diff --git a/schema/docs/CVE_Record_Format_bundled.json b/schema/docs/CVE_Record_Format_bundled.json index f2345f1dfc8..7c032d9c79f 100644 --- a/schema/docs/CVE_Record_Format_bundled.json +++ b/schema/docs/CVE_Record_Format_bundled.json @@ -3168,73 +3168,80 @@ }, "ssvcV1_0_1": { "$schema": "https://json-schema.org/draft/2020-12/schema", + "description": "This schema defines the structure for selecting SSVC Decision Points and their evaluated values for a given vulnerability. Each vulnerability can have multiple Decision Points, and each Decision Point can have multiple selected values when full certainty is not available.", "$defs": { "id": { "type": "string", - "description": "Identifier for a vulnerability could be CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.", + "description": "Identifier for the vulnerability that was evaluation, such as CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.", "examples": [ "CVE-1900-1234", "VU#11111", "GHSA-11a1-22b2-33c3" - ] + ], + "minLength": 1 }, "role": { "type": "string", - "description": "Roles to define SSVC Stakeholders https://certcc.github.io/SSVC/topics/enumerating_stakeholders/", + "description": "The role of the stakeholder performing the evaluation (e.g., Supplier, Deployer, Coordinator). See SSVC documentation for a currently identified list: https://certcc.github.io/SSVC/topics/enumerating_stakeholders/", "examples": [ "Supplier", "Deployer", "Coordinator" - ] + ], + "minLength": 1 }, "timestamp": { - "description": "Date and time in ISO format ISO 8601 format", + "description": "Date and time when the evaluation of the Vulnerability was performed according to RFC 3339, section 5.6.", "type": "string", "format": "date-time" }, - "schemaVersion": { - "description": "Schema version used to represent this evaluation", - "type": "string", - "enum": [ - "1-0-1" - ] - }, "SsvcdecisionpointselectionSchema": { - "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability", + "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability evaluation.", "properties": { "name": { - "description": "Name of the Decision Point that were evaluated", - "title": "name", "type": "string", + "description": "A short label that identifies a Decision Point.", + "minLength": 1, "examples": [ - "Automatable", - "Exploitation" + "Exploitation", + "Automatable" ] }, "namespace": { - "description": "SSVC Namespace that were used for defining the evaluated Decision Points", - "title": "namespace", "type": "string", + "description": "Namespace (a short, unique string): For example, \"ssvc\" or \"cvss\" to indicate the source of the decision point. See SSVC Documentation for details.", + "pattern": "^[a-z0-9-]{3,4}[a-z0-9/\\.-]*$", "examples": [ "ssvc", - "cvssv4" + "cvss", + "ssvc-jp", + "ssvc/acme", + "ssvc/example.com" ] }, "values": { - "description": "Evaluated values of the Decision Point", + "description": "One or more Decision Point Values that were selected for this Decision Point. If the evaluation is uncertain, multiple values may be listed to reflect the potential range of possibilities.", "title": "values", "type": "array", "minItems": 1, "items": { - "description": "Each value that were down-selected for a Decision Point", - "title": "values", - "type": "string" + "type": "string", + "description": "A short label that identifies a Decision Point Value", + "minLength": 1, + "examples": [ + "Public PoC", + "Yes" + ] } }, "version": { - "description": "Version of the Decision Points that were evaluated", - "title": "version", - "type": "string" + "type": "string", + "description": "Version (a semantic version string) that identifies the version of a Decision Point.", + "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$", + "examples": [ + "1.0.1", + "1.0.1-alpha" + ] } }, "type": "object", @@ -3255,13 +3262,17 @@ "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/role" }, "schemaVersion": { - "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/schemaVersion" + "description": "Schema version used to represent this Decision Point.", + "type": "string", + "enum": [ + "1-0-1" + ] }, "timestamp": { "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/timestamp" }, "selections": { - "description": "An array of Decision Points and their Values that were down-selected or evaluated ", + "description": "An array of Decision Points and their selected values for the identified Vulnerability. If a clear evaluation is uncertain, multiple values may be listed for a Decision Point instead of waiting for perfect clarity.", "title": "selections", "type": "array", "minItems": 1, diff --git a/schema/docs/CVE_Record_Format_bundled_adpContainer.json b/schema/docs/CVE_Record_Format_bundled_adpContainer.json index ed1d3dbf2cf..b294d13ffd2 100644 --- a/schema/docs/CVE_Record_Format_bundled_adpContainer.json +++ b/schema/docs/CVE_Record_Format_bundled_adpContainer.json @@ -3168,73 +3168,80 @@ }, "ssvcV1_0_1": { "$schema": "https://json-schema.org/draft/2020-12/schema", + "description": "This schema defines the structure for selecting SSVC Decision Points and their evaluated values for a given vulnerability. Each vulnerability can have multiple Decision Points, and each Decision Point can have multiple selected values when full certainty is not available.", "$defs": { "id": { "type": "string", - "description": "Identifier for a vulnerability could be CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.", + "description": "Identifier for the vulnerability that was evaluation, such as CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.", "examples": [ "CVE-1900-1234", "VU#11111", "GHSA-11a1-22b2-33c3" - ] + ], + "minLength": 1 }, "role": { "type": "string", - "description": "Roles to define SSVC Stakeholders https://certcc.github.io/SSVC/topics/enumerating_stakeholders/", + "description": "The role of the stakeholder performing the evaluation (e.g., Supplier, Deployer, Coordinator). See SSVC documentation for a currently identified list: https://certcc.github.io/SSVC/topics/enumerating_stakeholders/", "examples": [ "Supplier", "Deployer", "Coordinator" - ] + ], + "minLength": 1 }, "timestamp": { - "description": "Date and time in ISO format ISO 8601 format", + "description": "Date and time when the evaluation of the Vulnerability was performed according to RFC 3339, section 5.6.", "type": "string", "format": "date-time" }, - "schemaVersion": { - "description": "Schema version used to represent this evaluation", - "type": "string", - "enum": [ - "1-0-1" - ] - }, "SsvcdecisionpointselectionSchema": { - "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability", + "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability evaluation.", "properties": { "name": { - "description": "Name of the Decision Point that were evaluated", - "title": "name", "type": "string", + "description": "A short label that identifies a Decision Point.", + "minLength": 1, "examples": [ - "Automatable", - "Exploitation" + "Exploitation", + "Automatable" ] }, "namespace": { - "description": "SSVC Namespace that were used for defining the evaluated Decision Points", - "title": "namespace", "type": "string", + "description": "Namespace (a short, unique string): For example, \"ssvc\" or \"cvss\" to indicate the source of the decision point. See SSVC Documentation for details.", + "pattern": "^[a-z0-9-]{3,4}[a-z0-9/\\.-]*$", "examples": [ "ssvc", - "cvssv4" + "cvss", + "ssvc-jp", + "ssvc/acme", + "ssvc/example.com" ] }, "values": { - "description": "Evaluated values of the Decision Point", + "description": "One or more Decision Point Values that were selected for this Decision Point. If the evaluation is uncertain, multiple values may be listed to reflect the potential range of possibilities.", "title": "values", "type": "array", "minItems": 1, "items": { - "description": "Each value that were down-selected for a Decision Point", - "title": "values", - "type": "string" + "type": "string", + "description": "A short label that identifies a Decision Point Value", + "minLength": 1, + "examples": [ + "Public PoC", + "Yes" + ] } }, "version": { - "description": "Version of the Decision Points that were evaluated", - "title": "version", - "type": "string" + "type": "string", + "description": "Version (a semantic version string) that identifies the version of a Decision Point.", + "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$", + "examples": [ + "1.0.1", + "1.0.1-alpha" + ] } }, "type": "object", @@ -3255,13 +3262,17 @@ "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/role" }, "schemaVersion": { - "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/schemaVersion" + "description": "Schema version used to represent this Decision Point.", + "type": "string", + "enum": [ + "1-0-1" + ] }, "timestamp": { "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/timestamp" }, "selections": { - "description": "An array of Decision Points and their Values that were down-selected or evaluated ", + "description": "An array of Decision Points and their selected values for the identified Vulnerability. If a clear evaluation is uncertain, multiple values may be listed for a Decision Point instead of waiting for perfect clarity.", "title": "selections", "type": "array", "minItems": 1, diff --git a/schema/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json b/schema/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json index 596b73e6209..7e650c278cc 100644 --- a/schema/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json +++ b/schema/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json @@ -3168,73 +3168,80 @@ }, "ssvcV1_0_1": { "$schema": "https://json-schema.org/draft/2020-12/schema", + "description": "This schema defines the structure for selecting SSVC Decision Points and their evaluated values for a given vulnerability. Each vulnerability can have multiple Decision Points, and each Decision Point can have multiple selected values when full certainty is not available.", "$defs": { "id": { "type": "string", - "description": "Identifier for a vulnerability could be CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.", + "description": "Identifier for the vulnerability that was evaluation, such as CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.", "examples": [ "CVE-1900-1234", "VU#11111", "GHSA-11a1-22b2-33c3" - ] + ], + "minLength": 1 }, "role": { "type": "string", - "description": "Roles to define SSVC Stakeholders https://certcc.github.io/SSVC/topics/enumerating_stakeholders/", + "description": "The role of the stakeholder performing the evaluation (e.g., Supplier, Deployer, Coordinator). See SSVC documentation for a currently identified list: https://certcc.github.io/SSVC/topics/enumerating_stakeholders/", "examples": [ "Supplier", "Deployer", "Coordinator" - ] + ], + "minLength": 1 }, "timestamp": { - "description": "Date and time in ISO format ISO 8601 format", + "description": "Date and time when the evaluation of the Vulnerability was performed according to RFC 3339, section 5.6.", "type": "string", "format": "date-time" }, - "schemaVersion": { - "description": "Schema version used to represent this evaluation", - "type": "string", - "enum": [ - "1-0-1" - ] - }, "SsvcdecisionpointselectionSchema": { - "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability", + "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability evaluation.", "properties": { "name": { - "description": "Name of the Decision Point that were evaluated", - "title": "name", "type": "string", + "description": "A short label that identifies a Decision Point.", + "minLength": 1, "examples": [ - "Automatable", - "Exploitation" + "Exploitation", + "Automatable" ] }, "namespace": { - "description": "SSVC Namespace that were used for defining the evaluated Decision Points", - "title": "namespace", "type": "string", + "description": "Namespace (a short, unique string): For example, \"ssvc\" or \"cvss\" to indicate the source of the decision point. See SSVC Documentation for details.", + "pattern": "^[a-z0-9-]{3,4}[a-z0-9/\\.-]*$", "examples": [ "ssvc", - "cvssv4" + "cvss", + "ssvc-jp", + "ssvc/acme", + "ssvc/example.com" ] }, "values": { - "description": "Evaluated values of the Decision Point", + "description": "One or more Decision Point Values that were selected for this Decision Point. If the evaluation is uncertain, multiple values may be listed to reflect the potential range of possibilities.", "title": "values", "type": "array", "minItems": 1, "items": { - "description": "Each value that were down-selected for a Decision Point", - "title": "values", - "type": "string" + "type": "string", + "description": "A short label that identifies a Decision Point Value", + "minLength": 1, + "examples": [ + "Public PoC", + "Yes" + ] } }, "version": { - "description": "Version of the Decision Points that were evaluated", - "title": "version", - "type": "string" + "type": "string", + "description": "Version (a semantic version string) that identifies the version of a Decision Point.", + "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$", + "examples": [ + "1.0.1", + "1.0.1-alpha" + ] } }, "type": "object", @@ -3255,13 +3262,17 @@ "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/role" }, "schemaVersion": { - "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/schemaVersion" + "description": "Schema version used to represent this Decision Point.", + "type": "string", + "enum": [ + "1-0-1" + ] }, "timestamp": { "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/timestamp" }, "selections": { - "description": "An array of Decision Points and their Values that were down-selected or evaluated ", + "description": "An array of Decision Points and their selected values for the identified Vulnerability. If a clear evaluation is uncertain, multiple values may be listed for a Decision Point instead of waiting for perfect clarity.", "title": "selections", "type": "array", "minItems": 1, diff --git a/schema/docs/CVE_Record_Format_bundled_cnaRejectedContainer.json b/schema/docs/CVE_Record_Format_bundled_cnaRejectedContainer.json index 9935bc01da4..3a3224d48b7 100644 --- a/schema/docs/CVE_Record_Format_bundled_cnaRejectedContainer.json +++ b/schema/docs/CVE_Record_Format_bundled_cnaRejectedContainer.json @@ -3168,73 +3168,80 @@ }, "ssvcV1_0_1": { "$schema": "https://json-schema.org/draft/2020-12/schema", + "description": "This schema defines the structure for selecting SSVC Decision Points and their evaluated values for a given vulnerability. Each vulnerability can have multiple Decision Points, and each Decision Point can have multiple selected values when full certainty is not available.", "$defs": { "id": { "type": "string", - "description": "Identifier for a vulnerability could be CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.", + "description": "Identifier for the vulnerability that was evaluation, such as CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.", "examples": [ "CVE-1900-1234", "VU#11111", "GHSA-11a1-22b2-33c3" - ] + ], + "minLength": 1 }, "role": { "type": "string", - "description": "Roles to define SSVC Stakeholders https://certcc.github.io/SSVC/topics/enumerating_stakeholders/", + "description": "The role of the stakeholder performing the evaluation (e.g., Supplier, Deployer, Coordinator). See SSVC documentation for a currently identified list: https://certcc.github.io/SSVC/topics/enumerating_stakeholders/", "examples": [ "Supplier", "Deployer", "Coordinator" - ] + ], + "minLength": 1 }, "timestamp": { - "description": "Date and time in ISO format ISO 8601 format", + "description": "Date and time when the evaluation of the Vulnerability was performed according to RFC 3339, section 5.6.", "type": "string", "format": "date-time" }, - "schemaVersion": { - "description": "Schema version used to represent this evaluation", - "type": "string", - "enum": [ - "1-0-1" - ] - }, "SsvcdecisionpointselectionSchema": { - "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability", + "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability evaluation.", "properties": { "name": { - "description": "Name of the Decision Point that were evaluated", - "title": "name", "type": "string", + "description": "A short label that identifies a Decision Point.", + "minLength": 1, "examples": [ - "Automatable", - "Exploitation" + "Exploitation", + "Automatable" ] }, "namespace": { - "description": "SSVC Namespace that were used for defining the evaluated Decision Points", - "title": "namespace", "type": "string", + "description": "Namespace (a short, unique string): For example, \"ssvc\" or \"cvss\" to indicate the source of the decision point. See SSVC Documentation for details.", + "pattern": "^[a-z0-9-]{3,4}[a-z0-9/\\.-]*$", "examples": [ "ssvc", - "cvssv4" + "cvss", + "ssvc-jp", + "ssvc/acme", + "ssvc/example.com" ] }, "values": { - "description": "Evaluated values of the Decision Point", + "description": "One or more Decision Point Values that were selected for this Decision Point. If the evaluation is uncertain, multiple values may be listed to reflect the potential range of possibilities.", "title": "values", "type": "array", "minItems": 1, "items": { - "description": "Each value that were down-selected for a Decision Point", - "title": "values", - "type": "string" + "type": "string", + "description": "A short label that identifies a Decision Point Value", + "minLength": 1, + "examples": [ + "Public PoC", + "Yes" + ] } }, "version": { - "description": "Version of the Decision Points that were evaluated", - "title": "version", - "type": "string" + "type": "string", + "description": "Version (a semantic version string) that identifies the version of a Decision Point.", + "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$", + "examples": [ + "1.0.1", + "1.0.1-alpha" + ] } }, "type": "object", @@ -3255,13 +3262,17 @@ "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/role" }, "schemaVersion": { - "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/schemaVersion" + "description": "Schema version used to represent this Decision Point.", + "type": "string", + "enum": [ + "1-0-1" + ] }, "timestamp": { "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/timestamp" }, "selections": { - "description": "An array of Decision Points and their Values that were down-selected or evaluated ", + "description": "An array of Decision Points and their selected values for the identified Vulnerability. If a clear evaluation is uncertain, multiple values may be listed for a Decision Point instead of waiting for perfect clarity.", "title": "selections", "type": "array", "minItems": 1, diff --git a/schema/imports/ssvc/deep-ssvc-v1.0.1.json b/schema/imports/ssvc/deep-ssvc-v1.0.1.json new file mode 100644 index 00000000000..ca5b1115114 --- /dev/null +++ b/schema/imports/ssvc/deep-ssvc-v1.0.1.json @@ -0,0 +1,86 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json", + "description": "This schema defines the structure for selecting SSVC Decision Points and their evaluated values for a given vulnerability. Each vulnerability can have multiple Decision Points, and each Decision Point can have multiple selected values when full certainty is not available.", + "$defs": { + "id": { + "type": "string", + "description": "Identifier for the vulnerability that was evaluation, such as CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.", + "examples": ["CVE-1900-1234","VU#11111","GHSA-11a1-22b2-33c3"], + "minLength": 1 + }, + "role": { + "type": "string", + "description": "The role of the stakeholder performing the evaluation (e.g., Supplier, Deployer, Coordinator). See SSVC documentation for a currently identified list: https://certcc.github.io/SSVC/topics/enumerating_stakeholders/", + "examples": ["Supplier","Deployer","Coordinator"], + "minLength": 1 + }, + "timestamp" : { + "description": "Date and time when the evaluation of the Vulnerability was performed according to RFC 3339, section 5.6.", + "type": "string", + "format": "date-time" + }, + "SsvcdecisionpointselectionSchema": { + "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability evaluation.", + "properties": { + "name": { + "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point/properties/name" + }, + "namespace": { + "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point/properties/namespace" + }, + "values": { + "description": "One or more Decision Point Values that were selected for this Decision Point. If the evaluation is uncertain, multiple values may be listed to reflect the potential range of possibilities.", + "title": "values", + "type": "array", + "minItems": 1, + "items": { + "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point_value/properties/name" + } + }, + "version": { + "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point/properties/version" + } + }, + "type": "object", + "required": [ + "name", + "namespace", + "values", + "version" + ], + "additionalProperties": false + } + }, + "properties": { + "id": { + "$ref": "#/$defs/id" + }, + "role": { + "$ref": "#/$defs/role" + }, + "schemaVersion": { + "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/schemaVersion" + }, + "timestamp": { + "$ref": "#/$defs/timestamp" + }, + "selections": { + "description": "An array of Decision Points and their selected values for the identified Vulnerability. If a clear evaluation is uncertain, multiple values may be listed for a Decision Point instead of waiting for perfect clarity.", + "title": "selections", + "type": "array", + "minItems": 1, + "items": { + "$ref": "#/$defs/SsvcdecisionpointselectionSchema" + } + } + }, + "type": "object", + "required": [ + "selections", + "id", + "timestamp", + "schemaVersion" + ], + "additionalProperties": false +} diff --git a/schema/imports/ssvc/ssvc-v1.0.1.json b/schema/imports/ssvc/ssvc-v1.0.1.json index 59022e040bf..306ea086228 100644 --- a/schema/imports/ssvc/ssvc-v1.0.1.json +++ b/schema/imports/ssvc/ssvc-v1.0.1.json @@ -1,98 +1,125 @@ { "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json", + "description": "This schema defines the structure for selecting SSVC Decision Points and their evaluated values for a given vulnerability. Each vulnerability can have multiple Decision Points, and each Decision Point can have multiple selected values when full certainty is not available.", "$defs": { - "id": { + "id": { "type": "string", - "description": "Identifier for a vulnerability could be CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.", - "examples": ["CVE-1900-1234","VU#11111","GHSA-11a1-22b2-33c3"] - }, - "role": { + "description": "Identifier for the vulnerability that was evaluation, such as CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.", + "examples": [ + "CVE-1900-1234", + "VU#11111", + "GHSA-11a1-22b2-33c3" + ], + "minLength": 1 + }, + "role": { "type": "string", - "description": "Roles to define SSVC Stakeholders https://certcc.github.io/SSVC/topics/enumerating_stakeholders/", - "examples": ["Supplier","Deployer","Coordinator"] + "description": "The role of the stakeholder performing the evaluation (e.g., Supplier, Deployer, Coordinator). See SSVC documentation for a currently identified list: https://certcc.github.io/SSVC/topics/enumerating_stakeholders/", + "examples": [ + "Supplier", + "Deployer", + "Coordinator" + ], + "minLength": 1 }, - "timestamp" : { - "description": "Date and time in ISO format ISO 8601 format", + "timestamp": { + "description": "Date and time when the evaluation of the Vulnerability was performed according to RFC 3339, section 5.6.", "type": "string", "format": "date-time" - }, + }, + "SsvcdecisionpointselectionSchema": { + "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability evaluation.", + "properties": { + "name": { + "type": "string", + "description": "A short label that identifies a Decision Point.", + "minLength": 1, + "examples": [ + "Exploitation", + "Automatable" + ] + }, + "namespace": { + "type": "string", + "description": "Namespace (a short, unique string): For example, \"ssvc\" or \"cvss\" to indicate the source of the decision point. See SSVC Documentation for details.", + "pattern": "^[a-z0-9-]{3,4}[a-z0-9/\\.-]*$", + "examples": [ + "ssvc", + "cvss", + "ssvc-jp", + "ssvc/acme", + "ssvc/example.com" + ] + }, + "values": { + "description": "One or more Decision Point Values that were selected for this Decision Point. If the evaluation is uncertain, multiple values may be listed to reflect the potential range of possibilities.", + "title": "values", + "type": "array", + "minItems": 1, + "items": { + "type": "string", + "description": "A short label that identifies a Decision Point Value", + "minLength": 1, + "examples": [ + "Public PoC", + "Yes" + ] + } + }, + "version": { + "type": "string", + "description": "Version (a semantic version string) that identifies the version of a Decision Point.", + "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$", + "examples": [ + "1.0.1", + "1.0.1-alpha" + ] + } + }, + "type": "object", + "required": [ + "name", + "namespace", + "values", + "version" + ], + "additionalProperties": false + } + }, + "properties": { + "id": { + "$ref": "#/$defs/id" + }, + "role": { + "$ref": "#/$defs/role" + }, "schemaVersion": { - "description": "Schema version used to represent this evaluation", + "description": "Schema version used to represent this Decision Point.", "type": "string", - "enum": ["1-0-1"] + "enum": [ + "1-0-1" + ] }, - "SsvcdecisionpointselectionSchema": { - "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability", - "properties": { - "name": { - "description": "Name of the Decision Point that were evaluated", - "title": "name", - "type": "string", - "examples": ["Automatable", "Exploitation"] - }, - "namespace": { - "description": "SSVC Namespace that were used for defining the evaluated Decision Points", - "title": "namespace", - "type": "string", - "examples": ["ssvc","cvssv4"] - }, - "values": { - "description": "Evaluated values of the Decision Point", - "title": "values", - "type": "array", - "minItems": 1, - "items": { - "description": "Each value that were down-selected for a Decision Point", - "title": "values", - "type": "string" - } - }, - "version": { - "description": "Version of the Decision Points that were evaluated", - "title": "version", - "type": "string" - } - }, - "type": "object", - "required": [ - "name", - "namespace", - "values", - "version" - ], - "additionalProperties": false - } + "timestamp": { + "$ref": "#/$defs/timestamp" + }, + "selections": { + "description": "An array of Decision Points and their selected values for the identified Vulnerability. If a clear evaluation is uncertain, multiple values may be listed for a Decision Point instead of waiting for perfect clarity.", + "title": "selections", + "type": "array", + "minItems": 1, + "items": { + "$ref": "#/$defs/SsvcdecisionpointselectionSchema" + } + } }, - "properties": { - "id": { - "$ref": "#/$defs/id" - }, - "role": { - "$ref": "#/$defs/role" - }, - "schemaVersion": { - "$ref": "#/$defs/schemaVersion" - }, - "timestamp": { - "$ref": "#/$defs/timestamp" - }, - "selections": { - "description" : "An array of Decision Points and their Values that were down-selected or evaluated ", - "title": "selections", - "type": "array", - "minItems": 1, - "items": { - "$ref": "#/$defs/SsvcdecisionpointselectionSchema" - } - } - }, "type": "object", "required": [ - "selections", - "id", - "timestamp", - "schemaVersion" + "selections", + "id", + "timestamp", + "schemaVersion" ], "additionalProperties": false } diff --git a/tools/cve-schema-test.sh b/tools/cve-schema-test.sh index 4fed61ba6af..03acfe5f1a4 100644 --- a/tools/cve-schema-test.sh +++ b/tools/cve-schema-test.sh @@ -4,9 +4,15 @@ npm install --loglevel verbose -g yargs ajv-formats@"^1.5.x" ajv-cli@"^4.0.x" REPO_DIR=`pwd` CVE_SCHEMA_DIR=$REPO_DIR/schema CVE_SCHEMA_FILENAME=CVE_Record_Format.json + npm --prefix "${CVE_SCHEMA_DIR}/support/schema2markmap" install "${CVE_SCHEMA_DIR}/support/schema2markmap" + +python3.12 "${REPO_DIR}/tools/merge_schema.py" "${CVE_SCHEMA_DIR}/imports/ssvc/deep-ssvc-v1.0.1.json" > "${CVE_SCHEMA_DIR}/imports/ssvc/ssvc-v1.0.1.json" + sed 's/file\://g' "${CVE_SCHEMA_DIR}/${CVE_SCHEMA_FILENAME}" > "${CVE_SCHEMA_DIR}/cve-schema.json" + node "${CVE_SCHEMA_DIR}/support/schema2markmap/schema-bundle.js" "${CVE_SCHEMA_DIR}/cve-schema.json" "${CVE_SCHEMA_DIR}/docs/" + ajv compile -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled.json" ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled.json" -d "${CVE_SCHEMA_DIR}/docs/full-record-basic-example.json" ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled.json" -d "${CVE_SCHEMA_DIR}/docs/full-record-advanced-example.json" diff --git a/tools/merge_schema.py b/tools/merge_schema.py new file mode 100644 index 00000000000..89002250ab9 --- /dev/null +++ b/tools/merge_schema.py @@ -0,0 +1,85 @@ +import json +import re +import requests +from urllib.parse import urlparse +import sys +import logging +import os + +logger = logging.getLogger(__name__) +logger.setLevel(logging.DEBUG) +handler = logging.StreamHandler(sys.stderr) +handler.setLevel(logging.DEBUG) +formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s') +handler.setFormatter(formatter) +logger.addHandler(handler) + +rootpath = "./" + + +def resolve_ref(uri): + """ + Parse https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point/properties/name + to find definitions + """ + parsed_url = urlparse(uri) + logger.debug(f"Fetching URI {uri}") + keys = parsed_url.fragment.split("/") + if parsed_url.scheme == 'file': + data = json.load(open(parsed_url.netloc + parsed_url.path, "r")) + else: + response = requests.get(uri) + data = response.json() + if len(keys) > 1: + keys.pop(0) + for key in keys: + data = replace_in_json(data[key]) + return replace_in_json(data) + + + +def replace_in_json(json_data, pattern="(https|file)://", key=None): + """ + Args: + json_data: The JSON data (dict, list, string, etc.). + pattern: The regular expression pattern to match. "(https|file)://" + key: The key to replace. + + Returns: + The modified JSON data. + """ + + if isinstance(json_data, dict): + for key, value in json_data.items(): + if isinstance(value, str) and key == "$ref": + logger.debug(f"Descending as {key}, {value}") + if re.match(pattern, value): + json_data = replace_in_json(value, pattern, key) + elif value[0] != "#": + value = "file://" + rootpath + '/' + value + json_data = replace_in_json(value, pattern, key) + else: + json_data[key] = replace_in_json(value) + else: + json_data[key] = replace_in_json(value) + elif isinstance(json_data, list): + for i, item in enumerate(json_data): + json_data[i] = replace_in_json(item, pattern) + elif isinstance(json_data, str): + if key == "$ref" and re.match(pattern, json_data): + logger.debug(f"Resolving remote reference or local reference {json_data}") + json_data = resolve_ref(json_data) + return json_data + +if __name__ == "__main__": + if len(sys.argv) < 2: + print(json.dumps(resolve_ref("https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json"), indent=4)) + else: + baseuri = sys.argv[1] + if os.path.isfile(baseuri): + rootpath = os.path.dirname(baseuri) + logger.debug(f"Updated begining URL so local file as file://{baseuri}") + baseuri = "file://" + sys.argv[1] + parsed_url = urlparse(baseuri) + print(json.dumps(resolve_ref(baseuri), indent=4)) +