CVEProject
diff --git a/‎.gitignore‎
Lines changed: 5 additions & 0 deletions b/‎.gitignore‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎schema/CVE_Record_Format.json‎
Lines changed: 1 addition & 1 deletion b/‎schema/CVE_Record_Format.json‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎schema/docs/CVE_Record_Format_bundled.json‎
Lines changed: 53 additions & 16 deletions b/‎schema/docs/CVE_Record_Format_bundled.json‎
Lines changed: 53 additions & 16 deletions
diff --git a/‎schema/docs/CVE_Record_Format_bundled_adpContainer.json‎
Lines changed: 53 additions & 15 deletions b/‎schema/docs/CVE_Record_Format_bundled_adpContainer.json‎
Lines changed: 53 additions & 15 deletions
@@ -1,3 +1,8 @@
 
 package-lock.json
 node_modules
+schema/cve-schema.json
+schema/docs/CVE_Record_Format_bundled.json
+schema/docs/CVE_Record_Format_bundled_adpContainer.json
+schema/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json
+schema/docs/CVE_Record_Format_bundled_cnaRejectedContainer.json
@@ -85,7 +85,7 @@
         "timestamp": {
             "type": "string",
             "description": "Date/time format based on RFC3339 and ISO ISO8601, with a mandatory timezone in the format 'yyyy-MM-ddTHH:mm:ss[+-]ZH:ZM'.",
-            "pattern": "^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(Z|[+-][0-9]{2}:[0-9]{2})$",
+            "pattern": "^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])([+-][0-9]{2}:[0-9]{2})$",
             "examples": [
                 "2025-01-04T12:01:01+05:30"
             ]
 
@@ -2,7 +2,7 @@
   "$schema": "http://json-schema.org/draft-07/schema#",
   "$id": "https://cveproject.github.io/cve-schema/schema/CVE_Record_Format.json",
   "title": "CVE JSON record format",
-  "description": "cve-schema specifies the CVE JSON record format. This is the blueprint for a rich set of JSON data that can be submitted by CVE Numbering Authorities (CNAs) and Authorized Data Publishers (ADPs) to describe a CVE Record. Some examples of CVE Record data include CVE ID number, affected product(s), affected version(s), and public references. While those specific items are required when assigning a CVE, there are many other optional data in the schema that can be used to enrich CVE Records for community benefit. Learn more about the CVE program at [the official website](https://cve.mitre.org). This CVE JSON record format is defined using JSON Schema. Learn more about JSON Schema [here](https://json-schema.org/).",
+  "description": "The CVE Record Format is the blueprint for a rich set of JSON data that can be submitted by CVE Numbering Authorities (CNAs) and Authorized Data Publishers (ADPs) to describe a CVE Record. Some examples of CVE Record data include CVE ID number, affected product(s), affected version(s), and public references. While those specific items are required when assigning a CVE, there are many other optional data in the schema that can be used to enrich CVE Records for community benefit. Learn more about the CVE program at [the official website](https://www.cve.org). This CVE JSON record format is defined using JSON Schema. Learn more about JSON Schema [here](https://json-schema.org/).",
   "definitions": {
     "uriType": {
       "description": "A universal resource identifier (URI), according to [RFC 3986](https://tools.ietf.org/html/rfc3986).",
@@ -77,6 +77,7 @@
     },
     "cveId": {
       "type": "string",
+      "description": "The official CVE identifier contains the string 'CVE', followed by the year, followed by a 4 to 19 digit number. Note that the year-part of the identifier should indicate either the year the vulnerability was discovered, or the year the CVE ID is published in. CVE IDs must be unique.",
       "pattern": "^CVE-[0-9]{4}-[0-9]{4,19}$"
     },
     "cpe22and23": {
@@ -107,16 +108,13 @@
       "minLength": 2,
       "maxLength": 32
     },
-    "datestamp": {
-      "description": "Date/time format based on RFC3339 and ISO ISO8601.",
-      "type": "string",
-      "format": "date",
-      "pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))$"
-    },
     "timestamp": {
       "type": "string",
-      "description": "Date/time format based on RFC3339 and ISO ISO8601, with an optional timezone in the format 'yyyy-MM-ddTHH:mm:ss[+-]ZH:ZM'. If timezone offset is not given, GMT (+00:00) is assumed.",
-      "pattern": "^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})?$"
+      "description": "Date/time format based on RFC3339 and ISO ISO8601, with a mandatory timezone in the format 'yyyy-MM-ddTHH:mm:ss[+-]ZH:ZM'.",
+      "pattern": "^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])([+-][0-9]{2}:[0-9]{2})$",
+      "examples": [
+        "2025-01-04T12:01:01+05:30"
+      ]
     },
     "version": {
       "description": "A single version of a product, as expressed in its own version numbering scheme.",
@@ -345,7 +343,7 @@
         },
         "versions": {
           "type": "array",
-          "description": "Set of product versions or version ranges related to the vulnerability. The versions satisfy the CNA Rules [8.1.2 requirement](https://cve.mitre.org/cve/cna/rules.html#section_8-1_cve_entry_information_requirements). Versions or defaultStatus may be omitted, but not both.",
+          "description": "Set of product versions or version ranges related to the vulnerability. The versions help satisfy the CNA Rules [5.1.3 requirement](https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_5-1_Required_CVE_Record_Content). Versions or defaultStatus may be omitted, but not both.",
           "minItems": 1,
           "uniqueItems": true,
           "items": {
@@ -465,7 +463,9 @@
       "required": [
         "cveId",
         "assignerOrgId",
-        "state"
+        "state",
+        "datePublished",
+        "dateReserved"
       ],
       "properties": {
         "cveId": {
@@ -517,7 +517,9 @@
       "required": [
         "cveId",
         "assignerOrgId",
-        "state"
+        "state",
+        "datePublished",
+        "dateReserved"
       ],
       "properties": {
         "cveId": {
@@ -743,7 +745,8 @@
         "providerMetadata",
         "descriptions",
         "affected",
-        "references"
+        "references",
+        "datePublic"
       ],
       "patternProperties": {
         "^x_[^.]*$": {}
@@ -924,6 +927,10 @@
             ],
             "additionalProperties": false
           }
+        },
+        "preformatted": {
+          "type": "boolean",
+          "description": "If true, indicates the 'description' is preformatted text that should be rendered to preserve spacing and other formatting. If false, will be rendered without preserving formatting."
         }
       },
       "required": [
@@ -3239,7 +3246,6 @@
         ],
         "properties": {
           "time": {
-            "description": "Timestamp representing when the event in the timeline occurred. The timestamp format is based on RFC3339 and ISO ISO8601, with an optional timezone. yyyy-MM-ddTHH:mm:ss[+-]ZH:ZM - if the timezone offset is not given, GMT (+00:00) is assumed.",
             "$ref": "#/definitions/timestamp"
           },
           "lang": {
@@ -3305,7 +3311,38 @@
     "source": {
       "type": "object",
       "description": "This is the source information (who discovered it, who researched it, etc.) and optionally a chain of CNA information (e.g. the originating CNA and subsequent parent CNAs who have processed it before it arrives at the MITRE root).\n Must contain: IF this is in the root level it MUST contain a CNA_chain entry, IF this source entry is NOT in the root (e.g. it is part of a vendor statement) then it must contain at least one type of data entry.",
-      "minProperties": 1
+      "minProperties": 1,
+      "properties": {
+        "defect": {
+          "title": "Defects",
+          "type": "array",
+          "description": "CNA specific bug or defect tracking IDs (optional).",
+          "uniqueItems": true,
+          "items": {
+            "type": "string",
+            "maxLength": 64
+          }
+        },
+        "advisory": {
+          "title": "Advisory ID",
+          "type": "string",
+          "description": "CNA specific advisory IDs (optional).",
+          "maxLength": 64
+        },
+        "discovery": {
+          "type": "string",
+          "title": "Source of vulnerability discovery",
+          "enum": [
+            "INTERNAL",
+            "EXTERNAL",
+            "USER",
+            "UPSTREAM",
+            "UNKNOWN"
+          ],
+          "description": "Source of vulnerability discovery. This may be a factor for some consumers in prioritizing vulnerability response. \nINTERNAL: this vulnerability was found by the CNA's internal research.\nEXTERNAL: this vulnerability was found during research external to a CNA.\nUSER: This vulnerability was discovered during product use.\nUPSTREAM: This vulnerability was found by an upstream vendor or producer.\nUNKNOWN: Source of discovery is not defined or is unknown",
+          "default": "UNKNOWN"
+        }
+      }
     },
     "language": {
       "type": "string",
@@ -3519,4 +3556,4 @@
       "additionalProperties": false
     }
   ]
-}
+}
@@ -77,6 +77,7 @@
     },
     "cveId": {
       "type": "string",
+      "description": "The official CVE identifier contains the string 'CVE', followed by the year, followed by a 4 to 19 digit number. Note that the year-part of the identifier should indicate either the year the vulnerability was discovered, or the year the CVE ID is published in. CVE IDs must be unique.",
       "pattern": "^CVE-[0-9]{4}-[0-9]{4,19}$"
     },
     "cpe22and23": {
@@ -107,16 +108,13 @@
       "minLength": 2,
       "maxLength": 32
     },
-    "datestamp": {
-      "description": "Date/time format based on RFC3339 and ISO ISO8601.",
-      "type": "string",
-      "format": "date",
-      "pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))$"
-    },
     "timestamp": {
       "type": "string",
-      "description": "Date/time format based on RFC3339 and ISO ISO8601, with an optional timezone in the format 'yyyy-MM-ddTHH:mm:ss[+-]ZH:ZM'. If timezone offset is not given, GMT (+00:00) is assumed.",
-      "pattern": "^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})?$"
+      "description": "Date/time format based on RFC3339 and ISO ISO8601, with a mandatory timezone in the format 'yyyy-MM-ddTHH:mm:ss[+-]ZH:ZM'.",
+      "pattern": "^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])([+-][0-9]{2}:[0-9]{2})$",
+      "examples": [
+        "2025-01-04T12:01:01+05:30"
+      ]
     },
     "version": {
       "description": "A single version of a product, as expressed in its own version numbering scheme.",
@@ -345,7 +343,7 @@
         },
         "versions": {
           "type": "array",
-          "description": "Set of product versions or version ranges related to the vulnerability. The versions satisfy the CNA Rules [8.1.2 requirement](https://cve.mitre.org/cve/cna/rules.html#section_8-1_cve_entry_information_requirements). Versions or defaultStatus may be omitted, but not both.",
+          "description": "Set of product versions or version ranges related to the vulnerability. The versions help satisfy the CNA Rules [5.1.3 requirement](https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_5-1_Required_CVE_Record_Content). Versions or defaultStatus may be omitted, but not both.",
           "minItems": 1,
           "uniqueItems": true,
           "items": {
@@ -465,7 +463,9 @@
       "required": [
         "cveId",
         "assignerOrgId",
-        "state"
+        "state",
+        "datePublished",
+        "dateReserved"
       ],
       "properties": {
         "cveId": {
@@ -517,7 +517,9 @@
       "required": [
         "cveId",
         "assignerOrgId",
-        "state"
+        "state",
+        "datePublished",
+        "dateReserved"
       ],
       "properties": {
         "cveId": {
@@ -743,7 +745,8 @@
         "providerMetadata",
         "descriptions",
         "affected",
-        "references"
+        "references",
+        "datePublic"
       ],
       "patternProperties": {
         "^x_[^.]*$": {}
@@ -924,6 +927,10 @@
             ],
             "additionalProperties": false
           }
+        },
+        "preformatted": {
+          "type": "boolean",
+          "description": "If true, indicates the 'description' is preformatted text that should be rendered to preserve spacing and other formatting. If false, will be rendered without preserving formatting."
         }
       },
       "required": [
@@ -3239,7 +3246,6 @@
         ],
         "properties": {
           "time": {
-            "description": "Timestamp representing when the event in the timeline occurred. The timestamp format is based on RFC3339 and ISO ISO8601, with an optional timezone. yyyy-MM-ddTHH:mm:ss[+-]ZH:ZM - if the timezone offset is not given, GMT (+00:00) is assumed.",
             "$ref": "#/definitions/timestamp"
           },
           "lang": {
@@ -3305,7 +3311,38 @@
     "source": {
       "type": "object",
       "description": "This is the source information (who discovered it, who researched it, etc.) and optionally a chain of CNA information (e.g. the originating CNA and subsequent parent CNAs who have processed it before it arrives at the MITRE root).\n Must contain: IF this is in the root level it MUST contain a CNA_chain entry, IF this source entry is NOT in the root (e.g. it is part of a vendor statement) then it must contain at least one type of data entry.",
-      "minProperties": 1
+      "minProperties": 1,
+      "properties": {
+        "defect": {
+          "title": "Defects",
+          "type": "array",
+          "description": "CNA specific bug or defect tracking IDs (optional).",
+          "uniqueItems": true,
+          "items": {
+            "type": "string",
+            "maxLength": 64
+          }
+        },
+        "advisory": {
+          "title": "Advisory ID",
+          "type": "string",
+          "description": "CNA specific advisory IDs (optional).",
+          "maxLength": 64
+        },
+        "discovery": {
+          "type": "string",
+          "title": "Source of vulnerability discovery",
+          "enum": [
+            "INTERNAL",
+            "EXTERNAL",
+            "USER",
+            "UPSTREAM",
+            "UNKNOWN"
+          ],
+          "description": "Source of vulnerability discovery. This may be a factor for some consumers in prioritizing vulnerability response. \nINTERNAL: this vulnerability was found by the CNA's internal research.\nEXTERNAL: this vulnerability was found during research external to a CNA.\nUSER: This vulnerability was discovered during product use.\nUPSTREAM: This vulnerability was found by an upstream vendor or producer.\nUNKNOWN: Source of discovery is not defined or is unknown",
+          "default": "UNKNOWN"
+        }
+      }
     },
     "language": {
       "type": "string",
@@ -3437,10 +3474,11 @@
       }
     }
   },
+  "type": "object",
   "properties": {
     "adpContainer": {
       "$ref": "#/definitions/adpContainer"
     }
   },
   "additionalProperties": false
-}
+}
Original file line number	Diff line number	Diff line change
`@@ -85,7 +85,7 @@`
`85`	`85`	`"timestamp": {`
`86`	`86`	`"type": "string",`
`87`	`87`	`"description": "Date/time format based on RFC3339 and ISO ISO8601, with a mandatory timezone in the format 'yyyy-MM-ddTHH:mm:ss[+-]ZH:ZM'.",`
`88`		`- "pattern": "^(((2000\|2400\|2800\|(19\|2[0-9](0[48]\|[2468][048]\|[13579][26])))-02-29)\|(((19\|2[0-9])[0-9]{2})-02-(0[1-9]\|1[0-9]\|2[0-8]))\|(((19\|2[0-9])[0-9]{2})-(0[13578]\|10\|12)-(0[1-9]\|[12][0-9]\|3[01]))\|(((19\|2[0-9])[0-9]{2})-(0[469]\|11)-(0[1-9]\|[12][0-9]\|30)))T(2[0-3]\|[01][0-9]):([0-5][0-9]):([0-5][0-9])(Z\|[+-][0-9]{2}:[0-9]{2})$",`
	`88`	`+ "pattern": "^(((2000\|2400\|2800\|(19\|2[0-9](0[48]\|[2468][048]\|[13579][26])))-02-29)\|(((19\|2[0-9])[0-9]{2})-02-(0[1-9]\|1[0-9]\|2[0-8]))\|(((19\|2[0-9])[0-9]{2})-(0[13578]\|10\|12)-(0[1-9]\|[12][0-9]\|3[01]))\|(((19\|2[0-9])[0-9]{2})-(0[469]\|11)-(0[1-9]\|[12][0-9]\|30)))T(2[0-3]\|[01][0-9]):([0-5][0-9]):([0-5][0-9])([+-][0-9]{2}:[0-9]{2})$",`
`89`	`89`	`"examples": [`
`90`	`90`	`"2025-01-04T12:01:01+05:30"`
`91`	`91`	`]`