_#3734 Updates for CVE Record Format 2.0.0 and CVE Services 2.6.0

rlxdev · rlxdev · commit ee9a5ebbefd6 · 2025-10-29T11:14:00.000-04:00
diff --git a/src/assets/data/news.json b/src/assets/data/news.json
@@ -1,5 +1,99 @@
 {
   "currentNews": [
+    {
+      "id": 591,
+      "newsType": "blog",
+      "title": "CVE Record Format Version 5.2.0 and CVE Services Version 2.6.0 Now Available",
+      "urlKeywords": "CVE Record Format CVE Services Updated",
+      "date": "2025-10-29",
+      "author": {
+        "name": "CVE Program",
+        "organization": {
+          "name": "CVE Program",
+          "url": ""
+        },
+        "title": "",
+        "bio": ""
+      },
+      "description": [
+        {
+          "contentnewsType": "paragraph",
+          "content": "The CVE Program is pleased to announce the release of <a href='https://github.com/CVEProject/cve-schema/blob/master/README.md' target='_blank'>CVE Record Format 5.2.0</a> (view <a href='https://github.com/CVEProject/cve-schema/releases/tag/v5.2.0' target='_blank'>release notes</a>) and <a href='https://github.com/CVEProject/cve-services/releases/tag/v2.6.0' target='_blank'>CVE Services 2.6.0</a> (view <a href='https://github.com/CVEProject/cve-services/releases/tag/v2.6.0' target='_blank'>release notes</a>). This newest version release of the CVE Record Format further enables support the <a href='https://github.com/package-url/' target='_blank'>Package URL (PURL)</a> specification for identifying software packages, components, and libraries in <a href='/ResourcesSupport/Glossary?activeTerm=glossaryRecord'>CVE Records</a>. CVE Services was updated to support this new version of the CVE Record Format."
+        },
+        {
+          "contentnewsType": "paragraph",
+          "content": "Adding PURL support in the new CVE Record Format continues the <a href='/Media/News/item/blog/2024/04/30/New-CVE-Record-Format-Enables-Additional-Data'>evolution of the CVE Record Format</a> to provide additional information of value to the downstream consumer. Being able to quickly correlate vulnerability information with relevant software identification helps accelerate vulnerability management. PURL uses a URL string to identify and locate a software package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs, and databases."
+        },
+        {
+          "contentnewsType": "paragraph",
+          "content": "<h3>Updates for CVE Record Format 5.2.0</h3>"
+        },
+        {
+          "contentnewsType": "paragraph",
+          "content": "The key updates for the new release include:"
+        },
+        {
+          "contentnewsType": "paragraph",
+          "content": "<ul><li>Support for PURL (Package URL) identifiers using the packageURL property within the affected array items (i.e., product objects).</li><ul><li>Note that adding PURLs to a CVE Record is optional and NOT required for CNAs.</li><li>CVE Services will enforce validation on provided PURL syntax. If any provided PURLs are not syntactically valid according to the <a href='https://github.com/package-url/purl-spec' target='_blank'>PURL specification</a>, the CVE Record will be flagged and will require resubmission after correcting the provided PURL.</li><li>The CVE Record Format will disallow a package version as part of a PURL. The reason is that it could conflict with the version property that is already part of the affected array data. PURLs within the CVE Record Format should NOT include a version.</li></ul><li>Added additionalProperties equal to false for the affected array items. New or renamed properties are no longer allowed for affected array items (i.e., product objects).</li><li>Updates were made to the example CVE Records including PURL examples, tag examples, and a fix to improve compliance with the CNA Rules.</li><li>Multiple documentation and infrastructure improvements were made to better support future CVE Record Format updates.</li></ul>"
+        },
+        {
+          "contentnewsType": "paragraph",
+          "content": "A complete list of updates is available in the <a href='https://github.com/CVEProject/cve-schema/releases/tag/v5.2.0' target='_blank'>release notes</a>."
+        },
+        {
+          "contentnewsType": "paragraph",
+          "content": "<h3>Important Vulnogram Compatibility Update</h3>"
+        },
+        {
+          "contentnewsType": "paragraph",
+          "content": "<a href='https://github.com/Vulnogram/Vulnogram' target='_blank'>Vulnogram</a> is a widely used tool for creating and editing CVE information in CVE JSON format, and for generating advisories. A live instance of <a href='https://vulnogram.github.io/#editor' target='_blank'>Vulnogram</a> is available and can be used immediately for creating and submitting CVE Records, and it was recently updated to allow loading of the new CVE Record Format 5.2.0 Records."
+        },
+        {
+          "contentnewsType": "paragraph",
+          "content": "NOTE: If you have either forked or developed tools based on Vulnogram, you may need to update your code to support loading of 5.2.0 CVE Records."
+        },
+        {
+          "contentnewsType": "paragraph",
+          "content": "You should modify default/cve5/script.js (was line 526 within Vulnogram) so that 5.2 is a valid value. A similar update where the 5.1 support was added can be viewed in a GitHub commit <a href='https://github.com/Vulnogram/Vulnogram/commit/e368607e0768a656270d79dc881850e30935aa7b' target='_blank'>here</a>."
+        },
+        {
+          "contentnewsType": "paragraph",
+          "content": "Replace:<pre>(res && res.dataVersion == \"5.0\" || res.dataVersion == \"5.1\")</pre> with <pre>(res && (res.dataVersion == \"5.0\" || res.dataVersion == \"5.1\" || res.dataVersion == \"5.2\"))</pre>Another alternative would be to replace the code with something that allows all 5.x versions such as: <pre>(res?.dataVersion?.match?.(/^5\\.(0|[1-9][0-9]*)(\\.(0|[1-9][0-9]*))?$/))</pre>"
+        },
+        {
+          "contentnewsType": "paragraph",
+          "content": "<h3>Important Additional Guidance for PURL Support</h3>"
+        },
+        {
+          "contentnewsType": "paragraph",
+          "content": "The CVE Program’s intended use of PURLs is to provide an additional machine-readable identifier for identifying the affected (or unaffected) products within a CVE Record. When included, the provided PURLs should align with the human-readable product and version properties that are already required when producing CVE Records. It is entirely possible that the product names and PURL names will not match up exactly, and this is to be expected. However, <a href='/ProgramOrganization/CNAs'>CVE Numbering Authorities (CNAs)</a> should avoid providing PURLs that do not match up with the human-readable information already provided (and required) within the affected array product and version properties."
+        },
+        {
+          "contentnewsType": "paragraph",
+          "content": "<h3>Updates for CVE Services 2.6.0</h3>"
+        },
+        {
+          "contentnewsType": "paragraph",
+          "content": "<a href='/AllResources/CveServices'>CVE Services</a> will be updated to version 2.6.0 to support the release of CVE Record Format 5.2.0. A complete list of updates will be available in the <a href='https://github.com/CVEProject/cve-services/releases/tag/v2.6.0' target='_blank'>release notes</a>."
+        },
+        {
+          "contentnewsType": "paragraph",
+          "content": "<h3>Detailed Release Notes</h3>"
+        },
+        {
+          "contentnewsType": "paragraph",
+          "content": "For more information on the features, bugs, etc., noted above, and additional compatibility considerations, please see the following on GitHub once they are available:"
+        },
+        {
+          "contentnewsType": "paragraph",
+          "content": "<ul><li><a href='https://github.com/CVEProject/cve-schema/releases/tag/v5.2.0' target='_blank'>CVE Record Format Version 5.2.0 Release Notes</a></li><li><a href='https://github.com/CVEProject/cve-services/releases/tag/v2.6.0' target='_blank'>CVE Services 2.6.0 Release Notes</a></li></ul>"
+        },
+        {
+          "contentnewsType": "paragraph",
+          "content": "<i>Please use the <a target='_blank' href='https://medium.com/@cve_program'>CVE Blog on Medium</a>, or use the <a target='_blank' href='https://cveform.mitre.org/'>CVE Request Web forms</a> and select “Other” from the dropdown menu, to provide feedback about this article."
+        }
+      ]
+    },
     {
       "id": 590,
       "newsType": "news",
diff --git a/src/views/CVERecord/CveRecordUserGuide.vue b/src/views/CVERecord/CveRecordUserGuide.vue
@@ -101,6 +101,28 @@
               </router-link>.”
             </p>
           </div>
+          <div id="cve-kev" class="content">
+            <h2 class="title">PURL</h2>
+            <p>
+              <a href="https://github.com/package-url/purl-spec" target="_blank">Package URL (PURL)</a>
+              attempts to standardize existing approaches to reliably identifying and locating software packages.
+              PURLs use a URL string used to identify and locate a software package in a mostly universal and uniform way
+              across programming languages, package managers, packaging conventions, tools, APIs and databases. PURL provides
+              CNAs with another optional software identifier to include when documenting products affected by vulnerabilities
+              within CVE Records. Being able to quickly correlate vulnerability information with relevant software identification
+              helps accelerate vulnerability management.
+              Learn more about
+              <span class="icon-text">
+                <a href="https://github.com/CVEProject/cve-schema/releases/tag/v5.2.0" target="_blank">PURL in the CVE Record Format
+                  <span class="icon cve-icon-xxs">
+                    <p id="programSupport" class="is-hidden">external site</p>
+                    <font-awesome-icon icon="external-link-alt" aria-labelledby="programSupport">
+                    </font-awesome-icon>
+                  </span>
+                </a>.
+              </span>
+            </p>
+          </div>
           <div id="cve-kev" class="content">
             <h2 class="title">KEV</h2>
             <p>
diff --git a/src/views/ResourcesSupport/AllResources/CveServices.vue b/src/views/ResourcesSupport/AllResources/CveServices.vue
@@ -47,12 +47,12 @@
               <h3 class="title" :id="pagePath['Overview']['items']['Current Status'].anchorId">Current Status</h3>
               <ul>
                 <li>
-                  <a href="https://github.com/CVEProject/cve-schema/blob/master/README.md" target="_blank">CVE Record Format 5.1.1</a>
-                  (view <a href="https://github.com/CVEProject/cve-schema/releases/tag/v5.1.1" target="_blank">release notes</a>)
+                  <a href="https://github.com/CVEProject/cve-schema/blob/master/README.md" target="_blank">CVE Record Format 5.2.0</a>
+                  (view <a href="https://github.com/CVEProject/cve-schema/releases/tag/v5.2.0" target="_blank">release notes</a>)
                 </li>
                 <li>
-                  <a href="https://github.com/CVEProject/cve-services/releases/tag/v2.5.4" target="_blank">CVE Services 2.5.4</a>
-                  (view <a href="https://github.com/CVEProject/cve-services/releases/tag/v2.5.4" target="_blank">release notes</a>)
+                  <a href="https://github.com/CVEProject/cve-services/releases/tag/v2.6.0" target="_blank">CVE Services 2.6.0</a>
+                  (view <a href="https://github.com/CVEProject/cve-services/releases/tag/v2.6.0" target="_blank">release notes</a>)
                 </li>
               </ul>
             <h4 class="title">Known Issues</h4>
