├── .github └── workflows │ └── validate-schema.yml ├── .gitignore ├── LICENSE.txt ├── README.md ├── schema ├── CVE_Record_Format.json ├── archive │ ├── v1.0 │ │ └── JSON-file-format-v1.md │ ├── v2.0 │ │ └── JSON-file-format-v2.md │ ├── v3.1 │ │ ├── CVE_JSON_example_full-3.1.json │ │ ├── CVE_JSON_example_min-3.1.json │ │ └── CVE_JSON_schema-3.1.json │ ├── v4.0 │ │ ├── CVE_JSON_4.0_min_public.schema │ │ ├── CVE_JSON_4.0_min_reject.schema │ │ ├── CVE_JSON_4.0_min_reserved.schema │ │ └── DRAFT-JSON-file-format-v4.md │ └── v5.0 │ │ ├── CVE_JSON_5.0_schema.json │ │ ├── docs │ │ ├── CVE_JSON_5.0_bundled.json │ │ ├── cnaContainer-advanced-example.json │ │ ├── cnaContainer-basic-example.json │ │ ├── full-record-advanced-example.json │ │ ├── full-record-basic-example.json │ │ ├── index.html │ │ ├── mindmap.html │ │ ├── schema_doc.css │ │ ├── schema_doc.min.js │ │ └── versions.md │ │ ├── imports │ │ └── cvss │ │ │ ├── README.md │ │ │ ├── cvss-v2.0.json │ │ │ ├── cvss-v3.0.json │ │ │ └── cvss-v3.1.json │ │ ├── support │ │ ├── CVE_4_to_5_converter │ │ │ ├── PUBLISHED_CVE_JSON_5.0_bundled.json │ │ │ ├── convert.log │ │ │ ├── cve4to5up.py │ │ │ ├── cve_record_dates.json.example │ │ │ ├── ref_tag_map.json │ │ │ ├── settings_example.py │ │ │ └── user_map_example.csv │ │ ├── Node_Validator │ │ │ ├── .gitignore │ │ │ ├── README.md │ │ │ ├── build.js │ │ │ ├── dist │ │ │ │ └── cve5validator.js │ │ │ ├── package.json │ │ │ ├── reportValidation.js │ │ │ └── validate.js │ │ ├── Python3.x_Validator │ │ │ ├── D7Validator.py │ │ │ ├── cvss-v2.0.json │ │ │ ├── cvss-v3.0.json │ │ │ └── cvss-v3.1.json │ │ ├── docs │ │ │ ├── css_override.css │ │ │ └── docs.sh │ │ └── schema2markmap │ │ │ ├── index.js │ │ │ ├── package.json │ │ │ └── schema-bundle.js │ │ └── tags │ │ ├── adp-tags.json │ │ ├── cna-tags.json │ │ └── reference-tags.json ├── docs │ ├── CVE_Record_Format_bundled.json │ ├── CVE_Record_Format_bundled_adpContainer.json │ ├── CVE_Record_Format_bundled_cnaPublishedContainer.json │ ├── 
CVE_Record_Format_bundled_cnaRejectedContainer.json │ ├── cnaContainer-advanced-example.json │ ├── cnaContainer-basic-example.json │ ├── cnaContainer-rejected-example.json │ ├── full-record-advanced-example.json │ ├── full-record-basic-example.json │ ├── index.html │ ├── mindmap.html │ ├── schema_doc.css │ ├── schema_doc.min.js │ └── versions.md ├── imports │ └── cvss │ │ ├── README.md │ │ ├── cvss-v2.0.json │ │ ├── cvss-v3.0.json │ │ ├── cvss-v3.1.json │ │ └── cvss-v4.0.json ├── support │ ├── CVE_4_to_5_converter │ │ ├── PUBLISHED_CVE_JSON_5.0_bundled.json │ │ ├── convert.log │ │ ├── cve4to5up.py │ │ ├── cve_record_dates.json.example │ │ ├── ref_tag_map.json │ │ ├── settings_example.py │ │ └── user_map_example.csv │ ├── Node_Validator │ │ ├── .gitignore │ │ ├── README.md │ │ ├── build.js │ │ ├── dist │ │ │ └── cve5validator.js │ │ ├── package.json │ │ ├── reportValidation.js │ │ └── validate.js │ ├── Python3.x_Validator │ │ ├── D7Validator.py │ │ ├── cvss-v2.0.json │ │ ├── cvss-v3.0.json │ │ └── cvss-v3.1.json │ ├── docs │ │ ├── css_override.css │ │ └── docs.sh │ ├── qualityReport │ │ ├── README.md │ │ └── report.js │ ├── schema2markmap │ │ ├── index.js │ │ ├── package.json │ │ └── schema-bundle.js │ └── tests │ │ └── README.md └── tags │ ├── adp-tags.json │ ├── cna-tags.json │ └── reference-tags.json └── tools ├── McAfee PSIRT Assigned CVEs Spreadsheet - 22 Dec 2016.xlsx ├── cmdlinejsonvalidator.py ├── cna-assignment-info-to-json.pl └── mitre-cna-assignment-info.js /.github/workflows/validate-schema.yml: -------------------------------------------------------------------------------- 1 | name: Validate JSON Schemas 2 | on: 3 | push: 4 | branches: 5 | - master 6 | pull_request: 7 | types: [opened, synchronize, reopened] 8 | workflow_dispatch: 9 | branches: 10 | - master 11 | env: 12 | CVE_SCHEMA_DIR: schema 13 | CVE_SCHEMA_FILENAME: CVE_Record_Format.json 14 | jobs: 15 | verify-json-validation: 16 | runs-on: ubuntu-latest 17 | steps: 18 | - uses: 
actions/checkout@v1 19 | - name: Install NPM dependencies (i.e., ajv) 20 | run: | 21 | sudo npm install --loglevel verbose -g yargs ajv-formats@"^1.5.x" ajv-cli@"^4.0.x" 22 | - name: Install schema2markmap NPM dependencies 23 | run: | 24 | npm --prefix "${CVE_SCHEMA_DIR}/support/schema2markmap" install "${CVE_SCHEMA_DIR}/support/schema2markmap" 25 | # Rename the schema, since AJV doesn't like non-".json" extensions 26 | - name: Prepare schema for bundling 27 | run: | 28 | sed 's/file\://g' "${CVE_SCHEMA_DIR}/${CVE_SCHEMA_FILENAME}" > "${CVE_SCHEMA_DIR}/cve-schema.json" 29 | - name: Bundle schema for AJV 30 | run: | 31 | node "${CVE_SCHEMA_DIR}/support/schema2markmap/schema-bundle.js" "${CVE_SCHEMA_DIR}/cve-schema.json" "${CVE_SCHEMA_DIR}/docs/" 32 | - name: Validate JSON schema 33 | run: | 34 | ajv compile -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled.json" 35 | ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled.json" -d "${CVE_SCHEMA_DIR}/docs/full-record-basic-example.json" 36 | ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled.json" -d "${CVE_SCHEMA_DIR}/docs/full-record-advanced-example.json" 37 | ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json" -d "${CVE_SCHEMA_DIR}/docs/cnaContainer-advanced-example.json" 38 | ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json" -d "${CVE_SCHEMA_DIR}/docs/cnaContainer-basic-example.json" 39 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | 2 | package-lock.json 3 | node_modules 4 | -------------------------------------------------------------------------------- /LICENSE.txt: -------------------------------------------------------------------------------- 1 | Creative Commons Legal Code 2 | 3 | CC0 1.0 
Universal 4 | 5 | CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE 6 | LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN 7 | ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS 8 | INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES 9 | REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS 10 | PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM 11 | THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED 12 | HEREUNDER. 13 | 14 | Statement of Purpose 15 | 16 | The laws of most jurisdictions throughout the world automatically confer 17 | exclusive Copyright and Related Rights (defined below) upon the creator 18 | and subsequent owner(s) (each and all, an "owner") of an original work of 19 | authorship and/or a database (each, a "Work"). 20 | 21 | Certain owners wish to permanently relinquish those rights to a Work for 22 | the purpose of contributing to a commons of creative, cultural and 23 | scientific works ("Commons") that the public can reliably and without fear 24 | of later claims of infringement build upon, modify, incorporate in other 25 | works, reuse and redistribute as freely as possible in any form whatsoever 26 | and for any purposes, including without limitation commercial purposes. 27 | These owners may contribute to the Commons to promote the ideal of a free 28 | culture and the further production of creative, cultural and scientific 29 | works, or to gain reputation or greater distribution for their Work in 30 | part through the use and efforts of others. 
31 | 32 | For these and/or other purposes and motivations, and without any 33 | expectation of additional consideration or compensation, the person 34 | associating CC0 with a Work (the "Affirmer"), to the extent that he or she 35 | is an owner of Copyright and Related Rights in the Work, voluntarily 36 | elects to apply CC0 to the Work and publicly distribute the Work under its 37 | terms, with knowledge of his or her Copyright and Related Rights in the 38 | Work and the meaning and intended legal effect of CC0 on those rights. 39 | 40 | 1. Copyright and Related Rights. A Work made available under CC0 may be 41 | protected by copyright and related or neighboring rights ("Copyright and 42 | Related Rights"). Copyright and Related Rights include, but are not 43 | limited to, the following: 44 | 45 | i. the right to reproduce, adapt, distribute, perform, display, 46 | communicate, and translate a Work; 47 | ii. moral rights retained by the original author(s) and/or performer(s); 48 | iii. publicity and privacy rights pertaining to a person's image or 49 | likeness depicted in a Work; 50 | iv. rights protecting against unfair competition in regards to a Work, 51 | subject to the limitations in paragraph 4(a), below; 52 | v. rights protecting the extraction, dissemination, use and reuse of data 53 | in a Work; 54 | vi. database rights (such as those arising under Directive 96/9/EC of the 55 | European Parliament and of the Council of 11 March 1996 on the legal 56 | protection of databases, and under any national implementation 57 | thereof, including any amended or successor version of such 58 | directive); and 59 | vii. other similar, equivalent or corresponding rights throughout the 60 | world based on applicable law or treaty, and any national 61 | implementations thereof. 62 | 63 | 2. Waiver. 
To the greatest extent permitted by, but not in contravention 64 | of, applicable law, Affirmer hereby overtly, fully, permanently, 65 | irrevocably and unconditionally waives, abandons, and surrenders all of 66 | Affirmer's Copyright and Related Rights and associated claims and causes 67 | of action, whether now known or unknown (including existing as well as 68 | future claims and causes of action), in the Work (i) in all territories 69 | worldwide, (ii) for the maximum duration provided by applicable law or 70 | treaty (including future time extensions), (iii) in any current or future 71 | medium and for any number of copies, and (iv) for any purpose whatsoever, 72 | including without limitation commercial, advertising or promotional 73 | purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each 74 | member of the public at large and to the detriment of Affirmer's heirs and 75 | successors, fully intending that such Waiver shall not be subject to 76 | revocation, rescission, cancellation, termination, or any other legal or 77 | equitable action to disrupt the quiet enjoyment of the Work by the public 78 | as contemplated by Affirmer's express Statement of Purpose. 79 | 80 | 3. Public License Fallback. Should any part of the Waiver for any reason 81 | be judged legally invalid or ineffective under applicable law, then the 82 | Waiver shall be preserved to the maximum extent permitted taking into 83 | account Affirmer's express Statement of Purpose. 
In addition, to the 84 | extent the Waiver is so judged Affirmer hereby grants to each affected 85 | person a royalty-free, non transferable, non sublicensable, non exclusive, 86 | irrevocable and unconditional license to exercise Affirmer's Copyright and 87 | Related Rights in the Work (i) in all territories worldwide, (ii) for the 88 | maximum duration provided by applicable law or treaty (including future 89 | time extensions), (iii) in any current or future medium and for any number 90 | of copies, and (iv) for any purpose whatsoever, including without 91 | limitation commercial, advertising or promotional purposes (the 92 | "License"). The License shall be deemed effective as of the date CC0 was 93 | applied by Affirmer to the Work. Should any part of the License for any 94 | reason be judged legally invalid or ineffective under applicable law, such 95 | partial invalidity or ineffectiveness shall not invalidate the remainder 96 | of the License, and in such case Affirmer hereby affirms that he or she 97 | will not (i) exercise any of his or her remaining Copyright and Related 98 | Rights in the Work or (ii) assert any associated claims and causes of 99 | action with respect to the Work, in either case contrary to Affirmer's 100 | express Statement of Purpose. 101 | 102 | 4. Limitations and Disclaimers. 103 | 104 | a. No trademark or patent rights held by Affirmer are waived, abandoned, 105 | surrendered, licensed or otherwise affected by this document. 106 | b. Affirmer offers the Work as-is and makes no representations or 107 | warranties of any kind concerning the Work, express, implied, 108 | statutory or otherwise, including without limitation warranties of 109 | title, merchantability, fitness for a particular purpose, non 110 | infringement, or the absence of latent or other defects, accuracy, or 111 | the present or absence of errors, whether or not discoverable, all to 112 | the greatest extent permissible under applicable law. 113 | c. 
Affirmer disclaims responsibility for clearing rights of other persons 114 | that may apply to the Work or any use thereof, including without 115 | limitation any person's Copyright and Related Rights in the Work. 116 | Further, Affirmer disclaims responsibility for obtaining any necessary 117 | consents, permissions or other rights required for any use of the 118 | Work. 119 | d. Affirmer understands and acknowledges that Creative Commons is not a 120 | party to this document and has no duty or obligation with respect to 121 | this CC0 or use of the Work. 122 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Current Version of CVE Record Format 2 | 3 | Update to cve-schema to provide better support for CPE! If you have integrations that rely on the cve-schema repo structure, please review the changes here. The latest version of the CVE JSON Record Format is 5.1.1. A single schema file with bundled dependencies is available [here](https://github.com/CVEProject/cve-schema/blob/master/schema/docs/CVE_Record_Format_bundled.json). 4 | 5 | Note: The CVE Record Format now supports Authorized Data Publisher (ADP) containers; there is currently one active ADP. The CVE Program uses a separate ADP container to provide additional CVE information (e.g., references) for some records. Access this README.md page [here]( 6 | https://github.com/CVEProject/cvelistV5/blob/main/README.md) 7 | for more information about the CVE Program Container. 8 | 9 | Note: Please refer to the CVE Services page [here](https://www.cve.org/AllResources/CveServices) for known issues with the schema. 10 | 11 | # CVE Record Format Overview 12 | 13 | cve-schema specifies the CVE Record Format. This is the blueprint for a rich set of JSON data that can be submitted by CVE Numbering Authorities (CNAs) and Authorized Data Publishers (ADPs) to describe a CVE Record. 
Some examples of CVE Record data include CVE ID number, affected product(s), affected version(s), and public references. While those specific items are required when assigning a CVE, there are many other optional data fields in the schema that can be used to enrich CVE Records for community benefit. 14 | 15 | ### Learn 16 | 17 | Learn more about the CVE Program at: https://www.cve.org/ 18 | 19 | This CVE Record Format is defined using JSON Schema. Learn more about JSON Schema at: https://json-schema.org/ . 20 | 21 | ### Latest 22 | 23 | The latest version of the CVE Record Format is 5.1.1. It is specified in the JSON schema at https://github.com/CVEProject/cve-schema/blob/master/schema/CVE_Record_Format.json 24 | 25 | A single schema file with bundled dependencies is at https://github.com/CVEProject/cve-schema/blob/master/schema/docs/CVE_Record_Format_bundled.json 26 | 27 | ### Documentation and Guidance 28 | 29 | Documentation about this format is available at https://cveproject.github.io/cve-schema/schema/docs/ 30 | 31 | A mindmap version of the CVE Record structure is at https://cveproject.github.io/cve-schema/schema/docs/mindmap.html 32 | 33 | More details about Product and Version Encodings in the CVE Record Format are at https://github.com/CVEProject/cve-schema/blob/master/schema/docs/versions.md 34 | 35 | ### Examples 36 | 37 | A basic example of a full record in the 5.1.1 format with minimally required fields is available at https://github.com/cveproject/cve-schema/blob/master/schema/docs/full-record-basic-example.json 38 | 39 | An advanced example of a full record in the 5.1.1 format is available at https://github.com/cveproject/cve-schema/blob/master/schema/docs/full-record-advanced-example.json 40 | 41 | A basic example of a cnaContainer, to be used with CVE Services, is available at https://github.com/cveproject/cve-schema/blob/master/schema/docs/cnaContainer-basic-example.json 42 | 43 | An advanced example of a cnaContainer, to be used with CVE Services, is 
available at https://github.com/cveproject/cve-schema/blob/master/schema/docs/cnaContainer-advanced-example.json 44 | -------------------------------------------------------------------------------- /schema/archive/v3.1/CVE_JSON_example_full-3.1.json: -------------------------------------------------------------------------------- 1 | { 2 | "data_version": "3.1", 3 | "cve_id":"CVE-YYYY-XXXXXX", 4 | "updated":"DATE-TIMESTAMP", 5 | "serial":"INT", 6 | "date_requested":"DATE-TIMESTAMP", 7 | "date_assigned":"DATE-TIMESTAMP", 8 | "date_public":"DATE-TIMESTAMP", 9 | "requester":"Requester id String", 10 | "assigner": "Assigner id String", 11 | "state":"string of state of CVE", 12 | "replaced_by":"string replace by data", 13 | "title":[ 14 | { 15 | "lang":"string ISO 639-2", 16 | "value":"string short title of issue" 17 | } 18 | ], 19 | "products": [ 20 | { 21 | "vendor_name": "string", 22 | "product": [ 23 | { 24 | "product_name": "string", 25 | "version": "string", 26 | "affects": "string =/>/=/!", 27 | "cpe":[ 28 | { 29 | "cpe_value":"string" 30 | } 31 | ], 32 | "swid":[ 33 | { 34 | "swid_value":"string" 35 | } 36 | ] 37 | } 38 | ] 39 | } 40 | ], 41 | "problem_types":[ 42 | { 43 | "description":[ 44 | { 45 | "lang":"string ISO 639-2", 46 | "value":"string description of problem_type" 47 | } 48 | ], 49 | "cwes":[ 50 | "strings of cwes","strings separated by commas" 51 | ], 52 | "owasp":[ 53 | "string of OWASP information","strings separated by commas" 54 | ] 55 | } 56 | ], 57 | "references":[ 58 | { 59 | "url":"string for url location", 60 | "name":"string Name of reference i.e. 
if advisory has name", 61 | "publish_date":"DATE-TIMESTAMP of reference release to public" 62 | } 63 | ], 64 | "description":[ 65 | { 66 | "lang":"string ISO 639-2", 67 | "value":"string description of vulnerability" 68 | } 69 | ], 70 | "attack":[ 71 | { 72 | "attackers":[ 73 | { 74 | "extent":"string explaining extent of vulnerability", 75 | "authentication":"string stating whether authentication is needed for vulnerability", 76 | "user_assistance":"string stating whether user assistance is needed for vulnerability" 77 | } 78 | ], 79 | "impacts":[ 80 | "string of impacts","strings separated by commas" 81 | ], 82 | "attack_methods":[ 83 | { 84 | "vectors":[ 85 | "string list of vectors", "strings separated by commas" 86 | ], 87 | "components":[ 88 | "string list of components", "strings separated by commas" 89 | ], 90 | "capecs":"string of respective capec" 91 | } 92 | ] 93 | } 94 | ], 95 | "files":[ 96 | { 97 | "url":"url string", 98 | "import_time":"DATE-TIMESTAMP", 99 | "local_name":"string name of file" 100 | } 101 | ], 102 | "exploitation":{ 103 | "lang":"string ISO 639-2", 104 | "value":"string description of issue" 105 | }, 106 | "work_around":[ 107 | { 108 | "lang":"string ISO 639-2", 109 | "value":"string description of issue" 110 | } 111 | ], 112 | "time_line":[ 113 | { 114 | "time_stamp":"DATE-TIMESTAMP", 115 | "reference":{ 116 | "reference_name":"string", 117 | "reference_value":"string" 118 | }, 119 | "text":[ 120 | { 121 | "lang":"string ISO 639-2", 122 | "value":"string description of issue" 123 | } 124 | ] 125 | } 126 | ], 127 | "source":{ 128 | "discovered_by":"name of discover", 129 | "discovered_with":"name of parties involved", 130 | "verification":"string", 131 | "cna_chain":[ 132 | "string initial CNA", 133 | "string Parent CNA", 134 | "string root CNA" 135 | ] 136 | }, 137 | "conditions":[ 138 | "strings of conditions", 139 | "separated by commas" 140 | ], 141 | "notes":{ 142 | "lang":"string ISO 639-2" 143 | }, 144 | "credits":[ 145 | { 146 | 
"id":"string to identify person recieving credit", 147 | "role":[ 148 | { 149 | "discoverer":"string", 150 | "research_assist":"string", 151 | "exploit_code":"string" 152 | } 153 | ] 154 | } 155 | ], 156 | "impact_metrics":{ 157 | "cvss2":{ 158 | "vector":"string value for CVSS score ie. CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", 159 | "bm":{ 160 | "av":"string value", 161 | "ac":"string value", 162 | "au":"string value", 163 | "c":"string value", 164 | "i":"string value", 165 | "a":"string value", 166 | "score":"string value" 167 | }, 168 | "tm":{ 169 | "e":"string value", 170 | "rl":"string value", 171 | "rc":"string value", 172 | "score":"string value" 173 | }, 174 | "em":{ 175 | "cdp":"string value", 176 | "td":"string value", 177 | "cr":"string value", 178 | "ir":"string value", 179 | "ar":"string value", 180 | "score":"string value" 181 | } 182 | }, 183 | "cvss3":{ 184 | "vector":"string value for CVSS score ie. CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", 185 | "bm":{ 186 | "av":"string value", 187 | "ac":"string value", 188 | "pr":"string value", 189 | "ui":"string value", 190 | "scope":"string value", 191 | "c":"string value", 192 | "i":"string value", 193 | "a":"string value", 194 | "score":"string value" 195 | }, 196 | "tm":{ 197 | "e":"string value", 198 | "rl":"string value", 199 | "rc":"string value", 200 | "score":"string value" 201 | }, 202 | "em":{ 203 | "mav":"string value", 204 | "mac":"string value", 205 | "mpr":"string value", 206 | "mui":"string value", 207 | "ms":"string value", 208 | "mc":"string value", 209 | "mi":"string value", 210 | "ma":"string value", 211 | "cr":"string value", 212 | "ir":"string value", 213 | "ar":"string value", 214 | "score":"string value" 215 | } 216 | } 217 | } 218 | } -------------------------------------------------------------------------------- /schema/archive/v3.1/CVE_JSON_example_min-3.1.json: -------------------------------------------------------------------------------- 1 | { 2 | "data_version": 
"3.1", 3 | "cve_id":"CVE-YYYY-XXXXXX", 4 | "products": [ 5 | { 6 | "vendor_name": "string", 7 | "product": [ 8 | { 9 | "product_name": "string", 10 | "version": "string", 11 | "affects": "string =/>/=/!" 12 | } 13 | ] 14 | } 15 | ], 16 | "problem_types":[ 17 | { 18 | "description":[ 19 | { 20 | "lang":"string ISO 639-2", 21 | "value":"string description of problem_type" 22 | } 23 | ] 24 | } 25 | ], 26 | "references":[ 27 | { 28 | "url":"string for url location" 29 | } 30 | ], 31 | "description":[ 32 | { 33 | "lang":"string ISO 639-2", 34 | "value":"string description of vulnerability" 35 | } 36 | ] 37 | } -------------------------------------------------------------------------------- /schema/archive/v4.0/CVE_JSON_4.0_min_public.schema: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "http://json-schema.org/draft-04/schema#", 3 | 4 | "definitions": { 5 | "cve_id": { 6 | "type": "string", 7 | "pattern": "^CVE-[0-9]{4}-[0-9]{4,}$" 8 | }, 9 | "email_address": { 10 | "type": "string", 11 | "pattern": "^([a-zA-Z0-9_\\-\\.]+)@([a-zA-Z0-9_\\-\\.]+)\\.([a-zA-Z]{2,5})$" 12 | }, 13 | "product": { 14 | "type": "object", 15 | "required": [ "product_name", "version" ], 16 | "properties": { 17 | "product_name": { "type": "string" }, 18 | "version": { 19 | "type": "object", 20 | "required": [ "version_data" ], 21 | "properties": { 22 | "version_data": { 23 | "type": "array", 24 | "minItems": 1, 25 | "items": { 26 | "type": "object", 27 | "required": [ "version_value" ], 28 | "properties": { 29 | "version_value": { "type": "string" } 30 | } 31 | } 32 | } 33 | } 34 | } 35 | } 36 | }, 37 | "reference": { 38 | "type": "object", 39 | "required": [ "url" ], 40 | "properties": { 41 | "url": { 42 | "maxLength": 500, 43 | "type": "string", 44 | "pattern": "^(ftp|http)s?://\\S+$" 45 | } 46 | } 47 | }, 48 | "lang_string": { 49 | "type": "object", 50 | "required": [ "lang", "value" ], 51 | "properties": { 52 | "lang": { "type": "string" 
}, 53 | "value": { "type": "string", "maxLength": 3999 } 54 | } 55 | } 56 | }, 57 | 58 | "type": "object", 59 | "required": [ "data_type", "data_format", "data_version", "CVE_data_meta", "affects", "problemtype", "references", "description" ], 60 | "properties": { 61 | "data_type": { "enum": [ "CVE" ] }, 62 | "data_format": { "enum": [ "MITRE" ] }, 63 | "data_version": { "enum": [ "4.0" ] }, 64 | "CVE_data_meta": { 65 | "type":"object", 66 | "required": [ "ID", "ASSIGNER" ], 67 | "properties": { 68 | "ID": { "$ref": "#/definitions/cve_id" }, 69 | "ASSIGNER": { "$ref": "#/definitions/email_address" } 70 | } 71 | }, 72 | "affects": { 73 | "type": "object", 74 | "required": [ "vendor" ], 75 | "properties": { 76 | "vendor": { 77 | "type": "object", 78 | "required": [ "vendor_data" ], 79 | "properties": { 80 | "vendor_data": { 81 | "type": "array", 82 | "minItems": 1, 83 | "items": { 84 | "type": "object", 85 | "required": [ "vendor_name", "product" ], 86 | "properties": { 87 | "vendor_name": { "type": "string" }, 88 | "product": { 89 | "type": "object", 90 | "required": [ "product_data" ], 91 | "properties": { 92 | "product_data": { 93 | "type": "array", 94 | "minItems": 1, 95 | "items": { "$ref": "#/definitions/product" } 96 | } 97 | } 98 | } 99 | } 100 | } 101 | } 102 | } 103 | } 104 | } 105 | }, 106 | "problemtype": { 107 | "type": "object", 108 | "required": [ "problemtype_data" ], 109 | "properties": { 110 | "problemtype_data": { 111 | "type": "array", 112 | "minItems": 1, 113 | "items": { 114 | "type": "object", 115 | "required": [ "description" ], 116 | "properties": { 117 | "description": { 118 | "type": "array", 119 | "minItems": 1, 120 | "items": { "$ref": "#/definitions/lang_string" } 121 | } 122 | } 123 | } 124 | } 125 | } 126 | }, 127 | "references": { 128 | "type": "object", 129 | "required": [ "reference_data" ], 130 | "properties": { 131 | "reference_data": { 132 | "type": "array", 133 | "maxItems": 500, 134 | "minItems": 1, 135 | "items": { "$ref": 
"#/definitions/reference" } 136 | } 137 | } 138 | }, 139 | "description": { 140 | "type": "object", 141 | "required": [ "description_data" ], 142 | "properties": { 143 | "description_data": { 144 | "type": "array", 145 | "minItems": 1, 146 | "items": { "$ref": "#/definitions/lang_string" } 147 | } 148 | } 149 | } 150 | } 151 | } 152 | 153 | -------------------------------------------------------------------------------- /schema/archive/v4.0/CVE_JSON_4.0_min_reject.schema: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "http://json-schema.org/draft-04/schema#", 3 | 4 | "definitions": { 5 | "cve_id": { 6 | "type": "string", 7 | "pattern": "^CVE-[0-9]{4}-[0-9]{4,}$" 8 | }, 9 | "email_address": { 10 | "type": "string", 11 | "pattern": "^([a-zA-Z0-9_\\-\\.]+)@([a-zA-Z0-9_\\-\\.]+)\\.([a-zA-Z]{2,5})$" 12 | }, 13 | "lang_string": { 14 | "type": "object", 15 | "required": [ "lang", "value" ], 16 | "properties": { 17 | "lang": { "type": "string" }, 18 | "value": { "type": "string", "maxLength": 3999 } 19 | } 20 | } 21 | }, 22 | 23 | "type": "object", 24 | "required": [ "data_type", "data_format", "data_version", "CVE_data_meta", "description" ], 25 | "properties": { 26 | "data_type": { "enum": [ "CVE" ] }, 27 | "data_format": { "enum": [ "MITRE" ] }, 28 | "data_version": { "enum": [ "4.0" ] }, 29 | "CVE_data_meta": { 30 | "type":"object", 31 | "required": [ "ID", "ASSIGNER" ], 32 | "properties": { 33 | "ID": { "$ref": "#/definitions/cve_id" }, 34 | "ASSIGNER": { "$ref": "#/definitions/email_address" }, 35 | "STATE": { "enum": [ "REJECT" ] } 36 | } 37 | }, 38 | "affects": { 39 | "not": {} 40 | }, 41 | "description": { 42 | "type": "object", 43 | "required": [ "description_data" ], 44 | "properties": { 45 | "description_data": { 46 | "type": "array", 47 | "minItems": 1, 48 | "items": { "$ref": "#/definitions/lang_string" } 49 | } 50 | } 51 | }, 52 | "problemtype": { 53 | "not": {} 54 | }, 55 | "references": { 56 | "not": 
{} 57 | } 58 | } 59 | } 60 | 61 | -------------------------------------------------------------------------------- /schema/archive/v4.0/CVE_JSON_4.0_min_reserved.schema: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "http://json-schema.org/draft-04/schema#", 3 | 4 | "definitions": { 5 | "cve_id": { 6 | "type": "string", 7 | "pattern": "^CVE-[0-9]{4}-[0-9]{4,}$" 8 | }, 9 | "email_address": { 10 | "type": "string", 11 | "pattern": "^([a-zA-Z0-9_\\-\\.]+)@([a-zA-Z0-9_\\-\\.]+)\\.([a-zA-Z]{2,5})$" 12 | }, 13 | "lang_string": { 14 | "type": "object", 15 | "required": [ "lang", "value" ], 16 | "properties": { 17 | "lang": { "type": "string" }, 18 | "value": { "type": "string", "maxLength": 3999 } 19 | } 20 | } 21 | }, 22 | 23 | "type": "object", 24 | "required": [ "data_type", "data_format", "data_version", "CVE_data_meta", "description" ], 25 | "properties": { 26 | "data_type": { "enum": [ "CVE" ] }, 27 | "data_format": { "enum": [ "MITRE" ] }, 28 | "data_version": { "enum": [ "4.0" ] }, 29 | "CVE_data_meta": { 30 | "type":"object", 31 | "required": [ "ID", "ASSIGNER" ], 32 | "properties": { 33 | "ID": { "$ref": "#/definitions/cve_id" }, 34 | "ASSIGNER": { "$ref": "#/definitions/email_address" }, 35 | "STATE": { "enum": [ "RESERVED" ] } 36 | } 37 | }, 38 | "affects": { 39 | "not": {} 40 | }, 41 | "description": { 42 | "type": "object", 43 | "required": [ "description_data" ], 44 | "properties": { 45 | "description_data": { 46 | "type": "array", 47 | "minItems": 1, 48 | "items": { "$ref": "#/definitions/lang_string" } 49 | } 50 | } 51 | }, 52 | "problemtype": { 53 | "not": {} 54 | }, 55 | "references": { 56 | "not": {} 57 | } 58 | } 59 | } 60 | 61 | -------------------------------------------------------------------------------- /schema/archive/v5.0/docs/cnaContainer-advanced-example.json: -------------------------------------------------------------------------------- 1 | { 2 | "cnaContainer": { 3 | "title": 
"Buffer overflow in Example Enterprise allows Privilege Escalation.", 4 | "datePublic": "2021-09-08T16:24:00.000Z", 5 | "problemTypes": [ 6 | { 7 | "descriptions": [ 8 | { 9 | "lang": "en", 10 | "cweId": "CWE-78", 11 | "description": "CWE-78 OS Command Injection", 12 | "type": "CWE" 13 | } 14 | ] 15 | } 16 | ], 17 | "impacts": [ 18 | { 19 | "capecId": "CAPEC-233", 20 | "descriptions": [ 21 | { 22 | "lang": "en", 23 | "value": "CAPEC-233 Privilege Escalation" 24 | } 25 | ] 26 | } 27 | ], 28 | "affected": [ 29 | { 30 | "vendor": "Example.org", 31 | "product": "Example Enterprise", 32 | "platforms": [ 33 | "Windows", 34 | "MacOS", 35 | "XT-4500" 36 | ], 37 | "collectionURL": "https://example.org/packages", 38 | "packageName": "example_enterprise", 39 | "repo": "git://example.org/source/example_enterprise", 40 | "modules": [ 41 | "Web-Management-Interface" 42 | ], 43 | "programFiles": [ 44 | "http://example_enterprise/example.php" 45 | ], 46 | "programRoutines": [ 47 | { 48 | "name": "parseFilename" 49 | } 50 | ], 51 | "versions": [ 52 | { 53 | "version": "1.0.0", 54 | "status": "affected", 55 | "lessThan": "1.0.6", 56 | "versionType": "semver" 57 | }, 58 | { 59 | "version": "2.1.0", 60 | "status": "unaffected", 61 | "lessThan": "2.1.*", 62 | "changes": [ 63 | { 64 | "at": "2.1.6", 65 | "status": "affected" 66 | }, 67 | { 68 | "at": "2.1.9", 69 | "status": "unaffected" 70 | } 71 | ], 72 | "versionType": "semver" 73 | }, 74 | { 75 | "version": "3.0.0", 76 | "status": "unaffected", 77 | "lessThan": "*", 78 | "versionType": "semver" 79 | } 80 | ], 81 | "defaultStatus": "unaffected" 82 | } 83 | ], 84 | "descriptions": [ 85 | { 86 | "lang": "en", 87 | "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, macOS, and XT-4500 allows remote unauthenticated attackers to escalate privileges. 
This issue affects: 1.0 versions before 1.0.6, 2.1 versions from 2.1.6 until 2.1.9.", 88 | "supportingMedia": [ 89 | { 90 | "type": "text/html", 91 | "base64": false, 92 | "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, macOS, and XT-4500 allows remote unauthenticated attackers to escalate privileges.

This issue affects:
" 93 | } 94 | ] 95 | }, 96 | { 97 | "lang": "eo", 98 | "value": "OS-komand-injekta vundebleco parseFilename funkcio de example.php en la Web Administrado-Interfaco de Example.org Example Enterprise ĉe Windows, macOS kaj XT-4500 permesas al malproksimaj neaŭtentikigitaj atakantoj eskaladi privilegiojn. Ĉi tiu afero efikas: 1.0-versioj antaŭ 1.0.6, 2.1-versioj de 2.16 ĝis 2.1.9.", 99 | "supportingMedia": [ 100 | { 101 | "type": "text/html", 102 | "base64": false, 103 | "value": "OS-komand-injekta vundebleco parseFilename funkcio de example.php en la Web Administrado-Interfaco de Example.org Example Enterprise ĉe Windows, macOS kaj XT-4500 permesas al malproksimaj neaŭtentikigitaj atakantoj eskaladi privilegiojn.

Ĉi tiu afero efikas:
" 104 | } 105 | ] 106 | } 107 | ], 108 | "metrics": [ 109 | { 110 | "format": "CVSS", 111 | "scenarios": [ 112 | { 113 | "lang": "en", 114 | "value": "GENERAL" 115 | } 116 | ], 117 | "cvssV3_1": { 118 | "version": "3.1", 119 | "attackVector": "NETWORK", 120 | "attackComplexity": "LOW", 121 | "privilegesRequired": "NONE", 122 | "userInteraction": "NONE", 123 | "scope": "UNCHANGED", 124 | "confidentialityImpact": "HIGH", 125 | "integrityImpact": "HIGH", 126 | "availabilityImpact": "HIGH", 127 | "baseScore": 9.8, 128 | "baseSeverity": "CRITICAL", 129 | "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" 130 | } 131 | }, 132 | { 133 | "format": "CVSS", 134 | "scenarios": [ 135 | { 136 | "lang": "en", 137 | "value": "If the enhanced host protection mode is turned on, this vulnerability can only be exploited to run os commands as user 'nobody'. Privilege escalation is not possible." 138 | } 139 | ], 140 | "cvssV3_1": { 141 | "version": "3.1", 142 | "attackVector": "NETWORK", 143 | "attackComplexity": "LOW", 144 | "privilegesRequired": "NONE", 145 | "userInteraction": "NONE", 146 | "scope": "UNCHANGED", 147 | "confidentialityImpact": "LOW", 148 | "integrityImpact": "LOW", 149 | "availabilityImpact": "LOW", 150 | "baseScore": 7.3, 151 | "baseSeverity": "HIGH", 152 | "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" 153 | } 154 | } 155 | ], 156 | "solutions": [ 157 | { 158 | "lang": "en", 159 | "value": "This issue is fixed in 1.0.6, 2.1.9, and 3.0.0 and all later versions.", 160 | "supportingMedia": [ 161 | { 162 | "type": "text/html", 163 | "base64": false, 164 | "value": "This issue is fixed in 1.0.6, 2.1.9, and 3.0.0 and all later versions." 
165 | } 166 | ] 167 | } 168 | ], 169 | "workarounds": [ 170 | { 171 | "lang": "en", 172 | "value": "Disable the web management interface with the command\n> service disable webmgmt", 173 | "supportingMedia": [ 174 | { 175 | "type": "text/html", 176 | "base64": false, 177 | "value": "Disable the web management interface with the command
> service disable webmgmt
" 178 | } 179 | ] 180 | } 181 | ], 182 | "configurations": [ 183 | { 184 | "lang": "en", 185 | "value": "Web management interface should be enabled.\n> service status webmgmt\nwebmgmt running", 186 | "supportingMedia": [ 187 | { 188 | "type": "text/html", 189 | "base64": false, 190 | "value": "Web management interface should be enabled.
> service status webmgmt
webmgmt running
" 191 | } 192 | ] 193 | } 194 | ], 195 | "exploits": [ 196 | { 197 | "lang": "en", 198 | "value": "Example.org is not aware of any malicious exploitation of the issue however exploits targeting this issue are publicly available.", 199 | "supportingMedia": [ 200 | { 201 | "type": "text/html", 202 | "base64": false, 203 | "value": "Example.org is not aware of any malicious exploitation of the issue however exploits targeting this issue are publicly available." 204 | } 205 | ] 206 | } 207 | ], 208 | "timeline": [ 209 | { 210 | "time": "2001-09-01T07:31:00.000Z", 211 | "lang": "en", 212 | "value": "Issue discovered by Alice using Acme Autofuzz" 213 | }, 214 | { 215 | "time": "2021-09-02T16:36:00.000Z", 216 | "lang": "en", 217 | "value": "Confirmed by Bob" 218 | }, 219 | { 220 | "time": "2021-09-07T16:37:00.000Z", 221 | "lang": "en", 222 | "value": "Fixes released" 223 | } 224 | ], 225 | "credits": [ 226 | { 227 | "lang": "en", 228 | "value": "Alice", 229 | "type": "finder" 230 | }, 231 | { 232 | "lang": "en", 233 | "value": "Bob", 234 | "type": "analyst" 235 | }, 236 | { 237 | "lang": "en", 238 | "value": "Acme Autofuzz", 239 | "type": "tool" 240 | } 241 | ], 242 | "references": [ 243 | { 244 | "url": "https://example.org/ESA-22-11-CVE-1337-1234", 245 | "name": "ESA-22-11", 246 | "tags": [ 247 | "vendor-advisory" 248 | ] 249 | }, 250 | { 251 | "url": "https://example.com/blog/alice/pwning_example_enterprise", 252 | "name": "Pwning Example Enterprise", 253 | "tags": [ 254 | "technical-description", 255 | "third-party-advisory" 256 | ] 257 | }, 258 | { 259 | "url": "https://example.org/bugs/EXAMPLE-1234", 260 | "name": "EXAMPLE-1234", 261 | "tags": [ 262 | "issue-tracking" 263 | ] 264 | }, 265 | { 266 | "url": "https://example.org/ExampleEnterprise", 267 | "tags": [ 268 | "product" 269 | ] 270 | } 271 | ], 272 | "source": { 273 | "defects": [ 274 | "EXAMPLE-1234" 275 | ], 276 | "advisory": "ESA-22-11", 277 | "discovery": "EXTERNAL" 278 | }, 279 | "taxonomyMappings": [ 
280 | { 281 | "taxonomyName": "ATT&CK", 282 | "taxonomyVersion": "v9", 283 | "taxonomyRelations": [ 284 | { 285 | "taxonomyId": "T1190", 286 | "relationshipName": "mitigated by", 287 | "relationshipValue": "M1048" 288 | } 289 | ] 290 | } 291 | ] 292 | } 293 | } 294 | -------------------------------------------------------------------------------- /schema/archive/v5.0/docs/cnaContainer-basic-example.json: -------------------------------------------------------------------------------- 1 | { 2 | "cnaContainer": { 3 | "problemTypes": [ 4 | { 5 | "descriptions": [ 6 | { 7 | "lang": "en", 8 | "description": "CWE-78 OS Command Injection" 9 | } 10 | ] 11 | } 12 | ], 13 | "affected": [ 14 | { 15 | "vendor": "Example.org", 16 | "product": "Example Enterprise", 17 | "versions": [ 18 | { 19 | "version": "1.0.0", 20 | "status": "affected", 21 | "lessThan": "1.0.6", 22 | "versionType": "semver" 23 | } 24 | ], 25 | "defaultStatus": "unaffected" 26 | } 27 | ], 28 | "descriptions": [ 29 | { 30 | "lang": "en", 31 | "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." 
32 | } 33 | ], 34 | "references": [ 35 | { 36 | "url": "https://example.org/ESA-22-11-CVE-1337-1234" 37 | } 38 | ] 39 | } 40 | } 41 | -------------------------------------------------------------------------------- /schema/archive/v5.0/docs/full-record-basic-example.json: -------------------------------------------------------------------------------- 1 | { 2 | "dataType": "CVE_RECORD", 3 | "dataVersion": "5.0", 4 | "cveMetadata": { 5 | "cveId": "CVE-1337-1234", 6 | "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", 7 | "state": "PUBLISHED" 8 | }, 9 | "containers": { 10 | "cna": { 11 | "providerMetadata": { 12 | "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" 13 | }, 14 | "problemTypes": [ 15 | { 16 | "descriptions": [ 17 | { 18 | "lang": "en", 19 | "description": "CWE-78 OS Command Injection" 20 | } 21 | ] 22 | } 23 | ], 24 | "affected": [ 25 | { 26 | "vendor": "Example.org", 27 | "product": "Example Enterprise", 28 | "versions": [ 29 | { 30 | "version": "1.0.0", 31 | "status": "affected", 32 | "lessThan": "1.0.6", 33 | "versionType": "semver" 34 | } 35 | ], 36 | "defaultStatus": "unaffected" 37 | } 38 | ], 39 | "descriptions": [ 40 | { 41 | "lang": "en", 42 | "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." 
43 | } 44 | ], 45 | "references": [ 46 | { 47 | "url": "https://example.org/ESA-22-11-CVE-1337-1234" 48 | } 49 | ] 50 | } 51 | } 52 | } -------------------------------------------------------------------------------- /schema/archive/v5.0/docs/schema_doc.css: -------------------------------------------------------------------------------- 1 | body { 2 | font: 16px/1.5em "Overpass", "Open Sans", Helvetica, sans-serif; 3 | color: #333; 4 | font-weight: 300; 5 | padding: 40px; 6 | } 7 | 8 | .btn.btn-link { 9 | font-size: 18px; 10 | } 11 | 12 | .jsfh-animated-property { 13 | animation: eclair; 14 | animation-iteration-count: 1; 15 | animation-fill-mode: forwards; 16 | animation-duration: .75s; 17 | 18 | } 19 | 20 | @keyframes eclair { 21 | 0%,100% { 22 | transform: scale(1); 23 | } 24 | 50% { 25 | transform: scale(1.03); 26 | } 27 | } 28 | 29 | .btn.btn-primary { 30 | margin: 10px; 31 | } 32 | 33 | .btn.example-show.collapsed:before { 34 | content: "show" 35 | } 36 | 37 | .btn.example-show:before { 38 | content: "hide" 39 | } 40 | 41 | .description.collapse:not(.show) { 42 | max-height: 100px !important; 43 | overflow: hidden; 44 | 45 | display: -webkit-box; 46 | -webkit-line-clamp: 2; 47 | -webkit-box-orient: vertical; 48 | } 49 | 50 | .description.collapsing { 51 | min-height: 100px !important; 52 | } 53 | 54 | .collapse-description-link.collapsed:after { 55 | content: '+ Read More'; 56 | } 57 | 58 | .collapse-description-link:not(.collapsed):after { 59 | content: '- Read Less'; 60 | } 61 | 62 | .badge { 63 | font-size: 100%; 64 | margin-bottom: 0.5rem; 65 | margin-top: 0.5rem; 66 | } 67 | 68 | .badge.value-type { 69 | font-size: 120%; 70 | margin-right: 5px; 71 | margin-bottom: 10px; 72 | } 73 | 74 | 75 | .badge.default-value { 76 | font-size: 120%; 77 | margin-left: 5px; 78 | margin-bottom: 10px; 79 | } 80 | 81 | .badge.restriction { 82 | display: inline-block; 83 | } 84 | 85 | 
.badge.required-property,.badge.deprecated-property,.badge.pattern-property,.badge.no-additional { 86 | font-size: 100%; 87 | margin-left: 10px; 88 | } 89 | 90 | .accordion div.card:only-child { 91 | border-bottom: 1px solid rgba(0, 0, 0, 0.125); 92 | } 93 | 94 | .examples { 95 | padding: 1rem !important; 96 | } 97 | 98 | .examples pre { 99 | margin-bottom: 0; 100 | } 101 | 102 | .highlight.jumbotron { 103 | padding: 1rem !important; 104 | } 105 | 106 | .generated-by-footer { 107 | margin-top: 1em; 108 | text-align: right; 109 | } 110 | 111 | /* From https://github.com/richleland/pygments-css/blob/master/friendly.css, see https://github.com/trentm/python-markdown2/wiki/fenced-code-blocks */ 112 | .highlight { background: #e9ecef; } /* Changed from #f0f0f0 in the original style to be the same as bootstrap's jumbotron */ 113 | .highlight .hll { background-color: #ffffcc } 114 | .highlight .c { color: #60a0b0; font-style: italic } /* Comment */ 115 | .highlight .err { border: 1px solid #FF0000 } /* Error */ 116 | .highlight .k { color: #007020; font-weight: bold } /* Keyword */ 117 | .highlight .o { color: #666666 } /* Operator */ 118 | .highlight .ch { color: #60a0b0; font-style: italic } /* Comment.Hashbang */ 119 | .highlight .cm { color: #60a0b0; font-style: italic } /* Comment.Multiline */ 120 | .highlight .cp { color: #007020 } /* Comment.Preproc */ 121 | .highlight .cpf { color: #60a0b0; font-style: italic } /* Comment.PreprocFile */ 122 | .highlight .c1 { color: #60a0b0; font-style: italic } /* Comment.Single */ 123 | .highlight .cs { color: #60a0b0; background-color: #fff0f0 } /* Comment.Special */ 124 | .highlight .gd { color: #A00000 } /* Generic.Deleted */ 125 | .highlight .ge { font-style: italic } /* Generic.Emph */ 126 | .highlight .gr { color: #FF0000 } /* Generic.Error */ 127 | .highlight .gh { color: #000080; font-weight: bold } /* Generic.Heading */ 128 | .highlight .gi { color: #00A000 } /* Generic.Inserted */ 129 | .highlight .go { color: #888888 
} /* Generic.Output */ 130 | .highlight .gp { color: #c65d09; font-weight: bold } /* Generic.Prompt */ 131 | .highlight .gs { font-weight: bold } /* Generic.Strong */ 132 | .highlight .gu { color: #800080; font-weight: bold } /* Generic.Subheading */ 133 | .highlight .gt { color: #0044DD } /* Generic.Traceback */ 134 | .highlight .kc { color: #007020; font-weight: bold } /* Keyword.Constant */ 135 | .highlight .kd { color: #007020; font-weight: bold } /* Keyword.Declaration */ 136 | .highlight .kn { color: #007020; font-weight: bold } /* Keyword.Namespace */ 137 | .highlight .kp { color: #007020 } /* Keyword.Pseudo */ 138 | .highlight .kr { color: #007020; font-weight: bold } /* Keyword.Reserved */ 139 | .highlight .kt { color: #902000 } /* Keyword.Type */ 140 | .highlight .m { color: #40a070 } /* Literal.Number */ 141 | .highlight .s { color: #4070a0 } /* Literal.String */ 142 | .highlight .na { color: #4070a0 } /* Name.Attribute */ 143 | .highlight .nb { color: #007020 } /* Name.Builtin */ 144 | .highlight .nc { color: #0e84b5; font-weight: bold } /* Name.Class */ 145 | .highlight .no { color: #60add5 } /* Name.Constant */ 146 | .highlight .nd { color: #555555; font-weight: bold } /* Name.Decorator */ 147 | .highlight .ni { color: #d55537; font-weight: bold } /* Name.Entity */ 148 | .highlight .ne { color: #007020 } /* Name.Exception */ 149 | .highlight .nf { color: #06287e } /* Name.Function */ 150 | .highlight .nl { color: #002070; font-weight: bold } /* Name.Label */ 151 | .highlight .nn { color: #0e84b5; font-weight: bold } /* Name.Namespace */ 152 | .highlight .nt { color: #062873; font-weight: bold } /* Name.Tag */ 153 | .highlight .nv { color: #bb60d5 } /* Name.Variable */ 154 | .highlight .ow { color: #007020; font-weight: bold } /* Operator.Word */ 155 | .highlight .w { color: #bbbbbb } /* Text.Whitespace */ 156 | .highlight .mb { color: #40a070 } /* Literal.Number.Bin */ 157 | .highlight .mf { color: #40a070 } /* Literal.Number.Float */ 158 | .highlight 
.mh { color: #40a070 } /* Literal.Number.Hex */ 159 | .highlight .mi { color: #40a070 } /* Literal.Number.Integer */ 160 | .highlight .mo { color: #40a070 } /* Literal.Number.Oct */ 161 | .highlight .sa { color: #4070a0 } /* Literal.String.Affix */ 162 | .highlight .sb { color: #4070a0 } /* Literal.String.Backtick */ 163 | .highlight .sc { color: #4070a0 } /* Literal.String.Char */ 164 | .highlight .dl { color: #4070a0 } /* Literal.String.Delimiter */ 165 | .highlight .sd { color: #4070a0; font-style: italic } /* Literal.String.Doc */ 166 | .highlight .s2 { color: #4070a0 } /* Literal.String.Double */ 167 | .highlight .se { color: #4070a0; font-weight: bold } /* Literal.String.Escape */ 168 | .highlight .sh { color: #4070a0 } /* Literal.String.Heredoc */ 169 | .highlight .si { color: #70a0d0; font-style: italic } /* Literal.String.Interpol */ 170 | .highlight .sx { color: #c65d09 } /* Literal.String.Other */ 171 | .highlight .sr { color: #235388 } /* Literal.String.Regex */ 172 | .highlight .s1 { color: #4070a0 } /* Literal.String.Single */ 173 | .highlight .ss { color: #517918 } /* Literal.String.Symbol */ 174 | .highlight .bp { color: #007020 } /* Name.Builtin.Pseudo */ 175 | .highlight .fm { color: #06287e } /* Name.Function.Magic */ 176 | .highlight .vc { color: #bb60d5 } /* Name.Variable.Class */ 177 | .highlight .vg { color: #bb60d5 } /* Name.Variable.Global */ 178 | .highlight .vi { color: #bb60d5 } /* Name.Variable.Instance */ 179 | .highlight .vm { color: #bb60d5 } /* Name.Variable.Magic */ 180 | .highlight .il { color: #40a070 } /* Literal.Number.Integer.Long */ 181 | .examples, .highlight.jumbotron, .card-header { 182 | padding: 0rem !important; 183 | } 184 | .jumbotron { 185 | margin-bottom: 0px !important; 186 | } 187 | 188 | .badge { 189 | font-size: 80% !important; 190 | margin-bottom: 0px !important; 191 | } 192 | h2, h4, .h2, .h4 { 193 | font-size: 100% !important; 194 | } 195 | .btn.btn-link { 196 | font-size: 16px; 197 | } 198 | 
.property-name-button { 199 | padding: 0px 5px; 200 | } 201 | .btn.btn-primary { 202 | margin: 5px; 203 | } 204 | 205 | p { 206 | margin-bottom: 0px; 207 | } 208 | 209 | .list-group-item { 210 | padding: 3px 8px; 211 | } 212 | 213 | .pl-5, .card-body { 214 | padding-left: 0.5em !important; 215 | } 216 | 217 | #root h1:before { 218 | background: url("https://cve.mitre.org/images/cvelogobanner.png") no-repeat; 219 | background-size: contain; 220 | background-position-y: center; 221 | width: 120px; 222 | height: 30px; 223 | display: inline-block; 224 | content: ""; 225 | } 226 | 227 | span.description ~ p { 228 | display: inline-block; 229 | margin-right: 3px; 230 | } 231 | -------------------------------------------------------------------------------- /schema/archive/v5.0/docs/schema_doc.min.js: -------------------------------------------------------------------------------- 1 | /* flashElement(t): adds the "jsfh-animated-property" class to the element with id t and removes it again after 1000 ms. NOTE(review): myElement is assigned without a declaration, so in non-strict code it becomes an implicit global; overlapping calls share it and the timer clears the class on whichever element was assigned last. */function flashElement(t){myElement=document.getElementById(t),myElement.classList.add("jsfh-animated-property"),setTimeout(function(){myElement.classList.remove("jsfh-animated-property")},1e3)}/* setAnchor(t): calls history.pushState with an empty state object and t as the URL. */function setAnchor(t){history.pushState({},"",t)}/* anchorOnLoad(): reads window.location.hash, keeps the text before the first "?" and before the first "&", drops a leading "#", and passes a non-empty result to anchorLink. The value is used as read; nothing here decodes or validates it. */function anchorOnLoad(){let t=window.location.hash.split("?")[0].split("&")[0];"#"===t[0]&&(t=t.substr(1)),t.length>0&&anchorLink(t)}/* anchorLink(t): walks the element with id t and its ancestors, opens collapsed panels and activates tabs through the jQuery collapse("show") and tab("show") plugin calls (presumably Bootstrap's; confirm), then after 1000 ms scrolls the element into view and 500 ms later flashes it. NOTE(review): t reaches this function from the URL fragment via anchorOnLoad and is concatenated into the selector "#"+t without escaping, so a link whose fragment carries selector metacharacters can make the lookup throw or match elements other than the intended id. Check t against the id characters the generated docs actually use, or escape it (jQuery 3+ provides $.escapeSelector), before building the selector. Which jQuery version the page loads is not visible here; confirm before relying on its selector parsing. */function anchorLink(t){$("#"+t).parents().addBack().filter(".collapse:not(.show), .tab-pane, [role='tab']").each(function(t){if($(this).hasClass("collapse"))$(this).collapse("show");else if($(this).hasClass("tab-pane")){const t=$("a[href='#"+$(this).attr("id")+"']");t&&t.tab("show")}else"tab"===$(this).attr("role")&&$(this).tab("show")}),setTimeout(function(){let e=document.getElementById(t);e&&(e.scrollIntoView({block:"center",behavior:"smooth"}),setTimeout(function(){flashElement(t)},500))},1e3)}/* Delegated click handler for links whose href starts with "#": suppresses the default jump and records this.href with history.pushState instead. */$(document).on("click",'a[href^="#"]',function(t){t.preventDefault(),history.pushState({},"",this.href)}); --------------------------------------------------------------------------------
/schema/archive/v5.0/imports/cvss/README.md: -------------------------------------------------------------------------------- 1 | The files in this folder are included here as a stable mirror of the CVSS JSON schemas [maintained](https://www.first.org/cvss/data-representations) by the [Forum of Incident Response and Security Teams](https://www.first.org/) (FIRST). -------------------------------------------------------------------------------- /schema/archive/v5.0/imports/cvss/cvss-v2.0.json: -------------------------------------------------------------------------------- 1 | { 2 | "license": [ 3 | "Copyright (c) 2017, FIRST.ORG, INC.", 4 | "All rights reserved.", 5 | "", 6 | "Redistribution and use in source and binary forms, with or without modification, are permitted provided that the ", 7 | "following conditions are met:", 8 | "1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following ", 9 | " disclaimer.", 10 | "2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the ", 11 | " following disclaimer in the documentation and/or other materials provided with the distribution.", 12 | "3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote ", 13 | " products derived from this software without specific prior written permission.", 14 | "", 15 | "THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 'AS IS' AND ANY EXPRESS OR IMPLIED WARRANTIES, ", 16 | "INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ", 17 | "DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ", 18 | "SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ", 19 | "SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, ", 20 | "WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE ", 21 | "OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE." 22 | ], 23 | 24 | "$schema": "http://json-schema.org/draft-04/schema#", 25 | "title": "JSON Schema for Common Vulnerability Scoring System version 2.0", 26 | "id": "https://www.first.org/cvss/cvss-v2.0.json?20170531", 27 | "type": "object", 28 | "definitions": { 29 | "accessVectorType": { 30 | "type": "string", 31 | "enum": [ "NETWORK", "ADJACENT_NETWORK", "LOCAL" ] 32 | }, 33 | "accessComplexityType": { 34 | "type": "string", 35 | "enum": [ "HIGH", "MEDIUM", "LOW" ] 36 | }, 37 | "authenticationType": { 38 | "type": "string", 39 | "enum": [ "MULTIPLE", "SINGLE", "NONE" ] 40 | }, 41 | "ciaType": { 42 | "type": "string", 43 | "enum": [ "NONE", "PARTIAL", "COMPLETE" ] 44 | }, 45 | "exploitabilityType": { 46 | "type": "string", 47 | "enum": [ "UNPROVEN", "PROOF_OF_CONCEPT", "FUNCTIONAL", "HIGH", "NOT_DEFINED" ] 48 | }, 49 | "remediationLevelType": { 50 | "type": "string", 51 | "enum": [ "OFFICIAL_FIX", "TEMPORARY_FIX", "WORKAROUND", "UNAVAILABLE", "NOT_DEFINED" ] 52 | }, 53 | "reportConfidenceType": { 54 | "type": "string", 55 | "enum": [ "UNCONFIRMED", "UNCORROBORATED", "CONFIRMED", "NOT_DEFINED" ] 56 | }, 57 | "collateralDamagePotentialType": { 58 | "type": "string", 59 | "enum": [ "NONE", "LOW", "LOW_MEDIUM", "MEDIUM_HIGH", "HIGH", "NOT_DEFINED" ] 60 | }, 61 | "targetDistributionType": { 62 | "type": "string", 63 | "enum": [ "NONE", "LOW", "MEDIUM", "HIGH", "NOT_DEFINED" ] 64 | }, 65 | "ciaRequirementType": { 66 | "type": 
"string", 67 | "enum": [ "LOW", "MEDIUM", "HIGH", "NOT_DEFINED" ] 68 | }, 69 | "scoreType": { 70 | "type": "number", 71 | "minimum": 0, 72 | "maximum": 10 73 | } 74 | }, 75 | "properties": { 76 | "version": { 77 | "description": "CVSS Version", 78 | "type": "string", 79 | "enum": [ "2.0" ] 80 | }, 81 | "vectorString": { 82 | "type": "string", 83 | "pattern": "^((AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))/)*(AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))$" 84 | }, 85 | "accessVector": { "$ref": "#/definitions/accessVectorType" }, 86 | "accessComplexity": { "$ref": "#/definitions/accessComplexityType" }, 87 | "authentication": { "$ref": "#/definitions/authenticationType" }, 88 | "confidentialityImpact": { "$ref": "#/definitions/ciaType" }, 89 | "integrityImpact": { "$ref": "#/definitions/ciaType" }, 90 | "availabilityImpact": { "$ref": "#/definitions/ciaType" }, 91 | "baseScore": { "$ref": "#/definitions/scoreType" }, 92 | "exploitability": { "$ref": "#/definitions/exploitabilityType" }, 93 | "remediationLevel": { "$ref": "#/definitions/remediationLevelType" }, 94 | "reportConfidence": { "$ref": "#/definitions/reportConfidenceType" }, 95 | "temporalScore": { "$ref": "#/definitions/scoreType" }, 96 | "collateralDamagePotential": { "$ref": "#/definitions/collateralDamagePotentialType" }, 97 | "targetDistribution": { "$ref": "#/definitions/targetDistributionType" }, 98 | "confidentialityRequirement": { "$ref": "#/definitions/ciaRequirementType" }, 99 | "integrityRequirement": { "$ref": "#/definitions/ciaRequirementType" }, 100 | "availabilityRequirement": { "$ref": "#/definitions/ciaRequirementType" }, 101 | "environmentalScore": { "$ref": "#/definitions/scoreType" } 102 | }, 103 | "required": [ "version", "vectorString", "baseScore" ] 104 | } 105 | 
-------------------------------------------------------------------------------- /schema/archive/v5.0/imports/cvss/cvss-v3.0.json: -------------------------------------------------------------------------------- 1 | { 2 | "license": [ 3 | "Copyright (c) 2017, FIRST.ORG, INC.", 4 | "All rights reserved.", 5 | "", 6 | "Redistribution and use in source and binary forms, with or without modification, are permitted provided that the ", 7 | "following conditions are met:", 8 | "1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following ", 9 | " disclaimer.", 10 | "2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the ", 11 | " following disclaimer in the documentation and/or other materials provided with the distribution.", 12 | "3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote ", 13 | " products derived from this software without specific prior written permission.", 14 | "", 15 | "THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 'AS IS' AND ANY EXPRESS OR IMPLIED WARRANTIES, ", 16 | "INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ", 17 | "DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ", 18 | "SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ", 19 | "SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, ", 20 | "WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE ", 21 | "OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE." 
22 | ], 23 | 24 | "$schema": "http://json-schema.org/draft-04/schema#", 25 | "title": "JSON Schema for Common Vulnerability Scoring System version 3.0", 26 | "id": "https://www.first.org/cvss/cvss-v3.0.json?20170531", 27 | "type": "object", 28 | "definitions": { 29 | "attackVectorType": { 30 | "type": "string", 31 | "enum": [ "NETWORK", "ADJACENT_NETWORK", "LOCAL", "PHYSICAL" ] 32 | }, 33 | "modifiedAttackVectorType": { 34 | "type": "string", 35 | "enum": [ "NETWORK", "ADJACENT_NETWORK", "LOCAL", "PHYSICAL", "NOT_DEFINED" ] 36 | }, 37 | "attackComplexityType": { 38 | "type": "string", 39 | "enum": [ "HIGH", "LOW" ] 40 | }, 41 | "modifiedAttackComplexityType": { 42 | "type": "string", 43 | "enum": [ "HIGH", "LOW", "NOT_DEFINED" ] 44 | }, 45 | "privilegesRequiredType": { 46 | "type": "string", 47 | "enum": [ "HIGH", "LOW", "NONE" ] 48 | }, 49 | "modifiedPrivilegesRequiredType": { 50 | "type": "string", 51 | "enum": [ "HIGH", "LOW", "NONE", "NOT_DEFINED" ] 52 | }, 53 | "userInteractionType": { 54 | "type": "string", 55 | "enum": [ "NONE", "REQUIRED" ] 56 | }, 57 | "modifiedUserInteractionType": { 58 | "type": "string", 59 | "enum": [ "NONE", "REQUIRED", "NOT_DEFINED" ] 60 | }, 61 | "scopeType": { 62 | "type": "string", 63 | "enum": [ "UNCHANGED", "CHANGED" ] 64 | }, 65 | "modifiedScopeType": { 66 | "type": "string", 67 | "enum": [ "UNCHANGED", "CHANGED", "NOT_DEFINED" ] 68 | }, 69 | "ciaType": { 70 | "type": "string", 71 | "enum": [ "NONE", "LOW", "HIGH" ] 72 | }, 73 | "modifiedCiaType": { 74 | "type": "string", 75 | "enum": [ "NONE", "LOW", "HIGH", "NOT_DEFINED" ] 76 | }, 77 | "exploitCodeMaturityType": { 78 | "type": "string", 79 | "enum": [ "UNPROVEN", "PROOF_OF_CONCEPT", "FUNCTIONAL", "HIGH", "NOT_DEFINED" ] 80 | }, 81 | "remediationLevelType": { 82 | "type": "string", 83 | "enum": [ "OFFICIAL_FIX", "TEMPORARY_FIX", "WORKAROUND", "UNAVAILABLE", "NOT_DEFINED" ] 84 | }, 85 | "confidenceType": { 86 | "type": "string", 87 | "enum": [ "UNKNOWN", "REASONABLE", 
"CONFIRMED", "NOT_DEFINED" ] 88 | }, 89 | "ciaRequirementType": { 90 | "type": "string", 91 | "enum": [ "LOW", "MEDIUM", "HIGH", "NOT_DEFINED" ] 92 | }, 93 | "scoreType": { 94 | "type": "number", 95 | "minimum": 0, 96 | "maximum": 10 97 | }, 98 | "severityType": { 99 | "type": "string", 100 | "enum": [ "NONE", "LOW", "MEDIUM", "HIGH", "CRITICAL" ] 101 | } 102 | }, 103 | "properties": { 104 | "version": { 105 | "description": "CVSS Version", 106 | "type": "string", 107 | "enum": [ "3.0" ] 108 | }, 109 | "vectorString": { 110 | "type": "string", 111 | "pattern": "^CVSS:3[.]0/((AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$" 112 | }, 113 | "attackVector": { "$ref": "#/definitions/attackVectorType" }, 114 | "attackComplexity": { "$ref": "#/definitions/attackComplexityType" }, 115 | "privilegesRequired": { "$ref": "#/definitions/privilegesRequiredType" }, 116 | "userInteraction": { "$ref": "#/definitions/userInteractionType" }, 117 | "scope": { "$ref": "#/definitions/scopeType" }, 118 | "confidentialityImpact": { "$ref": "#/definitions/ciaType" }, 119 | "integrityImpact": { "$ref": "#/definitions/ciaType" }, 120 | "availabilityImpact": { "$ref": "#/definitions/ciaType" }, 121 | "baseScore": { "$ref": "#/definitions/scoreType" }, 122 | "baseSeverity": { "$ref": "#/definitions/severityType" }, 123 | "exploitCodeMaturity": { "$ref": "#/definitions/exploitCodeMaturityType" }, 124 | "remediationLevel": { "$ref": "#/definitions/remediationLevelType" }, 125 | "reportConfidence": { "$ref": "#/definitions/confidenceType" }, 126 | "temporalScore": { "$ref": "#/definitions/scoreType" }, 127 | "temporalSeverity": { "$ref": "#/definitions/severityType" }, 128 | "confidentialityRequirement": { 
"$ref": "#/definitions/ciaRequirementType" }, 129 | "integrityRequirement": { "$ref": "#/definitions/ciaRequirementType" }, 130 | "availabilityRequirement": { "$ref": "#/definitions/ciaRequirementType" }, 131 | "modifiedAttackVector": { "$ref": "#/definitions/modifiedAttackVectorType" }, 132 | "modifiedAttackComplexity": { "$ref": "#/definitions/modifiedAttackComplexityType" }, 133 | "modifiedPrivilegesRequired": { "$ref": "#/definitions/modifiedPrivilegesRequiredType" }, 134 | "modifiedUserInteraction": { "$ref": "#/definitions/modifiedUserInteractionType" }, 135 | "modifiedScope": { "$ref": "#/definitions/modifiedScopeType" }, 136 | "modifiedConfidentialityImpact": { "$ref": "#/definitions/modifiedCiaType" }, 137 | "modifiedIntegrityImpact": { "$ref": "#/definitions/modifiedCiaType" }, 138 | "modifiedAvailabilityImpact": { "$ref": "#/definitions/modifiedCiaType" }, 139 | "environmentalScore": { "$ref": "#/definitions/scoreType" }, 140 | "environmentalSeverity": { "$ref": "#/definitions/severityType" } 141 | }, 142 | "required": [ "version", "vectorString", "baseScore", "baseSeverity" ] 143 | } 144 | -------------------------------------------------------------------------------- /schema/archive/v5.0/imports/cvss/cvss-v3.1.json: -------------------------------------------------------------------------------- 1 | { 2 | "license": [ 3 | "Copyright (c) 2021, FIRST.ORG, INC.", 4 | "All rights reserved.", 5 | "", 6 | "Redistribution and use in source and binary forms, with or without modification, are permitted provided that the ", 7 | "following conditions are met:", 8 | "1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following ", 9 | " disclaimer.", 10 | "2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the ", 11 | " following disclaimer in the documentation and/or other materials provided with the distribution.", 12 | "3. 
Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote ", 13 | " products derived from this software without specific prior written permission.", 14 | "", 15 | "THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 'AS IS' AND ANY EXPRESS OR IMPLIED WARRANTIES, ", 16 | "INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ", 17 | "DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ", 18 | "SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ", 19 | "SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, ", 20 | "WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE ", 21 | "OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE." 
22 | ], 23 | 24 | "$schema": "http://json-schema.org/draft-07/schema#", 25 | "title": "JSON Schema for Common Vulnerability Scoring System version 3.1", 26 | "id": "https://www.first.org/cvss/cvss-v3.1.json?20210501", 27 | "type": "object", 28 | "definitions": { 29 | "attackVectorType": { 30 | "type": "string", 31 | "enum": [ "NETWORK", "ADJACENT_NETWORK", "LOCAL", "PHYSICAL" ] 32 | }, 33 | "modifiedAttackVectorType": { 34 | "type": "string", 35 | "enum": [ "NETWORK", "ADJACENT_NETWORK", "LOCAL", "PHYSICAL", "NOT_DEFINED" ] 36 | }, 37 | "attackComplexityType": { 38 | "type": "string", 39 | "enum": [ "HIGH", "LOW" ] 40 | }, 41 | "modifiedAttackComplexityType": { 42 | "type": "string", 43 | "enum": [ "HIGH", "LOW", "NOT_DEFINED" ] 44 | }, 45 | "privilegesRequiredType": { 46 | "type": "string", 47 | "enum": [ "HIGH", "LOW", "NONE" ] 48 | }, 49 | "modifiedPrivilegesRequiredType": { 50 | "type": "string", 51 | "enum": [ "HIGH", "LOW", "NONE", "NOT_DEFINED" ] 52 | }, 53 | "userInteractionType": { 54 | "type": "string", 55 | "enum": [ "NONE", "REQUIRED" ] 56 | }, 57 | "modifiedUserInteractionType": { 58 | "type": "string", 59 | "enum": [ "NONE", "REQUIRED", "NOT_DEFINED" ] 60 | }, 61 | "scopeType": { 62 | "type": "string", 63 | "enum": [ "UNCHANGED", "CHANGED" ] 64 | }, 65 | "modifiedScopeType": { 66 | "type": "string", 67 | "enum": [ "UNCHANGED", "CHANGED", "NOT_DEFINED" ] 68 | }, 69 | "ciaType": { 70 | "type": "string", 71 | "enum": [ "NONE", "LOW", "HIGH" ] 72 | }, 73 | "modifiedCiaType": { 74 | "type": "string", 75 | "enum": [ "NONE", "LOW", "HIGH", "NOT_DEFINED" ] 76 | }, 77 | "exploitCodeMaturityType": { 78 | "type": "string", 79 | "enum": [ "UNPROVEN", "PROOF_OF_CONCEPT", "FUNCTIONAL", "HIGH", "NOT_DEFINED" ] 80 | }, 81 | "remediationLevelType": { 82 | "type": "string", 83 | "enum": [ "OFFICIAL_FIX", "TEMPORARY_FIX", "WORKAROUND", "UNAVAILABLE", "NOT_DEFINED" ] 84 | }, 85 | "confidenceType": { 86 | "type": "string", 87 | "enum": [ "UNKNOWN", "REASONABLE", 
"CONFIRMED", "NOT_DEFINED" ] 88 | }, 89 | "ciaRequirementType": { 90 | "type": "string", 91 | "enum": [ "LOW", "MEDIUM", "HIGH", "NOT_DEFINED" ] 92 | }, 93 | "scoreType": { 94 | "type": "number", 95 | "minimum": 0, 96 | "maximum": 10 97 | }, 98 | "severityType": { 99 | "type": "string", 100 | "enum": [ "NONE", "LOW", "MEDIUM", "HIGH", "CRITICAL" ] 101 | } 102 | }, 103 | "properties": { 104 | "version": { 105 | "description": "CVSS Version", 106 | "type": "string", 107 | "enum": [ "3.1" ] 108 | }, 109 | "vectorString": { 110 | "type": "string", 111 | "pattern": "^CVSS:3[.]1/((AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$" 112 | }, 113 | "attackVector": { "$ref": "#/definitions/attackVectorType" }, 114 | "attackComplexity": { "$ref": "#/definitions/attackComplexityType" }, 115 | "privilegesRequired": { "$ref": "#/definitions/privilegesRequiredType" }, 116 | "userInteraction": { "$ref": "#/definitions/userInteractionType" }, 117 | "scope": { "$ref": "#/definitions/scopeType" }, 118 | "confidentialityImpact": { "$ref": "#/definitions/ciaType" }, 119 | "integrityImpact": { "$ref": "#/definitions/ciaType" }, 120 | "availabilityImpact": { "$ref": "#/definitions/ciaType" }, 121 | "baseScore": { "$ref": "#/definitions/scoreType" }, 122 | "baseSeverity": { "$ref": "#/definitions/severityType" }, 123 | "exploitCodeMaturity": { "$ref": "#/definitions/exploitCodeMaturityType" }, 124 | "remediationLevel": { "$ref": "#/definitions/remediationLevelType" }, 125 | "reportConfidence": { "$ref": "#/definitions/confidenceType" }, 126 | "temporalScore": { "$ref": "#/definitions/scoreType" }, 127 | "temporalSeverity": { "$ref": "#/definitions/severityType" }, 128 | "confidentialityRequirement": { 
"$ref": "#/definitions/ciaRequirementType" }, 129 | "integrityRequirement": { "$ref": "#/definitions/ciaRequirementType" }, 130 | "availabilityRequirement": { "$ref": "#/definitions/ciaRequirementType" }, 131 | "modifiedAttackVector": { "$ref": "#/definitions/modifiedAttackVectorType" }, 132 | "modifiedAttackComplexity": { "$ref": "#/definitions/modifiedAttackComplexityType" }, 133 | "modifiedPrivilegesRequired": { "$ref": "#/definitions/modifiedPrivilegesRequiredType" }, 134 | "modifiedUserInteraction": { "$ref": "#/definitions/modifiedUserInteractionType" }, 135 | "modifiedScope": { "$ref": "#/definitions/modifiedScopeType" }, 136 | "modifiedConfidentialityImpact": { "$ref": "#/definitions/modifiedCiaType" }, 137 | "modifiedIntegrityImpact": { "$ref": "#/definitions/modifiedCiaType" }, 138 | "modifiedAvailabilityImpact": { "$ref": "#/definitions/modifiedCiaType" }, 139 | "environmentalScore": { "$ref": "#/definitions/scoreType" }, 140 | "environmentalSeverity": { "$ref": "#/definitions/severityType" } 141 | }, 142 | "required": [ "version", "vectorString", "baseScore", "baseSeverity" ] 143 | } 144 | -------------------------------------------------------------------------------- /schema/archive/v5.0/support/CVE_4_to_5_converter/cve_record_dates.json.example: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "cve_identifier" : "CVE-2010-0001", 4 | "reserved_date" : "2010-06-07", 5 | "disclosure_date" : null, 6 | "populated_date" : "2010-08-08 05:00:00.000000", 7 | "history_date" : "2010-12-17 00:00:00.000000", 8 | "HType" : "Modified" 9 | }, 10 | { 11 | "cve_identifier" : "CVE-1999-7001", 12 | "reserved_date" : "1999-06-07", 13 | "disclosure_date" : null, 14 | "populated_date" : "2000-06-04 05:00:00.000000", 15 | "history_date" : "2005-11-12 00:00:00.000000", 16 | "HType" : "Modified" 17 | }, 18 | { 19 | "cve_identifier" : "CVE-2001-2001", 20 | "reserved_date" : "2001-06-07", 21 | "disclosure_date" : null, 22 | 
"populated_date" : "2002-02-04 05:00:00.000000", 23 | "history_date" : "2007-12-17 00:00:00.000000", 24 | "HType" : "Modified" 25 | }, 26 | { 27 | "cve_identifier" : "CVE-2008-3001", 28 | "reserved_date" : "2008-06-07", 29 | "disclosure_date" : null, 30 | "populated_date" : "2009-02-04 05:00:00.000000", 31 | "history_date" : "2008-03-21 10:00:00.000000", 32 | "HType" : "Modified" 33 | }, 34 | { 35 | "cve_identifier" : "CVE-2003-6001", 36 | "reserved_date" : "2003-06-07", 37 | "disclosure_date" : null, 38 | "populated_date" : "2004-02-04 05:00:00.000000", 39 | "history_date" : "2003-07-28 00:00:00.000000", 40 | "HType" : "Proposed" 41 | } 42 | ] 43 | -------------------------------------------------------------------------------- /schema/archive/v5.0/support/CVE_4_to_5_converter/ref_tag_map.json: -------------------------------------------------------------------------------- 1 | { 2 | "referenceMaps":[ 3 | { 4 | "v4":"AIXAPAR", 5 | "v5":["vendor-advisory"] 6 | },{ 7 | "v4":"ALLAIRE", 8 | "v5":["vendor-advisory"] 9 | },{ 10 | "v4":"APPLE", 11 | "v5":["vendor-advisory"] 12 | },{ 13 | "v4":"ASCEND", 14 | "v5":["vendor-advisory"] 15 | },{ 16 | "v4":"ATSTAKE", 17 | "v5":["vendor-advisory"] 18 | },{ 19 | "v4":"AUSCERT", 20 | "v5":["third-party-advisory"] 21 | },{ 22 | "v4":"BEA", 23 | "v5":["vendor-advisory"] 24 | },{ 25 | "v4":"BID", 26 | "v5":["vdb-entry"] 27 | },{ 28 | "v4":"BINDVIEW", 29 | "v5":["vendor-advisory"] 30 | },{ 31 | "v4":"BUGTRAQ", 32 | "v5":["mailing-list"] 33 | },{ 34 | "v4":"CALDERA", 35 | "v5":["vendor-advisory"] 36 | },{ 37 | "v4":"CERT", 38 | "v5":["third-party-advisory"] 39 | },{ 40 | "v4":"CERT-VN", 41 | "v5":["third-party-advisory"] 42 | },{ 43 | "v4":"CHECKPOINT", 44 | "v5":["vendor-advisory"] 45 | },{ 46 | "v4":"CIAC", 47 | "v5":["third-party-advisory", "government-resource"] 48 | },{ 49 | "v4":"CISCO", 50 | "v5":["vendor-advisory"] 51 | },{ 52 | "v4":"COMPAQ", 53 | "v5":["vendor-advisory"] 54 | },{ 55 | "v4":"CONECTIVA", 56 | 
"v5":["vendor-advisory"] 57 | },{ 58 | "v4":"DEBIAN", 59 | "v5":["vendor-advisory"] 60 | },{ 61 | "v4":"EEYE", 62 | "v5":["third-party-advisory"] 63 | },{ 64 | "v4":"EL8", 65 | "v5":["vendor-advisory"] 66 | },{ 67 | "v4":"ENGARDE", 68 | "v5":["vendor-advisory"] 69 | },{ 70 | "v4":"ERS", 71 | "v5":["vendor-advisory"] 72 | },{ 73 | "v4":"EXPLOIT-DB", 74 | "v5":["exploit"] 75 | },{ 76 | "v4":"FARMERVENEMA", 77 | "v5":["technical-description"] 78 | },{ 79 | "v4":"FEDORA", 80 | "v5":["vendor-advisory"] 81 | },{ 82 | "v4":"FREEBSD", 83 | "v5":["vendor-advisory"] 84 | },{ 85 | "v4":"FRSIRT", 86 | "v5":["third-party-advisory"] 87 | },{ 88 | "v4":"FULLDISC", 89 | "v5":["mailing-list"] 90 | },{ 91 | "v4":"GENTOO", 92 | "v5":["vendor-advisory"] 93 | },{ 94 | "v4":"HERT", 95 | "v5":["vendor-advisory"] 96 | },{ 97 | "v4":"HP", 98 | "v5":["vendor-advisory"] 99 | },{ 100 | "v4":"HPBUG", 101 | "v5":["issue-tracking"] 102 | },{ 103 | "v4":"IBM", 104 | "v5":["vendor-advisory"] 105 | },{ 106 | "v4":"IDEFENSE", 107 | "v5":["third-party-advisory"] 108 | },{ 109 | "v4":"IMMUNIX", 110 | "v5":["vendor-advisory"] 111 | },{ 112 | "v4":"INFOWAR", 113 | "v5":["third-party-advisory"] 114 | },{ 115 | "v4":"ISS", 116 | "v5":["third-party-advisory"] 117 | },{ 118 | "v4":"JVN", 119 | "v5":["third-party-advisory"] 120 | },{ 121 | "v4":"JVNDB", 122 | "v5":["third-party-advisory"] 123 | },{ 124 | "v4":"KSRT", 125 | "v5":["vendor-advisory"] 126 | },{ 127 | "v4":"L0PHT", 128 | "v5":["vendor-advisory"] 129 | },{ 130 | "v4":"MANDRAKE", 131 | "v5":["vendor-advisory"] 132 | },{ 133 | "v4":"MANDRIVA", 134 | "v5":["vendor-advisory"] 135 | },{ 136 | "v4":"MILW0RM", 137 | "v5":["exploit"] 138 | },{ 139 | "v4":"MLIST", 140 | "v5":["mailing-list"] 141 | },{ 142 | "v4":"MS", 143 | "v5":["vendor-advisory"] 144 | },{ 145 | "v4":"MSKB", 146 | "v5":["vendor-advisory"] 147 | },{ 148 | "v4":"NAI", 149 | "v5":["vendor-advisory"] 150 | },{ 151 | "v4":"NETBSD", 152 | "v5":["vendor-advisory"] 153 | },{ 154 | "v4":"NETECT", 
155 | "v5":["broken-link"] 156 | },{ 157 | "v4":"NTBUGTRAQ", 158 | "v5":["mailing-list"] 159 | },{ 160 | "v4":"OPENBSD", 161 | "v5":["vendor-advisory"] 162 | },{ 163 | "v4":"OPENPKG", 164 | "v5":["vendor-advisory"] 165 | },{ 166 | "v4":"OSVDB", 167 | "v5":["vdb-entry"] 168 | },{ 169 | "v4":"OVAL", 170 | "v5":["vdb-entry", "signature"] 171 | },{ 172 | "v4":"REDHAT", 173 | "v5":["vendor-advisory"] 174 | },{ 175 | "v4":"RSI", 176 | "v5":["vendor-advisory"] 177 | },{ 178 | "v4":"SCO", 179 | "v5":["vendor-advisory"] 180 | },{ 181 | "v4":"SECTRACK", 182 | "v5":["vdb-entry"] 183 | },{ 184 | "v4":"SECUNIA", 185 | "v5":["third-party-advisory"] 186 | },{ 187 | "v4":"SEKURE", 188 | "v5":["vendor-advisory"] 189 | },{ 190 | "v4":"SF-INCIDENTS", 191 | "v5":["mailing-list"] 192 | },{ 193 | "v4":"SGI", 194 | "v5":["vendor-advisory"] 195 | },{ 196 | "v4":"SLACKWARE", 197 | "v5":["vendor-advisory"] 198 | },{ 199 | "v4":"SNI", 200 | "v5":["vendor-advisory"] 201 | },{ 202 | "v4":"SREASON", 203 | "v5":["third-party-advisory"] 204 | },{ 205 | "v4":"SREASONRES", 206 | "v5":["third-party-advisory"] 207 | },{ 208 | "v4":"SUN", 209 | "v5":["vendor-advisory"] 210 | },{ 211 | "v4":"SUNALERT", 212 | "v5":["vendor-advisory"] 213 | },{ 214 | "v4":"SUNBUG", 215 | "v5":["issue-tracking"] 216 | },{ 217 | "v4":"SUSE", 218 | "v5":["vendor-advisory"] 219 | },{ 220 | "v4":"TRUSTIX", 221 | "v5":["vendor-advisory"] 222 | },{ 223 | "v4":"TURBO", 224 | "v5":["vendor-advisory"] 225 | },{ 226 | "v4":"UBUNTU", 227 | "v5":["vendor-advisory"] 228 | },{ 229 | "v4":"URL", 230 | "v5":["related"] 231 | },{ 232 | "v4":"VIM", 233 | "v5":["mailing-list"] 234 | },{ 235 | "v4":"VULN-DEV", 236 | "v5":["mailing-list"] 237 | },{ 238 | "v4":"VULNWATCH", 239 | "v5":["mailing-list"] 240 | },{ 241 | "v4":"VUPEN", 242 | "v5":["vdb-entry"] 243 | },{ 244 | "v4":"WIN2KSEC", 245 | "v5":["mailing-list"] 246 | },{ 247 | "v4":"XF", 248 | "v5":["vdb-entry"] 249 | } 250 | ] 251 | } 252 | 
-------------------------------------------------------------------------------- /schema/archive/v5.0/support/CVE_4_to_5_converter/settings_example.py: -------------------------------------------------------------------------------- 1 | # variables to access IDR services 2 | # the CPS acts on behalf of the secretariat (is `mitre`) 3 | # using the IDR requires cloning the `cve-services` repository, too 4 | AWG_IDR_ENDPOINT_HEALTHCHECK="/health-check" 5 | AWG_SERVICE_TIMEOUT = 30 6 | 7 | AWG_IDR_SERVICE_URL="http://localhost:3000/api" 8 | AWG_USER_CNA_NAME="cna_name" 9 | AWG_USER_KEY="123456-1234567-1234567-1234567" # placeholder only; this is your secret key, so keep the real value out of version control 10 | AWG_USER_UUID = "" # the UUID for your user 11 | AWG_USER_NAME="someone@somewhere.com" 12 | AWG_USER_ORG_UUID = "" # the UUID for your organization 13 | AWG_ORG_SHORT_NAME="" # the short name of your organization 14 | 15 | -------------------------------------------------------------------------------- /schema/archive/v5.0/support/CVE_4_to_5_converter/user_map_example.csv: -------------------------------------------------------------------------------- 1 | manual@hack.bob,fake,fake,cnaShortName,notacna 2 |  3 | -------------------------------------------------------------------------------- /schema/archive/v5.0/support/Node_Validator/.gitignore: -------------------------------------------------------------------------------- 1 | node_modules/ 2 | .DS_Store -------------------------------------------------------------------------------- /schema/archive/v5.0/support/Node_Validator/README.md: -------------------------------------------------------------------------------- 1 | # JSON validator for the CVE JSON schema v5.0 2 | 3 | ## Usage 4 | 5 | ##### 1. Download and install [node.js](https://nodejs.org/en/download/) 6 | 7 | ##### 2. Go to the node validator 8 | 9 | ``` 10 | cd cve_json_schema/v5.x_discuss/support/Node_Validator 11 | ``` 12 | 13 | ##### 3. Run the validator from the CLI 14 | 15 | To validate one or more files: 16 |
17 | 
18 |    $ node validate.js file-1.json file-2.json ... 
19 |    file-1.json is valid.
20 |    file-2.json is invalid!
21 |    Summary: Validation FAILED for 1 out of 2 files!.
22 | 
23 | 
24 | 25 | To validate a list of files in a file or on stdin: 26 |
27 |    $ cat list.txt | node validate.js -e 
28 | 
29 |    $ find directory1 -name '*.json' | node validate.js -e
30 |    directory1/file1.json is valid.
31 |    Summary: All files PASSED validation.
32 | 
33 | 34 | To validate a single file via stdin: 35 | ``` 36 | $ cat file.json | node validate.js 37 | ``` 38 | validate.js only prints its results; it does not set a non-zero exit status when a file is invalid, so scripts and CI jobs have to check the printed output. 39 | ##### 4. Use the validator in a Node.js program 40 | 41 | ``` 42 | const validateCve = require('./dist/cve5validator.js') 43 | 44 | if (validateCve(cveJsonObject)) { 45 | // cveJsonObject is valid 46 | } else { 47 | // cveJsonObject is invalid. Errors are in validateCve.errors 48 | } 49 | 50 | ``` 51 | 52 | ##### 5. Generate an HTML report of validation 53 | 54 | ``` 55 | $ find directory1 -name '*.json' | node reportValidation.js > output.html 56 | ``` 57 | 58 | Example report https://chandanbn.github.io/notes/cve5-validation-errors-Jan26.html 59 | reportValidation.js interpolates values read from the CVE records (the assigner and the converter warning text) into the HTML without escaping them, so treat a report built from records you do not control as untrusted content. 60 | ##### 6. Development: Build the standalone validator library dist/cve5validator.js compiled from the bundled CVE JSON schema. 61 | 62 | ``` 63 | $ npm install 64 | $ node build.js 65 | ``` 66 | 67 | This creates a standalone validator module at ./dist/cve5validator.js based on the bundled CVE JSON schema. 68 | When the schema is updated, a new validator module needs to be built using build.js; until then, dist/cve5validator.js keeps validating against the schema it was built from. 
69 | -------------------------------------------------------------------------------- /schema/archive/v5.0/support/Node_Validator/build.js: -------------------------------------------------------------------------------- 1 | const fs = require("fs") 2 | const path = require("path") 3 | const Ajv = require('ajv').default; 4 | const standaloneCode = require("ajv/dist/standalone").default 5 | const addFormats = require('ajv-formats').default; 6 | const schema = require("../../docs/CVE_JSON_5.0_bundled.json") 7 | 8 | function reduceSchema(o) { 9 | for(prop in o) { 10 | if(typeof(o[prop])=='object') { 11 | reduceSchema(o[prop]) 12 | } else if (prop == "description" && typeof(o[prop])=='string') { 13 | delete o[prop] 14 | } else if (prop == "title" && typeof(o[prop])=='string') { 15 | delete o[prop] 16 | } 17 | } 18 | return o; 19 | } 20 | var rSchema = reduceSchema(schema); 21 | 22 | const ajv = new Ajv({code: {source: true, optimize: 10}}) 23 | addFormats(ajv); 24 | const validate = ajv.compile(rSchema) 25 | let moduleCode = standaloneCode(ajv, validate) 26 | 27 | // Now you can write the module code to file 28 | fs.writeFileSync(path.join(__dirname+'/dist', "cve5validator.js"), moduleCode) 29 | -------------------------------------------------------------------------------- /schema/archive/v5.0/support/Node_Validator/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Node_Validator", 3 | "version": "1.1.0", 4 | "description": "", 5 | "main": "validate.js", 6 | "scripts": { 7 | "test": "echo \"Error: no test specified\" && exit 1" 8 | }, 9 | "keywords": [], 10 | "author": "", 11 | "license": "ISC", 12 | "dependencies": { 13 | "ajv": "^8.9.0", 14 | "ajv-formats": "^2.1.1" 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /schema/archive/v5.0/support/Node_Validator/reportValidation.js: 
-------------------------------------------------------------------------------- 1 | const fs = require('fs'); 2 | const readline = require('readline'); 3 | const docs= { 4 | '/containers/cna/affected/product:maxLength': "Product name is too long! If you are listing multiple products, please use separate product objects.", 5 | '/containers/cna/affected/product:minLength': "A product name is required.", 6 | '/containers/cna/affected/versions/version:maxLength': "Version name is too long! If you are listing multiple versions, please encode as an array of version objects.", 7 | '/containers/cna/metrics/cvssV3_0:required': "CVSS objects are incomplete. Please provide a valid vectorString at the minimum in your CVE-JSON v4 submission." 8 | 9 | } 10 | /* 11 | function cvePath(value) { 12 | var realId = value.match(/(CVE-(\d{4})-(\d{1,12})(\d{3}))/); 13 | if (realId) { 14 | var id = realId[1]; 15 | var year = realId[2]; 16 | var bucket = realId[3]; 17 | return (year + '/' + bucket + 'xxx/' + id + '.json') 18 | } 19 | } 20 | */ 21 | const validateCve = require('./dist/cve5validator.js') 22 | var errorStat = {}; 23 | var warnStat = {}; 24 | var errorCount = {}; 25 | var yStat = {}; 26 | var invalid = 0; 27 | var warns = 0; 28 | var total = 0; 29 | var ignore = { '': 1, '/cveMetadata/state': 1, '/containers/cna/references/url': 0} 30 | function validate(line) { 31 | if (line) { 32 | var parts = line.match(/(CVE-(\d+)-\d+)/); 33 | var year = "unknown"; 34 | var id = "unknown"; 35 | if (parts) { 36 | year = parts[2]; 37 | id = parts[1]; 38 | } 39 | try { 40 | if (!fs.lstatSync(line).isDirectory()) { 41 | var cveFile = fs.readFileSync(line); 42 | var cve = JSON.parse(cveFile); 43 | var warnings = cve.containers?.cna.x_ConverterErrors; 44 | //delete cve.x_ValidationErrors; 45 | var assigner = "default"; 46 | try { 47 | assigner = cve.containers?.cna?.x_legacyV4Record?.CVE_data_meta?.ASSIGNER; 48 | if(!assigner) { 49 | assigner = cve.containers?.cna?.providerMetadata?.shortName; 
50 | } 51 | } catch (e) { 52 | console.error(e.message); 53 | } 54 | total++; 55 | 56 | if(warnings) { 57 | warns++; 58 | errorCount[assigner]++; 59 | for (const key in warnings) { 60 | var w = 'Warning: ' + warnings[key].error; 61 | //console.log(key); 62 | if(!errorStat[assigner]) { 63 | errorStat[assigner] = {} 64 | errorCount[assigner] = 0 65 | } 66 | if(!errorStat[assigner][key]) { 67 | errorStat[assigner][key] = []; 68 | } 69 | if(!errorStat[assigner][key][w]) { 70 | errorStat[assigner][key][w] = []; 71 | } 72 | errorStat[assigner][key][w].push(id); 73 | } 74 | } 75 | var valid = validateCve(cve); 76 | if (!valid) { 77 | var errseen = false; 78 | validateCve.errors.forEach(err => { 79 | var path = err.instancePath.replace(/\/\d+\/?/g, "/") 80 | if (!ignore[path]) { 81 | var e = 'Error: ' + err.keyword; 82 | if (!errorStat[assigner]) { 83 | errorStat[assigner] = {} 84 | errorCount[assigner] = 0 85 | } 86 | if (!errorStat[assigner][path]) { 87 | errorStat[assigner][path] = {} 88 | } 89 | if (!errorStat[assigner][path][e]) { 90 | errorStat[assigner][path][e] = [] 91 | } 92 | errorStat[assigner][path][e].push(id); 93 | errseen = true; 94 | } 95 | }); 96 | if (errseen) { 97 | errorCount[assigner]++; 98 | invalid++; 99 | yStat[year] ? yStat[year]++ : (yStat[year] = 1); 100 | } 101 | } 102 | } 103 | } catch (e) { 104 | console.error(e.message); 105 | } 106 | } 107 | } 108 | /* Example error 109 | { 110 | instancePath: '/cveMetadata/state', 111 | schemaPath: '#/properties/state/enum', 112 | keyword: 'enum', 113 | params: { allowedValues: [Array] }, 114 | message: 'must be equal to one of the allowed values' 115 | }, 116 | */ 117 | var rl = readline.createInterface({ 118 | input: process.stdin, 119 | output: process.stdout, 120 | terminal: false 121 | }); 122 | 123 | function report() { 124 | console.log(` 125 | 138 |

139 | ${total} upconverted CVEs: ${warns} warnings and ${invalid} errors. 140 |

141 | `) 142 | for (const y in yStat) { 143 | console.log(`
  • year ${y} - ${yStat[y]}
  • `) 144 | } 145 | 146 | Object.keys(errorStat).sort().forEach(x => { 147 | var domain = x.substring(x.indexOf('@') + 1) 148 | console.log(`

    ${domain} [link]

    `) 149 | for (const k in errorStat[x]) { 150 | var alist = errorStat[x][k]; 151 | for (const a in alist) { 152 | var ids = [...new Set(alist[a])]; 153 | console.log(`
    [${ids.length} CVEs] ${a} - field ${k} [link]:`) 154 | if(docs[x + ':' + k]) { 155 | console.log(`

    `+docs[x + ':' + k]+'

    ') 156 | } 157 | console.log('
    ') 158 | for (const c of ids.sort()) { 159 | console.log(` ${c}`) 160 | } 161 | console.log('
    ') 162 | } 163 | } 164 | }); 165 | } 166 | 167 | rl.on('line', validate) 168 | rl.on('close', report) -------------------------------------------------------------------------------- /schema/archive/v5.0/support/Node_Validator/validate.js: -------------------------------------------------------------------------------- 1 | const fs = require('fs'); 2 | const readline = require('readline'); 3 | const validateCve = require('./dist/cve5validator.js') 4 | var invalid = 0; 5 | var total = 0; 6 | function validateFile(line) { 7 | if (line) { 8 | try { 9 | if (!fs.lstatSync(line).isDirectory()) { 10 | var cveFile = fs.readFileSync(line); 11 | var cve = JSON.parse(cveFile); 12 | total++; 13 | var valid = validateCve(cve); 14 | if (!valid) { 15 | invalid++; 16 | console.log(line + ' is invalid:'); 17 | console.log(validateCve.errors); 18 | } else { 19 | console.log(line + ' is valid.'); 20 | } 21 | } 22 | } catch (e) { 23 | console.error(e.message); 24 | } 25 | } 26 | } 27 | 28 | function report() { 29 | if (invalid == 0) { 30 | console.log(`Summary: All files PASSED validation.`) 31 | } else { 32 | console.log(`Summary: Validation FAILED for ${invalid} out of ${total} files!`) 33 | } 34 | } 35 | var usage = ` 36 | To validate one or more files 37 | $ node validate.js [file-1.json] [file-2.json] ... 
38 | 39 | To validate a list of files in a file or on stdin: 40 | $ cat list.txt | node validate.js -e 41 | $ find directory -name '*.json' | node validate.js -e 42 | 43 | To validate a single file via stdin: 44 | $ cat file.json | node validate.js 45 | 46 | ` 47 | try { 48 | if (process.argv.length >= 3) { 49 | if (process.argv[2] && (process.argv[2].startsWith("-?") || process.argv[2].startsWith("-h"))) { 50 | console.log(usage) 51 | } else if (process.argv[2] && process.argv[2] == '-e') { 52 | var rl = readline.createInterface({ 53 | input: process.stdin, 54 | output: process.stdout, 55 | terminal: false 56 | }); 57 | rl.on('line', validateFile) 58 | rl.on('close', report) 59 | } else { 60 | for (i = 2; i < process.argv.length; i++) { 61 | validateFile(process.argv[i]); 62 | } 63 | report(); 64 | } 65 | } else { 66 | var cve = fs.readFileSync(0, 'utf-8'); 67 | var valid = validateCve(JSON.parse(cve)); 68 | if (!valid) { 69 | console.log('Input is invalid:'); 70 | console.log(validateCve.errors); 71 | } else 72 | console.log('Input is valid.'); 73 | } 74 | } catch (e) { 75 | console.log(e.message); 76 | console.log(usage); 77 | } -------------------------------------------------------------------------------- /schema/archive/v5.0/support/Python3.x_Validator/D7Validator.py: -------------------------------------------------------------------------------- 1 | from jsonschema import * 2 | import json 3 | import sys 4 | 5 | jsource = None 6 | jschema = None 7 | 8 | if len(sys.argv) == 3: 9 | argv = sys.argv 10 | jsource = json.load(open(argv[1])) #'cve502example.json' 11 | jschema = json.load(open(argv[2])) #'cve502.schema' 12 | 13 | D7validator = Draft7Validator(jschema) 14 | hasErrors = 0 15 | for error in sorted(D7validator.iter_errors(jsource), key=str): 16 | hasErrors += 1 17 | print('Schema object with error: ', error.validator) 18 | print('ERROR CONTEXT', error.context) 19 | #print(error.message) 20 | print('') 21 | 
print('---------------------------------------------') 22 | print('') 23 | 24 | if hasErrors > 0: 25 | print('Found ', hasErrors, ' error(s)') 26 | else: 27 | print('Source was valid against schema') 28 | else: 29 | print('Usage: python D7Validator.py [json source file] [json schema file]') 30 | 31 | 32 | -------------------------------------------------------------------------------- /schema/archive/v5.0/support/Python3.x_Validator/cvss-v2.0.json: -------------------------------------------------------------------------------- 1 | { 2 | "license": [ 3 | "Copyright (c) 2017, FIRST.ORG, INC.", 4 | "All rights reserved.", 5 | "", 6 | "Redistribution and use in source and binary forms, with or without modification, are permitted provided that the ", 7 | "following conditions are met:", 8 | "1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following ", 9 | " disclaimer.", 10 | "2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the ", 11 | " following disclaimer in the documentation and/or other materials provided with the distribution.", 12 | "3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote ", 13 | " products derived from this software without specific prior written permission.", 14 | "", 15 | "THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 'AS IS' AND ANY EXPRESS OR IMPLIED WARRANTIES, ", 16 | "INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ", 17 | "DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ", 18 | "SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ", 19 | "SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, ", 20 | "WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE ", 21 | "OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE." 22 | ], 23 | 24 | "$schema": "http://json-schema.org/draft-04/schema#", 25 | "title": "JSON Schema for Common Vulnerability Scoring System version 2.0", 26 | "id": "https://www.first.org/cvss/cvss-v2.0.json?20170531", 27 | "type": "object", 28 | "definitions": { 29 | "accessVectorType": { 30 | "type": "string", 31 | "enum": [ "NETWORK", "ADJACENT_NETWORK", "LOCAL" ] 32 | }, 33 | "accessComplexityType": { 34 | "type": "string", 35 | "enum": [ "HIGH", "MEDIUM", "LOW" ] 36 | }, 37 | "authenticationType": { 38 | "type": "string", 39 | "enum": [ "MULTIPLE", "SINGLE", "NONE" ] 40 | }, 41 | "ciaType": { 42 | "type": "string", 43 | "enum": [ "NONE", "PARTIAL", "COMPLETE" ] 44 | }, 45 | "exploitabilityType": { 46 | "type": "string", 47 | "enum": [ "UNPROVEN", "PROOF_OF_CONCEPT", "FUNCTIONAL", "HIGH", "NOT_DEFINED" ] 48 | }, 49 | "remediationLevelType": { 50 | "type": "string", 51 | "enum": [ "OFFICIAL_FIX", "TEMPORARY_FIX", "WORKAROUND", "UNAVAILABLE", "NOT_DEFINED" ] 52 | }, 53 | "reportConfidenceType": { 54 | "type": "string", 55 | "enum": [ "UNCONFIRMED", "UNCORROBORATED", "CONFIRMED", "NOT_DEFINED" ] 56 | }, 57 | "collateralDamagePotentialType": { 58 | "type": "string", 59 | "enum": [ "NONE", "LOW", "LOW_MEDIUM", "MEDIUM_HIGH", "HIGH", "NOT_DEFINED" ] 60 | }, 61 | "targetDistributionType": { 62 | "type": "string", 63 | "enum": [ "NONE", "LOW", "MEDIUM", "HIGH", "NOT_DEFINED" ] 64 | }, 65 | "ciaRequirementType": { 66 | "type": 
"string", 67 | "enum": [ "LOW", "MEDIUM", "HIGH", "NOT_DEFINED" ] 68 | }, 69 | "scoreType": { 70 | "type": "number", 71 | "minimum": 0, 72 | "maximum": 10 73 | } 74 | }, 75 | "properties": { 76 | "version": { 77 | "description": "CVSS Version", 78 | "type": "string", 79 | "enum": [ "2.0" ] 80 | }, 81 | "vectorString": { 82 | "type": "string", 83 | "pattern": "^((AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))/)*(AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))$" 84 | }, 85 | "accessVector": { "$ref": "#/definitions/accessVectorType" }, 86 | "accessComplexity": { "$ref": "#/definitions/accessComplexityType" }, 87 | "authentication": { "$ref": "#/definitions/authenticationType" }, 88 | "confidentialityImpact": { "$ref": "#/definitions/ciaType" }, 89 | "integrityImpact": { "$ref": "#/definitions/ciaType" }, 90 | "availabilityImpact": { "$ref": "#/definitions/ciaType" }, 91 | "baseScore": { "$ref": "#/definitions/scoreType" }, 92 | "exploitability": { "$ref": "#/definitions/exploitabilityType" }, 93 | "remediationLevel": { "$ref": "#/definitions/remediationLevelType" }, 94 | "reportConfidence": { "$ref": "#/definitions/reportConfidenceType" }, 95 | "temporalScore": { "$ref": "#/definitions/scoreType" }, 96 | "collateralDamagePotential": { "$ref": "#/definitions/collateralDamagePotentialType" }, 97 | "targetDistribution": { "$ref": "#/definitions/targetDistributionType" }, 98 | "confidentialityRequirement": { "$ref": "#/definitions/ciaRequirementType" }, 99 | "integrityRequirement": { "$ref": "#/definitions/ciaRequirementType" }, 100 | "availabilityRequirement": { "$ref": "#/definitions/ciaRequirementType" }, 101 | "environmentalScore": { "$ref": "#/definitions/scoreType" } 102 | }, 103 | "required": [ "version", "vectorString", "baseScore" ] 104 | } 105 | 
-------------------------------------------------------------------------------- /schema/archive/v5.0/support/Python3.x_Validator/cvss-v3.0.json: -------------------------------------------------------------------------------- 1 | { 2 | "license": [ 3 | "Copyright (c) 2017, FIRST.ORG, INC.", 4 | "All rights reserved.", 5 | "", 6 | "Redistribution and use in source and binary forms, with or without modification, are permitted provided that the ", 7 | "following conditions are met:", 8 | "1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following ", 9 | " disclaimer.", 10 | "2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the ", 11 | " following disclaimer in the documentation and/or other materials provided with the distribution.", 12 | "3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote ", 13 | " products derived from this software without specific prior written permission.", 14 | "", 15 | "THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 'AS IS' AND ANY EXPRESS OR IMPLIED WARRANTIES, ", 16 | "INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ", 17 | "DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ", 18 | "SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ", 19 | "SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, ", 20 | "WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE ", 21 | "OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE." 
22 | ], 23 | 24 | "$schema": "http://json-schema.org/draft-04/schema#", 25 | "title": "JSON Schema for Common Vulnerability Scoring System version 3.0", 26 | "id": "https://www.first.org/cvss/cvss-v3.0.json?20170531", 27 | "type": "object", 28 | "definitions": { 29 | "attackVectorType": { 30 | "type": "string", 31 | "enum": [ "NETWORK", "ADJACENT_NETWORK", "LOCAL", "PHYSICAL" ] 32 | }, 33 | "modifiedAttackVectorType": { 34 | "type": "string", 35 | "enum": [ "NETWORK", "ADJACENT_NETWORK", "LOCAL", "PHYSICAL", "NOT_DEFINED" ] 36 | }, 37 | "attackComplexityType": { 38 | "type": "string", 39 | "enum": [ "HIGH", "LOW" ] 40 | }, 41 | "modifiedAttackComplexityType": { 42 | "type": "string", 43 | "enum": [ "HIGH", "LOW", "NOT_DEFINED" ] 44 | }, 45 | "privilegesRequiredType": { 46 | "type": "string", 47 | "enum": [ "HIGH", "LOW", "NONE" ] 48 | }, 49 | "modifiedPrivilegesRequiredType": { 50 | "type": "string", 51 | "enum": [ "HIGH", "LOW", "NONE", "NOT_DEFINED" ] 52 | }, 53 | "userInteractionType": { 54 | "type": "string", 55 | "enum": [ "NONE", "REQUIRED" ] 56 | }, 57 | "modifiedUserInteractionType": { 58 | "type": "string", 59 | "enum": [ "NONE", "REQUIRED", "NOT_DEFINED" ] 60 | }, 61 | "scopeType": { 62 | "type": "string", 63 | "enum": [ "UNCHANGED", "CHANGED" ] 64 | }, 65 | "modifiedScopeType": { 66 | "type": "string", 67 | "enum": [ "UNCHANGED", "CHANGED", "NOT_DEFINED" ] 68 | }, 69 | "ciaType": { 70 | "type": "string", 71 | "enum": [ "NONE", "LOW", "HIGH" ] 72 | }, 73 | "modifiedCiaType": { 74 | "type": "string", 75 | "enum": [ "NONE", "LOW", "HIGH", "NOT_DEFINED" ] 76 | }, 77 | "exploitCodeMaturityType": { 78 | "type": "string", 79 | "enum": [ "UNPROVEN", "PROOF_OF_CONCEPT", "FUNCTIONAL", "HIGH", "NOT_DEFINED" ] 80 | }, 81 | "remediationLevelType": { 82 | "type": "string", 83 | "enum": [ "OFFICIAL_FIX", "TEMPORARY_FIX", "WORKAROUND", "UNAVAILABLE", "NOT_DEFINED" ] 84 | }, 85 | "confidenceType": { 86 | "type": "string", 87 | "enum": [ "UNKNOWN", "REASONABLE", 
"CONFIRMED", "NOT_DEFINED" ] 88 | }, 89 | "ciaRequirementType": { 90 | "type": "string", 91 | "enum": [ "LOW", "MEDIUM", "HIGH", "NOT_DEFINED" ] 92 | }, 93 | "scoreType": { 94 | "type": "number", 95 | "minimum": 0, 96 | "maximum": 10 97 | }, 98 | "severityType": { 99 | "type": "string", 100 | "enum": [ "NONE", "LOW", "MEDIUM", "HIGH", "CRITICAL" ] 101 | } 102 | }, 103 | "properties": { 104 | "version": { 105 | "description": "CVSS Version", 106 | "type": "string", 107 | "enum": [ "3.0" ] 108 | }, 109 | "vectorString": { 110 | "type": "string", 111 | "pattern": "^CVSS:3.0/((AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$" 112 | }, 113 | "attackVector": { "$ref": "#/definitions/attackVectorType" }, 114 | "attackComplexity": { "$ref": "#/definitions/attackComplexityType" }, 115 | "privilegesRequired": { "$ref": "#/definitions/privilegesRequiredType" }, 116 | "userInteraction": { "$ref": "#/definitions/userInteractionType" }, 117 | "scope": { "$ref": "#/definitions/scopeType" }, 118 | "confidentialityImpact": { "$ref": "#/definitions/ciaType" }, 119 | "integrityImpact": { "$ref": "#/definitions/ciaType" }, 120 | "availabilityImpact": { "$ref": "#/definitions/ciaType" }, 121 | "baseScore": { "$ref": "#/definitions/scoreType" }, 122 | "baseSeverity": { "$ref": "#/definitions/severityType" }, 123 | "exploitCodeMaturity": { "$ref": "#/definitions/exploitCodeMaturityType" }, 124 | "remediationLevel": { "$ref": "#/definitions/remediationLevelType" }, 125 | "reportConfidence": { "$ref": "#/definitions/confidenceType" }, 126 | "temporalScore": { "$ref": "#/definitions/scoreType" }, 127 | "temporalSeverity": { "$ref": "#/definitions/severityType" }, 128 | "confidentialityRequirement": { 
"$ref": "#/definitions/ciaRequirementType" }, 129 | "integrityRequirement": { "$ref": "#/definitions/ciaRequirementType" }, 130 | "availabilityRequirement": { "$ref": "#/definitions/ciaRequirementType" }, 131 | "modifiedAttackVector": { "$ref": "#/definitions/modifiedAttackVectorType" }, 132 | "modifiedAttackComplexity": { "$ref": "#/definitions/modifiedAttackComplexityType" }, 133 | "modifiedPrivilegesRequired": { "$ref": "#/definitions/modifiedPrivilegesRequiredType" }, 134 | "modifiedUserInteraction": { "$ref": "#/definitions/modifiedUserInteractionType" }, 135 | "modifiedScope": { "$ref": "#/definitions/modifiedScopeType" }, 136 | "modifiedConfidentialityImpact": { "$ref": "#/definitions/modifiedCiaType" }, 137 | "modifiedIntegrityImpact": { "$ref": "#/definitions/modifiedCiaType" }, 138 | "modifiedAvailabilityImpact": { "$ref": "#/definitions/modifiedCiaType" }, 139 | "environmentalScore": { "$ref": "#/definitions/scoreType" }, 140 | "environmentalSeverity": { "$ref": "#/definitions/severityType" } 141 | }, 142 | "required": [ "version", "vectorString", "baseScore", "baseSeverity" ] 143 | } 144 | -------------------------------------------------------------------------------- /schema/archive/v5.0/support/Python3.x_Validator/cvss-v3.1.json: -------------------------------------------------------------------------------- 1 | { 2 | "license": [ 3 | "Copyright (c) 2019, FIRST.ORG, INC.", 4 | "All rights reserved.", 5 | "", 6 | "Redistribution and use in source and binary forms, with or without modification, are permitted provided that the ", 7 | "following conditions are met:", 8 | "1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following ", 9 | " disclaimer.", 10 | "2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the ", 11 | " following disclaimer in the documentation and/or other materials provided with the distribution.", 12 | "3. 
Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote ", 13 | " products derived from this software without specific prior written permission.", 14 | "", 15 | "THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 'AS IS' AND ANY EXPRESS OR IMPLIED WARRANTIES, ", 16 | "INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ", 17 | "DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ", 18 | "SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ", 19 | "SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, ", 20 | "WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE ", 21 | "OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE." 
22 | ], 23 | 24 | "$schema": "http://json-schema.org/draft-07/schema#", 25 | "title": "JSON Schema for Common Vulnerability Scoring System version 3.1", 26 | "id": "https://www.first.org/cvss/cvss-v3.1.json?20190610", 27 | "type": "object", 28 | "definitions": { 29 | "attackVectorType": { 30 | "type": "string", 31 | "enum": [ "NETWORK", "ADJACENT_NETWORK", "LOCAL", "PHYSICAL" ] 32 | }, 33 | "modifiedAttackVectorType": { 34 | "type": "string", 35 | "enum": [ "NETWORK", "ADJACENT_NETWORK", "LOCAL", "PHYSICAL", "NOT_DEFINED" ] 36 | }, 37 | "attackComplexityType": { 38 | "type": "string", 39 | "enum": [ "HIGH", "LOW" ] 40 | }, 41 | "modifiedAttackComplexityType": { 42 | "type": "string", 43 | "enum": [ "HIGH", "LOW", "NOT_DEFINED" ] 44 | }, 45 | "privilegesRequiredType": { 46 | "type": "string", 47 | "enum": [ "HIGH", "LOW", "NONE" ] 48 | }, 49 | "modifiedPrivilegesRequiredType": { 50 | "type": "string", 51 | "enum": [ "HIGH", "LOW", "NONE", "NOT_DEFINED" ] 52 | }, 53 | "userInteractionType": { 54 | "type": "string", 55 | "enum": [ "NONE", "REQUIRED" ] 56 | }, 57 | "modifiedUserInteractionType": { 58 | "type": "string", 59 | "enum": [ "NONE", "REQUIRED", "NOT_DEFINED" ] 60 | }, 61 | "scopeType": { 62 | "type": "string", 63 | "enum": [ "UNCHANGED", "CHANGED" ] 64 | }, 65 | "modifiedScopeType": { 66 | "type": "string", 67 | "enum": [ "UNCHANGED", "CHANGED", "NOT_DEFINED" ] 68 | }, 69 | "ciaType": { 70 | "type": "string", 71 | "enum": [ "NONE", "LOW", "HIGH" ] 72 | }, 73 | "modifiedCiaType": { 74 | "type": "string", 75 | "enum": [ "NONE", "LOW", "HIGH", "NOT_DEFINED" ] 76 | }, 77 | "exploitCodeMaturityType": { 78 | "type": "string", 79 | "enum": [ "UNPROVEN", "PROOF_OF_CONCEPT", "FUNCTIONAL", "HIGH", "NOT_DEFINED" ] 80 | }, 81 | "remediationLevelType": { 82 | "type": "string", 83 | "enum": [ "OFFICIAL_FIX", "TEMPORARY_FIX", "WORKAROUND", "UNAVAILABLE", "NOT_DEFINED" ] 84 | }, 85 | "confidenceType": { 86 | "type": "string", 87 | "enum": [ "UNKNOWN", "REASONABLE", 
"CONFIRMED", "NOT_DEFINED" ] 88 | }, 89 | "ciaRequirementType": { 90 | "type": "string", 91 | "enum": [ "LOW", "MEDIUM", "HIGH", "NOT_DEFINED" ] 92 | }, 93 | "scoreType": { 94 | "type": "number", 95 | "minimum": 0, 96 | "maximum": 10 97 | }, 98 | "severityType": { 99 | "type": "string", 100 | "enum": [ "NONE", "LOW", "MEDIUM", "HIGH", "CRITICAL" ] 101 | } 102 | }, 103 | "properties": { 104 | "version": { 105 | "description": "CVSS Version", 106 | "type": "string", 107 | "enum": [ "3.1" ] 108 | }, 109 | "vectorString": { 110 | "type": "string", 111 | "pattern": "^CVSS:3.1/((AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$" 112 | }, 113 | "attackVector": { "$ref": "#/definitions/attackVectorType" }, 114 | "attackComplexity": { "$ref": "#/definitions/attackComplexityType" }, 115 | "privilegesRequired": { "$ref": "#/definitions/privilegesRequiredType" }, 116 | "userInteraction": { "$ref": "#/definitions/userInteractionType" }, 117 | "scope": { "$ref": "#/definitions/scopeType" }, 118 | "confidentialityImpact": { "$ref": "#/definitions/ciaType" }, 119 | "integrityImpact": { "$ref": "#/definitions/ciaType" }, 120 | "availabilityImpact": { "$ref": "#/definitions/ciaType" }, 121 | "baseScore": { "$ref": "#/definitions/scoreType" }, 122 | "baseSeverity": { "$ref": "#/definitions/severityType" }, 123 | "exploitCodeMaturity": { "$ref": "#/definitions/exploitCodeMaturityType" }, 124 | "remediationLevel": { "$ref": "#/definitions/remediationLevelType" }, 125 | "reportConfidence": { "$ref": "#/definitions/confidenceType" }, 126 | "temporalScore": { "$ref": "#/definitions/scoreType" }, 127 | "temporalSeverity": { "$ref": "#/definitions/severityType" }, 128 | "confidentialityRequirement": { 
"$ref": "#/definitions/ciaRequirementType" }, 129 | "integrityRequirement": { "$ref": "#/definitions/ciaRequirementType" }, 130 | "availabilityRequirement": { "$ref": "#/definitions/ciaRequirementType" }, 131 | "modifiedAttackVector": { "$ref": "#/definitions/modifiedAttackVectorType" }, 132 | "modifiedAttackComplexity": { "$ref": "#/definitions/modifiedAttackComplexityType" }, 133 | "modifiedPrivilegesRequired": { "$ref": "#/definitions/modifiedPrivilegesRequiredType" }, 134 | "modifiedUserInteraction": { "$ref": "#/definitions/modifiedUserInteractionType" }, 135 | "modifiedScope": { "$ref": "#/definitions/modifiedScopeType" }, 136 | "modifiedConfidentialityImpact": { "$ref": "#/definitions/modifiedCiaType" }, 137 | "modifiedIntegrityImpact": { "$ref": "#/definitions/modifiedCiaType" }, 138 | "modifiedAvailabilityImpact": { "$ref": "#/definitions/modifiedCiaType" }, 139 | "environmentalScore": { "$ref": "#/definitions/scoreType" }, 140 | "environmentalSeverity": { "$ref": "#/definitions/severityType" } 141 | }, 142 | "required": [ "version", "vectorString", "baseScore", "baseSeverity" ] 143 | } 144 | -------------------------------------------------------------------------------- /schema/archive/v5.0/support/docs/css_override.css: -------------------------------------------------------------------------------- 1 | 2 | .examples, .highlight.jumbotron, .card-header { 3 | padding: 0rem !important; 4 | } 5 | .jumbotron { 6 | margin-bottom: 0px !important; 7 | } 8 | 9 | .badge { 10 | font-size: 80% !important; 11 | margin-bottom: 0px !important; 12 | } 13 | h2, h4, .h2, .h4 { 14 | font-size: 100% !important; 15 | } 16 | .btn.btn-link { 17 | font-size: 16px; 18 | } 19 | .property-name-button { 20 | padding: 0px 5px; 21 | } 22 | .btn.btn-primary { 23 | margin: 5px; 24 | } 25 | 26 | p { 27 | margin-bottom: 0px; 28 | } 29 | 30 | .list-group-item { 31 | padding: 3px 8px; 32 | } 33 | 34 | .pl-5, .card-body { 35 | padding-left: 0.5em !important; 36 | } 37 | 38 | #root 
h1:before { 39 | background: url("https://cve.mitre.org/images/cvelogobanner.png") no-repeat; 40 | background-size: contain; 41 | background-position-y: center; 42 | width: 120px; 43 | height: 30px; 44 | display: inline-block; 45 | content: ""; 46 | } 47 | 48 | span.description ~ p { 49 | display: inline-block; 50 | margin-right: 3px; 51 | } 52 | -------------------------------------------------------------------------------- /schema/archive/v5.0/support/docs/docs.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | cd ../../ 3 | sed 's/file\://g' CVE_JSON_5.0_schema.json > tmp.json | generate-schema-doc --minify tmp.json docs/index.html 4 | perl -pi -e 's//>/g' docs/index.html 5 | node support/schema2markmap/index.js tmp.json > 'docs/mindmap.html' 6 | node support/schema2markmap/schema-bundle.js tmp.json > 'docs/CVE_JSON_5.0_bundled.json' 7 | rm tmp.json 8 | cat support/docs/css_override.css >> docs/schema_doc.css 9 | -------------------------------------------------------------------------------- /schema/archive/v5.0/support/schema2markmap/index.js: -------------------------------------------------------------------------------- 1 | // Author: Chandan BN (c) 2021 2 | // (1) convert CVE JSON schema to a mindmap 3 | 4 | var ml = require('markmap-lib') 5 | var Transformer = ml.Transformer; 6 | var fillTemplate = ml.fillTemplate; 7 | var sw = require('@cloudflare/json-schema-walker'); 8 | var rp = require('json-schema-ref-parser'); 9 | var fold = ['metrics', 'cvssV3_1', 'cvssV3_0', 'cvssV2_0', 'supportingMedia', 10 | 'tags', 'impacts', 'configurations', 'workarounds', 'solutions', 'exploits', 11 | 'timeline', 'credits', 'tags', 'taxonomyMappings', 'adp']; 12 | var symbol = { object: '', array: '[]', string: '', boolean: '☯', number: '', integer: '', undefined: '' }; 13 | const fs = require('fs'); 14 | var markmap = require('markmap-view'); 15 | const { Markmap, loadCSS, loadJS } = markmap; 16 | 17 | let forDeletion 
= ['properties', 'items', 'anyOf', 'allOf', 'oneOf']; 18 | 19 | var markdown = "# CVE JSON Record\n"; 20 | 21 | function postfunc(obj, path, parent, parentPath) { 22 | if (path[1] && isNaN(path[1])) { 23 | var depth = parentPath.filter(i => !forDeletion.includes(i)).length; 24 | var reqStart = ""; 25 | var reqEnd = ""; 26 | 27 | if (parent?.required?.includes(path[1])) { 28 | reqStart = ""; 29 | reqEnd = ""; 30 | } 31 | markdown += (" ".repeat(depth) 32 | + "* " + reqStart + path[1] + reqEnd 33 | + ' ' + (fold.includes(path[1]) ? '' : '') 34 | + symbol[obj.type] 35 | + (obj.examples ? 'e.g., `' + obj.examples[0] + '`' : '') 36 | + (obj.enum ? '`' + obj.enum.join('` `') + '`' : '')) 37 | + '\n'; 38 | } 39 | } 40 | 41 | async function schemaMindMap() { 42 | var cveSchema = await rp.dereference(process.argv[2]); 43 | markdown += "## Published \n"; 44 | sw.schemaWalk(cveSchema.oneOf[0], postfunc, null); 45 | 46 | markdown += "## Rejected \n"; 47 | sw.schemaWalk(cveSchema.oneOf[1], postfunc, null); 48 | 49 | const transformer = new Transformer(); 50 | 51 | // transform markdown 52 | const { root, features } = transformer.transform(markdown); 53 | 54 | // get assets required by used features 55 | var assets = transformer.getUsedAssets(features); 56 | 57 | // create mindmap html 58 | var html = fillTemplate(root, assets); 59 | html = html.replace('Markmap', 'CVE JSON v5 Mindmap'); 60 | console.log(html); 61 | } 62 | 63 | schemaMindMap(); 64 | -------------------------------------------------------------------------------- /schema/archive/v5.0/support/schema2markmap/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "schema2markmap", 3 | "version": "1.0.0", 4 | "description": "Convert CVE JSON schema to a Markdown document suitable for use with Markmap.js", 5 | "main": "index.js", 6 | "scripts": { 7 | "test": "echo \"Error: no test specified\" && exit 1" 8 | }, 9 | "repository": { 10 | "type": "git", 11 |
"url": "https://github.com/CVEProject/cve-schema/tree/master/schema/v5.0/support" 12 | }, 13 | "keywords": [ 14 | "JSON", 15 | "Schema", 16 | "Markdown", 17 | "Markmap" 18 | ], 19 | "author": "Chandan B.N.", 20 | "license": "CC0-1.0", 21 | "dependencies": { 22 | "@cloudflare/json-schema-walker": "^0.1.1", 23 | "json-schema-ref-parser": "^9.0.9", 24 | "markmap-lib": "^0.11.6", 25 | "markmap-view": "^0.2.6" 26 | } 27 | } 28 | -------------------------------------------------------------------------------- /schema/archive/v5.0/support/schema2markmap/schema-bundle.js: -------------------------------------------------------------------------------- 1 | // Author: Chandan BN (c) 2021 2 | // (2) creates a bundled schema 3 | 4 | var rp = require('json-schema-ref-parser'); 5 | var fs = require('fs'); 6 | async function schemaBundle() { 7 | var cveSchemaBundle = await rp.bundle(process.argv[2]); 8 | var metricProperties = cveSchemaBundle.definitions.metrics.items.properties; 9 | delete metricProperties.cvssV3_1.id; 10 | delete metricProperties.cvssV3_0.id; 11 | delete metricProperties.cvssV2_0.id; 12 | delete metricProperties.cvssV3_1.license; 13 | delete metricProperties.cvssV3_0.license; 14 | delete metricProperties.cvssV2_0.license; 15 | console.log(JSON.stringify(cveSchemaBundle, null, 2)); 16 | } 17 | 18 | schemaBundle(); -------------------------------------------------------------------------------- /schema/archive/v5.0/tags/adp-tags.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "http://json-schema.org/draft-07/schema#", 3 | "$id": "https://cve.mitre.org/cve/v5_00/tags/adp/", 4 | "type": "string", 5 | "description": "disputed: When one party disagrees with another party's assertion that a particular issue in software is a vulnerability, a CVE Record assigned to that issue may be tagged as being 'disputed'.", 6 | "enum": ["disputed"] 7 | } 8 | 
-------------------------------------------------------------------------------- /schema/archive/v5.0/tags/cna-tags.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "http://json-schema.org/draft-07/schema#", 3 | "$id": "https://cve.mitre.org/cve/v5_00/tags/cna/", 4 | "type": "string", 5 | "description": "exclusively-hosted-service: All known software and/or hardware affected by this CVE Record is known to exist only in the affected hosted service. If the vulnerability affects both hosted and on-prem software and/or hardware, then the tag should not be used.\n\nunsupported-when-assigned: Used by the assigning CNA to indicate that when a request for a CVE assignment was received, the product was already end-of-life (EOL) or a product or specific version was deemed not to be supported by the vendor. This tag should only be applied to a CVE Record when all affected products or version lines referenced in the CVE-Record are EOL.\n\ndisputed: When one party disagrees with another party's assertion that a particular issue in software is a vulnerability, a CVE Record assigned to that issue may be tagged as being 'disputed'.", 6 | "enum": ["unsupported-when-assigned", "exclusively-hosted-service", "disputed"] 7 | } 8 | -------------------------------------------------------------------------------- /schema/archive/v5.0/tags/reference-tags.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "http://json-schema.org/draft-07/schema#", 3 | "$id": "https://cve.mitre.org/cve/v5_00/tags/reference/", 4 | "type": "string", 5 | "description": "broken-link: The reference link is returning a 404 error, or the site is no longer online.\n\ncustomer-entitlement: Similar to Privileges Required, but specific to references that require non-public/paid access for customers of the particular vendor.\n\nexploit: Reference contains an in-depth/detailed description of steps to 
exploit a vulnerability OR the reference contains any legitimate Proof of Concept (PoC) code or exploit kit.\n\ngovernment-resource: All reference links that are from a government agency or organization should be given the Government Resource tag.\n\nissue-tracking: The reference is a post from a bug tracking tool such as MantisBT, Bugzilla, JIRA, Github Issues, etc...\n\nmailing-list: The reference is from a mailing list -- often specific to a product or vendor.\n\nmitigation: The reference contains information on steps to mitigate against the vulnerability in the event a patch can't be applied or is unavailable or for EOL product situations.\n\nnot-applicable: The reference link is not applicable to the vulnerability and was likely associated by MITRE accidentally (should be used sparingly).\n\npatch: The reference contains an update to the software that fixes the vulnerability.\n\npermissions-required: The reference link provided is blocked by a logon page. If credentials are required to see any information this tag must be applied.\n\nmedia-coverage: The reference is from a media outlet such as a newspaper, magazine, social media, or weblog. This tag is not intended to apply to any individual's personal social media account. 
It is strictly intended for public media entities.\n\nproduct: A reference appropriate for describing a product for the purpose of CPE or SWID.\n\nrelated: A reference that is for a related (but not the same) vulnerability.\n\nrelease-notes: The reference is in the format of a vendor or open source project's release notes or change log.\n\nsignature: The reference contains a method to detect or prevent the presence or exploitation of the vulnerability.\n\ntechnical-description: The reference contains in-depth technical information about a vulnerability and its exploitation process, typically in the form of a presentation or whitepaper.\n\nthird-party-advisory: Advisory is from an organization that is not the vulnerable product's vendor/publisher/maintainer.\n\nvendor-advisory: Advisory is from the vendor/publisher/maintainer of the product or the parent organization.\n\nvdb-entry: VDBs are loosely defined as sites that provide information about this vulnerability, such as advisories, with identifiers. Included VDBs are free to access, substantially public, and have broad scope and coverage (not limited to a single vendor or research organization). 
See: https://www.first.org/global/sigs/vrdx/vdb-catalog", 6 | "enum": [ 7 | "broken-link", 8 | "customer-entitlement", 9 | "exploit", 10 | "government-resource", 11 | "issue-tracking", 12 | "mailing-list", 13 | "mitigation", 14 | "not-applicable", 15 | "patch", 16 | "permissions-required", 17 | "media-coverage", 18 | "product", 19 | "related", 20 | "release-notes", 21 | "signature", 22 | "technical-description", 23 | "third-party-advisory", 24 | "vendor-advisory", 25 | "vdb-entry" 26 | ] 27 | } -------------------------------------------------------------------------------- /schema/docs/cnaContainer-basic-example.json: -------------------------------------------------------------------------------- 1 | { 2 | "cnaContainer": { 3 | "providerMetadata": { 4 | "orgId": "00000000-0000-4000-9000-000000000000" 5 | }, 6 | "problemTypes": [ 7 | { 8 | "descriptions": [ 9 | { 10 | "lang": "en", 11 | "description": "CWE-78 OS Command Injection" 12 | } 13 | ] 14 | } 15 | ], 16 | "affected": [ 17 | { 18 | "vendor": "Example.org", 19 | "product": "Example Enterprise", 20 | "versions": [ 21 | { 22 | "version": "1.0.0", 23 | "status": "affected", 24 | "lessThan": "1.0.6", 25 | "versionType": "semver" 26 | } 27 | ], 28 | "defaultStatus": "unaffected" 29 | } 30 | ], 31 | "descriptions": [ 32 | { 33 | "lang": "en", 34 | "value": "OS Command Injection vulnerability in the parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9."
35 | } 36 | ], 37 | "references": [ 38 | { 39 | "url": "https://example.org/ESA-22-11-CVE-1900-1234" 40 | } 41 | ] 42 | } 43 | } 44 | -------------------------------------------------------------------------------- /schema/docs/cnaContainer-rejected-example.json: -------------------------------------------------------------------------------- 1 | { 2 | "cnaContainer": { 3 | "providerMetadata": { 4 | "orgId": "00000000-0000-4000-9000-000000000000", 5 | "shortName": "example" 6 | }, 7 | "rejectedReasons": [ 8 | { 9 | "lang": "en", 10 | "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority." 11 | } 12 | ] 13 | } 14 | } -------------------------------------------------------------------------------- /schema/docs/full-record-basic-example.json: -------------------------------------------------------------------------------- 1 | { 2 | "dataType": "CVE_RECORD", 3 | "dataVersion": "5.1", 4 | "cveMetadata": { 5 | "cveId": "CVE-1900-1234", 6 | "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", 7 | "state": "PUBLISHED" 8 | }, 9 | "containers": { 10 | "cna": { 11 | "providerMetadata": { 12 | "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" 13 | }, 14 | "problemTypes": [ 15 | { 16 | "descriptions": [ 17 | { 18 | "lang": "en", 19 | "description": "CWE-78 OS Command Injection" 20 | } 21 | ] 22 | } 23 | ], 24 | "affected": [ 25 | { 26 | "vendor": "Example.org", 27 | "product": "Example Enterprise", 28 | "versions": [ 29 | { 30 | "version": "1.0.0", 31 | "status": "affected", 32 | "lessThan": "1.0.6", 33 | "versionType": "semver" 34 | } 35 | ], 36 | "defaultStatus": "unaffected" 37 | } 38 | ], 39 | "descriptions": [ 40 | { 41 | "lang": "en", 42 | "value": "OS Command Injection vulnerability in the parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1
versions from 2.16 until 2.1.9." 43 | } 44 | ], 45 | "references": [ 46 | { 47 | "url": "https://example.org/ESA-22-11-CVE-1900-1234" 48 | } 49 | ] 50 | } 51 | } 52 | } -------------------------------------------------------------------------------- /schema/docs/schema_doc.css: -------------------------------------------------------------------------------- 1 | body { 2 | font: 16px/1.5em "Overpass", "Open Sans", Helvetica, sans-serif; 3 | color: #333; 4 | font-weight: 300; 5 | padding: 40px; 6 | } 7 | 8 | .btn.btn-link { 9 | font-size: 18px; 10 | } 11 | 12 | .jsfh-animated-property { 13 | animation: eclair; 14 | animation-iteration-count: 1; 15 | animation-fill-mode: forwards; 16 | animation-duration: .75s; 17 | 18 | } 19 | 20 | @keyframes eclair { 21 | 0%,100% { 22 | transform: scale(1); 23 | } 24 | 50% { 25 | transform: scale(1.03); 26 | } 27 | } 28 | 29 | .btn.btn-primary { 30 | margin: 10px; 31 | } 32 | 33 | .btn.example-show.collapsed:before { 34 | content: "show" 35 | } 36 | 37 | .btn.example-show:before { 38 | content: "hide" 39 | } 40 | 41 | .description.collapse:not(.show) { 42 | max-height: 100px !important; 43 | overflow: hidden; 44 | 45 | display: -webkit-box; 46 | -webkit-line-clamp: 2; 47 | -webkit-box-orient: vertical; 48 | } 49 | 50 | .description.collapsing { 51 | min-height: 100px !important; 52 | } 53 | 54 | .collapse-description-link.collapsed:after { 55 | content: '+ Read More'; 56 | } 57 | 58 | .collapse-description-link:not(.collapsed):after { 59 | content: '- Read Less'; 60 | } 61 | 62 | .badge { 63 | font-size: 100%; 64 | margin-bottom: 0.5rem; 65 | margin-top: 0.5rem; 66 | } 67 | 68 | .badge.value-type { 69 | font-size: 120%; 70 | margin-right: 5px; 71 | margin-bottom: 10px; 72 | } 73 | 74 | 75 | .badge.default-value { 76 | font-size: 120%; 77 | margin-left: 5px; 78 | margin-bottom: 10px; 79 | } 80 | 81 | .badge.restriction { 82 | display: inline-block; 83 | } 84 | 85 | 
.badge.required-property,.badge.deprecated-property,.badge.pattern-property,.badge.no-additional { 86 | font-size: 100%; 87 | margin-left: 10px; 88 | } 89 | 90 | .accordion div.card:only-child { 91 | border-bottom: 1px solid rgba(0, 0, 0, 0.125); 92 | } 93 | 94 | .examples { 95 | padding: 1rem !important; 96 | } 97 | 98 | .examples pre { 99 | margin-bottom: 0; 100 | } 101 | 102 | .highlight.jumbotron { 103 | padding: 1rem !important; 104 | } 105 | 106 | .generated-by-footer { 107 | margin-top: 1em; 108 | text-align: right; 109 | } 110 | 111 | /* From https://github.com/richleland/pygments-css/blob/master/friendly.css, see https://github.com/trentm/python-markdown2/wiki/fenced-code-blocks */ 112 | .highlight { background: #e9ecef; } /* Changed from #f0f0f0 in the original style to be the same as bootstrap's jumbotron */ 113 | .highlight .hll { background-color: #ffffcc } 114 | .highlight .c { color: #60a0b0; font-style: italic } /* Comment */ 115 | .highlight .err { border: 1px solid #FF0000 } /* Error */ 116 | .highlight .k { color: #007020; font-weight: bold } /* Keyword */ 117 | .highlight .o { color: #666666 } /* Operator */ 118 | .highlight .ch { color: #60a0b0; font-style: italic } /* Comment.Hashbang */ 119 | .highlight .cm { color: #60a0b0; font-style: italic } /* Comment.Multiline */ 120 | .highlight .cp { color: #007020 } /* Comment.Preproc */ 121 | .highlight .cpf { color: #60a0b0; font-style: italic } /* Comment.PreprocFile */ 122 | .highlight .c1 { color: #60a0b0; font-style: italic } /* Comment.Single */ 123 | .highlight .cs { color: #60a0b0; background-color: #fff0f0 } /* Comment.Special */ 124 | .highlight .gd { color: #A00000 } /* Generic.Deleted */ 125 | .highlight .ge { font-style: italic } /* Generic.Emph */ 126 | .highlight .gr { color: #FF0000 } /* Generic.Error */ 127 | .highlight .gh { color: #000080; font-weight: bold } /* Generic.Heading */ 128 | .highlight .gi { color: #00A000 } /* Generic.Inserted */ 129 | .highlight .go { color: #888888 
} /* Generic.Output */ 130 | .highlight .gp { color: #c65d09; font-weight: bold } /* Generic.Prompt */ 131 | .highlight .gs { font-weight: bold } /* Generic.Strong */ 132 | .highlight .gu { color: #800080; font-weight: bold } /* Generic.Subheading */ 133 | .highlight .gt { color: #0044DD } /* Generic.Traceback */ 134 | .highlight .kc { color: #007020; font-weight: bold } /* Keyword.Constant */ 135 | .highlight .kd { color: #007020; font-weight: bold } /* Keyword.Declaration */ 136 | .highlight .kn { color: #007020; font-weight: bold } /* Keyword.Namespace */ 137 | .highlight .kp { color: #007020 } /* Keyword.Pseudo */ 138 | .highlight .kr { color: #007020; font-weight: bold } /* Keyword.Reserved */ 139 | .highlight .kt { color: #902000 } /* Keyword.Type */ 140 | .highlight .m { color: #40a070 } /* Literal.Number */ 141 | .highlight .s { color: #4070a0 } /* Literal.String */ 142 | .highlight .na { color: #4070a0 } /* Name.Attribute */ 143 | .highlight .nb { color: #007020 } /* Name.Builtin */ 144 | .highlight .nc { color: #0e84b5; font-weight: bold } /* Name.Class */ 145 | .highlight .no { color: #60add5 } /* Name.Constant */ 146 | .highlight .nd { color: #555555; font-weight: bold } /* Name.Decorator */ 147 | .highlight .ni { color: #d55537; font-weight: bold } /* Name.Entity */ 148 | .highlight .ne { color: #007020 } /* Name.Exception */ 149 | .highlight .nf { color: #06287e } /* Name.Function */ 150 | .highlight .nl { color: #002070; font-weight: bold } /* Name.Label */ 151 | .highlight .nn { color: #0e84b5; font-weight: bold } /* Name.Namespace */ 152 | .highlight .nt { color: #062873; font-weight: bold } /* Name.Tag */ 153 | .highlight .nv { color: #bb60d5 } /* Name.Variable */ 154 | .highlight .ow { color: #007020; font-weight: bold } /* Operator.Word */ 155 | .highlight .w { color: #bbbbbb } /* Text.Whitespace */ 156 | .highlight .mb { color: #40a070 } /* Literal.Number.Bin */ 157 | .highlight .mf { color: #40a070 } /* Literal.Number.Float */ 158 | .highlight 
.mh { color: #40a070 } /* Literal.Number.Hex */ 159 | .highlight .mi { color: #40a070 } /* Literal.Number.Integer */ 160 | .highlight .mo { color: #40a070 } /* Literal.Number.Oct */ 161 | .highlight .sa { color: #4070a0 } /* Literal.String.Affix */ 162 | .highlight .sb { color: #4070a0 } /* Literal.String.Backtick */ 163 | .highlight .sc { color: #4070a0 } /* Literal.String.Char */ 164 | .highlight .dl { color: #4070a0 } /* Literal.String.Delimiter */ 165 | .highlight .sd { color: #4070a0; font-style: italic } /* Literal.String.Doc */ 166 | .highlight .s2 { color: #4070a0 } /* Literal.String.Double */ 167 | .highlight .se { color: #4070a0; font-weight: bold } /* Literal.String.Escape */ 168 | .highlight .sh { color: #4070a0 } /* Literal.String.Heredoc */ 169 | .highlight .si { color: #70a0d0; font-style: italic } /* Literal.String.Interpol */ 170 | .highlight .sx { color: #c65d09 } /* Literal.String.Other */ 171 | .highlight .sr { color: #235388 } /* Literal.String.Regex */ 172 | .highlight .s1 { color: #4070a0 } /* Literal.String.Single */ 173 | .highlight .ss { color: #517918 } /* Literal.String.Symbol */ 174 | .highlight .bp { color: #007020 } /* Name.Builtin.Pseudo */ 175 | .highlight .fm { color: #06287e } /* Name.Function.Magic */ 176 | .highlight .vc { color: #bb60d5 } /* Name.Variable.Class */ 177 | .highlight .vg { color: #bb60d5 } /* Name.Variable.Global */ 178 | .highlight .vi { color: #bb60d5 } /* Name.Variable.Instance */ 179 | .highlight .vm { color: #bb60d5 } /* Name.Variable.Magic */ 180 | .highlight .il { color: #40a070 } /* Literal.Number.Integer.Long */ 181 | .examples, .highlight.jumbotron, .card-header { 182 | padding: 0rem !important; 183 | } 184 | .jumbotron { 185 | margin-bottom: 0px !important; 186 | } 187 | 188 | .badge { 189 | font-size: 80% !important; 190 | margin-bottom: 0px !important; 191 | } 192 | h2, h4, .h2, .h4 { 193 | font-size: 100% !important; 194 | } 195 | .btn.btn-link { 196 | font-size: 16px; 197 | } 198 | 
.property-name-button { 199 | padding: 0px 5px; 200 | } 201 | .btn.btn-primary { 202 | margin: 5px; 203 | } 204 | 205 | p { 206 | margin-bottom: 0px; 207 | } 208 | 209 | .list-group-item { 210 | padding: 3px 8px; 211 | } 212 | 213 | .pl-5, .card-body { 214 | padding-left: 0.5em !important; 215 | } 216 | 217 | #root h1:before { 218 | background: url("https://cve.mitre.org/images/cvelogobanner.png") no-repeat; 219 | background-size: contain; 220 | background-position-y: center; 221 | width: 120px; 222 | height: 30px; 223 | display: inline-block; 224 | content: ""; 225 | } 226 | 227 | span.description ~ p { 228 | display: inline-block; 229 | margin-right: 3px; 230 | } 231 | -------------------------------------------------------------------------------- /schema/docs/schema_doc.min.js: -------------------------------------------------------------------------------- 1 | function flashElement(t){myElement=document.getElementById(t),myElement.classList.add("jsfh-animated-property"),setTimeout(function(){myElement.classList.remove("jsfh-animated-property")},1e3)}function setAnchor(t){history.pushState({},"",t)}function anchorOnLoad(){let t=window.location.hash.split("?")[0].split("&")[0];"#"===t[0]&&(t=t.substr(1)),t.length>0&&anchorLink(t)}function anchorLink(t){$("#"+t).parents().addBack().filter(".collapse:not(.show), .tab-pane, [role='tab']").each(function(t){if($(this).hasClass("collapse"))$(this).collapse("show");else if($(this).hasClass("tab-pane")){const t=$("a[href='#"+$(this).attr("id")+"']");t&&t.tab("show")}else"tab"===$(this).attr("role")&&$(this).tab("show")}),setTimeout(function(){let e=document.getElementById(t);e&&(e.scrollIntoView({block:"center",behavior:"smooth"}),setTimeout(function(){flashElement(t)},500))},1e3)}$(document).on("click",'a[href^="#"]',function(t){t.preventDefault(),history.pushState({},"",this.href)}); -------------------------------------------------------------------------------- /schema/imports/cvss/README.md: 
-------------------------------------------------------------------------------- 1 | ATTENTION: The files in this folder are local modified versions of the CVSS JSON schemas [maintained](https://www.first.org/cvss/data-representations) by the [Forum of Incident Response and Security Teams](https://www.first.org/) (FIRST). Changes have been made to correct bug fixes in certain validators and to provide additional validation in older cvss schemas. 2 | -------------------------------------------------------------------------------- /schema/imports/cvss/cvss-v2.0.json: -------------------------------------------------------------------------------- 1 | { 2 | "license": [ 3 | "Copyright (c) 2017, FIRST.ORG, INC.", 4 | "All rights reserved.", 5 | "", 6 | "Redistribution and use in source and binary forms, with or without modification, are permitted provided that the ", 7 | "following conditions are met:", 8 | "1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following ", 9 | " disclaimer.", 10 | "2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the ", 11 | " following disclaimer in the documentation and/or other materials provided with the distribution.", 12 | "3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote ", 13 | " products derived from this software without specific prior written permission.", 14 | "", 15 | "THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 'AS IS' AND ANY EXPRESS OR IMPLIED WARRANTIES, ", 16 | "INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ", 17 | "DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ", 18 | "SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ", 19 | "SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, ", 20 | "WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE ", 21 | "OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE." 22 | ], 23 | 24 | "$schema": "http://json-schema.org/draft-04/schema#", 25 | "title": "JSON Schema for Common Vulnerability Scoring System version 2.0", 26 | "id": "https://www.first.org/cvss/cvss-v2.0.json?20170531", 27 | "type": "object", 28 | "definitions": { 29 | "accessVectorType": { 30 | "type": "string", 31 | "enum": [ "NETWORK", "ADJACENT_NETWORK", "LOCAL" ] 32 | }, 33 | "accessComplexityType": { 34 | "type": "string", 35 | "enum": [ "HIGH", "MEDIUM", "LOW" ] 36 | }, 37 | "authenticationType": { 38 | "type": "string", 39 | "enum": [ "MULTIPLE", "SINGLE", "NONE" ] 40 | }, 41 | "ciaType": { 42 | "type": "string", 43 | "enum": [ "NONE", "PARTIAL", "COMPLETE" ] 44 | }, 45 | "exploitabilityType": { 46 | "type": "string", 47 | "enum": [ "UNPROVEN", "PROOF_OF_CONCEPT", "FUNCTIONAL", "HIGH", "NOT_DEFINED" ] 48 | }, 49 | "remediationLevelType": { 50 | "type": "string", 51 | "enum": [ "OFFICIAL_FIX", "TEMPORARY_FIX", "WORKAROUND", "UNAVAILABLE", "NOT_DEFINED" ] 52 | }, 53 | "reportConfidenceType": { 54 | "type": "string", 55 | "enum": [ "UNCONFIRMED", "UNCORROBORATED", "CONFIRMED", "NOT_DEFINED" ] 56 | }, 57 | "collateralDamagePotentialType": { 58 | "type": "string", 59 | "enum": [ "NONE", "LOW", "LOW_MEDIUM", "MEDIUM_HIGH", "HIGH", "NOT_DEFINED" ] 60 | }, 61 | "targetDistributionType": { 62 | "type": "string", 63 | "enum": [ "NONE", "LOW", "MEDIUM", "HIGH", "NOT_DEFINED" ] 64 | }, 65 | "ciaRequirementType": { 66 | "type": 
"string", 67 | "enum": [ "LOW", "MEDIUM", "HIGH", "NOT_DEFINED" ] 68 | }, 69 | "scoreType": { 70 | "type": "number", 71 | "minimum": 0, 72 | "maximum": 10 73 | } 74 | }, 75 | "properties": { 76 | "version": { 77 | "description": "CVSS Version", 78 | "type": "string", 79 | "enum": [ "2.0" ] 80 | }, 81 | "vectorString": { 82 | "type": "string", 83 | "pattern": "^((AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))/)*(AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))$" 84 | }, 85 | "accessVector": { "$ref": "#/definitions/accessVectorType" }, 86 | "accessComplexity": { "$ref": "#/definitions/accessComplexityType" }, 87 | "authentication": { "$ref": "#/definitions/authenticationType" }, 88 | "confidentialityImpact": { "$ref": "#/definitions/ciaType" }, 89 | "integrityImpact": { "$ref": "#/definitions/ciaType" }, 90 | "availabilityImpact": { "$ref": "#/definitions/ciaType" }, 91 | "baseScore": { "$ref": "#/definitions/scoreType" }, 92 | "exploitability": { "$ref": "#/definitions/exploitabilityType" }, 93 | "remediationLevel": { "$ref": "#/definitions/remediationLevelType" }, 94 | "reportConfidence": { "$ref": "#/definitions/reportConfidenceType" }, 95 | "temporalScore": { "$ref": "#/definitions/scoreType" }, 96 | "collateralDamagePotential": { "$ref": "#/definitions/collateralDamagePotentialType" }, 97 | "targetDistribution": { "$ref": "#/definitions/targetDistributionType" }, 98 | "confidentialityRequirement": { "$ref": "#/definitions/ciaRequirementType" }, 99 | "integrityRequirement": { "$ref": "#/definitions/ciaRequirementType" }, 100 | "availabilityRequirement": { "$ref": "#/definitions/ciaRequirementType" }, 101 | "environmentalScore": { "$ref": "#/definitions/scoreType" } 102 | }, 103 | "required": [ "version", "vectorString", "baseScore" ], 104 | "additionalProperties": false 
105 | } 106 | -------------------------------------------------------------------------------- /schema/support/CVE_4_to_5_converter/cve_record_dates.json.example: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "cve_identifier" : "CVE-2010-0001", 4 | "reserved_date" : "2010-06-07", 5 | "disclosure_date" : null, 6 | "populated_date" : "2010-08-08 05:00:00.000000", 7 | "history_date" : "2010-12-17 00:00:00.000000", 8 | "HType" : "Modified" 9 | }, 10 | { 11 | "cve_identifier" : "CVE-1999-7001", 12 | "reserved_date" : "1999-06-07", 13 | "disclosure_date" : null, 14 | "populated_date" : "2000-06-04 05:00:00.000000", 15 | "history_date" : "2005-11-12 00:00:00.000000", 16 | "HType" : "Modified" 17 | }, 18 | { 19 | "cve_identifier" : "CVE-2001-2001", 20 | "reserved_date" : "2001-06-07", 21 | "disclosure_date" : null, 22 | "populated_date" : "2002-02-04 05:00:00.000000", 23 | "history_date" : "2007-12-17 00:00:00.000000", 24 | "HType" : "Modified" 25 | }, 26 | { 27 | "cve_identifier" : "CVE-2008-3001", 28 | "reserved_date" : "2008-06-07", 29 | "disclosure_date" : null, 30 | "populated_date" : "2009-02-04 05:00:00.000000", 31 | "history_date" : "2008-03-21 10:00:00.000000", 32 | "HType" : "Modified" 33 | }, 34 | { 35 | "cve_identifier" : "CVE-2003-6001", 36 | "reserved_date" : "2003-06-07", 37 | "disclosure_date" : null, 38 | "populated_date" : "2004-02-04 05:00:00.000000", 39 | "history_date" : "2003-07-28 00:00:00.000000", 40 | "HType" : "Proposed" 41 | } 42 | ] 43 | -------------------------------------------------------------------------------- /schema/support/CVE_4_to_5_converter/ref_tag_map.json: -------------------------------------------------------------------------------- 1 | { 2 | "referenceMaps":[ 3 | { 4 | "v4":"AIXAPAR", 5 | "v5":["vendor-advisory"] 6 | },{ 7 | "v4":"ALLAIRE", 8 | "v5":["vendor-advisory"] 9 | },{ 10 | "v4":"APPLE", 11 | "v5":["vendor-advisory"] 12 | },{ 13 | "v4":"ASCEND", 14 | 
"v5":["vendor-advisory"] 15 | },{ 16 | "v4":"ATSTAKE", 17 | "v5":["vendor-advisory"] 18 | },{ 19 | "v4":"AUSCERT", 20 | "v5":["third-party-advisory"] 21 | },{ 22 | "v4":"BEA", 23 | "v5":["vendor-advisory"] 24 | },{ 25 | "v4":"BID", 26 | "v5":["vdb-entry"] 27 | },{ 28 | "v4":"BINDVIEW", 29 | "v5":["vendor-advisory"] 30 | },{ 31 | "v4":"BUGTRAQ", 32 | "v5":["mailing-list"] 33 | },{ 34 | "v4":"CALDERA", 35 | "v5":["vendor-advisory"] 36 | },{ 37 | "v4":"CERT", 38 | "v5":["third-party-advisory"] 39 | },{ 40 | "v4":"CERT-VN", 41 | "v5":["third-party-advisory"] 42 | },{ 43 | "v4":"CHECKPOINT", 44 | "v5":["vendor-advisory"] 45 | },{ 46 | "v4":"CIAC", 47 | "v5":["third-party-advisory", "government-resource"] 48 | },{ 49 | "v4":"CISCO", 50 | "v5":["vendor-advisory"] 51 | },{ 52 | "v4":"COMPAQ", 53 | "v5":["vendor-advisory"] 54 | },{ 55 | "v4":"CONECTIVA", 56 | "v5":["vendor-advisory"] 57 | },{ 58 | "v4":"DEBIAN", 59 | "v5":["vendor-advisory"] 60 | },{ 61 | "v4":"EEYE", 62 | "v5":["third-party-advisory"] 63 | },{ 64 | "v4":"EL8", 65 | "v5":["vendor-advisory"] 66 | },{ 67 | "v4":"ENGARDE", 68 | "v5":["vendor-advisory"] 69 | },{ 70 | "v4":"ERS", 71 | "v5":["vendor-advisory"] 72 | },{ 73 | "v4":"EXPLOIT-DB", 74 | "v5":["exploit"] 75 | },{ 76 | "v4":"FARMERVENEMA", 77 | "v5":["technical-description"] 78 | },{ 79 | "v4":"FEDORA", 80 | "v5":["vendor-advisory"] 81 | },{ 82 | "v4":"FREEBSD", 83 | "v5":["vendor-advisory"] 84 | },{ 85 | "v4":"FRSIRT", 86 | "v5":["third-party-advisory"] 87 | },{ 88 | "v4":"FULLDISC", 89 | "v5":["mailing-list"] 90 | },{ 91 | "v4":"GENTOO", 92 | "v5":["vendor-advisory"] 93 | },{ 94 | "v4":"HERT", 95 | "v5":["vendor-advisory"] 96 | },{ 97 | "v4":"HP", 98 | "v5":["vendor-advisory"] 99 | },{ 100 | "v4":"HPBUG", 101 | "v5":["issue-tracking"] 102 | },{ 103 | "v4":"IBM", 104 | "v5":["vendor-advisory"] 105 | },{ 106 | "v4":"IDEFENSE", 107 | "v5":["third-party-advisory"] 108 | },{ 109 | "v4":"IMMUNIX", 110 | "v5":["vendor-advisory"] 111 | },{ 112 | 
"v4":"INFOWAR", 113 | "v5":["third-party-advisory"] 114 | },{ 115 | "v4":"ISS", 116 | "v5":["third-party-advisory"] 117 | },{ 118 | "v4":"JVN", 119 | "v5":["third-party-advisory"] 120 | },{ 121 | "v4":"JVNDB", 122 | "v5":["third-party-advisory"] 123 | },{ 124 | "v4":"KSRT", 125 | "v5":["vendor-advisory"] 126 | },{ 127 | "v4":"L0PHT", 128 | "v5":["vendor-advisory"] 129 | },{ 130 | "v4":"MANDRAKE", 131 | "v5":["vendor-advisory"] 132 | },{ 133 | "v4":"MANDRIVA", 134 | "v5":["vendor-advisory"] 135 | },{ 136 | "v4":"MILW0RM", 137 | "v5":["exploit"] 138 | },{ 139 | "v4":"MLIST", 140 | "v5":["mailing-list"] 141 | },{ 142 | "v4":"MS", 143 | "v5":["vendor-advisory"] 144 | },{ 145 | "v4":"MSKB", 146 | "v5":["vendor-advisory"] 147 | },{ 148 | "v4":"NAI", 149 | "v5":["vendor-advisory"] 150 | },{ 151 | "v4":"NETBSD", 152 | "v5":["vendor-advisory"] 153 | },{ 154 | "v4":"NETECT", 155 | "v5":["broken-link"] 156 | },{ 157 | "v4":"NTBUGTRAQ", 158 | "v5":["mailing-list"] 159 | },{ 160 | "v4":"OPENBSD", 161 | "v5":["vendor-advisory"] 162 | },{ 163 | "v4":"OPENPKG", 164 | "v5":["vendor-advisory"] 165 | },{ 166 | "v4":"OSVDB", 167 | "v5":["vdb-entry"] 168 | },{ 169 | "v4":"OVAL", 170 | "v5":["vdb-entry", "signature"] 171 | },{ 172 | "v4":"REDHAT", 173 | "v5":["vendor-advisory"] 174 | },{ 175 | "v4":"RSI", 176 | "v5":["vendor-advisory"] 177 | },{ 178 | "v4":"SCO", 179 | "v5":["vendor-advisory"] 180 | },{ 181 | "v4":"SECTRACK", 182 | "v5":["vdb-entry"] 183 | },{ 184 | "v4":"SECUNIA", 185 | "v5":["third-party-advisory"] 186 | },{ 187 | "v4":"SEKURE", 188 | "v5":["vendor-advisory"] 189 | },{ 190 | "v4":"SF-INCIDENTS", 191 | "v5":["mailing-list"] 192 | },{ 193 | "v4":"SGI", 194 | "v5":["vendor-advisory"] 195 | },{ 196 | "v4":"SLACKWARE", 197 | "v5":["vendor-advisory"] 198 | },{ 199 | "v4":"SNI", 200 | "v5":["vendor-advisory"] 201 | },{ 202 | "v4":"SREASON", 203 | "v5":["third-party-advisory"] 204 | },{ 205 | "v4":"SREASONRES", 206 | "v5":["third-party-advisory"] 207 | },{ 208 | "v4":"SUN", 
209 | "v5":["vendor-advisory"] 210 | },{ 211 | "v4":"SUNALERT", 212 | "v5":["vendor-advisory"] 213 | },{ 214 | "v4":"SUNBUG", 215 | "v5":["issue-tracking"] 216 | },{ 217 | "v4":"SUSE", 218 | "v5":["vendor-advisory"] 219 | },{ 220 | "v4":"TRUSTIX", 221 | "v5":["vendor-advisory"] 222 | },{ 223 | "v4":"TURBO", 224 | "v5":["vendor-advisory"] 225 | },{ 226 | "v4":"UBUNTU", 227 | "v5":["vendor-advisory"] 228 | },{ 229 | "v4":"URL", 230 | "v5":["related"] 231 | },{ 232 | "v4":"VIM", 233 | "v5":["mailing-list"] 234 | },{ 235 | "v4":"VULN-DEV", 236 | "v5":["mailing-list"] 237 | },{ 238 | "v4":"VULNWATCH", 239 | "v5":["mailing-list"] 240 | },{ 241 | "v4":"VUPEN", 242 | "v5":["vdb-entry"] 243 | },{ 244 | "v4":"WIN2KSEC", 245 | "v5":["mailing-list"] 246 | },{ 247 | "v4":"XF", 248 | "v5":["vdb-entry"] 249 | } 250 | ] 251 | } 252 | -------------------------------------------------------------------------------- /schema/support/CVE_4_to_5_converter/settings_example.py: -------------------------------------------------------------------------------- 1 | # variables to access IDR services 2 | # the CPS acts on behalf of the secretariat (is `mitre`) 3 | # using the IDR requires cloning the `cve-services` repository, too 4 | AWG_IDR_ENDPOINT_HEALTHCHECK="/health-check" 5 | AWG_SERVICE_TIMEOUT = 30 6 | 7 | AWG_IDR_SERVICE_URL="http://localhost:3000/api" 8 | AWG_USER_CNA_NAME="cna_name" 9 | AWG_USER_KEY="123456-1234567-1234567-1234567" # this is your secret key; the value here is a placeholder, keep the real one out of version control 10 | AWG_USER_UUID = "" # the UUID for your user 11 | AWG_USER_NAME="someone@somewhere.com" 12 | AWG_USER_ORG_UUID = "" # the UUID for your organization 13 | AWG_ORG_SHORT_NAME="" # the short name of your organization 14 | 15 | -------------------------------------------------------------------------------- /schema/support/CVE_4_to_5_converter/user_map_example.csv: -------------------------------------------------------------------------------- 1 | manual@hack.bob,fake,fake,cnaShortName,notacna 2 |  3 |
-------------------------------------------------------------------------------- /schema/support/Node_Validator/.gitignore: -------------------------------------------------------------------------------- 1 | node_modules/ 2 | .DS_Store -------------------------------------------------------------------------------- /schema/support/Node_Validator/README.md: -------------------------------------------------------------------------------- 1 | # This is a json validator for the JSON schema v5.0 2 | 3 | ## Usage 4 | 5 | ##### 1. Download and install [node.js](https://nodejs.org/en/download/) 6 | 7 | ##### 2. Go to the node validator 8 | 9 | ``` 10 | cd cve_json_schema/v5.x_discuss/support/Node_Validator 11 | ``` 12 | 13 | ##### 3. Run validator in CLI 14 | 15 | To validate one or more files 16 |
    17 | 
    18 |    $ node validate.js file-1.json file-2.json ... 
    19 |    file-1.json is valid.
    20 |    file-2.json is invalid!
    21 |    Summary: Validation FAILED for 1 out of 2 files!
    22 | 
    23 | 
    24 | 25 | To validate a list of files in a file or on stdin: 26 |
    27 |    $ cat list.txt | node validate.js -e 
    28 | 
    29 |    $ find directory1 -name '*.json' | node validate.js -e
    30 |    directory1/file1.json is valid.
    31 |    Summary: All files PASSED validation.
    32 | 
    33 | 34 | To validate a single file via stdin: 35 | ``` 36 | $ cat file.json | node validate.js 37 | ``` 38 | 39 | ##### 4. Use validator in a NodeJS program 40 | 41 | ``` 42 | const validateCve = require('./dist/cve5validator.js') 43 | 44 | if (validateCve(cveJsonObject)) { 45 | // cveJsonObject is valid 46 | } else { 47 | // cveJsonObject is invalid. Errors are in validateCve.errors 48 | } 49 | 50 | ``` 51 | 52 | ##### 5. Generate an HTML report of validation 53 | 54 | ``` 55 | $ find directory1 -name '*.json' | node reportValidation.js > output.html 56 | ``` 57 | 58 | Example report: https://chandanbn.github.io/notes/cve5-validation-errors-Jan26.html 59 | 60 | ##### 6. Development: Build the standalone validator library dist/cve5validator.js compiled from the bundled CVE JSON schema. 61 | 62 | ``` 63 | $ npm install 64 | $ node build.js 65 | ``` 66 | 67 | This creates a standalone validator module at ./dist/cve5validator.js based on the bundled CVE JSON schema. 68 | When the schema is updated, a new validator module needs to be built using build.js; until then, validate.js and reportValidation.js keep validating against the previously built schema.
69 | -------------------------------------------------------------------------------- /schema/support/Node_Validator/build.js: -------------------------------------------------------------------------------- 1 | const fs = require("fs") 2 | const path = require("path") 3 | const Ajv = require('ajv').default; 4 | const standaloneCode = require("ajv/dist/standalone").default 5 | const addFormats = require('ajv-formats').default; 6 | /* NOTE(review): the repository file listing shows CVE_Record_Format_bundled.json under schema/docs and no CVE_JSON_bundled.json; confirm this path still resolves. */ const schema = require("../../docs/CVE_JSON_bundled.json") 7 | /* reduceSchema(o): walks o recursively and deletes every string-valued description and title property, then returns the same, mutated object (presumably to keep the generated module small). Object-valued entries with those names are recursed into, not deleted. NOTE(review): prop is assigned without a declaration, so it is an implicit global shared by every recursive call; declare it in the loop head. */ 8 | function reduceSchema(o) { 9 | for(prop in o) { 10 | if(typeof(o[prop])=='object') { 11 | reduceSchema(o[prop]) 12 | } else if (prop == "description" && typeof(o[prop])=='string') { 13 | delete o[prop] 14 | } else if (prop == "title" && typeof(o[prop])=='string') { 15 | delete o[prop] 16 | } 17 | } 18 | return o; 19 | } 20 | var rSchema = reduceSchema(schema); 21 | /* Compile the reduced schema with Ajv configured to emit source code, then turn the compiled validator into standalone module text. That text is written to dist/cve5validator.js below, which is the file validate.js and reportValidation.js load. */ 22 | const ajv = new Ajv({code: {source: true, optimize: 10}}) 23 | addFormats(ajv); 24 | const validate = ajv.compile(rSchema) 25 | let moduleCode = standaloneCode(ajv, validate) 26 | 27 | // Now you can write the module code to file 28 | fs.writeFileSync(path.join(__dirname+'/dist', "cve5validator.js"), moduleCode) 29 | -------------------------------------------------------------------------------- /schema/support/Node_Validator/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Node_Validator", 3 | "version": "1.1.0", 4 | "description": "", 5 | "main": "validate.js", 6 | "scripts": { 7 | "test": "echo \"Error: no test specified\" && exit 1" 8 | }, 9 | "keywords": [], 10 | "author": "", 11 | "license": "ISC", 12 | "dependencies": { 13 | "ajv": "^8.9.0", 14 | "ajv-formats": "^2.1.1" 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /schema/support/Node_Validator/reportValidation.js: -------------------------------------------------------------------------------- 1 | const fs = require('fs'); 2 |
const readline = require('readline'); 3 | /* Help text keyed by instance path and schema keyword joined with a colon. NOTE(review): report() builds its lookup key from an assigner name and a path rather than a path and a keyword, so these entries look unreachable; confirm. */ const docs= { 4 | '/containers/cna/affected/product:maxLength': "Product name is too long! If you are listing multiple products, please use separate product objects.", 5 | '/containers/cna/affected/product:minLength': "A product name is required.", 6 | '/containers/cna/affected/versions/version:maxLength': "Version name is too long! If you are listing multiple versions, please encode as an array of version objects.", 7 | '/containers/cna/metrics/cvssV3_0:required': "CVSS objects are incomplete. Please provide a valid vectorString at the minimum in your CVE-JSON v4 submission." 8 | 9 | } 10 | /* 11 | function cvePath(value) { 12 | var realId = value.match(/(CVE-(\d{4})-(\d{1,12})(\d{3}))/); 13 | if (realId) { 14 | var id = realId[1]; 15 | var year = realId[2]; 16 | var bucket = realId[3]; 17 | return (year + '/' + bucket + 'xxx/' + id + '.json') 18 | } 19 | } 20 | */ 21 | const validateCve = require('./dist/cve5validator.js') 22 | var errorStat = {}; 23 | var warnStat = {}; 24 | var errorCount = {}; 25 | var yStat = {}; 26 | var invalid = 0; 27 | var warns = 0; 28 | var total = 0; 29 | /* Instance paths whose schema errors are skipped when mapped to a truthy value; the references/url entry is 0, so its errors are still reported. */ var ignore = { '': 1, '/cveMetadata/state': 1, '/containers/cna/references/url': 0} 30 | /* validate(line): treats line as a file path, takes a CVE id and year from the path text, parses the file as JSON, records any containers.cna.x_ConverterErrors as warnings and any schema errors from validateCve, all grouped by assigner. Read or parse failures, and records that have containers but no cna, throw and are logged by the outer catch without being counted. NOTE(review): the assigner, the x_ConverterErrors keys and their error text come from the record itself and are later printed by report() without escaping; the README redirects that output to an .html file, so escape these values or run the report only on trusted records. */ function validate(line) { 31 | if (line) { 32 | var parts = line.match(/(CVE-(\d+)-\d+)/); 33 | var year = "unknown"; 34 | var id = "unknown"; 35 | if (parts) { 36 | year = parts[2]; 37 | id = parts[1]; 38 | } 39 | try { 40 | if (!fs.lstatSync(line).isDirectory()) { 41 | var cveFile = fs.readFileSync(line); 42 | var cve = JSON.parse(cveFile); 43 | var warnings = cve.containers?.cna.x_ConverterErrors; 44 | //delete cve.x_ValidationErrors; 45 | var assigner = "default"; 46 | try { 47 | assigner = cve.containers?.cna?.x_legacyV4Record?.CVE_data_meta?.ASSIGNER; 48 | if(!assigner) { 49 | assigner = cve.containers?.cna?.providerMetadata?.shortName; 50 | } 51 | } catch (e) { 52 | console.error(e.message); 53 | } 54 | total++; 55 | 56 | if(warnings) { 57 |
warns++; 58 | /* NOTE(review): errorCount[assigner] can still be undefined here, since it is only set to 0 inside the loop below; for a first-seen assigner this increment yields NaN and the loop then resets it to 0, so this file is not counted. */ errorCount[assigner]++; 59 | for (const key in warnings) { 60 | var w = 'Warning: ' + warnings[key].error; 61 | //console.log(key); 62 | if(!errorStat[assigner]) { 63 | errorStat[assigner] = {} 64 | errorCount[assigner] = 0 65 | } 66 | if(!errorStat[assigner][key]) { 67 | errorStat[assigner][key] = []; 68 | } 69 | if(!errorStat[assigner][key][w]) { 70 | errorStat[assigner][key][w] = []; 71 | } 72 | errorStat[assigner][key][w].push(id); 73 | } 74 | } 75 | var valid = validateCve(cve); 76 | if (!valid) { 77 | var errseen = false; 78 | validateCve.errors.forEach(err => { 79 | /* Drop numeric array indexes from the instance path so errors at different positions group under one key. */ var path = err.instancePath.replace(/\/\d+\/?/g, "/") 80 | if (!ignore[path]) { 81 | var e = 'Error: ' + err.keyword; 82 | if (!errorStat[assigner]) { 83 | errorStat[assigner] = {} 84 | errorCount[assigner] = 0 85 | } 86 | if (!errorStat[assigner][path]) { 87 | errorStat[assigner][path] = {} 88 | } 89 | if (!errorStat[assigner][path][e]) { 90 | errorStat[assigner][path][e] = [] 91 | } 92 | errorStat[assigner][path][e].push(id); 93 | errseen = true; 94 | } 95 | }); 96 | if (errseen) { 97 | errorCount[assigner]++; 98 | invalid++; 99 | yStat[year] ? yStat[year]++ : (yStat[year] = 1); 100 | } 101 | } 102 | } 103 | } catch (e) { 104 | console.error(e.message); 105 | } 106 | } 107 | } 108 | /* Example error 109 | { 110 | instancePath: '/cveMetadata/state', 111 | schemaPath: '#/properties/state/enum', 112 | keyword: 'enum', 113 | params: { allowedValues: [Array] }, 114 | message: 'must be equal to one of the allowed values' 115 | }, 116 | */ 117 | var rl = readline.createInterface({ 118 | input: process.stdin, 119 | output: process.stdout, 120 | terminal: false 121 | }); 122 | 123 | function report() { 124 | console.log(` 125 | 138 |

    139 | ${total} upconverted CVEs: ${warns} warnings and ${invalid} errors. 140 |

    141 | `) 142 | for (const y in yStat) { 143 | console.log(`
  • year ${y} - ${yStat[y]}
  • `) 144 | } 145 | 146 | Object.keys(errorStat).sort().forEach(x => { 147 | var domain = x.substring(x.indexOf('@') + 1) 148 | console.log(`

    ${domain} [link]

    `) 149 | for (const k in errorStat[x]) { 150 | var alist = errorStat[x][k]; 151 | for (const a in alist) { 152 | var ids = [...new Set(alist[a])]; 153 | console.log(`
    [${ids.length} CVEs] ${a} - field ${k} [link]:`) 154 | if(docs[x + ':' + k]) { 155 | console.log(`

    `+docs[x + ':' + k]+'

    ') 156 | } 157 | console.log('
    ') 158 | for (const c of ids.sort()) { 159 | console.log(` ${c}`) 160 | } 161 | console.log('
    ') 162 | } 163 | } 164 | }); 165 | } 166 | 167 | rl.on('line', validate) 168 | rl.on('close', report) -------------------------------------------------------------------------------- /schema/support/Node_Validator/validate.js: -------------------------------------------------------------------------------- 1 | const fs = require('fs'); 2 | const readline = require('readline'); 3 | const validateCve = require('./dist/cve5validator.js') 4 | var invalid = 0; 5 | var total = 0; 6 | /* validateFile(line): treats line as a path, skips directories, parses the file as JSON and checks it with the prebuilt validator, printing the result and updating total and invalid. NOTE(review): a file that cannot be read or parsed is only logged in the catch block and is counted in neither total nor invalid, so report() can still print that all files passed; count such files as failures. */ function validateFile(line) { 7 | if (line) { 8 | try { 9 | if (!fs.lstatSync(line).isDirectory()) { 10 | var cveFile = fs.readFileSync(line); 11 | var cve = JSON.parse(cveFile); 12 | total++; 13 | var valid = validateCve(cve); 14 | if (!valid) { 15 | invalid++; 16 | console.log(line + ' is invalid:'); 17 | console.log(validateCve.errors); 18 | } else { 19 | console.log(line + ' is valid.'); 20 | } 21 | } 22 | } catch (e) { 23 | console.error(e.message); 24 | } 25 | } 26 | } 27 | /* report(): prints the summary line from the invalid and total counters. NOTE(review): nothing in this file sets a non-zero exit status, so a caller that gates on the exit code, such as a CI job, would not see failed validations; confirm how callers detect failure. */ 28 | function report() { 29 | if (invalid == 0) { 30 | console.log(`Summary: All files PASSED validation.`) 31 | } else { 32 | console.log(`Summary: Validation FAILED for ${invalid} out of ${total} files!`) 33 | } 34 | } 35 | var usage = ` 36 | To validate one or more files 37 | $ node validate.js [file-1.json] [file-2.json] ...
38 | 39 | To validate a list of files in a file or on stdin: 40 | $ cat list.txt | node validate.js -e 41 | $ find directory -name '*.json' | node validate.js -e 42 | 43 | To validate a single file via stdin: 44 | $ cat file.json | node validate.js 45 | 46 | ` 47 | /* Entry point. With arguments: -? or -h prints the usage text, -e reads one file path per line from stdin, and anything else is treated as a list of file paths. With no arguments a single JSON document is read from stdin (file descriptor 0) and validated directly. Any exception on these paths is caught below, and its message and the usage text are printed. NOTE(review): i in the for loop is never declared, so it is an implicit global. */ try { 48 | if (process.argv.length >= 3) { 49 | if (process.argv[2] && (process.argv[2].startsWith("-?") || process.argv[2].startsWith("-h"))) { 50 | console.log(usage) 51 | } else if (process.argv[2] && process.argv[2] == '-e') { 52 | var rl = readline.createInterface({ 53 | input: process.stdin, 54 | output: process.stdout, 55 | terminal: false 56 | }); 57 | rl.on('line', validateFile) 58 | rl.on('close', report) 59 | } else { 60 | for (i = 2; i < process.argv.length; i++) { 61 | validateFile(process.argv[i]); 62 | } 63 | report(); 64 | } 65 | } else { 66 | var cve = fs.readFileSync(0, 'utf-8'); 67 | var valid = validateCve(JSON.parse(cve)); 68 | if (!valid) { 69 | console.log('Input is invalid:'); 70 | console.log(validateCve.errors); 71 | } else 72 | console.log('Input is valid.'); 73 | } 74 | } catch (e) { 75 | console.log(e.message); 76 | console.log(usage); 77 | } -------------------------------------------------------------------------------- /schema/support/Python3.x_Validator/D7Validator.py: -------------------------------------------------------------------------------- 1 | from jsonschema import * 2 | import json 3 | import sys 4 | 5 | jsource = None 6 | jschema = None 7 | 8 | if len(sys.argv) == 3: 9 | argv = sys.argv 10 | jsource = json.load(open(argv[1])) #'cve502example.json' 11 | jschema = json.load(open(argv[2])) #'cve502.schema' 12 | 13 | D7validator = Draft7Validator(jschema) 14 | hasErrors = 0 15 | for error in sorted(D7validator.iter_errors(jsource), key=str): 16 | hasErrors += 1 17 | print('Schema object with error: ', error.validator) 18 | print('ERROR CONTEXT', error.context) 19 | #print(error.message) 20 | print('') 21 | print('---------------------------------------------') 22
| print('') 23 | 24 | if hasErrors > 0: 25 | print('Found ', hasErrors, ' error(s)') 26 | else: 27 | print('Source was valid against schema') 28 | else: 29 | print('Usage: python D7Validator.py [json source file] [json schema file]') 30 | 31 | 32 | -------------------------------------------------------------------------------- /schema/support/Python3.x_Validator/cvss-v2.0.json: -------------------------------------------------------------------------------- 1 | { 2 | "license": [ 3 | "Copyright (c) 2017, FIRST.ORG, INC.", 4 | "All rights reserved.", 5 | "", 6 | "Redistribution and use in source and binary forms, with or without modification, are permitted provided that the ", 7 | "following conditions are met:", 8 | "1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following ", 9 | " disclaimer.", 10 | "2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the ", 11 | " following disclaimer in the documentation and/or other materials provided with the distribution.", 12 | "3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote ", 13 | " products derived from this software without specific prior written permission.", 14 | "", 15 | "THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 'AS IS' AND ANY EXPRESS OR IMPLIED WARRANTIES, ", 16 | "INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ", 17 | "DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ", 18 | "SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ", 19 | "SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, ", 20 | "WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE ", 21 | "OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE." 22 | ], 23 | 24 | "$schema": "http://json-schema.org/draft-04/schema#", 25 | "title": "JSON Schema for Common Vulnerability Scoring System version 2.0", 26 | "id": "https://www.first.org/cvss/cvss-v2.0.json?20170531", 27 | "type": "object", 28 | "definitions": { 29 | "accessVectorType": { 30 | "type": "string", 31 | "enum": [ "NETWORK", "ADJACENT_NETWORK", "LOCAL" ] 32 | }, 33 | "accessComplexityType": { 34 | "type": "string", 35 | "enum": [ "HIGH", "MEDIUM", "LOW" ] 36 | }, 37 | "authenticationType": { 38 | "type": "string", 39 | "enum": [ "MULTIPLE", "SINGLE", "NONE" ] 40 | }, 41 | "ciaType": { 42 | "type": "string", 43 | "enum": [ "NONE", "PARTIAL", "COMPLETE" ] 44 | }, 45 | "exploitabilityType": { 46 | "type": "string", 47 | "enum": [ "UNPROVEN", "PROOF_OF_CONCEPT", "FUNCTIONAL", "HIGH", "NOT_DEFINED" ] 48 | }, 49 | "remediationLevelType": { 50 | "type": "string", 51 | "enum": [ "OFFICIAL_FIX", "TEMPORARY_FIX", "WORKAROUND", "UNAVAILABLE", "NOT_DEFINED" ] 52 | }, 53 | "reportConfidenceType": { 54 | "type": "string", 55 | "enum": [ "UNCONFIRMED", "UNCORROBORATED", "CONFIRMED", "NOT_DEFINED" ] 56 | }, 57 | "collateralDamagePotentialType": { 58 | "type": "string", 59 | "enum": [ "NONE", "LOW", "LOW_MEDIUM", "MEDIUM_HIGH", "HIGH", "NOT_DEFINED" ] 60 | }, 61 | "targetDistributionType": { 62 | "type": "string", 63 | "enum": [ "NONE", "LOW", "MEDIUM", "HIGH", "NOT_DEFINED" ] 64 | }, 65 | "ciaRequirementType": { 66 | "type": 
"string", 67 | "enum": [ "LOW", "MEDIUM", "HIGH", "NOT_DEFINED" ] 68 | }, 69 | "scoreType": { 70 | "type": "number", 71 | "minimum": 0, 72 | "maximum": 10 73 | } 74 | }, 75 | "properties": { 76 | "version": { 77 | "description": "CVSS Version", 78 | "type": "string", 79 | "enum": [ "2.0" ] 80 | }, 81 | "vectorString": { 82 | "type": "string", 83 | "pattern": "^((AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))/)*(AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))$" 84 | }, 85 | "accessVector": { "$ref": "#/definitions/accessVectorType" }, 86 | "accessComplexity": { "$ref": "#/definitions/accessComplexityType" }, 87 | "authentication": { "$ref": "#/definitions/authenticationType" }, 88 | "confidentialityImpact": { "$ref": "#/definitions/ciaType" }, 89 | "integrityImpact": { "$ref": "#/definitions/ciaType" }, 90 | "availabilityImpact": { "$ref": "#/definitions/ciaType" }, 91 | "baseScore": { "$ref": "#/definitions/scoreType" }, 92 | "exploitability": { "$ref": "#/definitions/exploitabilityType" }, 93 | "remediationLevel": { "$ref": "#/definitions/remediationLevelType" }, 94 | "reportConfidence": { "$ref": "#/definitions/reportConfidenceType" }, 95 | "temporalScore": { "$ref": "#/definitions/scoreType" }, 96 | "collateralDamagePotential": { "$ref": "#/definitions/collateralDamagePotentialType" }, 97 | "targetDistribution": { "$ref": "#/definitions/targetDistributionType" }, 98 | "confidentialityRequirement": { "$ref": "#/definitions/ciaRequirementType" }, 99 | "integrityRequirement": { "$ref": "#/definitions/ciaRequirementType" }, 100 | "availabilityRequirement": { "$ref": "#/definitions/ciaRequirementType" }, 101 | "environmentalScore": { "$ref": "#/definitions/scoreType" } 102 | }, 103 | "required": [ "version", "vectorString", "baseScore" ] 104 | } 105 | 
-------------------------------------------------------------------------------- /schema/support/Python3.x_Validator/cvss-v3.0.json: -------------------------------------------------------------------------------- 1 | { 2 | "license": [ 3 | "Copyright (c) 2017, FIRST.ORG, INC.", 4 | "All rights reserved.", 5 | "", 6 | "Redistribution and use in source and binary forms, with or without modification, are permitted provided that the ", 7 | "following conditions are met:", 8 | "1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following ", 9 | " disclaimer.", 10 | "2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the ", 11 | " following disclaimer in the documentation and/or other materials provided with the distribution.", 12 | "3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote ", 13 | " products derived from this software without specific prior written permission.", 14 | "", 15 | "THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 'AS IS' AND ANY EXPRESS OR IMPLIED WARRANTIES, ", 16 | "INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ", 17 | "DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ", 18 | "SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ", 19 | "SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, ", 20 | "WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE ", 21 | "OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE." 
22 | ], 23 | 24 | "$schema": "http://json-schema.org/draft-04/schema#", 25 | "title": "JSON Schema for Common Vulnerability Scoring System version 3.0", 26 | "id": "https://www.first.org/cvss/cvss-v3.0.json?20170531", 27 | "type": "object", 28 | "definitions": { 29 | "attackVectorType": { 30 | "type": "string", 31 | "enum": [ "NETWORK", "ADJACENT_NETWORK", "LOCAL", "PHYSICAL" ] 32 | }, 33 | "modifiedAttackVectorType": { 34 | "type": "string", 35 | "enum": [ "NETWORK", "ADJACENT_NETWORK", "LOCAL", "PHYSICAL", "NOT_DEFINED" ] 36 | }, 37 | "attackComplexityType": { 38 | "type": "string", 39 | "enum": [ "HIGH", "LOW" ] 40 | }, 41 | "modifiedAttackComplexityType": { 42 | "type": "string", 43 | "enum": [ "HIGH", "LOW", "NOT_DEFINED" ] 44 | }, 45 | "privilegesRequiredType": { 46 | "type": "string", 47 | "enum": [ "HIGH", "LOW", "NONE" ] 48 | }, 49 | "modifiedPrivilegesRequiredType": { 50 | "type": "string", 51 | "enum": [ "HIGH", "LOW", "NONE", "NOT_DEFINED" ] 52 | }, 53 | "userInteractionType": { 54 | "type": "string", 55 | "enum": [ "NONE", "REQUIRED" ] 56 | }, 57 | "modifiedUserInteractionType": { 58 | "type": "string", 59 | "enum": [ "NONE", "REQUIRED", "NOT_DEFINED" ] 60 | }, 61 | "scopeType": { 62 | "type": "string", 63 | "enum": [ "UNCHANGED", "CHANGED" ] 64 | }, 65 | "modifiedScopeType": { 66 | "type": "string", 67 | "enum": [ "UNCHANGED", "CHANGED", "NOT_DEFINED" ] 68 | }, 69 | "ciaType": { 70 | "type": "string", 71 | "enum": [ "NONE", "LOW", "HIGH" ] 72 | }, 73 | "modifiedCiaType": { 74 | "type": "string", 75 | "enum": [ "NONE", "LOW", "HIGH", "NOT_DEFINED" ] 76 | }, 77 | "exploitCodeMaturityType": { 78 | "type": "string", 79 | "enum": [ "UNPROVEN", "PROOF_OF_CONCEPT", "FUNCTIONAL", "HIGH", "NOT_DEFINED" ] 80 | }, 81 | "remediationLevelType": { 82 | "type": "string", 83 | "enum": [ "OFFICIAL_FIX", "TEMPORARY_FIX", "WORKAROUND", "UNAVAILABLE", "NOT_DEFINED" ] 84 | }, 85 | "confidenceType": { 86 | "type": "string", 87 | "enum": [ "UNKNOWN", "REASONABLE", 
"CONFIRMED", "NOT_DEFINED" ] 88 | }, 89 | "ciaRequirementType": { 90 | "type": "string", 91 | "enum": [ "LOW", "MEDIUM", "HIGH", "NOT_DEFINED" ] 92 | }, 93 | "scoreType": { 94 | "type": "number", 95 | "minimum": 0, 96 | "maximum": 10 97 | }, 98 | "severityType": { 99 | "type": "string", 100 | "enum": [ "NONE", "LOW", "MEDIUM", "HIGH", "CRITICAL" ] 101 | } 102 | }, 103 | "properties": { 104 | "version": { 105 | "description": "CVSS Version", 106 | "type": "string", 107 | "enum": [ "3.0" ] 108 | }, 109 | "vectorString": { 110 | "type": "string", 111 | "pattern": "^CVSS:3.0/((AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$" 112 | }, 113 | "attackVector": { "$ref": "#/definitions/attackVectorType" }, 114 | "attackComplexity": { "$ref": "#/definitions/attackComplexityType" }, 115 | "privilegesRequired": { "$ref": "#/definitions/privilegesRequiredType" }, 116 | "userInteraction": { "$ref": "#/definitions/userInteractionType" }, 117 | "scope": { "$ref": "#/definitions/scopeType" }, 118 | "confidentialityImpact": { "$ref": "#/definitions/ciaType" }, 119 | "integrityImpact": { "$ref": "#/definitions/ciaType" }, 120 | "availabilityImpact": { "$ref": "#/definitions/ciaType" }, 121 | "baseScore": { "$ref": "#/definitions/scoreType" }, 122 | "baseSeverity": { "$ref": "#/definitions/severityType" }, 123 | "exploitCodeMaturity": { "$ref": "#/definitions/exploitCodeMaturityType" }, 124 | "remediationLevel": { "$ref": "#/definitions/remediationLevelType" }, 125 | "reportConfidence": { "$ref": "#/definitions/confidenceType" }, 126 | "temporalScore": { "$ref": "#/definitions/scoreType" }, 127 | "temporalSeverity": { "$ref": "#/definitions/severityType" }, 128 | "confidentialityRequirement": { 
"$ref": "#/definitions/ciaRequirementType" }, 129 | "integrityRequirement": { "$ref": "#/definitions/ciaRequirementType" }, 130 | "availabilityRequirement": { "$ref": "#/definitions/ciaRequirementType" }, 131 | "modifiedAttackVector": { "$ref": "#/definitions/modifiedAttackVectorType" }, 132 | "modifiedAttackComplexity": { "$ref": "#/definitions/modifiedAttackComplexityType" }, 133 | "modifiedPrivilegesRequired": { "$ref": "#/definitions/modifiedPrivilegesRequiredType" }, 134 | "modifiedUserInteraction": { "$ref": "#/definitions/modifiedUserInteractionType" }, 135 | "modifiedScope": { "$ref": "#/definitions/modifiedScopeType" }, 136 | "modifiedConfidentialityImpact": { "$ref": "#/definitions/modifiedCiaType" }, 137 | "modifiedIntegrityImpact": { "$ref": "#/definitions/modifiedCiaType" }, 138 | "modifiedAvailabilityImpact": { "$ref": "#/definitions/modifiedCiaType" }, 139 | "environmentalScore": { "$ref": "#/definitions/scoreType" }, 140 | "environmentalSeverity": { "$ref": "#/definitions/severityType" } 141 | }, 142 | "required": [ "version", "vectorString", "baseScore", "baseSeverity" ] 143 | } 144 | -------------------------------------------------------------------------------- /schema/support/Python3.x_Validator/cvss-v3.1.json: -------------------------------------------------------------------------------- 1 | { 2 | "license": [ 3 | "Copyright (c) 2019, FIRST.ORG, INC.", 4 | "All rights reserved.", 5 | "", 6 | "Redistribution and use in source and binary forms, with or without modification, are permitted provided that the ", 7 | "following conditions are met:", 8 | "1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following ", 9 | " disclaimer.", 10 | "2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the ", 11 | " following disclaimer in the documentation and/or other materials provided with the distribution.", 12 | "3. 
Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote ", 13 | " products derived from this software without specific prior written permission.", 14 | "", 15 | "THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 'AS IS' AND ANY EXPRESS OR IMPLIED WARRANTIES, ", 16 | "INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ", 17 | "DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ", 18 | "SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ", 19 | "SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, ", 20 | "WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE ", 21 | "OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE." 
22 | ], 23 | 24 | "$schema": "http://json-schema.org/draft-07/schema#", 25 | "title": "JSON Schema for Common Vulnerability Scoring System version 3.1", 26 | "id": "https://www.first.org/cvss/cvss-v3.1.json?20190610", 27 | "type": "object", 28 | "definitions": { 29 | "attackVectorType": { 30 | "type": "string", 31 | "enum": [ "NETWORK", "ADJACENT_NETWORK", "LOCAL", "PHYSICAL" ] 32 | }, 33 | "modifiedAttackVectorType": { 34 | "type": "string", 35 | "enum": [ "NETWORK", "ADJACENT_NETWORK", "LOCAL", "PHYSICAL", "NOT_DEFINED" ] 36 | }, 37 | "attackComplexityType": { 38 | "type": "string", 39 | "enum": [ "HIGH", "LOW" ] 40 | }, 41 | "modifiedAttackComplexityType": { 42 | "type": "string", 43 | "enum": [ "HIGH", "LOW", "NOT_DEFINED" ] 44 | }, 45 | "privilegesRequiredType": { 46 | "type": "string", 47 | "enum": [ "HIGH", "LOW", "NONE" ] 48 | }, 49 | "modifiedPrivilegesRequiredType": { 50 | "type": "string", 51 | "enum": [ "HIGH", "LOW", "NONE", "NOT_DEFINED" ] 52 | }, 53 | "userInteractionType": { 54 | "type": "string", 55 | "enum": [ "NONE", "REQUIRED" ] 56 | }, 57 | "modifiedUserInteractionType": { 58 | "type": "string", 59 | "enum": [ "NONE", "REQUIRED", "NOT_DEFINED" ] 60 | }, 61 | "scopeType": { 62 | "type": "string", 63 | "enum": [ "UNCHANGED", "CHANGED" ] 64 | }, 65 | "modifiedScopeType": { 66 | "type": "string", 67 | "enum": [ "UNCHANGED", "CHANGED", "NOT_DEFINED" ] 68 | }, 69 | "ciaType": { 70 | "type": "string", 71 | "enum": [ "NONE", "LOW", "HIGH" ] 72 | }, 73 | "modifiedCiaType": { 74 | "type": "string", 75 | "enum": [ "NONE", "LOW", "HIGH", "NOT_DEFINED" ] 76 | }, 77 | "exploitCodeMaturityType": { 78 | "type": "string", 79 | "enum": [ "UNPROVEN", "PROOF_OF_CONCEPT", "FUNCTIONAL", "HIGH", "NOT_DEFINED" ] 80 | }, 81 | "remediationLevelType": { 82 | "type": "string", 83 | "enum": [ "OFFICIAL_FIX", "TEMPORARY_FIX", "WORKAROUND", "UNAVAILABLE", "NOT_DEFINED" ] 84 | }, 85 | "confidenceType": { 86 | "type": "string", 87 | "enum": [ "UNKNOWN", "REASONABLE", 
"CONFIRMED", "NOT_DEFINED" ] 88 | }, 89 | "ciaRequirementType": { 90 | "type": "string", 91 | "enum": [ "LOW", "MEDIUM", "HIGH", "NOT_DEFINED" ] 92 | }, 93 | "scoreType": { 94 | "type": "number", 95 | "minimum": 0, 96 | "maximum": 10 97 | }, 98 | "severityType": { 99 | "type": "string", 100 | "enum": [ "NONE", "LOW", "MEDIUM", "HIGH", "CRITICAL" ] 101 | } 102 | }, 103 | "properties": { 104 | "version": { 105 | "description": "CVSS Version", 106 | "type": "string", 107 | "enum": [ "3.1" ] 108 | }, 109 | "vectorString": { 110 | "type": "string", 111 | "pattern": "^CVSS:3.1/((AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$" 112 | }, 113 | "attackVector": { "$ref": "#/definitions/attackVectorType" }, 114 | "attackComplexity": { "$ref": "#/definitions/attackComplexityType" }, 115 | "privilegesRequired": { "$ref": "#/definitions/privilegesRequiredType" }, 116 | "userInteraction": { "$ref": "#/definitions/userInteractionType" }, 117 | "scope": { "$ref": "#/definitions/scopeType" }, 118 | "confidentialityImpact": { "$ref": "#/definitions/ciaType" }, 119 | "integrityImpact": { "$ref": "#/definitions/ciaType" }, 120 | "availabilityImpact": { "$ref": "#/definitions/ciaType" }, 121 | "baseScore": { "$ref": "#/definitions/scoreType" }, 122 | "baseSeverity": { "$ref": "#/definitions/severityType" }, 123 | "exploitCodeMaturity": { "$ref": "#/definitions/exploitCodeMaturityType" }, 124 | "remediationLevel": { "$ref": "#/definitions/remediationLevelType" }, 125 | "reportConfidence": { "$ref": "#/definitions/confidenceType" }, 126 | "temporalScore": { "$ref": "#/definitions/scoreType" }, 127 | "temporalSeverity": { "$ref": "#/definitions/severityType" }, 128 | "confidentialityRequirement": { 
"$ref": "#/definitions/ciaRequirementType" }, 129 | "integrityRequirement": { "$ref": "#/definitions/ciaRequirementType" }, 130 | "availabilityRequirement": { "$ref": "#/definitions/ciaRequirementType" }, 131 | "modifiedAttackVector": { "$ref": "#/definitions/modifiedAttackVectorType" }, 132 | "modifiedAttackComplexity": { "$ref": "#/definitions/modifiedAttackComplexityType" }, 133 | "modifiedPrivilegesRequired": { "$ref": "#/definitions/modifiedPrivilegesRequiredType" }, 134 | "modifiedUserInteraction": { "$ref": "#/definitions/modifiedUserInteractionType" }, 135 | "modifiedScope": { "$ref": "#/definitions/modifiedScopeType" }, 136 | "modifiedConfidentialityImpact": { "$ref": "#/definitions/modifiedCiaType" }, 137 | "modifiedIntegrityImpact": { "$ref": "#/definitions/modifiedCiaType" }, 138 | "modifiedAvailabilityImpact": { "$ref": "#/definitions/modifiedCiaType" }, 139 | "environmentalScore": { "$ref": "#/definitions/scoreType" }, 140 | "environmentalSeverity": { "$ref": "#/definitions/severityType" } 141 | }, 142 | "required": [ "version", "vectorString", "baseScore", "baseSeverity" ] 143 | } 144 | -------------------------------------------------------------------------------- /schema/support/docs/css_override.css: -------------------------------------------------------------------------------- 1 | 2 | .examples, .highlight.jumbotron, .card-header { 3 | padding: 0rem !important; 4 | } 5 | .jumbotron { 6 | margin-bottom: 0px !important; 7 | } 8 | 9 | .badge { 10 | font-size: 80% !important; 11 | margin-bottom: 0px !important; 12 | } 13 | h2, h4, .h2, .h4 { 14 | font-size: 100% !important; 15 | } 16 | .btn.btn-link { 17 | font-size: 16px; 18 | } 19 | .property-name-button { 20 | padding: 0px 5px; 21 | } 22 | .btn.btn-primary { 23 | margin: 5px; 24 | } 25 | 26 | p { 27 | margin-bottom: 0px; 28 | } 29 | 30 | .list-group-item { 31 | padding: 3px 8px; 32 | } 33 | 34 | .pl-5, .card-body { 35 | padding-left: 0.5em !important; 36 | } 37 | 38 | #root h1:before { 39 | 
background: url("https://cve.mitre.org/images/cvelogobanner.png") no-repeat; 40 | background-size: contain; 41 | background-position-y: center; 42 | width: 120px; 43 | height: 30px; 44 | display: inline-block; 45 | content: ""; 46 | } 47 | 48 | span.description ~ p { 49 | display: inline-block; 50 | margin-right: 3px; 51 | } 52 | -------------------------------------------------------------------------------- /schema/support/docs/docs.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | cd ../../ 3 | sed 's/file\://g' CVE_JSON_5.1_schema.json > tmp.json | generate-schema-doc --minify tmp.json docs/index.html 4 | perl -pi -e 's//>/g' docs/index.html 5 | node support/schema2markmap/index.js tmp.json > 'docs/mindmap.html' 6 | node support/schema2markmap/schema-bundle.js tmp.json './docs/' 7 | rm tmp.json 8 | cat support/docs/css_override.css >> docs/schema_doc.css 9 | -------------------------------------------------------------------------------- /schema/support/qualityReport/README.md: -------------------------------------------------------------------------------- 1 | 2 | # CVE Quality Report Generator 3 | 4 | Eg., 5 | 6 | $ node report.js [path where CVE JSON records are kept] > report.html 7 | 8 | $ node report.js ~/Documents/GitHub/cvelistV5/cves > index.html 9 | -------------------------------------------------------------------------------- /schema/support/schema2markmap/index.js: -------------------------------------------------------------------------------- 1 | // Author: Chandan BN (c) 2021 2 | // (1) convert CVE JSON schema to a mindmap 3 | 4 | var ml = require('markmap-lib') 5 | var Transformer = ml.Transformer; 6 | var fillTemplate = ml.fillTemplate; 7 | var sw = require('@cloudflare/json-schema-walker'); 8 | var rp = require('json-schema-ref-parser'); 9 | var fold = ['metrics', 'cvssV3_1', 'cvssV3_0', 'cvssV2_0', 'supportingMedia', 10 | 'tags', 'impacts', 'configurations', 'workarounds', 'solutions', 
'exploits', 11 | 'timeline', 'credits', 'tags', 'taxonomyMappings', 'adp']; 12 | var symbol = { object: '', array: '[]', string: '', boolean: '☯', number: '', integer: '', undefined: '' }; 13 | const fs = require('fs'); 14 | var markmap = require('markmap-view'); 15 | const { Markmap, loadCSS, loadJS } = markmap; 16 | 17 | let forDeletion = ['properties', 'items', 'anyOf', 'allOf', 'oneOf']; 18 | 19 | var markdown = "# CVE JSON Record\n"; 20 | 21 | function postfunc(obj, path, parent, parentPath) { 22 | if (path[1] && isNaN(path[1])) { 23 | var depth = parentPath.filter(i => !forDeletion.includes(i)).length; 24 | var reqStart = ""; 25 | var reqEnd = ""; 26 | 27 | if (parent?.required?.includes(path[1])) { 28 | reqStart = ""; 29 | reqEnd = ""; 30 | } 31 | markdown += (" ".repeat(depth) 32 | + "* " + reqStart + path[1] + reqEnd 33 | + ' ' + (fold.includes(path[1]) ? '' : '') 34 | + symbol[obj.type] 35 | + (obj.examples ? 'e.g., `' + obj.examples[0] + '`' : '') 36 | + (obj.enum ? '`' + obj.enum.join('` `') + '`' : '')) 37 | + '\n'; 38 | } 39 | } 40 | 41 | async function schemaMindMap() { 42 | var cveSchema = await rp.dereference(process.argv[2]); 43 | markdown += "## Published \n"; 44 | sw.schemaWalk(cveSchema.oneOf[0], postfunc, null); 45 | 46 | markdown += "## Rejected \n"; 47 | sw.schemaWalk(cveSchema.oneOf[1], postfunc, null); 48 | 49 | const transformer = new Transformer(); 50 | 51 | // transform markdown 52 | const { root, features } = transformer.transform(markdown); 53 | 54 | // get assets required by used features 55 | var assets = transformer.getUsedAssets(features); 56 | 57 | // create mindmap html 58 | var html = fillTemplate(root, assets); 59 | html = html.replace('Markmap', 'CVE JSON v5 Mindmap'); 60 | console.log(html); 61 | } 62 | 63 | schemaMindMap(); 64 | -------------------------------------------------------------------------------- /schema/support/schema2markmap/package.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "name": "schema2markmap", 3 | "version": "1.0.0", 4 | "description": "Convert CVE JSON schema to a Mardkdown document suitable for use with Markmap.js", 5 | "main": "index.js", 6 | "scripts": { 7 | "test": "echo \"Error: no test specified\" && exit 1" 8 | }, 9 | "repository": { 10 | "type": "git", 11 | "url": "https://github.com/CVEProject/cve-schema/tree/master/schema/v5.0/support" 12 | }, 13 | "keywords": [ 14 | "JSON", 15 | "Schema", 16 | "Markdown", 17 | "Markmap" 18 | ], 19 | "author": "Chandan B.N.", 20 | "license": "CC0-1.0", 21 | "dependencies": { 22 | "@cloudflare/json-schema-walker": "^0.1.1", 23 | "json-schema-ref-parser": "^9.0.9", 24 | "markmap-lib": "^0.11.6", 25 | "markmap-view": "^0.2.6" 26 | } 27 | } 28 | -------------------------------------------------------------------------------- /schema/support/schema2markmap/schema-bundle.js: -------------------------------------------------------------------------------- 1 | // Author: Chandan BN (c) 2021 2 | // (2) creates a bundled schema 3 | const rp = require('json-schema-ref-parser'); 4 | const fs = require('fs'); 5 | 6 | const dirName = process.argv[3]; 7 | 8 | if(!dirName) { 9 | console.error('Please specify directory name'); 10 | process.exit(1); 11 | } 12 | 13 | async function schemaBundle() { 14 | var cveSchemaBundle = await rp.bundle(process.argv[2]); 15 | var metricProperties = cveSchemaBundle.definitions.metrics.items.properties; 16 | delete metricProperties.cvssV4_0.$id; 17 | delete metricProperties.cvssV3_1.id; 18 | delete metricProperties.cvssV3_0.id; 19 | delete metricProperties.cvssV2_0.id; 20 | delete metricProperties.cvssV4_0.license; 21 | delete metricProperties.cvssV3_1.license; 22 | delete metricProperties.cvssV3_0.license; 23 | delete metricProperties.cvssV2_0.license; 24 | 25 | 26 | fs.writeFile(`${dirName}/CVE_Record_Format_bundled.json`, 27 | JSON.stringify(cveSchemaBundle, null, 2), 28 | 
err => { 29 | if(err) 30 | throw err; 31 | else 32 | console.log('CVE_Record_Format_bundled.json created'); 33 | } 34 | ); 35 | 36 | for(let t of ['cnaPublishedContainer', 'cnaRejectedContainer', 'adpContainer']) { 37 | var subSchema = { 38 | "$schema": "http://json-schema.org/draft-07/schema#", 39 | "$id": `https://cveproject.github.io/cve-schema/schema/docs/CVE_Record_Format_bundled_${t}.json`, 40 | "title": `CVE Record Format ${t} sub schema`, 41 | "description": `CVE Record Format ${t} format`, 42 | "definitions": cveSchemaBundle.definitions, 43 | "properties": { 44 | }, 45 | "additionalProperties": false 46 | } 47 | subSchema.properties[t.replace(/Published|Rejected/,'')] = { 48 | "$ref": `#/definitions/${t}` 49 | } 50 | 51 | fs.writeFile(`${dirName}/CVE_Record_Format_bundled_${t}.json`, 52 | JSON.stringify(subSchema, null, 2), 53 | err => { 54 | if(err) 55 | throw err; 56 | else 57 | console.log(`CVE_Record_Format_bundled_${t}.json created`); 58 | } 59 | ); 60 | } 61 | } 62 | 63 | schemaBundle(); 64 | -------------------------------------------------------------------------------- /schema/support/tests/README.md: -------------------------------------------------------------------------------- 1 | # All records in the valid directory must validate: 2 | 3 | $ node ../Node_Validator/validate.js valid/*.json 4 | 5 | ... 6 | Summary: All files PASSED validation. 7 | 8 | # All records in the invalid directory must fail to validate: 9 | 10 | $ node ../Node_Validator/validate.js invalid/*.json 11 | 12 | .... 13 | Summary: Validation FAILED for 5 out of 5 files! 
14 | -------------------------------------------------------------------------------- /schema/tags/adp-tags.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "http://json-schema.org/draft-07/schema#", 3 | "$id": "https://cve.mitre.org/cve/v5_00/tags/adp/", 4 | "type": "string", 5 | "description": "disputed: When one party disagrees with another party's assertion that a particular issue in software is a vulnerability, a CVE Record assigned to that issue may be tagged as being 'disputed'.", 6 | "enum": ["disputed"] 7 | } 8 | -------------------------------------------------------------------------------- /schema/tags/cna-tags.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "http://json-schema.org/draft-07/schema#", 3 | "$id": "https://cve.mitre.org/cve/v5_00/tags/cna/", 4 | "type": "string", 5 | "description": "exclusively-hosted-service: All known software and/or hardware affected by this CVE Record is known to exist only in the affected hosted service. If the vulnerability affects both hosted and on-prem software and/or hardware, then the tag should not be used.\n\nunsupported-when-assigned: Used by the assigning CNA to indicate that when a request for a CVE assignment was received, the product was already end-of-life (EOL) or a product or specific version was deemed not to be supported by the vendor. 
This tag should only be applied to a CVE Record when all affected products or version lines referenced in the CVE-Record are EOL.\n\ndisputed: When one party disagrees with another party's assertion that a particular issue in software is a vulnerability, a CVE Record assigned to that issue may be tagged as being 'disputed'.", 6 | "enum": ["unsupported-when-assigned", "exclusively-hosted-service", "disputed"] 7 | } 8 | -------------------------------------------------------------------------------- /schema/tags/reference-tags.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "http://json-schema.org/draft-07/schema#", 3 | "$id": "https://cve.mitre.org/cve/v5_00/tags/reference/", 4 | "type": "string", 5 | "description": "broken-link: The reference link is returning a 404 error, or the site is no longer online.\n\ncustomer-entitlement: Similar to Privileges Required, but specific to references that require non-public/paid access for customers of the particular vendor.\n\nexploit: Reference contains an in-depth/detailed description of steps to exploit a vulnerability OR the reference contains any legitimate Proof of Concept (PoC) code or exploit kit.\n\ngovernment-resource: All reference links that are from a government agency or organization should be given the Government Resource tag.\n\nissue-tracking: The reference is a post from a bug tracking tool such as MantisBT, Bugzilla, JIRA, Github Issues, etc...\n\nmailing-list: The reference is from a mailing list -- often specific to a product or vendor.\n\nmitigation: The reference contains information on steps to mitigate against the vulnerability in the event a patch can't be applied or is unavailable or for EOL product situations.\n\nnot-applicable: The reference link is not applicable to the vulnerability and was likely associated by MITRE accidentally (should be used sparingly).\n\npatch: The reference contains an update to the software that fixes the 
vulnerability.\n\npermissions-required: The reference link provided is blocked by a logon page. If credentials are required to see any information this tag must be applied.\n\nmedia-coverage: The reference is from a media outlet such as a newspaper, magazine, social media, or weblog. This tag is not intended to apply to any individual's personal social media account. It is strictly intended for public media entities.\n\nproduct: A reference appropriate for describing a product for the purpose of CPE or SWID.\n\nrelated: A reference that is for a related (but not the same) vulnerability.\n\nrelease-notes: The reference is in the format of a vendor or open source project's release notes or change log.\n\nsignature: The reference contains a method to detect or prevent the presence or exploitation of the vulnerability.\n\ntechnical-description: The reference contains in-depth technical information about a vulnerability and its exploitation process, typically in the form of a presentation or whitepaper.\n\nthird-party-advisory: Advisory is from an organization that is not the vulnerable product's vendor/publisher/maintainer.\n\nvendor-advisory: Advisory is from the vendor/publisher/maintainer of the product or the parent organization.\n\nvdb-entry: VDBs are loosely defined as sites that provide information about this vulnerability, such as advisories, with identifiers. Included VDBs are free to access, substantially public, and have broad scope and coverage (not limited to a single vendor or research organization). 
See: https://www.first.org/global/sigs/vrdx/vdb-catalog", 6 | "enum": [ 7 | "broken-link", 8 | "customer-entitlement", 9 | "exploit", 10 | "government-resource", 11 | "issue-tracking", 12 | "mailing-list", 13 | "mitigation", 14 | "not-applicable", 15 | "patch", 16 | "permissions-required", 17 | "media-coverage", 18 | "product", 19 | "related", 20 | "release-notes", 21 | "signature", 22 | "technical-description", 23 | "third-party-advisory", 24 | "vendor-advisory", 25 | "vdb-entry" 26 | ] 27 | } -------------------------------------------------------------------------------- /tools/McAfee PSIRT Assigned CVEs Spreadsheet - 22 Dec 2016.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CVEProject/cve-schema/a29f28e5d48383cc5e179f9c6655ac49e8ffe1f9/tools/McAfee PSIRT Assigned CVEs Spreadsheet - 22 Dec 2016.xlsx -------------------------------------------------------------------------------- /tools/cmdlinejsonvalidator.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | ################################################################################### 4 | ###################### Python Script to validate JSON file ######################## 5 | ################################################################################### 6 | 7 | ### Usage ### 8 | 9 | # To run this script you must have the following: 10 | # Python 2.7 11 | # Python modules json and jsonschema installed on your machine. 12 | 13 | # Simply run following command in terminal to validate json file against schema: 14 | 15 | # ./cmdlinejsonvalidator.py example.json jsonschema.json 16 | 17 | # Where example will be the name of your JSON file and jsonschema is the schema 18 | # you wish to compare the json file against. 
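# ***NOTE***
# If you do not place the script in same directory as the jsonschema file and
# json file you will need to use absolute/relative path names to the files as
# your arguments.
#
# Exit status: 0 when the record validates, 1 when the record cannot be parsed
# or fails validation, so the script can gate an automated pipeline.

###################################################################################
###################################################################################
import sys
import json
import jsonschema
from jsonschema import validate
from jsonschema import Draft4Validator


def jsonvalidation(json_doc_path, json_schema_path):
    """Validate one JSON document against a JSON Schema file.

    Args:
        json_doc_path: path of the JSON document to check.
        json_schema_path: path of the JSON Schema to check it against.

    Returns:
        True when the document validates, False when it does not. Each
        validation error message is written to stderr.

    Raises:
        SystemExit: with status 1 when the document is not parseable JSON.
            Errors opening either file, or parsing the schema file,
            propagate unchanged.
    """
    with open(json_schema_path, 'r') as fp:
        schema_doc = json.load(fp)

    # Open the file for reading
    with open(json_doc_path, 'r') as fp:
        try:
            json_doc = json.load(fp)
        except ValueError as err:
            sys.stderr.write("Failed to parse JSON : \n")
            sys.stderr.write(" " + str(err) + "\n")
            # A bare SystemExit exits with status 0, which a calling script
            # reads as success; carry the failure in the exit status.
            raise SystemExit(1)

    try:
        validate(json_doc, schema_doc)
    except jsonschema.exceptions.ValidationError:
        # validate() chooses its validator class from the schema itself; list
        # the errors with that same class so the report cannot disagree with
        # the pass/fail decision (a fixed Draft 4 validator could).
        validator_cls = jsonschema.validators.validator_for(schema_doc)
        errors = sorted(
            validator_cls(schema_doc).iter_errors(json_doc),
            # Path parts mix str keys and int indexes; compare them as text.
            key=lambda e: [str(part) for part in e.path])
        for error in errors:
            sys.stderr.write("Record did not pass: \n")
            sys.stderr.write(str(error.message) + "\n")
        return False

    sys.stdout.write("Record passed validation \n")
    return True


def main():
    """Parse the command line, validate the document and set the exit status."""
    import argparse

    parser = argparse.ArgumentParser(description='validate a JSON file')
    parser.add_argument('jsondoc', type=str, help='path/to/doc.json')
    parser.add_argument('schema', type=str, help='path/to/schema.json')
    args = parser.parse_args()

    # A record that fails validation must not look like success to the shell.
    if not jsonvalidation(args.jsondoc, args.schema):
        raise SystemExit(1)


if __name__ == '__main__':
    main()
-------------------------------------------------------------------------------- /tools/cna-assignment-info-to-json.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl -w 2 | # 3 | 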
Convert CNA assignment information in CSV or flat file format to JSON. 4 | # 5 | # Copyright (C) The MITRE Corporation. 6 | 7 | 8 | ###################################################################### 9 | use strict; 10 | use Getopt::Long; 11 | use JSON::XS; 12 | use Text::CSV_XS; 13 | 14 | 15 | 16 | ###################################################################### 17 | # Initialize variables. 18 | $| = 1; 19 | 20 | my $cve_pat = qr/CVE-[12]\d{3}-\d{4,}/; 21 | 22 | my $data_version = "4.0"; 23 | my @supported_data_versions = ( 24 | $data_version, 25 | ); 26 | 27 | # Set the assigner and vendor, then remove the "die" line below. 28 | die "\$assigner and \$vendor variables need to be configured!"; 29 | my $assigner = '*** unspecified ***'; # e-mail address for the security PoC. 30 | my $vendor = '*** unspecified ***'; # vendor name. 31 | 32 | 33 | ###################################################################### 34 | # Process commandline arguments. 35 | my %options = ( 36 | 'spec' => \$data_version, 37 | ); 38 | Getopt::Long::Configure('bundling'); 39 | GetOptions( 40 | \%options, 41 | "help|h|?!", 42 | "files|f!", 43 | "spec|s=s", 44 | "vendor|v=s", 45 | ) or $options{help} = 1; 46 | $0 =~ s/^.+\///; 47 | if ($options{help} or @ARGV > 0) 48 | { 49 | warn "\n" . 50 | "Usage: $0 [options]\n" . 51 | "\n" . 52 | "Converts CVE assignment information from STDIN to JSON.\n" . 53 | "\n" . 54 | "Options :\n" . 55 | " -?, -h, --help Display this help and exit.\n" . 56 | " -f, --files Write output to individual files instead of to STDOUT.\n" . 57 | " -s, --spec Output JSON that conforms to specified specification (defaults to $data_version).\n" . 58 | " -v, --vendor Use as the specified vendor instead of '$vendor'.\n"; 59 | exit 1; 60 | } 61 | 62 | $vendor = $options{vendor} if (exists $options{vendor}); 63 | 64 | 65 | 66 | ###################################################################### 67 | # Process input. 
68 | my $json = new JSON::XS; 69 | my @data; 70 | 71 | my $csv = Text::CSV_XS->new({ binary => 1, allow_whitespace => 1 }); 72 | my $contents = do { local $/; <> }; 73 | 74 | my @lines = split(/\n/, $contents); 75 | my $input_fmt = ($lines[0] =~ /^\s*\[CVEID\]/ ? "multi-line" : "csv"); 76 | 77 | my $l = 0; 78 | while (@lines) 79 | { 80 | my $line = shift @lines; 81 | $l++; 82 | 83 | next unless $line =~ /\S/; 84 | 85 | my($id, $product, $version, $problem_type, @urls, $description); 86 | 87 | if ($input_fmt eq "csv") 88 | { 89 | unless ($csv->parse($line)) 90 | { 91 | warn "Failed to parse line $l - " . $csv->error_input() . "\n"; 92 | next; 93 | } 94 | my @fields = $csv->fields(); 95 | unless (@fields == 6) 96 | { 97 | warn "Unexpected number of fields in line $l!\n"; 98 | next; 99 | } 100 | $id = $fields[0]; 101 | $product = $fields[1]; 102 | $version = $fields[2]; 103 | $problem_type = $fields[3]; 104 | push(@urls, split(/\s+/, $fields[4])); 105 | $description = $fields[5]; 106 | } 107 | else 108 | { 109 | die "*** Invalid content in line $l ($line)! ***\n" unless ($line =~ /^\s*\[CVEID\]\s*:\s*(.+?)\s*$/); 110 | $id = $1; 111 | 112 | $line = shift @lines or die "*** Incomplete entry for $id at line $l! ***\n"; 113 | $l++; 114 | die "*** Invalid content in line $l ($line)! ***\n" unless ($line =~ /^\s*\[PRODUCT\]\s*:\s*(.+?)\s*$/); 115 | $product = $1; 116 | 117 | $line = shift @lines or die "*** Incomplete entry for $id at line $l! ***\n"; 118 | $l++; 119 | die "*** Invalid content in line $l ($line)! ***\n" unless ($line =~ /^\s*\[VERSION\]\s*:\s*(.+?)\s*$/); 120 | $version = $1; 121 | 122 | $line = shift @lines or die "*** Incomplete entry for $id at line $l! ***\n"; 123 | $l++; 124 | die "*** Invalid content in line $l ($line)! ***\n" unless ($line =~ /^\s*\[PROBLEMTYPE\]\s*:\s*(.+?)\s*$/); 125 | $problem_type = $1; 126 | 127 | $line = shift @lines or die "*** Incomplete entry for $id at line $l! 
***\n"; 128 | $l++; 129 | die "*** Invalid content in line $l ($line)! ***\n" unless ($line =~ /^\s*\[REFERENCES\]\s*:\s*(.+?)\s*$/); 130 | @urls = split(/\s+/, $1); 131 | 132 | $line = shift @lines or die "*** Incomplete entry for $id at line $l! ***\n"; 133 | $l++; 134 | die "*** Invalid content in line $l ($line)! ***\n" unless ($line =~ /^\s*\[DESCRIPTION\]\s*:\s*(.+?)\s*$/); 135 | $description = $1; 136 | } 137 | $id =~ s/^\s+|\s+$//g; 138 | $product =~ s/^\s+|\s+$//g; 139 | $version =~ s/^\s+|\s+$//g; 140 | $problem_type =~ s/^\s+|\s+$//g; 141 | $description =~ s/^\s+|\s+$//g; 142 | 143 | unless ($id =~ /^$cve_pat$/) 144 | { 145 | warn "ignored - '$id' is not a valid CVE id.\n"; 146 | next; 147 | } 148 | 149 | my $datum; 150 | if ($data_version == "4.0") 151 | { 152 | $datum->{data_type} = "CVE"; 153 | $datum->{data_format} = "MITRE"; 154 | $datum->{data_version} = $data_version; 155 | $datum->{CVE_data_meta} = { 156 | 'ID' => $id, 157 | }; 158 | 159 | $datum->{problemtype} = { 160 | "problemtype_data" => [ 161 | { 162 | "description" => [ 163 | { 164 | "lang" => "eng", 165 | "value" => "$problem_type", 166 | }, 167 | ], 168 | }, 169 | ], 170 | }; 171 | 172 | my @version_objs; 173 | foreach my $v (split /\s*;\s*/, $version) 174 | { 175 | $v =~ s/^\s*and\s+(\S)/$1/; 176 | $v =~ s/^\s+|\s+$//g; 177 | push(@version_objs, { "version_value" => $v }); 178 | } 179 | 180 | $datum->{affects} = { 181 | "vendor" => { 182 | "vendor_data" => [ 183 | { 184 | "vendor_name" => "$vendor", 185 | "product" => { 186 | "product_data" => [ 187 | { 188 | "product_name" => "$product", 189 | "version" => { 190 | "version_data" => [ 191 | @version_objs 192 | ], 193 | }, 194 | }, 195 | ], 196 | }, 197 | }, 198 | ], 199 | }, 200 | }; 201 | 202 | $datum->{CVE_data_meta}->{ASSIGNER} = $assigner; 203 | 204 | $datum->{CVE_data_meta}->{STATE} = "PUBLIC"; 205 | 206 | $datum->{description} = { 207 | 'description_data' => [ 208 | { 209 | "value" => $description, 210 | "lang" => "eng", 211 | } 
212 | ], 213 | }; 214 | 215 | foreach my $url (@urls) 216 | { 217 | my $ref_obj = { 218 | "url" => $url, 219 | }; 220 | push(@{$datum->{references}->{reference_data}}, $ref_obj); 221 | } 222 | } 223 | 224 | if ($options{files}) 225 | { 226 | my $file = $id . ".json"; 227 | my $fh; 228 | unless (open $fh, ">:encoding(UTF-8)", "$file") 229 | { 230 | warn "Failed to write to '$file' - $!\n"; 231 | next; 232 | } 233 | print $fh $json->canonical(1)->pretty(1)->encode($datum); 234 | close($fh); 235 | } 236 | else 237 | { 238 | push(@data, $datum); 239 | } 240 | } 241 | print $json->canonical(1)->pretty(1)->encode(\@data) unless $options{files}; 242 | 243 | -------------------------------------------------------------------------------- /tools/mitre-cna-assignment-info.js: -------------------------------------------------------------------------------- 1 | // 2 | // Runs an HTTP server to prompt for CVE assignment information and 3 | // outputs that in a format for submission to MITRE. 4 | // 5 | 6 | var listen_on = 38103; 7 | var output_format = 'json40'; 8 | var state = 'PUBLIC'; 9 | 10 | var title = 'CVE CNA Assignment Information Form'; 11 | var instructions = 'Use this form to enter CNA assignment information for an single id to be submitted to MITRE. 
Note that the form does not have support for multiple vendors, products, versions, or references.'; 12 | 13 | var header = '' + '\n' + 14 | '' + '\n' + 15 | '' + title + '' + '\n' + 16 | '' + '\n'; 17 | var footer = '' + '\n'; 18 | 19 | var http = require('http'); 20 | var qs = require('querystring'); 21 | 22 | 23 | var server = http.createServer(function(request, response) { 24 | var headers = request.headers; 25 | var method = request.method; 26 | var url = request.url; 27 | var body = []; 28 | request.on('error', function(err) { 29 | console.error(err); 30 | }).on('data', function(chunk) { 31 | body.push(chunk); 32 | }).on('end', function() { 33 | body = Buffer.concat(body).toString(); 34 | 35 | if (method.toLowerCase() == 'get') { 36 | body = '' + '\n' + 37 | '

    ' + instructions + '

    ' + '\n' + 38 | '\n' + 39 | '
    ' + '\n' + 40 | '' + '\n' + 41 | '' + '\n' + 42 | '' + '\n' + 43 | '' + '\n' + 44 | '' + '\n' + 45 | '' + '\n' + 46 | '' + '\n' + 47 | '' + '\n' + 48 | '' + '\n' + 49 | '' + '\n' + 50 | '' + '\n' + 52 | '' + '\n' + 53 | '' + '\n' + 54 | '
    CNA :
    CVE id :
    Vendor :
    Assigner : (e-mail address)
    Product(s) :
    Version(s) :
    Problem type :
    References :
    Description :
    Format : json-4.0 ' + 51 | 'flat
     
     
    ' + '\n' + 55 | '
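    ' + '\n' +
      '';
    }
    else if (method.toLowerCase() == 'post') {
      var post = qs.parse(body);

      // qs.parse() returns an array when a field name is repeated in the
      // request body. Keep the first value so the string checks below
      // cannot throw on a malformed request.
      Object.keys(post).forEach(function(name) {
        if (Array.isArray(post[name])) {
          post[name] = post[name][0];
        }
      });

      // The messages collected in errs are written into the text/html
      // response, so any submitted value quoted in a message is
      // HTML-escaped first.
      var escapeHtml = function(text) {
        return String(text)
          .replace(/&/g, '&amp;')
          .replace(/</g, '&lt;')
          .replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;')
          .replace(/'/g, '&#39;');
      };

      var errs = [];

      // Validate submitted data.
      if (!post['id']) {
        errs.push("The CVE id is required!");
      }
      else if (!post['id'].match(/^CVE-\d{4}-\d{4,}$/)) {
        errs.push("'" + escapeHtml(post['id']) + "' is not a valid CVE id!");
      }
      if (!post['vendor']) {
        errs.push("The vendor name is required!");
      }
      if (!post['assigner']) {
        errs.push("The assigner e-mail is required!");
      }
      else if (!post['assigner'].match(/^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$/)) {
        errs.push("'" + escapeHtml(post['assigner']) + "' does not look like an e-mail address!");
      }
      if (!post['product']) {
        errs.push("Product name information is required!");
      }
      if (!post['version']) {
        errs.push("Product version information is required!");
      }
      if (!post['problem_type']) {
        errs.push("Problem type information is required!");
      }
      if (!post['references']) {
        errs.push("At least one reference is required!");
      }
      else {
        if (!post['references'].match(/^(ftp|http)s?:\/\/[^\/]+(\/\S+)?$/)) {
          errs.push("'" + escapeHtml(post['references']) + "' is not a valid reference!");
        }
      }
      if (!post['description']) {
        errs.push("A description is required!");
      }

      // Accept only the two formats the form offers. A missing or unknown
      // value falls back to the script's default, JSON 4.0, instead of
      // leaving output_format set to arbitrary request data.
      output_format = (post['format'] == 'flat') ? 'flat' : 'json40';

      if (errs.length == 0) {
        body = '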

    Now submit the following information to MITRE via either the CVE request form or an e-mail to cve@mitre.org.

    ' + '\n' + 104 | '\n' + 105 | '
    ' + '\n';
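    // `post` holds untrusted form input and `body` is served as text/html,
    // so everything echoed back here is HTML-escaped before it is appended.
    // The browser still renders the original characters, so text copied
    // from the page is unchanged.
    var escapeHtml = function(text) {
      return String(text)
        .replace(/&/g, '&amp;')
        .replace(/</g, '&lt;')
        .replace(/>/g, '&gt;')
        .replace(/"/g, '&quot;')
        .replace(/'/g, '&#39;');
    };

    if (output_format == 'json40') {
      var json40 = {
        data_type: 'CVE',
        data_format: 'MITRE',
        data_version: '4.0',
        // ASSIGNER, ID and STATE sit directly under CVE_data_meta, the same
        // layout the Perl converter in this repository emits. The earlier
        // code nested a second CVE_data_meta object inside the first.
        CVE_data_meta: {
          ASSIGNER: post['assigner'],
          ID: post['id'],
          STATE: state
        },
        affects: {
          vendor: {
            vendor_data: [
              {
                vendor_name: post['vendor'],
                product: {
                  product_data: [
                    {
                      product_name: post['product'],
                      version: {
                        version_data: [
                          { "version_value": post['version'] }
                        ]
                      }
                    }
                  ]
                }
              }
            ]
          }
        },
        problemtype: {
          problemtype_data: [
            {
              description: [
                {
                  lang: "eng",
                  value: post['problem_type']
                }
              ]
            }
          ]
        },
        references: {
          reference_data: [
            {
              url: post['references']
            }
          ]
        },
        description: {
          description_data: [
            {
              lang: "eng",
              // Normalise CRLF / CR line endings from the textarea to LF.
              value: String(post['description']).replace(/(?:\r\n|\r)/g, '\n')
            }
          ]
        }
      };

      // Serialise the record itself. `{ json40 }` is shorthand for
      // `{ json40: json40 }` and wrapped the record in an extra "json40" key.
      body += escapeHtml(JSON.stringify(json40, null, 2));
    }
    else if (output_format == 'flat') {
      var flat =
        '[CVEID]:' + post['id'] + '\n' +
        '[PRODUCT]:' + post['vendor'] + ' ' + post['product'] + '\n' +
        '[VERSION]:' + post['version'] + '\n' +
        '[PROBLEMTYPE]:' + post['problem_type'] + '\n' +
        '[REFERENCES]:' + post['references'] + '\n' +
        '[DESCRIPTION]:' + post['description'] + '\n';
      if (post['cna']) {
        flat += '[ASSIGNINGCNA]:' + post['cna'] + '\n';
      }
      body += escapeHtml(flat);
    }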
    182 |         body += '
    ' + '\n' 183 | 184 | if (output_format == 'json40') { 185 | body += '

    Note: The JSON 4.0 specification is still in draft.' + '\n'; 186 | } 187 | } 188 | else { 189 | body = '

    The following error(s) must be addressed:

    ' + '\n' + 190 | '
      ' + '\n'; 191 | errs.forEach(function(item, index) { 192 | body += '
    • ' + item + '
    • ' + '\n'; 193 | }); 194 | body += '
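    ' + '\n';
        }
      }
      // Declared locally: the bare assignment created an implicit global
      // shared by every request.
      var data = header + '\n' + body + '\n' + footer;
      response.writeHead(200, {
        'Content-Type': 'text/html; charset=utf-8',
        // Content-Length counts bytes, not characters. data.length is too
        // small as soon as a submitted field holds a non-ASCII character,
        // which truncates the page.
        'Content-Length': Buffer.byteLength(data)
      });
      // end() sends the payload and finishes the response; write() alone
      // never signalled completion.
      response.end(data);
    })
    });


    // Bound to the loopback interface only, so the form is not reachable
    // from other hosts.
    server.listen(listen_on, 'localhost');
    console.log("server listening on localhost:" + listen_on + ".");
    --------------------------------------------------------------------------------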