From c50a13683dc2d76e233610edb1f1b322bf636796 Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Mon, 9 Dec 2024 13:33:06 -0800 Subject: [PATCH 01/29] Add a formal semver 2.0.0 version type First crack at adding a formal version type in response to https://github.com/CVEProject/cve-schema/issues/362#issuecomment-2529000807 Any others which are agreed upon should be spun up in their own PRs so that conversations in the PRs can be kept on topic Happy to expand this if people think the full semver spec should be in this repo as well. I went back and forth on that. --- schema/docs/versions.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/schema/docs/versions.md b/schema/docs/versions.md index e87a6a26a17..e0b31f51a54 100644 --- a/schema/docs/versions.md +++ b/schema/docs/versions.md 
@@ -288,6 +288,27 @@ Now that we know how to encode version objects, that would be written as: } ] +### Version Types + +#### Semantic versioning 2.0.0 +Type identifier: `semver-2.0.0` +Formally specified here at https://semver.org/spec/v2.0.0.html +`semver-2.0.0` is new type introduced to formally specify usage of semantic versioning. +--- +`semver-2.0.0` in its simplest form is a dot separated triple. eg `1.2.3`. The three parts have names with the first being the `MAJOR`, the second being `MINOR` and the third `PATCH`. The [Semantic](https://en.wikipedia.org/wiki/Semantics) meaning of each is described as +1. MAJOR version when you make incompatible API changes +2. MINOR version when you add functionality in a backward compatible manner +3. PATCH version when you make backward compatible bug fixes +This triple can be extended with either a `-` or a `+` or with both for `pre-release` and `build` identifiers. +The triple can only be populated with non-negative integers and must not contain leading zeros. +Ordering of the triple is determined by the first difference when comparing each of these identifiers from left to right as follows: Major, minor, and patch versions are always compared numerically. +Full ordering for pre-releases and builds are described in the semver document [here](https://semver.org/spec/v2.0.0.html#spec-item-11). +While the triple can only contain numeric values the `pre-release` and `build` are free to be alpha numeric. +A complete definition of this version type can be viewed here +https://semver.org/spec/v2.0.0.html#backusnaur-form-grammar-for-valid-semver-versions + + + ## Version Status Changes As presented in the previous section, From bec099b4925e97bd81b3d91fc8377833ac743ce7 Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Wed, 22 Jan 2025 13:23:22 -0800 Subject: [PATCH 02/29] Add an example for discussion --- schema/docs/versions.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) 
diff --git a/schema/docs/versions.md b/schema/docs/versions.md index e0b31f51a54..376542d0ef6 100644 --- a/schema/docs/versions.md +++ b/schema/docs/versions.md @@ -291,6 +291,7 @@ Now that we know how to encode version objects, that would be written as: ### Version Types #### Semantic versioning 2.0.0 + Type identifier: `semver-2.0.0` Formally specified here at https://semver.org/spec/v2.0.0.html `semver-2.0.0` is new type introduced to formally specify usage of semantic versioning. @@ -307,6 +308,23 @@ While the triple can only contain numeric values the `pre-release` and `build` a A complete definition of this version type can be viewed here https://semver.org/spec/v2.0.0.html#backusnaur-form-grammar-for-valid-semver-versions +##### Example + +``` +"affected": [ + { + "vendor": "Example.org", + "product": "Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "lowerBound": "1.2.3-alpha", + "upperBound": "2.3.4+build17" + } + ], + } + ], +``` ## Version Status Changes From 20f9b39bea8a9c8eb4f63a39e9cb0ac1170ca378 Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Wed, 22 Jan 2025 13:30:14 -0800 Subject: [PATCH 03/29] Add some text for the parameters and remove markdown horizontal break --- schema/docs/versions.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/schema/docs/versions.md b/schema/docs/versions.md index 376542d0ef6..e43a3559f3e 100644 --- a/schema/docs/versions.md +++ b/schema/docs/versions.md 
@@ -295,7 +295,7 @@ Now that we know how to encode version objects, that would be written as: Type identifier: `semver-2.0.0` Formally specified here at https://semver.org/spec/v2.0.0.html `semver-2.0.0` is new type introduced to formally specify usage of semantic versioning. ---- + `semver-2.0.0` in its simplest form is a dot separated triple. eg `1.2.3`. The three parts have names with the first being the `MAJOR`, the second being `MINOR` and the third `PATCH`. The [Semantic](https://en.wikipedia.org/wiki/Semantics) meaning of each is described as 1. MAJOR version when you make incompatible API changes 2. MINOR version when you add functionality in a backward compatible manner @@ -308,6 +308,8 @@ While the triple can only contain numeric values the `pre-release` and `build` a A complete definition of this version type can be viewed here https://semver.org/spec/v2.0.0.html#backusnaur-form-grammar-for-valid-semver-versions +In the interest of simplicity the `semver-2.0.0` version type has two parameters which define a continuous range. `lowerBound` and `upperBound` each must be a valid semver triple with optional pre-release/build extensions. + ##### Example ``` From e637776f78c5fca15314e54e032fbf21b55626f8 Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Thu, 30 Jan 2025 10:11:51 -0800 Subject: [PATCH 04/29] Expand example to show inclusive/exclusive bounds and single version `exactly` --- schema/docs/versions.md | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/schema/docs/versions.md b/schema/docs/versions.md index e43a3559f3e..4d336101132 100644 --- a/schema/docs/versions.md +++ b/schema/docs/versions.md 
@@ -320,8 +320,21 @@ In the interest of simplicity the `semver-2.0.0` version type has two parameters "versions": [ { "versionType": "semver-2.0.0", - "lowerBound": "1.2.3-alpha", - "upperBound": "2.3.4+build17" + "inclusiveLowerBound": "1.2.3-alpha", + "exclusiveUpperBound": "2.3.4+build17" + } + { + "versionType": "semver-2.0.0", + "exclusiveLowerBound": "3.4.5-beta", + "inclusiveUpperBound": "4.5.6+assembly88" + } + { + "versionType": "semver-2.0.0", + "exactly": "5.6.7-gamma", + } + { + "versionType": "semver-2.0.0", + "exactly": "6.7.8-delta", } ], } From fffd0cdc586d26f918a9d94c3b4ec2bd95a2359e Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Thu, 30 Jan 2025 15:50:56 -0800 Subject: [PATCH 05/29] Add explainer --- schema/docs/versions.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/schema/docs/versions.md b/schema/docs/versions.md index 4d336101132..027b185f0c5 100644 --- a/schema/docs/versions.md +++ b/schema/docs/versions.md @@ -341,6 +341,10 @@ In the interest of simplicity the `semver-2.0.0` version type has two parameters ], ``` +#### Explainer + +A `semver-2.0.0` version is expressed as either a range or as a single exact version. Chaining multiple `semver-2.0.0` versions can be done to express more complex ranges. A `semver-2.0.0` range must begin with a lower bound which is followed by an upper bound. Each bound may be either inclusive or exclusive. These terms map as `exclusiveUpperBound` to `<`, `inclusiveUpperBound` to `<=`, `exclusiveLowerBound` to `>`, `inclusiveLowerBound` to `>=` and `exactly` to `=`. Thus the first example above could be rewritten as `>= 1.2.3-alpha, < 2.3.4+build17`. + ## Version Status Changes From 16680d277522c03da4105a4720598c0bb78be821 Mon Sep 17 00:00:00 2001 
From: Jon Moroney Date: Wed, 19 Feb 2025 12:59:33 -0800 Subject: [PATCH 06/29] Add examples of single sided ranges. ex < 1.0.0 or >= 9.0.0 to allow for the expressions of "everything under X" or "everything over Y" --- schema/docs/versions.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/schema/docs/versions.md b/schema/docs/versions.md index 027b185f0c5..eade1b04224 100644 --- a/schema/docs/versions.md +++ b/schema/docs/versions.md @@ -336,6 +336,14 @@ In the interest of simplicity the `semver-2.0.0` version type has two parameters "versionType": "semver-2.0.0", "exactly": "6.7.8-delta", } + { + "versionType": "semver-2.0.0", + "exclusiveUpperBound": "1.0.0", + } + { + "versionType": "semver-2.0.0", + "inclusiveLowerBound": "9.0.0", + } ], } ], From 208980b38d7dd33fcaa23fa8df5d9ac3e19730ff Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Thu, 20 Feb 2025 14:35:58 -0800 Subject: [PATCH 07/29] Add status back as a parameter after sync chat in QWG meeting on 2025-02-20. The status conversation will happen another day --- schema/docs/versions.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/schema/docs/versions.md b/schema/docs/versions.md index eade1b04224..0dd9d38da90 100644 --- a/schema/docs/versions.md +++ b/schema/docs/versions.md 
@@ -320,28 +320,34 @@ In the interest of simplicity the `semver-2.0.0` version type has two parameters "versions": [ { "versionType": "semver-2.0.0", + "status": "affected", "inclusiveLowerBound": "1.2.3-alpha", "exclusiveUpperBound": "2.3.4+build17" } { "versionType": "semver-2.0.0", + "status": "unaffected", "exclusiveLowerBound": "3.4.5-beta", "inclusiveUpperBound": "4.5.6+assembly88" } { "versionType": "semver-2.0.0", + "status": "affected", "exactly": "5.6.7-gamma", } { "versionType": "semver-2.0.0", + "status": "affected", "exactly": "6.7.8-delta", } { "versionType": "semver-2.0.0", + "status": "affected", "exclusiveUpperBound": "1.0.0", } { "versionType": "semver-2.0.0", + "status": "unknown", "inclusiveLowerBound": "9.0.0", } ], From 0ce66016774aee34b9dc418bbfd0e2f5f19ff837 Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Tue, 4 Mar 2025 17:19:46 -0800 Subject: [PATCH 08/29] Stub new properties --- schema/CVE_Record_Format.json | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json index aaf5f5adb7c..e35974d5501 100644 --- a/schema/CVE_Record_Format.json +++ b/schema/CVE_Record_Format.json @@ -357,6 +357,21 @@ } } } + }, + "exactly": { + "description": "A single semver 2.0.0 version to mark", + }, + "inclusiveLowerBound": { + "description": "A valid semver 2.0.0 value used as a lower bound. Explicitly also affected." + }, + "exclusiveLowerBound": { + "description": "A valid semver 2.0.0 value used as a lower bound. Explicitly not affected." + }, + "inclusiveUpperBound": { + "description": "A valid semver 2.0.0 value used as an upper bound. Explicitly also affected." + }, + "exclusiveUpperBound": { + "description": "A valid semver 2.0.0 value used as an upper bound. Explicitly not affected." } }, "additionalProperties": false From 62db1699e85fcdb35ae3ac4061fb00d771da5848 Mon Sep 17 00:00:00 2001 
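Review bot: The new `description` strings hard-code an `affected` outcome ("Explicitly also affected." / "Explicitly not affected."), but these keys are paired with whatever `status` the entry carries, and the markdown example earlier in this series uses the same bounds with `unaffected` and `unknown`, so the text is wrong for two of the three statuses. Say what inclusive/exclusive actually means instead, e.g. `"description": "A valid semver 2.0.0 value used as a lower bound; the bound version itself is inside the range and takes this entry's status."` for the inclusive keys and "...is outside the range" for the exclusive ones. `"A single semver 2.0.0 version to mark"` for `exactly` is similarly vague; `"A single semver 2.0.0 version to which this entry's status applies"` says it. The enclosing `properties` object starts outside the hunk.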
From: Jon Moroney Date: Tue, 4 Mar 2025 17:23:07 -0800 Subject: [PATCH 09/29] Add pattern regex --- schema/CVE_Record_Format.json | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json index e35974d5501..831a17b3b62 100644 --- a/schema/CVE_Record_Format.json +++ b/schema/CVE_Record_Format.json 
@@ -360,18 +360,27 @@ }, "exactly": { "description": "A single semver 2.0.0 version to mark", + "pattern": "^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$" }, "inclusiveLowerBound": { - "description": "A valid semver 2.0.0 value used as a lower bound. Explicitly also affected." + "description": "A valid semver 2.0.0 value used as a lower bound. Explicitly also affected.", + "pattern": "^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$" + }, "exclusiveLowerBound": { - "description": "A valid semver 2.0.0 value used as a lower bound. Explicitly not affected." + "description": "A valid semver 2.0.0 value used as a lower bound. Explicitly not affected.", + "pattern": "^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$" + }, "inclusiveUpperBound": { - "description": "A valid semver 2.0.0 value used as an upper bound. Explicitly also affected." + "description": "A valid semver 2.0.0 value used as an upper bound. Explicitly also affected.", + "pattern": "^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$" + }, "exclusiveUpperBound": { - "description": "A valid semver 2.0.0 value used as an upper bound. Explicitly not affected." + "description": "A valid semver 2.0.0 value used as an upper bound. Explicitly not affected.", + "pattern": "^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$" + } }, "additionalProperties": false 
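Review bot: The four bound patterns accept build metadata (`(?:\+([0-9a-zA-Z-]+...))?`), yet semver 2.0.0 §10 says build metadata MUST be ignored when determining precedence, so `"exclusiveUpperBound": "2.3.4+build17"` (the value used in the docs example) denotes exactly `< 2.3.4` and a consumer cannot treat `2.3.4` and `2.3.4+build17` differently. Either drop the trailing build-metadata group from the bound patterns so authors cannot encode a distinction that does not exist, or state in each bound's `description` that a `+build` suffix is accepted but has no effect on range membership. The same caveat applies to `exactly`, where `"exactly": "1.2.3+b1"` matches `1.2.3` as far as precedence is concerned. The `pattern` keyword can only check syntax; nothing here (or in JSON Schema generally) checks that a lower bound precedes its upper bound, which consumers of the record still have to do.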
From 34af2ae1e813a041ad37ac22d66e77db143bc2b2 Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Tue, 4 Mar 2025 17:23:28 -0800 Subject: [PATCH 10/29] and trim newline --- schema/CVE_Record_Format.json | 1 - 1 file changed, 1 deletion(-) diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json index 831a17b3b62..bc025081ee3 100644 --- a/schema/CVE_Record_Format.json +++ b/schema/CVE_Record_Format.json @@ -380,7 +380,6 @@ "exclusiveUpperBound": { "description": "A valid semver 2.0.0 value used as an upper bound. Explicitly not affected.", "pattern": "^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$" - } }, "additionalProperties": false From 046daddf67692e4ca0bcc7c7fe98dfd0e47abbe3 Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Thu, 6 Mar 2025 11:23:40 -0800 Subject: [PATCH 11/29] Add an attempt at json schema options for semver 2.0.0 If this is valid then still need to ensure version type is set to semver-2.0.0 for these combinations --- schema/CVE_Record_Format.json | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json index bc025081ee3..47e539c0252 100644 --- a/schema/CVE_Record_Format.json +++ b/schema/CVE_Record_Format.json 
@@ -303,6 +303,30 @@
 },
 {
 "required": ["version", "status", "versionType", "lessThanOrEqual"]
+ },
+ {
+ "required": ["status", "versionType"],
+ "anyOf": [
+ {"required": ["exactly"]},
+ {"required": ["inclusiveUpperBound"]},
+ {"required": ["exclusiveLowerBound"]},
+ {"required": ["inclusiveUpperBound"]},
+ {"required": ["exclusiveUpperBound"]}
+ ]
+ },
+ {
+ "required": ["status", "versionType", "inclusiveLowerBound"],
+ "anyOf": [
+ {"required": ["inclusiveUpperBound"]},
+ {"required": ["exclusiveUpperBound"]}
+ ]
+ }
+ {
+ "required": ["status", "versionType", "exclusiveLowerBound"],
+ "anyOf": [
+ {"required": ["inclusiveUpperBound"]},
+ {"required": ["exclusiveUpperBound"]}
+ ]
 }
 ],
 "properties": {
From 484ca7678e03f7d0fc5482f03c42e44b6cd30596 Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Wed, 12 Mar 2025 12:33:12 -0700 Subject: [PATCH 12/29] Add valid forms of semver-2.0.0 usage
--- schema/support/tests/valid/semver2-0-0.json | 151 ++++++++++++++++++++ 1 file changed, 151 insertions(+) create mode 100644 schema/support/tests/valid/semver2-0-0.json
diff --git a/schema/support/tests/valid/semver2-0-0.json b/schema/support/tests/valid/semver2-0-0.json new file mode 100644
index 00000000000..9c98ac92d92
--- /dev/null
+++ b/schema/support/tests/valid/semver2-0-0.json
@@ -0,0 +1,151 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-1900-1234", + "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "state": "PUBLISHED" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" + }, + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-78 OS Command Injection" + } + ] + } + ], + "affected": [ + { + "vendor": "Example.org", + "product": "Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "exactly": "1.2.3" + } + ], + "defaultStatus": "unaffected" + }, + { + "vendor": "Example2.org", + "product": "Another Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "exclusiveLowerBound": "1.2.3" + } + ], + "defaultStatus": "unaffected" + }, + { + "vendor": "Example3.org", + "product": "Another Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "inclusiveLowerBound": "1.2.3" + } + ], + "defaultStatus": "unaffected" + }, + { + "vendor": "Example4.org", + "product": "Another Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "inclusiveUpperBound": "1.2.3" + } + ], + "defaultStatus": "unaffected" + }, + { + "vendor": "Example4.org", + "product": "Another Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "exclusiveUpperBound": "1.2.3" + } + ], + "defaultStatus": "unaffected" + }, + { + "vendor": "Example5.org", + "product": "Another Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "inclusiveLowerBound": "1.2.3", + "inclusiveUpperBound": "2.3.4" + } + ], + "defaultStatus": "unaffected" + }, + { + "vendor": "Example6.org", + "product": "Another Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": 
"affected", + "inclusiveLowerBound": "1.2.3", + "exclusiveUpperBound": "2.3.4" + } + ], + "defaultStatus": "unaffected" + }, + { + "vendor": "Example7.org", + "product": "Another Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "exclusiveLowerBound": "1.2.3", + "inclusiveUpperBound": "2.3.4" + } + ], + "defaultStatus": "unaffected" + }, + { + "vendor": "Example8.org", + "product": "Another Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "exclusiveLowerBound": "1.2.3", + "exclusiveUpperBound": "2.3.4" + } + ], + "defaultStatus": "unaffected" + }, + ], + "descriptions": [ + { + "lang": "en", + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1900-1234" + } + ] + } + } +} \ No newline at end of file From 35271580132a7eee413d72ca21309440f8cb2a9b Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Wed, 12 Mar 2025 12:46:45 -0700 Subject: [PATCH 13/29] trim extra comma --- schema/support/tests/valid/semver2-0-0.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schema/support/tests/valid/semver2-0-0.json b/schema/support/tests/valid/semver2-0-0.json index 9c98ac92d92..a5580a0108a 100644 --- a/schema/support/tests/valid/semver2-0-0.json +++ b/schema/support/tests/valid/semver2-0-0.json @@ -133,7 +133,7 @@ } ], "defaultStatus": "unaffected" - }, + } ], "descriptions": [ { From b037e53cb12aa7eab227d6783a93e5070cbf8f3e Mon Sep 17 00:00:00 2001 
From: Jon Moroney Date: Wed, 12 Mar 2025 13:19:51 -0700 Subject: [PATCH 14/29] Switch from anyOf to oneOf
--- schema/CVE_Record_Format.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json
index 47e539c0252..88319b6b1c2 100644
--- a/schema/CVE_Record_Format.json
+++ b/schema/CVE_Record_Format.json
@@ -306,7 +306,7 @@
 },
 {
 "required": ["status", "versionType"],
- "anyOf": [
+ "oneOf": [
 {"required": ["exactly"]},
 {"required": ["inclusiveUpperBound"]},
 {"required": ["exclusiveLowerBound"]},
@@ -316,14 +316,14 @@
 },
 {
 "required": ["status", "versionType", "inclusiveLowerBound"],
- "anyOf": [
+ "oneOf": [
 {"required": ["inclusiveUpperBound"]},
 {"required": ["exclusiveUpperBound"]}
 ]
 }
 {
 "required": ["status", "versionType", "exclusiveLowerBound"],
- "anyOf": [
+ "oneOf": [
 {"required": ["inclusiveUpperBound"]},
 {"required": ["exclusiveUpperBound"]}
 ]
From 226158afb5174b6a4f89125c60789a55a08a2eee Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Wed, 12 Mar 2025 13:38:57 -0700 Subject: [PATCH 15/29] Update build.js to reference current schema location
--- schema/support/Node_Validator/build.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/schema/support/Node_Validator/build.js b/schema/support/Node_Validator/build.js
index 09ab39b0cd4..2284c3d187f 100644
--- a/schema/support/Node_Validator/build.js
+++ b/schema/support/Node_Validator/build.js
@@ -3,7 +3,7 @@ const path = require("path")
 const Ajv = require('ajv').default;
 const standaloneCode = require("ajv/dist/standalone").default
 const addFormats = require('ajv-formats').default;
-const schema = require("../../docs/CVE_JSON_bundled.json")
+const schema = require("../../docs/CVE_Record_Format_bundled.json")
 function reduceSchema(o) {
 for(prop in o) {
From e2643185eac418fada252bfb9f46aea19f507c1b Mon Sep 17 00:00:00 2001
From: Jon Moroney Date: Wed, 12 Mar 2025 15:00:16 -0700 Subject: [PATCH 16/29] Add missing comma
--- schema/CVE_Record_Format.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json
index 88319b6b1c2..2f54b7eea47 100644
--- a/schema/CVE_Record_Format.json
+++ b/schema/CVE_Record_Format.json
@@ -320,7 +320,7 @@
 {"required": ["inclusiveUpperBound"]},
 {"required": ["exclusiveUpperBound"]}
 ]
- }
+ },
 {
 "required": ["status", "versionType", "exclusiveLowerBound"],
 "oneOf": [
From ddf4895d98f254aecdf96b3cc44f2470aef3be18 Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Thu, 13 Mar 2025 11:05:08 -0700 Subject: [PATCH 17/29] Double slash seems to be the correct approach
--- schema/CVE_Record_Format.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json
index 2f54b7eea47..41ba8d2db32 100644
--- a/schema/CVE_Record_Format.json
+++ b/schema/CVE_Record_Format.json
@@ -384,26 +384,26 @@ }, "exactly": { "description": "A single semver 2.0.0 version to mark", - "pattern": "^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$" + "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" }, "inclusiveLowerBound": { "description": "A valid semver 2.0.0 value used as a lower bound. Explicitly also affected.", - "pattern": "^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$" + "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" }, "exclusiveLowerBound": { "description": "A valid semver 2.0.0 value used as a lower bound. Explicitly not affected.", - "pattern": "^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$" + "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" }, "inclusiveUpperBound": { "description": "A valid semver 2.0.0 value used as an upper bound. 
Explicitly also affected.", - "pattern": "^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$" + "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" }, "exclusiveUpperBound": { "description": "A valid semver 2.0.0 value used as an upper bound. Explicitly not affected.", - "pattern": "^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$" + "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" } }, "additionalProperties": false From 7b77630754e4955f811e6cfa443fee9b123c9d15 Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Thu, 13 Mar 2025 11:22:17 -0700 Subject: [PATCH 18/29] Fix typo to allow stand alone inclusive lower bound --- schema/CVE_Record_Format.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json index 41ba8d2db32..0f0241359ff 100644 --- a/schema/CVE_Record_Format.json +++ b/schema/CVE_Record_Format.json @@ -308,7 +308,7 @@ "required": ["status", "versionType"], "oneOf": [ {"required": ["exactly"]}, - {"required": ["inclusiveUpperBound"]}, + {"required": ["inclusiveLowerBound"]}, {"required": ["exclusiveLowerBound"]}, {"required": ["inclusiveUpperBound"]}, {"required": ["exclusiveUpperBound"]} From bf48730b38f2b4792e685131353cd085660686c4 Mon Sep 17 00:00:00 2001 
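Review bot: The corrected patterns still use `\\d`, which is ASCII-only under the ECMA-262 dialect JSON Schema specifies but matches any Unicode decimal digit in validators built on other engines (Python's `re` on `str` patterns, for instance, unless `re.ASCII` is set), so the same record can be accepted by one validator and rejected by another. The semver grammar the docs link is written with `[0-9]`; using it here removes the differential: `"pattern": "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)..."` with the remaining `\\d` occurrences in the pre-release group replaced the same way. The five identical regexes are also five places to keep in sync; a single shared definition referenced from each key would make the next fix a one-line change.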
From: Jon Moroney Date: Fri, 14 Mar 2025 12:21:44 -0700 Subject: [PATCH 19/29] Add validation of schemas to the workflow
--- .github/workflows/validate-schema.yml | 1 + 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/validate-schema.yml b/.github/workflows/validate-schema.yml
index 6545dee93b1..d68d8f69251 100644
--- a/.github/workflows/validate-schema.yml
+++ b/.github/workflows/validate-schema.yml
@@ -36,3 +36,4 @@ jobs:
 ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled.json" -d "${CVE_SCHEMA_DIR}/docs/full-record-advanced-example.json"
 ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json" -d "${CVE_SCHEMA_DIR}/docs/cnaContainer-advanced-example.json"
 ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json" -d "${CVE_SCHEMA_DIR}/docs/cnaContainer-basic-example.json"
+ ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled.json" -d "${CVE_SCHEMA_DIR}/support/tests/valid/*.json"
From e333f536041c279ebed62c8347a819744616cceb Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Fri, 14 Mar 2025 12:31:00 -0700 Subject: [PATCH 20/29] Prefer test over validate for symmetry with invalid test to come
--- .github/workflows/validate-schema.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/validate-schema.yml b/.github/workflows/validate-schema.yml
index d68d8f69251..a2f075d24a0 100644
--- a/.github/workflows/validate-schema.yml
+++ b/.github/workflows/validate-schema.yml
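Review bot: The added step validates the fixtures against `docs/CVE_Record_Format_bundled.json`, a generated artifact, while every schema change in this series edits `schema/CVE_Record_Format.json` and no patch so far touches the bundle. Unless an earlier step of this job (outside the hunk) regenerates the bundle from the source schema, the fixtures are being checked against the previous schema, whose `additionalProperties: false` rejects `exactly` and the bound keys outright; if the bundle is instead committed by hand, the step silently tests whatever was last bundled rather than the schema under review. Run the bundler before this step, or add a freshness check such as `git diff --exit-code -- "${CVE_SCHEMA_DIR}/docs/"` after regenerating it, so a stale bundle fails the build. The job's earlier steps begin outside the hunk.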
@@ -36,4 +36,5 @@ jobs:
 ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled.json" -d "${CVE_SCHEMA_DIR}/docs/full-record-advanced-example.json"
 ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json" -d "${CVE_SCHEMA_DIR}/docs/cnaContainer-advanced-example.json"
 ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json" -d "${CVE_SCHEMA_DIR}/docs/cnaContainer-basic-example.json"
- ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled.json" -d "${CVE_SCHEMA_DIR}/support/tests/valid/*.json"
+ ajv test -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled.json" -d "${CVE_SCHEMA_DIR}/support/tests/valid/*.json" --valid
+
From 992e9c334dd63c29a51c3619cbeb9bcdfc526a28 Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Fri, 14 Mar 2025 12:38:58 -0700 Subject: [PATCH 21/29] Be strict about versionType value
--- schema/CVE_Record_Format.json | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json
index 0f0241359ff..f088cacfbd6 100644
--- a/schema/CVE_Record_Format.json
+++ b/schema/CVE_Record_Format.json
@@ -306,6 +306,7 @@
 },
 {
 "required": ["status", "versionType"],
+ "properties": {"versionType": { "const": "semver-2.0.0" }},
 "oneOf": [
 {"required": ["exactly"]},
 {"required": ["inclusiveLowerBound"]},
@@ -316,6 +317,7 @@
 },
 {
 "required": ["status", "versionType", "inclusiveLowerBound"],
+ "properties": {"versionType": { "const": "semver-2.0.0" }},
 "oneOf": [
 {"required": ["inclusiveUpperBound"]},
 {"required": ["exclusiveUpperBound"]}
@@ -323,6 +325,7 @@
 },
 {
 "required": ["status", "versionType", "exclusiveLowerBound"],
+ "properties": {"versionType": { "const": "semver-2.0.0" }},
 "oneOf": [
 {"required": ["inclusiveUpperBound"]},
 {"required": ["exclusiveUpperBound"]}
From 9226d60fe254d6dfabbf37a660efc6738e9e8570 Mon Sep 17 00:00:00 2001
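Review bot: The `const` pins `versionType` only inside the three new branches; the pre-existing `required: ["version", "status", ...]` branches of the same combinator (visible as context earlier in the series, not in this hunk) still accept `"versionType": "semver-2.0.0"` together with `version`/`lessThan`/`lessThanOrEqual`, so a record can claim the new type while using the legacy range keys and the new grammar is never applied to it. If the intent is that `semver-2.0.0` is only expressible through `exactly` and the bound keys, the legacy branches need the complementary constraint, `"properties": {"versionType": {"not": {"const": "semver-2.0.0"}}}`, and an invalid fixture pairing `"versionType": "semver-2.0.0"` with `"version"` should lock that in. If mixing is meant to be allowed, say so in the docs, since consumers will otherwise assume the bound keys are present whenever they see this type.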
From: Jon Moroney Date: Fri, 14 Mar 2025 12:40:28 -0700 Subject: [PATCH 22/29] Add invalid test for missing versionType --- .../tests/invalid/invalid-semver2-0-0.json | 50 +++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 schema/support/tests/invalid/invalid-semver2-0-0.json diff --git a/schema/support/tests/invalid/invalid-semver2-0-0.json b/schema/support/tests/invalid/invalid-semver2-0-0.json new file mode 100644 index 00000000000..563aa583f15 --- /dev/null +++ b/schema/support/tests/invalid/invalid-semver2-0-0.json @@ -0,0 +1,50 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-1900-1234", + "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "state": "PUBLISHED" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" + }, + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-78 OS Command Injection" + } + ] + } + ], + "affected": [ + { + "vendor": "Example.org", + "product": "Example Enterprise", + "versions": [ + { + "status": "affected", + "exactly": "1.2.3" + } + ], + "defaultStatus": "unaffected" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1900-1234" + } + ] + } + } +} \ No newline at end of file From 3f33cebc01d48815331685de3eb31991e856b98b Mon Sep 17 00:00:00 2001 
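Review bot: This fixture is not run by anything: the workflow step added two patches earlier only passes `support/tests/valid/*.json` with `--valid`, and this commit adds no `--invalid` counterpart, so a regression that makes the schema accept a bound-only entry without `versionType` would not fail CI. Add the matching step, `ajv test -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled.json" -d "${CVE_SCHEMA_DIR}/support/tests/invalid/*.json" --invalid`, in the same patch that introduces the first invalid fixture. The fixture itself is well formed for its purpose, since it differs from the valid `exactly` case only by the missing `versionType`, which keeps the rejection attributable to that one omission. The file also lacks a trailing newline, as the `\ No newline at end of file` marker shows.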
From: Jon Moroney Date: Fri, 14 Mar 2025 12:49:23 -0700 Subject: [PATCH 23/29] Break tests out for easier long term managment This should make the tests easier to refactor/read/debug over time Add types and max property limits --- schema/CVE_Record_Format.json | 12 +- .../invalid-semver-2-0-0/dupe-bounds.json | 52 ++++++ .../missing-versionType.json} | 0 .../wrong-versionType.json | 51 ++++++ schema/support/tests/valid/semver2-0-0.json | 151 ------------------ .../valid/valid-semver-2-0-0/exactly-one.json | 51 ++++++ .../valid-semver-2-0-0/exclusiveRange.json | 52 ++++++ .../valid-semver-2-0-0/inclusiveRange.json | 52 ++++++ .../valid/valid-semver-2-0-0/mixedRange1.json | 52 ++++++ .../valid/valid-semver-2-0-0/mixedRange2.json | 52 ++++++ .../only-exclusiveLowerBound.json | 51 ++++++ .../only-exclusiveUpperBound.json | 51 ++++++ .../only-inclusiveLowerBound.json | 51 ++++++ .../only-inclusiveUpperBound.json | 51 ++++++ 14 files changed, 576 insertions(+), 153 deletions(-) create mode 100644 schema/support/tests/invalid/invalid-semver-2-0-0/dupe-bounds.json rename schema/support/tests/invalid/{invalid-semver2-0-0.json => invalid-semver-2-0-0/missing-versionType.json} (100%) create mode 100644 schema/support/tests/invalid/invalid-semver-2-0-0/wrong-versionType.json delete mode 100644 schema/support/tests/valid/semver2-0-0.json create mode 100644 schema/support/tests/valid/valid-semver-2-0-0/exactly-one.json create mode 100644 schema/support/tests/valid/valid-semver-2-0-0/exclusiveRange.json create mode 100644 schema/support/tests/valid/valid-semver-2-0-0/inclusiveRange.json create mode 100644 schema/support/tests/valid/valid-semver-2-0-0/mixedRange1.json create mode 100644 schema/support/tests/valid/valid-semver-2-0-0/mixedRange2.json create mode 100644 schema/support/tests/valid/valid-semver-2-0-0/only-exclusiveLowerBound.json create mode 100644 schema/support/tests/valid/valid-semver-2-0-0/only-exclusiveUpperBound.json create mode 100644 
schema/support/tests/valid/valid-semver-2-0-0/only-inclusiveLowerBound.json create mode 100644 schema/support/tests/valid/valid-semver-2-0-0/only-inclusiveUpperBound.json diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json index f088cacfbd6..27fc199d66a 100644 --- a/schema/CVE_Record_Format.json +++ b/schema/CVE_Record_Format.json @@ -306,17 +306,19 @@ }, { "required": ["status", "versionType"], + "maxProperties": 3, "properties": {"versionType": { "const": "semver-2.0.0" }}, "oneOf": [ {"required": ["exactly"]}, {"required": ["inclusiveLowerBound"]}, {"required": ["exclusiveLowerBound"]}, {"required": ["inclusiveUpperBound"]}, - {"required": ["exclusiveUpperBound"]} - ] + {"required": ["exclusiveUpperBound"]}, + ], }, { "required": ["status", "versionType", "inclusiveLowerBound"], + "maxProperties": 4, "properties": {"versionType": { "const": "semver-2.0.0" }}, "oneOf": [ {"required": ["inclusiveUpperBound"]}, @@ -325,6 +327,7 @@ }, { "required": ["status", "versionType", "exclusiveLowerBound"], + "maxProperties": 4, "properties": {"versionType": { "const": "semver-2.0.0" }}, "oneOf": [ {"required": ["inclusiveUpperBound"]}, 
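Review bot: The two rewritten lines in the first branch, `{"required": ["exclusiveUpperBound"]},` followed by `],`, leave a trailing comma inside the `oneOf` array and another after it inside the enclosing object; both are rejected by strict JSON parsers, so `schema/CVE_Record_Format.json` no longer parses and every step that loads it fails. Drop both commas: `{"required": ["exclusiveUpperBound"]}` and `]`. The new `maxProperties: 3` / `maxProperties: 4` limits count every key on the entry, which appears to rule out any other optional key of the version object (for example `changes`, if this object still carries it outside the hunk) alongside a semver-2.0.0 bound; if that is intended, document it, otherwise forbid the specific conflicting keys with `not`/`required` instead of a property count. The diffstat moves the fixtures into `tests/valid/valid-semver-2-0-0/` and `tests/invalid/invalid-semver-2-0-0/`, but the workflow's `support/tests/valid/*.json` glob does not recurse, so the moved valid fixtures will no longer be picked up; change it to `support/tests/valid/**/*.json` and add the `--invalid` counterpart for the new invalid directory.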
@@ -386,25 +389,30 @@
 }
 },
 "exactly": {
+ "type": "string",
 "description": "A single semver 2.0.0 version to mark",
 "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$"
 },
 "inclusiveLowerBound": {
+ "type": "string",
 "description": "A valid semver 2.0.0 value used as a lower bound. Explicitly also affected.",
 "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$"
 },
 "exclusiveLowerBound": {
+ "type": "string",
 "description": "A valid semver 2.0.0 value used as a lower bound. Explicitly not affected.",
 "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$"
 },
 "inclusiveUpperBound": {
+ "type": "string",
 "description": "A valid semver 2.0.0 value used as an upper bound. Explicitly also affected.",
 "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$"
 },
 "exclusiveUpperBound": {
+ "type": "string",
 "description": "A valid semver 2.0.0 value used as an upper bound. Explicitly not affected.",
 "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$"
 }
diff --git a/schema/support/tests/invalid/invalid-semver-2-0-0/dupe-bounds.json b/schema/support/tests/invalid/invalid-semver-2-0-0/dupe-bounds.json
new file mode 100644
index 00000000000..13ea0cb1be7
--- /dev/null
+++ b/schema/support/tests/invalid/invalid-semver-2-0-0/dupe-bounds.json
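Review bot: The semver regex is repeated verbatim on all five `pattern` lines, so any future correction to it has to be made in five places and the copies can drift; define it once in the schema's definitions (a single entry holding `"type": "string"`, the `pattern` and a `maxLength`) and `$ref` it from `exactly` and the four bound properties, keeping only the per-property `description` (if the schema is draft-07, the `$ref` has to sit inside an `allOf` or its sibling `description` is discarded). None of the five strings carries a `maxLength`; the pattern is anchored, but bounding the input keeps the validator from running the regex over arbitrarily long values and matches what the other version fields in this schema presumably already do (confirm against the existing `version` definition). The `properties` object these definitions live in starts before the hunk.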
@@ -0,0 +1,52 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-1900-1234", + "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "state": "PUBLISHED" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" + }, + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-78 OS Command Injection" + } + ] + } + ], + "affected": [ + { + "vendor": "Example.org", + "product": "Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "exclusiveLowerBound": "1.2.3", + "exclusiveLowerBound": "1.2.4" + } + ], + "defaultStatus": "unaffected" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1900-1234" + } + ] + } + } +} \ No newline at end of file diff --git a/schema/support/tests/invalid/invalid-semver2-0-0.json b/schema/support/tests/invalid/invalid-semver-2-0-0/missing-versionType.json similarity index 100% rename from schema/support/tests/invalid/invalid-semver2-0-0.json rename to schema/support/tests/invalid/invalid-semver-2-0-0/missing-versionType.json diff --git a/schema/support/tests/invalid/invalid-semver-2-0-0/wrong-versionType.json b/schema/support/tests/invalid/invalid-semver-2-0-0/wrong-versionType.json new file mode 100644 index 00000000000..52ed16c2a61 --- /dev/null +++ b/schema/support/tests/invalid/invalid-semver-2-0-0/wrong-versionType.json 
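Review bot: This fixture cannot fail validation for the reason its name implies: the version object lists `"exclusiveLowerBound"` twice, and a JSON parser keeps only one of the duplicates (JSON.parse keeps the last), so ajv validates `{"versionType": "semver-2.0.0", "status": "affected", "exclusiveLowerBound": "1.2.4"}`, which is a valid single-bound entry, and an `ajv test ... --invalid` run will report it as unexpectedly valid. JSON Schema operates on the parsed object and has no way to observe a repeated member name, so catching this needs a pre-parse check (a parser configured to reject duplicate keys) rather than a schema rule. Either drop the case or rewrite it as a conflict the schema can see, for example `"exclusiveLowerBound": "1.2.3"` together with `"inclusiveLowerBound": "1.2.3"`.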
@@ -0,0 +1,51 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-1900-1234", + "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "state": "PUBLISHED" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" + }, + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-78 OS Command Injection" + } + ] + } + ], + "affected": [ + { + "vendor": "Example.org", + "product": "Example Enterprise", + "versions": [ + { + "versionType": "semver-8.0.8", + "status": "affected", + "exactly": "1.2.3" + } + ], + "defaultStatus": "unaffected" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1900-1234" + } + ] + } + } +} \ No newline at end of file diff --git a/schema/support/tests/valid/semver2-0-0.json b/schema/support/tests/valid/semver2-0-0.json deleted file mode 100644 index a5580a0108a..00000000000 --- a/schema/support/tests/valid/semver2-0-0.json +++ /dev/null 
@@ -1,151 +0,0 @@ -{ - "dataType": "CVE_RECORD", - "dataVersion": "5.1", - "cveMetadata": { - "cveId": "CVE-1900-1234", - "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", - "state": "PUBLISHED" - }, - "containers": { - "cna": { - "providerMetadata": { - "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" - }, - "problemTypes": [ - { - "descriptions": [ - { - "lang": "en", - "description": "CWE-78 OS Command Injection" - } - ] - } - ], - "affected": [ - { - "vendor": "Example.org", - "product": "Example Enterprise", - "versions": [ - { - "versionType": "semver-2.0.0", - "status": "affected", - "exactly": "1.2.3" - } - ], - "defaultStatus": "unaffected" - }, - { - "vendor": "Example2.org", - "product": "Another Example Enterprise", - "versions": [ - { - "versionType": "semver-2.0.0", - "status": "affected", - "exclusiveLowerBound": "1.2.3" - } - ], - "defaultStatus": "unaffected" - }, - { - "vendor": "Example3.org", - "product": "Another Example Enterprise", - "versions": [ - { - "versionType": "semver-2.0.0", - "status": "affected", - "inclusiveLowerBound": "1.2.3" - } - ], - "defaultStatus": "unaffected" - }, - { - "vendor": "Example4.org", - "product": "Another Example Enterprise", - "versions": [ - { - "versionType": "semver-2.0.0", - "status": "affected", - "inclusiveUpperBound": "1.2.3" - } - ], - "defaultStatus": "unaffected" - }, - { - "vendor": "Example4.org", - "product": "Another Example Enterprise", - "versions": [ - { - "versionType": "semver-2.0.0", - "status": "affected", - "exclusiveUpperBound": "1.2.3" - } - ], - "defaultStatus": "unaffected" - }, - { - "vendor": "Example5.org", - "product": "Another Example Enterprise", - "versions": [ - { - "versionType": "semver-2.0.0", - "status": "affected", - "inclusiveLowerBound": "1.2.3", - "inclusiveUpperBound": "2.3.4" - } - ], - "defaultStatus": "unaffected" - }, - { - "vendor": "Example6.org", - "product": "Another Example Enterprise", - "versions": [ - { - "versionType": "semver-2.0.0", - "status": 
"affected", - "inclusiveLowerBound": "1.2.3", - "exclusiveUpperBound": "2.3.4" - } - ], - "defaultStatus": "unaffected" - }, - { - "vendor": "Example7.org", - "product": "Another Example Enterprise", - "versions": [ - { - "versionType": "semver-2.0.0", - "status": "affected", - "exclusiveLowerBound": "1.2.3", - "inclusiveUpperBound": "2.3.4" - } - ], - "defaultStatus": "unaffected" - }, - { - "vendor": "Example8.org", - "product": "Another Example Enterprise", - "versions": [ - { - "versionType": "semver-2.0.0", - "status": "affected", - "exclusiveLowerBound": "1.2.3", - "exclusiveUpperBound": "2.3.4" - } - ], - "defaultStatus": "unaffected" - } - ], - "descriptions": [ - { - "lang": "en", - "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." - } - ], - "references": [ - { - "url": "https://example.org/ESA-22-11-CVE-1900-1234" - } - ] - } - } -} \ No newline at end of file diff --git a/schema/support/tests/valid/valid-semver-2-0-0/exactly-one.json b/schema/support/tests/valid/valid-semver-2-0-0/exactly-one.json new file mode 100644 index 00000000000..11e9da27faf --- /dev/null +++ b/schema/support/tests/valid/valid-semver-2-0-0/exactly-one.json 
@@ -0,0 +1,51 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-1900-1234", + "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "state": "PUBLISHED" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" + }, + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-78 OS Command Injection" + } + ] + } + ], + "affected": [ + { + "vendor": "Example.org", + "product": "Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "exactly": "1.2.3" + } + ], + "defaultStatus": "unaffected" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1900-1234" + } + ] + } + } +} \ No newline at end of file diff --git a/schema/support/tests/valid/valid-semver-2-0-0/exclusiveRange.json b/schema/support/tests/valid/valid-semver-2-0-0/exclusiveRange.json new file mode 100644 index 00000000000..997db73a90b --- /dev/null +++ b/schema/support/tests/valid/valid-semver-2-0-0/exclusiveRange.json 
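Review bot: The valid fixtures in this series all use bare `MAJOR.MINOR.PATCH` values (`1.2.3`, `2.3.4`), so the pre-release and build-metadata arms of the pattern and its leading-zero rule are never exercised, and those are the parts of the regex most likely to regress. Worth adding at least one valid fixture with `"exactly": "1.2.3-rc.1+build.5"` and invalid fixtures with `"exactly": "01.2.3"` and `"exactly": "1.2"` so a broken pattern is caught here rather than by a CNA submitting a record. Minor: the description text (`1.0 versions before 1.0.6 ...`) is copied from the sample record and does not describe the `1.2.3` range under test, which may confuse a reader of the fixture.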
@@ -0,0 +1,52 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-1900-1234", + "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "state": "PUBLISHED" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" + }, + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-78 OS Command Injection" + } + ] + } + ], + "affected": [ + { + "vendor": "Example8.org", + "product": "Another Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "exclusiveLowerBound": "1.2.3", + "exclusiveUpperBound": "2.3.4" + } + ], + "defaultStatus": "unaffected" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1900-1234" + } + ] + } + } +} \ No newline at end of file diff --git a/schema/support/tests/valid/valid-semver-2-0-0/inclusiveRange.json b/schema/support/tests/valid/valid-semver-2-0-0/inclusiveRange.json new file mode 100644 index 00000000000..d9be70ff698 --- /dev/null +++ b/schema/support/tests/valid/valid-semver-2-0-0/inclusiveRange.json 
@@ -0,0 +1,52 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-1900-1234", + "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "state": "PUBLISHED" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" + }, + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-78 OS Command Injection" + } + ] + } + ], + "affected": [ + { + "vendor": "Example5.org", + "product": "Another Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "inclusiveLowerBound": "1.2.3", + "inclusiveUpperBound": "2.3.4" + } + ], + "defaultStatus": "unaffected" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1900-1234" + } + ] + } + } +} \ No newline at end of file diff --git a/schema/support/tests/valid/valid-semver-2-0-0/mixedRange1.json b/schema/support/tests/valid/valid-semver-2-0-0/mixedRange1.json new file mode 100644 index 00000000000..f189b7fde54 --- /dev/null +++ b/schema/support/tests/valid/valid-semver-2-0-0/mixedRange1.json 
@@ -0,0 +1,52 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-1900-1234", + "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "state": "PUBLISHED" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" + }, + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-78 OS Command Injection" + } + ] + } + ], + "affected": [ + { + "vendor": "Example6.org", + "product": "Another Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "inclusiveLowerBound": "1.2.3", + "exclusiveUpperBound": "2.3.4" + } + ], + "defaultStatus": "unaffected" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1900-1234" + } + ] + } + } +} \ No newline at end of file diff --git a/schema/support/tests/valid/valid-semver-2-0-0/mixedRange2.json b/schema/support/tests/valid/valid-semver-2-0-0/mixedRange2.json new file mode 100644 index 00000000000..5377e06132e --- /dev/null +++ b/schema/support/tests/valid/valid-semver-2-0-0/mixedRange2.json 
@@ -0,0 +1,52 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-1900-1234", + "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "state": "PUBLISHED" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" + }, + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-78 OS Command Injection" + } + ] + } + ], + "affected": [ + { + "vendor": "Example7.org", + "product": "Another Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "exclusiveLowerBound": "1.2.3", + "inclusiveUpperBound": "2.3.4" + } + ], + "defaultStatus": "unaffected" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1900-1234" + } + ] + } + } +} \ No newline at end of file diff --git a/schema/support/tests/valid/valid-semver-2-0-0/only-exclusiveLowerBound.json b/schema/support/tests/valid/valid-semver-2-0-0/only-exclusiveLowerBound.json new file mode 100644 index 00000000000..42fa4c80e38 --- /dev/null +++ b/schema/support/tests/valid/valid-semver-2-0-0/only-exclusiveLowerBound.json 
@@ -0,0 +1,51 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-1900-1234", + "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "state": "PUBLISHED" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" + }, + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-78 OS Command Injection" + } + ] + } + ], + "affected": [ + { + "vendor": "Example2.org", + "product": "Another Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "exclusiveLowerBound": "1.2.3" + } + ], + "defaultStatus": "unaffected" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1900-1234" + } + ] + } + } +} \ No newline at end of file diff --git a/schema/support/tests/valid/valid-semver-2-0-0/only-exclusiveUpperBound.json b/schema/support/tests/valid/valid-semver-2-0-0/only-exclusiveUpperBound.json new file mode 100644 index 00000000000..426fe633b4e --- /dev/null +++ b/schema/support/tests/valid/valid-semver-2-0-0/only-exclusiveUpperBound.json 
@@ -0,0 +1,51 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-1900-1234", + "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "state": "PUBLISHED" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" + }, + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-78 OS Command Injection" + } + ] + } + ], + "affected": [ + { + "vendor": "Example4.org", + "product": "Another Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "exclusiveUpperBound": "1.2.3" + } + ], + "defaultStatus": "unaffected" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1900-1234" + } + ] + } + } +} \ No newline at end of file diff --git a/schema/support/tests/valid/valid-semver-2-0-0/only-inclusiveLowerBound.json b/schema/support/tests/valid/valid-semver-2-0-0/only-inclusiveLowerBound.json new file mode 100644 index 00000000000..845d445cace --- /dev/null +++ b/schema/support/tests/valid/valid-semver-2-0-0/only-inclusiveLowerBound.json 
@@ -0,0 +1,51 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-1900-1234", + "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "state": "PUBLISHED" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" + }, + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-78 OS Command Injection" + } + ] + } + ], + "affected": [ + { + "vendor": "Example3.org", + "product": "Another Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "inclusiveLowerBound": "1.2.3" + } + ], + "defaultStatus": "unaffected" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1900-1234" + } + ] + } + } +} \ No newline at end of file diff --git a/schema/support/tests/valid/valid-semver-2-0-0/only-inclusiveUpperBound.json b/schema/support/tests/valid/valid-semver-2-0-0/only-inclusiveUpperBound.json new file mode 100644 index 00000000000..ce9064e5d0a --- /dev/null +++ b/schema/support/tests/valid/valid-semver-2-0-0/only-inclusiveUpperBound.json 
@@ -0,0 +1,51 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-1900-1234", + "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "state": "PUBLISHED" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" + }, + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-78 OS Command Injection" + } + ] + } + ], + "affected": [ + { + "vendor": "Example4.org", + "product": "Another Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "inclusiveUpperBound": "1.2.3" + } + ], + "defaultStatus": "unaffected" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1900-1234" + } + ] + } + } +} \ No newline at end of file From eb4fd2f7bd0bf25a90b07972dc1eb87988c09e07 Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Fri, 14 Mar 2025 14:20:23 -0700 Subject: [PATCH 24/29] Add test case for mixing exactly with a range --- .../invalid-semver-2-0-0/mixed-versions.json | 52 +++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 schema/support/tests/invalid/invalid-semver-2-0-0/mixed-versions.json diff --git a/schema/support/tests/invalid/invalid-semver-2-0-0/mixed-versions.json b/schema/support/tests/invalid/invalid-semver-2-0-0/mixed-versions.json new file mode 100644 index 00000000000..6c9db266dd1 --- /dev/null +++ b/schema/support/tests/invalid/invalid-semver-2-0-0/mixed-versions.json 
@@ -0,0 +1,52 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-1900-1234", + "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "state": "PUBLISHED" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" + }, + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-78 OS Command Injection" + } + ] + } + ], + "affected": [ + { + "vendor": "Example.org", + "product": "Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "inclusiveLowerBound": "1.2.3", + "exactly": "1.2.4" + } + ], + "defaultStatus": "unaffected" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1900-1234" + } + ] + } + } +} \ No newline at end of file From 36a22ee2629a8543e37c985f92ea531528eef05e Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Fri, 14 Mar 2025 14:22:23 -0700 Subject: [PATCH 25/29] Add test case for duplicate upper bounds --- .../dupe-upper-bounds.json | 53 +++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 schema/support/tests/invalid/invalid-semver-2-0-0/dupe-upper-bounds.json diff --git a/schema/support/tests/invalid/invalid-semver-2-0-0/dupe-upper-bounds.json b/schema/support/tests/invalid/invalid-semver-2-0-0/dupe-upper-bounds.json new file mode 100644 index 00000000000..91306232642 --- /dev/null +++ b/schema/support/tests/invalid/invalid-semver-2-0-0/dupe-upper-bounds.json 
@@ -0,0 +1,53 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-1900-1234", + "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "state": "PUBLISHED" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" + }, + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-78 OS Command Injection" + } + ] + } + ], + "affected": [ + { + "vendor": "Example.org", + "product": "Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "exclusiveLowerBound": "1.2.3", + "inclusiveUpperBound": "1.2.4", + "exclusiveUpperBound": "1.2.4" + } + ], + "defaultStatus": "unaffected" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1900-1234" + } + ] + } + } +} \ No newline at end of file From fd0d7e1ac96fc7c4c334c1f121f1cba35c167b5a Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Fri, 14 Mar 2025 14:23:29 -0700 Subject: [PATCH 26/29] Add test case for duplicate lower bounds --- .../dupe-lower-bounds.json | 53 +++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 schema/support/tests/invalid/invalid-semver-2-0-0/dupe-lower-bounds.json diff --git a/schema/support/tests/invalid/invalid-semver-2-0-0/dupe-lower-bounds.json b/schema/support/tests/invalid/invalid-semver-2-0-0/dupe-lower-bounds.json new file mode 100644 index 00000000000..30445c1b1b2 --- /dev/null +++ b/schema/support/tests/invalid/invalid-semver-2-0-0/dupe-lower-bounds.json 
@@ -0,0 +1,53 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-1900-1234", + "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "state": "PUBLISHED" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" + }, + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-78 OS Command Injection" + } + ] + } + ], + "affected": [ + { + "vendor": "Example.org", + "product": "Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "exclusiveLowerBound": "1.2.3", + "inclusiveLowerBound": "1.2.3", + "exclusiveUpperBound": "1.2.4" + } + ], + "defaultStatus": "unaffected" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1900-1234" + } + ] + } + } +} \ No newline at end of file From 745cc6fca94a01d93021c531d5d8f0992d415ea0 Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Fri, 14 Mar 2025 14:25:43 -0700 Subject: [PATCH 27/29] Add semver tests to the workflow The tests on the invalid records write out to the terminal but pass. There doesn't seem to be a quiet option in ajv --- .github/workflows/validate-schema.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/validate-schema.yml b/.github/workflows/validate-schema.yml index a2f075d24a0..5d969c9bab5 100644 --- a/.github/workflows/validate-schema.yml +++ b/.github/workflows/validate-schema.yml 
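Review bot: This fixture is removed again two patches later with no stated reason, so it is worth recording what is expected of it: the version object has five members, and every semver branch visible earlier in this series caps the object at `"maxProperties": 3` or `4`, so on that schema it should be rejected by count alone before the `oneOf` is even consulted. If CI nevertheless reports it as valid, the acceptance is coming from a branch outside the visible hunks (I cannot see the rest of the version-object definition), and that is a gap worth diagnosing rather than a reason to drop the case. If it is simply redundant with `dupe-upper-bounds.json`, say so in the commit message that deletes it.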
@@ -36,5 +36,7 @@ jobs:
 ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled.json" -d "${CVE_SCHEMA_DIR}/docs/full-record-advanced-example.json"
 ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json" -d "${CVE_SCHEMA_DIR}/docs/cnaContainer-advanced-example.json"
 ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json" -d "${CVE_SCHEMA_DIR}/docs/cnaContainer-basic-example.json"
- ajv test -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled.json" -d "${CVE_SCHEMA_DIR}/support/tests/valid/*.json" --valid
+ # Run semver 2.0.0 tests
+ ajv test -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled.json" -d "${CVE_SCHEMA_DIR}/support/tests/valid/valid-semver-2-0-0/*.json" --valid
+ ajv test -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled.json" -d "${CVE_SCHEMA_DIR}/support/tests/invalid/invalid-semver-2-0-0/*.json" --invalid
From a0ff77b849795d700450edce3e93fad72297a318 Mon Sep 17 00:00:00 2001
From: Jon Moroney
Date: Fri, 14 Mar 2025 14:29:24 -0700
Subject: [PATCH 28/29] Remove test
---
 .../dupe-lower-bounds.json | 53 -------------------
 1 file changed, 53 deletions(-)
 delete mode 100644 schema/support/tests/invalid/invalid-semver-2-0-0/dupe-lower-bounds.json
diff --git a/schema/support/tests/invalid/invalid-semver-2-0-0/dupe-lower-bounds.json b/schema/support/tests/invalid/invalid-semver-2-0-0/dupe-lower-bounds.json
deleted file mode 100644
index 30445c1b1b2..00000000000
--- a/schema/support/tests/invalid/invalid-semver-2-0-0/dupe-lower-bounds.json
+++ /dev/null
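Review bot: The removed line ran every fixture under `support/tests/valid/*.json` and the replacement only runs the `valid-semver-2-0-0/` subdirectory, so any other fixture still in `support/tests/valid/` (the diffstat shows only `semver2-0-0.json` leaving it; I cannot see the directory) silently stops being validated — keep the original line next to the two new ones, or glob `"${CVE_SCHEMA_DIR}/support/tests/valid/**/*.json"`. Both new `ajv test` lines validate against `docs/CVE_Record_Format_bundled.json` while this series edits `schema/CVE_Record_Format.json`, so unless a bundling step runs earlier in this job (outside the hunk) the semver fixtures are checked against the committed bundle rather than the schema being changed. `--invalid` also passes when a fixture is rejected for any reason at all, including an unrelated missing required field or a JSON parse error, so an invalid fixture only exercises the semver rules if it differs from a known-valid record in exactly the one offending key. On the noise noted in the commit message, ajv-cli accepts `--errors=no` (confirm with the installed version) to suppress the per-file error dump on the `--invalid` run.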
@@ -1,53 +0,0 @@ -{ - "dataType": "CVE_RECORD", - "dataVersion": "5.1", - "cveMetadata": { - "cveId": "CVE-1900-1234", - "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", - "state": "PUBLISHED" - }, - "containers": { - "cna": { - "providerMetadata": { - "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" - }, - "problemTypes": [ - { - "descriptions": [ - { - "lang": "en", - "description": "CWE-78 OS Command Injection" - } - ] - } - ], - "affected": [ - { - "vendor": "Example.org", - "product": "Example Enterprise", - "versions": [ - { - "versionType": "semver-2.0.0", - "status": "affected", - "exclusiveLowerBound": "1.2.3", - "inclusiveLowerBound": "1.2.3", - "exclusiveUpperBound": "1.2.4" - } - ], - "defaultStatus": "unaffected" - } - ], - "descriptions": [ - { - "lang": "en", - "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." - } - ], - "references": [ - { - "url": "https://example.org/ESA-22-11-CVE-1900-1234" - } - ] - } - } -} \ No newline at end of file From 9f839d60042d95c246c2ead936ecc21bdafec1da Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Fri, 14 Mar 2025 14:44:44 -0700 Subject: [PATCH 29/29] Removing this test for now. Unclear why it fails --- .../invalid-semver-2-0-0/dupe-bounds.json | 52 ------------------- 1 file changed, 52 deletions(-) delete mode 100644 schema/support/tests/invalid/invalid-semver-2-0-0/dupe-bounds.json diff --git a/schema/support/tests/invalid/invalid-semver-2-0-0/dupe-bounds.json b/schema/support/tests/invalid/invalid-semver-2-0-0/dupe-bounds.json deleted file mode 100644 index 13ea0cb1be7..00000000000 --- a/schema/support/tests/invalid/invalid-semver-2-0-0/dupe-bounds.json +++ /dev/null 
@@ -1,52 +0,0 @@ -{ - "dataType": "CVE_RECORD", - "dataVersion": "5.1", - "cveMetadata": { - "cveId": "CVE-1900-1234", - "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", - "state": "PUBLISHED" - }, - "containers": { - "cna": { - "providerMetadata": { - "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" - }, - "problemTypes": [ - { - "descriptions": [ - { - "lang": "en", - "description": "CWE-78 OS Command Injection" - } - ] - } - ], - "affected": [ - { - "vendor": "Example.org", - "product": "Example Enterprise", - "versions": [ - { - "versionType": "semver-2.0.0", - "status": "affected", - "exclusiveLowerBound": "1.2.3", - "exclusiveLowerBound": "1.2.4" - } - ], - "defaultStatus": "unaffected" - } - ], - "descriptions": [ - { - "lang": "en", - "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." - } - ], - "references": [ - { - "url": "https://example.org/ESA-22-11-CVE-1900-1234" - } - ] - } - } -} \ No newline at end of file