Add omniborArtifactID/omniborArtifactType to product in affected array #410


58 changes: 56 additions & 2 deletions schema/CVE_Record_Format.json
Expand Up @@ -108,16 +108,49 @@
"description": "Provides information about the set of products and services affected by this vulnerability.",
"allOf": [
{
"description": "Require one 'identifier-like' set of fields",
"anyOf": [
{"required": ["vendor", "product"]},
{"required": ["collectionURL", "packageName"]}
]
},
{
"description": "Require one 'applicability' field",
"anyOf": [
{"required": ["versions"]},
{"required": ["defaultStatus"]}
]
},
{
"description": "If omniborArtifactID is used, require omniborArtifactType",
"dependencies": {
"omniborArtifactID": ["omniborArtifactType"],
"omniborArtifactType": ["omniborArtifactID"]
}
},
{
"description": "Disallow certain fields when used with a fine-grained identifier",
"not": {
"allOf": [
{
"$comment": "The fine-grained identifier fields",
"anyOf": [
{"required": ["omniborArtifactID"]}
]
},
{
"$comment": "Fields not to be used with fine-grained identifiers",
"anyOf": [
{"required": ["cpes"]},
{"required": ["modules"]},
{"required": ["programFiles"]},
{"required": ["programRoutines"]},
{"required": ["repo"]},
{"required": ["versions"]}
]
}
]
}
}
],
"properties": {
Expand Down Expand Up @@ -278,7 +311,7 @@
"$ref": "#/definitions/uriType"
},
"defaultStatus": {
"description": "The default status for versions that are not otherwise listed in the versions list. If not specified, defaultStatus defaults to 'unknown'. Versions or defaultStatus may be omitted, but not both.",
"description": "The default status for versions that are not otherwise listed in the versions list. If not specified, defaultStatus defaults to 'unknown'. Versions or defaultStatus may be omitted, but not both. When used alongside a fine-grained identifier such as omniborArtifactID, where no versions field will be used, defaultStatus is the status of the artifact identified by the identifier.",
"$ref": "#/definitions/status"
},
"versions": {
Expand Down Expand Up @@ -361,6 +394,21 @@
},
"additionalProperties": false
}
},
"omniborArtifactID": {
"type": "string",
"pattern": "^gitoid:blob:sha256:[0-9a-f]{64}$",
"description": "The OmniBOR Artifact ID of the artifact to be matched against.",
"examples": [
"gitoid:blob:sha256:9f64df92367881be21e23567a31a8ce01994d98b69d28917b5c132ce32a8e6c8",
"gitoid:blob:sha256:09c825ac02df9150e4f93d12ba1da5d1ff5846c3e62503c814aa3a300c535772",
"gitoid:blob:sha256:230f3515d1306690815bd9c3da0d15d8b6fcf43894d17100eb44b6d329a92f61"
]
},
"omniborArtifactType": {
"type": "string",
"enum": ["artifact", "buildInput"],
"description": "Specifies how consumers of the Artifact ID should search for matches. If the 'target' is 'artifact', then the Artifact ID is identifying an artifact which should be searched for directly (for example, within a file system by matching against Artifact IDs for files). If the 'target' is 'buildInput' then the Artifact ID is identifying a build input, and consumers should match the Artifact ID against IDs found in OmniBOR Input Manifests for their software."
}
}
},
Expand Down Expand Up @@ -778,7 +826,13 @@
"type": "array",
"description": "List of affected products.",
"minItems": 1,
"items": {"$ref": "#/definitions/product"}
"items": {"$ref": "#/definitions/product"},
"contains": {
"anyOf": [
{ "required": ["vendor", "product"] },
{ "required": ["collectionURL", "packageName"] }
]
}
},
"description": {
"type": "object",
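Review bot: The new `contains` constraint on the `affected` array (the block after `"items": {"$ref": "#/definitions/product"}`) is redundant as written, because the per-product `allOf` at the top of the hunk still requires `vendor`/`product` or `collectionURL`/`packageName` on every element, so `contains` can never fail where `items` passes; if the intent was to let an OmniBOR-only product omit the vendor/product pair as long as one sibling carries it, that first `anyOf` needs relaxing, otherwise the `contains` block should be dropped to avoid implying a looser rule than the schema enforces. The bundled copies in `schema/docs/` do not match this source: they add `platforms` to the fine-grained-identifier exclusion list, use one-way `dependentRequired` instead of the two-way `dependencies` here, and their `omniborArtifactType` description says `'build_input'` while the enum value is `buildInput`, which suggests they were hand-edited rather than regenerated and would validate records differently from this file. The `omniborArtifactType` description also refers to "the 'target'" twice; I would reword to `If omniborArtifactType is 'artifact', ...` and `If omniborArtifactType is 'buildInput', ...` so readers are not left looking for a `target` property. The `product` definition continues outside this hunk.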
103 changes: 102 additions & 1 deletion schema/docs/CVE_Record_Format_bundled.json
Expand Up @@ -138,6 +138,7 @@
"description": "Provides information about the set of products and services affected by this vulnerability.",
"allOf": [
{
"description": "Require one 'identifier-like' set of fields",
"anyOf": [
{
"required": [
Expand All @@ -154,6 +155,7 @@
]
},
{
"description": "Require one 'applicability' field",
"anyOf": [
{
"required": [
Expand All @@ -166,6 +168,71 @@
]
}
]
},
{
"description": "If omniborArtifactID is used, require omniborArtifactType",
"dependentRequired": {
"omniborArtifactID": [
"omniborArtifactType"
]
}
},
{
"description": "Disallow certain fields when used with a fine-grained identifier",
"not": {
"allOf": [
{
"$comment": "The fine-grained identifier fields",
"anyOf": [
{
"required": [
"omniborArtifactID"
]
}
]
},
{
"$comment": "Fields not to be used with fine-grained identifiers",
"anyOf": [
{
"required": [
"cpes"
]
},
{
"required": [
"modules"
]
},
{
"required": [
"programFiles"
]
},
{
"required": [
"programRoutines"
]
},
{
"required": [
"platforms"
]
},
{
"required": [
"repo"
]
},
{
"required": [
"versions"
]
}
]
}
]
}
}
],
"properties": {
Expand Down Expand Up @@ -339,7 +406,7 @@
"$ref": "#/definitions/uriType"
},
"defaultStatus": {
"description": "The default status for versions that are not otherwise listed in the versions list. If not specified, defaultStatus defaults to 'unknown'. Versions or defaultStatus may be omitted, but not both.",
"description": "The default status for versions that are not otherwise listed in the versions list. If not specified, defaultStatus defaults to 'unknown'. Versions or defaultStatus may be omitted, but not both. When used alongside a fine-grained identifier such as omniborArtifactID, where no versions field will be used, defaultStatus is the status of the artifact identified by the identifier.",
"$ref": "#/definitions/status"
},
"versions": {
Expand Down Expand Up @@ -442,6 +509,24 @@
},
"additionalProperties": false
}
},
"omniborArtifactID": {
"type": "string",
"pattern": "^gitoid:blob:sha256:[0-9a-f]{64}$",
"description": "The OmniBOR Artifact ID of the artifact to be matched against.",
"examples": [
"gitoid:blob:sha256:9f64df92367881be21e23567a31a8ce01994d98b69d28917b5c132ce32a8e6c8",
"gitoid:blob:sha256:09c825ac02df9150e4f93d12ba1da5d1ff5846c3e62503c814aa3a300c535772",
"gitoid:blob:sha256:230f3515d1306690815bd9c3da0d15d8b6fcf43894d17100eb44b6d329a92f61"
]
},
"omniborArtifactType": {
"type": "string",
"enum": [
"artifact",
"buildInput"
],
"description": "Specifies how consumers of the Artifact ID should search for matches. If the 'target' is 'artifact', then the Artifact ID is identifying an artifact which should be searched for directly (for example, within a file system by matching against Artifact IDs for files). If the 'target' is 'build_input' then the Artifact ID is identifying a build input, and consumers should match the Artifact ID against IDs found in OmniBOR Input Manifests for their software."
}
}
},
Expand Down Expand Up @@ -866,6 +951,22 @@
"minItems": 1,
"items": {
"$ref": "#/definitions/product"
},
"contains": {
"anyOf": [
{
"required": [
"vendor",
"product"
]
},
{
"required": [
"collectionURL",
"packageName"
]
}
]
}
},
"description": {
103 changes: 102 additions & 1 deletion schema/docs/CVE_Record_Format_bundled_adpContainer.json
Expand Up @@ -138,6 +138,7 @@
"description": "Provides information about the set of products and services affected by this vulnerability.",
"allOf": [
{
"description": "Require one 'identifier-like' set of fields",
"anyOf": [
{
"required": [
Expand All @@ -154,6 +155,7 @@
]
},
{
"description": "Require one 'applicability' field",
"anyOf": [
{
"required": [
Expand All @@ -166,6 +168,71 @@
]
}
]
},
{
"description": "If omniborArtifactID is used, require omniborArtifactType",
"dependentRequired": {
"omniborArtifactID": [
"omniborArtifactType"
]
}
},
{
"description": "Disallow certain fields when used with a fine-grained identifier",
"not": {
"allOf": [
{
"$comment": "The fine-grained identifier fields",
"anyOf": [
{
"required": [
"omniborArtifactID"
]
}
]
},
{
"$comment": "Fields not to be used with fine-grained identifiers",
"anyOf": [
{
"required": [
"cpes"
]
},
{
"required": [
"modules"
]
},
{
"required": [
"programFiles"
]
},
{
"required": [
"programRoutines"
]
},
{
"required": [
"platforms"
]
},
{
"required": [
"repo"
]
},
{
"required": [
"versions"
]
}
]
}
]
}
}
],
"properties": {
Expand Down Expand Up @@ -339,7 +406,7 @@
"$ref": "#/definitions/uriType"
},
"defaultStatus": {
"description": "The default status for versions that are not otherwise listed in the versions list. If not specified, defaultStatus defaults to 'unknown'. Versions or defaultStatus may be omitted, but not both.",
"description": "The default status for versions that are not otherwise listed in the versions list. If not specified, defaultStatus defaults to 'unknown'. Versions or defaultStatus may be omitted, but not both. When used alongside a fine-grained identifier such as omniborArtifactID, where no versions field will be used, defaultStatus is the status of the artifact identified by the identifier.",
"$ref": "#/definitions/status"
},
"versions": {
Expand Down Expand Up @@ -442,6 +509,24 @@
},
"additionalProperties": false
}
},
"omniborArtifactID": {
"type": "string",
"pattern": "^gitoid:blob:sha256:[0-9a-f]{64}$",
"description": "The OmniBOR Artifact ID of the artifact to be matched against.",
"examples": [
"gitoid:blob:sha256:9f64df92367881be21e23567a31a8ce01994d98b69d28917b5c132ce32a8e6c8",
"gitoid:blob:sha256:09c825ac02df9150e4f93d12ba1da5d1ff5846c3e62503c814aa3a300c535772",
"gitoid:blob:sha256:230f3515d1306690815bd9c3da0d15d8b6fcf43894d17100eb44b6d329a92f61"
]
},
"omniborArtifactType": {
"type": "string",
"enum": [
"artifact",
"buildInput"
],
"description": "Specifies how consumers of the Artifact ID should search for matches. If the 'target' is 'artifact', then the Artifact ID is identifying an artifact which should be searched for directly (for example, within a file system by matching against Artifact IDs for files). If the 'target' is 'build_input' then the Artifact ID is identifying a build input, and consumers should match the Artifact ID against IDs found in OmniBOR Input Manifests for their software."
}
}
},
Expand Down Expand Up @@ -866,6 +951,22 @@
"minItems": 1,
"items": {
"$ref": "#/definitions/product"
},
"contains": {
"anyOf": [
{
"required": [
"vendor",
"product"
]
},
{
"required": [
"collectionURL",
"packageName"
]
}
]
}
},
"description": {