly." + }, + "title": { + "type": "string", + "description": "A title, headline, or a brief phrase summarizing the CVE record. Eg., Buffer overflow in Example Soft.", + "minLength": 1, + "maxLength": 256 + }, + "descriptions": { + "$ref": "#/definitions/descriptions" + }, + "affected": { + "$ref": "#/definitions/affected" + }, + "cpeApplicability": { + "type": "array", + "items": { + "$ref": "#/definitions/cpeApplicabilityElement" + } + }, + "problemTypes": { + "$ref": "#/definitions/problemTypes" + }, + "references": { + "$ref": "#/definitions/references" + }, + "impacts": { + "$ref": "#/definitions/impacts" + }, + "metrics": { + "$ref": "#/definitions/metrics" + }, + "configurations": { + "$ref": "#/definitions/configurations" + }, + "workarounds": { + "$ref": "#/definitions/workarounds" + }, + "solutions": { + "$ref": "#/definitions/solutions" + }, + "exploits": { + "$ref": "#/definitions/exploits" + }, + "timeline": { + "$ref": "#/definitions/timeline" + }, + "credits": { + "$ref": "#/definitions/credits" + }, + "source": { + "$ref": "#/definitions/source" + }, + "tags": { + "$ref": "#/definitions/cnaTags" + }, + "taxonomyMappings": { + "$ref": "#/definitions/taxonomyMappings" + } + }, + "required": [ + "providerMetadata", + "descriptions", + "affected", + "references" + ], + "patternProperties": { + "^x_[^.]*$": {} + }, + "$comment": "The character . 
is restricted in names allowed by patternProperties to work-around naming limitations in some common implementations.", + "additionalProperties": false + }, + "cnaRejectedContainer": { + "description": "An object containing the vulnerability information provided by a CVE Numbering Authority (CNA) for a rejected CVE ID. There can only be one CNA container per CVE record since there can only be one assigning CNA.", + "type": "object", + "properties": { + "providerMetadata": { + "$ref": "#/definitions/providerMetadata" + }, + "rejectedReasons": { + "description": "Reasons for rejecting this CVE Record.", + "$ref": "#/definitions/descriptions" + }, + "replacedBy": { + "type": "array", + "description": "Contains an array of CVE IDs that this CVE ID was rejected in favor of because this CVE ID was assigned to the vulnerabilities.", + "minItems": 1, + "uniqueItems": true, + "items": { + "$ref": "#/definitions/cveId" + } + } + }, + "required": [ + "providerMetadata", + "rejectedReasons" + ], + "patternProperties": { + "^x_[^.]*$": {} + }, + "$comment": "The character . is restricted in names allowed by patternProperties to work-around naming limitations in some common implementations.", + "additionalProperties": false + }, + "adpContainer": { + "description": "An object containing the vulnerability information provided by an Authorized Data Publisher (ADP). Since multiple ADPs can provide information for a CVE ID, an ADP container must indicate which ADP is the source of the information in the object.", + "type": "object", + "properties": { + "providerMetadata": { + "$ref": "#/definitions/providerMetadata" + }, + "datePublic": { + "$ref": "#/definitions/timestamp", + "description": "If known, the date/time the vulnerability was disclosed publicly." 
+ }, + "title": { + "type": "string", + "description": "A title, headline, or a brief phrase summarizing the information in an ADP container.", + "minLength": 1, + "maxLength": 256 + }, + "descriptions": { + "$ref": "#/definitions/descriptions" + }, + "affected": { + "$ref": "#/definitions/affected" + }, + "cpeApplicability": { + "type": "array", + "items": { + "$ref": "#/definitions/cpeApplicabilityElement" + } + }, + "problemTypes": { + "$ref": "#/definitions/problemTypes" + }, + "references": { + "$ref": "#/definitions/references" + }, + "impacts": { + "$ref": "#/definitions/impacts" + }, + "metrics": { + "$ref": "#/definitions/metrics" + }, + "configurations": { + "$ref": "#/definitions/configurations" + }, + "workarounds": { + "$ref": "#/definitions/workarounds" + }, + "solutions": { + "$ref": "#/definitions/solutions" + }, + "exploits": { + "$ref": "#/definitions/exploits" + }, + "timeline": { + "$ref": "#/definitions/timeline" + }, + "credits": { + "$ref": "#/definitions/credits" + }, + "source": { + "$ref": "#/definitions/source" + }, + "tags": { + "$ref": "#/definitions/adpTags" + }, + "taxonomyMappings": { + "$ref": "#/definitions/taxonomyMappings" + } + }, + "required": [ + "providerMetadata" + ], + "minProperties": 2, + "patternProperties": { + "^x_[^.]*$": {} + }, + "$comment": "The character . 
is restricted in names allowed by patternProperties to work-around naming limitations in some common implementations.", + "additionalProperties": false + }, + "affected": { + "type": "array", + "description": "List of affected products.", + "minItems": 1, + "items": { + "$ref": "#/definitions/product" + } + }, + "description": { + "type": "object", + "description": "Text in a particular language with optional alternate markup or formatted representation (e.g., Markdown) or embedded media.", + "properties": { + "lang": { + "$ref": "#/definitions/language" + }, + "value": { + "type": "string", + "description": "Plain text description.", + "minLength": 1, + "maxLength": 4096 + }, + "supportingMedia": { + "type": "array", + "title": "Supporting media", + "description": "Supporting media data for the description such as markdown, diagrams, .. (optional). Similar to RFC 2397 each media object has three main parts: media type, media data value, and an optional boolean flag to indicate if the media data is base64 encoded.", + "uniqueItems": true, + "minItems": 1, + "items": { + "type": "object", + "properties": { + "type": { + "type": "string", + "title": "Media type", + "minLength": 1, + "maxLength": 256, + "description": "RFC2046 compliant IANA Media type for eg., text/markdown, text/html.", + "examples": [ + "text/markdown", + "text/html", + "image/png", + "image/svg", + "audio/mp3" + ] + }, + "base64": { + "type": "boolean", + "title": "Encoding", + "description": "If true then the value field contains the media data encoded in base64. If false then the value field contains the UTF-8 media content.", + "default": false + }, + "value": { + "type": "string", + "description": "Supporting media content, up to 16K. 
If base64 is true, this field stores base64 encoded data.", + "minLength": 1, + "maxLength": 16384 + } + }, + "required": [ + "type", + "value" + ], + "additionalProperties": false + } + } + }, + "required": [ + "lang", + "value" + ], + "additionalProperties": false + }, + "englishLanguageDescription": { + "type": "object", + "description": "A description with lang set to an English language (en, en_US, en_UK, and so on).", + "properties": { + "lang": { + "$ref": "#/definitions/englishLanguage" + } + }, + "required": [ + "lang" + ], + "$comment": "Cannot use additionalProperties: false here, as this prevents the other properties used by /definitions/description." + }, + "descriptions": { + "type": "array", + "description": "A list of multi-lingual descriptions of the vulnerability. E.g., [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]. OR [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] [ROOT CAUSE], which allows [ATTACKER] to [IMPACT] via [VECTOR].", + "minItems": 1, + "uniqueItems": true, + "items": { + "$ref": "#/definitions/description" + }, + "contains": { + "$ref": "#/definitions/englishLanguageDescription" + } + }, + "problemTypes": { + "type": "array", + "description": "This is problem type information (e.g. CWE identifier). Must contain: At least one entry, can be text, OWASP, CWE, please note that while only one is required you can use more than one (or indeed all three) as long as they are correct). 
(CNA requirement: [PROBLEMTYPE]).", + "items": { + "type": "object", + "required": [ + "descriptions" + ], + "properties": { + "descriptions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "lang", + "description" + ], + "properties": { + "lang": { + "$ref": "#/definitions/language" + }, + "description": { + "type": "string", + "description": "Text description of problemType, or title from CWE or OWASP.", + "minLength": 1, + "maxLength": 4096 + }, + "cweId": { + "type": "string", + "description": "CWE ID of the CWE that best describes this problemType entry.", + "minLength": 5, + "maxLength": 9, + "pattern": "^CWE-[1-9][0-9]*$" + }, + "type": { + "type": "string", + "description": "Problemtype source, text, OWASP, CWE, etc.,", + "minLength": 1, + "maxLength": 128 + }, + "references": { + "$ref": "#/definitions/references" + } + }, + "additionalProperties": false + }, + "minItems": 1, + "uniqueItems": true + } + }, + "additionalProperties": false + }, + "minItems": 1, + "uniqueItems": true + }, + "references": { + "type": "array", + "description": "This is reference data in the form of URLs or file objects (uuencoded and embedded within the JSON file, exact format to be decided, e.g. we may require a compressed format so the objects require unpacking before they are \"dangerous\").", + "items": { + "$ref": "#/definitions/reference" + }, + "minItems": 1, + "maxItems": 512, + "uniqueItems": true + }, + "impacts": { + "type": "array", + "description": "Collection of impacts of this vulnerability.", + "minItems": 1, + "uniqueItems": true, + "items": { + "type": "object", + "description": "This is impact type information (e.g. 
a text description.", + "required": [ + "descriptions" + ], + "properties": { + "capecId": { + "type": "string", + "description": "CAPEC ID that best relates to this impact.", + "minLength": 7, + "maxLength": 11, + "pattern": "^CAPEC-[1-9][0-9]{0,4}$" + }, + "descriptions": { + "description": "Prose description of the impact scenario. At a minimum provide the description given by CAPEC.", + "$ref": "#/definitions/descriptions" + } + }, + "additionalProperties": false + } + }, + "metrics": { + "type": "array", + "description": "Collection of impact scores with attribution.", + "minItems": 1, + "uniqueItems": true, + "items": { + "type": "object", + "description": "This is impact type information (e.g. a text description, CVSSv2, CVSSv3, CVSSV4, etc.). Must contain: At least one entry, can be text, CVSSv2, CVSSv3, others may be added.", + "anyOf": [ + { + "required": [ + "cvssV4_0" + ] + }, + { + "required": [ + "cvssV3_1" + ] + }, + { + "required": [ + "cvssV3_0" + ] + }, + { + "required": [ + "cvssV2_0" + ] + }, + { + "required": [ + "other" + ] + } + ], + "properties": { + "format": { + "type": "string", + "description": "Name of the scoring format. This provides a bit of future proofing. Additional properties are not prohibited, so this will support the inclusion of proprietary formats. It also provides an easy future conversion mechanism when future score formats become part of the schema. example: cvssV44, format = 'cvssV44', other = cvssV4_4 JSON object. In the future, the other properties can be converted to score properties when they become part of the schema.", + "minLength": 1, + "maxLength": 64 + }, + "scenarios": { + "type": "array", + "description": "Description of the scenarios this metrics object applies to. 
If no specific scenario is given, GENERAL is used as the default and applies when no more specific metric matches.", + "minItems": 1, + "uniqueItems": true, + "items": { + "type": "object", + "properties": { + "lang": { + "$ref": "#/definitions/language" + }, + "value": { + "type": "string", + "default": "GENERAL", + "description": "Description of the scenario this metrics object applies to. If no specific scenario is given, GENERAL is used as the default and applies when no more specific metric matches.", + "minLength": 1, + "maxLength": 4096 + } + }, + "required": [ + "lang", + "value" + ], + "additionalProperties": false + } + }, + "cvssV4_0": { + "$schema": "http://json-schema.org/draft-07/schema#", + "title": "JSON Schema for Common Vulnerability Scoring System version 4.0", + "type": "object", + "definitions": { + "attackVectorType": { + "type": "string", + "enum": [ + "NETWORK", + "ADJACENT", + "LOCAL", + "PHYSICAL" + ] + }, + "modifiedAttackVectorType": { + "type": "string", + "enum": [ + "NETWORK", + "ADJACENT", + "LOCAL", + "PHYSICAL", + "NOT_DEFINED" + ], + "default": "NOT_DEFINED" + }, + "attackComplexityType": { + "type": "string", + "enum": [ + "HIGH", + "LOW" + ] + }, + "modifiedAttackComplexityType": { + "type": "string", + "enum": [ + "HIGH", + "LOW", + "NOT_DEFINED" + ], + "default": "NOT_DEFINED" + }, + "attackRequirementsType": { + "type": "string", + "enum": [ + "NONE", + "PRESENT" + ] + }, + "modifiedAttackRequirementsType": { + "type": "string", + "enum": [ + "NONE", + "PRESENT", + "NOT_DEFINED" + ], + "default": "NOT_DEFINED" + }, + "privilegesRequiredType": { + "type": "string", + "enum": [ + "HIGH", + "LOW", + "NONE" + ] + }, + "modifiedPrivilegesRequiredType": { + "type": "string", + "enum": [ + "HIGH", + "LOW", + "NONE", + "NOT_DEFINED" + ], + "default": "NOT_DEFINED" + }, + "userInteractionType": { + "type": "string", + "enum": [ + "NONE", + "PASSIVE", + "ACTIVE" + ] + }, + "modifiedUserInteractionType": { + "type": "string", + "enum": 
[ + "NONE", + "PASSIVE", + "ACTIVE", + "NOT_DEFINED" + ], + "default": "NOT_DEFINED" + }, + "vulnCiaType": { + "type": "string", + "enum": [ + "NONE", + "LOW", + "HIGH" + ] + }, + "modifiedVulnCiaType": { + "type": "string", + "enum": [ + "NONE", + "LOW", + "HIGH", + "NOT_DEFINED" + ], + "default": "NOT_DEFINED" + }, + "subCiaType": { + "type": "string", + "enum": [ + "NONE", + "LOW", + "HIGH" + ] + }, + "modifiedSubCType": { + "type": "string", + "enum": [ + "NONE", + "LOW", + "HIGH", + "NOT_DEFINED" + ], + "default": "NOT_DEFINED" + }, + "modifiedSubIaType": { + "type": "string", + "enum": [ + "NONE", + "LOW", + "HIGH", + "SAFETY", + "NOT_DEFINED" + ], + "default": "NOT_DEFINED" + }, + "exploitMaturityType": { + "type": "string", + "enum": [ + "UNREPORTED", + "PROOF_OF_CONCEPT", + "ATTACKED", + "NOT_DEFINED" + ], + "default": "NOT_DEFINED" + }, + "ciaRequirementType": { + "type": "string", + "enum": [ + "LOW", + "MEDIUM", + "HIGH", + "NOT_DEFINED" + ], + "default": "NOT_DEFINED" + }, + "safetyType": { + "type": "string", + "enum": [ + "NEGLIGIBLE", + "PRESENT", + "NOT_DEFINED" + ], + "default": "NOT_DEFINED" + }, + "automatableType": { + "type": "string", + "enum": [ + "NO", + "YES", + "NOT_DEFINED" + ], + "default": "NOT_DEFINED" + }, + "recoveryType": { + "type": "string", + "enum": [ + "AUTOMATIC", + "USER", + "IRRECOVERABLE", + "NOT_DEFINED" + ], + "default": "NOT_DEFINED" + }, + "valueDensityType": { + "type": "string", + "enum": [ + "DIFFUSE", + "CONCENTRATED", + "NOT_DEFINED" + ], + "default": "NOT_DEFINED" + }, + "vulnerabilityResponseEffortType": { + "type": "string", + "enum": [ + "LOW", + "MODERATE", + "HIGH", + "NOT_DEFINED" + ], + "default": "NOT_DEFINED" + }, + "providerUrgencyType": { + "type": "string", + "enum": [ + "CLEAR", + "GREEN", + "AMBER", + "RED", + "NOT_DEFINED" + ], + "default": "NOT_DEFINED" + }, + "scoreType": { + "type": "number", + "enum": [ + 0, + 0.1, + 0.2, + 0.3, + 0.4, + 0.5, + 0.6, + 0.7, + 0.8, + 0.9, + 1, + 1.1, + 1.2, + 
1.3, + 1.4, + 1.5, + 1.6, + 1.7, + 1.8, + 1.9, + 2, + 2.1, + 2.2, + 2.3, + 2.4, + 2.5, + 2.6, + 2.7, + 2.8, + 2.9, + 3, + 3.1, + 3.2, + 3.3, + 3.4, + 3.5, + 3.6, + 3.7, + 3.8, + 3.9, + 4, + 4.1, + 4.2, + 4.3, + 4.4, + 4.5, + 4.6, + 4.7, + 4.8, + 4.9, + 5, + 5.1, + 5.2, + 5.3, + 5.4, + 5.5, + 5.6, + 5.7, + 5.8, + 5.9, + 6, + 6.1, + 6.2, + 6.3, + 6.4, + 6.5, + 6.6, + 6.7, + 6.8, + 6.9, + 7, + 7.1, + 7.2, + 7.3, + 7.4, + 7.5, + 7.6, + 7.7, + 7.8, + 7.9, + 8, + 8.1, + 8.2, + 8.3, + 8.4, + 8.5, + 8.6, + 8.7, + 8.8, + 8.9, + 9, + 9.1, + 9.2, + 9.3, + 9.4, + 9.5, + 9.6, + 9.7, + 9.8, + 9.9, + 10 + ] + }, + "noneScoreType": { + "type": "number", + "minimum": 0, + "maximum": 0 + }, + "lowScoreType": { + "type": "number", + "enum": [ + 0.1, + 0.2, + 0.3, + 0.4, + 0.5, + 0.6, + 0.7, + 0.8, + 0.9, + 1, + 1.1, + 1.2, + 1.3, + 1.4, + 1.5, + 1.6, + 1.7, + 1.8, + 1.9, + 2, + 2.1, + 2.2, + 2.3, + 2.4, + 2.5, + 2.6, + 2.7, + 2.8, + 2.9, + 3, + 3.1, + 3.2, + 3.3, + 3.4, + 3.5, + 3.6, + 3.7, + 3.8, + 3.9 + ] + }, + "mediumScoreType": { + "type": "number", + "enum": [ + 4, + 4.1, + 4.2, + 4.3, + 4.4, + 4.5, + 4.6, + 4.7, + 4.8, + 4.9, + 5, + 5.1, + 5.2, + 5.3, + 5.4, + 5.5, + 5.6, + 5.7, + 5.8, + 5.9, + 6, + 6.1, + 6.2, + 6.3, + 6.4, + 6.5, + 6.6, + 6.7, + 6.8, + 6.9 + ] + }, + "highScoreType": { + "type": "number", + "enum": [ + 7, + 7.1, + 7.2, + 7.3, + 7.4, + 7.5, + 7.6, + 7.7, + 7.8, + 7.9, + 8, + 8.1, + 8.2, + 8.3, + 8.4, + 8.5, + 8.6, + 8.7, + 8.8, + 8.9 + ] + }, + "criticalScoreType": { + "type": "number", + "enum": [ + 9, + 9.1, + 9.2, + 9.3, + 9.4, + 9.5, + 9.6, + 9.7, + 9.8, + 9.9, + 10 + ] + }, + "severityType": { + "type": "string", + "enum": [ + "NONE", + "LOW", + "MEDIUM", + "HIGH", + "CRITICAL" + ] + }, + "noneSeverityType": { + "const": "NONE" + }, + "lowSeverityType": { + "const": "LOW" + }, + "mediumSeverityType": { + "const": "MEDIUM" + }, + "highSeverityType": { + "const": "HIGH" + }, + "criticalSeverityType": { + "const": "CRITICAL" + } + }, + "properties": { + 
"version": { + "description": "CVSS Version", + "type": "string", + "enum": [ + "4.0" + ] + }, + "vectorString": { + "type": "string", + "pattern": "^CVSS:4[.]0/AV:[NALP]/AC:[LH]/AT:[NP]/PR:[NLH]/UI:[NPA]/VC:[HLN]/VI:[HLN]/VA:[HLN]/SC:[HLN]/SI:[HLN]/SA:[HLN](/E:[XAPU])?(/CR:[XHML])?(/IR:[XHML])?(/AR:[XHML])?(/MAV:[XNALP])?(/MAC:[XLH])?(/MAT:[XNP])?(/MPR:[XNLH])?(/MUI:[XNPA])?(/MVC:[XNLH])?(/MVI:[XNLH])?(/MVA:[XNLH])?(/MSC:[XNLH])?(/MSI:[XNLHS])?(/MSA:[XNLHS])?(/S:[XNP])?(/AU:[XNY])?(/R:[XAUI])?(/V:[XDC])?(/RE:[XLMH])?(/U:(X|Clear|Green|Amber|Red))?$" + }, + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/scoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/severityType" + }, + "attackVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/attackVectorType" + }, + "attackComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/attackComplexityType" + }, + "attackRequirements": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/attackRequirementsType" + }, + "privilegesRequired": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/privilegesRequiredType" + }, + "userInteraction": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/userInteractionType" + }, + "vulnConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType" + }, + "vulnIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType" + }, + "vulnAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType" + }, + "subConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType" + }, + "subIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType" + }, + 
"subAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType" + }, + "exploitMaturity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/exploitMaturityType" + }, + "confidentialityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType" + }, + "integrityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType" + }, + "availabilityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType" + }, + "modifiedAttackVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackVectorType" + }, + "modifiedAttackComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackComplexityType" + }, + "modifiedAttackRequirements": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackRequirementsType" + }, + "modifiedPrivilegesRequired": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedPrivilegesRequiredType" + }, + "modifiedUserInteraction": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedUserInteractionType" + }, + "modifiedVulnConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType" + }, + "modifiedVulnIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType" + }, + "modifiedVulnAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType" + }, + "modifiedSubConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubCType" + }, + "modifiedSubIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubIaType" + }, + 
"modifiedSubAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubIaType" + }, + "Safety": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/safetyType" + }, + "Automatable": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/automatableType" + }, + "Recovery": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/recoveryType" + }, + "valueDensity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/valueDensityType" + }, + "vulnerabilityResponseEffort": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnerabilityResponseEffortType" + }, + "providerUrgency": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/providerUrgencyType" + } + }, + "allOf": [ + { + "anyOf": [ + { + "properties": { + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType" + } + } + }, + { + "properties": { + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowScoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowSeverityType" + } + } + }, + { + "properties": { + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumScoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumSeverityType" + } + } + }, + { + "properties": { + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highScoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highSeverityType" + } + } + }, + { + "properties": { + "baseScore": { + "$ref": 
"#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalScoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalSeverityType" + } + } + } + ] + }, + { + "anyOf": [ + { + "properties": { + "threatScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType" + }, + "threatSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType" + } + } + }, + { + "properties": { + "threatScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowScoreType" + }, + "threatSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowSeverityType" + } + } + }, + { + "properties": { + "threatScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumScoreType" + }, + "threatSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumSeverityType" + } + } + }, + { + "properties": { + "threatScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highScoreType" + }, + "threatSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highSeverityType" + } + } + }, + { + "properties": { + "threatScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalScoreType" + }, + "threatSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalSeverityType" + } + } + } + ] + }, + { + "anyOf": [ + { + "properties": { + "environmentalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType" + }, + "environmentalSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType" + } + } + }, + { + "properties": { + "environmentalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowScoreType" + }, + "environmentalSeverity": { + "$ref": 
"#/definitions/metrics/items/properties/cvssV4_0/definitions/lowSeverityType" + } + } + }, + { + "properties": { + "environmentalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumScoreType" + }, + "environmentalSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumSeverityType" + } + } + }, + { + "properties": { + "environmentalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highScoreType" + }, + "environmentalSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highSeverityType" + } + } + }, + { + "properties": { + "environmentalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalScoreType" + }, + "environmentalSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalSeverityType" + } + } + } + ] + } + ], + "required": [ + "version", + "vectorString", + "baseScore", + "baseSeverity" + ], + "additionalProperties": false + }, + "cvssV3_1": { + "$schema": "http://json-schema.org/draft-07/schema#", + "title": "JSON Schema for Common Vulnerability Scoring System version 3.1", + "type": "object", + "definitions": { + "attackVectorType": { + "type": "string", + "enum": [ + "NETWORK", + "ADJACENT_NETWORK", + "LOCAL", + "PHYSICAL" + ] + }, + "modifiedAttackVectorType": { + "type": "string", + "enum": [ + "NETWORK", + "ADJACENT_NETWORK", + "LOCAL", + "PHYSICAL", + "NOT_DEFINED" + ] + }, + "attackComplexityType": { + "type": "string", + "enum": [ + "HIGH", + "LOW" + ] + }, + "modifiedAttackComplexityType": { + "type": "string", + "enum": [ + "HIGH", + "LOW", + "NOT_DEFINED" + ] + }, + "privilegesRequiredType": { + "type": "string", + "enum": [ + "HIGH", + "LOW", + "NONE" + ] + }, + "modifiedPrivilegesRequiredType": { + "type": "string", + "enum": [ + "HIGH", + "LOW", + "NONE", + "NOT_DEFINED" + ] + }, + "userInteractionType": { + "type": "string", + "enum": [ + "NONE", 
+ "REQUIRED" + ] + }, + "modifiedUserInteractionType": { + "type": "string", + "enum": [ + "NONE", + "REQUIRED", + "NOT_DEFINED" + ] + }, + "scopeType": { + "type": "string", + "enum": [ + "UNCHANGED", + "CHANGED" + ] + }, + "modifiedScopeType": { + "type": "string", + "enum": [ + "UNCHANGED", + "CHANGED", + "NOT_DEFINED" + ] + }, + "ciaType": { + "type": "string", + "enum": [ + "NONE", + "LOW", + "HIGH" + ] + }, + "modifiedCiaType": { + "type": "string", + "enum": [ + "NONE", + "LOW", + "HIGH", + "NOT_DEFINED" + ] + }, + "exploitCodeMaturityType": { + "type": "string", + "enum": [ + "UNPROVEN", + "PROOF_OF_CONCEPT", + "FUNCTIONAL", + "HIGH", + "NOT_DEFINED" + ] + }, + "remediationLevelType": { + "type": "string", + "enum": [ + "OFFICIAL_FIX", + "TEMPORARY_FIX", + "WORKAROUND", + "UNAVAILABLE", + "NOT_DEFINED" + ] + }, + "confidenceType": { + "type": "string", + "enum": [ + "UNKNOWN", + "REASONABLE", + "CONFIRMED", + "NOT_DEFINED" + ] + }, + "ciaRequirementType": { + "type": "string", + "enum": [ + "LOW", + "MEDIUM", + "HIGH", + "NOT_DEFINED" + ] + }, + "scoreType": { + "type": "number", + "enum": [ + 0, + 0.1, + 0.2, + 0.3, + 0.4, + 0.5, + 0.6, + 0.7, + 0.8, + 0.9, + 1, + 1.1, + 1.2, + 1.3, + 1.4, + 1.5, + 1.6, + 1.7, + 1.8, + 1.9, + 2, + 2.1, + 2.2, + 2.3, + 2.4, + 2.5, + 2.6, + 2.7, + 2.8, + 2.9, + 3, + 3.1, + 3.2, + 3.3, + 3.4, + 3.5, + 3.6, + 3.7, + 3.8, + 3.9, + 4, + 4.1, + 4.2, + 4.3, + 4.4, + 4.5, + 4.6, + 4.7, + 4.8, + 4.9, + 5, + 5.1, + 5.2, + 5.3, + 5.4, + 5.5, + 5.6, + 5.7, + 5.8, + 5.9, + 6, + 6.1, + 6.2, + 6.3, + 6.4, + 6.5, + 6.6, + 6.7, + 6.8, + 6.9, + 7, + 7.1, + 7.2, + 7.3, + 7.4, + 7.5, + 7.6, + 7.7, + 7.8, + 7.9, + 8, + 8.1, + 8.2, + 8.3, + 8.4, + 8.5, + 8.6, + 8.7, + 8.8, + 8.9, + 9, + 9.1, + 9.2, + 9.3, + 9.4, + 9.5, + 9.6, + 9.7, + 9.8, + 9.9, + 10 + ] + }, + "severityType": { + "type": "string", + "enum": [ + "NONE", + "LOW", + "MEDIUM", + "HIGH", + "CRITICAL" + ] + }, + "noneScoreType": { + "type": "number", + "minimum": 0, + "maximum": 0 + 
}, + "lowScoreType": { + "type": "number", + "enum": [ + 0.1, + 0.2, + 0.3, + 0.4, + 0.5, + 0.6, + 0.7, + 0.8, + 0.9, + 1, + 1.1, + 1.2, + 1.3, + 1.4, + 1.5, + 1.6, + 1.7, + 1.8, + 1.9, + 2, + 2.1, + 2.2, + 2.3, + 2.4, + 2.5, + 2.6, + 2.7, + 2.8, + 2.9, + 3, + 3.1, + 3.2, + 3.3, + 3.4, + 3.5, + 3.6, + 3.7, + 3.8, + 3.9 + ] + }, + "mediumScoreType": { + "type": "number", + "enum": [ + 4, + 4.1, + 4.2, + 4.3, + 4.4, + 4.5, + 4.6, + 4.7, + 4.8, + 4.9, + 5, + 5.1, + 5.2, + 5.3, + 5.4, + 5.5, + 5.6, + 5.7, + 5.8, + 5.9, + 6, + 6.1, + 6.2, + 6.3, + 6.4, + 6.5, + 6.6, + 6.7, + 6.8, + 6.9 + ] + }, + "highScoreType": { + "type": "number", + "enum": [ + 7, + 7.1, + 7.2, + 7.3, + 7.4, + 7.5, + 7.6, + 7.7, + 7.8, + 7.9, + 8, + 8.1, + 8.2, + 8.3, + 8.4, + 8.5, + 8.6, + 8.7, + 8.8, + 8.9 + ] + }, + "criticalScoreType": { + "type": "number", + "enum": [ + 9, + 9.1, + 9.2, + 9.3, + 9.4, + 9.5, + 9.6, + 9.7, + 9.8, + 9.9, + 10 + ] + }, + "noneSeverityType": { + "const": "NONE" + }, + "lowSeverityType": { + "const": "LOW" + }, + "mediumSeverityType": { + "const": "MEDIUM" + }, + "highSeverityType": { + "const": "HIGH" + }, + "criticalSeverityType": { + "const": "CRITICAL" + } + }, + "properties": { + "version": { + "description": "CVSS Version", + "type": "string", + "enum": [ + "3.1" + ] + }, + "vectorString": { + "type": "string", + "pattern": "^CVSS:3[.]1/((AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$" + }, + "attackVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/attackVectorType" + }, + "attackComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/attackComplexityType" + }, + "privilegesRequired": { + "$ref": 
"#/definitions/metrics/items/properties/cvssV3_1/definitions/privilegesRequiredType" + }, + "userInteraction": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/userInteractionType" + }, + "scope": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scopeType" + }, + "confidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType" + }, + "integrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType" + }, + "availabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType" + }, + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType" + }, + "exploitCodeMaturity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/exploitCodeMaturityType" + }, + "remediationLevel": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/remediationLevelType" + }, + "reportConfidence": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/confidenceType" + }, + "temporalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType" + }, + "temporalSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType" + }, + "confidentialityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType" + }, + "integrityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType" + }, + "availabilityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType" + }, + "modifiedAttackVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedAttackVectorType" + }, + "modifiedAttackComplexity": { + "$ref": 
"#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedAttackComplexityType" + }, + "modifiedPrivilegesRequired": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedPrivilegesRequiredType" + }, + "modifiedUserInteraction": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedUserInteractionType" + }, + "modifiedScope": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedScopeType" + }, + "modifiedConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType" + }, + "modifiedIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType" + }, + "modifiedAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType" + }, + "environmentalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType" + }, + "environmentalSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType" + } + }, + "anyOf": [ + { + "properties": { + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/noneScoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/noneSeverityType" + } + } + }, + { + "properties": { + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/lowScoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/lowSeverityType" + } + } + }, + { + "properties": { + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/mediumScoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/mediumSeverityType" + } + } + }, + { + "properties": { + "baseScore": { + "$ref": 
"#/definitions/metrics/items/properties/cvssV3_1/definitions/highScoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/highSeverityType" + } + } + }, + { + "properties": { + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/criticalScoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/criticalSeverityType" + } + } + } + ], + "required": [ + "version", + "vectorString", + "baseScore", + "baseSeverity" + ], + "additionalProperties": false + }, + "cvssV3_0": { + "$schema": "http://json-schema.org/draft-07/schema#", + "title": "JSON Schema for Common Vulnerability Scoring System version 3.0", + "type": "object", + "definitions": { + "attackVectorType": { + "type": "string", + "enum": [ + "NETWORK", + "ADJACENT_NETWORK", + "LOCAL", + "PHYSICAL" + ] + }, + "modifiedAttackVectorType": { + "type": "string", + "enum": [ + "NETWORK", + "ADJACENT_NETWORK", + "LOCAL", + "PHYSICAL", + "NOT_DEFINED" + ] + }, + "attackComplexityType": { + "type": "string", + "enum": [ + "HIGH", + "LOW" + ] + }, + "modifiedAttackComplexityType": { + "type": "string", + "enum": [ + "HIGH", + "LOW", + "NOT_DEFINED" + ] + }, + "privilegesRequiredType": { + "type": "string", + "enum": [ + "HIGH", + "LOW", + "NONE" + ] + }, + "modifiedPrivilegesRequiredType": { + "type": "string", + "enum": [ + "HIGH", + "LOW", + "NONE", + "NOT_DEFINED" + ] + }, + "userInteractionType": { + "type": "string", + "enum": [ + "NONE", + "REQUIRED" + ] + }, + "modifiedUserInteractionType": { + "type": "string", + "enum": [ + "NONE", + "REQUIRED", + "NOT_DEFINED" + ] + }, + "scopeType": { + "type": "string", + "enum": [ + "UNCHANGED", + "CHANGED" + ] + }, + "modifiedScopeType": { + "type": "string", + "enum": [ + "UNCHANGED", + "CHANGED", + "NOT_DEFINED" + ] + }, + "ciaType": { + "type": "string", + "enum": [ + "NONE", + "LOW", + "HIGH" + ] + }, + "modifiedCiaType": { + "type": 
"string", + "enum": [ + "NONE", + "LOW", + "HIGH", + "NOT_DEFINED" + ] + }, + "exploitCodeMaturityType": { + "type": "string", + "enum": [ + "UNPROVEN", + "PROOF_OF_CONCEPT", + "FUNCTIONAL", + "HIGH", + "NOT_DEFINED" + ] + }, + "remediationLevelType": { + "type": "string", + "enum": [ + "OFFICIAL_FIX", + "TEMPORARY_FIX", + "WORKAROUND", + "UNAVAILABLE", + "NOT_DEFINED" + ] + }, + "confidenceType": { + "type": "string", + "enum": [ + "UNKNOWN", + "REASONABLE", + "CONFIRMED", + "NOT_DEFINED" + ] + }, + "ciaRequirementType": { + "type": "string", + "enum": [ + "LOW", + "MEDIUM", + "HIGH", + "NOT_DEFINED" + ] + }, + "scoreType": { + "type": "number", + "enum": [ + 0, + 0.1, + 0.2, + 0.3, + 0.4, + 0.5, + 0.6, + 0.7, + 0.8, + 0.9, + 1, + 1.1, + 1.2, + 1.3, + 1.4, + 1.5, + 1.6, + 1.7, + 1.8, + 1.9, + 2, + 2.1, + 2.2, + 2.3, + 2.4, + 2.5, + 2.6, + 2.7, + 2.8, + 2.9, + 3, + 3.1, + 3.2, + 3.3, + 3.4, + 3.5, + 3.6, + 3.7, + 3.8, + 3.9, + 4, + 4.1, + 4.2, + 4.3, + 4.4, + 4.5, + 4.6, + 4.7, + 4.8, + 4.9, + 5, + 5.1, + 5.2, + 5.3, + 5.4, + 5.5, + 5.6, + 5.7, + 5.8, + 5.9, + 6, + 6.1, + 6.2, + 6.3, + 6.4, + 6.5, + 6.6, + 6.7, + 6.8, + 6.9, + 7, + 7.1, + 7.2, + 7.3, + 7.4, + 7.5, + 7.6, + 7.7, + 7.8, + 7.9, + 8, + 8.1, + 8.2, + 8.3, + 8.4, + 8.5, + 8.6, + 8.7, + 8.8, + 8.9, + 9, + 9.1, + 9.2, + 9.3, + 9.4, + 9.5, + 9.6, + 9.7, + 9.8, + 9.9, + 10 + ] + }, + "noneScoreType": { + "type": "number", + "minimum": 0, + "maximum": 0 + }, + "lowScoreType": { + "type": "number", + "enum": [ + 0.1, + 0.2, + 0.3, + 0.4, + 0.5, + 0.6, + 0.7, + 0.8, + 0.9, + 1, + 1.1, + 1.2, + 1.3, + 1.4, + 1.5, + 1.6, + 1.7, + 1.8, + 1.9, + 2, + 2.1, + 2.2, + 2.3, + 2.4, + 2.5, + 2.6, + 2.7, + 2.8, + 2.9, + 3, + 3.1, + 3.2, + 3.3, + 3.4, + 3.5, + 3.6, + 3.7, + 3.8, + 3.9 + ] + }, + "mediumScoreType": { + "type": "number", + "enum": [ + 4, + 4.1, + 4.2, + 4.3, + 4.4, + 4.5, + 4.6, + 4.7, + 4.8, + 4.9, + 5, + 5.1, + 5.2, + 5.3, + 5.4, + 5.5, + 5.6, + 5.7, + 5.8, + 5.9, + 6, + 6.1, + 6.2, + 6.3, + 6.4, + 6.5, + 
6.6, + 6.7, + 6.8, + 6.9 + ] + }, + "highScoreType": { + "type": "number", + "enum": [ + 7, + 7.1, + 7.2, + 7.3, + 7.4, + 7.5, + 7.6, + 7.7, + 7.8, + 7.9, + 8, + 8.1, + 8.2, + 8.3, + 8.4, + 8.5, + 8.6, + 8.7, + 8.8, + 8.9 + ] + }, + "criticalScoreType": { + "type": "number", + "enum": [ + 9, + 9.1, + 9.2, + 9.3, + 9.4, + 9.5, + 9.6, + 9.7, + 9.8, + 9.9, + 10 + ] + }, + "severityType": { + "type": "string", + "enum": [ + "NONE", + "LOW", + "MEDIUM", + "HIGH", + "CRITICAL" + ] + }, + "noneSeverityType": { + "const": "NONE" + }, + "lowSeverityType": { + "const": "LOW" + }, + "mediumSeverityType": { + "const": "MEDIUM" + }, + "highSeverityType": { + "const": "HIGH" + }, + "criticalSeverityType": { + "const": "CRITICAL" + } + }, + "properties": { + "version": { + "description": "CVSS Version", + "type": "string", + "enum": [ + "3.0" + ] + }, + "vectorString": { + "type": "string", + "pattern": "^CVSS:3[.]0/((AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$" + }, + "attackVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/attackVectorType" + }, + "attackComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/attackComplexityType" + }, + "privilegesRequired": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/privilegesRequiredType" + }, + "userInteraction": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/userInteractionType" + }, + "scope": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scopeType" + }, + "confidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType" + }, + "integrityImpact": { + "$ref": 
"#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType" + }, + "availabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType" + }, + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType" + }, + "exploitCodeMaturity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/exploitCodeMaturityType" + }, + "remediationLevel": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/remediationLevelType" + }, + "reportConfidence": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/confidenceType" + }, + "temporalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType" + }, + "temporalSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType" + }, + "confidentialityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType" + }, + "integrityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType" + }, + "availabilityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType" + }, + "modifiedAttackVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedAttackVectorType" + }, + "modifiedAttackComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedAttackComplexityType" + }, + "modifiedPrivilegesRequired": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedPrivilegesRequiredType" + }, + "modifiedUserInteraction": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedUserInteractionType" + }, + "modifiedScope": { + "$ref": 
"#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedScopeType" + }, + "modifiedConfidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType" + }, + "modifiedIntegrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType" + }, + "modifiedAvailabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType" + }, + "environmentalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType" + }, + "environmentalSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType" + } + }, + "anyOf": [ + { + "properties": { + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/noneScoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/noneSeverityType" + } + } + }, + { + "properties": { + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/lowScoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/lowSeverityType" + } + } + }, + { + "properties": { + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/mediumScoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/mediumSeverityType" + } + } + }, + { + "properties": { + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/highScoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/highSeverityType" + } + } + }, + { + "properties": { + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/criticalScoreType" + }, + "baseSeverity": { + "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/criticalSeverityType" + } + } + } + ], + 
"required": [ + "version", + "vectorString", + "baseScore", + "baseSeverity" + ], + "additionalProperties": false + }, + "cvssV2_0": { + "$schema": "http://json-schema.org/draft-04/schema#", + "title": "JSON Schema for Common Vulnerability Scoring System version 2.0", + "type": "object", + "definitions": { + "accessVectorType": { + "type": "string", + "enum": [ + "NETWORK", + "ADJACENT_NETWORK", + "LOCAL" + ] + }, + "accessComplexityType": { + "type": "string", + "enum": [ + "HIGH", + "MEDIUM", + "LOW" + ] + }, + "authenticationType": { + "type": "string", + "enum": [ + "MULTIPLE", + "SINGLE", + "NONE" + ] + }, + "ciaType": { + "type": "string", + "enum": [ + "NONE", + "PARTIAL", + "COMPLETE" + ] + }, + "exploitabilityType": { + "type": "string", + "enum": [ + "UNPROVEN", + "PROOF_OF_CONCEPT", + "FUNCTIONAL", + "HIGH", + "NOT_DEFINED" + ] + }, + "remediationLevelType": { + "type": "string", + "enum": [ + "OFFICIAL_FIX", + "TEMPORARY_FIX", + "WORKAROUND", + "UNAVAILABLE", + "NOT_DEFINED" + ] + }, + "reportConfidenceType": { + "type": "string", + "enum": [ + "UNCONFIRMED", + "UNCORROBORATED", + "CONFIRMED", + "NOT_DEFINED" + ] + }, + "collateralDamagePotentialType": { + "type": "string", + "enum": [ + "NONE", + "LOW", + "LOW_MEDIUM", + "MEDIUM_HIGH", + "HIGH", + "NOT_DEFINED" + ] + }, + "targetDistributionType": { + "type": "string", + "enum": [ + "NONE", + "LOW", + "MEDIUM", + "HIGH", + "NOT_DEFINED" + ] + }, + "ciaRequirementType": { + "type": "string", + "enum": [ + "LOW", + "MEDIUM", + "HIGH", + "NOT_DEFINED" + ] + }, + "scoreType": { + "type": "number", + "minimum": 0, + "maximum": 10 + } + }, + "properties": { + "version": { + "description": "CVSS Version", + "type": "string", + "enum": [ + "2.0" + ] + }, + "vectorString": { + "type": "string", + "pattern": 
"^((AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))/)*(AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))$" + }, + "accessVector": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/accessVectorType" + }, + "accessComplexity": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/accessComplexityType" + }, + "authentication": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/authenticationType" + }, + "confidentialityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType" + }, + "integrityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType" + }, + "availabilityImpact": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType" + }, + "baseScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType" + }, + "exploitability": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/exploitabilityType" + }, + "remediationLevel": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/remediationLevelType" + }, + "reportConfidence": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/reportConfidenceType" + }, + "temporalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType" + }, + "collateralDamagePotential": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/collateralDamagePotentialType" + }, + "targetDistribution": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/targetDistributionType" + }, + "confidentialityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType" + }, + "integrityRequirement": { + 
"$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType" + }, + "availabilityRequirement": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType" + }, + "environmentalScore": { + "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType" + } + }, + "required": [ + "version", + "vectorString", + "baseScore" + ], + "additionalProperties": false + }, + "other": { + "type": "object", + "description": "A non-standard impact description, may be prose or JSON block.", + "required": [ + "type", + "content" + ], + "properties": { + "type": { + "description": "Name of the non-standard impact metrics format used.", + "type": "string", + "minLength": 1, + "maxLength": 128 + }, + "content": { + "type": "object", + "$comment": "additionalProperties are allowed here, since this construct supports arbitrary JSON.", + "description": "JSON object not covered by another metrics format.", + "minProperties": 1 + } + }, + "additionalProperties": false + } + }, + "additionalProperties": false + } + }, + "configurations": { + "type": "array", + "description": "Configurations required for exploiting this vulnerability.", + "minItems": 1, + "uniqueItems": true, + "items": { + "$ref": "#/definitions/description" + } + }, + "workarounds": { + "type": "array", + "description": "Workarounds and mitigations for this vulnerability.", + "minItems": 1, + "uniqueItems": true, + "items": { + "$ref": "#/definitions/description" + } + }, + "solutions": { + "type": "array", + "description": "Information about solutions or remediations available for this vulnerability.", + "minItems": 1, + "uniqueItems": true, + "items": { + "$ref": "#/definitions/description" + } + }, + "exploits": { + "type": "array", + "description": "Information about exploits of the vulnerability.", + "minItems": 1, + "uniqueItems": true, + "items": { + "$ref": "#/definitions/description" + } + }, + "timeline": { + "type": "array", + 
"description": "This is timeline information for significant events about this vulnerability or changes to the CVE Record.", + "minItems": 1, + "uniqueItems": true, + "items": { + "type": "object", + "required": [ + "time", + "lang", + "value" + ], + "properties": { + "time": { + "description": "Timestamp representing when the event in the timeline occurred. The timestamp format is based on RFC3339 and ISO ISO8601, with an optional timezone. yyyy-MM-ddTHH:mm:ss[+-]ZH:ZM - if the timezone offset is not given, GMT (+00:00) is assumed.", + "$ref": "#/definitions/timestamp" + }, + "lang": { + "description": "The language used in the description of the event. The language field is included so that CVE Records can support translations. The value must be a BCP 47 language code.", + "$ref": "#/definitions/language" + }, + "value": { + "description": "A summary of the event.", + "type": "string", + "minLength": 1, + "maxLength": 4096 + } + }, + "additionalProperties": false + } + }, + "credits": { + "type": "array", + "description": "Statements acknowledging specific people, organizations, or tools recognizing the work done in researching, discovering, remediating or helping with activities related to this CVE.", + "minItems": 1, + "uniqueItems": true, + "items": { + "type": "object", + "properties": { + "lang": { + "description": "The language used when describing the credits. The language field is included so that CVE Records can support translations. The value must be a BCP 47 language code.", + "$ref": "#/definitions/language" + }, + "value": { + "type": "string", + "minLength": 1, + "maxLength": 4096 + }, + "user": { + "description": "UUID of the user being credited if present in the CVE User Registry (optional). This UUID can be used to lookup the user record in the user registry service.", + "$ref": "#/definitions/uuidType" + }, + "type": { + "type": "string", + "description": "Type or role of the entity being credited (optional). 
finder: identifies the vulnerability.\nreporter: notifies the vendor of the vulnerability to a CNA.\nanalyst: validates the vulnerability to ensure accuracy or severity.\ncoordinator: facilitates the coordinated response process.\nremediation developer: prepares a code change or other remediation plans.\nremediation reviewer: reviews vulnerability remediation plans or code changes for effectiveness and completeness.\nremediation verifier: tests and verifies the vulnerability or its remediation.\ntool: names of tools used in vulnerability discovery or identification.\nsponsor: supports the vulnerability identification or remediation activities.", + "default": "finder", + "enum": [ + "finder", + "reporter", + "analyst", + "coordinator", + "remediation developer", + "remediation reviewer", + "remediation verifier", + "tool", + "sponsor", + "other" + ] + } + }, + "additionalProperties": false, + "required": [ + "lang", + "value" + ] + } + }, + "source": { + "type": "object", + "description": "This is the source information (who discovered it, who researched it, etc.) and optionally a chain of CNA information (e.g. the originating CNA and subsequent parent CNAs who have processed it before it arrives at the MITRE root).\n Must contain: IF this is in the root level it MUST contain a CNA_chain entry, IF this source entry is NOT in the root (e.g. 
it is part of a vendor statement) then it must contain at least one type of data entry.", + "minProperties": 1 + }, + "language": { + "type": "string", + "description": "BCP 47 language code, language-region.", + "default": "en", + "pattern": "^[A-Za-z]{2,4}([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$" + }, + "englishLanguage": { + "type": "string", + "description": "BCP 47 language code, language-region, required to be English.", + "pattern": "^en([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$" + }, + "taxonomyMappings": { + "type": "array", + "description": "List of taxonomy items related to the vulnerability.", + "minItems": 1, + "uniqueItems": true, + "items": { + "type": "object", + "description": "A taxonomy mapping object identifies the taxonomy by a name and version (eg., ATT&CK v13.1, CVSS 3.1, CWE 4.12) along with a list of relations relevant to this CVE.", + "required": [ + "taxonomyName", + "taxonomyRelations" + ], + "properties": { + "taxonomyName": { + "type": "string", + "description": "The name of the taxonomy, eg., ATT&CK, D3FEND, CWE, CVSS", + "minLength": 1, + "maxLength": 128 + }, + "taxonomyVersion": { + "type": "string", + "description": "The version of taxonomy the identifiers come from.", + "minLength": 1, + "maxLength": 128 + }, + "taxonomyRelations": { + "type": "array", + "description": "List of relationships to the taxonomy for the vulnerability.", + "minItems": 1, + "uniqueItems": true, + "items": { + "type": "object", + "description": "A relationship between the taxonomy and the CVE or two taxonomy items.", + "required": [ + "taxonomyId", + "relationshipName", + "relationshipValue" + ], + "properties": { + "taxonomyId": { + "type": "string", + "description": "Identifier of the item in the taxonomy. 
Used as the subject of the relationship.", + "minLength": 1, + "maxLength": 2048 + }, + "relationshipName": { + "type": "string", + "description": "A description of the relationship.", + "minLength": 1, + "maxLength": 128 + }, + "relationshipValue": { + "type": "string", + "description": "The target of the relationship. Can be the CVE ID or another taxonomy identifier.", + "minLength": 1, + "maxLength": 2048 + } + }, + "additionalProperties": false + } + } + }, + "additionalProperties": false + } + }, + "tagExtension": { + "type": "string", + "minLength": 2, + "maxLength": 128, + "pattern": "^x_.*$", + "$comment": "These values are not used as JSON property names, so there is not a need to work-around property naming limitations in some common implementations." + }, + "cnaTags": { + "type": "array", + "description": "Tags provided by a CNA describing the CVE Record.", + "uniqueItems": true, + "minItems": 1, + "items": { + "oneOf": [ + { + "$ref": "#/definitions/tagExtension" + }, + { + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "https://cve.mitre.org/cve/v5_00/tags/cna/", + "type": "string", + "description": "exclusively-hosted-service: All known software and/or hardware affected by this CVE Record is known to exist only in the affected hosted service. If the vulnerability affects both hosted and on-prem software and/or hardware, then the tag should not be used.\n\nunsupported-when-assigned: Used by the assigning CNA to indicate that when a request for a CVE assignment was received, the product was already end-of-life (EOL) or a product or specific version was deemed not to be supported by the vendor. 
This tag should only be applied to a CVE Record when all affected products or version lines referenced in the CVE-Record are EOL.\n\ndisputed: When one party disagrees with another party's assertion that a particular issue in software is a vulnerability, a CVE Record assigned to that issue may be tagged as being 'disputed'.", + "enum": [ + "unsupported-when-assigned", + "exclusively-hosted-service", + "disputed" + ] + } + ] + } + }, + "adpTags": { + "type": "array", + "description": "Tags provided by an ADP describing the CVE Record.", + "uniqueItems": true, + "minItems": 1, + "items": { + "oneOf": [ + { + "$ref": "#/definitions/tagExtension" + }, + { + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "https://cve.mitre.org/cve/v5_00/tags/adp/", + "type": "string", + "description": "disputed: When one party disagrees with another party's assertion that a particular issue in software is a vulnerability, a CVE Record assigned to that issue may be tagged as being 'disputed'.", + "enum": [ + "disputed" + ] + } + ] + } + } + }, + "oneOf": [ + { + "title": "Published", + "description": "When a CNA populates the data associated with a CVE ID as a CVE Record, the state of the CVE Record is Published.", + "type": "object", + "properties": { + "dataType": { + "$ref": "#/definitions/dataType" + }, + "dataVersion": { + "$ref": "#/definitions/dataVersion" + }, + "cveMetadata": { + "$ref": "#/definitions/cveMetadataPublished" + }, + "containers": { + "description": "A set of structures (called containers) used to store vulnerability information related to a specific CVE ID provided by a specific organization participating in the CVE program. Each container includes information provided by a different source.\n\nAt a minimum, a 'cna' container containing the vulnerability information provided by the CNA who initially assigned the CVE ID must be included.\n\nThere can only be one 'cna' container, as there can only be one assigning CNA. 
However, there can be multiple 'adp' containers, allowing multiple organizations participating in the CVE program to add additional information related to the vulnerability. For the most part, the 'cna' and 'adp' containers contain the same properties. The main differences are the source of the information. The 'cna' container requires the CNA to include certain fields, while the 'adp' container does not.", + "type": "object", + "properties": { + "cna": { + "$ref": "#/definitions/cnaPublishedContainer" + }, + "adp": { + "type": "array", + "items": { + "$ref": "#/definitions/adpContainer" + }, + "minItems": 1, + "uniqueItems": true + } + }, + "required": [ + "cna" + ], + "additionalProperties": false + } + }, + "required": [ + "dataType", + "dataVersion", + "cveMetadata", + "containers" + ], + "additionalProperties": false + }, + { + "title": "Rejected", + "description": "If the CVE ID and associated CVE Record should no longer be used, the CVE Record is placed in the Rejected state. A Rejected CVE Record remains on the CVE List so that users can know when it is invalid.", + "type": "object", + "properties": { + "dataType": { + "$ref": "#/definitions/dataType" + }, + "dataVersion": { + "$ref": "#/definitions/dataVersion" + }, + "cveMetadata": { + "$ref": "#/definitions/cveMetadataRejected" + }, + "containers": { + "description": "A set of structures (called containers) used to store vulnerability information related to a specific CVE ID provided by a specific organization participating in the CVE program. 
Each container includes information provided by a different source.\n\nAt minimum, a 'cna' container containing the vulnerability information provided by the CNA who initially assigned the CVE ID must be included.\n\nThere can only be one 'cna' container, as there can only be one assigning CNA.", + "type": "object", + "properties": { + "cna": { + "$ref": "#/definitions/cnaRejectedContainer" + } + }, + "required": [ + "cna" + ], + "additionalProperties": false + } + }, + "required": [ + "dataType", + "dataVersion", + "cveMetadata", + "containers" + ], + "additionalProperties": false + } + ] +} \ No newline at end of file diff --git a/src/middleware/schemas/CVE_JSON_5.1_bundled.json b/src/middleware/schemas/CVE_JSON_5.1_bundled.json deleted file mode 100644 index ece69ebf7..000000000 --- a/src/middleware/schemas/CVE_JSON_5.1_bundled.json +++ /dev/null 
@@ -1,2936 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-07/schema#", - "$id": "https://cveproject.github.io/cve-schema/schema/v5.0/docs/CVE_JSON_bundled.json", - "title": "CVE JSON record format", - "description": "cve-schema specifies the CVE JSON record format. This is the blueprint for a rich set of JSON data that can be submitted by CVE Numbering Authorities (CNAs) and Authorized Data Publishers (ADPs) to describe a CVE Record. Some examples of CVE Record data include CVE ID number, affected product(s), affected version(s), and public references. While those specific items are required when assigning a CVE, there are many other optional data in the schema that can be used to enrich CVE Records for community benefit. Learn more about the CVE program at [the official website](https://cve.mitre.org). This CVE JSON record format is defined using JSON Schema. Learn more about JSON Schema [here](https://json-schema.org/).", - "definitions": { - "uriType": { - "description": "A universal resource identifier (URI), according to [RFC 3986](https://tools.ietf.org/html/rfc3986).", - "type": "string", - "format": "uri", - "minLength": 1, - "maxLength": 2048 - }, - "uuidType": { - "description": "A version 4 (random) universally unique identifier (UUID) as defined by [RFC 4122](https://tools.ietf.org/html/rfc4122#section-4.1.3).", - "type": "string", - "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" - }, - "reference": { - "type": "object", - "required": [ - "url" - ], - "properties": { - "url": { - "description": "The uniform resource locator (URL), according to [RFC 3986](https://tools.ietf.org/html/rfc3986#section-1.1.3), that can be used to retrieve the referenced resource.", - "$ref": "#/definitions/uriType" - }, - "name": { - "description": "User created name for the reference, often the title of the page.", - "type": "string", - "maxLength": 512, - "minLength": 1 - }, - "tags": { - "description": "An array 
of one or more tags that describe the resource referenced by 'url'.", - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "oneOf": [ - { - "$ref": "#/definitions/tagExtension" - }, - { - "$schema": "http://json-schema.org/draft-07/schema#", - "$id": "https://cve.mitre.org/cve/v5_00/tags/reference/", - "type": "string", - "description": "broken-link: The reference link is returning a 404 error, or the site is no longer online.\n\ncustomer-entitlement: Similar to Privileges Required, but specific to references that require non-public/paid access for customers of the particular vendor.\n\nexploit: Reference contains an in-depth/detailed description of steps to exploit a vulnerability OR the reference contains any legitimate Proof of Concept (PoC) code or exploit kit.\n\ngovernment-resource: All reference links that are from a government agency or organization should be given the Government Resource tag.\n\nissue-tracking: The reference is a post from a bug tracking tool such as MantisBT, Bugzilla, JIRA, Github Issues, etc...\n\nmailing-list: The reference is from a mailing list -- often specific to a product or vendor.\n\nmitigation: The reference contains information on steps to mitigate against the vulnerability in the event a patch can't be applied or is unavailable or for EOL product situations.\n\nnot-applicable: The reference link is not applicable to the vulnerability and was likely associated by MITRE accidentally (should be used sparingly).\n\npatch: The reference contains an update to the software that fixes the vulnerability.\n\npermissions-required: The reference link provided is blocked by a logon page. If credentials are required to see any information this tag must be applied.\n\nmedia-coverage: The reference is from a media outlet such as a newspaper, magazine, social media, or weblog. This tag is not intended to apply to any individual's personal social media account. 
It is strictly intended for public media entities.\n\nproduct: A reference appropriate for describing a product for the purpose of CPE or SWID.\n\nrelated: A reference that is for a related (but not the same) vulnerability.\n\nrelease-notes: The reference is in the format of a vendor or open source project's release notes or change log.\n\nsignature: The reference contains a method to detect or prevent the presence or exploitation of the vulnerability.\n\ntechnical-description: The reference contains in-depth technical information about a vulnerability and its exploitation process, typically in the form of a presentation or whitepaper.\n\nthird-party-advisory: Advisory is from an organization that is not the vulnerable product's vendor/publisher/maintainer.\n\nvendor-advisory: Advisory is from the vendor/publisher/maintainer of the product or the parent organization.\n\nvdb-entry: VDBs are loosely defined as sites that provide information about this vulnerability, such as advisories, with identifiers. Included VDBs are free to access, substantially public, and have broad scope and coverage (not limited to a single vendor or research organization). See: https://www.first.org/global/sigs/vrdx/vdb-catalog", - "enum": [ - "broken-link", - "customer-entitlement", - "exploit", - "government-resource", - "issue-tracking", - "mailing-list", - "mitigation", - "not-applicable", - "patch", - "permissions-required", - "media-coverage", - "product", - "related", - "release-notes", - "signature", - "technical-description", - "third-party-advisory", - "vendor-advisory", - "vdb-entry" - ] - } - ] - } - } - }, - "additionalProperties": false - }, - "cveId": { - "type": "string", - "pattern": "^CVE-[0-9]{4}-[0-9]{4,19}$" - }, - "orgId": { - "description": "A UUID for an organization participating in the CVE program. 
This UUID can be used to lookup the organization record in the user registry service.", - "$ref": "#/definitions/uuidType" - }, - "userId": { - "description": "A UUID for a user participating in the CVE program. This UUID can be used to lookup the user record in the user registry service.", - "$ref": "#/definitions/uuidType" - }, - "shortName": { - "description": "A 2-32 character name that can be used to complement an organization's UUID.", - "type": "string", - "minLength": 2, - "maxLength": 32 - }, - "datestamp": { - "description": "Date/time format based on RFC3339 and ISO ISO8601.", - "type": "string", - "format": "date", - "pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))$" - }, - "timestamp": { - "type": "string", - "format": "date-time", - "description": "Date/time format based on RFC3339 and ISO ISO8601, with an optional timezone in the format 'yyyy-MM-ddTHH:mm:ss[+-]ZH:ZM'. If timezone offset is not given, GMT (+00:00) is assumed.", - "pattern": "^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})?$" - }, - "version": { - "description": "A single version of a product, as expressed in its own version numbering scheme.", - "type": "string", - "minLength": 1, - "maxLength": 1024 - }, - "status": { - "description": "The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. 
The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.", - "type": "string", - "enum": [ - "affected", - "unaffected", - "unknown" - ] - }, - "product": { - "type": "object", - "description": "Provides information about the set of products and services affected by this vulnerability.", - "allOf": [ - { - "anyOf": [ - { - "required": [ - "vendor", - "product" - ] - }, - { - "required": [ - "collectionURL", - "packageName" - ] - } - ] - }, - { - "anyOf": [ - { - "required": [ - "versions" - ] - }, - { - "required": [ - "defaultStatus" - ] - } - ] - } - ], - "properties": { - "vendor": { - "type": "string", - "description": "Name of the organization, project, community, individual, or user that created or maintains this product or hosted service. Can be 'N/A' if none of those apply. When collectionURL and packageName are used, this field may optionally represent the user or account within the package collection associated with the package.", - "minLength": 1, - "maxLength": 512 - }, - "product": { - "type": "string", - "description": "Name of the affected product.", - "minLength": 1, - "maxLength": 2048 - }, - "collectionURL": { - "description": "URL identifying a package collection (determines the meaning of packageName).", - "$ref": "#/definitions/uriType", - "examples": [ - "https://access.redhat.com/downloads/content/package-browser", - "https://addons.mozilla.org", - "https://addons.thunderbird.net", - "https://anaconda.org/anaconda/repo", - "https://app.vagrantup.com/boxes/search", - "https://apps.apple.com", - "https://archlinux.org/packages", - "https://atmospherejs.meteor.com", - "https://atom.io/packages", - "https://bitbucket.org", - "https://bower.io", - "https://brew.sh/", - "https://chocolatey.org/packages", - "https://chrome.google.com/webstore", - 
"https://clojars.org", - "https://cocoapods.org", - "https://code.dlang.org", - "https://conan.io/center", - "https://cpan.org/modules", - "https://cran.r-project.org", - "https://crates.io", - "https://ctan.org/pkg", - "https://drupal.org", - "https://exchange.adobe.com", - "https://forge.puppet.com/modules", - "https://github.com", - "https://gitlab.com/explore", - "https://golang.org/pkg", - "https://guix.gnu.org/packages", - "https://hackage.haskell.org", - "https://helm.sh", - "https://hub.docker.com", - "https://juliahub.com", - "https://lib.haxe.org", - "https://luarocks.org", - "https://marketplace.visualstudio.com", - "https://melpa.org", - "https://microsoft.com/en-us/store/apps", - "https://nimble.directory", - "https://nuget.org/packages", - "https://opam.ocaml.org/packages", - "https://openwrt.org/packages/index", - "https://package.elm-lang.org", - "https://packagecontrol.io", - "https://packages.debian.org", - "https://packages.gentoo.org", - "https://packagist.org", - "https://pear.php.net/packages.php", - "https://pecl.php.net", - "https://platformio.org/lib", - "https://play.google.com/store", - "https://plugins.gradle.org", - "https://projects.eclipse.org", - "https://pub.dev", - "https://pypi.python.org", - "https://registry.npmjs.org", - "https://registry.terraform.io", - "https://repo.hex.pm", - "https://repo.maven.apache.org/maven2", - "https://rubygems.org", - "https://search.nixos.org/packages", - "https://sourceforge.net", - "https://wordpress.org/plugins" - ] - }, - "packageName": { - "type": "string", - "description": "Name or identifier of the affected software package as used in the package collection.", - "minLength": 1, - "maxLength": 2048 - }, - "cpes": { - "type": "array", - "description": "Affected products defined by CPE. 
This is an array of CPE values (vulnerable and not), we use an array so that we can make multiple statements about the same version and they are separate (if we used a JSON object we'd essentially be keying on the CPE name and they would have to overlap). Also, this allows things like cveDataVersion or cveDescription to be applied directly to the product entry. This also allows more complex statements such as \"Product X between versions 10.2 and 10.8\" to be put in a machine-readable format. As well since multiple statements can be used multiple branches of the same product can be defined here.", - "uniqueItems": true, - "items": { - "title": "CPE Name", - "type": "string", - "description": "Common Platform Enumeration (CPE) Name in either 2.2 or 2.3 format", - "pattern": "([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9._\\-~%]*){0,6})|(cpe:2\\.3:[aho*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){4})", - "minLength": 1, - "maxLength": 2048 - } - }, - "modules": { - "type": "array", - "description": "A list of the affected components, features, modules, sub-components, sub-products, APIs, commands, utilities, programs, or functionalities (optional).", - "uniqueItems": true, - "items": { - "type": "string", - "description": "Name of the affected component, feature, module, sub-component, sub-product, API, command, utility, program, or functionality (optional).", - "minLength": 1, - "maxLength": 4096 - } - }, - "programFiles": { - "type": "array", - "description": "A list of the affected source code files (optional).", - "uniqueItems": true, - "items": { - "description": "Name or path or location of the affected source code file.", - "type": "string", - "minLength": 1, - "maxLength": 1024 - } - }, - "programRoutines": { - "type": "array", - "description": "A 
list of the affected source code functions, methods, subroutines, or procedures (optional).", - "uniqueItems": true, - "items": { - "type": "object", - "description": "An object describing program routine.", - "required": [ - "name" - ], - "properties": { - "name": { - "type": "string", - "description": "Name of the affected source code file, function, method, subroutine, or procedure.", - "minLength": 1, - "maxLength": 4096 - } - }, - "additionalProperties": false - } - }, - "platforms": { - "title": "Platforms", - "description": "List of specific platforms if the vulnerability is only relevant in the context of these platforms (optional). Platforms may include execution environments, operating systems, virtualization technologies, hardware models, or computing architectures. The lack of this field or an empty array implies that the other fields are applicable to all relevant platforms.", - "type": "array", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "string", - "examples": [ - "iOS", - "Android", - "Windows", - "macOS", - "x86", - "ARM", - "64 bit", - "Big Endian", - "iPad", - "Chromebook", - "Docker", - "Model T" - ], - "maxLength": 1024 - } - }, - "repo": { - "description": "The URL of the source code repository, for informational purposes and/or to resolve git hash version ranges.", - "$ref": "#/definitions/uriType" - }, - "defaultStatus": { - "description": "The default status for versions that are not otherwise listed in the versions list. If not specified, defaultStatus defaults to 'unknown'. Versions or defaultStatus may be omitted, but not both.", - "$ref": "#/definitions/status" - }, - "versions": { - "type": "array", - "description": "Set of product versions or version ranges related to the vulnerability. The versions satisfy the CNA Rules [8.1.2 requirement](https://cve.mitre.org/cve/cna/rules.html#section_8-1_cve_entry_information_requirements). 
Versions or defaultStatus may be omitted, but not both.", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "description": "A single version or a range of versions, with vulnerability status.\n\nAn entry with only 'version' and 'status' indicates the status of a single version.\n\nOtherwise, an entry describes a range; it must include the 'versionType' property, to define the version numbering semantics in use, and 'limit', to indicate the non-inclusive upper limit of the range. The object describes the status for versions V such that 'version' <= V and V < 'limit', using the <= and < semantics defined for the specific kind of 'versionType'. Status changes within the range can be specified by an optional 'changes' list.\n\nThe algorithm to decide the status specified for a version V is:\n\n\tfor entry in product.versions {\n\t\tif entry.lessThan is not present and entry.lessThanOrEqual is not present and v == entry.version {\n\t\t\treturn entry.status\n\t\t}\n\t\tif (entry.lessThan is present and entry.version <= v and v < entry.lessThan) or\n\t\t (entry.lessThanOrEqual is present and entry.version <= v and v <= entry.lessThanOrEqual) { // <= and < defined by entry.versionType\n\t\t\tstatus = entry.status\n\t\t\tfor change in entry.changes {\n\t\t\t\tif change.at <= v {\n\t\t\t\t\tstatus = change.status\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn status\n\t\t}\n\t}\n\treturn product.defaultStatus\n\n.", - "oneOf": [ - { - "required": [ - "version", - "status" - ], - "maxProperties": 2 - }, - { - "required": [ - "version", - "status", - "versionType" - ], - "maxProperties": 3 - }, - { - "required": [ - "version", - "status", - "versionType", - "lessThan" - ] - }, - { - "required": [ - "version", - "status", - "versionType", - "lessThanOrEqual" - ] - } - ], - "properties": { - "version": { - "description": "The single version being described, or the version at the start of the range. 
By convention, typically 0 denotes the earliest possible version.", - "$ref": "#/definitions/version" - }, - "status": { - "description": "The vulnerability status for the version or range of versions. For a range, the status may be refined by the 'changes' list.", - "$ref": "#/definitions/status" - }, - "versionType": { - "type": "string", - "description": "The version numbering system used for specifying the range. This defines the exact semantics of the comparison (less-than) operation on versions, which is required to understand the range itself. 'Custom' indicates that the version type is unspecified and should be avoided whenever possible. It is included primarily for use in conversion of older data files.", - "minLength": 1, - "maxLength": 128, - "examples": [ - "custom", - "git", - "maven", - "python", - "rpm", - "semver" - ] - }, - "lessThan": { - "description": "The non-inclusive upper limit of the range. This is the least version NOT in the range. The usual version syntax is expanded to allow a pattern to end in an asterisk `(*)`, indicating an arbitrarily large number in the version ordering. For example, `{version: 1.0 lessThan: 1.*}` would describe the entire 1.X branch for most range kinds, and `{version: 2.0, lessThan: *}` describes all versions starting at 2.0, including 3.0, 5.1, and so on. Only one of lessThan and lessThanOrEqual should be specified.", - "$ref": "#/definitions/version" - }, - "lessThanOrEqual": { - "description": "The inclusive upper limit of the range. This is the greatest version contained in the range. Only one of lessThan and lessThanOrEqual should be specified. For example, `{version: 1.0, lessThanOrEqual: 1.3}` covers all versions from 1.0 up to and including 1.3.", - "$ref": "#/definitions/version" - }, - "changes": { - "type": "array", - "description": "A list of status changes that take place during the range. 
The array should be sorted in increasing order by the 'at' field, according to the versionType, but clients must re-sort the list themselves rather than assume it is sorted.", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "description": "The start of a single status change during the range.", - "required": [ - "at", - "status" - ], - "additionalProperties": false, - "properties": { - "at": { - "description": "The version at which a status change occurs.", - "$ref": "#/definitions/version" - }, - "status": { - "description": "The new status in the range starting at the given version.", - "$ref": "#/definitions/status" - } - } - } - } - }, - "additionalProperties": false - } - } - } - }, - "dataType": { - "description": "Indicates the type of information represented in the JSON instance.", - "type": "string", - "enum": [ - "CVE_RECORD" - ] - }, - "dataVersion": { - "description": "The version of the CVE schema used for validating this record. Used to support multiple versions of this format.", - "type": "string", - "pattern": "^5\\.(0|[1-9][0-9]*)(\\.(0|[1-9][0-9]*))?$", - "default": "5.1.0" - }, - "cveMetadataPublished": { - "description": "This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, the current state (PUBLISHED, REJECTED, etc.) and so on. These fields are controlled by the CVE Services.", - "type": "object", - "required": [ - "cveId", - "assignerOrgId", - "state" - ], - "properties": { - "cveId": { - "description": "The CVE identifier that this record pertains to.", - "$ref": "#/definitions/cveId" - }, - "assignerOrgId": { - "$ref": "#/definitions/orgId", - "description": "The UUID for the organization to which the CVE ID was originally assigned. This UUID can be used to lookup the organization record in the user registry service." 
- }, - "assignerShortName": { - "$ref": "#/definitions/shortName", - "description": "The short name for the organization to which the CVE ID was originally assigned." - }, - "requesterUserId": { - "$ref": "#/definitions/userId", - "description": "The user that requested the CVE identifier." - }, - "dateUpdated": { - "description": "The date/time the record was last updated.", - "$ref": "#/definitions/timestamp" - }, - "serial": { - "type": "integer", - "minimum": 1, - "description": "The system of record causes this to start at 1, and increment by 1 each time a submission from a data provider changes this CVE Record. The incremented value moves to the Rejected schema upon a PUBLISHED->REJECTED transition, and moves to the Published schema upon a REJECTED->PUBLISHED transition." - }, - "dateReserved": { - "$ref": "#/definitions/timestamp", - "description": "The date/time this CVE ID was reserved in the CVE automation workgroup services system. Disclaimer: This date reflects when the CVE ID was reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE." - }, - "datePublished": { - "$ref": "#/definitions/timestamp", - "description": "The date/time the CVE Record was first published in the CVE List." - }, - "state": { - "description": "State of CVE - PUBLISHED, REJECTED.", - "type": "string", - "enum": [ - "PUBLISHED" - ] - } - }, - "additionalProperties": false - }, - "cveMetadataRejected": { - "type": "object", - "description": "This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, the current state (PUBLISHED, REJECTED, etc.) and so on. 
These fields are controlled by the CVE Services.", - "required": [ - "cveId", - "assignerOrgId", - "state" - ], - "properties": { - "cveId": { - "description": "The CVE identifier that this record pertains to.", - "$ref": "#/definitions/cveId" - }, - "assignerOrgId": { - "$ref": "#/definitions/orgId", - "description": "The UUID for the organization to which the CVE ID was originally assigned." - }, - "assignerShortName": { - "$ref": "#/definitions/shortName", - "description": "The short name for the organization to which the CVE ID was originally assigned." - }, - "serial": { - "type": "integer", - "minimum": 1, - "description": "The system of record causes this to start at 1, and increment by 1 each time a submission from a data provider changes this CVE Record. The incremented value moves to the Rejected schema upon a PUBLISHED->REJECTED transition, and moves to the Published schema upon a REJECTED->PUBLISHED transition." - }, - "dateUpdated": { - "description": "The date/time the record was last updated.", - "$ref": "#/definitions/timestamp" - }, - "datePublished": { - "$ref": "#/definitions/timestamp", - "description": "The date/time the CVE Record was first published in the CVE List." - }, - "dateRejected": { - "$ref": "#/definitions/timestamp", - "description": "The date/time the CVE ID was rejected." - }, - "state": { - "type": "string", - "description": "State of CVE - PUBLISHED, REJECTED.", - "enum": [ - "REJECTED" - ] - }, - "dateReserved": { - "$ref": "#/definitions/timestamp", - "description": "The date/time this CVE ID was reserved in the CVE automation workgroup services system. Disclaimer: This date reflects when the CVE ID was reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE." 
- } - }, - "additionalProperties": false - }, - "providerMetadata": { - "type": "object", - "description": "Details related to the information container provider (CNA or ADP).", - "properties": { - "orgId": { - "$ref": "#/definitions/orgId", - "description": "The container provider's organizational UUID." - }, - "shortName": { - "$ref": "#/definitions/shortName", - "description": "The container provider's organizational short name." - }, - "dateUpdated": { - "$ref": "#/definitions/timestamp", - "description": "Timestamp to be set by the system of record at time of submission. If dateUpdated is provided to the system of record it will be replaced by the current timestamp at the time of submission." - } - }, - "required": [ - "orgId" - ], - "additionalProperties": false - }, - "cnaPublishedContainer": { - "description": "An object containing the vulnerability information provided by a CVE Numbering Authority (CNA) for a published CVE ID. There can only be one CNA container per CVE record since there can only be one assigning CNA. The CNA container must include the required information defined in the CVE Rules, which includes a product, version, problem type, prose description, and a reference.", - "type": "object", - "properties": { - "providerMetadata": { - "$ref": "#/definitions/providerMetadata" - }, - "dateAssigned": { - "$ref": "#/definitions/timestamp", - "description": "The date/time this CVE ID was associated with a vulnerability by a CNA." - }, - "datePublic": { - "$ref": "#/definitions/timestamp", - "description": "If known, the date/time the vulnerability was disclosed publicly." - }, - "title": { - "type": "string", - "description": "A title, headline, or a brief phrase summarizing the CVE record. 
Eg., Buffer overflow in Example Soft.", - "minLength": 1, - "maxLength": 256 - }, - "descriptions": { - "$ref": "#/definitions/descriptions" - }, - "affected": { - "$ref": "#/definitions/affected" - }, - "problemTypes": { - "$ref": "#/definitions/problemTypes" - }, - "references": { - "$ref": "#/definitions/references" - }, - "impacts": { - "$ref": "#/definitions/impacts" - }, - "metrics": { - "$ref": "#/definitions/metrics" - }, - "configurations": { - "$ref": "#/definitions/configurations" - }, - "workarounds": { - "$ref": "#/definitions/workarounds" - }, - "solutions": { - "$ref": "#/definitions/solutions" - }, - "exploits": { - "$ref": "#/definitions/exploits" - }, - "timeline": { - "$ref": "#/definitions/timeline" - }, - "credits": { - "$ref": "#/definitions/credits" - }, - "source": { - "$ref": "#/definitions/source" - }, - "tags": { - "$ref": "#/definitions/cnaTags" - }, - "taxonomyMappings": { - "$ref": "#/definitions/taxonomyMappings" - } - }, - "required": [ - "providerMetadata", - "descriptions", - "affected", - "references" - ], - "patternProperties": { - "^x_[^.]*$": {} - }, - "$comment": "The character . is restricted in names allowed by patternProperties to work-around naming limitations in some common implementations.", - "additionalProperties": false - }, - "cnaRejectedContainer": { - "description": "An object containing the vulnerability information provided by a CVE Numbering Authority (CNA) for a rejected CVE ID. 
There can only be one CNA container per CVE record since there can only be one assigning CNA.", - "type": "object", - "properties": { - "providerMetadata": { - "$ref": "#/definitions/providerMetadata" - }, - "rejectedReasons": { - "description": "Reasons for rejecting this CVE Record.", - "$ref": "#/definitions/descriptions" - }, - "replacedBy": { - "type": "array", - "description": "Contains an array of CVE IDs that this CVE ID was rejected in favor of because this CVE ID was assigned to the vulnerabilities.", - "minItems": 1, - "uniqueItems": true, - "items": { - "$ref": "#/definitions/cveId" - } - } - }, - "required": [ - "providerMetadata", - "rejectedReasons" - ], - "patternProperties": { - "^x_[^.]*$": {} - }, - "$comment": "The character . is restricted in names allowed by patternProperties to work-around naming limitations in some common implementations.", - "additionalProperties": false - }, - "adpContainer": { - "description": "An object containing the vulnerability information provided by an Authorized Data Publisher (ADP). Since multiple ADPs can provide information for a CVE ID, an ADP container must indicate which ADP is the source of the information in the object.", - "type": "object", - "properties": { - "providerMetadata": { - "$ref": "#/definitions/providerMetadata" - }, - "datePublic": { - "$ref": "#/definitions/timestamp", - "description": "If known, the date/time the vulnerability was disclosed publicly." 
- }, - "title": { - "type": "string", - "description": "A title, headline, or a brief phrase summarizing the information in an ADP container.", - "minLength": 1, - "maxLength": 256 - }, - "descriptions": { - "$ref": "#/definitions/descriptions" - }, - "affected": { - "$ref": "#/definitions/affected" - }, - "problemTypes": { - "$ref": "#/definitions/problemTypes" - }, - "references": { - "$ref": "#/definitions/references" - }, - "impacts": { - "$ref": "#/definitions/impacts" - }, - "metrics": { - "$ref": "#/definitions/metrics" - }, - "configurations": { - "$ref": "#/definitions/configurations" - }, - "workarounds": { - "$ref": "#/definitions/workarounds" - }, - "solutions": { - "$ref": "#/definitions/solutions" - }, - "exploits": { - "$ref": "#/definitions/exploits" - }, - "timeline": { - "$ref": "#/definitions/timeline" - }, - "credits": { - "$ref": "#/definitions/credits" - }, - "source": { - "$ref": "#/definitions/source" - }, - "tags": { - "$ref": "#/definitions/adpTags" - }, - "taxonomyMappings": { - "$ref": "#/definitions/taxonomyMappings" - } - }, - "required": [ - "providerMetadata" - ], - "minProperties": 2, - "patternProperties": { - "^x_[^.]*$": {} - }, - "$comment": "The character . 
is restricted in names allowed by patternProperties to work-around naming limitations in some common implementations.", - "additionalProperties": false - }, - "affected": { - "type": "array", - "description": "List of affected products.", - "minItems": 1, - "items": { - "$ref": "#/definitions/product" - } - }, - "description": { - "type": "object", - "description": "Text in a particular language with optional alternate markup or formatted representation (e.g., Markdown) or embedded media.", - "properties": { - "lang": { - "$ref": "#/definitions/language" - }, - "value": { - "type": "string", - "description": "Plain text description.", - "minLength": 1, - "maxLength": 4096 - }, - "supportingMedia": { - "type": "array", - "title": "Supporting media", - "description": "Supporting media data for the description such as markdown, diagrams, .. (optional). Similar to RFC 2397 each media object has three main parts: media type, media data value, and an optional boolean flag to indicate if the media data is base64 encoded.", - "uniqueItems": true, - "minItems": 1, - "items": { - "type": "object", - "properties": { - "type": { - "type": "string", - "title": "Media type", - "minLength": 1, - "maxLength": 256, - "description": "RFC2046 compliant IANA Media type for eg., text/markdown, text/html.", - "examples": [ - "text/markdown", - "text/html", - "image/png", - "image/svg", - "audio/mp3" - ] - }, - "base64": { - "type": "boolean", - "title": "Encoding", - "description": "If true then the value field contains the media data encoded in base64. If false then the value field contains the UTF-8 media content.", - "default": false - }, - "value": { - "type": "string", - "description": "Supporting media content, up to 16K. 
If base64 is true, this field stores base64 encoded data.", - "minLength": 1, - "maxLength": 16384 - } - }, - "required": [ - "type", - "value" - ], - "additionalProperties": false - } - } - }, - "required": [ - "lang", - "value" - ], - "additionalProperties": false - }, - "englishLanguageDescription": { - "type": "object", - "description": "A description with lang set to an English language (en, en_US, en_UK, and so on).", - "properties": { - "lang": { - "$ref": "#/definitions/englishLanguage" - } - }, - "required": [ - "lang" - ], - "$comment": "Cannot use additionalProperties: false here, as this prevents the other properties used by /definitions/description." - }, - "descriptions": { - "type": "array", - "description": "A list of multi-lingual descriptions of the vulnerability. E.g., [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]. OR [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] [ROOT CAUSE], which allows [ATTACKER] to [IMPACT] via [VECTOR].", - "minItems": 1, - "uniqueItems": true, - "items": { - "$ref": "#/definitions/description" - }, - "contains": { - "$ref": "#/definitions/englishLanguageDescription" - } - }, - "problemTypes": { - "type": "array", - "description": "This is problem type information (e.g. CWE identifier). Must contain: At least one entry, can be text, OWASP, CWE, please note that while only one is required you can use more than one (or indeed all three) as long as they are correct). 
(CNA requirement: [PROBLEMTYPE]).", - "items": { - "type": "object", - "required": [ - "descriptions" - ], - "properties": { - "descriptions": { - "type": "array", - "items": { - "type": "object", - "required": [ - "lang", - "description" - ], - "properties": { - "lang": { - "$ref": "#/definitions/language" - }, - "description": { - "type": "string", - "description": "Text description of problemType, or title from CWE or OWASP.", - "minLength": 1, - "maxLength": 4096 - }, - "cweId": { - "type": "string", - "description": "CWE ID of the CWE that best describes this problemType entry.", - "minLength": 5, - "maxLength": 9, - "pattern": "^CWE-[1-9][0-9]*$" - }, - "type": { - "type": "string", - "description": "Problemtype source, text, OWASP, CWE, etc.,", - "minLength": 1, - "maxLength": 128 - }, - "references": { - "$ref": "#/definitions/references" - } - }, - "additionalProperties": false - }, - "minItems": 1, - "uniqueItems": true - } - }, - "additionalProperties": false - }, - "minItems": 1, - "uniqueItems": true - }, - "references": { - "type": "array", - "description": "This is reference data in the form of URLs or file objects (uuencoded and embedded within the JSON file, exact format to be decided, e.g. we may require a compressed format so the objects require unpacking before they are \"dangerous\").", - "items": { - "$ref": "#/definitions/reference" - }, - "minItems": 1, - "maxItems": 512, - "uniqueItems": true - }, - "impacts": { - "type": "array", - "description": "Collection of impacts of this vulnerability.", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "description": "This is impact type information (e.g. 
a text description.", - "required": [ - "descriptions" - ], - "properties": { - "capecId": { - "type": "string", - "description": "CAPEC ID that best relates to this impact.", - "minLength": 7, - "maxLength": 11, - "pattern": "^CAPEC-[1-9][0-9]{0,4}$" - }, - "descriptions": { - "description": "Prose description of the impact scenario. At a minimum provide the description given by CAPEC.", - "$ref": "#/definitions/descriptions" - } - }, - "additionalProperties": false - } - }, - "metrics": { - "type": "array", - "description": "Collection of impact scores with attribution.", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "description": "This is impact type information (e.g. a text description, CVSSv2, CVSSv3, CVSSV4, etc.). Must contain: At least one entry, can be text, CVSSv2, CVSSv3, others may be added.", - "anyOf": [ - { - "required": [ - "cvssV4_0" - ] - }, - { - "required": [ - "cvssV3_1" - ] - }, - { - "required": [ - "cvssV3_0" - ] - }, - { - "required": [ - "cvssV2_0" - ] - }, - { - "required": [ - "other" - ] - } - ], - "properties": { - "format": { - "type": "string", - "description": "Name of the scoring format. This provides a bit of future proofing. Additional properties are not prohibited, so this will support the inclusion of proprietary formats. It also provides an easy future conversion mechanism when future score formats become part of the schema. example: cvssV44, format = 'cvssV44', other = cvssV4_4 JSON object. In the future, the other properties can be converted to score properties when they become part of the schema.", - "minLength": 1, - "maxLength": 64 - }, - "scenarios": { - "type": "array", - "description": "Description of the scenarios this metrics object applies to. 
If no specific scenario is given, GENERAL is used as the default and applies when no more specific metric matches.", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "properties": { - "lang": { - "$ref": "#/definitions/language" - }, - "value": { - "type": "string", - "default": "GENERAL", - "description": "Description of the scenario this metrics object applies to. If no specific scenario is given, GENERAL is used as the default and applies when no more specific metric matches.", - "minLength": 1, - "maxLength": 4096 - } - }, - "required": [ - "lang", - "value" - ], - "additionalProperties": false - } - }, - "cvssV4_0": { - "$schema": "http://json-schema.org/draft-07/schema#", - "title": "JSON Schema for Common Vulnerability Scoring System version 4.0", - "type": "object", - "definitions": { - "attackVectorType": { - "type": "string", - "enum": [ - "NETWORK", - "ADJACENT", - "LOCAL", - "PHYSICAL" - ] - }, - "modifiedAttackVectorType": { - "type": "string", - "enum": [ - "NETWORK", - "ADJACENT", - "LOCAL", - "PHYSICAL", - "NOT_DEFINED" - ], - "default": "NOT_DEFINED" - }, - "attackComplexityType": { - "type": "string", - "enum": [ - "HIGH", - "LOW" - ] - }, - "modifiedAttackComplexityType": { - "type": "string", - "enum": [ - "HIGH", - "LOW", - "NOT_DEFINED" - ], - "default": "NOT_DEFINED" - }, - "attackRequirementsType": { - "type": "string", - "enum": [ - "NONE", - "PRESENT" - ] - }, - "modifiedAttackRequirementsType": { - "type": "string", - "enum": [ - "NONE", - "PRESENT", - "NOT_DEFINED" - ], - "default": "NOT_DEFINED" - }, - "privilegesRequiredType": { - "type": "string", - "enum": [ - "HIGH", - "LOW", - "NONE" - ] - }, - "modifiedPrivilegesRequiredType": { - "type": "string", - "enum": [ - "HIGH", - "LOW", - "NONE", - "NOT_DEFINED" - ], - "default": "NOT_DEFINED" - }, - "userInteractionType": { - "type": "string", - "enum": [ - "NONE", - "PASSIVE", - "ACTIVE" - ] - }, - "modifiedUserInteractionType": { - "type": "string", - "enum": 
[ - "NONE", - "PASSIVE", - "ACTIVE", - "NOT_DEFINED" - ], - "default": "NOT_DEFINED" - }, - "vulnCiaType": { - "type": "string", - "enum": [ - "NONE", - "LOW", - "HIGH" - ] - }, - "modifiedVulnCiaType": { - "type": "string", - "enum": [ - "NONE", - "LOW", - "HIGH", - "NOT_DEFINED" - ], - "default": "NOT_DEFINED" - }, - "subCiaType": { - "type": "string", - "enum": [ - "NONE", - "LOW", - "HIGH" - ] - }, - "modifiedSubCType": { - "type": "string", - "enum": [ - "NONE", - "LOW", - "HIGH", - "NOT_DEFINED" - ], - "default": "NOT_DEFINED" - }, - "modifiedSubIaType": { - "type": "string", - "enum": [ - "NONE", - "LOW", - "HIGH", - "SAFETY", - "NOT_DEFINED" - ], - "default": "NOT_DEFINED" - }, - "exploitMaturityType": { - "type": "string", - "enum": [ - "UNREPORTED", - "PROOF_OF_CONCEPT", - "ATTACKED", - "NOT_DEFINED" - ], - "default": "NOT_DEFINED" - }, - "ciaRequirementType": { - "type": "string", - "enum": [ - "LOW", - "MEDIUM", - "HIGH", - "NOT_DEFINED" - ], - "default": "NOT_DEFINED" - }, - "safetyType": { - "type": "string", - "enum": [ - "NEGLIGIBLE", - "PRESENT", - "NOT_DEFINED" - ], - "default": "NOT_DEFINED" - }, - "automatableType": { - "type": "string", - "enum": [ - "NO", - "YES", - "NOT_DEFINED" - ], - "default": "NOT_DEFINED" - }, - "recoveryType": { - "type": "string", - "enum": [ - "AUTOMATIC", - "USER", - "IRRECOVERABLE", - "NOT_DEFINED" - ], - "default": "NOT_DEFINED" - }, - "valueDensityType": { - "type": "string", - "enum": [ - "DIFFUSE", - "CONCENTRATED", - "NOT_DEFINED" - ], - "default": "NOT_DEFINED" - }, - "vulnerabilityResponseEffortType": { - "type": "string", - "enum": [ - "LOW", - "MODERATE", - "HIGH", - "NOT_DEFINED" - ], - "default": "NOT_DEFINED" - }, - "providerUrgencyType": { - "type": "string", - "enum": [ - "CLEAR", - "GREEN", - "AMBER", - "RED", - "NOT_DEFINED" - ], - "default": "NOT_DEFINED" - }, - "scoreType": { - "type": "number", - "enum": [ - 0.0, - 0.1, - 0.2, - 0.3, - 0.4, - 0.5, - 0.6, - 0.7, - 0.8, - 0.9, - 1.0, - 1.1, - 1.2, - 
1.3, - 1.4, - 1.5, - 1.6, - 1.7, - 1.8, - 1.9, - 2.0, - 2.1, - 2.2, - 2.3, - 2.4, - 2.5, - 2.6, - 2.7, - 2.8, - 2.9, - 3.0, - 3.1, - 3.2, - 3.3, - 3.4, - 3.5, - 3.6, - 3.7, - 3.8, - 3.9, - 4.0, - 4.1, - 4.2, - 4.3, - 4.4, - 4.5, - 4.6, - 4.7, - 4.8, - 4.9, - 5.0, - 5.1, - 5.2, - 5.3, - 5.4, - 5.5, - 5.6, - 5.7, - 5.8, - 5.9, - 6.0, - 6.1, - 6.2, - 6.3, - 6.4, - 6.5, - 6.6, - 6.7, - 6.8, - 6.9, - 7.0, - 7.1, - 7.2, - 7.3, - 7.4, - 7.5, - 7.6, - 7.7, - 7.8, - 7.9, - 8.0, - 8.1, - 8.2, - 8.3, - 8.4, - 8.5, - 8.6, - 8.7, - 8.8, - 8.9, - 9.0, - 9.1, - 9.2, - 9.3, - 9.4, - 9.5, - 9.6, - 9.7, - 9.8, - 9.9, - 10.0 - ] - }, - "noneScoreType": { - "type": "number", - "minimum": 0, - "maximum": 0 - }, - "lowScoreType": { - "type": "number", - "enum": [ - 0.1, - 0.2, - 0.3, - 0.4, - 0.5, - 0.6, - 0.7, - 0.8, - 0.9, - 1.0, - 1.1, - 1.2, - 1.3, - 1.4, - 1.5, - 1.6, - 1.7, - 1.8, - 1.9, - 2.0, - 2.1, - 2.2, - 2.3, - 2.4, - 2.5, - 2.6, - 2.7, - 2.8, - 2.9, - 3.0, - 3.1, - 3.2, - 3.3, - 3.4, - 3.5, - 3.6, - 3.7, - 3.8, - 3.9 - ] - }, - "mediumScoreType": { - "type": "number", - "enum": [ - 4.0, - 4.1, - 4.2, - 4.3, - 4.4, - 4.5, - 4.6, - 4.7, - 4.8, - 4.9, - 5.0, - 5.1, - 5.2, - 5.3, - 5.4, - 5.5, - 5.6, - 5.7, - 5.8, - 5.9, - 6.0, - 6.1, - 6.2, - 6.3, - 6.4, - 6.5, - 6.6, - 6.7, - 6.8, - 6.9 - ] - }, - "highScoreType": { - "type": "number", - "enum": [ - 7.0, - 7.1, - 7.2, - 7.3, - 7.4, - 7.5, - 7.6, - 7.7, - 7.8, - 7.9, - 8.0, - 8.1, - 8.2, - 8.3, - 8.4, - 8.5, - 8.6, - 8.7, - 8.8, - 8.9 - ] - }, - "criticalScoreType": { - "type": "number", - "enum": [ - 9.0, - 9.1, - 9.2, - 9.3, - 9.4, - 9.5, - 9.6, - 9.7, - 9.8, - 9.9, - 10.0 - ] - }, - "severityType": { - "type": "string", - "enum": [ - "NONE", - "LOW", - "MEDIUM", - "HIGH", - "CRITICAL" - ] - }, - "noneSeverityType": { - "const": "NONE" - }, - "lowSeverityType": { - "const": "LOW" - }, - "mediumSeverityType": { - "const": "MEDIUM" - }, - "highSeverityType": { - "const": "HIGH" - }, - "criticalSeverityType": { - "const": 
"CRITICAL" - } - }, - "properties": { - "version": { - "description": "CVSS Version", - "type": "string", - "enum": [ - "4.0" - ] - }, - "vectorString": { - "type": "string", - "pattern": "^CVSS:4[.]0/AV:[NALP]/AC:[LH]/AT:[NP]/PR:[NLH]/UI:[NPA]/VC:[HLN]/VI:[HLN]/VA:[HLN]/SC:[HLN]/SI:[HLN]/SA:[HLN](/E:[XAPU])?(/CR:[XHML])?(/IR:[XHML])?(/AR:[XHML])?(/MAV:[XNALP])?(/MAC:[XLH])?(/MAT:[XNP])?(/MPR:[XNLH])?(/MUI:[XNPA])?(/MVC:[XNLH])?(/MVI:[XNLH])?(/MVA:[XNLH])?(/MSC:[XNLH])?(/MSI:[XNLHS])?(/MSA:[XNLHS])?(/S:[XNP])?(/AU:[XNY])?(/R:[XAUI])?(/V:[XDC])?(/RE:[XLMH])?(/U:(X|Clear|Green|Amber|Red))?$" - }, - "baseScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/scoreType" - }, - "baseSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/severityType" - }, - "attackVector": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/attackVectorType" - }, - "attackComplexity": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/attackComplexityType" - }, - "attackRequirements": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/attackRequirementsType" - }, - "privilegesRequired": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/privilegesRequiredType" - }, - "userInteraction": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/userInteractionType" - }, - "vulnConfidentialityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType" - }, - "vulnIntegrityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType" - }, - "vulnAvailabilityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnCiaType" - }, - "subConfidentialityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType" - }, - "subIntegrityImpact": { - "$ref": 
"#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType" - }, - "subAvailabilityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/subCiaType" - }, - "exploitMaturity": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/exploitMaturityType" - }, - "confidentialityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType" - }, - "integrityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType" - }, - "availabilityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/ciaRequirementType" - }, - "modifiedAttackVector": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackVectorType" - }, - "modifiedAttackComplexity": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackComplexityType" - }, - "modifiedAttackRequirements": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedAttackRequirementsType" - }, - "modifiedPrivilegesRequired": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedPrivilegesRequiredType" - }, - "modifiedUserInteraction": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedUserInteractionType" - }, - "modifiedVulnConfidentialityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType" - }, - "modifiedVulnIntegrityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType" - }, - "modifiedVulnAvailabilityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedVulnCiaType" - }, - "modifiedSubConfidentialityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubCType" - }, - "modifiedSubIntegrityImpact": { - "$ref": 
"#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubIaType" - }, - "modifiedSubAvailabilityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/modifiedSubIaType" - }, - "Safety": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/safetyType" - }, - "Automatable": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/automatableType" - }, - "Recovery": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/recoveryType" - }, - "valueDensity": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/valueDensityType" - }, - "vulnerabilityResponseEffort": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/vulnerabilityResponseEffortType" - }, - "providerUrgency": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/providerUrgencyType" - } - }, - "allOf": [ - { - "anyOf": [ - { - "properties": { - "baseScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType" - }, - "baseSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType" - } - } - }, - { - "properties": { - "baseScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowScoreType" - }, - "baseSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowSeverityType" - } - } - }, - { - "properties": { - "baseScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumScoreType" - }, - "baseSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumSeverityType" - } - } - }, - { - "properties": { - "baseScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highScoreType" - }, - "baseSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highSeverityType" - } - } - }, - { - "properties": { - "baseScore": { - 
"$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalScoreType" - }, - "baseSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalSeverityType" - } - } - } - ] - }, - { - "anyOf": [ - { - "properties": { - "threatScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType" - }, - "threatSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType" - } - } - }, - { - "properties": { - "threatScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowScoreType" - }, - "threatSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowSeverityType" - } - } - }, - { - "properties": { - "threatScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumScoreType" - }, - "threatSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumSeverityType" - } - } - }, - { - "properties": { - "threatScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highScoreType" - }, - "threatSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highSeverityType" - } - } - }, - { - "properties": { - "threatScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalScoreType" - }, - "threatSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalSeverityType" - } - } - } - ] - }, - { - "anyOf": [ - { - "properties": { - "environmentalScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType" - }, - "environmentalSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType" - } - } - }, - { - "properties": { - "environmentalScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowScoreType" - }, - "environmentalSeverity": { - 
"$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowSeverityType" - } - } - }, - { - "properties": { - "environmentalScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumScoreType" - }, - "environmentalSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumSeverityType" - } - } - }, - { - "properties": { - "environmentalScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highScoreType" - }, - "environmentalSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highSeverityType" - } - } - }, - { - "properties": { - "environmentalScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalScoreType" - }, - "environmentalSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalSeverityType" - } - } - } - ] - } - ], - "required": [ - "version", - "vectorString", - "baseScore", - "baseSeverity" - ], - "additionalProperties": false - }, - "cvssV3_1": { - "$schema": "http://json-schema.org/draft-07/schema#", - "title": "JSON Schema for Common Vulnerability Scoring System version 3.1", - "type": "object", - "definitions": { - "attackVectorType": { - "type": "string", - "enum": [ - "NETWORK", - "ADJACENT_NETWORK", - "LOCAL", - "PHYSICAL" - ] - }, - "modifiedAttackVectorType": { - "type": "string", - "enum": [ - "NETWORK", - "ADJACENT_NETWORK", - "LOCAL", - "PHYSICAL", - "NOT_DEFINED" - ] - }, - "attackComplexityType": { - "type": "string", - "enum": [ - "HIGH", - "LOW" - ] - }, - "modifiedAttackComplexityType": { - "type": "string", - "enum": [ - "HIGH", - "LOW", - "NOT_DEFINED" - ] - }, - "privilegesRequiredType": { - "type": "string", - "enum": [ - "HIGH", - "LOW", - "NONE" - ] - }, - "modifiedPrivilegesRequiredType": { - "type": "string", - "enum": [ - "HIGH", - "LOW", - "NONE", - "NOT_DEFINED" - ] - }, - "userInteractionType": { - "type": "string", - "enum": [ - 
"NONE", - "REQUIRED" - ] - }, - "modifiedUserInteractionType": { - "type": "string", - "enum": [ - "NONE", - "REQUIRED", - "NOT_DEFINED" - ] - }, - "scopeType": { - "type": "string", - "enum": [ - "UNCHANGED", - "CHANGED" - ] - }, - "modifiedScopeType": { - "type": "string", - "enum": [ - "UNCHANGED", - "CHANGED", - "NOT_DEFINED" - ] - }, - "ciaType": { - "type": "string", - "enum": [ - "NONE", - "LOW", - "HIGH" - ] - }, - "modifiedCiaType": { - "type": "string", - "enum": [ - "NONE", - "LOW", - "HIGH", - "NOT_DEFINED" - ] - }, - "exploitCodeMaturityType": { - "type": "string", - "enum": [ - "UNPROVEN", - "PROOF_OF_CONCEPT", - "FUNCTIONAL", - "HIGH", - "NOT_DEFINED" - ] - }, - "remediationLevelType": { - "type": "string", - "enum": [ - "OFFICIAL_FIX", - "TEMPORARY_FIX", - "WORKAROUND", - "UNAVAILABLE", - "NOT_DEFINED" - ] - }, - "confidenceType": { - "type": "string", - "enum": [ - "UNKNOWN", - "REASONABLE", - "CONFIRMED", - "NOT_DEFINED" - ] - }, - "ciaRequirementType": { - "type": "string", - "enum": [ - "LOW", - "MEDIUM", - "HIGH", - "NOT_DEFINED" - ] - }, - "scoreType": { - "type": "number", - "minimum": 0, - "maximum": 10 - }, - "severityType": { - "type": "string", - "enum": [ - "NONE", - "LOW", - "MEDIUM", - "HIGH", - "CRITICAL" - ] - } - }, - "properties": { - "version": { - "description": "CVSS Version", - "type": "string", - "enum": [ - "3.1" - ] - }, - "vectorString": { - "type": "string", - "pattern": "^CVSS:3[.]1/((AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$" - }, - "attackVector": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/attackVectorType" - }, - "attackComplexity": { - "$ref": 
"#/definitions/metrics/items/properties/cvssV3_1/definitions/attackComplexityType" - }, - "privilegesRequired": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/privilegesRequiredType" - }, - "userInteraction": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/userInteractionType" - }, - "scope": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scopeType" - }, - "confidentialityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType" - }, - "integrityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType" - }, - "availabilityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaType" - }, - "baseScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType" - }, - "baseSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType" - }, - "exploitCodeMaturity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/exploitCodeMaturityType" - }, - "remediationLevel": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/remediationLevelType" - }, - "reportConfidence": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/confidenceType" - }, - "temporalScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType" - }, - "temporalSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType" - }, - "confidentialityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType" - }, - "integrityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType" - }, - "availabilityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/ciaRequirementType" - }, - "modifiedAttackVector": { - "$ref": 
"#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedAttackVectorType" - }, - "modifiedAttackComplexity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedAttackComplexityType" - }, - "modifiedPrivilegesRequired": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedPrivilegesRequiredType" - }, - "modifiedUserInteraction": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedUserInteractionType" - }, - "modifiedScope": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedScopeType" - }, - "modifiedConfidentialityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType" - }, - "modifiedIntegrityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType" - }, - "modifiedAvailabilityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/modifiedCiaType" - }, - "environmentalScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/scoreType" - }, - "environmentalSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_1/definitions/severityType" - } - }, - "anyOf": [ - { - "properties": { - "baseScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType" - }, - "baseSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType" - } - } - }, - { - "properties": { - "baseScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowScoreType" - }, - "baseSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowSeverityType" - } - } - }, - { - "properties": { - "baseScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumScoreType" - }, - "baseSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumSeverityType" 
- } - } - }, - { - "properties": { - "baseScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highScoreType" - }, - "baseSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highSeverityType" - } - } - }, - { - "properties": { - "baseScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalScoreType" - }, - "baseSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalSeverityType" - } - } - } - ], - "required": [ - "version", - "vectorString", - "baseScore", - "baseSeverity" - ], - "additionalProperties": false - }, - "cvssV3_0": { - "$schema": "http://json-schema.org/draft-04/schema#", - "title": "JSON Schema for Common Vulnerability Scoring System version 3.0", - "type": "object", - "definitions": { - "attackVectorType": { - "type": "string", - "enum": [ - "NETWORK", - "ADJACENT_NETWORK", - "LOCAL", - "PHYSICAL" - ] - }, - "modifiedAttackVectorType": { - "type": "string", - "enum": [ - "NETWORK", - "ADJACENT_NETWORK", - "LOCAL", - "PHYSICAL", - "NOT_DEFINED" - ] - }, - "attackComplexityType": { - "type": "string", - "enum": [ - "HIGH", - "LOW" - ] - }, - "modifiedAttackComplexityType": { - "type": "string", - "enum": [ - "HIGH", - "LOW", - "NOT_DEFINED" - ] - }, - "privilegesRequiredType": { - "type": "string", - "enum": [ - "HIGH", - "LOW", - "NONE" - ] - }, - "modifiedPrivilegesRequiredType": { - "type": "string", - "enum": [ - "HIGH", - "LOW", - "NONE", - "NOT_DEFINED" - ] - }, - "userInteractionType": { - "type": "string", - "enum": [ - "NONE", - "REQUIRED" - ] - }, - "modifiedUserInteractionType": { - "type": "string", - "enum": [ - "NONE", - "REQUIRED", - "NOT_DEFINED" - ] - }, - "scopeType": { - "type": "string", - "enum": [ - "UNCHANGED", - "CHANGED" - ] - }, - "modifiedScopeType": { - "type": "string", - "enum": [ - "UNCHANGED", - "CHANGED", - "NOT_DEFINED" - ] - }, - "ciaType": { - "type": "string", - "enum": [ - "NONE", - 
"LOW", - "HIGH" - ] - }, - "modifiedCiaType": { - "type": "string", - "enum": [ - "NONE", - "LOW", - "HIGH", - "NOT_DEFINED" - ] - }, - "exploitCodeMaturityType": { - "type": "string", - "enum": [ - "UNPROVEN", - "PROOF_OF_CONCEPT", - "FUNCTIONAL", - "HIGH", - "NOT_DEFINED" - ] - }, - "remediationLevelType": { - "type": "string", - "enum": [ - "OFFICIAL_FIX", - "TEMPORARY_FIX", - "WORKAROUND", - "UNAVAILABLE", - "NOT_DEFINED" - ] - }, - "confidenceType": { - "type": "string", - "enum": [ - "UNKNOWN", - "REASONABLE", - "CONFIRMED", - "NOT_DEFINED" - ] - }, - "ciaRequirementType": { - "type": "string", - "enum": [ - "LOW", - "MEDIUM", - "HIGH", - "NOT_DEFINED" - ] - }, - "scoreType": { - "type": "number", - "minimum": 0, - "maximum": 10 - }, - "severityType": { - "type": "string", - "enum": [ - "NONE", - "LOW", - "MEDIUM", - "HIGH", - "CRITICAL" - ] - } - }, - "properties": { - "version": { - "description": "CVSS Version", - "type": "string", - "enum": [ - "3.0" - ] - }, - "vectorString": { - "type": "string", - "pattern": "^CVSS:3[.]0/((AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$" - }, - "attackVector": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/attackVectorType" - }, - "attackComplexity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/attackComplexityType" - }, - "privilegesRequired": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/privilegesRequiredType" - }, - "userInteraction": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/userInteractionType" - }, - "scope": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scopeType" - }, - 
"confidentialityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType" - }, - "integrityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType" - }, - "availabilityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaType" - }, - "baseScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType" - }, - "baseSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType" - }, - "exploitCodeMaturity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/exploitCodeMaturityType" - }, - "remediationLevel": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/remediationLevelType" - }, - "reportConfidence": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/confidenceType" - }, - "temporalScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType" - }, - "temporalSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType" - }, - "confidentialityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType" - }, - "integrityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType" - }, - "availabilityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/ciaRequirementType" - }, - "modifiedAttackVector": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedAttackVectorType" - }, - "modifiedAttackComplexity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedAttackComplexityType" - }, - "modifiedPrivilegesRequired": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedPrivilegesRequiredType" - }, - "modifiedUserInteraction": { - "$ref": 
"#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedUserInteractionType" - }, - "modifiedScope": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedScopeType" - }, - "modifiedConfidentialityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType" - }, - "modifiedIntegrityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType" - }, - "modifiedAvailabilityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/modifiedCiaType" - }, - "environmentalScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/scoreType" - }, - "environmentalSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV3_0/definitions/severityType" - } - }, - "anyOf": [ - { - "properties": { - "baseScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType" - }, - "baseSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/noneSeverityType" - } - } - }, - { - "properties": { - "baseScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowScoreType" - }, - "baseSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/lowSeverityType" - } - } - }, - { - "properties": { - "baseScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumScoreType" - }, - "baseSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumSeverityType" - } - } - }, - { - "properties": { - "baseScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highScoreType" - }, - "baseSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/highSeverityType" - } - } - }, - { - "properties": { - "baseScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalScoreType" - }, - 
"baseSeverity": { - "$ref": "#/definitions/metrics/items/properties/cvssV4_0/definitions/criticalSeverityType" - } - } - } - ], - "required": [ - "version", - "vectorString", - "baseScore", - "baseSeverity" - ], - "additionalProperties": false - }, - "cvssV2_0": { - "$schema": "http://json-schema.org/draft-04/schema#", - "title": "JSON Schema for Common Vulnerability Scoring System version 2.0", - "type": "object", - "definitions": { - "accessVectorType": { - "type": "string", - "enum": [ - "NETWORK", - "ADJACENT_NETWORK", - "LOCAL" - ] - }, - "accessComplexityType": { - "type": "string", - "enum": [ - "HIGH", - "MEDIUM", - "LOW" - ] - }, - "authenticationType": { - "type": "string", - "enum": [ - "MULTIPLE", - "SINGLE", - "NONE" - ] - }, - "ciaType": { - "type": "string", - "enum": [ - "NONE", - "PARTIAL", - "COMPLETE" - ] - }, - "exploitabilityType": { - "type": "string", - "enum": [ - "UNPROVEN", - "PROOF_OF_CONCEPT", - "FUNCTIONAL", - "HIGH", - "NOT_DEFINED" - ] - }, - "remediationLevelType": { - "type": "string", - "enum": [ - "OFFICIAL_FIX", - "TEMPORARY_FIX", - "WORKAROUND", - "UNAVAILABLE", - "NOT_DEFINED" - ] - }, - "reportConfidenceType": { - "type": "string", - "enum": [ - "UNCONFIRMED", - "UNCORROBORATED", - "CONFIRMED", - "NOT_DEFINED" - ] - }, - "collateralDamagePotentialType": { - "type": "string", - "enum": [ - "NONE", - "LOW", - "LOW_MEDIUM", - "MEDIUM_HIGH", - "HIGH", - "NOT_DEFINED" - ] - }, - "targetDistributionType": { - "type": "string", - "enum": [ - "NONE", - "LOW", - "MEDIUM", - "HIGH", - "NOT_DEFINED" - ] - }, - "ciaRequirementType": { - "type": "string", - "enum": [ - "LOW", - "MEDIUM", - "HIGH", - "NOT_DEFINED" - ] - }, - "scoreType": { - "type": "number", - "minimum": 0, - "maximum": 10 - } - }, - "properties": { - "version": { - "description": "CVSS Version", - "type": "string", - "enum": [ - "2.0" - ] - }, - "vectorString": { - "type": "string", - "pattern": 
"^((AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))/)*(AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))$" - }, - "accessVector": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/accessVectorType" - }, - "accessComplexity": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/accessComplexityType" - }, - "authentication": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/authenticationType" - }, - "confidentialityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType" - }, - "integrityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType" - }, - "availabilityImpact": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaType" - }, - "baseScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType" - }, - "exploitability": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/exploitabilityType" - }, - "remediationLevel": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/remediationLevelType" - }, - "reportConfidence": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/reportConfidenceType" - }, - "temporalScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType" - }, - "collateralDamagePotential": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/collateralDamagePotentialType" - }, - "targetDistribution": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/targetDistributionType" - }, - "confidentialityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType" - }, - "integrityRequirement": { - 
"$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType" - }, - "availabilityRequirement": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/ciaRequirementType" - }, - "environmentalScore": { - "$ref": "#/definitions/metrics/items/properties/cvssV2_0/definitions/scoreType" - } - }, - "required": [ - "version", - "vectorString", - "baseScore" - ], - "additionalProperties": false - }, - "other": { - "type": "object", - "description": "A non-standard impact description, may be prose or JSON block.", - "required": [ - "type", - "content" - ], - "properties": { - "type": { - "description": "Name of the non-standard impact metrics format used.", - "type": "string", - "minLength": 1, - "maxLength": 128 - }, - "content": { - "type": "object", - "$comment": "additionalProperties are allowed here, since this construct supports arbitrary JSON.", - "description": "JSON object not covered by another metrics format.", - "minProperties": 1 - } - }, - "additionalProperties": false - } - }, - "additionalProperties": false - } - }, - "configurations": { - "type": "array", - "description": "Configurations required for exploiting this vulnerability.", - "minItems": 1, - "uniqueItems": true, - "items": { - "$ref": "#/definitions/description" - } - }, - "workarounds": { - "type": "array", - "description": "Workarounds and mitigations for this vulnerability.", - "minItems": 1, - "uniqueItems": true, - "items": { - "$ref": "#/definitions/description" - } - }, - "solutions": { - "type": "array", - "description": "Information about solutions or remediations available for this vulnerability.", - "minItems": 1, - "uniqueItems": true, - "items": { - "$ref": "#/definitions/description" - } - }, - "exploits": { - "type": "array", - "description": "Information about exploits of the vulnerability.", - "minItems": 1, - "uniqueItems": true, - "items": { - "$ref": "#/definitions/description" - } - }, - "timeline": { - "type": "array", - 
"description": "This is timeline information for significant events about this vulnerability or changes to the CVE Record.", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "required": [ - "time", - "lang", - "value" - ], - "properties": { - "time": { - "description": "Timestamp representing when the event in the timeline occurred. The timestamp format is based on RFC3339 and ISO ISO8601, with an optional timezone. yyyy-MM-ddTHH:mm:ss[+-]ZH:ZM - if the timezone offset is not given, GMT (+00:00) is assumed.", - "$ref": "#/definitions/timestamp" - }, - "lang": { - "description": "The language used in the description of the event. The language field is included so that CVE Records can support translations. The value must be a BCP 47 language code.", - "$ref": "#/definitions/language" - }, - "value": { - "description": "A summary of the event.", - "type": "string", - "minLength": 1, - "maxLength": 4096 - } - }, - "additionalProperties": false - } - }, - "credits": { - "type": "array", - "description": "Statements acknowledging specific people, organizations, or tools recognizing the work done in researching, discovering, remediating or helping with activities related to this CVE.", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "properties": { - "lang": { - "description": "The language used when describing the credits. The language field is included so that CVE Records can support translations. The value must be a BCP 47 language code.", - "$ref": "#/definitions/language" - }, - "value": { - "type": "string", - "minLength": 1, - "maxLength": 4096 - }, - "user": { - "description": "UUID of the user being credited if present in the CVE User Registry (optional). This UUID can be used to lookup the user record in the user registry service.", - "$ref": "#/definitions/uuidType" - }, - "type": { - "type": "string", - "description": "Type or role of the entity being credited (optional). 
finder: identifies the vulnerability.\nreporter: notifies the vendor of the vulnerability to a CNA.\nanalyst: validates the vulnerability to ensure accuracy or severity.\ncoordinator: facilitates the coordinated response process.\nremediation developer: prepares a code change or other remediation plans.\nremediation reviewer: reviews vulnerability remediation plans or code changes for effectiveness and completeness.\nremediation verifier: tests and verifies the vulnerability or its remediation.\ntool: names of tools used in vulnerability discovery or identification.\nsponsor: supports the vulnerability identification or remediation activities.", - "default": "finder", - "enum": [ - "finder", - "reporter", - "analyst", - "coordinator", - "remediation developer", - "remediation reviewer", - "remediation verifier", - "tool", - "sponsor", - "other" - ] - } - }, - "additionalProperties": false, - "required": [ - "lang", - "value" - ] - } - }, - "source": { - "type": "object", - "description": "This is the source information (who discovered it, who researched it, etc.) and optionally a chain of CNA information (e.g. the originating CNA and subsequent parent CNAs who have processed it before it arrives at the MITRE root).\n Must contain: IF this is in the root level it MUST contain a CNA_chain entry, IF this source entry is NOT in the root (e.g. 
it is part of a vendor statement) then it must contain at least one type of data entry.", - "minProperties": 1 - }, - "language": { - "type": "string", - "description": "BCP 47 language code, language-region.", - "default": "en", - "pattern": "^[A-Za-z]{2,4}([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$" - }, - "englishLanguage": { - "type": "string", - "description": "BCP 47 language code, language-region, required to be English.", - "pattern": "^en([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$" - }, - "taxonomyMappings": { - "type": "array", - "description": "List of taxonomy items related to the vulnerability.", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "description": "A taxonomy mapping object identifies the taxonomy by a name and version (eg., ATT&CK v13.1, CVSS 3.1, CWE 4.12) along with a list of relations relevant to this CVE.", - "required": [ - "taxonomyName", - "taxonomyRelations" - ], - "properties": { - "taxonomyName": { - "type": "string", - "description": "The name of the taxonomy, eg., ATT&CK, D3FEND, CWE, CVSS", - "minLength": 1, - "maxLength": 128 - }, - "taxonomyVersion": { - "type": "string", - "description": "The version of taxonomy the identifiers come from.", - "minLength": 1, - "maxLength": 128 - }, - "taxonomyRelations": { - "type": "array", - "description": "List of relationships to the taxonomy for the vulnerability.", - "minItems": 1, - "uniqueItems": true, - "items": { - "type": "object", - "description": "A relationship between the taxonomy and the CVE or two taxonomy items.", - "required": [ - "taxonomyId", - "relationshipName", - "relationshipValue" - ], - "properties": { - "taxonomyId": { - "type": "string", - "description": "Identifier of the item in the taxonomy. 
Used as the subject of the relationship.", - "minLength": 1, - "maxLength": 2048 - }, - "relationshipName": { - "type": "string", - "description": "A description of the relationship.", - "minLength": 1, - "maxLength": 128 - }, - "relationshipValue": { - "type": "string", - "description": "The target of the relationship. Can be the CVE ID or another taxonomy identifier.", - "minLength": 1, - "maxLength": 2048 - } - }, - "additionalProperties": false - } - } - }, - "additionalProperties": false - } - }, - "tagExtension": { - "type": "string", - "minLength": 2, - "maxLength": 128, - "pattern": "^x_.*$", - "$comment": "These values are not used as JSON property names, so there is not a need to work-around property naming limitations in some common implementations." - }, - "cnaTags": { - "type": "array", - "description": "Tags provided by a CNA describing the CVE Record.", - "uniqueItems": true, - "minItems": 1, - "items": { - "oneOf": [ - { - "$ref": "#/definitions/tagExtension" - }, - { - "$schema": "http://json-schema.org/draft-07/schema#", - "$id": "https://cve.mitre.org/cve/v5_00/tags/cna/", - "type": "string", - "description": "exclusively-hosted-service: All known software and/or hardware affected by this CVE Record is known to exist only in the affected hosted service. If the vulnerability affects both hosted and on-prem software and/or hardware, then the tag should not be used.\n\nunsupported-when-assigned: Used by the assigning CNA to indicate that when a request for a CVE assignment was received, the product was already end-of-life (EOL) or a product or specific version was deemed not to be supported by the vendor. 
This tag should only be applied to a CVE Record when all affected products or version lines referenced in the CVE-Record are EOL.\n\ndisputed: When one party disagrees with another party's assertion that a particular issue in software is a vulnerability, a CVE Record assigned to that issue may be tagged as being 'disputed'.", - "enum": [ - "unsupported-when-assigned", - "exclusively-hosted-service", - "disputed" - ] - } - ] - } - }, - "adpTags": { - "type": "array", - "description": "Tags provided by an ADP describing the CVE Record.", - "uniqueItems": true, - "minItems": 1, - "items": { - "oneOf": [ - { - "$ref": "#/definitions/tagExtension" - }, - { - "$schema": "http://json-schema.org/draft-07/schema#", - "$id": "https://cve.mitre.org/cve/v5_00/tags/adp/", - "type": "string", - "description": "disputed: When one party disagrees with another party's assertion that a particular issue in software is a vulnerability, a CVE Record assigned to that issue may be tagged as being 'disputed'.", - "enum": [ - "disputed" - ] - } - ] - } - } - }, - "oneOf": [ - { - "title": "Published", - "description": "When a CNA populates the data associated with a CVE ID as a CVE Record, the state of the CVE Record is Published.", - "type": "object", - "properties": { - "dataType": { - "$ref": "#/definitions/dataType" - }, - "dataVersion": { - "$ref": "#/definitions/dataVersion" - }, - "cveMetadata": { - "$ref": "#/definitions/cveMetadataPublished" - }, - "containers": { - "description": "A set of structures (called containers) used to store vulnerability information related to a specific CVE ID provided by a specific organization participating in the CVE program. Each container includes information provided by a different source.\n\nAt a minimum, a 'cna' container containing the vulnerability information provided by the CNA who initially assigned the CVE ID must be included.\n\nThere can only be one 'cna' container, as there can only be one assigning CNA. 
However, there can be multiple 'adp' containers, allowing multiple organizations participating in the CVE program to add additional information related to the vulnerability. For the most part, the 'cna' and 'adp' containers contain the same properties. The main differences are the source of the information. The 'cna' container requires the CNA to include certain fields, while the 'adp' container does not.", - "type": "object", - "properties": { - "cna": { - "$ref": "#/definitions/cnaPublishedContainer" - }, - "adp": { - "type": "array", - "items": { - "$ref": "#/definitions/adpContainer" - }, - "minItems": 1, - "uniqueItems": true - } - }, - "required": [ - "cna" - ], - "additionalProperties": false - } - }, - "required": [ - "dataType", - "dataVersion", - "cveMetadata", - "containers" - ], - "additionalProperties": false - }, - { - "title": "Rejected", - "description": "If the CVE ID and associated CVE Record should no longer be used, the CVE Record is placed in the Rejected state. A Rejected CVE Record remains on the CVE List so that users can know when it is invalid.", - "type": "object", - "properties": { - "dataType": { - "$ref": "#/definitions/dataType" - }, - "dataVersion": { - "$ref": "#/definitions/dataVersion" - }, - "cveMetadata": { - "$ref": "#/definitions/cveMetadataRejected" - }, - "containers": { - "description": "A set of structures (called containers) used to store vulnerability information related to a specific CVE ID provided by a specific organization participating in the CVE program. 
Each container includes information provided by a different source.\n\nAt minimum, a 'cna' container containing the vulnerability information provided by the CNA who initially assigned the CVE ID must be included.\n\nThere can only be one 'cna' container, as there can only be one assigning CNA.", - "type": "object", - "properties": { - "cna": { - "$ref": "#/definitions/cnaRejectedContainer" - } - }, - "required": [ - "cna" - ], - "additionalProperties": false - } - }, - "required": [ - "dataType", - "dataVersion", - "cveMetadata", - "containers" - ], - "additionalProperties": false - } - ] -} \ No newline at end of file diff --git a/src/model/cve.js b/src/model/cve.js index 5729f5c94..dfb4ab114 100644 --- a/src/model/cve.js +++ b/src/model/cve.js @@ -2,7 +2,7 @@ const mongoose = require('mongoose') const aggregatePaginate = require('mongoose-aggregate-paginate-v2') const MongoPaging = require('mongo-cursor-pagination') const fs = require('fs') -const cveSchemaV5 = JSON.parse(fs.readFileSync('src/middleware/schemas/CVE_JSON_5.1_bundled.json')) +const cveSchemaV5 = JSON.parse(fs.readFileSync('src/middleware/schemas/CVE_JSON_5.1.1_bundled.json')) const Ajv = require('ajv') const addFormats = require('ajv-formats') From 57b7ea9fc16562bd05145e0dcb9fc93f4dda1501 Mon Sep 17 00:00:00 2001 
From: "Daigneau, Jeremy T" Date: Wed, 30 Oct 2024 09:46:23 -0400 Subject: [PATCH 2/2] Revert "Merge pull request #1262 from CVEProject/jf-1258" This reverts commit 3300b067071e02f2947693881e22c83be17133e7, reversing changes made to 8fc52ad6ce99994ae734bf09952b0aee6baf6a8d. --- api-docs/openapi.json | 11 +- schemas/org/am-i-alive-response.json | 20 -- src/controller/org.controller/index.js | 16 +- .../org.controller/org.controller.js | 65 +++--- src/middleware/middleware.js | 27 --- src/model/org.js | 3 +- test/integration-tests/org/putOrgTest.js | 201 ------------------ test/unit-tests/middleware/validateOrgTest.js | 172 --------------- .../unit-tests/org/orgUpdateLastActiveTest.js | 138 ------------ test/unit-tests/org/orgUpdateTest.js | 16 -- 10 files changed, 32 insertions(+), 637 deletions(-) delete mode 100644 schemas/org/am-i-alive-response.json delete mode 100644 test/integration-tests/org/putOrgTest.js delete mode 100644 test/unit-tests/middleware/validateOrgTest.js delete mode 100644 test/unit-tests/org/orgUpdateLastActiveTest.js diff --git a/api-docs/openapi.json b/api-docs/openapi.json index 1fb6cb8fe..b2fe134c4 100644 --- a/api-docs/openapi.json +++ b/api-docs/openapi.json @@ -2099,7 +2099,7 @@ "Organization" ], "summary": "Updates information about the organization specified by short name (accessible to Secretariat)", - "description": "

Access Control

User must belong to an organization with the Secretariat role, or user must belong to the organization specified by short name

Expected Behavior

Secretariat: Updates any organization's information

Non-secretariat: Updates 'last_active' timestamp to show that an org is still active

", + "description": "

Access Control

User must belong to an organization with the Secretariat role

Expected Behavior

Secretariat: Updates any organization's information

", "operationId": "orgUpdateSingle", "parameters": [ { @@ -2142,14 +2142,7 @@ "content": { "application/json": { "schema": { - "oneOf": [ - { - "$ref": "../schemas/org/update-org-response.json" - }, - { - "$ref": "../schemas/org/am-i-alive-response.json" - } - ] + "$ref": "../schemas/org/update-org-response.json" } } } diff --git a/schemas/org/am-i-alive-response.json b/schemas/org/am-i-alive-response.json deleted file mode 100644 index b9b3d55b0..000000000 --- a/schemas/org/am-i-alive-response.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema", - "type": "object", - "properties": { - "message": { - "type": "string", - "description": "Success description" - }, - "updated": { - "type": "object", - "properties": { - "last_active": { - "type": "string", - "format": "date-time", - "description": "The time the organization was last active." - } - } - } - } - } \ No newline at end of file diff --git a/src/controller/org.controller/index.js b/src/controller/org.controller/index.js index 2c9279835..15a160a62 100644 --- a/src/controller/org.controller/index.js +++ b/src/controller/org.controller/index.js @@ -245,10 +245,9 @@ router.put('/org/:shortname', #swagger.summary = "Updates information about the organization specified by short name (accessible to Secretariat)" #swagger.description = "

Access Control

-

User must belong to an organization with the Secretariat role, or user must belong to the organization specified by short name

+

User must belong to an organization with the Secretariat role

Expected Behavior

-

Secretariat: Updates any organization's information

-

Non-secretariat: Updates 'last_active' timestamp to show that an org is still active

" +

Secretariat: Updates any organization's information

" #swagger.parameters['shortname'] = { description: 'The shortname of the organization' } #swagger.parameters['$ref'] = [ '#/components/parameters/id_quota', @@ -264,12 +263,7 @@ router.put('/org/:shortname', description: 'Returns information about the organization updated', content: { "application/json": { - schema: { - oneOf: [ - { $ref: '../schemas/org/update-org-response.json' }, - { $ref: '../schemas/org/am-i-alive-response.json' } - ] - } + schema: { $ref: '../schemas/org/update-org-response.json' } } } } @@ -315,10 +309,10 @@ router.put('/org/:shortname', } */ mw.validateUser, - param(['shortname']).isString().trim().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }), - mw.validateOrg, + mw.onlySecretariat, query().custom((query) => { return mw.validateQueryParameterNames(query, ['new_short_name', 'id_quota', 'name', 'active_roles.add', 'active_roles.remove']) }), query(['new_short_name', 'id_quota', 'name', 'active_roles.add', 'active_roles.remove']).custom((val) => { return mw.containsNoInvalidCharacters(val) }), + param(['shortname']).isString().trim().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }), query(['new_short_name']).optional().isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }), query(['id_quota']).optional().not().isArray().isInt({ min: CONSTANTS.MONGOOSE_VALIDATION.Org_policies_id_quota_min, max: CONSTANTS.MONGOOSE_VALIDATION.Org_policies_id_quota_max }).withMessage(errorMsgs.ID_QUOTA), query(['name']).optional().isString().trim().notEmpty(), diff --git a/src/controller/org.controller/org.controller.js b/src/controller/org.controller/org.controller.js index 7803da44c..d1a094b57 100644 --- a/src/controller/org.controller/org.controller.js +++ b/src/controller/org.controller/org.controller.js 
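Review bot: After this hunk `mw.onlySecretariat` is the only authorization check left on `PUT /org/:shortname`, because the companion hunk in org.controller.js also removes the `isSecretariat` lookup from `updateOrg`, so the handler itself no longer verifies who is calling it. That matches the restored Secretariat-only contract in the swagger text, but nothing at the call site records that `updateOrg` depends on the route guard, and a future route that reuses the handler could silently lose it. I would pin the assumption where the chain is wired: `// Authorization lives here only: updateOrg performs no role check itself, so mw.onlySecretariat must stay ahead of the handler.` The `param(['shortname'])` chain now sits after the `query()` validators; as far as I can tell express-validator chains only record errors for a later `validationResult`, so the reorder should not change the outcome, but it is worth a second look. The `router.put(...)` call these lines belong to starts before this hunk and ends after it.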
@@ -329,7 +329,6 @@ async function updateOrg (req, res, next) { const addRoles = [] const orgRepo = req.ctx.repositories.getOrgRepository() const org = await orgRepo.findOneByShortName(shortName) - const orgMakingChanges = req.ctx.org let agt = setAggregateOrgObj({ short_name: shortName }) // org doesn't exist 
@@ -338,38 +337,30 @@ async function updateOrg (req, res, next) { return res.status(404).json(error.orgDnePathParam(shortName)) } - const isSec = await orgRepo.isSecretariat(orgMakingChanges) - - if (isSec) { - Object.keys(req.ctx.query).forEach(k => { - const key = k.toLowerCase() - - if (key === 'new_short_name') { - newOrg.short_name = req.ctx.query.new_short_name - agt = setAggregateOrgObj({ short_name: newOrg.short_name }) - } else if (key === 'name') { - newOrg.name = req.ctx.query.name - } else if (key === 'id_quota') { - newOrg.policies.id_quota = req.ctx.query.id_quota - } else if (key === 'active_roles.add') { - if (Array.isArray(req.ctx.query['active_roles.add'])) { - req.ctx.query['active_roles.add'].forEach(r => { - addRoles.push(r) - }) - } - } else if (key === 'active_roles.remove') { - if (Array.isArray(req.ctx.query['active_roles.remove'])) { - req.ctx.query['active_roles.remove'].forEach(r => { - removeRoles.push(r) - }) - } - } - }) - } + Object.keys(req.ctx.query).forEach(k => { + const key = k.toLowerCase() - if (shortName === orgMakingChanges) { - newOrg.last_active = Date.now() - } + if (key === 'new_short_name') { + newOrg.short_name = req.ctx.query.new_short_name + agt = setAggregateOrgObj({ short_name: newOrg.short_name }) + } else if (key === 'name') { + newOrg.name = req.ctx.query.name + } else if (key === 'id_quota') { + newOrg.policies.id_quota = req.ctx.query.id_quota + } else if (key === 'active_roles.add') { + if (Array.isArray(req.ctx.query['active_roles.add'])) { + req.ctx.query['active_roles.add'].forEach(r => { + addRoles.push(r) + }) + } + } else if (key === 'active_roles.remove') { + if (Array.isArray(req.ctx.query['active_roles.remove'])) { + req.ctx.query['active_roles.remove'].forEach(r => { + removeRoles.push(r) + }) + } + } + }) // updating the org's roles if (org) { 
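Review bot: The restored loop lowercases each query key before matching (`const key = k.toLowerCase()`) but then reads the value through the fixed lowercase name (`req.ctx.query.new_short_name`, `req.ctx.query.name`, `req.ctx.query['active_roles.add']`, ...), so a key sent as `NEW_SHORT_NAME` would enter the branch and assign `undefined` to `newOrg.short_name` and to the aggregate filter built by `setAggregateOrgObj`. Whether such a spelling survives `mw.validateQueryParameterNames` in the router cannot be seen from this hunk, and the `query(['new_short_name'])` length and character validators are keyed on the exact lowercase name, so a case-variant key would bypass them even if it is accepted. Either make the match exact by replacing the first line of the loop body with `const key = k`, or keep the case-insensitive match and read through the original key, e.g. `newOrg.short_name = req.ctx.query[k]`. The body of `updateOrg` continues outside this hunk on both sides.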
@@ -412,13 +403,6 @@ async function updateOrg (req, res, next) { result = await orgRepo.aggregate(agt) result = result.length > 0 ? result[0] : null - if (!isSec) { - if (!result || !result.last_active) { - return res.status(500).json(error.serverError()) - } - result = { last_active: result.last_active } - } - const responseMessage = { message: shortName + ' organization was successfully updated.', updated: result @@ -835,8 +819,7 @@ function setAggregateOrgObj (query) { name: true, 'authority.active_roles': true, 'policies.id_quota': true, - time: true, - last_active: true + time: true } } ] diff --git a/src/middleware/middleware.js b/src/middleware/middleware.js index 8fbd8fc92..5bfb60726 100644 --- a/src/middleware/middleware.js +++ b/src/middleware/middleware.js @@ -135,32 +135,6 @@ async function validateUser (req, res, next) { } } -async function validateOrg (req, res, next) { - const org = req.ctx.org - const reqOrg = req.params.shortname - const orgRepo = req.ctx.repositories.getOrgRepository() - const CONSTANTS = getConstants() - - try { - logger.info({ uuid: req.ctx.uuid, message: 'Authenticating org: ' + org }) - - const isSec = await orgRepo.isSecretariat(org) - if (!isSec) { - if (org !== reqOrg) { - logger.info({ uuid: req.ctx.uuid, message: org + ' is not a ' + CONSTANTS.AUTH_ROLE_ENUM.SECRETARIAT + ' or the same as ' + reqOrg + ' and is not allowed to make these changes.' }) - return res.status(403).json(error.secretariatOnly()) - } else if (Object.keys(req.query).length > 0) { - return res.status(403).json(error.secretariatOnly()) - } - } - - logger.info({ uuid: req.ctx.uuid, message: 'Confirmed ' + org + ' has the authority to make changes to ' + reqOrg }) - next() - } catch (err) { - next(err) - } -} - // Checks that the requester belongs to an org that has the 'BULK_DOWNLOAD' role async function onlySecretariatOrBulkDownload (req, res, next) { const org = req.ctx.org 
@@ -509,7 +483,6 @@ module.exports = { setCacheControl, optionallyValidateUser, validateUser, - validateOrg, onlySecretariat, onlySecretariatOrBulkDownload, onlySecretariatOrAdmin, diff --git a/src/model/org.js b/src/model/org.js index 2c0964dc1..48f3b226c 100644 --- a/src/model/org.js +++ b/src/model/org.js @@ -24,8 +24,7 @@ const schema = { created: Date, modified: Date }, - inUse: Boolean, - last_active: Date + inUse: Boolean } const OrgSchema = new mongoose.Schema(schema, { collection: 'Org', timestamps: { createdAt: 'time.created', updatedAt: 'time.modified' } }) diff --git a/test/integration-tests/org/putOrgTest.js b/test/integration-tests/org/putOrgTest.js deleted file mode 100644 index 28c3a0625..000000000 --- a/test/integration-tests/org/putOrgTest.js +++ /dev/null 
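Review bot: Dropping `last_active: Date` from the Org schema removes the field from the Mongoose model, but it does not remove values already stored: any Org document that received a `last_active` timestamp while the reverted change was deployed keeps that key in the collection, where it is now outside the model and invisible to the validators in this file. If the reverted change ever ran against a shared or production database, a one-off `$unset` of `last_active` on the Org collection, or at least a sentence in the revert description saying the field may linger, would keep the stored documents aligned with the code. Whether any such documents exist cannot be determined from this diff. The `schema` object this hunk edits starts before the hunk.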
@@ -1,201 +0,0 @@
-/* eslint-disable no-unused-expressions */
-const chai = require('chai')
-chai.use(require('chai-http'))
-const expect = chai.expect
-
-const constants = require('../constants.js')
-const app = require('../../../src/index.js')
-
-const params = { name: 'Test Organization', id_quota: 100 }
-const secretariatParams = { name: 'MITRE Corporation', id_quota: 100000 }
-const cnaParams = { name: 'Adams, Nielsen and Hensley', id_quota: 1309 }
-
-describe('Testing org put endpoint', () => {
-  context('Positive Tests', () => {
-    it('Allows update made by a secretariat to itself', async () => {
-      await chai.request(app)
-        .put('/api/org/mitre')
-        .set({ ...constants.headers })
-        .query(params)
-        .send()
-        .then((res, err) => {
-          expect(res).to.have.status(200)
-          expect(res.body.updated.name).to.equal(params.name)
-          expect(res.body.updated.policies.id_quota).to.equal(params.id_quota)
-          expect(err).to.be.undefined
-        })
-      await chai.request(app)
-        .put('/api/org/mitre')
-        .set({ ...constants.headers })
-        .query(secretariatParams)
-        .send()
-        .then((res, err) => {
-          expect(res).to.have.status(200)
-          expect(res.body.updated.name).to.equal(secretariatParams.name)
-          expect(res.body.updated.policies.id_quota).to.equal(secretariatParams.id_quota)
-          expect(err).to.be.undefined
-        })
-    })
-    it('Allows update made by a secretariat to another org', async () => {
-      await chai.request(app)
-        .put('/api/org/win_5')
-        .set({ ...constants.headers })
-        .query(params)
-        .send()
-        .then((res, err) => {
-          expect(res).to.have.status(200)
-          expect(res.body.updated.name).to.equal(params.name)
-          expect(res.body.updated.policies.id_quota).to.equal(params.id_quota)
-          expect(err).to.be.undefined
-        })
-      await chai.request(app)
-        .put('/api/org/win_5')
-        .set({ ...constants.headers })
-        .query(cnaParams)
-        .send()
-        .then((res, err) => {
-          expect(res).to.have.status(200)
-          expect(res.body.updated.name).to.equal(cnaParams.name)
-          expect(res.body.updated.policies.id_quota).to.equal(cnaParams.id_quota)
-          expect(err).to.be.undefined
-        })
-    })
-    it('Update made by a secretariat to another org does NOT update last_active field', async () => {
-      await chai.request(app)
-        .put('/api/org/win_5')
-        .set({ ...constants.headers })
-        .query(params)
-        .send()
-        .then((res, err) => {
-          expect(res.body.updated.last_active).to.be.undefined
-          expect(res).to.have.status(200)
-          expect(err).to.be.undefined
-        })
-    })
-    it('Update made by a secretariat to itself DOES update last_active field', async () => {
-      const now = Date.now()
-      await chai.request(app)
-        .put('/api/org/mitre')
-        .set({ ...constants.headers })
-        .query(params)
-        .send()
-        .then((res, err) => {
-          expect(res.body.updated.last_active).to.not.be.null
-          // Assert that that the last_active field was updated under 2 seconds ago
-          const lastActive = Date.parse(res.body.updated.last_active)
-          const diff = Math.abs(now - lastActive)
-          const withinTwoSeconds = diff < 2000
-          expect(withinTwoSeconds).to.be.true
-          expect(res).to.have.status(200)
-          expect(err).to.be.undefined
-        })
-    })
-    it('Update made by non-secretariat org to itself ONLY updates last_active field', async () => {
-      const now = Date.now()
-      await chai.request(app)
-        .put('/api/org/win_5')
-        .set({ ...constants.nonSecretariatUserHeaders })
-        .send()
-        .then((res, err) => {
-          // Assert that that the last_active field was updated under 2 seconds ago
-          const lastActive = Date.parse(res.body.updated.last_active)
-          const diff = Math.abs(now - lastActive)
-          const withinTwoSeconds = diff < 2000
-          expect(withinTwoSeconds).to.be.true
-          // Assert no other fields were changed
-          expect(res).to.have.status(200)
-          expect(res.body.updated.active_roles).to.be.undefined
-          expect(res.body.updated.name).to.be.undefined
-          expect(res.body.updated.policies).to.be.undefined
-          expect(err).to.be.undefined
-        })
-    })
-    it('Request body ignored in update made by non-secretariat org to itself', async () => {
-      const requestBody = {
-        key1: 'value1',
-        key2: 'value2',
-        key3: 'value3',
-        key4: 'value4',
-        key5: 'value5',
-        key6: 'value6',
-        key7: 'value7',
-        key8: 'value8'
-      }
-      await chai.request(app)
-        .put('/api/org/win_5')
-        .set({ ...constants.nonSecretariatUserHeaders })
-        .send(requestBody)
-        .then((res, err) => {
-          expect(res).to.have.status(200)
-          expect(res.body.updated.last_active).to.not.be.null
-          expect(res.body.updated.active_roles).to.be.undefined
-          expect(res.body.updated.name).to.be.undefined
-          expect(res.body.updated.policies).to.be.undefined
-          expect(err).to.be.undefined
-        })
-    })
-    it('Request body ignored in update made by secretariat to itself', async () => {
-      const requestBody = {
-        key1: 'value1',
-        key2: 'value2',
-        key3: 'value3',
-        key4: 'value4',
-        key5: 'value5',
-        key6: 'value6',
-        key7: 'value7',
-        key8: 'value8'
-      }
-      await chai.request(app)
-        .put('/api/org/mitre')
-        .set({ ...constants.headers })
-        .query(params)
-        .send(requestBody)
-        .then((res, err) => {
-          expect(res).to.have.status(200)
-          expect(res.body.updated.last_active).to.not.be.null
-          expect(res.body.updated.name).to.equal(params.name)
-          expect(res.body.updated.policies.id_quota).to.equal(params.id_quota)
-          expect(err).to.be.undefined
-        })
-    })
-  })
-  context('Negative Tests', () => {
-    it('Fails update made by a non-secretariat org to a different org', async () => {
-      await chai.request(app)
-        .put('/api/org/cause_8')
-        .set({ ...constants.nonSecretariatUserHeaders })
-        .send()
-        .then((res, err) => {
-          expect(res).to.have.status(403)
-          expect(err).to.be.undefined
-          expect(res.body).to.haveOwnProperty('error')
-          expect(res.body.error).to.equal('SECRETARIAT_ONLY')
-        })
-    })
-    it('Fails update to fields made by a non-secretariat org to itself', async () => {
-      await chai.request(app)
-        .put('/api/org/win_5')
-        .set({ ...constants.nonSecretariatUserHeaders })
-        .query(params)
-        .send()
-        .then((res, err) => {
-          expect(res).to.have.status(403)
-          expect(err).to.be.undefined
-          expect(res.body).to.haveOwnProperty('error')
-          expect(res.body.error).to.equal('SECRETARIAT_ONLY')
-        })
-    })
-    it('Fails update made by a non-secretariat org to a secretariat', async () => {
-      await chai.request(app)
-        .put('/api/org/mitre')
-        .set({ ...constants.nonSecretariatUserHeaders })
-        .send()
-        .then((res, err) => {
-          expect(res).to.have.status(403)
-          expect(err).to.be.undefined
-          expect(res.body).to.haveOwnProperty('error')
-          expect(res.body.error).to.equal('SECRETARIAT_ONLY')
-        })
-    })
-  })
-})
diff --git a/test/unit-tests/middleware/validateOrgTest.js b/test/unit-tests/middleware/validateOrgTest.js
deleted file mode 100644
index af239880f..000000000
--- a/test/unit-tests/middleware/validateOrgTest.js
+++ /dev/null
@@ -1,172 +0,0 @@
-/* eslint-disable no-unused-expressions */
-const chai = require('chai')
-const sinon = require('sinon')
-const { validateOrg } = require('../../../src/middleware/middleware.js')
-const OrgRepository = require('../../../src/repositories/orgRepository.js')
-const expect = chai.expect
-
-const secretariat = {
-  short_name: 'mitre',
-  name: 'MITRE Corporation',
-  authority: {
-    active_roles: [
-      'SECRETARIAT',
-      'CNA'
-    ]
-  },
-  policies: {
-    id_quota: 1248
-  }
-}
-
-const nonSecretariat = {
-  short_name: 'win_5',
-  name: 'test_org',
-  authority: {
-    active_roles: [
-      'CNA'
-    ]
-  },
-  policies: {
-    id_quota: 200
-  }
-}
-
-const nonSecretariat2 = {
-  short_name: 'cause_8',
-  name: 'test_org2',
-  authority: {
-    active_roles: [
-      'CNA'
-    ]
-  },
-  policies: {
-    id_quota: 888
-  }
-}
-
-describe('Testing the validateOrg function', () => {
-  let status, json, res, next, getOrgRepository, orgRepo
-  beforeEach(() => {
-    status = sinon.stub()
-    json = sinon.spy()
-    res = { json, status }
-    next = sinon.stub()
-    status.returns(res)
-
-    orgRepo = new OrgRepository()
-    getOrgRepository = sinon.stub()
-    getOrgRepository.returns(orgRepo)
-  })
-  context('Positive Tests', () => {
-    it('Secretariat can update itself', async () => {
-      sinon.stub(orgRepo, 'isSecretariat').returns(true)
-
-      const req = {
-        ctx: {
-          org: secretariat.short_name,
-          repositories: {
-            getOrgRepository
-          }
-        },
-        params: {
-          shortname: secretariat.short_name
-        },
-        query: {
-          id_quota: 111
-        }
-      }
-      await validateOrg(req, res, next)
-
-      expect(next.calledOnce).to.be.true
-      expect(next.firstCall.args).to.be.empty
-    })
-    it('Secretariat can update another org', async () => {
-      sinon.stub(orgRepo, 'isSecretariat').returns(true)
-
-      const req = {
-        ctx: {
-          org: secretariat.short_name,
-          repositories: {
-            getOrgRepository
-          }
-        },
-        params: {
-          shortname: nonSecretariat.short_name
-        },
-        query: {
-          id_quota: 999
-        }
-      }
-      await validateOrg(req, res, next)
-
-      expect(next.calledOnce).to.be.true
-      expect(next.firstCall.args).to.be.empty
-    })
-    it('Non-secretariat can update itself', async () => {
-      sinon.stub(orgRepo, 'isSecretariat').returns(true)
-
-      const req = {
-        ctx: {
-          org: nonSecretariat.short_name,
-          repositories: {
-            getOrgRepository
-          }
-        },
-        params: {
-          shortname: nonSecretariat.short_name
-        }
-      }
-      await validateOrg(req, res, next)
-
-      expect(next.calledOnce).to.be.true
-      expect(next.firstCall.args).to.be.empty
-    })
-  })
-  context('Negative Tests', () => {
-    it('Non-secretariat cannot update its fields other than last_active', async () => {
-      sinon.stub(orgRepo, 'isSecretariat').returns(false)
-
-      const req = {
-        ctx: {
-          org: nonSecretariat.short_name,
-          repositories: {
-            getOrgRepository
-          }
-        },
-        params: {
-          shortname: nonSecretariat.short_name
-        },
-        query: {
-          id_quota: 999
-        }
-      }
-      await validateOrg(req, res, next)
-
-      expect(status.calledWith(403)).to.be.true
-      expect(next.calledOnce).to.be.false
-    })
-    it('Non-secretariat cannot update another org', async () => {
-      sinon.stub(orgRepo, 'isSecretariat').returns(false)
-
-      const req = {
-        ctx: {
-          org: nonSecretariat.short_name,
-          repositories: {
-            getOrgRepository
-          }
-        },
-        params: {
-          shortname: nonSecretariat2.short_name
-        },
-        query: {
-          id_quota: 999
-        }
-      }
-      await validateOrg(req, res, next)
-
-      expect(status.calledWith(403)).to.be.true
-      expect(next.calledOnce).to.be.false
-    })
-  })
-})
diff --git a/test/unit-tests/org/orgUpdateLastActiveTest.js b/test/unit-tests/org/orgUpdateLastActiveTest.js
deleted file mode 100644
index 33fa5bc0c..000000000
--- a/test/unit-tests/org/orgUpdateLastActiveTest.js
+++ /dev/null
@@ -1,138 +0,0 @@
-/* eslint-disable no-unused-expressions */
-const chai = require('chai')
-const sinon = require('sinon')
-const { ORG_UPDATE_SINGLE } = require('../../../src/controller/org.controller/org.controller.js')
-const OrgRepository = require('../../../src/repositories/orgRepository.js')
-const UserRepository = require('../../../src/repositories/userRepository.js')
-const expect = chai.expect
-
-const secretariat = {
-  short_name: 'mitre',
-  name: 'MITRE Corporation',
-  authority: {
-    active_roles: [
-      'SECRETARIAT',
-      'CNA'
-    ]
-  },
-  policies: {
-    id_quota: 1248
-  }
-}
-
-const nonSecretariat = {
-  short_name: 'win_5',
-  name: 'test_org',
-  authority: {
-    active_roles: [
-      'CNA'
-    ]
-  },
-  policies: {
-    id_quota: 200
-  }
-}
-
-describe('Testing the updateOrg function', () => {
-  let status, json, res, next, getOrgRepository, orgRepo, getUserRepository,
-    userRepo, updateOrg
-  beforeEach(() => {
-    status = sinon.stub()
-    json = sinon.spy()
-    res = { json, status }
-    next = sinon.spy()
-    status.returns(res)
-
-    orgRepo = new OrgRepository()
-    getOrgRepository = sinon.stub()
-    getOrgRepository.returns(orgRepo)
-
-    userRepo = new UserRepository()
-    getUserRepository = sinon.stub()
-    getUserRepository.returns(userRepo)
-
-    updateOrg = sinon.stub(orgRepo, 'updateByOrgUUID').returns(true)
-    sinon.stub(orgRepo, 'getOrgUUID').returns(true)
-    sinon.stub(userRepo, 'getUserUUID').returns(true)
-  })
-  context('Positive Tests', () => {
-    it('Secretariat updates itself', async () => {
-      sinon.stub(orgRepo, 'isSecretariat').returns(true)
-      sinon.stub(orgRepo, 'findOneByShortName').returns(secretariat)
-      sinon.stub(orgRepo, 'aggregate').returns([secretariat])
-
-      const req = {
-        ctx: {
-          org: secretariat.short_name,
-          repositories: {
-            getOrgRepository,
-            getUserRepository
-          },
-          params: {
-            shortname: secretariat.short_name
-          },
-          query: {
-            id_quota: 111
-          }
-        }
-      }
-      await ORG_UPDATE_SINGLE(req, res, next)
-
-      expect(status.args[0][0]).to.equal(200)
-      expect(updateOrg.args[0][1].policies.id_quota).to.equal(req.ctx.query.id_quota)
-    })
-    it('Secretariat updates a different org', async () => {
-      sinon.stub(orgRepo, 'isSecretariat').returns(true)
-      sinon.stub(orgRepo, 'findOneByShortName').returns(nonSecretariat)
-      sinon.stub(orgRepo, 'aggregate').returns([nonSecretariat])
-
-      const req = {
-        ctx: {
-          org: secretariat.short_name,
-          repositories: {
-            getOrgRepository,
-            getUserRepository
-          },
-          params: {
-            shortname: nonSecretariat.short_name
-          },
-          query: {
-            id_quota: 999
-          }
-        }
-      }
-      await ORG_UPDATE_SINGLE(req, res, next)
-
-      expect(status.args[0][0]).to.equal(200)
-      expect(updateOrg.args[0][1].policies.id_quota).to.equal(req.ctx.query.id_quota)
-    })
-    it('Non-secretariat no params only updates last_active field', async () => {
-      sinon.stub(orgRepo, 'isSecretariat').returns(false)
-      sinon.stub(orgRepo, 'findOneByShortName').returns(nonSecretariat)
-      const nonSecretariatAgt = nonSecretariat
-      nonSecretariatAgt.last_active = Date.now()
-      sinon.stub(orgRepo, 'aggregate').returns([nonSecretariatAgt])
-
-      const req = {
-        ctx: {
-          org: nonSecretariat.short_name,
-          repositories: {
-            getOrgRepository,
-            getUserRepository
-          },
-          params: {
-            shortname: nonSecretariat.short_name
-          }
-        }
-      }
-      await ORG_UPDATE_SINGLE(req, res, next)
-
-      expect(status.args[0][0]).to.equal(200)
-      const now = Date.now()
-      const lastActive = updateOrg.args[0][1].last_active
-      const diff = Math.abs(now - lastActive)
-      const withinHalfASecond = diff < 500
-      expect(withinHalfASecond).to.be.true
-    })
-  })
-})
diff --git a/test/unit-tests/org/orgUpdateTest.js b/test/unit-tests/org/orgUpdateTest.js
index 4e5f00b76..f978d6f96 100644
--- a/test/unit-tests/org/orgUpdateTest.js
+++ b/test/unit-tests/org/orgUpdateTest.js
@@ -48,10 +48,6 @@ class OrgUpdatedAddingRole {
   async getOrgUUID () {
     return null
   }
-
-  async isSecretariat () {
-    return true
-  }
 }
 
 class OrgUpdatedRemovingRole {
@@ -70,10 +66,6 @@ class OrgUpdatedRemovingRole {
   async getOrgUUID () {
     return null
   }
-
-  async isSecretariat () {
-    return true
-  }
 }
 
 describe('Testing the PUT /org/:shortname endpoint in Org Controller', () => {
@@ -110,10 +102,6 @@ describe('Testing the PUT /org/:shortname endpoint in Org Controller', () => {
       async findOneByShortName () {
         return orgFixtures.existentOrg
       }
-
-      async isSecretariat () {
-        return true
-      }
     }
 
     app.route('/org-not-updated-shortname-exists/:shortname')
@@ -300,10 +288,6 @@ describe('Testing the PUT /org/:shortname endpoint in Org Controller', () => {
       async aggregate () {
         return [orgFixtures.existentOrg]
       }
-
-      async isSecretariat () {
-        return true
-      }
     }
 
     app.route('/org-not-updated-no-query-parameters/:shortname')