CVEProject · alilleybrinker · Aug 5, 2025
diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json
@@ -366,6 +366,85 @@
                 }
             }
         },
+        "affectedArtifact": {
+            "type": "object",
+            "description": "Provides information about a specific artifact affected by a vulnerability.",
+            "allOf": [
+                {
+                    "description": "An identifier-like field, to identify the artifact.",
+                    "anyOf": [
+                        {"required": ["omniborArtifactID", "omniborArtifactType"]},
+                        {"required": ["sha256"]}
+                    ]
+                },
+                {
+                    "description": "The status of the artifact.",
+                    "anyOf": [
+                        {"required": ["status"]}
+                    ]
+                }
+            ],
+            "properties": {
+                "omniborArtifactID": {
+                    "type": "string",
+                    "pattern": "^gitoid:blob:sha256:[0-9a-f]{64}$",
+                    "description": "The OmniBOR Artifact ID of the artifact to be matched against.",
+                    "examples": [
+                        "gitoid:blob:sha256:9f64df92367881be21e23567a31a8ce01994d98b69d28917b5c132ce32a8e6c8",
+                        "gitoid:blob:sha256:09c825ac02df9150e4f93d12ba1da5d1ff5846c3e62503c814aa3a300c535772",
+                        "gitoid:blob:sha256:230f3515d1306690815bd9c3da0d15d8b6fcf43894d17100eb44b6d329a92f61"
+                    ]
+                },
+                "omniborArtifactType": {
+                    "type": "string",
+                    "enum": ["artifact", "buildInput"],
+                    "description": "Specifies how consumers of the Artifact ID should search for matches. If the 'target' is 'artifact', then the Artifact ID is identifying an artifact which should be searched for directly (for example, within a file system by matching against Artifact IDs for files). If the 'target' is 'buildInput' then the Artifact ID is identifying a build input, and consumers should match the Artifact ID against IDs found in OmniBOR Input Manifests for their software."
+                },
+                "sha256": {
+                    "type": "string",
+                    "pattern": "^[a-f0-9]{64}$",
+                    "description": "The SHA-256 hash of the artifact.",
+                    "examples": [
+                        "68e656b251e67e8358bef8483ab0d51c6619f3e7a1a9f0e75838d41ff368f728",
+                        "2cc620f8a156b986806bc2757c0572d978d8cbfc4d25f0dfa7c552291bf68279",
+                        "97272dc1b6ac7ca84735b797b4a04233b17fd55707f9c728fc3747e3f935f02c"
+                    ]
+                },
+                "status": {
+                    "description": "The vulnerability status for the version or range of versions. For a range, the status may be refined by the 'changes' list.",
+                    "$ref": "#/definitions/status"
+                },
+                "version": {
+                    "description": "The single version being described, or the version at the start of the range. By convention, typically 0 denotes the earliest possible version.",
+                    "$ref": "#/definitions/version"
+                },
+                "versionType": {
+                    "type": "string",
+                    "description": "The version numbering system used for specifying the range. This defines the exact semantics of the comparison (less-than) operation on versions, which is required to understand the range itself. 'Custom' indicates that the version type is unspecified and should be avoided whenever possible. It is included primarily for use in conversion of older data files.",
+                    "minLength": 1,
+                    "maxLength": 128,
+                    "examples": [
+                        "custom",
+                        "git",
+                        "maven",
+                        "python",
+                        "rpm",
+                        "semver"
+                    ]
+                },
+                "platforms": {
+                    "description": "List of specific platforms if the vulnerability is only relevant in the context of these platforms (optional). Platforms may include execution environments, operating systems, virtualization technologies, hardware models, or computing architectures. The lack of this field implies that the other fields are applicable to all relevant platforms.",
+                    "type": "array",
+                    "minItems": 1,
+                    "uniqueItems": true,
+                    "items": {
+                        "type": "string",
+                        "examples": ["iOS", "Android", "Windows", "macOS", "x86", "ARM", "64 bit", "Big Endian", "iPad", "Chromebook", "Docker", "Model T"],
+                        "maxLength": 1024
+                    }
+                }
+            }
+        },
         "dataType": {
             "description": "Indicates the type of information represented in the JSON instance.",
             "type": "string",
@@ -782,6 +861,12 @@
             "minItems": 1,
             "items": {"$ref": "#/definitions/product"}
         },
+        "affectedArtifacts": {
+            "type": "array",
+            "description": "List of affected artifacts.",
+            "minItems": 1,
+            "items": {"$ref": "#/definitions/affectedArtifact"}
+        },
         "description": {
             "type": "object",
             "description": "Text in a particular language with optional alternate markup or formatted representation (e.g., Markdown) or embedded media.",