diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json index aaf5f5adb7c..2d1c4f84438 100644 --- a/schema/CVE_Record_Format.json +++ b/schema/CVE_Record_Format.json @@ -108,16 +108,49 @@ "description": "Provides information about the set of products and services affected by this vulnerability.", "allOf": [ { + "description": "Require one 'identifier-like' set of fields", "anyOf": [ {"required": ["vendor", "product"]}, {"required": ["collectionURL", "packageName"]} ] }, { + "description": "Require one 'applicability' field", "anyOf": [ {"required": ["versions"]}, {"required": ["defaultStatus"]} ] + }, + { + "description": "If omniborArtifactID is used, require omniborArtifactType", + "dependencies": { + "omniborArtifactID": ["omniborArtifactType"], + "omniborArtifactType": ["omniborArtifactID"] + } + }, + { + "description": "Disallow certain fields when used with a fine-grained identifier", + "not": { + "allOf": [ + { + "$comment": "The fine-grained identifier fields", + "anyOf": [ + {"required": ["omniborArtifactID"]} + ] + }, + { + "$comment": "Fields not to be used with fine-grained identifiers", + "anyOf": [ + {"required": ["cpes"]}, + {"required": ["modules"]}, + {"required": ["programFiles"]}, + {"required": ["programRoutines"]}, + {"required": ["repo"]}, + {"required": ["versions"]} + ] + } + ] + } } ], "properties": { 
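Review bot: The description on the third `allOf` entry states only one direction ("If omniborArtifactID is used, require omniborArtifactType"), but the `dependencies` object below it also makes `omniborArtifactType` require `omniborArtifactID`. A description that matches what is enforced would be `"description": "omniborArtifactID and omniborArtifactType must be used together"`. The enclosing product definition starts and ends outside this hunk.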
@@ -278,7 +311,7 @@ "$ref": "#/definitions/uriType" }, "defaultStatus": { - "description": "The default status for versions that are not otherwise listed in the versions list. If not specified, defaultStatus defaults to 'unknown'. Versions or defaultStatus may be omitted, but not both.", + "description": "The default status for versions that are not otherwise listed in the versions list. If not specified, defaultStatus defaults to 'unknown'. Versions or defaultStatus may be omitted, but not both. When used alongside a fine-grained identifier such as omniborArtifactID, where no versions field will be used, defaultStatus is the status of the artifact identified by the identifier.", "$ref": "#/definitions/status" }, "versions": { @@ -361,6 +394,21 @@ }, "additionalProperties": false } + }, + "omniborArtifactID": { + "type": "string", + "pattern": "^gitoid:blob:sha256:[0-9a-f]{64}$", + "description": "The OmniBOR Artifact ID of the artifact to be matched against.", + "examples": [ + "gitoid:blob:sha256:9f64df92367881be21e23567a31a8ce01994d98b69d28917b5c132ce32a8e6c8", + "gitoid:blob:sha256:09c825ac02df9150e4f93d12ba1da5d1ff5846c3e62503c814aa3a300c535772", + "gitoid:blob:sha256:230f3515d1306690815bd9c3da0d15d8b6fcf43894d17100eb44b6d329a92f61" + ] + }, + "omniborArtifactType": { + "type": "string", + "enum": ["artifact", "buildInput"], + "description": "Specifies how consumers of the Artifact ID should search for matches. If the 'target' is 'artifact', then the Artifact ID is identifying an artifact which should be searched for directly (for example, within a file system by matching against Artifact IDs for files). If the 'target' is 'buildInput' then the Artifact ID is identifying a build input, and consumers should match the Artifact ID against IDs found in OmniBOR Input Manifests for their software." } } }, 
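Review bot: In the @@ -361,6 +394,21 hunk, `pattern` is the only constraint on `omniborArtifactID`, and `$` is not strictly end-of-string in every validator's regex engine (Python's `re`, for example, lets it match before a trailing newline). Such a value would pass validation and then fail to match when a consumer compares identifiers byte for byte. The prefix is 19 characters and the digest 64, so adding `"minLength": 83, "maxLength": 83` next to the pattern closes this gap in any validator. Separately, the `omniborArtifactType` description speaks of "the 'target'", which is not a field in this schema; "If the value is 'artifact' …" would read correctly.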
@@ -778,7 +826,13 @@ "type": "array", "description": "List of affected products.", "minItems": 1, - "items": {"$ref": "#/definitions/product"} + "items": {"$ref": "#/definitions/product"}, + "contains": { + "anyOf": [ + { "required": ["vendor", "product"] }, + { "required": ["collectionURL", "packageName"] } + ] + } }, "description": { "type": "object", diff --git a/schema/docs/CVE_Record_Format_bundled.json b/schema/docs/CVE_Record_Format_bundled.json index 5fff73a0131..e0308d2f8e1 100644 --- a/schema/docs/CVE_Record_Format_bundled.json +++ b/schema/docs/CVE_Record_Format_bundled.json @@ -138,6 +138,7 @@ "description": "Provides information about the set of products and services affected by this vulnerability.", "allOf": [ { + "description": "Require one 'identifier-like' set of fields", "anyOf": [ { "required": [ @@ -154,6 +155,7 @@ ] }, { + "description": "Require one 'applicability' field", "anyOf": [ { "required": [ @@ -166,6 +168,71 @@ ] } ] + }, + { + "description": "If omniborArtifactID is used, require omniborArtifactType", + "dependentRequired": { + "omniborArtifactID": [ + "omniborArtifactType" + ] + } + }, + { + "description": "Disallow certain fields when used with a fine-grained identifier", + "not": { + "allOf": [ + { + "$comment": "The fine-grained identifier fields", + "anyOf": [ + { + "required": [ + "omniborArtifactID" + ] + } + ] + }, + { + "$comment": "Fields not to be used with fine-grained identifiers", + "anyOf": [ + { + "required": [ + "cpes" + ] + }, + { + "required": [ + "modules" + ] + }, + { + "required": [ + "programFiles" + ] + }, + { + "required": [ + "programRoutines" + ] + }, + { + "required": [ + "platforms" + ] + }, + { + "required": [ + "repo" + ] + }, + { + "required": [ + "versions" + ] + } + ] + } + ] + } } ], "properties": { 
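Review bot: The added `contains` in the @@ -778,7 +826,13 hunk looks redundant. `items` already points every element at `#/definitions/product`, whose first `allOf` entry (visible as context in the @@ -108 hunk) requires `vendor` and `product`, or `collectionURL` and `packageName`, on each item, so with `minItems: 1` the `contains` can never fail on its own. If the intent was to allow entries identified only by `omniborArtifactID` as long as one sibling names the product, the per-item `anyOf` would have to be relaxed as well. Otherwise the keyword can be dropped, or its purpose stated in a `$comment`. The array definition continues outside the hunk.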
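Review bot: The bundled product definition in the @@ -166,6 +168,71 hunk does not enforce the same rules as schema/CVE_Record_Format.json in this commit. It uses `dependentRequired` with only the `omniborArtifactID` → `omniborArtifactType` direction, while the source uses `dependencies` in both directions; `dependentRequired` was introduced in draft 2019-09, so if this file declares an earlier draft (the `$schema` line is not visible here) validators will ignore it altogether. It also lists `platforms` among the excluded fields, which the source does not, and the `omniborArtifactType` description in the @@ -442,6 +509,24 hunk says 'build_input' where the enum value is `buildInput`. The same three differences repeat in the adpContainer, cnaPublishedContainer and cnaRejectedContainer bundles; regenerating all four from the final source, or adding `{"required": ["platforms"]}` to the source if that exclusion is intended, would bring them back in line.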
@@ -339,7 +406,7 @@ "$ref": "#/definitions/uriType" }, "defaultStatus": { - "description": "The default status for versions that are not otherwise listed in the versions list. If not specified, defaultStatus defaults to 'unknown'. Versions or defaultStatus may be omitted, but not both.", + "description": "The default status for versions that are not otherwise listed in the versions list. If not specified, defaultStatus defaults to 'unknown'. Versions or defaultStatus may be omitted, but not both. When used alongside a fine-grained identifier such as omniborArtifactID, where no versions field will be used, defaultStatus is the status of the artifact identified by the identifier.", "$ref": "#/definitions/status" }, "versions": { @@ -442,6 +509,24 @@ }, "additionalProperties": false } + }, + "omniborArtifactID": { + "type": "string", + "pattern": "^gitoid:blob:sha256:[0-9a-f]{64}$", + "description": "The OmniBOR Artifact ID of the artifact to be matched against.", + "examples": [ + "gitoid:blob:sha256:9f64df92367881be21e23567a31a8ce01994d98b69d28917b5c132ce32a8e6c8", + "gitoid:blob:sha256:09c825ac02df9150e4f93d12ba1da5d1ff5846c3e62503c814aa3a300c535772", + "gitoid:blob:sha256:230f3515d1306690815bd9c3da0d15d8b6fcf43894d17100eb44b6d329a92f61" + ] + }, + "omniborArtifactType": { + "type": "string", + "enum": [ + "artifact", + "buildInput" + ], + "description": "Specifies how consumers of the Artifact ID should search for matches. If the 'target' is 'artifact', then the Artifact ID is identifying an artifact which should be searched for directly (for example, within a file system by matching against Artifact IDs for files). If the 'target' is 'build_input' then the Artifact ID is identifying a build input, and consumers should match the Artifact ID against IDs found in OmniBOR Input Manifests for their software." } } }, 
@@ -866,6 +951,22 @@ "minItems": 1, "items": { "$ref": "#/definitions/product" + }, + "contains": { + "anyOf": [ + { + "required": [ + "vendor", + "product" + ] + }, + { + "required": [ + "collectionURL", + "packageName" + ] + } + ] } }, "description": { diff --git a/schema/docs/CVE_Record_Format_bundled_adpContainer.json b/schema/docs/CVE_Record_Format_bundled_adpContainer.json index 4a3b111577a..3e376170367 100644 --- a/schema/docs/CVE_Record_Format_bundled_adpContainer.json +++ b/schema/docs/CVE_Record_Format_bundled_adpContainer.json @@ -138,6 +138,7 @@ "description": "Provides information about the set of products and services affected by this vulnerability.", "allOf": [ { + "description": "Require one 'identifier-like' set of fields", "anyOf": [ { "required": [ @@ -154,6 +155,7 @@ ] }, { + "description": "Require one 'applicability' field", "anyOf": [ { "required": [ @@ -166,6 +168,71 @@ ] } ] + }, + { + "description": "If omniborArtifactID is used, require omniborArtifactType", + "dependentRequired": { + "omniborArtifactID": [ + "omniborArtifactType" + ] + } + }, + { + "description": "Disallow certain fields when used with a fine-grained identifier", + "not": { + "allOf": [ + { + "$comment": "The fine-grained identifier fields", + "anyOf": [ + { + "required": [ + "omniborArtifactID" + ] + } + ] + }, + { + "$comment": "Fields not to be used with fine-grained identifiers", + "anyOf": [ + { + "required": [ + "cpes" + ] + }, + { + "required": [ + "modules" + ] + }, + { + "required": [ + "programFiles" + ] + }, + { + "required": [ + "programRoutines" + ] + }, + { + "required": [ + "platforms" + ] + }, + { + "required": [ + "repo" + ] + }, + { + "required": [ + "versions" + ] + } + ] + } + ] + } } ], "properties": { 
@@ -339,7 +406,7 @@ "$ref": "#/definitions/uriType" }, "defaultStatus": { - "description": "The default status for versions that are not otherwise listed in the versions list. If not specified, defaultStatus defaults to 'unknown'. Versions or defaultStatus may be omitted, but not both.", + "description": "The default status for versions that are not otherwise listed in the versions list. If not specified, defaultStatus defaults to 'unknown'. Versions or defaultStatus may be omitted, but not both. When used alongside a fine-grained identifier such as omniborArtifactID, where no versions field will be used, defaultStatus is the status of the artifact identified by the identifier.", "$ref": "#/definitions/status" }, "versions": { @@ -442,6 +509,24 @@ }, "additionalProperties": false } + }, + "omniborArtifactID": { + "type": "string", + "pattern": "^gitoid:blob:sha256:[0-9a-f]{64}$", + "description": "The OmniBOR Artifact ID of the artifact to be matched against.", + "examples": [ + "gitoid:blob:sha256:9f64df92367881be21e23567a31a8ce01994d98b69d28917b5c132ce32a8e6c8", + "gitoid:blob:sha256:09c825ac02df9150e4f93d12ba1da5d1ff5846c3e62503c814aa3a300c535772", + "gitoid:blob:sha256:230f3515d1306690815bd9c3da0d15d8b6fcf43894d17100eb44b6d329a92f61" + ] + }, + "omniborArtifactType": { + "type": "string", + "enum": [ + "artifact", + "buildInput" + ], + "description": "Specifies how consumers of the Artifact ID should search for matches. If the 'target' is 'artifact', then the Artifact ID is identifying an artifact which should be searched for directly (for example, within a file system by matching against Artifact IDs for files). If the 'target' is 'build_input' then the Artifact ID is identifying a build input, and consumers should match the Artifact ID against IDs found in OmniBOR Input Manifests for their software." } } }, 
@@ -866,6 +951,22 @@ "minItems": 1, "items": { "$ref": "#/definitions/product" + }, + "contains": { + "anyOf": [ + { + "required": [ + "vendor", + "product" + ] + }, + { + "required": [ + "collectionURL", + "packageName" + ] + } + ] } }, "description": { diff --git a/schema/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json b/schema/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json index 6606fcb123b..0a822a011fd 100644 --- a/schema/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json +++ b/schema/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json @@ -138,6 +138,7 @@ "description": "Provides information about the set of products and services affected by this vulnerability.", "allOf": [ { + "description": "Require one 'identifier-like' set of fields", "anyOf": [ { "required": [ @@ -154,6 +155,7 @@ ] }, { + "description": "Require one 'applicability' field", "anyOf": [ { "required": [ @@ -166,6 +168,71 @@ ] } ] + }, + { + "description": "If omniborArtifactID is used, require omniborArtifactType", + "dependentRequired": { + "omniborArtifactID": [ + "omniborArtifactType" + ] + } + }, + { + "description": "Disallow certain fields when used with a fine-grained identifier", + "not": { + "allOf": [ + { + "$comment": "The fine-grained identifier fields", + "anyOf": [ + { + "required": [ + "omniborArtifactID" + ] + } + ] + }, + { + "$comment": "Fields not to be used with fine-grained identifiers", + "anyOf": [ + { + "required": [ + "cpes" + ] + }, + { + "required": [ + "modules" + ] + }, + { + "required": [ + "programFiles" + ] + }, + { + "required": [ + "programRoutines" + ] + }, + { + "required": [ + "platforms" + ] + }, + { + "required": [ + "repo" + ] + }, + { + "required": [ + "versions" + ] + } + ] + } + ] + } } ], "properties": { 
@@ -339,7 +406,7 @@ "$ref": "#/definitions/uriType" }, "defaultStatus": { - "description": "The default status for versions that are not otherwise listed in the versions list. If not specified, defaultStatus defaults to 'unknown'. Versions or defaultStatus may be omitted, but not both.", + "description": "The default status for versions that are not otherwise listed in the versions list. If not specified, defaultStatus defaults to 'unknown'. Versions or defaultStatus may be omitted, but not both. When used alongside a fine-grained identifier such as omniborArtifactID, where no versions field will be used, defaultStatus is the status of the artifact identified by the identifier.", "$ref": "#/definitions/status" }, "versions": { @@ -442,6 +509,24 @@ }, "additionalProperties": false } + }, + "omniborArtifactID": { + "type": "string", + "pattern": "^gitoid:blob:sha256:[0-9a-f]{64}$", + "description": "The OmniBOR Artifact ID of the artifact to be matched against.", + "examples": [ + "gitoid:blob:sha256:9f64df92367881be21e23567a31a8ce01994d98b69d28917b5c132ce32a8e6c8", + "gitoid:blob:sha256:09c825ac02df9150e4f93d12ba1da5d1ff5846c3e62503c814aa3a300c535772", + "gitoid:blob:sha256:230f3515d1306690815bd9c3da0d15d8b6fcf43894d17100eb44b6d329a92f61" + ] + }, + "omniborArtifactType": { + "type": "string", + "enum": [ + "artifact", + "buildInput" + ], + "description": "Specifies how consumers of the Artifact ID should search for matches. If the 'target' is 'artifact', then the Artifact ID is identifying an artifact which should be searched for directly (for example, within a file system by matching against Artifact IDs for files). If the 'target' is 'build_input' then the Artifact ID is identifying a build input, and consumers should match the Artifact ID against IDs found in OmniBOR Input Manifests for their software." } } }, 
@@ -866,6 +951,22 @@ "minItems": 1, "items": { "$ref": "#/definitions/product" + }, + "contains": { + "anyOf": [ + { + "required": [ + "vendor", + "product" + ] + }, + { + "required": [ + "collectionURL", + "packageName" + ] + } + ] } }, "description": { diff --git a/schema/docs/CVE_Record_Format_bundled_cnaRejectedContainer.json b/schema/docs/CVE_Record_Format_bundled_cnaRejectedContainer.json index bfb1d9e4760..3a88e946ac3 100644 --- a/schema/docs/CVE_Record_Format_bundled_cnaRejectedContainer.json +++ b/schema/docs/CVE_Record_Format_bundled_cnaRejectedContainer.json @@ -138,6 +138,7 @@ "description": "Provides information about the set of products and services affected by this vulnerability.", "allOf": [ { + "description": "Require one 'identifier-like' set of fields", "anyOf": [ { "required": [ @@ -154,6 +155,7 @@ ] }, { + "description": "Require one 'applicability' field", "anyOf": [ { "required": [ @@ -166,6 +168,71 @@ ] } ] + }, + { + "description": "If omniborArtifactID is used, require omniborArtifactType", + "dependentRequired": { + "omniborArtifactID": [ + "omniborArtifactType" + ] + } + }, + { + "description": "Disallow certain fields when used with a fine-grained identifier", + "not": { + "allOf": [ + { + "$comment": "The fine-grained identifier fields", + "anyOf": [ + { + "required": [ + "omniborArtifactID" + ] + } + ] + }, + { + "$comment": "Fields not to be used with fine-grained identifiers", + "anyOf": [ + { + "required": [ + "cpes" + ] + }, + { + "required": [ + "modules" + ] + }, + { + "required": [ + "programFiles" + ] + }, + { + "required": [ + "programRoutines" + ] + }, + { + "required": [ + "platforms" + ] + }, + { + "required": [ + "repo" + ] + }, + { + "required": [ + "versions" + ] + } + ] + } + ] + } } ], "properties": { 
@@ -339,7 +406,7 @@ "$ref": "#/definitions/uriType" }, "defaultStatus": { - "description": "The default status for versions that are not otherwise listed in the versions list. If not specified, defaultStatus defaults to 'unknown'. Versions or defaultStatus may be omitted, but not both.", + "description": "The default status for versions that are not otherwise listed in the versions list. If not specified, defaultStatus defaults to 'unknown'. Versions or defaultStatus may be omitted, but not both. When used alongside a fine-grained identifier such as omniborArtifactID, where no versions field will be used, defaultStatus is the status of the artifact identified by the identifier.", "$ref": "#/definitions/status" }, "versions": { @@ -442,6 +509,24 @@ }, "additionalProperties": false } + }, + "omniborArtifactID": { + "type": "string", + "pattern": "^gitoid:blob:sha256:[0-9a-f]{64}$", + "description": "The OmniBOR Artifact ID of the artifact to be matched against.", + "examples": [ + "gitoid:blob:sha256:9f64df92367881be21e23567a31a8ce01994d98b69d28917b5c132ce32a8e6c8", + "gitoid:blob:sha256:09c825ac02df9150e4f93d12ba1da5d1ff5846c3e62503c814aa3a300c535772", + "gitoid:blob:sha256:230f3515d1306690815bd9c3da0d15d8b6fcf43894d17100eb44b6d329a92f61" + ] + }, + "omniborArtifactType": { + "type": "string", + "enum": [ + "artifact", + "buildInput" + ], + "description": "Specifies how consumers of the Artifact ID should search for matches. If the 'target' is 'artifact', then the Artifact ID is identifying an artifact which should be searched for directly (for example, within a file system by matching against Artifact IDs for files). If the 'target' is 'build_input' then the Artifact ID is identifying a build input, and consumers should match the Artifact ID against IDs found in OmniBOR Input Manifests for their software." } } }, 
@@ -866,6 +951,22 @@ "minItems": 1, "items": { "$ref": "#/definitions/product" + }, + "contains": { + "anyOf": [ + { + "required": [ + "vendor", + "product" + ] + }, + { + "required": [ + "collectionURL", + "packageName" + ] + } + ] } }, "description": { diff --git a/schema/docs/cnaContainer-advanced-example.json b/schema/docs/cnaContainer-advanced-example.json index bbafe4b2fbc..2c9a2e1537b 100644 --- a/schema/docs/cnaContainer-advanced-example.json +++ b/schema/docs/cnaContainer-advanced-example.json @@ -82,6 +82,13 @@ } ], "defaultStatus": "unaffected" + }, + { + "vendor": "Example.org", + "product": "Example Enterprise", + "omniborArtifactID": "gitoid:blob:sha256:fee53a18d32820613c0527aa79be5cb30173c823a9b448fa4817767cc84c6f03", + "omniborArtifactType": "artifact", + "defaultStatus": "affected" } ], "cpeApplicability": [ diff --git a/schema/docs/full-record-advanced-example.json b/schema/docs/full-record-advanced-example.json index c4722686c41..f1f31500929 100644 --- a/schema/docs/full-record-advanced-example.json +++ b/schema/docs/full-record-advanced-example.json @@ -95,6 +95,13 @@ } ], "defaultStatus": "unaffected" + }, + { + "vendor": "Example.org", + "product": "Example Enterprise", + "omniborArtifactID": "gitoid:blob:sha256:fee53a18d32820613c0527aa79be5cb30173c823a9b448fa4817767cc84c6f03", + "omniborArtifactType": "artifact", + "defaultStatus": "affected" } ], "cpeApplicability": [ @@ -162,7 +169,7 @@ "value": "OS-komand-injekta vundebleco parseFilename funkcio de example.php en la Web Administrado-Interfaco de Example.org Example Enterprise ĉe Windows, macOS kaj XT-4500 permesas al malproksimaj neaŭtentikigitaj atakantoj eskaladi privilegiojn.

Ĉi tiu afero efikas:
" } ] - } + } ], "metrics": [ {