Add a formal semver 2.0.0 version type #371

Open
wants to merge 29 commits into base: feature-PR371-semver2.0

29 commits
c50a136
Add a formal semver 2.0.0 version type
darakian Dec 9, 2024
bec099b
Add an example for discussion
darakian Jan 22, 2025
20f9b39
Add some text for the parameters and remove markdown horizontal break
darakian Jan 22, 2025
e637776
Expand example to show inclusive/exclusive bounds and single version …
darakian Jan 30, 2025
fffd0cd
Add explainer
darakian Jan 30, 2025
16680d2
Add examples of single sided ranges. ex < 1.0.0 or >= 9.0.0 to allow …
darakian Feb 19, 2025
208980b
Add status back as a parameter after sync chat in QWG meeting on 2025…
darakian Feb 20, 2025
0ce6601
Stub new properties
darakian Mar 5, 2025
62db169
Add pattern regex
darakian Mar 5, 2025
34af2ae
and trim newline
darakian Mar 5, 2025
046dadd
Add an attempt at json schema options for semver 2.0.0
darakian Mar 6, 2025
484ca76
Add valid forms of semver-2.0.0 usage
darakian Mar 12, 2025
3527158
trim extra comma
darakian Mar 12, 2025
b037e53
Switch from anyOf to oneOf
darakian Mar 12, 2025
226158a
Update build.js to reference current schema location
darakian Mar 12, 2025
e264318
Add missing comma
darakian Mar 12, 2025
ddf4895
Double slash seems to be the correct approach
darakian Mar 13, 2025
7b77630
Fix typo to allow stand alone inclusive lower bound
darakian Mar 13, 2025
bf48730
Add validation of schemas to the workflow
darakian Mar 14, 2025
e333f53
Prefer test over validate for symmetry with invalid test to come
darakian Mar 14, 2025
992e9c3
Be strict about versionType value
darakian Mar 14, 2025
9226d60
Add invalid test for missing versionType
darakian Mar 14, 2025
3f33ceb
Break tests out for easier long term management
darakian Mar 14, 2025
eb4fd2f
Add test case for mixing exactly with a range
darakian Mar 14, 2025
36a22ee
Add test case for duplicate upper bounds
darakian Mar 14, 2025
fd0d7e1
Add test case for duplicate lower bounds
darakian Mar 14, 2025
745cc6f
Add semver tests to the workflow
darakian Mar 14, 2025
a0ff77b
Remove test
darakian Mar 14, 2025
9f839d6
Removing this test for now. Unclear why it fails
darakian Mar 14, 2025
4 changes: 4 additions & 0 deletions .github/workflows/validate-schema.yml
Expand Up @@ -36,3 +36,7 @@ jobs:
ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled.json" -d "${CVE_SCHEMA_DIR}/docs/full-record-advanced-example.json"
ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json" -d "${CVE_SCHEMA_DIR}/docs/cnaContainer-advanced-example.json"
ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json" -d "${CVE_SCHEMA_DIR}/docs/cnaContainer-basic-example.json"
# Run semver 2.0.0 tests
ajv test -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled.json" -d "${CVE_SCHEMA_DIR}/support/tests/valid/valid-semver-2-0-0/*.json" --valid
ajv test -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled.json" -d "${CVE_SCHEMA_DIR}/support/tests/invalid/invalid-semver-2-0-0/*.json" --invalid
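Review bot: the two new `ajv test` steps validate the fixtures against `docs/CVE_Record_Format_bundled.json`, but this PR changes `schema/CVE_Record_Format.json`; unless the bundled file is regenerated earlier in the job, the semver fixtures are checked against a bundle that does not yet contain the `semver-2.0.0` branches, and the `--valid` / `--invalid` expectations prove nothing about the new constraints. Add (or confirm) a bundling step that runs before these lines, so a stale bundle cannot make the tests pass by accident.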

58 changes: 58 additions & 0 deletions schema/CVE_Record_Format.json
Expand Up @@ -303,6 +303,36 @@
},
{
"required": ["version", "status", "versionType", "lessThanOrEqual"]
},
{
"required": ["status", "versionType"],
"maxProperties": 3,
"properties": {"versionType": { "const": "semver-2.0.0" }},
"oneOf": [
{"required": ["exactly"]},
{"required": ["inclusiveLowerBound"]},
{"required": ["exclusiveLowerBound"]},
{"required": ["inclusiveUpperBound"]},
{"required": ["exclusiveUpperBound"]},
],
},
{
"required": ["status", "versionType", "inclusiveLowerBound"],
"maxProperties": 4,
"properties": {"versionType": { "const": "semver-2.0.0" }},
"oneOf": [
{"required": ["inclusiveUpperBound"]},
{"required": ["exclusiveUpperBound"]}
]
},
{
"required": ["status", "versionType", "exclusiveLowerBound"],
"maxProperties": 4,
"properties": {"versionType": { "const": "semver-2.0.0" }},
"oneOf": [
{"required": ["inclusiveUpperBound"]},
{"required": ["exclusiveUpperBound"]}
]
}
],
"properties": {
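Review bot: the first new branch is not valid JSON as written: the trailing comma after `{"required": ["exclusiveUpperBound"]},` before `],` and the one after `],` before `},` will be rejected by a strict parser, so the bundled schema cannot be built from this file until both are removed (the two following branches are terminated correctly). Also worth a second look: `"maxProperties": 3` and `"maxProperties": 4` are what reject mixed or duplicated bounds, but a property count equally rejects any other optional property a version object may carry, so a `semver-2.0.0` entry can never be combined with anything beyond `status`, `versionType` and its bounds. If that is intended, say so in the description; otherwise express the exclusion explicitly, for example with `"not": {"required": [...]}` on the conflicting bound names, which also gives ajv a readable error instead of a property-count failure.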
Expand Down Expand Up @@ -357,6 +387,34 @@
}
}
}
},
"exactly": {
"type": "string",
"description": "A single semver 2.0.0 version to mark",
"pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$"
},
"inclusiveLowerBound": {
"type": "string",
"description": "A valid semver 2.0.0 value used as a lower bound. Explicitly also affected.",
"pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$"

},
"exclusiveLowerBound": {
"type": "string",
"description": "A valid semver 2.0.0 value used as a lower bound. Explicitly not affected.",
"pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$"

},
"inclusiveUpperBound": {
"type": "string",
"description": "A valid semver 2.0.0 value used as an upper bound. Explicitly also affected.",
"pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$"

},
"exclusiveUpperBound": {
"type": "string",
"description": "A valid semver 2.0.0 value used as an upper bound. Explicitly not affected.",
"pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$"
}
},
"additionalProperties": false
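Review bot: the same semver 2.0.0 regular expression is pasted five times (`exactly`, `inclusiveLowerBound`, `exclusiveLowerBound`, `inclusiveUpperBound`, `exclusiveUpperBound`); move it to a single definition and `$ref` it from each property so a future correction to the pattern lands in one place. The descriptions "Explicitly also affected." and "Explicitly not affected." on the bound properties are misleading: whether the bound value is affected depends on `status`, which the docs example in this PR also sets to `unaffected` and `unknown`, so describe the bounds as "the bound value itself is included in the range" / "excluded from the range". The stray blank lines before the closing `}` of three of the new properties should go too.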
72 changes: 72 additions & 0 deletions schema/docs/versions.md
Expand Up @@ -288,6 +288,78 @@ Now that we know how to encode version objects, that would be written as:
}
]

### Version Types

#### Semantic versioning 2.0.0

Type identifier: `semver-2.0.0`
Formally specified here at https://semver.org/spec/v2.0.0.html
`semver-2.0.0` is new type introduced to formally specify usage of semantic versioning.

`semver-2.0.0` in its simplest form is a dot separated triple. eg `1.2.3`. The three parts have names with the first being the `MAJOR`, the second being `MINOR` and the third `PATCH`. The [Semantic](https://en.wikipedia.org/wiki/Semantics) meaning of each is described as
1. MAJOR version when you make incompatible API changes
2. MINOR version when you add functionality in a backward compatible manner
3. PATCH version when you make backward compatible bug fixes
This triple can be extended with either a `-` or a `+` or with both for `pre-release` and `build` identifiers.
The triple can only be populated with non-negative integers and must not contain leading zeros.
Ordering of the triple is determined by the first difference when comparing each of these identifiers from left to right as follows: Major, minor, and patch versions are always compared numerically.
Full ordering for pre-releases and builds are described in the semver document [here](https://semver.org/spec/v2.0.0.html#spec-item-11).
While the triple can only contain numeric values the `pre-release` and `build` are free to be alpha numeric.
A complete definition of this version type can be viewed here
https://semver.org/spec/v2.0.0.html#backusnaur-form-grammar-for-valid-semver-versions

In the interest of simplicity the `semver-2.0.0` version type has two parameters which define a continuous range. `lowerBound` and `upperBound` each must be a valid semver triple with optional pre-release/build extensions.

##### Example

```
"affected": [
{
"vendor": "Example.org",
"product": "Example Enterprise",
"versions": [
{
"versionType": "semver-2.0.0",
"status": "affected",
"inclusiveLowerBound": "1.2.3-alpha",
"exclusiveUpperBound": "2.3.4+build17"
}
{
"versionType": "semver-2.0.0",
"status": "unaffected",
"exclusiveLowerBound": "3.4.5-beta",
"inclusiveUpperBound": "4.5.6+assembly88"
}
{
"versionType": "semver-2.0.0",
"status": "affected",
"exactly": "5.6.7-gamma",
}
{
"versionType": "semver-2.0.0",
"status": "affected",
"exactly": "6.7.8-delta",
}
{
"versionType": "semver-2.0.0",
"status": "affected",
"exclusiveUpperBound": "1.0.0",
}
{
"versionType": "semver-2.0.0",
"status": "unknown",
"inclusiveLowerBound": "9.0.0",
}
],
}
],
```

#### Explainer

A `semver-2.0.0` version is expressed as either a range or as a single exact version. Chaining multiple `semver-2.0.0` versions can be done to express more complex ranges. A `semver-2.0.0` range must begin with a lower bound which is followed by an upper bound. Each bound may be either inclusive or exclusive. These terms map as `exclusiveUpperBound` to `<`, `inclusiveUpperBound` to `<=`, `exclusiveLowerBound` to `>`, `inclusiveLowerBound` to `>=` and `exactly` to `=`. Thus the first example above could be rewritten as `>= 1.2.3-alpha, < 2.3.4+build17`.


## Version Status Changes

As presented in the previous section,
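Review bot: the paragraph beginning "In the interest of simplicity" says the type has two parameters, `lowerBound` and `upperBound`, which do not exist in the schema added by this PR; the actual parameters are `exactly`, `inclusiveLowerBound`, `exclusiveLowerBound`, `inclusiveUpperBound` and `exclusiveUpperBound`, so rewrite that paragraph to list those. The Explainer's sentence "A `semver-2.0.0` range must begin with a lower bound which is followed by an upper bound" contradicts the single-sided entries in the example above it (`"exclusiveUpperBound": "1.0.0"` alone and `"inclusiveLowerBound": "9.0.0"` alone) and the schema's single-bound branch; say instead that a range carries at least one bound and at most one of each side. The example block itself does not parse: the six version objects are not separated by commas, and the objects using `exactly` have a trailing comma after their last property; readers copy these blocks, so it is worth making it valid JSON. Smaller wording points: "is new type" should read "is a new type", and "alpha numeric" is "alphanumeric".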
2 changes: 1 addition & 1 deletion schema/support/Node_Validator/build.js
Expand Up @@ -3,7 +3,7 @@ const path = require("path")
const Ajv = require('ajv').default;
const standaloneCode = require("ajv/dist/standalone").default
const addFormats = require('ajv-formats').default;
const schema = require("../../docs/CVE_JSON_bundled.json")
const schema = require("../../docs/CVE_Record_Format_bundled.json")

function reduceSchema(o) {
for(prop in o) {
@@ -0,0 +1,53 @@
{
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"cveMetadata": {
"cveId": "CVE-1900-1234",
"assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6"
},
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-78 OS Command Injection"
}
]
}
],
"affected": [
{
"vendor": "Example.org",
"product": "Example Enterprise",
"versions": [
{
"versionType": "semver-2.0.0",
"status": "affected",
"exclusiveLowerBound": "1.2.3",
"inclusiveUpperBound": "1.2.4",
"exclusiveUpperBound": "1.2.4"
}
],
"defaultStatus": "unaffected"
}
],
"descriptions": [
{
"lang": "en",
"value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9."
}
],
"references": [
{
"url": "https://example.org/ESA-22-11-CVE-1900-1234"
}
]
}
}
}
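Review bot: this invalid fixture (a lower bound plus both an inclusive and an exclusive upper bound) is rejected only because the object has five properties and every `semver-2.0.0` branch caps `maxProperties` at 4, not because two upper bounds are recognised as contradictory, so the ajv error says nothing about the duplicate. Separately, the `descriptions` text copied into every fixture talks about "1.0 versions before 1.0.6" and "2.1 versions from 2.16", which bears no relation to the `1.2.3` / `1.2.4` bounds under test; not a validation problem, but confusing for anyone reading the fixture later.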
@@ -0,0 +1,50 @@
{
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"cveMetadata": {
"cveId": "CVE-1900-1234",
"assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6"
},
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-78 OS Command Injection"
}
]
}
],
"affected": [
{
"vendor": "Example.org",
"product": "Example Enterprise",
"versions": [
{
"status": "affected",
"exactly": "1.2.3"
}
],
"defaultStatus": "unaffected"
}
],
"descriptions": [
{
"lang": "en",
"value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9."
}
],
"references": [
{
"url": "https://example.org/ESA-22-11-CVE-1900-1234"
}
]
}
}
}
@@ -0,0 +1,52 @@
{
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"cveMetadata": {
"cveId": "CVE-1900-1234",
"assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6"
},
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-78 OS Command Injection"
}
]
}
],
"affected": [
{
"vendor": "Example.org",
"product": "Example Enterprise",
"versions": [
{
"versionType": "semver-2.0.0",
"status": "affected",
"inclusiveLowerBound": "1.2.3",
"exactly": "1.2.4"
}
],
"defaultStatus": "unaffected"
}
],
"descriptions": [
{
"lang": "en",
"value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9."
}
],
"references": [
{
"url": "https://example.org/ESA-22-11-CVE-1900-1234"
}
]
}
}
}
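Review bot: this fixture has four properties, so it passes the `maxProperties` limit of the `inclusiveLowerBound` branch and is rejected only because that branch's `oneOf` demands an upper bound; if a later change relaxes that requirement to allow open-ended ranges in the same branch, this fixture would silently start validating and the "exactly mixed with a range" case would no longer be covered. An explicit `"not": {"required": ["exactly"]}` in the range branches would make the rejection independent of the bound rules.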
@@ -0,0 +1,51 @@
{
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"cveMetadata": {
"cveId": "CVE-1900-1234",
"assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6"
},
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-78 OS Command Injection"
}
]
}
],
"affected": [
{
"vendor": "Example.org",
"product": "Example Enterprise",
"versions": [
{
"versionType": "semver-8.0.8",
"status": "affected",
"exactly": "1.2.3"
}
],
"defaultStatus": "unaffected"
}
],
"descriptions": [
{
"lang": "en",
"value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9."
}
],
"references": [
{
"url": "https://example.org/ESA-22-11-CVE-1900-1234"
}
]
}
}
}
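Review bot: the unknown identifier `semver-8.0.8` is rejected by the `"const": "semver-2.0.0"` in the new branches and by the missing `version` in the pre-existing ones, so the fixture works as a negative test; since JSON fixtures cannot carry comments, make sure the file name states that the expected failure is the type identifier rather than anything about `exactly`, otherwise the next person to touch these tests has to reverse-engineer the intent from the schema.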