diff --git a/.github/workflows/validate-schema.yml b/.github/workflows/validate-schema.yml index 6545dee93b1..5d969c9bab5 100644 --- a/.github/workflows/validate-schema.yml +++ b/.github/workflows/validate-schema.yml @@ -36,3 +36,7 @@ jobs: ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled.json" -d "${CVE_SCHEMA_DIR}/docs/full-record-advanced-example.json" ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json" -d "${CVE_SCHEMA_DIR}/docs/cnaContainer-advanced-example.json" ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json" -d "${CVE_SCHEMA_DIR}/docs/cnaContainer-basic-example.json" + # Run semver 2.0.0 tests + ajv test -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled.json" -d "${CVE_SCHEMA_DIR}/support/tests/valid/valid-semver-2-0-0/*.json" --valid + ajv test -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled.json" -d "${CVE_SCHEMA_DIR}/support/tests/invalid/invalid-semver-2-0-0/*.json" --invalid + diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json index aaf5f5adb7c..27fc199d66a 100644 --- a/schema/CVE_Record_Format.json +++ b/schema/CVE_Record_Format.json 
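Review bot: Both new `ajv test` steps validate against `docs/CVE_Record_Format_bundled.json`, but this commit edits `schema/CVE_Record_Format.json` and the visible diff does not regenerate the bundled file. Unless an earlier step of the job (outside this hunk) rebuilds the bundle, the `--invalid` run passes for the wrong reason: the old schema rejects the new properties through `additionalProperties: false`, so the semver rules are never exercised. `--invalid` only asserts that a document fails, not why, so each invalid fixture should differ from a valid one in exactly one respect. I would add a comment above the step such as `# requires docs/CVE_Record_Format_bundled.json rebuilt from schema/CVE_Record_Format.json`, or run the bundler in the job before these lines.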
@@ -303,6 +303,36 @@ }, { "required": ["version", "status", "versionType", "lessThanOrEqual"] + }, + { + "required": ["status", "versionType"], + "maxProperties": 3, + "properties": {"versionType": { "const": "semver-2.0.0" }}, + "oneOf": [ + {"required": ["exactly"]}, + {"required": ["inclusiveLowerBound"]}, + {"required": ["exclusiveLowerBound"]}, + {"required": ["inclusiveUpperBound"]}, + {"required": ["exclusiveUpperBound"]}, + ], + }, + { + "required": ["status", "versionType", "inclusiveLowerBound"], + "maxProperties": 4, + "properties": {"versionType": { "const": "semver-2.0.0" }}, + "oneOf": [ + {"required": ["inclusiveUpperBound"]}, + {"required": ["exclusiveUpperBound"]} + ] + }, + { + "required": ["status", "versionType", "exclusiveLowerBound"], + "maxProperties": 4, + "properties": {"versionType": { "const": "semver-2.0.0" }}, + "oneOf": [ + {"required": ["inclusiveUpperBound"]}, + {"required": ["exclusiveUpperBound"]} + ] } ], "properties": { 
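Review bot: The first added branch is not strict JSON: there is a trailing comma after `{"required": ["exclusiveUpperBound"]},` inside `oneOf`, and another after the closing `],` before `}`. A strict parser will reject the whole schema file, so the last entry should read `{"required": ["exclusiveUpperBound"]}` and the array should close with `]`. Separately, the legacy branch visible in context (`["version", "status", "versionType", "lessThanOrEqual"]`) carries no `maxProperties` or `versionType` restriction. An entry combining `version` with `exactly` or a bound field, or `semver-2.0.0` with `lessThanOrEqual`, therefore appears to validate through the old branches. The enclosing list starts outside this hunk, so confirm against the full list and add an invalid fixture for that mix.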
@@ -357,6 +387,34 @@ } } } + }, + "exactly": { + "type": "string", + "description": "A single semver 2.0.0 version to mark", + "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" + }, + "inclusiveLowerBound": { + "type": "string", + "description": "A valid semver 2.0.0 value used as a lower bound. Explicitly also affected.", + "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" + + }, + "exclusiveLowerBound": { + "type": "string", + "description": "A valid semver 2.0.0 value used as a lower bound. Explicitly not affected.", + "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" + + }, + "inclusiveUpperBound": { + "type": "string", + "description": "A valid semver 2.0.0 value used as an upper bound. Explicitly also affected.", + "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" + + }, + "exclusiveUpperBound": { + "type": "string", + "description": "A valid semver 2.0.0 value used as an upper bound. Explicitly not affected.", + "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" } }, "additionalProperties": false diff --git a/schema/docs/versions.md b/schema/docs/versions.md index e87a6a26a17..0dd9d38da90 100644 --- a/schema/docs/versions.md +++ b/schema/docs/versions.md 
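Review bot: The pattern on the four bound properties accepts build metadata (for example `2.3.4+build17`), but SemVer 2.0.0 ignores build metadata when determining precedence. A bound with `+build` marks the same boundary as the bare version, and consumers that compare the strings differently will disagree on whether a release is affected. Either drop the trailing `(?:\\+...)?` group from the bound patterns (keeping it for `exactly` if intended), or state in each `description` that build metadata is ignored for comparison. The same long pattern literal is repeated five times; a shared definition referenced with `$ref` would keep the copies from drifting. The schema also cannot check that the lower bound precedes the upper bound, so the descriptions should say that consumers must check this.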
@@ -288,6 +288,78 @@ Now that we know how to encode version objects, that would be written as: } ] +### Version Types + +#### Semantic versioning 2.0.0 + +Type identifier: `semver-2.0.0` +Formally specified here at https://semver.org/spec/v2.0.0.html +`semver-2.0.0` is new type introduced to formally specify usage of semantic versioning. + +`semver-2.0.0` in its simplest form is a dot separated triple. eg `1.2.3`. The three parts have names with the first being the `MAJOR`, the second being `MINOR` and the third `PATCH`. The [Semantic](https://en.wikipedia.org/wiki/Semantics) meaning of each is described as +1. MAJOR version when you make incompatible API changes +2. MINOR version when you add functionality in a backward compatible manner +3. PATCH version when you make backward compatible bug fixes +This triple can be extended with either a `-` or a `+` or with both for `pre-release` and `build` identifiers. +The triple can only be populated with non-negative integers and must not contain leading zeros. +Ordering of the triple is determined by the first difference when comparing each of these identifiers from left to right as follows: Major, minor, and patch versions are always compared numerically. +Full ordering for pre-releases and builds are described in the semver document [here](https://semver.org/spec/v2.0.0.html#spec-item-11). +While the triple can only contain numeric values the `pre-release` and `build` are free to be alpha numeric. +A complete definition of this version type can be viewed here +https://semver.org/spec/v2.0.0.html#backusnaur-form-grammar-for-valid-semver-versions + +In the interest of simplicity the `semver-2.0.0` version type has two parameters which define a continuous range. `lowerBound` and `upperBound` each must be a valid semver triple with optional pre-release/build extensions. 
+ +##### Example + +``` +"affected": [ + { + "vendor": "Example.org", + "product": "Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "inclusiveLowerBound": "1.2.3-alpha", + "exclusiveUpperBound": "2.3.4+build17" + } + { + "versionType": "semver-2.0.0", + "status": "unaffected", + "exclusiveLowerBound": "3.4.5-beta", + "inclusiveUpperBound": "4.5.6+assembly88" + } + { + "versionType": "semver-2.0.0", + "status": "affected", + "exactly": "5.6.7-gamma", + } + { + "versionType": "semver-2.0.0", + "status": "affected", + "exactly": "6.7.8-delta", + } + { + "versionType": "semver-2.0.0", + "status": "affected", + "exclusiveUpperBound": "1.0.0", + } + { + "versionType": "semver-2.0.0", + "status": "unknown", + "inclusiveLowerBound": "9.0.0", + } + ], + } + ], +``` + +#### Explainer + +A `semver-2.0.0` version is expressed as either a range or as a single exact version. Chaining multiple `semver-2.0.0` versions can be done to express more complex ranges. A `semver-2.0.0` range must begin with a lower bound which is followed by an upper bound. Each bound may be either inclusive or exclusive. These terms map as `exclusiveUpperBound` to `<`, `inclusiveUpperBound` to `<=`, `exclusiveLowerBound` to `>`, `inclusiveLowerBound` to `>=` and `exactly` to `=`. Thus the first example above could be rewritten as `>= 1.2.3-alpha, < 2.3.4+build17`. + + ## Version Status Changes As presented in the previous section, diff --git a/schema/support/Node_Validator/build.js b/schema/support/Node_Validator/build.js index 09ab39b0cd4..2284c3d187f 100644 --- a/schema/support/Node_Validator/build.js +++ b/schema/support/Node_Validator/build.js 
@@ -3,7 +3,7 @@ const path = require("path") const Ajv = require('ajv').default; const standaloneCode = require("ajv/dist/standalone").default const addFormats = require('ajv-formats').default; -const schema = require("../../docs/CVE_JSON_bundled.json") +const schema = require("../../docs/CVE_Record_Format_bundled.json") function reduceSchema(o) { for(prop in o) { diff --git a/schema/support/tests/invalid/invalid-semver-2-0-0/dupe-upper-bounds.json b/schema/support/tests/invalid/invalid-semver-2-0-0/dupe-upper-bounds.json new file mode 100644 index 00000000000..91306232642 --- /dev/null +++ b/schema/support/tests/invalid/invalid-semver-2-0-0/dupe-upper-bounds.json @@ -0,0 +1,53 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-1900-1234", + "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "state": "PUBLISHED" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" + }, + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-78 OS Command Injection" + } + ] + } + ], + "affected": [ + { + "vendor": "Example.org", + "product": "Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "exclusiveLowerBound": "1.2.3", + "inclusiveUpperBound": "1.2.4", + "exclusiveUpperBound": "1.2.4" + } + ], + "defaultStatus": "unaffected" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1900-1234" + } + ] + } + } +} \ No newline at end of file 
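Review bot: None of the invalid fixtures (this one, `missing-versionType.json`, `mixed-versions.json`, `wrong-versionType.json`) contains a malformed version string, so the `pattern` added to the five new properties is never tested. Add invalid fixtures whose only defect is the value, for example `"exactly": "1.2"` and `"exactly": "01.2.3"` (constructed samples), plus one that combines the legacy `version` field with a bound property. The valid fixtures likewise use only plain `X.Y.Z` values; one with a pre-release and a build suffix would cover the optional groups of the pattern.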
diff --git a/schema/support/tests/invalid/invalid-semver-2-0-0/missing-versionType.json b/schema/support/tests/invalid/invalid-semver-2-0-0/missing-versionType.json new file mode 100644 index 00000000000..563aa583f15 --- /dev/null +++ b/schema/support/tests/invalid/invalid-semver-2-0-0/missing-versionType.json @@ -0,0 +1,50 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-1900-1234", + "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "state": "PUBLISHED" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" + }, + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-78 OS Command Injection" + } + ] + } + ], + "affected": [ + { + "vendor": "Example.org", + "product": "Example Enterprise", + "versions": [ + { + "status": "affected", + "exactly": "1.2.3" + } + ], + "defaultStatus": "unaffected" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1900-1234" + } + ] + } + } +} \ No newline at end of file diff --git a/schema/support/tests/invalid/invalid-semver-2-0-0/mixed-versions.json b/schema/support/tests/invalid/invalid-semver-2-0-0/mixed-versions.json new file mode 100644 index 00000000000..6c9db266dd1 --- /dev/null +++ b/schema/support/tests/invalid/invalid-semver-2-0-0/mixed-versions.json 
@@ -0,0 +1,52 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-1900-1234", + "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "state": "PUBLISHED" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" + }, + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-78 OS Command Injection" + } + ] + } + ], + "affected": [ + { + "vendor": "Example.org", + "product": "Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "inclusiveLowerBound": "1.2.3", + "exactly": "1.2.4" + } + ], + "defaultStatus": "unaffected" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1900-1234" + } + ] + } + } +} \ No newline at end of file diff --git a/schema/support/tests/invalid/invalid-semver-2-0-0/wrong-versionType.json b/schema/support/tests/invalid/invalid-semver-2-0-0/wrong-versionType.json new file mode 100644 index 00000000000..52ed16c2a61 --- /dev/null +++ b/schema/support/tests/invalid/invalid-semver-2-0-0/wrong-versionType.json 
@@ -0,0 +1,51 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-1900-1234", + "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "state": "PUBLISHED" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" + }, + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-78 OS Command Injection" + } + ] + } + ], + "affected": [ + { + "vendor": "Example.org", + "product": "Example Enterprise", + "versions": [ + { + "versionType": "semver-8.0.8", + "status": "affected", + "exactly": "1.2.3" + } + ], + "defaultStatus": "unaffected" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1900-1234" + } + ] + } + } +} \ No newline at end of file diff --git a/schema/support/tests/valid/valid-semver-2-0-0/exactly-one.json b/schema/support/tests/valid/valid-semver-2-0-0/exactly-one.json new file mode 100644 index 00000000000..11e9da27faf --- /dev/null +++ b/schema/support/tests/valid/valid-semver-2-0-0/exactly-one.json 
@@ -0,0 +1,51 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-1900-1234", + "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "state": "PUBLISHED" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" + }, + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-78 OS Command Injection" + } + ] + } + ], + "affected": [ + { + "vendor": "Example.org", + "product": "Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "exactly": "1.2.3" + } + ], + "defaultStatus": "unaffected" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1900-1234" + } + ] + } + } +} \ No newline at end of file diff --git a/schema/support/tests/valid/valid-semver-2-0-0/exclusiveRange.json b/schema/support/tests/valid/valid-semver-2-0-0/exclusiveRange.json new file mode 100644 index 00000000000..997db73a90b --- /dev/null +++ b/schema/support/tests/valid/valid-semver-2-0-0/exclusiveRange.json 
@@ -0,0 +1,52 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-1900-1234", + "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "state": "PUBLISHED" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" + }, + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-78 OS Command Injection" + } + ] + } + ], + "affected": [ + { + "vendor": "Example8.org", + "product": "Another Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "exclusiveLowerBound": "1.2.3", + "exclusiveUpperBound": "2.3.4" + } + ], + "defaultStatus": "unaffected" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1900-1234" + } + ] + } + } +} \ No newline at end of file diff --git a/schema/support/tests/valid/valid-semver-2-0-0/inclusiveRange.json b/schema/support/tests/valid/valid-semver-2-0-0/inclusiveRange.json new file mode 100644 index 00000000000..d9be70ff698 --- /dev/null +++ b/schema/support/tests/valid/valid-semver-2-0-0/inclusiveRange.json 
@@ -0,0 +1,52 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-1900-1234", + "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "state": "PUBLISHED" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" + }, + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-78 OS Command Injection" + } + ] + } + ], + "affected": [ + { + "vendor": "Example5.org", + "product": "Another Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "inclusiveLowerBound": "1.2.3", + "inclusiveUpperBound": "2.3.4" + } + ], + "defaultStatus": "unaffected" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1900-1234" + } + ] + } + } +} \ No newline at end of file diff --git a/schema/support/tests/valid/valid-semver-2-0-0/mixedRange1.json b/schema/support/tests/valid/valid-semver-2-0-0/mixedRange1.json new file mode 100644 index 00000000000..f189b7fde54 --- /dev/null +++ b/schema/support/tests/valid/valid-semver-2-0-0/mixedRange1.json 
@@ -0,0 +1,52 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-1900-1234", + "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "state": "PUBLISHED" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" + }, + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-78 OS Command Injection" + } + ] + } + ], + "affected": [ + { + "vendor": "Example6.org", + "product": "Another Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "inclusiveLowerBound": "1.2.3", + "exclusiveUpperBound": "2.3.4" + } + ], + "defaultStatus": "unaffected" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1900-1234" + } + ] + } + } +} \ No newline at end of file diff --git a/schema/support/tests/valid/valid-semver-2-0-0/mixedRange2.json b/schema/support/tests/valid/valid-semver-2-0-0/mixedRange2.json new file mode 100644 index 00000000000..5377e06132e --- /dev/null +++ b/schema/support/tests/valid/valid-semver-2-0-0/mixedRange2.json 
@@ -0,0 +1,52 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-1900-1234", + "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "state": "PUBLISHED" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" + }, + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-78 OS Command Injection" + } + ] + } + ], + "affected": [ + { + "vendor": "Example7.org", + "product": "Another Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "exclusiveLowerBound": "1.2.3", + "inclusiveUpperBound": "2.3.4" + } + ], + "defaultStatus": "unaffected" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1900-1234" + } + ] + } + } +} \ No newline at end of file diff --git a/schema/support/tests/valid/valid-semver-2-0-0/only-exclusiveLowerBound.json b/schema/support/tests/valid/valid-semver-2-0-0/only-exclusiveLowerBound.json new file mode 100644 index 00000000000..42fa4c80e38 --- /dev/null +++ b/schema/support/tests/valid/valid-semver-2-0-0/only-exclusiveLowerBound.json 
@@ -0,0 +1,51 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-1900-1234", + "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "state": "PUBLISHED" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" + }, + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-78 OS Command Injection" + } + ] + } + ], + "affected": [ + { + "vendor": "Example2.org", + "product": "Another Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "exclusiveLowerBound": "1.2.3" + } + ], + "defaultStatus": "unaffected" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1900-1234" + } + ] + } + } +} \ No newline at end of file diff --git a/schema/support/tests/valid/valid-semver-2-0-0/only-exclusiveUpperBound.json b/schema/support/tests/valid/valid-semver-2-0-0/only-exclusiveUpperBound.json new file mode 100644 index 00000000000..426fe633b4e --- /dev/null +++ b/schema/support/tests/valid/valid-semver-2-0-0/only-exclusiveUpperBound.json 
@@ -0,0 +1,51 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-1900-1234", + "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "state": "PUBLISHED" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" + }, + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-78 OS Command Injection" + } + ] + } + ], + "affected": [ + { + "vendor": "Example4.org", + "product": "Another Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "exclusiveUpperBound": "1.2.3" + } + ], + "defaultStatus": "unaffected" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1900-1234" + } + ] + } + } +} \ No newline at end of file diff --git a/schema/support/tests/valid/valid-semver-2-0-0/only-inclusiveLowerBound.json b/schema/support/tests/valid/valid-semver-2-0-0/only-inclusiveLowerBound.json new file mode 100644 index 00000000000..845d445cace --- /dev/null +++ b/schema/support/tests/valid/valid-semver-2-0-0/only-inclusiveLowerBound.json 
@@ -0,0 +1,51 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-1900-1234", + "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "state": "PUBLISHED" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" + }, + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-78 OS Command Injection" + } + ] + } + ], + "affected": [ + { + "vendor": "Example3.org", + "product": "Another Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "inclusiveLowerBound": "1.2.3" + } + ], + "defaultStatus": "unaffected" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1900-1234" + } + ] + } + } +} \ No newline at end of file diff --git a/schema/support/tests/valid/valid-semver-2-0-0/only-inclusiveUpperBound.json b/schema/support/tests/valid/valid-semver-2-0-0/only-inclusiveUpperBound.json new file mode 100644 index 00000000000..ce9064e5d0a --- /dev/null +++ b/schema/support/tests/valid/valid-semver-2-0-0/only-inclusiveUpperBound.json 
@@ -0,0 +1,51 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-1900-1234", + "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "state": "PUBLISHED" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" + }, + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-78 OS Command Injection" + } + ] + } + ], + "affected": [ + { + "vendor": "Example4.org", + "product": "Another Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "inclusiveUpperBound": "1.2.3" + } + ], + "defaultStatus": "unaffected" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1900-1234" + } + ] + } + } +} \ No newline at end of file