From c50a13683dc2d76e233610edb1f1b322bf636796 Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Mon, 9 Dec 2024 13:33:06 -0800 Subject: [PATCH 01/63] Add a formal semver 2.0.0 version type First crack at adding a formal version type in response to https://github.com/CVEProject/cve-schema/issues/362#issuecomment-2529000807 Any others which are agreed upon should be spun up in their own PRs so that conversations in the PRs can be kept on topic Happy to expand this if people think the full semver spec should be in this repo as well. I went back and forth on that. --- schema/docs/versions.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/schema/docs/versions.md b/schema/docs/versions.md index e87a6a26a17..e0b31f51a54 100644 --- a/schema/docs/versions.md +++ b/schema/docs/versions.md 
@@ -288,6 +288,27 @@ Now that we know how to encode version objects, that would be written as: } ] +### Version Types + +#### Semantic versioning 2.0.0 +Type identifier: `semver-2.0.0` +Formally specified here at https://semver.org/spec/v2.0.0.html +`semver-2.0.0` is new type introduced to formally specify usage of semantic versioning. +--- +`semver-2.0.0` in its simplest form is a dot separated triple. eg `1.2.3`. The three parts have names with the first being the `MAJOR`, the second being `MINOR` and the third `PATCH`. The [Semantic](https://en.wikipedia.org/wiki/Semantics) meaning of each is described as +1. MAJOR version when you make incompatible API changes +2. MINOR version when you add functionality in a backward compatible manner +3. PATCH version when you make backward compatible bug fixes +This triple can be extended with either a `-` or a `+` or with both for `pre-release` and `build` identifiers. +The triple can only be populated with non-negative integers and must not contain leading zeros. +Ordering of the triple is determined by the first difference when comparing each of these identifiers from left to right as follows: Major, minor, and patch versions are always compared numerically. +Full ordering for pre-releases and builds are described in the semver document [here](https://semver.org/spec/v2.0.0.html#spec-item-11). +While the triple can only contain numeric values the `pre-release` and `build` are free to be alpha numeric. +A complete definition of this version type can be viewed here +https://semver.org/spec/v2.0.0.html#backusnaur-form-grammar-for-valid-semver-versions + + + ## Version Status Changes As presented in the previous section, From bec099b4925e97bd81b3d91fc8377833ac743ce7 Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Wed, 22 Jan 2025 13:23:22 -0800 Subject: [PATCH 02/63] Add an example for discussion --- schema/docs/versions.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) 
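Review bot: the new `#### Semantic versioning 2.0.0` section omits the one precedence rule that matters for range bounds: spec item 10 says build metadata MUST be ignored when determining precedence, so `1.2.3+build17` and `1.2.3` are the same point on the version line, and the sentence `Full ordering for pre-releases and builds are described in the semver document` wrongly implies that builds are ordered at all. State that rule here, together with item 11's rule that a pre-release has lower precedence than its associated normal version, because both decide what a bound actually covers. Smaller points in the same hunk: `is new type introduced` should read `is a new type introduced`; the Wikipedia link on `Semantic` adds nothing the spec link does not; and the lines after the `####` heading have no blank line between them, so `Type identifier`, `Formally specified` and the `is new type` sentence render as one run-on paragraph.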
diff --git a/schema/docs/versions.md b/schema/docs/versions.md index e0b31f51a54..376542d0ef6 100644 --- a/schema/docs/versions.md +++ b/schema/docs/versions.md @@ -291,6 +291,7 @@ Now that we know how to encode version objects, that would be written as: ### Version Types #### Semantic versioning 2.0.0 + Type identifier: `semver-2.0.0` Formally specified here at https://semver.org/spec/v2.0.0.html `semver-2.0.0` is new type introduced to formally specify usage of semantic versioning. @@ -307,6 +308,23 @@ While the triple can only contain numeric values the `pre-release` and `build` a A complete definition of this version type can be viewed here https://semver.org/spec/v2.0.0.html#backusnaur-form-grammar-for-valid-semver-versions +##### Example + +``` +"affected": [ + { + "vendor": "Example.org", + "product": "Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "lowerBound": "1.2.3-alpha", + "upperBound": "2.3.4+build17" + } + ], + } + ], +``` ## Version Status Changes From 20f9b39bea8a9c8eb4f63a39e9cb0ac1170ca378 Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Wed, 22 Jan 2025 13:30:14 -0800 Subject: [PATCH 03/63] Add some text for the parameters and remove markdown horizontal break --- schema/docs/versions.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/schema/docs/versions.md b/schema/docs/versions.md index 376542d0ef6..e43a3559f3e 100644 --- a/schema/docs/versions.md +++ b/schema/docs/versions.md 
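Review bot: the `##### Example` block is not valid JSON as written: `],` after the `versions` array is followed directly by `}`, so the trailing comma fails any strict parser, and the fragment opens at `"affected": [` with no enclosing object. It also carries no `status`, which every other version object in this document has, and `lowerBound`/`upperBound` do not say whether the endpoints are inside the range. Either make the example a complete, parseable `affected` array with a `status`, or label the fence as illustrative rather than literal JSON.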
@@ -295,7 +295,7 @@ Now that we know how to encode version objects, that would be written as: Type identifier: `semver-2.0.0` Formally specified here at https://semver.org/spec/v2.0.0.html `semver-2.0.0` is new type introduced to formally specify usage of semantic versioning. ---- + `semver-2.0.0` in its simplest form is a dot separated triple. eg `1.2.3`. The three parts have names with the first being the `MAJOR`, the second being `MINOR` and the third `PATCH`. The [Semantic](https://en.wikipedia.org/wiki/Semantics) meaning of each is described as 1. MAJOR version when you make incompatible API changes 2. MINOR version when you add functionality in a backward compatible manner @@ -308,6 +308,8 @@ While the triple can only contain numeric values the `pre-release` and `build` a A complete definition of this version type can be viewed here https://semver.org/spec/v2.0.0.html#backusnaur-form-grammar-for-valid-semver-versions +In the interest of simplicity the `semver-2.0.0` version type has two parameters which define a continuous range. `lowerBound` and `upperBound` each must be a valid semver triple with optional pre-release/build extensions. + ##### Example ``` From e637776f78c5fca15314e54e032fbf21b55626f8 Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Thu, 30 Jan 2025 10:11:51 -0800 Subject: [PATCH 04/63] Expand example to show inclusive/exclusive bounds and single version `exactly` --- schema/docs/versions.md | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/schema/docs/versions.md b/schema/docs/versions.md index e43a3559f3e..4d336101132 100644 --- a/schema/docs/versions.md +++ b/schema/docs/versions.md 
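Review bot: `two parameters which define a continuous range` leaves unanswered the two questions a CNA will actually ask: are the endpoints inside the range, and may one of the two be omitted. Say explicitly whether `lowerBound`/`upperBound` are inclusive (or split them into inclusive and exclusive variants, as the following patch does) and whether a one-sided range is permitted; `each must be a valid semver triple with optional pre-release/build extensions` is fine as a syntax statement but should point at the precedence rules above so readers do not expect a `+build` suffix to narrow a bound.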
@@ -320,8 +320,21 @@ In the interest of simplicity the `semver-2.0.0` version type has two parameters "versions": [ { "versionType": "semver-2.0.0", - "lowerBound": "1.2.3-alpha", - "upperBound": "2.3.4+build17" + "inclusiveLowerBound": "1.2.3-alpha", + "exclusiveUpperBound": "2.3.4+build17" + } + { + "versionType": "semver-2.0.0", + "exclusiveLowerBound": "3.4.5-beta", + "inclusiveUpperBound": "4.5.6+assembly88" + } + { + "versionType": "semver-2.0.0", + "exactly": "5.6.7-gamma", + } + { + "versionType": "semver-2.0.0", + "exactly": "6.7.8-delta", } ], } From fffd0cdc586d26f918a9d94c3b4ec2bd95a2359e Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Thu, 30 Jan 2025 15:50:56 -0800 Subject: [PATCH 05/63] Add explainer --- schema/docs/versions.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/schema/docs/versions.md b/schema/docs/versions.md index 4d336101132..027b185f0c5 100644 --- a/schema/docs/versions.md +++ b/schema/docs/versions.md @@ -341,6 +341,10 @@ In the interest of simplicity the `semver-2.0.0` version type has two parameters ], ``` +#### Explainer + +A `semver-2.0.0` version is expressed as either a range or as a single exact version. Chaining multiple `semver-2.0.0` versions can be done to express more complex ranges. A `semver-2.0.0` range must begin with a lower bound which is followed by an upper bound. Each bound may be either inclusive or exclusive. These terms map as `exclusiveUpperBound` to `<`, `inclusiveUpperBound` to `<=`, `exclusiveLowerBound` to `>`, `inclusiveLowerBound` to `>=` and `exactly` to `=`. Thus the first example above could be rewritten as `>= 1.2.3-alpha, < 2.3.4+build17`. + ## Version Status Changes From 16680d277522c03da4105a4720598c0bb78be821 Mon Sep 17 00:00:00 2001 
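Review bot: the expanded example is still not parseable JSON: the version objects are juxtaposed (`}` followed by `{`) with no separating commas, and `"exactly": "5.6.7-gamma",` and `"exactly": "6.7.8-delta",` carry trailing commas. The `#### Explainer` then builds its worked reading on a misleading bound: because build metadata has no precedence, `< 2.3.4+build17` means `< 2.3.4`, so `2.3.4` and `2.3.4+build16` are excluded even though a reader will assume only builds from 17 onward are. Use a plain `2.3.4` upper bound in the illustration, and add one sentence noting that a pre-release sorts before its release (`1.2.3-alpha < 1.2.3`), which is exactly why `>= 1.2.3-alpha` catches the pre-releases of 1.2.3 while `>= 1.2.3` does not.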
From: Jon Moroney Date: Wed, 19 Feb 2025 12:59:33 -0800 Subject: [PATCH 06/63] Add examples of single sided ranges. ex < 1.0.0 or >= 9.0.0 to allow for the expressions of "everything under X" or "everything over Y" --- schema/docs/versions.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/schema/docs/versions.md b/schema/docs/versions.md index 027b185f0c5..eade1b04224 100644 --- a/schema/docs/versions.md +++ b/schema/docs/versions.md @@ -336,6 +336,14 @@ In the interest of simplicity the `semver-2.0.0` version type has two parameters "versionType": "semver-2.0.0", "exactly": "6.7.8-delta", } + { + "versionType": "semver-2.0.0", + "exclusiveUpperBound": "1.0.0", + } + { + "versionType": "semver-2.0.0", + "inclusiveLowerBound": "9.0.0", + } ], } ], From 208980b38d7dd33fcaa23fa8df5d9ac3e19730ff Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Thu, 20 Feb 2025 14:35:58 -0800 Subject: [PATCH 07/63] Add status back as a parameter after sync chat in QWG meeting on 2025-02-20. The status conversation will happen another day --- schema/docs/versions.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/schema/docs/versions.md b/schema/docs/versions.md index eade1b04224..0dd9d38da90 100644 --- a/schema/docs/versions.md +++ b/schema/docs/versions.md 
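Review bot: adding `exclusiveUpperBound: 1.0.0` and `inclusiveLowerBound: 9.0.0` on their own contradicts the `#### Explainer` paragraph, which still states `A semver-2.0.0 range must begin with a lower bound which is followed by an upper bound`; reword it to say a range has at least one bound and at most one of each side, and give the `< 1.0.0` and `>= 9.0.0` readings of these two entries next to the existing `>= 1.2.3-alpha, < 2.3.4+build17` one. The new objects also repeat the earlier syntax problems: no comma between `}` and `{`, and a trailing comma after `"exclusiveUpperBound": "1.0.0",`.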
@@ -320,28 +320,34 @@ In the interest of simplicity the `semver-2.0.0` version type has two parameters "versions": [ { "versionType": "semver-2.0.0", + "status": "affected", "inclusiveLowerBound": "1.2.3-alpha", "exclusiveUpperBound": "2.3.4+build17" } { "versionType": "semver-2.0.0", + "status": "unaffected", "exclusiveLowerBound": "3.4.5-beta", "inclusiveUpperBound": "4.5.6+assembly88" } { "versionType": "semver-2.0.0", + "status": "affected", "exactly": "5.6.7-gamma", } { "versionType": "semver-2.0.0", + "status": "affected", "exactly": "6.7.8-delta", } { "versionType": "semver-2.0.0", + "status": "affected", "exclusiveUpperBound": "1.0.0", } { "versionType": "semver-2.0.0", + "status": "unknown", "inclusiveLowerBound": "9.0.0", } ], From 0ce66016774aee34b9dc418bbfd0e2f5f19ff837 Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Tue, 4 Mar 2025 17:19:46 -0800 Subject: [PATCH 08/63] Stub new properties --- schema/CVE_Record_Format.json | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json index aaf5f5adb7c..e35974d5501 100644 --- a/schema/CVE_Record_Format.json +++ b/schema/CVE_Record_Format.json @@ -357,6 +357,21 @@ } } } + }, + "exactly": { + "description": "A single semver 2.0.0 version to mark", + }, + "inclusiveLowerBound": { + "description": "A valid semver 2.0.0 value used as a lower bound. Explicitly also affected." + }, + "exclusiveLowerBound": { + "description": "A valid semver 2.0.0 value used as a lower bound. Explicitly not affected." + }, + "inclusiveUpperBound": { + "description": "A valid semver 2.0.0 value used as an upper bound. Explicitly also affected." + }, + "exclusiveUpperBound": { + "description": "A valid semver 2.0.0 value used as an upper bound. Explicitly not affected." } }, "additionalProperties": false From 62db1699e85fcdb35ae3ac4061fb00d771da5848 Mon Sep 17 00:00:00 2001 
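Review bot: in the schema stub, `"exactly": { "description": "A single semver 2.0.0 version to mark", },` has a trailing comma inside the object, which makes `CVE_Record_Format.json` unparseable until a later patch; the other four stubs are fine. The wording `Explicitly also affected.` / `Explicitly not affected.` conflates inclusivity of the bound with `status`: the `versions.md` example in the same patch carries ranges with `"status": "unaffected"` and `"status": "unknown"`, and those need inclusive and exclusive bounds just as much, so describe the bound as `itself inside the range` / `itself outside the range` instead. None of the stubs has a `type` or a `pattern` yet, so at this point any JSON value is accepted for them.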
From: Jon Moroney Date: Tue, 4 Mar 2025 17:23:07 -0800 Subject: [PATCH 09/63] Add pattern regex --- schema/CVE_Record_Format.json | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json index e35974d5501..831a17b3b62 100644 --- a/schema/CVE_Record_Format.json +++ b/schema/CVE_Record_Format.json 
@@ -360,18 +360,27 @@ }, "exactly": { "description": "A single semver 2.0.0 version to mark", + "pattern": "^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$" }, "inclusiveLowerBound": { - "description": "A valid semver 2.0.0 value used as a lower bound. Explicitly also affected." + "description": "A valid semver 2.0.0 value used as a lower bound. Explicitly also affected.", + "pattern": "^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$" + }, "exclusiveLowerBound": { - "description": "A valid semver 2.0.0 value used as a lower bound. Explicitly not affected." + "description": "A valid semver 2.0.0 value used as a lower bound. Explicitly not affected.", + "pattern": "^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$" + }, "inclusiveUpperBound": { - "description": "A valid semver 2.0.0 value used as an upper bound. Explicitly also affected." + "description": "A valid semver 2.0.0 value used as an upper bound. Explicitly also affected.", + "pattern": "^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$" + }, "exclusiveUpperBound": { - "description": "A valid semver 2.0.0 value used as an upper bound. Explicitly not affected." + "description": "A valid semver 2.0.0 value used as an upper bound. Explicitly not affected.", + "pattern": "^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$" + } }, "additionalProperties": false 
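Review bot: the five `pattern` strings use single-backslash escapes (`\d`, `\.`, `\+`), which are not legal JSON string escapes, so the file will not load; inside a JSON string the regex needs `\\d`, `\\.`, `\\+`, as the later `Double slash` patch does. The hunk also adds one `}` too many after the `exclusiveUpperBound` block (removed by the very next patch), and the regex copied from semver.org keeps its capture groups, which JSON Schema never reads; `(?:...)` throughout would be cleaner. Bear in mind that a `pattern` validates each bound in isolation: nothing in the schema can reject `inclusiveLowerBound: 2.0.0` paired with `exclusiveUpperBound: 1.0.0`, so `versions.md` should say that bound ordering is the CNA's responsibility.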
From 34af2ae1e813a041ad37ac22d66e77db143bc2b2 Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Tue, 4 Mar 2025 17:23:28 -0800 Subject: [PATCH 10/63] and trim newline --- schema/CVE_Record_Format.json | 1 - 1 file changed, 1 deletion(-) diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json index 831a17b3b62..bc025081ee3 100644 --- a/schema/CVE_Record_Format.json +++ b/schema/CVE_Record_Format.json @@ -380,7 +380,6 @@ "exclusiveUpperBound": { "description": "A valid semver 2.0.0 value used as an upper bound. Explicitly not affected.", "pattern": "^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$" - } }, "additionalProperties": false From 046daddf67692e4ca0bcc7c7fe98dfd0e47abbe3 Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Thu, 6 Mar 2025 11:23:40 -0800 Subject: [PATCH 11/63] Add an attempt at json schema options for semver 2.0.0 If this is valid then still need to ensure version type is set to semver-2.0.0 for these combinations --- schema/CVE_Record_Format.json | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json index bc025081ee3..47e539c0252 100644 --- a/schema/CVE_Record_Format.json +++ b/schema/CVE_Record_Format.json 
@@ -303,6 +303,30 @@ }, { "required": ["version", "status", "versionType", "lessThanOrEqual"] + }, + { + "required": ["status", "versionType"], + "anyOf": [ + {"required": ["exactly"]}, + {"required": ["inclusiveUpperBound"]}, + {"required": ["exclusiveLowerBound"]}, + {"required": ["inclusiveUpperBound"]}, + {"required": ["exclusiveUpperBound"]} + ] + }, + { + "required": ["status", "versionType", "inclusiveLowerBound"], + "anyOf": [ + {"required": ["inclusiveUpperBound"]}, + {"required": ["exclusiveUpperBound"]} + ] + } + { + "required": ["status", "versionType", "exclusiveLowerBound"], + "anyOf": [ + {"required": ["inclusiveUpperBound"]}, + {"required": ["exclusiveUpperBound"]} + ] } ], "properties": { From 484ca7678e03f7d0fc5482f03c42e44b6cd30596 Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Wed, 12 Mar 2025 12:33:12 -0700 Subject: [PATCH 12/63] Add valid forms of semver-2.0.0 usage --- schema/support/tests/valid/semver2-0-0.json | 151 ++++++++++++++++++++ 1 file changed, 151 insertions(+) create mode 100644 schema/support/tests/valid/semver2-0-0.json diff --git a/schema/support/tests/valid/semver2-0-0.json b/schema/support/tests/valid/semver2-0-0.json new file mode 100644 index 00000000000..9c98ac92d92 --- /dev/null +++ b/schema/support/tests/valid/semver2-0-0.json 
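Review bot: the first new alternative lists `{"required": ["inclusiveUpperBound"]}` twice and never `inclusiveLowerBound`, so a stand-alone `>=` range is rejected (corrected later as `Fix typo to allow stand alone inclusive lower bound`). There is also no comma between the second and third added objects (`}` is followed directly by `{`), so this is invalid JSON. With `anyOf`, a version object carrying both `inclusiveUpperBound` and `exclusiveUpperBound` passes, and, as the commit message concedes, nothing requires `versionType` to be `semver-2.0.0` or stops `version`/`lessThan` from being mixed into the same object; `oneOf` for the bound lists, a `const` on `versionType`, and a `maxProperties` cap address each of these in turn.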
@@ -0,0 +1,151 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-1900-1234", + "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "state": "PUBLISHED" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" + }, + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-78 OS Command Injection" + } + ] + } + ], + "affected": [ + { + "vendor": "Example.org", + "product": "Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "exactly": "1.2.3" + } + ], + "defaultStatus": "unaffected" + }, + { + "vendor": "Example2.org", + "product": "Another Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "exclusiveLowerBound": "1.2.3" + } + ], + "defaultStatus": "unaffected" + }, + { + "vendor": "Example3.org", + "product": "Another Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "inclusiveLowerBound": "1.2.3" + } + ], + "defaultStatus": "unaffected" + }, + { + "vendor": "Example4.org", + "product": "Another Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "inclusiveUpperBound": "1.2.3" + } + ], + "defaultStatus": "unaffected" + }, + { + "vendor": "Example4.org", + "product": "Another Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "exclusiveUpperBound": "1.2.3" + } + ], + "defaultStatus": "unaffected" + }, + { + "vendor": "Example5.org", + "product": "Another Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "inclusiveLowerBound": "1.2.3", + "inclusiveUpperBound": "2.3.4" + } + ], + "defaultStatus": "unaffected" + }, + { + "vendor": "Example6.org", + "product": "Another Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": 
"affected", + "inclusiveLowerBound": "1.2.3", + "exclusiveUpperBound": "2.3.4" + } + ], + "defaultStatus": "unaffected" + }, + { + "vendor": "Example7.org", + "product": "Another Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "exclusiveLowerBound": "1.2.3", + "inclusiveUpperBound": "2.3.4" + } + ], + "defaultStatus": "unaffected" + }, + { + "vendor": "Example8.org", + "product": "Another Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "exclusiveLowerBound": "1.2.3", + "exclusiveUpperBound": "2.3.4" + } + ], + "defaultStatus": "unaffected" + }, + ], + "descriptions": [ + { + "lang": "en", + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1900-1234" + } + ] + } + } +} \ No newline at end of file From 35271580132a7eee413d72ca21309440f8cb2a9b Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Wed, 12 Mar 2025 12:46:45 -0700 Subject: [PATCH 13/63] trim extra comma --- schema/support/tests/valid/semver2-0-0.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schema/support/tests/valid/semver2-0-0.json b/schema/support/tests/valid/semver2-0-0.json index 9c98ac92d92..a5580a0108a 100644 --- a/schema/support/tests/valid/semver2-0-0.json +++ b/schema/support/tests/valid/semver2-0-0.json @@ -133,7 +133,7 @@ } ], "defaultStatus": "unaffected" - }, + } ], "descriptions": [ { From b037e53cb12aa7eab227d6783a93e5070cbf8f3e Mon Sep 17 00:00:00 2001 
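Review bot: `semver2-0-0.json` cannot pass as a fixture against the schema as it stands in PATCH 11: the `Example3.org` entry uses a stand-alone `inclusiveLowerBound`, which none of the alternatives added there admits, and the `affected` array ends with `},` followed by `]`, a trailing comma that the next patch removes. The fixture also exercises only bare triples; add at least one value with a pre-release and one with build metadata (for example `1.2.3-alpha.1` and `2.3.4+build17`) so the `pattern` is actually tested, give the two `Example4.org` entries distinct vendor names, and note that the `descriptions` text (`1.0 versions before 1.0.6`, `from 2.16 until 2.1.9`) does not describe the version data above it, which is confusing in a reference file.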
From: Jon Moroney Date: Wed, 12 Mar 2025 13:19:51 -0700 Subject: [PATCH 14/63] Switch from anyOf to oneOf --- schema/CVE_Record_Format.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json index 47e539c0252..88319b6b1c2 100644 --- a/schema/CVE_Record_Format.json +++ b/schema/CVE_Record_Format.json @@ -306,7 +306,7 @@ }, { "required": ["status", "versionType"], - "anyOf": [ + "oneOf": [ {"required": ["exactly"]}, {"required": ["inclusiveUpperBound"]}, {"required": ["exclusiveLowerBound"]}, @@ -316,14 +316,14 @@ }, { "required": ["status", "versionType", "inclusiveLowerBound"], - "anyOf": [ + "oneOf": [ {"required": ["inclusiveUpperBound"]}, {"required": ["exclusiveUpperBound"]} ] } { "required": ["status", "versionType", "exclusiveLowerBound"], - "anyOf": [ + "oneOf": [ {"required": ["inclusiveUpperBound"]}, {"required": ["exclusiveUpperBound"]} ] From 226158afb5174b6a4f89125c60789a55a08a2eee Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Wed, 12 Mar 2025 13:38:57 -0700 Subject: [PATCH 15/63] Update build.js to reference current schema location --- schema/support/Node_Validator/build.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schema/support/Node_Validator/build.js b/schema/support/Node_Validator/build.js index 09ab39b0cd4..2284c3d187f 100644 --- a/schema/support/Node_Validator/build.js +++ b/schema/support/Node_Validator/build.js @@ -3,7 +3,7 @@ const path = require("path") const Ajv = require('ajv').default; const standaloneCode = require("ajv/dist/standalone").default const addFormats = require('ajv-formats').default; -const schema = require("../../docs/CVE_JSON_bundled.json") +const schema = require("../../docs/CVE_Record_Format_bundled.json") function reduceSchema(o) { for(prop in o) { From e2643185eac418fada252bfb9f46aea19f507c1b Mon Sep 17 00:00:00 2001 
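Review bot: `oneOf` is the right connective for the inner bound lists, but the `}` `{` juxtaposition between the second and third alternatives is still present, so the schema remains unparseable until `Add missing comma`. The `build.js` change (`CVE_JSON_bundled.json` to `CVE_Record_Format_bundled.json`) is a path fix unrelated to the semver type; by the rule the first commit message sets for this series, it belongs in its own PR.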
From: Jon Moroney Date: Wed, 12 Mar 2025 15:00:16 -0700 Subject: [PATCH 16/63] Add missing comma --- schema/CVE_Record_Format.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json index 88319b6b1c2..2f54b7eea47 100644 --- a/schema/CVE_Record_Format.json +++ b/schema/CVE_Record_Format.json @@ -320,7 +320,7 @@ {"required": ["inclusiveUpperBound"]}, {"required": ["exclusiveUpperBound"]} ] - } + }, { "required": ["status", "versionType", "exclusiveLowerBound"], "oneOf": [ From ddf4895d98f254aecdf96b3cc44f2470aef3be18 Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Thu, 13 Mar 2025 11:05:08 -0700 Subject: [PATCH 17/63] Double slash seems to be the correct approach --- schema/CVE_Record_Format.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json index 2f54b7eea47..41ba8d2db32 100644 --- a/schema/CVE_Record_Format.json +++ b/schema/CVE_Record_Format.json 
@@ -384,26 +384,26 @@ }, "exactly": { "description": "A single semver 2.0.0 version to mark", - "pattern": "^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$" + "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" }, "inclusiveLowerBound": { "description": "A valid semver 2.0.0 value used as a lower bound. Explicitly also affected.", - "pattern": "^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$" + "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" }, "exclusiveLowerBound": { "description": "A valid semver 2.0.0 value used as a lower bound. Explicitly not affected.", - "pattern": "^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$" + "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" }, "inclusiveUpperBound": { "description": "A valid semver 2.0.0 value used as an upper bound. 
Explicitly also affected.", - "pattern": "^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$" + "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" }, "exclusiveUpperBound": { "description": "A valid semver 2.0.0 value used as an upper bound. Explicitly not affected.", - "pattern": "^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$" + "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" } }, "additionalProperties": false From 7b77630754e4955f811e6cfa443fee9b123c9d15 Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Thu, 13 Mar 2025 11:22:17 -0700 Subject: [PATCH 18/63] Fix typo to allow stand alone inclusive lower bound --- schema/CVE_Record_Format.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json index 41ba8d2db32..0f0241359ff 100644 --- a/schema/CVE_Record_Format.json +++ b/schema/CVE_Record_Format.json @@ -308,7 +308,7 @@ "required": ["status", "versionType"], "oneOf": [ {"required": ["exactly"]}, - {"required": ["inclusiveUpperBound"]}, + {"required": ["inclusiveLowerBound"]}, {"required": ["exclusiveLowerBound"]}, {"required": ["inclusiveUpperBound"]}, {"required": ["exclusiveUpperBound"]} From bf48730b38f2b4792e685131353cd085660686c4 Mon Sep 17 00:00:00 2001 
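Review bot: with the escapes corrected, the same long regex now appears verbatim five times; move it to a single `$defs` entry (for example `semverVersion`) and `$ref` it from `exactly` and the four bounds, so a future correction cannot drift between copies. The `inclusiveUpperBound` to `inclusiveLowerBound` fix in the next hunk shows that each of the five single-bound forms needs its own positive fixture; the per-form files only arrive in the last patch on this page, and adding them alongside this change would have caught the typo at the time.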
From: Jon Moroney Date: Fri, 14 Mar 2025 12:21:44 -0700 Subject: [PATCH 19/63] Add validation of schemas to the workflow --- .github/workflows/validate-schema.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/validate-schema.yml b/.github/workflows/validate-schema.yml index 6545dee93b1..d68d8f69251 100644 --- a/.github/workflows/validate-schema.yml +++ b/.github/workflows/validate-schema.yml @@ -36,3 +36,4 @@ jobs: ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled.json" -d "${CVE_SCHEMA_DIR}/docs/full-record-advanced-example.json" ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json" -d "${CVE_SCHEMA_DIR}/docs/cnaContainer-advanced-example.json" ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json" -d "${CVE_SCHEMA_DIR}/docs/cnaContainer-basic-example.json" + ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled.json" -d "${CVE_SCHEMA_DIR}/support/tests/valid/*.json" From e333f536041c279ebed62c8347a819744616cceb Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Fri, 14 Mar 2025 12:31:00 -0700 Subject: [PATCH 20/63] Prefer test over validate for symmetry with invalid test to come --- .github/workflows/validate-schema.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/validate-schema.yml b/.github/workflows/validate-schema.yml index d68d8f69251..a2f075d24a0 100644 --- a/.github/workflows/validate-schema.yml +++ b/.github/workflows/validate-schema.yml 
@@ -36,4 +36,5 @@ jobs: ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled.json" -d "${CVE_SCHEMA_DIR}/docs/full-record-advanced-example.json" ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json" -d "${CVE_SCHEMA_DIR}/docs/cnaContainer-advanced-example.json" ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json" -d "${CVE_SCHEMA_DIR}/docs/cnaContainer-basic-example.json" - ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled.json" -d "${CVE_SCHEMA_DIR}/support/tests/valid/*.json" + ajv test -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled.json" -d "${CVE_SCHEMA_DIR}/support/tests/valid/*.json" --valid + From 992e9c334dd63c29a51c3619cbeb9bcdfc526a28 Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Fri, 14 Mar 2025 12:38:58 -0700 Subject: [PATCH 21/63] Be strict about versionType value --- schema/CVE_Record_Format.json | 3 +++ 1 file changed, 3 insertions(+) diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json index 0f0241359ff..f088cacfbd6 100644 --- a/schema/CVE_Record_Format.json +++ b/schema/CVE_Record_Format.json @@ -306,6 +306,7 @@ }, { "required": ["status", "versionType"], + "properties": {"versionType": { "const": "semver-2.0.0" }}, "oneOf": [ {"required": ["exactly"]}, {"required": ["inclusiveLowerBound"]}, @@ -316,6 +317,7 @@ }, { "required": ["status", "versionType", "inclusiveLowerBound"], + "properties": {"versionType": { "const": "semver-2.0.0" }}, "oneOf": [ {"required": ["inclusiveUpperBound"]}, {"required": ["exclusiveUpperBound"]} @@ -323,6 +325,7 @@ }, { "required": ["status", "versionType", "exclusiveLowerBound"], + "properties": {"versionType": { "const": "semver-2.0.0" }}, "oneOf": [ {"required": ["inclusiveUpperBound"]}, {"required": ["exclusiveUpperBound"]} From 9226d60fe254d6dfabbf37a660efc6738e9e8570 Mon Sep 17 00:00:00 2001 
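Review bot: `ajv test ... -d "${CVE_SCHEMA_DIR}/support/tests/valid/*.json" --valid` only matches files directly in `valid/`; once the fixtures move into `valid/valid-semver-2-0-0/` (the last patch on this page), this glob matches nothing and the step passes vacuously. Use `**/*.json` or name the subdirectory, and make the step fail when zero files match. The hunk also adds a whitespace-only line at end of file. The `"properties": {"versionType": { "const": "semver-2.0.0" }}` pins in the following hunk are correct and are what keeps a record with another `versionType` from satisfying these branches.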
From: Jon Moroney Date: Fri, 14 Mar 2025 12:40:28 -0700 Subject: [PATCH 22/63] Add invalid test for missing versionType --- .../tests/invalid/invalid-semver2-0-0.json | 50 +++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 schema/support/tests/invalid/invalid-semver2-0-0.json diff --git a/schema/support/tests/invalid/invalid-semver2-0-0.json b/schema/support/tests/invalid/invalid-semver2-0-0.json new file mode 100644 index 00000000000..563aa583f15 --- /dev/null +++ b/schema/support/tests/invalid/invalid-semver2-0-0.json @@ -0,0 +1,50 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-1900-1234", + "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "state": "PUBLISHED" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" + }, + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-78 OS Command Injection" + } + ] + } + ], + "affected": [ + { + "vendor": "Example.org", + "product": "Example Enterprise", + "versions": [ + { + "status": "affected", + "exactly": "1.2.3" + } + ], + "defaultStatus": "unaffected" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1900-1234" + } + ] + } + } +} \ No newline at end of file From 3f33cebc01d48815331685de3eb31991e856b98b Mon Sep 17 00:00:00 2001 
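Review bot: this invalid fixture has no CI consumer: the workflow only runs `ajv test ... --valid` over `support/tests/valid/`, so a regression that makes `exactly` acceptable without `versionType` would not fail the build. Add a matching `ajv test -c ajv-formats -s ... -d "${CVE_SCHEMA_DIR}/support/tests/invalid/**/*.json" --invalid` step, which the commit message already anticipates. The fixture itself is right for its purpose: with `versionType` absent, the object satisfies none of the semver-2.0.0 alternatives, and as long as the pre-existing alternatives all require `version` it satisfies none of those either.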
From: Jon Moroney Date: Fri, 14 Mar 2025 12:49:23 -0700 Subject: [PATCH 23/63] Break tests out for easier long term management This should make the tests easier to refactor/read/debug over time Add types and max property limits --- schema/CVE_Record_Format.json | 12 +- .../invalid-semver-2-0-0/dupe-bounds.json | 52 ++++++ .../missing-versionType.json} | 0 .../wrong-versionType.json | 51 ++++++ schema/support/tests/valid/semver2-0-0.json | 151 ------------------ .../valid/valid-semver-2-0-0/exactly-one.json | 51 ++++++ .../valid-semver-2-0-0/exclusiveRange.json | 52 ++++++ .../valid-semver-2-0-0/inclusiveRange.json | 52 ++++++ .../valid/valid-semver-2-0-0/mixedRange1.json | 52 ++++++ .../valid/valid-semver-2-0-0/mixedRange2.json | 52 ++++++ .../only-exclusiveLowerBound.json | 51 ++++++ .../only-exclusiveUpperBound.json | 51 ++++++ .../only-inclusiveLowerBound.json | 51 ++++++ .../only-inclusiveUpperBound.json | 51 ++++++ 14 files changed, 576 insertions(+), 153 deletions(-) create mode 100644 schema/support/tests/invalid/invalid-semver-2-0-0/dupe-bounds.json rename schema/support/tests/invalid/{invalid-semver2-0-0.json => invalid-semver-2-0-0/missing-versionType.json} (100%) create mode 100644 schema/support/tests/invalid/invalid-semver-2-0-0/wrong-versionType.json delete mode 100644 schema/support/tests/valid/semver2-0-0.json create mode 100644 schema/support/tests/valid/valid-semver-2-0-0/exactly-one.json create mode 100644 schema/support/tests/valid/valid-semver-2-0-0/exclusiveRange.json create mode 100644 schema/support/tests/valid/valid-semver-2-0-0/inclusiveRange.json create mode 100644 schema/support/tests/valid/valid-semver-2-0-0/mixedRange1.json create mode 100644 schema/support/tests/valid/valid-semver-2-0-0/mixedRange2.json create mode 100644 schema/support/tests/valid/valid-semver-2-0-0/only-exclusiveLowerBound.json create mode 100644 schema/support/tests/valid/valid-semver-2-0-0/only-exclusiveUpperBound.json create mode 100644
schema/support/tests/valid/valid-semver-2-0-0/only-inclusiveLowerBound.json create mode 100644 schema/support/tests/valid/valid-semver-2-0-0/only-inclusiveUpperBound.json diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json index f088cacfbd6..27fc199d66a 100644 --- a/schema/CVE_Record_Format.json +++ b/schema/CVE_Record_Format.json @@ -306,17 +306,19 @@ }, { "required": ["status", "versionType"], + "maxProperties": 3, "properties": {"versionType": { "const": "semver-2.0.0" }}, "oneOf": [ {"required": ["exactly"]}, {"required": ["inclusiveLowerBound"]}, {"required": ["exclusiveLowerBound"]}, {"required": ["inclusiveUpperBound"]}, - {"required": ["exclusiveUpperBound"]} - ] + {"required": ["exclusiveUpperBound"]}, + ], }, { "required": ["status", "versionType", "inclusiveLowerBound"], + "maxProperties": 4, "properties": {"versionType": { "const": "semver-2.0.0" }}, "oneOf": [ {"required": ["inclusiveUpperBound"]}, @@ -325,6 +327,7 @@ }, { "required": ["status", "versionType", "exclusiveLowerBound"], + "maxProperties": 4, "properties": {"versionType": { "const": "semver-2.0.0" }}, "oneOf": [ {"required": ["inclusiveUpperBound"]}, 
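Review bot: the `@@ -306,17 +306,19 @@` hunk of `schema/CVE_Record_Format.json` introduces two trailing commas: `{"required": ["exclusiveUpperBound"]},` is now the last element of the `oneOf` array, and `],` is followed directly by `}`. Neither is valid JSON, so a strict parser, and whatever tooling produces `CVE_Record_Format_bundled.json` from this file, will reject the whole schema; restore `{"required": ["exclusiveUpperBound"]}` and `]`. On the `maxProperties` additions in both hunks: capping the count does keep stray keys out of the semver branches, but it encodes the intent as a number readers must recompute (3 = `status` + `versionType` + one bound, 4 = the same plus a second bound). Spelling the permitted keys out under `properties` with `additionalProperties: false`, or at least stating the arithmetic in the branch `description`, would make the constraint self-explaining and would reject a wrong key by name rather than by count.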
@@ -386,25 +389,30 @@ } }, "exactly": { + "type": "string", "description": "A single semver 2.0.0 version to mark", "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" }, "inclusiveLowerBound": { + "type": "string", "description": "A valid semver 2.0.0 value used as a lower bound. Explicitly also affected.", "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" }, "exclusiveLowerBound": { + "type": "string", "description": "A valid semver 2.0.0 value used as a lower bound. Explicitly not affected.", "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" }, "inclusiveUpperBound": { + "type": "string", "description": "A valid semver 2.0.0 value used as an upper bound. Explicitly also affected.", "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" }, "exclusiveUpperBound": { + "type": "string", "description": "A valid semver 2.0.0 value used as an upper bound. Explicitly not affected.", "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" } diff --git a/schema/support/tests/invalid/invalid-semver-2-0-0/dupe-bounds.json b/schema/support/tests/invalid/invalid-semver-2-0-0/dupe-bounds.json new file mode 100644 index 00000000000..13ea0cb1be7 --- /dev/null +++ b/schema/support/tests/invalid/invalid-semver-2-0-0/dupe-bounds.json 
@@ -0,0 +1,52 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-1900-1234", + "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "state": "PUBLISHED" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" + }, + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-78 OS Command Injection" + } + ] + } + ], + "affected": [ + { + "vendor": "Example.org", + "product": "Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "exclusiveLowerBound": "1.2.3", + "exclusiveLowerBound": "1.2.4" + } + ], + "defaultStatus": "unaffected" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1900-1234" + } + ] + } + } +} \ No newline at end of file diff --git a/schema/support/tests/invalid/invalid-semver2-0-0.json b/schema/support/tests/invalid/invalid-semver-2-0-0/missing-versionType.json similarity index 100% rename from schema/support/tests/invalid/invalid-semver2-0-0.json rename to schema/support/tests/invalid/invalid-semver-2-0-0/missing-versionType.json diff --git a/schema/support/tests/invalid/invalid-semver-2-0-0/wrong-versionType.json b/schema/support/tests/invalid/invalid-semver-2-0-0/wrong-versionType.json new file mode 100644 index 00000000000..52ed16c2a61 --- /dev/null +++ b/schema/support/tests/invalid/invalid-semver-2-0-0/wrong-versionType.json 
@@ -0,0 +1,51 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-1900-1234", + "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "state": "PUBLISHED" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" + }, + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-78 OS Command Injection" + } + ] + } + ], + "affected": [ + { + "vendor": "Example.org", + "product": "Example Enterprise", + "versions": [ + { + "versionType": "semver-8.0.8", + "status": "affected", + "exactly": "1.2.3" + } + ], + "defaultStatus": "unaffected" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1900-1234" + } + ] + } + } +} \ No newline at end of file diff --git a/schema/support/tests/valid/semver2-0-0.json b/schema/support/tests/valid/semver2-0-0.json deleted file mode 100644 index a5580a0108a..00000000000 --- a/schema/support/tests/valid/semver2-0-0.json +++ /dev/null 
@@ -1,151 +0,0 @@ -{ - "dataType": "CVE_RECORD", - "dataVersion": "5.1", - "cveMetadata": { - "cveId": "CVE-1900-1234", - "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", - "state": "PUBLISHED" - }, - "containers": { - "cna": { - "providerMetadata": { - "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" - }, - "problemTypes": [ - { - "descriptions": [ - { - "lang": "en", - "description": "CWE-78 OS Command Injection" - } - ] - } - ], - "affected": [ - { - "vendor": "Example.org", - "product": "Example Enterprise", - "versions": [ - { - "versionType": "semver-2.0.0", - "status": "affected", - "exactly": "1.2.3" - } - ], - "defaultStatus": "unaffected" - }, - { - "vendor": "Example2.org", - "product": "Another Example Enterprise", - "versions": [ - { - "versionType": "semver-2.0.0", - "status": "affected", - "exclusiveLowerBound": "1.2.3" - } - ], - "defaultStatus": "unaffected" - }, - { - "vendor": "Example3.org", - "product": "Another Example Enterprise", - "versions": [ - { - "versionType": "semver-2.0.0", - "status": "affected", - "inclusiveLowerBound": "1.2.3" - } - ], - "defaultStatus": "unaffected" - }, - { - "vendor": "Example4.org", - "product": "Another Example Enterprise", - "versions": [ - { - "versionType": "semver-2.0.0", - "status": "affected", - "inclusiveUpperBound": "1.2.3" - } - ], - "defaultStatus": "unaffected" - }, - { - "vendor": "Example4.org", - "product": "Another Example Enterprise", - "versions": [ - { - "versionType": "semver-2.0.0", - "status": "affected", - "exclusiveUpperBound": "1.2.3" - } - ], - "defaultStatus": "unaffected" - }, - { - "vendor": "Example5.org", - "product": "Another Example Enterprise", - "versions": [ - { - "versionType": "semver-2.0.0", - "status": "affected", - "inclusiveLowerBound": "1.2.3", - "inclusiveUpperBound": "2.3.4" - } - ], - "defaultStatus": "unaffected" - }, - { - "vendor": "Example6.org", - "product": "Another Example Enterprise", - "versions": [ - { - "versionType": "semver-2.0.0", - "status": 
"affected", - "inclusiveLowerBound": "1.2.3", - "exclusiveUpperBound": "2.3.4" - } - ], - "defaultStatus": "unaffected" - }, - { - "vendor": "Example7.org", - "product": "Another Example Enterprise", - "versions": [ - { - "versionType": "semver-2.0.0", - "status": "affected", - "exclusiveLowerBound": "1.2.3", - "inclusiveUpperBound": "2.3.4" - } - ], - "defaultStatus": "unaffected" - }, - { - "vendor": "Example8.org", - "product": "Another Example Enterprise", - "versions": [ - { - "versionType": "semver-2.0.0", - "status": "affected", - "exclusiveLowerBound": "1.2.3", - "exclusiveUpperBound": "2.3.4" - } - ], - "defaultStatus": "unaffected" - } - ], - "descriptions": [ - { - "lang": "en", - "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." - } - ], - "references": [ - { - "url": "https://example.org/ESA-22-11-CVE-1900-1234" - } - ] - } - } -} \ No newline at end of file diff --git a/schema/support/tests/valid/valid-semver-2-0-0/exactly-one.json b/schema/support/tests/valid/valid-semver-2-0-0/exactly-one.json new file mode 100644 index 00000000000..11e9da27faf --- /dev/null +++ b/schema/support/tests/valid/valid-semver-2-0-0/exactly-one.json 
@@ -0,0 +1,51 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-1900-1234", + "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "state": "PUBLISHED" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" + }, + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-78 OS Command Injection" + } + ] + } + ], + "affected": [ + { + "vendor": "Example.org", + "product": "Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "exactly": "1.2.3" + } + ], + "defaultStatus": "unaffected" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1900-1234" + } + ] + } + } +} \ No newline at end of file diff --git a/schema/support/tests/valid/valid-semver-2-0-0/exclusiveRange.json b/schema/support/tests/valid/valid-semver-2-0-0/exclusiveRange.json new file mode 100644 index 00000000000..997db73a90b --- /dev/null +++ b/schema/support/tests/valid/valid-semver-2-0-0/exclusiveRange.json 
@@ -0,0 +1,52 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-1900-1234", + "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "state": "PUBLISHED" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" + }, + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-78 OS Command Injection" + } + ] + } + ], + "affected": [ + { + "vendor": "Example8.org", + "product": "Another Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "exclusiveLowerBound": "1.2.3", + "exclusiveUpperBound": "2.3.4" + } + ], + "defaultStatus": "unaffected" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1900-1234" + } + ] + } + } +} \ No newline at end of file diff --git a/schema/support/tests/valid/valid-semver-2-0-0/inclusiveRange.json b/schema/support/tests/valid/valid-semver-2-0-0/inclusiveRange.json new file mode 100644 index 00000000000..d9be70ff698 --- /dev/null +++ b/schema/support/tests/valid/valid-semver-2-0-0/inclusiveRange.json 
@@ -0,0 +1,52 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-1900-1234", + "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "state": "PUBLISHED" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" + }, + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-78 OS Command Injection" + } + ] + } + ], + "affected": [ + { + "vendor": "Example5.org", + "product": "Another Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "inclusiveLowerBound": "1.2.3", + "inclusiveUpperBound": "2.3.4" + } + ], + "defaultStatus": "unaffected" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1900-1234" + } + ] + } + } +} \ No newline at end of file diff --git a/schema/support/tests/valid/valid-semver-2-0-0/mixedRange1.json b/schema/support/tests/valid/valid-semver-2-0-0/mixedRange1.json new file mode 100644 index 00000000000..f189b7fde54 --- /dev/null +++ b/schema/support/tests/valid/valid-semver-2-0-0/mixedRange1.json 
@@ -0,0 +1,52 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-1900-1234", + "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "state": "PUBLISHED" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" + }, + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-78 OS Command Injection" + } + ] + } + ], + "affected": [ + { + "vendor": "Example6.org", + "product": "Another Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "inclusiveLowerBound": "1.2.3", + "exclusiveUpperBound": "2.3.4" + } + ], + "defaultStatus": "unaffected" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1900-1234" + } + ] + } + } +} \ No newline at end of file diff --git a/schema/support/tests/valid/valid-semver-2-0-0/mixedRange2.json b/schema/support/tests/valid/valid-semver-2-0-0/mixedRange2.json new file mode 100644 index 00000000000..5377e06132e --- /dev/null +++ b/schema/support/tests/valid/valid-semver-2-0-0/mixedRange2.json 
@@ -0,0 +1,52 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-1900-1234", + "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "state": "PUBLISHED" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" + }, + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-78 OS Command Injection" + } + ] + } + ], + "affected": [ + { + "vendor": "Example7.org", + "product": "Another Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "exclusiveLowerBound": "1.2.3", + "inclusiveUpperBound": "2.3.4" + } + ], + "defaultStatus": "unaffected" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1900-1234" + } + ] + } + } +} \ No newline at end of file diff --git a/schema/support/tests/valid/valid-semver-2-0-0/only-exclusiveLowerBound.json b/schema/support/tests/valid/valid-semver-2-0-0/only-exclusiveLowerBound.json new file mode 100644 index 00000000000..42fa4c80e38 --- /dev/null +++ b/schema/support/tests/valid/valid-semver-2-0-0/only-exclusiveLowerBound.json 
@@ -0,0 +1,51 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-1900-1234", + "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "state": "PUBLISHED" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" + }, + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-78 OS Command Injection" + } + ] + } + ], + "affected": [ + { + "vendor": "Example2.org", + "product": "Another Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "exclusiveLowerBound": "1.2.3" + } + ], + "defaultStatus": "unaffected" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1900-1234" + } + ] + } + } +} \ No newline at end of file diff --git a/schema/support/tests/valid/valid-semver-2-0-0/only-exclusiveUpperBound.json b/schema/support/tests/valid/valid-semver-2-0-0/only-exclusiveUpperBound.json new file mode 100644 index 00000000000..426fe633b4e --- /dev/null +++ b/schema/support/tests/valid/valid-semver-2-0-0/only-exclusiveUpperBound.json 
@@ -0,0 +1,51 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-1900-1234", + "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "state": "PUBLISHED" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" + }, + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-78 OS Command Injection" + } + ] + } + ], + "affected": [ + { + "vendor": "Example4.org", + "product": "Another Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "exclusiveUpperBound": "1.2.3" + } + ], + "defaultStatus": "unaffected" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1900-1234" + } + ] + } + } +} \ No newline at end of file diff --git a/schema/support/tests/valid/valid-semver-2-0-0/only-inclusiveLowerBound.json b/schema/support/tests/valid/valid-semver-2-0-0/only-inclusiveLowerBound.json new file mode 100644 index 00000000000..845d445cace --- /dev/null +++ b/schema/support/tests/valid/valid-semver-2-0-0/only-inclusiveLowerBound.json 
@@ -0,0 +1,51 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-1900-1234", + "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "state": "PUBLISHED" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" + }, + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-78 OS Command Injection" + } + ] + } + ], + "affected": [ + { + "vendor": "Example3.org", + "product": "Another Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "inclusiveLowerBound": "1.2.3" + } + ], + "defaultStatus": "unaffected" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1900-1234" + } + ] + } + } +} \ No newline at end of file diff --git a/schema/support/tests/valid/valid-semver-2-0-0/only-inclusiveUpperBound.json b/schema/support/tests/valid/valid-semver-2-0-0/only-inclusiveUpperBound.json new file mode 100644 index 00000000000..ce9064e5d0a --- /dev/null +++ b/schema/support/tests/valid/valid-semver-2-0-0/only-inclusiveUpperBound.json 
@@ -0,0 +1,51 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-1900-1234", + "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "state": "PUBLISHED" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" + }, + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-78 OS Command Injection" + } + ] + } + ], + "affected": [ + { + "vendor": "Example4.org", + "product": "Another Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "inclusiveUpperBound": "1.2.3" + } + ], + "defaultStatus": "unaffected" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1900-1234" + } + ] + } + } +} \ No newline at end of file From eb4fd2f7bd0bf25a90b07972dc1eb87988c09e07 Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Fri, 14 Mar 2025 14:20:23 -0700 Subject: [PATCH 24/63] Add test case for mixing exactly with a range --- .../invalid-semver-2-0-0/mixed-versions.json | 52 +++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 schema/support/tests/invalid/invalid-semver-2-0-0/mixed-versions.json diff --git a/schema/support/tests/invalid/invalid-semver-2-0-0/mixed-versions.json b/schema/support/tests/invalid/invalid-semver-2-0-0/mixed-versions.json new file mode 100644 index 00000000000..6c9db266dd1 --- /dev/null +++ b/schema/support/tests/invalid/invalid-semver-2-0-0/mixed-versions.json 
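Review bot: in the `@@ -386,25 +389,30 @@` hunk of `schema/CVE_Record_Format.json` the same semver regular expression is pasted into five properties (`exactly` and the four bounds); keep it in a single definition and `$ref` it from each property so a correction is applied once and the five cannot drift apart. The bound descriptions in that hunk are also worded as if `status` were always `affected` (`"... Explicitly also affected."` and `"... Explicitly not affected."`), while every fixture in this patch pairs the bound with its own `status` and a separate `defaultStatus`; phrase them relative to the object's `status` (the bound value itself does or does not carry that status) so they stay correct for `unaffected` and `unknown` ranges too.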
@@ -0,0 +1,52 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-1900-1234", + "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "state": "PUBLISHED" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" + }, + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-78 OS Command Injection" + } + ] + } + ], + "affected": [ + { + "vendor": "Example.org", + "product": "Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "inclusiveLowerBound": "1.2.3", + "exactly": "1.2.4" + } + ], + "defaultStatus": "unaffected" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1900-1234" + } + ] + } + } +} \ No newline at end of file From 36a22ee2629a8543e37c985f92ea531528eef05e Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Fri, 14 Mar 2025 14:22:23 -0700 Subject: [PATCH 25/63] Add test case for duplicate upper bounds --- .../dupe-upper-bounds.json | 53 +++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 schema/support/tests/invalid/invalid-semver-2-0-0/dupe-upper-bounds.json diff --git a/schema/support/tests/invalid/invalid-semver-2-0-0/dupe-upper-bounds.json b/schema/support/tests/invalid/invalid-semver-2-0-0/dupe-upper-bounds.json new file mode 100644 index 00000000000..91306232642 --- /dev/null +++ b/schema/support/tests/invalid/invalid-semver-2-0-0/dupe-upper-bounds.json 
@@ -0,0 +1,53 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-1900-1234", + "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "state": "PUBLISHED" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" + }, + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-78 OS Command Injection" + } + ] + } + ], + "affected": [ + { + "vendor": "Example.org", + "product": "Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "exclusiveLowerBound": "1.2.3", + "inclusiveUpperBound": "1.2.4", + "exclusiveUpperBound": "1.2.4" + } + ], + "defaultStatus": "unaffected" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1900-1234" + } + ] + } + } +} \ No newline at end of file From fd0d7e1ac96fc7c4c334c1f121f1cba35c167b5a Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Fri, 14 Mar 2025 14:23:29 -0700 Subject: [PATCH 26/63] Add test case for duplicate lower bounds --- .../dupe-lower-bounds.json | 53 +++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 schema/support/tests/invalid/invalid-semver-2-0-0/dupe-lower-bounds.json diff --git a/schema/support/tests/invalid/invalid-semver-2-0-0/dupe-lower-bounds.json b/schema/support/tests/invalid/invalid-semver-2-0-0/dupe-lower-bounds.json new file mode 100644 index 00000000000..30445c1b1b2 --- /dev/null +++ b/schema/support/tests/invalid/invalid-semver-2-0-0/dupe-lower-bounds.json 
@@ -0,0 +1,53 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-1900-1234", + "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "state": "PUBLISHED" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" + }, + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-78 OS Command Injection" + } + ] + } + ], + "affected": [ + { + "vendor": "Example.org", + "product": "Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "exclusiveLowerBound": "1.2.3", + "inclusiveLowerBound": "1.2.3", + "exclusiveUpperBound": "1.2.4" + } + ], + "defaultStatus": "unaffected" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1900-1234" + } + ] + } + } +} \ No newline at end of file From 745cc6fca94a01d93021c531d5d8f0992d415ea0 Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Fri, 14 Mar 2025 14:25:43 -0700 Subject: [PATCH 27/63] Add semver tests to the workflow The tests on the invalid records write out to the terminal but pass. There doesn't seem to be a quiet option in ajv --- .github/workflows/validate-schema.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/validate-schema.yml b/.github/workflows/validate-schema.yml index a2f075d24a0..5d969c9bab5 100644 --- a/.github/workflows/validate-schema.yml +++ b/.github/workflows/validate-schema.yml 
@@ -36,5 +36,7 @@ jobs: ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled.json" -d "${CVE_SCHEMA_DIR}/docs/full-record-advanced-example.json" ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json" -d "${CVE_SCHEMA_DIR}/docs/cnaContainer-advanced-example.json" ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json" -d "${CVE_SCHEMA_DIR}/docs/cnaContainer-basic-example.json" - ajv test -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled.json" -d "${CVE_SCHEMA_DIR}/support/tests/valid/*.json" --valid + # Run semver 2.0.0 tests + ajv test -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled.json" -d "${CVE_SCHEMA_DIR}/support/tests/valid/valid-semver-2-0-0/*.json" --valid + ajv test -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_Record_Format_bundled.json" -d "${CVE_SCHEMA_DIR}/support/tests/invalid/invalid-semver-2-0-0/*.json" --invalid From a0ff77b849795d700450edce3e93fad72297a318 Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Fri, 14 Mar 2025 14:29:24 -0700 Subject: [PATCH 28/63] Remove test --- .../dupe-lower-bounds.json | 53 ------------------- 1 file changed, 53 deletions(-) delete mode 100644 schema/support/tests/invalid/invalid-semver-2-0-0/dupe-lower-bounds.json diff --git a/schema/support/tests/invalid/invalid-semver-2-0-0/dupe-lower-bounds.json b/schema/support/tests/invalid/invalid-semver-2-0-0/dupe-lower-bounds.json deleted file mode 100644 index 30445c1b1b2..00000000000 --- a/schema/support/tests/invalid/invalid-semver-2-0-0/dupe-lower-bounds.json +++ /dev/null 
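Review bot: the removed line `ajv test ... -d "${CVE_SCHEMA_DIR}/support/tests/valid/*.json" --valid` covered every fixture directly under `support/tests/valid/`, and the replacement globs only `valid/valid-semver-2-0-0/*.json`; unless `semver2-0-0.json` (deleted in PATCH 23) was the only file there, the other valid fixtures silently stop being checked, so keep the original line alongside the two new ones. On the `--invalid` run: it passes whenever validation fails for any reason, so an unrelated mistake in a fixture (a typo in `dataVersion`, say) keeps the job green while the rule the fixture was written for goes untested; keep each invalid fixture identical to a valid one except for the single defect its file name announces. For the noise the commit message mentions, ajv-cli's `--errors=` option selects the error output format; check whether the pinned version offers a value that suppresses it before concluding there is no quiet mode.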
@@ -1,53 +0,0 @@ -{ - "dataType": "CVE_RECORD", - "dataVersion": "5.1", - "cveMetadata": { - "cveId": "CVE-1900-1234", - "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", - "state": "PUBLISHED" - }, - "containers": { - "cna": { - "providerMetadata": { - "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" - }, - "problemTypes": [ - { - "descriptions": [ - { - "lang": "en", - "description": "CWE-78 OS Command Injection" - } - ] - } - ], - "affected": [ - { - "vendor": "Example.org", - "product": "Example Enterprise", - "versions": [ - { - "versionType": "semver-2.0.0", - "status": "affected", - "exclusiveLowerBound": "1.2.3", - "inclusiveLowerBound": "1.2.3", - "exclusiveUpperBound": "1.2.4" - } - ], - "defaultStatus": "unaffected" - } - ], - "descriptions": [ - { - "lang": "en", - "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." - } - ], - "references": [ - { - "url": "https://example.org/ESA-22-11-CVE-1900-1234" - } - ] - } - } -} \ No newline at end of file From 9f839d60042d95c246c2ead936ecc21bdafec1da Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Fri, 14 Mar 2025 14:44:44 -0700 Subject: [PATCH 29/63] Removing this test for now. Unclear why it fails --- .../invalid-semver-2-0-0/dupe-bounds.json | 52 ------------------- 1 file changed, 52 deletions(-) delete mode 100644 schema/support/tests/invalid/invalid-semver-2-0-0/dupe-bounds.json diff --git a/schema/support/tests/invalid/invalid-semver-2-0-0/dupe-bounds.json b/schema/support/tests/invalid/invalid-semver-2-0-0/dupe-bounds.json deleted file mode 100644 index 13ea0cb1be7..00000000000 --- a/schema/support/tests/invalid/invalid-semver-2-0-0/dupe-bounds.json +++ /dev/null 
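Review bot: the commit message `Remove test` records no reason, and the fixture being deleted (`exclusiveLowerBound` + `inclusiveLowerBound` + `exclusiveUpperBound`, five properties including `status` and `versionType`) is precisely the kind of record the `maxProperties` caps of 3 and 4 added in PATCH 23 exist to reject, as far as the schema hunks in this series show. If the fixture was not being rejected, that is a gap in the schema rather than in the test, and the cause belongs in the message before the fixture goes; if it was removed for another reason (overlap with `dupe-upper-bounds.json`, for instance), say so.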
@@ -1,52 +0,0 @@ -{ - "dataType": "CVE_RECORD", - "dataVersion": "5.1", - "cveMetadata": { - "cveId": "CVE-1900-1234", - "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", - "state": "PUBLISHED" - }, - "containers": { - "cna": { - "providerMetadata": { - "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" - }, - "problemTypes": [ - { - "descriptions": [ - { - "lang": "en", - "description": "CWE-78 OS Command Injection" - } - ] - } - ], - "affected": [ - { - "vendor": "Example.org", - "product": "Example Enterprise", - "versions": [ - { - "versionType": "semver-2.0.0", - "status": "affected", - "exclusiveLowerBound": "1.2.3", - "exclusiveLowerBound": "1.2.4" - } - ], - "defaultStatus": "unaffected" - } - ], - "descriptions": [ - { - "lang": "en", - "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." - } - ], - "references": [ - { - "url": "https://example.org/ESA-22-11-CVE-1900-1234" - } - ] - } - } -} \ No newline at end of file From 5cc921edd59aea28e0f50689a15e9d2e251e0c2b Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Tue, 1 Apr 2025 11:39:35 -0700 Subject: [PATCH 30/63] Move semver regex out to a single def and reference it --- schema/CVE_Record_Format.json | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json index 27fc199d66a..8544e5e86c4 100644 --- a/schema/CVE_Record_Format.json +++ b/schema/CVE_Record_Format.json 
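Review bot: the reason this fixture does not behave as expected is visible in the removed lines: the versions object repeats the key `"exclusiveLowerBound"` twice (`"1.2.3"` then `"1.2.4"`). A JSON parser keeps one value for a duplicated key (JavaScript's `JSON.parse`, which ajv relies on, keeps the last), so the schema only ever sees a single `exclusiveLowerBound: "1.2.4"`, which is valid. Duplicate keys cannot be detected by JSON Schema at all; if that property matters, check it with a duplicate-key-aware linter before validation, and record that cause in the commit message instead of leaving the deletion unexplained.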
@@ -98,6 +98,11 @@ "minLength": 1, "maxLength": 1024 }, + "semver-2.0.0-version": { + "description": "A semver 2.0.0 compatible version", + "type": "string", + "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" + }, "status": { "description": "The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.", "type": "string", 
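Review bot: the new `semver-2.0.0-version` definition has no length bound, unlike the sibling definition directly above it (`minLength: 1`, `maxLength: 1024`); add a `maxLength` so an oversized string is rejected before the regex runs. The pattern itself is the anchored regex published on semver.org (no leading zeros in the numeric triple, optional pre-release and build suffixes), so its behaviour is well documented; citing that URL in the `description` would save the next reader from re-deriving it.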
@@ -389,32 +394,25 @@ } }, "exactly": { - "type": "string", "description": "A single semver 2.0.0 version to mark", - "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" + "$ref": "#/definitions/semver-2.0.0-version" }, "inclusiveLowerBound": { - "type": "string", "description": "A valid semver 2.0.0 value used as a lower bound. Explicitly also affected.", - "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" - + "$ref": "#/definitions/semver-2.0.0-version" }, "exclusiveLowerBound": { - "type": "string", "description": "A valid semver 2.0.0 value used as a lower bound. Explicitly not affected.", - "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" - + "$ref": "#/definitions/semver-2.0.0-version" }, "inclusiveUpperBound": { - "type": "string", "description": "A valid semver 2.0.0 value used as an upper bound. Explicitly also affected.", - "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" + "$ref": "#/definitions/semver-2.0.0-version" }, "exclusiveUpperBound": { - "type": "string", "description": "A valid semver 2.0.0 value used as an upper bound. Explicitly not affected.", - "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" + "$ref": "#/definitions/semver-2.0.0-version" } }, "additionalProperties": false 
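Review bot: dropping `"type": "string"` from the five bound properties is safe only because `#/definitions/semver-2.0.0-version` supplies it; worth stating in the commit message. Each property now keeps a `description` as a sibling of `$ref`, and if this schema is draft-07 every keyword beside `$ref` is ignored, so those descriptions silently vanish from generated documentation; either accept that or wrap as `"allOf": [{"$ref": "#/definitions/semver-2.0.0-version"}]`. The stray blank lines inside `inclusiveLowerBound` and `exclusiveLowerBound` are cleaned up here, which is good.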
From 9a4ad63336855dea740886ba5135ef4e62e647c7 Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Tue, 1 Apr 2025 13:37:01 -0700 Subject: [PATCH 31/63] stub idea for changes block --- schema/CVE_Record_Format.json | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json index 8544e5e86c4..ba5215d8083 100644 --- a/schema/CVE_Record_Format.json +++ b/schema/CVE_Record_Format.json @@ -384,7 +384,10 @@ "properties": { "at": { "description": "The version at which a status change occurs.", - "$ref": "#/definitions/version" + "oneOf": [ + {"$ref": "#/definitions/version"}, + {"$ref": "#/definitions/exactly"} + ] }, "status": { "description": "The new status in the range starting at the given version.", From 50d0e1227e9292500847e95ba5928d586657ae8f Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Fri, 18 Apr 2025 11:20:03 -0700 Subject: [PATCH 32/63] Add a test to ensure asterisk usage fails --- .../invalid-semver-2-0-0/asterisk-usage.json | 51 +++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 schema/support/tests/invalid/invalid-semver-2-0-0/asterisk-usage.json diff --git a/schema/support/tests/invalid/invalid-semver-2-0-0/asterisk-usage.json b/schema/support/tests/invalid/invalid-semver-2-0-0/asterisk-usage.json new file mode 100644 index 00000000000..e9925dbe964 --- /dev/null +++ b/schema/support/tests/invalid/invalid-semver-2-0-0/asterisk-usage.json 
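Review bot: `oneOf` is the wrong combinator for `at` in the PATCH 31 hunk. `#/definitions/version` is a plain bounded string and accepts everything `#/definitions/exactly` (the semver-patterned string) accepts, so a well-formed value such as `"1.2.3"` matches both branches and `oneOf` rejects it, while a non-semver value matches only the first branch and is accepted; that is the reverse of the intent. Use `anyOf`, or better, make the semver constraint conditional on `versionType` (as PATCH 33 later does) and drop the `exactly` alternative here.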
@@ -0,0 +1,51 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-1900-1234", + "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "state": "PUBLISHED" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" + }, + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "CWE-78 OS Command Injection" + } + ] + } + ], + "affected": [ + { + "vendor": "Example.org", + "product": "Example Enterprise", + "versions": [ + { + "versionType": "semver-2.0.0", + "status": "affected", + "exactly": "1.2.*" + } + ], + "defaultStatus": "unaffected" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1900-1234" + } + ] + } + } +} \ No newline at end of file From a72e5b8f7868d5ccb043b8c573c921a456fdc874 Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Wed, 30 Apr 2025 13:01:52 -0700 Subject: [PATCH 33/63] Update schema with working concept of reusing old parameters. Adds two new ones rather than five --- schema/CVE_Record_Format.json | 72 ++++++++++++----------------------- 1 file changed, 24 insertions(+), 48 deletions(-) diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json index ba5215d8083..2e5c28fb406 100644 --- a/schema/CVE_Record_Format.json +++ b/schema/CVE_Record_Format.json 
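Review bot: this fixture only checks that `*` is rejected in `exactly`; the same regex also rejects a leading `v` (`v1.2.3`), a leading zero (`01.2.3`) and a missing patch component (`1.2`), and none of those has a fixture. One file per case keeps a future regex edit from quietly loosening them. Minor: the `descriptions[0].value` text ("1.0 versions before 1.0.6", "2.1 versions from 2.16 until 2.1.9") is copied from the example record and does not describe the versions object; harmless in an invalid fixture, but worth aligning so the fixture reads as one record.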
@@ -310,36 +310,26 @@ "required": ["version", "status", "versionType", "lessThanOrEqual"] }, { - "required": ["status", "versionType"], - "maxProperties": 3, - "properties": {"versionType": { "const": "semver-2.0.0" }}, - "oneOf": [ - {"required": ["exactly"]}, - {"required": ["inclusiveLowerBound"]}, - {"required": ["exclusiveLowerBound"]}, - {"required": ["inclusiveUpperBound"]}, - {"required": ["exclusiveUpperBound"]}, - ], + "required": ["status", "versionType", "greaterThan"] }, { - "required": ["status", "versionType", "inclusiveLowerBound"], - "maxProperties": 4, - "properties": {"versionType": { "const": "semver-2.0.0" }}, - "oneOf": [ - {"required": ["inclusiveUpperBound"]}, - {"required": ["exclusiveUpperBound"]} - ] + "required": ["status", "versionType", "greaterThanOrEqual"] }, - { - "required": ["status", "versionType", "exclusiveLowerBound"], - "maxProperties": 4, - "properties": {"versionType": { "const": "semver-2.0.0" }}, - "oneOf": [ - {"required": ["inclusiveUpperBound"]}, - {"required": ["exclusiveUpperBound"]} - ] - } ], + "if": { + "properties": { + "versionType": {"const": "semver-2.0.0"} + } + }, + "then": { + "properties": { + "version": { "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$"}, + "lessThan": { "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$"}, + "lessThanOrEqual": { "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$"}, + "greaterThan": { "pattern": 
"^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$"}, + "greaterThanOrEqual": { "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$"}, + } + }, "properties": { "version": { "description": "The single version being described, or the version at the start of the range. By convention, typically 0 denotes the earliest possible version.", @@ -371,6 +361,14 @@ "description": "The inclusive upper limit of the range. This is the greatest version contained in the range. Only one of lessThan and lessThanOrEqual should be specified. For example, `{version: 1.0, lessThanOrEqual: 1.3}` covers all versions from 1.0 up to and including 1.3.", "$ref": "#/definitions/version" }, + "greaterThan": { + "description": "The non-inclusive lower limit of the range. This is the lowest version NOT in the range. Used only for uncapped ranges", + "$ref": "#/definitions/version" + }, + "greaterThanOrEqual": { + "description": "The inclusive lower limit of the range. This is the lowest version in the range. Used only for uncapped ranges", + "$ref": "#/definitions/version" + }, "changes": { "type": "array", "description": "A list of status changes that take place during the range. The array should be sorted in increasing order by the 'at' field, according to the versionType, but clients must re-sort the list themselves rather than assume it is sorted.", @@ -386,7 +384,6 @@ "description": "The version at which a status change occurs.", "oneOf": [ {"$ref": "#/definitions/version"}, - {"$ref": "#/definitions/exactly"} ] }, "status": { 
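Review bot: the `if` block in the `@@ -310` hunk matches every versions entry that omits `versionType`, because `properties` is satisfied vacuously when the key is absent; the `then` patterns are then imposed on entries with no `versionType` at all, which PATCH 38's message says is a valid state. Add `"required": ["versionType"]` inside the `if`. The same hunk leaves a trailing comma after the `greaterThanOrEqual` pattern line (`...$"}, }`), which is not valid JSON and will make a strict parser reject the schema file. Finally, the two new alternatives `{"required": ["status", "versionType", "greaterThan"]}` and `{"required": ["status", "versionType", "greaterThanOrEqual"]}` carry no `maxProperties` or `not` guard, so an entry combining `greaterThan` with `lessThan` or with `version` validates even though the descriptions say the new keys are for uncapped ranges only.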
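Review bot: in the `@@ -371` hunk, "Used only for uncapped ranges" on `greaterThan` and `greaterThanOrEqual` is a rule the schema does not enforce, and the descriptions do not say what happens when one of them appears next to `version`, which also marks the start of a range. State the rule ("must not be combined with `version`, `lessThan` or `lessThanOrEqual`") and back it with `"not": {"required": ["version"]}` in the branches that require these keys. "The lowest version NOT in the range" is also ambiguous (0.0.0 is not in the range either); "the excluded lower boundary" says what is meant.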
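Review bot: after the `@@ -386` hunk removes the `exactly` alternative, `at` is a `oneOf` with a single element followed by a trailing comma (`{"$ref": "#/definitions/version"}, ]`), which is invalid JSON. Restore the plain `"$ref": "#/definitions/version"` that PATCH 31 replaced.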
@@ -396,27 +393,6 @@ } } }, - "exactly": { - "description": "A single semver 2.0.0 version to mark", - "$ref": "#/definitions/semver-2.0.0-version" - }, - "inclusiveLowerBound": { - "description": "A valid semver 2.0.0 value used as a lower bound. Explicitly also affected.", - "$ref": "#/definitions/semver-2.0.0-version" - }, - "exclusiveLowerBound": { - "description": "A valid semver 2.0.0 value used as a lower bound. Explicitly not affected.", - "$ref": "#/definitions/semver-2.0.0-version" - }, - "inclusiveUpperBound": { - "description": "A valid semver 2.0.0 value used as an upper bound. Explicitly also affected.", - "$ref": "#/definitions/semver-2.0.0-version" - - }, - "exclusiveUpperBound": { - "description": "A valid semver 2.0.0 value used as an upper bound. Explicitly not affected.", - "$ref": "#/definitions/semver-2.0.0-version" - } }, "additionalProperties": false } From 9d53824df77636372a62be1a7145750139b745f9 Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Wed, 30 Apr 2025 13:02:26 -0700 Subject: [PATCH 34/63] Update positive tests. IMO they are less readable than before --- .../tests/valid/valid-semver-2-0-0/exactly-one.json | 2 +- .../tests/valid/valid-semver-2-0-0/exclusiveRange.json | 4 ++-- .../tests/valid/valid-semver-2-0-0/inclusiveRange.json | 4 ++-- .../tests/valid/valid-semver-2-0-0/mixedRange1.json | 4 ++-- .../tests/valid/valid-semver-2-0-0/mixedRange2.json | 10 ++++++++-- .../valid-semver-2-0-0/only-exclusiveLowerBound.json | 2 +- .../valid-semver-2-0-0/only-exclusiveUpperBound.json | 3 ++- .../valid-semver-2-0-0/only-inclusiveLowerBound.json | 2 +- .../valid-semver-2-0-0/only-inclusiveUpperBound.json | 3 ++- 9 files changed, 21 insertions(+), 13 deletions(-) diff --git a/schema/support/tests/valid/valid-semver-2-0-0/exactly-one.json b/schema/support/tests/valid/valid-semver-2-0-0/exactly-one.json index 11e9da27faf..06ffc57462e 100644 --- a/schema/support/tests/valid/valid-semver-2-0-0/exactly-one.json 
+++ b/schema/support/tests/valid/valid-semver-2-0-0/exactly-one.json @@ -29,7 +29,7 @@ { "versionType": "semver-2.0.0", "status": "affected", - "exactly": "1.2.3" + "version": "1.2.3" } ], "defaultStatus": "unaffected" diff --git a/schema/support/tests/valid/valid-semver-2-0-0/exclusiveRange.json b/schema/support/tests/valid/valid-semver-2-0-0/exclusiveRange.json index 997db73a90b..bdc2d293faf 100644 --- a/schema/support/tests/valid/valid-semver-2-0-0/exclusiveRange.json +++ b/schema/support/tests/valid/valid-semver-2-0-0/exclusiveRange.json @@ -29,8 +29,8 @@ { "versionType": "semver-2.0.0", "status": "affected", - "exclusiveLowerBound": "1.2.3", - "exclusiveUpperBound": "2.3.4" + "version": "1.2.3", + "lessThan": "2.3.4" } ], "defaultStatus": "unaffected" diff --git a/schema/support/tests/valid/valid-semver-2-0-0/inclusiveRange.json b/schema/support/tests/valid/valid-semver-2-0-0/inclusiveRange.json index d9be70ff698..ae9dcc00614 100644 --- a/schema/support/tests/valid/valid-semver-2-0-0/inclusiveRange.json +++ b/schema/support/tests/valid/valid-semver-2-0-0/inclusiveRange.json @@ -29,8 +29,8 @@ { "versionType": "semver-2.0.0", "status": "affected", - "inclusiveLowerBound": "1.2.3", - "inclusiveUpperBound": "2.3.4" + "version": "1.2.3", + "lessThanOrEqual": "2.3.4" } ], "defaultStatus": "unaffected" diff --git a/schema/support/tests/valid/valid-semver-2-0-0/mixedRange1.json b/schema/support/tests/valid/valid-semver-2-0-0/mixedRange1.json index f189b7fde54..49184f979f4 100644 --- a/schema/support/tests/valid/valid-semver-2-0-0/mixedRange1.json +++ b/schema/support/tests/valid/valid-semver-2-0-0/mixedRange1.json @@ -29,8 +29,8 @@ { "versionType": "semver-2.0.0", "status": "affected", - "inclusiveLowerBound": "1.2.3", - "exclusiveUpperBound": "2.3.4" + "version": "1.2.3", + "lessThan": "2.3.4" } ], "defaultStatus": "unaffected" 
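Review bot: exclusiveRange.json and mixedRange1.json become identical after this patch (`"version": "1.2.3"`, `"lessThan": "2.3.4"`), and both describe a range that includes 1.2.3, since `version` is "the version at the start of the range"; the exclusive-lower-bound case the first file name promises is no longer tested anywhere. Either encode it (`greaterThan` together with an upper bound, once the schema permits that combination) or delete one of the two fixtures and rename the other.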
diff --git a/schema/support/tests/valid/valid-semver-2-0-0/mixedRange2.json b/schema/support/tests/valid/valid-semver-2-0-0/mixedRange2.json index 5377e06132e..1783117e9b7 100644 --- a/schema/support/tests/valid/valid-semver-2-0-0/mixedRange2.json +++ b/schema/support/tests/valid/valid-semver-2-0-0/mixedRange2.json @@ -29,8 +29,14 @@ { "versionType": "semver-2.0.0", "status": "affected", - "exclusiveLowerBound": "1.2.3", - "inclusiveUpperBound": "2.3.4" + "version": "1.2.3", + "lessThanOrEqual": "2.3.4", + "changes": [ + { + "at": "1.2.3", + "status": "unaffected" + } + ] } ], "defaultStatus": "unaffected" diff --git a/schema/support/tests/valid/valid-semver-2-0-0/only-exclusiveLowerBound.json b/schema/support/tests/valid/valid-semver-2-0-0/only-exclusiveLowerBound.json index 42fa4c80e38..bd6e7a11974 100644 --- a/schema/support/tests/valid/valid-semver-2-0-0/only-exclusiveLowerBound.json +++ b/schema/support/tests/valid/valid-semver-2-0-0/only-exclusiveLowerBound.json @@ -29,7 +29,7 @@ { "versionType": "semver-2.0.0", "status": "affected", - "exclusiveLowerBound": "1.2.3" + "greaterThan": "1.2.3" } ], "defaultStatus": "unaffected" diff --git a/schema/support/tests/valid/valid-semver-2-0-0/only-exclusiveUpperBound.json b/schema/support/tests/valid/valid-semver-2-0-0/only-exclusiveUpperBound.json index 426fe633b4e..34c1551ba41 100644 --- a/schema/support/tests/valid/valid-semver-2-0-0/only-exclusiveUpperBound.json +++ b/schema/support/tests/valid/valid-semver-2-0-0/only-exclusiveUpperBound.json @@ -29,7 +29,8 @@ { "versionType": "semver-2.0.0", "status": "affected", - "exclusiveUpperBound": "1.2.3" + "version": "1.2.3", + "lessThan": "1.2.3" } ], "defaultStatus": "unaffected" diff --git a/schema/support/tests/valid/valid-semver-2-0-0/only-inclusiveLowerBound.json b/schema/support/tests/valid/valid-semver-2-0-0/only-inclusiveLowerBound.json index 845d445cace..b3c174886ee 100644 --- a/schema/support/tests/valid/valid-semver-2-0-0/only-inclusiveLowerBound.json 
+++ b/schema/support/tests/valid/valid-semver-2-0-0/only-inclusiveLowerBound.json @@ -29,7 +29,7 @@ { "versionType": "semver-2.0.0", "status": "affected", - "inclusiveLowerBound": "1.2.3" + "greaterThan": "1.2.3" } ], "defaultStatus": "unaffected" diff --git a/schema/support/tests/valid/valid-semver-2-0-0/only-inclusiveUpperBound.json b/schema/support/tests/valid/valid-semver-2-0-0/only-inclusiveUpperBound.json index ce9064e5d0a..9c3fb047e03 100644 --- a/schema/support/tests/valid/valid-semver-2-0-0/only-inclusiveUpperBound.json +++ b/schema/support/tests/valid/valid-semver-2-0-0/only-inclusiveUpperBound.json @@ -29,7 +29,8 @@ { "versionType": "semver-2.0.0", "status": "affected", - "inclusiveUpperBound": "1.2.3" + "version": "1.2.3", + "lessThanOrEqual": "1.2.3" } ], "defaultStatus": "unaffected" From 30bd0dea0f5df6483838411cc458da9c47435a65 Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Wed, 30 Apr 2025 13:11:29 -0700 Subject: [PATCH 35/63] Check for invalid format in semver 2.0.0 rather than invalid version type with semver 2.0.0 parameter --- .../tests/invalid/invalid-semver-2-0-0/wrong-versionType.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/schema/support/tests/invalid/invalid-semver-2-0-0/wrong-versionType.json b/schema/support/tests/invalid/invalid-semver-2-0-0/wrong-versionType.json index 52ed16c2a61..9717354a43f 100644 --- a/schema/support/tests/invalid/invalid-semver-2-0-0/wrong-versionType.json +++ b/schema/support/tests/invalid/invalid-semver-2-0-0/wrong-versionType.json @@ -27,9 +27,9 @@ "product": "Example Enterprise", "versions": [ { - "versionType": "semver-8.0.8", + "versionType": "semver-2.0.0", "status": "affected", - "exactly": "1.2.3" + "exactly": "1.2.3.4" } ], "defaultStatus": "unaffected" From 10c83ece22a7e441de3688943dc1bf5ac84af401 Mon Sep 17 00:00:00 2001 
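Review bot: mixedRange2.json does not express an exclusive lower bound. Per the `changes` description, `status` is "the new status in the range starting at the given version", so `{"at": "1.2.3", "status": "unaffected"}` flips the whole range from 1.2.3 through 2.3.4 to unaffected and nothing is left affected. Use `greaterThan: "1.2.3"` with an upper bound if the schema is extended to allow that, or drop the fixture rather than keep one that validates but says the wrong thing.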
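Review bot: only-exclusiveUpperBound.json now encodes `"version": "1.2.3"`, `"lessThan": "1.2.3"`, the empty range [1.2.3, 1.2.3); it validates but asserts nothing. The `version` description says "typically 0 denotes the earliest possible version", but plain `0` fails the semver regex under `versionType: semver-2.0.0`, so the fixture needs `"version": "0.0.0"` and the description should spell out that convention for this version type.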
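Review bot: only-inclusiveLowerBound.json switches to `greaterThan`, the exclusive form, so it is now identical to only-exclusiveLowerBound.json and the inclusive case (`greaterThanOrEqual`, introduced in PATCH 33 precisely for this) has no fixture. Use `greaterThanOrEqual` here.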
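Review bot: the PATCH 35 change to wrong-versionType.json keeps the key `exactly`, which PATCH 33 removed from the schema, so at this point in the series the fixture is rejected by `additionalProperties: false` on the unknown key and never reaches the semver pattern the commit says it tests (PATCH 39 fixes the key). The file name also no longer matches the content: the `versionType` is now right and the defect is the four-component value `1.2.3.4`; rename it to something like four-component-version.json.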
From: Jon Moroney Date: Thu, 1 May 2025 14:07:30 -0700 Subject: [PATCH 36/63] Clean up language on usage of the two new parameters --- schema/CVE_Record_Format.json | 7 +++++-- .../tests/invalid/invalid-semver-2-0-0/mixed-versions.json | 4 ++-- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json index 2e5c28fb406..05e740cb341 100644 --- a/schema/CVE_Record_Format.json +++ b/schema/CVE_Record_Format.json @@ -306,6 +306,9 @@ { "required": ["version", "status", "versionType", "lessThan"] }, + { + "required": ["status", "versionType", "lessThan"] + }, { "required": ["version", "status", "versionType", "lessThanOrEqual"] }, @@ -362,11 +365,11 @@ "$ref": "#/definitions/version" }, "greaterThan": { - "description": "The non-inclusive lower limit of the range. This is the lowest version NOT in the range. Used only for uncapped ranges", + "description": "The exclusive lower limit of the range. This is the lowest version NOT in the range. Used only for ranges which extent to positive infinity.", "$ref": "#/definitions/version" }, "greaterThanOrEqual": { - "description": "The inclusive lower limit of the range. This is the lowest version in the range. Used only for uncapped ranges", + "description": "The inclusive lower limit of the range. This is the lowest version in the range. Used only for ranges which extent to positive infinity.", "$ref": "#/definitions/version" }, "changes": { diff --git a/schema/support/tests/invalid/invalid-semver-2-0-0/mixed-versions.json b/schema/support/tests/invalid/invalid-semver-2-0-0/mixed-versions.json index 6c9db266dd1..f22716786cc 100644 --- a/schema/support/tests/invalid/invalid-semver-2-0-0/mixed-versions.json +++ b/schema/support/tests/invalid/invalid-semver-2-0-0/mixed-versions.json 
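Review bot: the new alternative `{"required": ["status", "versionType", "lessThan"]}` has no `maxProperties` or `not` guard and does not require `version`, so it also accepts `version` + `lessThan` (already covered by the branch above it) and `greaterThan` + `lessThan`. If its purpose is to let `lessThan` alone mean "every version below", say so in the `lessThan` description, which still reads as the upper limit of a range that starts at `version`. Same hunk: "ranges which extent to positive infinity" should be "extend" (PATCH 37 corrects it).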
@@ -29,8 +29,8 @@ { "versionType": "semver-2.0.0", "status": "affected", - "inclusiveLowerBound": "1.2.3", - "exactly": "1.2.4" + "lessThanOrEqualTo": "1.2.3", + "version": "1.2.4" } ], "defaultStatus": "unaffected" From fc8b7b886de438049a2554bd83dcc2c679283342 Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Thu, 1 May 2025 15:15:18 -0700 Subject: [PATCH 37/63] =?UTF-8?q?Typo=20fix=20=F0=9F=A4=A6?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- schema/CVE_Record_Format.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json index 05e740cb341..102dccc6b75 100644 --- a/schema/CVE_Record_Format.json +++ b/schema/CVE_Record_Format.json @@ -365,11 +365,11 @@ "$ref": "#/definitions/version" }, "greaterThan": { - "description": "The exclusive lower limit of the range. This is the lowest version NOT in the range. Used only for ranges which extent to positive infinity.", + "description": "The exclusive lower limit of the range. This is the lowest version NOT in the range. Used only for ranges which extend to positive infinity.", "$ref": "#/definitions/version" }, "greaterThanOrEqual": { - "description": "The inclusive lower limit of the range. This is the lowest version in the range. Used only for ranges which extent to positive infinity.", + "description": "The inclusive lower limit of the range. This is the lowest version in the range. Used only for ranges which extend to positive infinity.", "$ref": "#/definitions/version" }, "changes": { From 6135668924967f6df9ff2c3fa986ad5b0af17e41 Mon Sep 17 00:00:00 2001 
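Review bot: mixed-versions.json now uses `lessThanOrEqualTo`, which is not a schema property (the key is `lessThanOrEqual`), so the fixture is rejected for the unknown key, not for the mixed-bounds rule its name refers to. With the key corrected, `"version": "1.2.4"` plus `"lessThanOrEqual": "1.2.3"` is an inverted range that the schema cannot detect (bound ordering is beyond a regex), so the fixture would start passing. Decide what rule this file is meant to exercise and encode that, or delete it.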
From: Jon Moroney Date: Wed, 7 May 2025 17:49:37 -0700 Subject: [PATCH 38/63] Remove missing version test since not specifying is valid and the use of the old parameter types means this test isn't useful --- .../missing-versionType.json | 50 ------------------- 1 file changed, 50 deletions(-) delete mode 100644 schema/support/tests/invalid/invalid-semver-2-0-0/missing-versionType.json diff --git a/schema/support/tests/invalid/invalid-semver-2-0-0/missing-versionType.json b/schema/support/tests/invalid/invalid-semver-2-0-0/missing-versionType.json deleted file mode 100644 index 563aa583f15..00000000000 --- a/schema/support/tests/invalid/invalid-semver-2-0-0/missing-versionType.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "dataType": "CVE_RECORD", - "dataVersion": "5.1", - "cveMetadata": { - "cveId": "CVE-1900-1234", - "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", - "state": "PUBLISHED" - }, - "containers": { - "cna": { - "providerMetadata": { - "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" - }, - "problemTypes": [ - { - "descriptions": [ - { - "lang": "en", - "description": "CWE-78 OS Command Injection" - } - ] - } - ], - "affected": [ - { - "vendor": "Example.org", - "product": "Example Enterprise", - "versions": [ - { - "status": "affected", - "exactly": "1.2.3" - } - ], - "defaultStatus": "unaffected" - } - ], - "descriptions": [ - { - "lang": "en", - "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." - } - ], - "references": [ - { - "url": "https://example.org/ESA-22-11-CVE-1900-1234" - } - ] - } - } -} \ No newline at end of file From 43e4f17ea7ef5a10370ba54904bc3f2f8e20d428 Mon Sep 17 00:00:00 2001 
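Review bot: deleting this fixture is reasonable, but it was the only one with a versions entry that has no `versionType`, and the `if` introduced in PATCH 33 matches such entries vacuously (no `required` in the `if`). Replace it with a valid fixture, not an invalid one: `status` + `version` with a non-semver string such as `"1.2"` and no `versionType`, placed under `valid/`, so that the vacuous match is caught if anyone relies on the semver `then` applying only to `semver-2.0.0` entries.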
From: Jon Moroney Date: Wed, 7 May 2025 17:50:18 -0700 Subject: [PATCH 39/63] Update negative tests --- .../tests/invalid/invalid-semver-2-0-0/asterisk-usage.json | 2 +- .../invalid/invalid-semver-2-0-0/dupe-upper-bounds.json | 6 +++--- .../invalid/invalid-semver-2-0-0/wrong-versionType.json | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/schema/support/tests/invalid/invalid-semver-2-0-0/asterisk-usage.json b/schema/support/tests/invalid/invalid-semver-2-0-0/asterisk-usage.json index e9925dbe964..ace106d0bb6 100644 --- a/schema/support/tests/invalid/invalid-semver-2-0-0/asterisk-usage.json +++ b/schema/support/tests/invalid/invalid-semver-2-0-0/asterisk-usage.json @@ -29,7 +29,7 @@ { "versionType": "semver-2.0.0", "status": "affected", - "exactly": "1.2.*" + "version": "1.2.*" } ], "defaultStatus": "unaffected" diff --git a/schema/support/tests/invalid/invalid-semver-2-0-0/dupe-upper-bounds.json b/schema/support/tests/invalid/invalid-semver-2-0-0/dupe-upper-bounds.json index 91306232642..c4ed7930e50 100644 --- a/schema/support/tests/invalid/invalid-semver-2-0-0/dupe-upper-bounds.json +++ b/schema/support/tests/invalid/invalid-semver-2-0-0/dupe-upper-bounds.json @@ -29,9 +29,9 @@ { "versionType": "semver-2.0.0", "status": "affected", - "exclusiveLowerBound": "1.2.3", - "inclusiveUpperBound": "1.2.4", - "exclusiveUpperBound": "1.2.4" + "version": "1.2.3", + "greaterThan": "1.2.4", + "greaterThanEqualTo": "1.2.4" } ], "defaultStatus": "unaffected" diff --git a/schema/support/tests/invalid/invalid-semver-2-0-0/wrong-versionType.json b/schema/support/tests/invalid/invalid-semver-2-0-0/wrong-versionType.json index 9717354a43f..2a367a69c42 100644 --- a/schema/support/tests/invalid/invalid-semver-2-0-0/wrong-versionType.json +++ b/schema/support/tests/invalid/invalid-semver-2-0-0/wrong-versionType.json 
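Review bot: dupe-upper-bounds.json now contains `greaterThanEqualTo`, which is not a schema property (the key is `greaterThanOrEqual`), so the fixture is rejected for the unknown key rather than for carrying two bounds of the same kind. The content has also become `version` plus two lower bounds while the file name still says upper bounds. Fix the key, rename the file, and then check whether the `anyOf` branches actually reject `version` + `greaterThan` + `greaterThanOrEqual`; without a `maxProperties` or `not` guard on the new branches they do not, and the fixture would start passing.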
@@ -29,7 +29,7 @@ { "versionType": "semver-2.0.0", "status": "affected", - "exactly": "1.2.3.4" + "version": "1.2.3.4" } ], "defaultStatus": "unaffected" From 1e9111771d9df1d2c4a45863e7b6e851be6ff2b3 Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Sun, 11 May 2025 09:37:20 -0700 Subject: [PATCH 40/63] ref instead of duplicate regex --- schema/CVE_Record_Format.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json index 102dccc6b75..25bf16c3ade 100644 --- a/schema/CVE_Record_Format.json +++ b/schema/CVE_Record_Format.json 
@@ -326,11 +326,11 @@ }, "then": { "properties": { - "version": { "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$"}, - "lessThan": { "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$"}, - "lessThanOrEqual": { "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$"}, - "greaterThan": { "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$"}, - "greaterThanOrEqual": { "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$"}, + "version": { "$ref": "#/definitions/semver-2.0.0-version" }, + "lessThan": { "$ref": "#/definitions/semver-2.0.0-version" }, + "lessThanOrEqual": { "$ref": "#/definitions/semver-2.0.0-version" }, + "greaterThan": { "$ref": "#/definitions/semver-2.0.0-version" }, + "greaterThanOrEqual": { "$ref": "#/definitions/semver-2.0.0-version" }, } }, "properties": { From 0dc04e2a9adb9e3d50409051ce1d006d79b57a90 Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Sun, 11 May 2025 09:49:03 -0700 Subject: [PATCH 41/63] remove overconstraint I guess. This lets two tests pass (mixedRange1 and exclusiveRange). Hopefully someone who knows json schema better than I do will read this commit and make it better --- schema/CVE_Record_Format.json | 3 --- 1 file changed, 3 deletions(-) 
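Review bot: the trailing comma after the `greaterThanOrEqual` line survives this hunk (`"$ref": "#/definitions/semver-2.0.0-version" }, }`), so the schema file is still not valid JSON; drop it here since the line is being rewritten anyway. Replacing the five inline copies with `$ref` is the right fix, and note that these `then` constraints apply on top of the top-level `properties` (`#/definitions/version`), so the `minLength`/`maxLength` bounds still come only from the generic definition.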
diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json index 25bf16c3ade..4f5b0ac3886 100644 --- a/schema/CVE_Record_Format.json +++ b/schema/CVE_Record_Format.json @@ -303,9 +303,6 @@ "required": ["version", "status", "versionType"], "maxProperties": 3 }, - { - "required": ["version", "status", "versionType", "lessThan"] - }, { "required": ["status", "versionType", "lessThan"] }, From da940931bef894e901dde6ccc064bfb1632c4c58 Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Sat, 14 Jun 2025 10:52:25 -0700 Subject: [PATCH 42/63] Stub rfd from template --- rfds/0000-formalize-semver-version-type.md | 184 +++++++++++++++++++++ 1 file changed, 184 insertions(+) create mode 100644 rfds/0000-formalize-semver-version-type.md diff --git a/rfds/0000-formalize-semver-version-type.md b/rfds/0000-formalize-semver-version-type.md new file mode 100644 index 00000000000..d015f4cd6bd --- /dev/null +++ b/rfds/0000-formalize-semver-version-type.md 
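Review bot: if the combinator around these branches is `oneOf` (it is outside the hunk), the two fixtures failed because a `version` + `lessThan` entry satisfied both the removed branch and the looser `{"required": ["status", "versionType", "lessThan"]}` branch from PATCH 36, and `oneOf` rejects a double match. Deleting this branch removes the symptom but discards the precise alternative and keeps the loose one; prefer deleting the PATCH 36 branch instead, or add `not` clauses so the branches are mutually exclusive, and record the actual cause in the commit message rather than "I guess".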
@@ -0,0 +1,184 @@ +# (Title) + +| Field | Value | +|:-----------------|:-------| +| RFD Submitter | (NAME) | +| RFD Pull Request | [RFD #0000](https://github.com/CVEProject/cve-schema/pull/1234) | + +## Summary +[summary]: #summary + +One paragraph explanation of the proposed schema change. + +## Problem Statement +[problem-statement]: #problem-statement + +Explain the motivation for the proposed change to the CVE Record Format, +including what problems it may solve for users of CVE, or what additional +capability it may provide. This should explain all necessary background in +detail, so it is understandable to someone without prior knowledge or +experience with the relevant problems. It should also make clear the severity +of the problem being described. + +The problem statement should describe who is affected by the problem, with +specific use cases where the proposed change would help users of CVE, whether +those users are CVE Numbering Authorities or Authorized Data Publishers +submitting data to CVE Services, or consumers of CVE data to forward to their +own customers or to manage their own security risks. + +This section should explicitly answer the question: "what happens if we do +nothing?" + +## Proposed Solution +[proposed-solution]: #proposed-solution + +Explain in detail the proposed change to the CVE Record Format, including +why those changes are made and how they will address the problems or provide +the capabilities described in the Problem Statement. This should be very +detailed, so as to make clear to reviewers exactly what is necessary to +implement the RFD if it is accepted. RFD proposal time is the time to identify +and resolve ambiguities and uncertainties in the actual schema changes +required for a proposal, as they provide the clearest opportunity for the +QWG members and community stakeholders to review and provide input on proposed +changes. 
+ +If a change is to implemented in multiple parts or stages, those should be +delineated separately in the RFD document, to make clear what process would be +followed if it is accepted. + +## Examples +[examples]: #examples + +Provide examples of the relevant new or modified fields in the record format. +If an RFD is only proposing eliminating or deprecating existing fields, +examples should show what the relevant container objects would like after the +change, and how the reduced schema would continue to serve the needs and +interests of CVE users. + +Diagrams may also be included here to visualize the change in structure +proposed by an RFD. + +## Impact Assessment +[impact-assessment]: #impact-assessment + +Describe the benefits and possible risks associated with an RFD, including +the weaknening or strengthening of data quality constraints and any +requirements to enforce data quality rules via CVE Services application logic +(when not enforceable in the schema itself) or to communicate constraints or +expectations to CVE stakeholders. + +## Compatibility and Migration +[compatibility-and-migration]: #compatibility-and-migration + +Describe the impacts of the proposed change on both backward and forward +compatibility. + +To address backward compatibility, explain if and how your proposal would +impact users of the schema's ability to parse existing CVE records produced +under prior versions of the CVE Record Format. Note that CVE records returned +by CVE Services are automatically updated to use new schema versions, so +interaction with historic CVE records would only arise for records stored and +obtained outside of CVE Services. + +To address forward compatibility, explain if current users of the schema would +be able to parse all, some, or none of the records produced with the schema as +modified by your proposal. 
If CVE consumers would need to amend their existing +parsers for CVE records be able to parse records produced under the new schema, +describe what amendments would be necessary for them. + +These explanations must specifically answer the following questions: + +1. Does your proposal modify an `enum` type to add, remove, or modify the set + of acceptable values? +2. Does your proposal modify a closed set of required fields to add a new + required field or a new alternative set of required fields? +3. Does your proposal involve the addition of a new format which CVE consumers + would need to parse? If it does include a new format... + 1. How complex is the format to parse? + 2. Are there parser implementations available under open source licenses, + and for what programming languages? + +You must also address considerations for planning migration of CVE stakeholders +to support your proposed changes. This includes both the impacts to CVE +producers, including CVE Numbering Authorities (CNAs) and Authorized Data +Publishers (ADPs), and impacts to CVE consumers. + +Considerations for migration, which must be addressed in your explanation, +include: + +1. How long should the proposed change be communicated to CVE stakeholders + before being implemented in production? +2. What testing would be needed before the change is implemented in production? + +As CVE is a large and multi-stakeholder system, detail and sensitivity in this +section of an RFD are extremely important. Particular scrutiny should be paid +by both RFD submitters and reviewers to understand the impacts of any proposed +change on all sides of the CVE system, including producers (CNAs, ADPs), +consumers, the CVE Board and Working Groups, and the Secretariat. + +## Success Metrics +[success-metrics]: #success-metrics + +Describe how success for an RFD will be determined, including expectations for +adoption of any new fields by CNAs or ADPs over a defined timeline. 
Also +describe any available options to assess adoption of new fields by CVE data +consumers, which may require engagement with known CVE consumer communities. + +Success metrics must include: + +- A fixed timeline for deciding success or failure. +- An unambiguous mechanism for determining success or failure. +- If the metric will involve qualitative assessment of success with CVE + stakeholders, for example via a survey or direct outreach, all questions for + this engagement must be pre-registered in the RFD. + +Describe a path to rollback RFD changes if the success metrics are not met +in the prescribed time. + +## Supporting Data or Research +[supporting-data-or-research]: #supporting-data-or-research + +Describe any evidence for the need to adopt the RFD proposal based on +community demand for specific new data or demand for better data quality. + +## Related Issues or Proposals +[related-issues-or-proposals]: #related-issues-or-proposals + +Identify other open proposals and alternative options which may be considered +by the QWG if the RFD is not deemed acceptable. Link to other proposals if +appropriate. + +## Recommended Priority +[recommended-priority]: #recommended-priority + +Identify a recommended priority for the proposal based on the RFD author's +assessment of the proposal's value and ecosystem demand. + +Possible values are: + +- __Low__: The RFD addresses minor inconsistencies or errors in the CVE Record + Format which ought to be fixed but which do not present a substantive problem + for CVE consumers. +- __Medium__: The RFD addresses a deficiency in the CVE Record Format which + limits the value CVE consumers get from CVE records. +- __High__: The RFD addresses a severe deficiency in the CVE Record Format + which is interfering with the ability of CVE consumers to manage risks from + vulnerabilities. + +## Unresolved Questions +[unresolved-questions]: #unresolved-questions + +Identify any unresolved questions related to the RFD. 
Ideally, all questions +listed in this section will be resolved during consideration of the RFD. +Questions which are deemed out of scope for an RFD should be moved to the +Future Possibilities section to make clear they remain open and can be the +subject of a future RFD. + +## Future Possibilities +[future-possibilities]: #future-possibilities + +Describe future extensions of the changes proposed in the RFD, including any +unresolved questions which the QWG may wish to resolve at a future date. If +an RFD is part of a larger strategy, identify the remaining steps in that +strategy to help contextualize the work of the RFD within the goals and values +of the QWG. From 5ac7c5f4b691ef7b9bd082e49c50ec6a77bf72ba Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Mon, 16 Jun 2025 14:38:18 -0700 Subject: [PATCH 43/63] Stage draft RFD --- rfds/0000-formalize-semver-version-type.md | 58 ++++++---------------- 1 file changed, 15 insertions(+), 43 deletions(-) diff --git a/rfds/0000-formalize-semver-version-type.md b/rfds/0000-formalize-semver-version-type.md index d015f4cd6bd..4e5aacdc675 100644 --- a/rfds/0000-formalize-semver-version-type.md +++ b/rfds/0000-formalize-semver-version-type.md 
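Review bot: the RFD template hunk (`@@ -0,0 +1,184 @@`) carries four wording errors that every RFD drafted from it will inherit: "If a change is to implemented" is missing "be", "what the relevant container objects would like after the change" should read "would look like", "weaknening" should be "weakening", and "parsers for CVE records be able to parse" is missing "to". Fixing them in the template is cheaper than fixing them in each derived document.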
@@ -1,75 +1,47 @@ -# (Title) +# Add a formal semver 2.0.0 version type | Field | Value | |:-----------------|:-------| -| RFD Submitter | (NAME) | -| RFD Pull Request | [RFD #0000](https://github.com/CVEProject/cve-schema/pull/1234) | +| RFD Submitter | Jon Moroney | +| RFD Pull Request | [RFD #0000](https://github.com/CVEProject/cve-schema/pull/371) | ## Summary [summary]: #summary -One paragraph explanation of the proposed schema change. +Introduce a new semantic versioning version type for the machine readable `versions` array. The goal of this addition is to provide consumers of CVE records with version information which is interoperable with off the shelf semantic versioning compatible tools. The proposed change includes schema based validation to ensure submitted records conform to the semver specification as well as tests to ensure conformity. ## Problem Statement [problem-statement]: #problem-statement -Explain the motivation for the proposed change to the CVE Record Format, -including what problems it may solve for users of CVE, or what additional -capability it may provide. This should explain all necessary background in -detail, so it is understandable to someone without prior knowledge or -experience with the relevant problems. It should also make clear the severity -of the problem being described. +Today the `versions` array allows for a number of typed version fields which should inform the reader how to interpret the data. Alas, there is no validation that a record producer must conform to and as a result the version types have been used inconsistently. A consumer reading the semantic versioning type in particular has about a [44% chance of the data conforming to the semantic versioning specification](https://darakian.github.io/2025/06/04/parsing-semver-from-cve.html). 
-The problem statement should describe who is affected by the problem, with -specific use cases where the proposed change would help users of CVE, whether -those users are CVE Numbering Authorities or Authorized Data Publishers -submitting data to CVE Services, or consumers of CVE data to forward to their -own customers or to manage their own security risks. +As a result consumers of CVE records cannot build reliable automation from the data in the record itself. Multiple sub-patterns do exist, but there is canonical list of them nor is there any guarantee of their stability. This leads to increased operational complexity in vulnerability management and potentially to vulnerabilities going unresolved. -This section should explicitly answer the question: "what happens if we do -nothing?" +Failing to adopt stricter datatypes will keep maintain the status quo which is generally accepted to be lacking. ## Proposed Solution [proposed-solution]: #proposed-solution -Explain in detail the proposed change to the CVE Record Format, including -why those changes are made and how they will address the problems or provide -the capabilities described in the Problem Statement. This should be very -detailed, so as to make clear to reviewers exactly what is necessary to -implement the RFD if it is accepted. RFD proposal time is the time to identify -and resolve ambiguities and uncertainties in the actual schema changes -required for a proposal, as they provide the clearest opportunity for the -QWG members and community stakeholders to review and provide input on proposed -changes. - -If a change is to implemented in multiple parts or stages, those should be -delineated separately in the RFD document, to make clear what process would be -followed if it is accepted. +The proposed change adds a new "semver-2.0.0-version" pattern and two new properties for expressing version ranges. 
The two new properties `greaterThan`, and `greaterThanOrEqual` allow for the expression of an either exclusive, or inclusive upper bound on a version range. The new pattern "semver-2.0.0-version" is used to validate payloads which may be provided in the `version`, `lessThan`, `lessThanOrEqual`, `greaterThan`, and `greaterThanOrEqual`. ## Examples [examples]: #examples -Provide examples of the relevant new or modified fields in the record format. -If an RFD is only proposing eliminating or deprecating existing fields, -examples should show what the relevant container objects would like after the -change, and how the reduced schema would continue to serve the needs and -interests of CVE users. - -Diagrams may also be included here to visualize the change in structure -proposed by an RFD. +Examples are provided as tests and may be viewed in the valid and invalid semver-2-0-0 subdirectories here: +https://github.com/CVEProject/cve-schema/tree/0dc04e2a9adb9e3d50409051ce1d006d79b57a90/schema/support/tests ## Impact Assessment [impact-assessment]: #impact-assessment -Describe the benefits and possible risks associated with an RFD, including -the weaknening or strengthening of data quality constraints and any -requirements to enforce data quality rules via CVE Services application logic -(when not enforceable in the schema itself) or to communicate constraints or -expectations to CVE stakeholders. +The primary benefit of this change is to enable reliable automation to be built from CVE data. ## Compatibility and Migration [compatibility-and-migration]: #compatibility-and-migration +This change adds one new possibile value to the `versions` array and should be completely backwards compatible as no prior data formats are altered. The version type is currently arbitrary and so record providers are free to populate anything in that field, however no currently published records have used `semver-2.0.0`. 
+ +Both consumers are producers will need to update their code/process in order to make use of the new field. + Describe the impacts of the proposed change on both backward and forward compatibility. From a3f574816949d307dd51dd06d8cbccbd59e138a4 Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Tue, 17 Jun 2025 10:29:51 -0700 Subject: [PATCH 44/63] Update success metrics --- rfds/0000-formalize-semver-version-type.md | 94 +++------------------- 1 file changed, 9 insertions(+), 85 deletions(-) diff --git a/rfds/0000-formalize-semver-version-type.md b/rfds/0000-formalize-semver-version-type.md index 4e5aacdc675..fd1ba3b93d2 100644 --- a/rfds/0000-formalize-semver-version-type.md +++ b/rfds/0000-formalize-semver-version-type.md 
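Review bot: in the Proposed Solution paragraph of the `@@ -1,75 +1,47 @@` hunk, `greaterThan` and `greaterThanOrEqual` are described as an "exclusive, or inclusive upper bound", but a greater-than constraint is a lower bound; the sentence should say lower bound, otherwise readers will pair it with the wrong end of the range. The following sentence also lacks its noun: "validate payloads which may be provided in the `version`, ..., and `greaterThanOrEqual`" needs "fields" or "parameters" at the end. Smaller points in the same hunk: "there is canonical list of them" is missing "no", "Both consumers are producers" should be "and", "possibile" should be "possible", and the template sentence "Describe the impacts of the proposed change on both backward and forward compatibility." is still present below the new text.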
@@ -40,72 +40,16 @@ The primary benefit of this change is to enable reliable automation to be built This change adds one new possibile value to the `versions` array and should be completely backwards compatible as no prior data formats are altered. The version type is currently arbitrary and so record providers are free to populate anything in that field, however no currently published records have used `semver-2.0.0`. -Both consumers are producers will need to update their code/process in order to make use of the new field. - -Describe the impacts of the proposed change on both backward and forward -compatibility. - -To address backward compatibility, explain if and how your proposal would -impact users of the schema's ability to parse existing CVE records produced -under prior versions of the CVE Record Format. Note that CVE records returned -by CVE Services are automatically updated to use new schema versions, so -interaction with historic CVE records would only arise for records stored and -obtained outside of CVE Services. - -To address forward compatibility, explain if current users of the schema would -be able to parse all, some, or none of the records produced with the schema as -modified by your proposal. If CVE consumers would need to amend their existing -parsers for CVE records be able to parse records produced under the new schema, -describe what amendments would be necessary for them. - -These explanations must specifically answer the following questions: - -1. Does your proposal modify an `enum` type to add, remove, or modify the set - of acceptable values? -2. Does your proposal modify a closed set of required fields to add a new - required field or a new alternative set of required fields? -3. Does your proposal involve the addition of a new format which CVE consumers - would need to parse? If it does include a new format... - 1. How complex is the format to parse? - 2. 
Are there parser implementations available under open source licenses, - and for what programming languages? - -You must also address considerations for planning migration of CVE stakeholders -to support your proposed changes. This includes both the impacts to CVE -producers, including CVE Numbering Authorities (CNAs) and Authorized Data -Publishers (ADPs), and impacts to CVE consumers. - -Considerations for migration, which must be addressed in your explanation, -include: - -1. How long should the proposed change be communicated to CVE stakeholders - before being implemented in production? -2. What testing would be needed before the change is implemented in production? - -As CVE is a large and multi-stakeholder system, detail and sensitivity in this -section of an RFD are extremely important. Particular scrutiny should be paid -by both RFD submitters and reviewers to understand the impacts of any proposed -change on all sides of the CVE system, including producers (CNAs, ADPs), -consumers, the CVE Board and Working Groups, and the Secretariat. +Both consumers are producers will need to update their code/process in order to make use of the new field. Should there be a desire to coordinate a migration an addition could be made to this RFD with guidance both for record producer and consumers, but off the shelf, semver compatible tools are expected to work. ## Success Metrics [success-metrics]: #success-metrics -Describe how success for an RFD will be determined, including expectations for -adoption of any new fields by CNAs or ADPs over a defined timeline. Also -describe any available options to assess adoption of new fields by CVE data -consumers, which may require engagement with known CVE consumer communities. +6 months after the acceptance and adoption of this RFD process, the QWG conduct a review of published CVE records to assess usage of the new version type. 
Additionally the QWG should solicit a survey to QWG members and outside CVE stakeholders about the perceived value of the new type. If there is low/no usage as well as a poor qualitative perception then the effort should be considered a failure and discussion of a rollback should be considered. -Success metrics must include: +If there is consistent measured usage as well as positive qualitative perception then the effort should be considered a success. Anything between these two polls will require more qualitative analysis, but it is the RFD author's opinion that if there is a lack of consensus then the effort should by default be considered a failure. -- A fixed timeline for deciding success or failure. -- An unambiguous mechanism for determining success or failure. -- If the metric will involve qualitative assessment of success with CVE - stakeholders, for example via a survey or direct outreach, all questions for - this engagement must be pre-registered in the RFD. - -Describe a path to rollback RFD changes if the success metrics are not met -in the prescribed time. +A roll back of this RFD would consist of a removal of the `semver-2.0.0` version type and associated tests. ## Supporting Data or Research [supporting-data-or-research]: #supporting-data-or-research 
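Review bot: the new Success Metrics text in the `@@ -40,72 +40,16 @@` hunk proposes a survey of QWG members and outside stakeholders, but the template lines it removes require that all questions for such an engagement be pre-registered in the RFD; without the question list the metric is not the "unambiguous mechanism" the template asks for, so add the questions here. Smaller points: "the QWG conduct a review" needs "should", "between these two polls" should be "poles", "guidance both for record producer and consumers" should be "producers", and "Both consumers are producers" should be "and".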
@@ -116,41 +60,21 @@ community demand for specific new data or demand for better data quality. ## Related Issues or Proposals [related-issues-or-proposals]: #related-issues-or-proposals -Identify other open proposals and alternative options which may be considered -by the QWG if the RFD is not deemed acceptable. Link to other proposals if -appropriate. +This change originated out of a conversation detailing the shortcomings of the current versioning system here: +https://github.com/CVEProject/cve-schema/issues/362 ## Recommended Priority [recommended-priority]: #recommended-priority -Identify a recommended priority for the proposal based on the RFD author's -assessment of the proposal's value and ecosystem demand. - -Possible values are: +Medium -- __Low__: The RFD addresses minor inconsistencies or errors in the CVE Record - Format which ought to be fixed but which do not present a substantive problem - for CVE consumers. -- __Medium__: The RFD addresses a deficiency in the CVE Record Format which - limits the value CVE consumers get from CVE records. -- __High__: The RFD addresses a severe deficiency in the CVE Record Format - which is interfering with the ability of CVE consumers to manage risks from - vulnerabilities. ## Unresolved Questions [unresolved-questions]: #unresolved-questions -Identify any unresolved questions related to the RFD. Ideally, all questions -listed in this section will be resolved during consideration of the RFD. -Questions which are deemed out of scope for an RFD should be moved to the -Future Possibilities section to make clear they remain open and can be the -subject of a future RFD. +None currently. ## Future Possibilities [future-possibilities]: #future-possibilities -Describe future extensions of the changes proposed in the RFD, including any -unresolved questions which the QWG may wish to resolve at a future date. 
If -an RFD is part of a larger strategy, identify the remaining steps in that -strategy to help contextualize the work of the RFD within the goals and values -of the QWG. +Other common versioning types could have new, validated versions provided via subsequent RFDs. From b8b9afd28bc402034de0ced25e8d6dd6ad1a825f Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Tue, 17 Jun 2025 10:36:09 -0700 Subject: [PATCH 45/63] Update migration --- rfds/0000-formalize-semver-version-type.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rfds/0000-formalize-semver-version-type.md b/rfds/0000-formalize-semver-version-type.md index fd1ba3b93d2..3b546e46075 100644 --- a/rfds/0000-formalize-semver-version-type.md +++ b/rfds/0000-formalize-semver-version-type.md 
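Review bot: in the `@@ -116,41 +60,21 @@` hunk, the Recommended Priority is set to "Medium" with none of the justification the removed template text asks for (the proposal's value and ecosystem demand); one sentence tying the priority to the 44% conformance figure from the Problem Statement would suffice. The Related Issues section likewise links only the originating issue, while the template asks for alternative options the QWG could consider if the RFD is rejected. Minor: two blank lines are left after "Medium".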
@@ -38,10 +38,12 @@ The primary benefit of this change is to enable reliable automation to be built ## Compatibility and Migration [compatibility-and-migration]: #compatibility-and-migration -This change adds one new possibile value to the `versions` array and should be completely backwards compatible as no prior data formats are altered. The version type is currently arbitrary and so record providers are free to populate anything in that field, however no currently published records have used `semver-2.0.0`. +This change adds one new, optional, value to the `versions` array and should be completely backwards compatible as no prior data formats are altered. The version type is currently arbitrary and so record providers are free to populate anything in that field, however no currently published records have used `semver-2.0.0`. Both consumers are producers will need to update their code/process in order to make use of the new field. Should there be a desire to coordinate a migration an addition could be made to this RFD with guidance both for record producer and consumers, but off the shelf, semver compatible tools are expected to work. +Existence of the new version type should be communicated to stakeholders upon the RFDs acceptance. + ## Success Metrics [success-metrics]: #success-metrics From 85af8ebd5cb6f00dc481cb8e170650c39e98588e Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Tue, 17 Jun 2025 10:39:07 -0700 Subject: [PATCH 46/63] update impact --- rfds/0000-formalize-semver-version-type.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rfds/0000-formalize-semver-version-type.md b/rfds/0000-formalize-semver-version-type.md index 3b546e46075..9af0cbf5b97 100644 --- a/rfds/0000-formalize-semver-version-type.md +++ b/rfds/0000-formalize-semver-version-type.md 
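Review bot: in the added line "Existence of the new version type should be communicated to stakeholders upon the RFDs acceptance", "RFDs" should be the possessive "RFD's"; "one new, optional, value" in the rewritten line reads better as "one new, optional value". The unchanged context line "Both consumers are producers" still needs "and".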
@@ -33,7 +33,7 @@ https://github.com/CVEProject/cve-schema/tree/0dc04e2a9adb9e3d50409051ce1d006d79 ## Impact Assessment [impact-assessment]: #impact-assessment -The primary benefit of this change is to enable reliable automation to be built from CVE data. +This proposal has been designed to be very low impact. In the base case both record producers and consumers can simply ignore the new data type. The primary benefit of the adoption of this change is to enable reliable automation. ## Compatibility and Migration [compatibility-and-migration]: #compatibility-and-migration From 97f14c256819f7ef25418ce492f948f62e5d5e7b Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Tue, 17 Jun 2025 15:56:21 -0700 Subject: [PATCH 47/63] Remove blank line --- rfds/0000-formalize-semver-version-type.md | 1 - 1 file changed, 1 deletion(-) diff --git a/rfds/0000-formalize-semver-version-type.md b/rfds/0000-formalize-semver-version-type.md index 9af0cbf5b97..3263dd43a82 100644 --- a/rfds/0000-formalize-semver-version-type.md +++ b/rfds/0000-formalize-semver-version-type.md @@ -70,7 +70,6 @@ https://github.com/CVEProject/cve-schema/issues/362 Medium - ## Unresolved Questions [unresolved-questions]: #unresolved-questions From b800796cd2a8e7cd97b0691b3384347cb0c1de41 Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Thu, 26 Jun 2025 09:02:19 -0700 Subject: [PATCH 48/63] typo plus a + --- rfds/0000-formalize-semver-version-type.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rfds/0000-formalize-semver-version-type.md b/rfds/0000-formalize-semver-version-type.md index 3263dd43a82..2c20492449f 100644 --- a/rfds/0000-formalize-semver-version-type.md +++ b/rfds/0000-formalize-semver-version-type.md 
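Review bot: the replacement Impact Assessment sentence in the `@@ -33,7 +33,7 @@` hunk lists only the benefit, while the section (per the template text this RFD was drafted from) should also name possible risks; at minimum note that the change adds a second, optional way of expressing versions and ranges next to the existing unvalidated types, so consumers must keep handling both until adoption is widespread, and that the new properties are validated only for records that opt into `semver-2.0.0`.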
@@ -47,7 +47,7 @@ Existence of the new version type should be communicated to stakeholders upon th ## Success Metrics [success-metrics]: #success-metrics -6 months after the acceptance and adoption of this RFD process, the QWG conduct a review of published CVE records to assess usage of the new version type. Additionally the QWG should solicit a survey to QWG members and outside CVE stakeholders about the perceived value of the new type. If there is low/no usage as well as a poor qualitative perception then the effort should be considered a failure and discussion of a rollback should be considered. +6+ months after the acceptance and adoption of this RFD process, the QWG should conduct a review of published CVE records to assess usage of the new version type. Additionally the QWG should solicit a survey to QWG members and outside CVE stakeholders about the perceived value of the new type. If there is low/no usage as well as a poor qualitative perception then the effort should be considered a failure and discussion of a rollback should be considered. If there is consistent measured usage as well as positive qualitative perception then the effort should be considered a success. Anything between these two polls will require more qualitative analysis, but it is the RFD author's opinion that if there is a lack of consensus then the effort should by default be considered a failure. From 69aba3f21e1157b42549d4b0d3eb3d376b92ce27 Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Thu, 26 Jun 2025 09:52:38 -0700 Subject: [PATCH 49/63] Better impact --- rfds/0000-formalize-semver-version-type.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rfds/0000-formalize-semver-version-type.md b/rfds/0000-formalize-semver-version-type.md index 2c20492449f..314bec0ed88 100644 --- a/rfds/0000-formalize-semver-version-type.md +++ b/rfds/0000-formalize-semver-version-type.md 
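Review bot: the `+` line in this hunk still reads "after the acceptance and adoption of this RFD process", which should be "of this RFD", and "solicit a survey to" reads better as "circulate a survey to". In the unchanged second paragraph, "between these two polls" should be "poles".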
@@ -33,7 +33,7 @@ https://github.com/CVEProject/cve-schema/tree/0dc04e2a9adb9e3d50409051ce1d006d79 ## Impact Assessment [impact-assessment]: #impact-assessment -This proposal has been designed to be very low impact. In the base case both record producers and consumers can simply ignore the new data type. The primary benefit of the adoption of this change is to enable reliable automation. +This proposal has been designed to be very low impact. In the base case both record producers and record consumers can simply ignore the new data type. Adoption of the new data type into systems that process CVE records should be quite straight forward as semantic versioning is well supported across many languages. Once records begin to be produced with `semver-2.0.0` values a record consumer will be able to build reliable vulnerability managment automation based on the data. ## Compatibility and Migration [compatibility-and-migration]: #compatibility-and-migration From c9fde5054e8815efe8294aab9a896e5f7004cb22 Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Wed, 16 Jul 2025 14:02:53 -0700 Subject: [PATCH 50/63] Remove the word new --- schema/docs/versions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schema/docs/versions.md b/schema/docs/versions.md index 0dd9d38da90..6826741a1e7 100644 --- a/schema/docs/versions.md +++ b/schema/docs/versions.md 
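Review bot: in the new Impact Assessment line, "managment" should be "management" and "straight forward" should be "straightforward".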
@@ -294,7 +294,7 @@ Now that we know how to encode version objects, that would be written as: Type identifier: `semver-2.0.0` Formally specified here at https://semver.org/spec/v2.0.0.html -`semver-2.0.0` is new type introduced to formally specify usage of semantic versioning. +`semver-2.0.0` is type introduced to formally specify usage of semantic versioning. `semver-2.0.0` in its simplest form is a dot separated triple. eg `1.2.3`. The three parts have names with the first being the `MAJOR`, the second being `MINOR` and the third `PATCH`. The [Semantic](https://en.wikipedia.org/wiki/Semantics) meaning of each is described as 1. MAJOR version when you make incompatible API changes From bc077f56b8d6101da067802f521469a7071c72e1 Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Wed, 16 Jul 2025 14:05:22 -0700 Subject: [PATCH 51/63] Update verbiage --- schema/docs/versions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schema/docs/versions.md b/schema/docs/versions.md index 6826741a1e7..8e6fbed629a 100644 --- a/schema/docs/versions.md +++ b/schema/docs/versions.md 
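Review bot: dropping "new" leaves the line "`semver-2.0.0` is type introduced to formally specify usage of semantic versioning" without an article; it should read "is a type introduced".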
@@ -308,7 +308,7 @@ While the triple can only contain numeric values the `pre-release` and `build` a A complete definition of this version type can be viewed here https://semver.org/spec/v2.0.0.html#backusnaur-form-grammar-for-valid-semver-versions -In the interest of simplicity the `semver-2.0.0` version type has two parameters which define a continuous range. `lowerBound` and `upperBound` each must be a valid semver triple with optional pre-release/build extensions. +The `semver-2.0.0` version type has five possible parameters which may be used to define either a single version or a continuous range. The parameters are `version`, `lessThan`, `lessThanOrEqual`, `greaterThan`, and `greaterThanOrEqual`. The use of `version` alone defines a single version when used alone or an inclusive bound when used with one of the other parameters. Each parameter must be a valid semver triple with optional pre-release/build extensions. ##### Example From 64774b5662d19383db75e1b4c65d653b72eefad3 Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Wed, 16 Jul 2025 14:05:42 -0700 Subject: [PATCH 52/63] Update examples --- schema/docs/versions.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/schema/docs/versions.md b/schema/docs/versions.md index 8e6fbed629a..f4d17812564 100644 --- a/schema/docs/versions.md +++ b/schema/docs/versions.md 
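Review bot: the added sentence "The use of `version` alone defines a single version when used alone or an inclusive bound when used with one of the other parameters" repeats "alone" and, more importantly, does not say which end of the range `version` bounds when paired with another parameter. Suggest: "`version` on its own denotes a single version; combined with `lessThan` or `lessThanOrEqual` it is the inclusive lower bound, and combined with `greaterThan` or `greaterThanOrEqual` it is the inclusive upper bound." The paragraph should also state whether a `lessThan*` and a `greaterThan*` parameter may be combined with each other without `version`.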
@@ -321,34 +321,34 @@ The `semver-2.0.0` version type has five possible parameters which may be used t { "versionType": "semver-2.0.0", "status": "affected", - "inclusiveLowerBound": "1.2.3-alpha", - "exclusiveUpperBound": "2.3.4+build17" + "version": "1.2.3-alpha", + "lessThan": "2.3.4+build17" } { "versionType": "semver-2.0.0", "status": "unaffected", - "exclusiveLowerBound": "3.4.5-beta", - "inclusiveUpperBound": "4.5.6+assembly88" + "greaterThan": "3.4.5-beta", + "version": "4.5.6+assembly88" } { "versionType": "semver-2.0.0", "status": "affected", - "exactly": "5.6.7-gamma", + "version": "5.6.7-gamma", } { "versionType": "semver-2.0.0", "status": "affected", - "exactly": "6.7.8-delta", + "version": "6.7.8-delta", } { "versionType": "semver-2.0.0", "status": "affected", - "exclusiveUpperBound": "1.0.0", + "lessThan": "1.0.0", } { "versionType": "semver-2.0.0", "status": "unknown", - "inclusiveLowerBound": "9.0.0", + "greaterThanOrEqual": "9.0.0", } ], } From 4d091a0616f86f2c340a9dd194084ce80169c101 Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Wed, 16 Jul 2025 14:08:25 -0700 Subject: [PATCH 53/63] Mention that not adopting is an option --- rfds/0000-formalize-semver-version-type.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rfds/0000-formalize-semver-version-type.md b/rfds/0000-formalize-semver-version-type.md index 314bec0ed88..3480de885d4 100644 --- a/rfds/0000-formalize-semver-version-type.md +++ b/rfds/0000-formalize-semver-version-type.md @@ -65,6 +65,8 @@ community demand for specific new data or demand for better data quality. This change originated out of a conversation detailing the shortcomings of the current versioning system here: https://github.com/CVEProject/cve-schema/issues/362 +An alternative to adopting this RFD would be to not adopt it. + ## Recommended Priority [recommended-priority]: #recommended-priority From 7ba977b083cec619cb93b810075a7406c6ce9ef2 Mon Sep 17 00:00:00 2001 
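Review bot: four of the six example objects in the `@@ -321,34 +321,34 @@` hunk keep a trailing comma after their last property (for instance `"version": "5.6.7-gamma",` followed by `}`), and the array close `],` is followed by `}`; as written the examples are not valid JSON and will fail anyone who pastes them into a validator, so drop those commas. A second caveat for the same examples: the bounds `2.3.4+build17` and `4.5.6+assembly88` carry build metadata, which semver 2.0.0 ignores when determining precedence, so such values are ambiguous as range limits; either use examples without `+` metadata or state how comparisons treat it.

Review bot: the added line "An alternative to adopting this RFD would be to not adopt it." in the `@@ -65,6 +65,8 @@` hunk is tautological; say what not adopting means in practice, namely continuing with the unvalidated version types and the conformance rate described in the Problem Statement, so the QWG can weigh it as a real option.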
From: Jon Moroney Date: Wed, 16 Jul 2025 14:08:50 -0700 Subject: [PATCH 54/63] Remove template text for supporting data/research --- rfds/0000-formalize-semver-version-type.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/rfds/0000-formalize-semver-version-type.md b/rfds/0000-formalize-semver-version-type.md index 3480de885d4..461ea6d4380 100644 --- a/rfds/0000-formalize-semver-version-type.md +++ b/rfds/0000-formalize-semver-version-type.md @@ -56,8 +56,6 @@ A roll back of this RFD would consist of a removal of the `semver-2.0.0` version ## Supporting Data or Research [supporting-data-or-research]: #supporting-data-or-research -Describe any evidence for the need to adopt the RFD proposal based on -community demand for specific new data or demand for better data quality. ## Related Issues or Proposals [related-issues-or-proposals]: #related-issues-or-proposals From 1bb151ec4331343413788456469865c38e2b98bc Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Thu, 17 Jul 2025 12:03:17 -0700 Subject: [PATCH 55/63] Delete some trailing commas --- schema/CVE_Record_Format.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json index 4f5b0ac3886..e6d9a6946da 100644 --- a/schema/CVE_Record_Format.json +++ b/schema/CVE_Record_Format.json @@ -314,7 +314,7 @@ }, { "required": ["status", "versionType", "greaterThanOrEqual"] - }, + } ], "if": { "properties": { @@ -327,7 +327,7 @@ "lessThan": { "$ref": "#/definitions/semver-2.0.0-version" }, "lessThanOrEqual": { "$ref": "#/definitions/semver-2.0.0-version" }, "greaterThan": { "$ref": "#/definitions/semver-2.0.0-version" }, - "greaterThanOrEqual": { "$ref": "#/definitions/semver-2.0.0-version" }, + "greaterThanOrEqual": { "$ref": "#/definitions/semver-2.0.0-version" } } }, "properties": { From 4427021569632fd6532735b37e92f4d43f2693c2 Mon Sep 17 00:00:00 2001 
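Review bot: removing the template text in the `@@ -56,8 +56,6 @@` hunk leaves Supporting Data or Research empty, yet the Problem Statement already cites an analysis of semver conformance in published records (https://darakian.github.io/2025/06/04/parsing-semver-from-cve.html); that link, with a one-line summary of its method and result, belongs in this section rather than leaving it blank.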
From: Jon Moroney Date: Thu, 17 Jul 2025 12:04:43 -0700 Subject: [PATCH 56/63] Provide symmetry in parameter requirements --- schema/CVE_Record_Format.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json index e6d9a6946da..c30ca47b882 100644 --- a/schema/CVE_Record_Format.json +++ b/schema/CVE_Record_Format.json @@ -307,7 +307,7 @@ "required": ["status", "versionType", "lessThan"] }, { - "required": ["version", "status", "versionType", "lessThanOrEqual"] + "required": ["status", "versionType", "lessThanOrEqual"] }, { "required": ["status", "versionType", "greaterThan"] From c6e12cb5108fadf226c70f18e0fcd41b1de06876 Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Fri, 18 Jul 2025 14:02:14 -0700 Subject: [PATCH 57/63] Delete two more trailing commas --- schema/CVE_Record_Format.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json index c30ca47b882..55ab662cde3 100644 --- a/schema/CVE_Record_Format.json +++ b/schema/CVE_Record_Format.json @@ -383,7 +383,7 @@ "at": { "description": "The version at which a status change occurs.", "oneOf": [ - {"$ref": "#/definitions/version"}, + {"$ref": "#/definitions/version"} ] }, "status": { @@ -392,7 +392,7 @@ } } } - }, + } }, "additionalProperties": false } From 46c5293235eaf6908410b0542c5f770f4c1e1abb Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Thu, 31 Jul 2025 07:47:08 -0700 Subject: [PATCH 58/63] Small fix --- rfds/0000-formalize-semver-version-type.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rfds/0000-formalize-semver-version-type.md b/rfds/0000-formalize-semver-version-type.md index 461ea6d4380..0e3e5a3ae92 100644 --- a/rfds/0000-formalize-semver-version-type.md +++ b/rfds/0000-formalize-semver-version-type.md 
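Review bot: Dropping `version` from the `lessThanOrEqual` branch in PATCH 56 makes the four bound branches symmetric, but it also loosens the generic case: a record with only `lessThanOrEqual` and no `version` is now accepted for every `versionType`, not just `semver-2.0.0`. If open-ended lower ends are meant only for semver records, constrain this branch with `"versionType": {"const": "semver-2.0.0"}` the way the later `@@ -310,26 +310,36 @@` hunk does for its branches; otherwise the relaxation should be called out in the RFD text.

Review bot: PATCH 57's first hunk leaves `"at"` as a `oneOf` with a single `{"$ref": "#/definitions/version"}` entry. A one-element `oneOf` is just the reference, so collapse it to a plain `"$ref"`; if the intent was to later add `#/definitions/semver-2.0.0-version` as a second alternative for `changes.at`, say so in the commit message, since as the series stands `changes` never gets semver validation.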
@@ -13,11 +13,11 @@ Introduce a new semantic versioning version type for the machine readable `versi ## Problem Statement [problem-statement]: #problem-statement -Today the `versions` array allows for a number of typed version fields which should inform the reader how to interpret the data. Alas, there is no validation that a record producer must conform to and as a result the version types have been used inconsistently. A consumer reading the semantic versioning type in particular has about a [44% chance of the data conforming to the semantic versioning specification](https://darakian.github.io/2025/06/04/parsing-semver-from-cve.html). +Today the `versions` array allows for a number of typed version fields which should inform the reader how to interpret the data. Alas, there is no validation that a record producer must conform to and as a result the version types have been used inconsistently. At time of writing a consumer reading the semantic versioning type in particular has about a [44% chance of the data conforming to the semantic versioning specification](https://darakian.github.io/2025/06/04/parsing-semver-from-cve.html). As a result consumers of CVE records cannot build reliable automation from the data in the record itself. Multiple sub-patterns do exist, but there is canonical list of them nor is there any guarantee of their stability. This leads to increased operational complexity in vulnerability management and potentially to vulnerabilities going unresolved. -Failing to adopt stricter datatypes will keep maintain the status quo which is generally accepted to be lacking. +Failing to adopt stricter datatypes will maintain the status quo which is generally accepted to be lacking. ## Proposed Solution [proposed-solution]: #proposed-solution From cffccd7ea513238697202280eedd2d2cdc199d09 Mon Sep 17 00:00:00 2001 
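Review bot: The unchanged context line in this hunk still reads `there is canonical list of them`, which drops `no` and inverts the meaning; since the patch already rewrites this paragraph, change it to `there is no canonical list of them`. Qualifying the 44% figure with `At time of writing` is a good change, since that measurement will age as records are corrected.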
From: Jon Moroney Date: Sun, 14 Sep 2025 12:57:35 -0700 Subject: [PATCH 59/63] Restore first construction. --- schema/CVE_Record_Format.json | 67 +++++++++++++++++++++++------------ 1 file changed, 45 insertions(+), 22 deletions(-) diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json index 55ab662cde3..4da4785c999 100644 --- a/schema/CVE_Record_Format.json +++ b/schema/CVE_Record_Format.json 
@@ -310,26 +310,36 @@ "required": ["status", "versionType", "lessThanOrEqual"] }, { - "required": ["status", "versionType", "greaterThan"] + "required": ["status", "versionType"], + "maxProperties": 3, + "properties": {"versionType": { "const": "semver-2.0.0" }}, + "oneOf": [ + {"required": ["exactly"]}, + {"required": ["inclusiveLowerBound"]}, + {"required": ["exclusiveLowerBound"]}, + {"required": ["inclusiveUpperBound"]}, + {"required": ["exclusiveUpperBound"]} + ] }, { - "required": ["status", "versionType", "greaterThanOrEqual"] + "required": ["status", "versionType", "inclusiveLowerBound"], + "maxProperties": 4, + "properties": {"versionType": { "const": "semver-2.0.0" }}, + "oneOf": [ + {"required": ["inclusiveUpperBound"]}, + {"required": ["exclusiveUpperBound"]} + ] + }, + { + "required": ["status", "versionType", "exclusiveLowerBound"], + "maxProperties": 4, + "properties": {"versionType": { "const": "semver-2.0.0" }}, + "oneOf": [ + {"required": ["inclusiveUpperBound"]}, + {"required": ["exclusiveUpperBound"]} + ] } ], - "if": { - "properties": { - "versionType": {"const": "semver-2.0.0"} - } - }, - "then": { - "properties": { - "version": { "$ref": "#/definitions/semver-2.0.0-version" }, - "lessThan": { "$ref": "#/definitions/semver-2.0.0-version" }, - "lessThanOrEqual": { "$ref": "#/definitions/semver-2.0.0-version" }, - "greaterThan": { "$ref": "#/definitions/semver-2.0.0-version" }, - "greaterThanOrEqual": { "$ref": "#/definitions/semver-2.0.0-version" } - } - }, "properties": { "version": { "description": "The single version being described, or the version at the start of the range. By convention, typically 0 denotes the earliest possible version.", 
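Review bot: Removing the `if`/`then` block at the end of this hunk takes the semver pattern check off `version`, `lessThan` and `lessThanOrEqual`, while the generic branches above still accept those keys for any `versionType`. As far as the visible lines show, a record with `"versionType": "semver-2.0.0"` and `"version": "1.2.*"` now matches the first generic branch and validates without ever reaching `semver-2.0.0-version`, which reopens the data-quality gap the RFD is meant to close. Either keep an `if`/`then` that forbids the legacy keys when `versionType` is `semver-2.0.0` (for example a `"not": {"anyOf": [{"required": ["version"]}, ...]}` guard) or add `"versionType": {"not": {"const": "semver-2.0.0"}}` to the generic branches. Separately, `maxProperties: 3` and `maxProperties: 4` are being used to mean "no keys other than these", which also rejects `changes` on semver records; if that is intentional it should be stated in versions.md, and if not, enumerate the permitted keys instead of counting them.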
@@ -361,13 +371,26 @@ "description": "The inclusive upper limit of the range. This is the greatest version contained in the range. Only one of lessThan and lessThanOrEqual should be specified. For example, `{version: 1.0, lessThanOrEqual: 1.3}` covers all versions from 1.0 up to and including 1.3.", "$ref": "#/definitions/version" }, - "greaterThan": { - "description": "The exclusive lower limit of the range. This is the lowest version NOT in the range. Used only for ranges which extend to positive infinity.", - "$ref": "#/definitions/version" + "exactly": { + "description": "A single semver 2.0.0 version to mark", + "$ref": "#/definitions/semver-2.0.0-version" }, - "greaterThanOrEqual": { - "description": "The inclusive lower limit of the range. This is the lowest version in the range. Used only for ranges which extend to positive infinity.", - "$ref": "#/definitions/version" + "inclusiveLowerBound": { + "description": "A valid semver 2.0.0 value used as a lower bound. Explicitly also affected.", + "$ref": "#/definitions/semver-2.0.0-version" + }, + "exclusiveLowerBound": { + "description": "A valid semver 2.0.0 value used as a lower bound. Explicitly not affected.", + "$ref": "#/definitions/semver-2.0.0-version" + }, + "inclusiveUpperBound": { + "description": "A valid semver 2.0.0 value used as an upper bound. Explicitly also affected.", + "$ref": "#/definitions/semver-2.0.0-version" + + }, + "exclusiveUpperBound": { + "description": "A valid semver 2.0.0 value used as an upper bound. Explicitly not affected.", + "$ref": "#/definitions/semver-2.0.0-version" }, "changes": { "type": "array", From 8a4824abe359b82f83177a4a704ac89f1ac60ffe Mon Sep 17 00:00:00 2001 
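Review bot: The new property descriptions in this hunk are underspecified: `A single semver 2.0.0 version to mark` is an unfinished sentence, and `Explicitly also affected` / `Explicitly not affected` are wrong whenever the enclosing object's `status` is `unaffected` or `unknown`. Say instead that the bound version is included in (or excluded from) the range and takes the object's `status`, and point to the `<`, `<=`, `>`, `>=`, `=` mapping in the explainer. There is also a stray blank line inside the `inclusiveUpperBound` object before its closing brace.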
From: Jon Moroney Date: Sun, 14 Sep 2025 13:06:28 -0700 Subject: [PATCH 60/63] Convert invalid tests --- .../tests/invalid/invalid-semver-2-0-0/asterisk-usage.json | 2 +- .../tests/invalid/invalid-semver-2-0-0/dupe-upper-bounds.json | 4 ++-- .../tests/invalid/invalid-semver-2-0-0/mixed-versions.json | 4 ++-- .../tests/invalid/invalid-semver-2-0-0/wrong-versionType.json | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/schema/support/tests/invalid/invalid-semver-2-0-0/asterisk-usage.json b/schema/support/tests/invalid/invalid-semver-2-0-0/asterisk-usage.json index ace106d0bb6..e9925dbe964 100644 --- a/schema/support/tests/invalid/invalid-semver-2-0-0/asterisk-usage.json +++ b/schema/support/tests/invalid/invalid-semver-2-0-0/asterisk-usage.json @@ -29,7 +29,7 @@ { "versionType": "semver-2.0.0", "status": "affected", - "version": "1.2.*" + "exactly": "1.2.*" } ], "defaultStatus": "unaffected" diff --git a/schema/support/tests/invalid/invalid-semver-2-0-0/dupe-upper-bounds.json b/schema/support/tests/invalid/invalid-semver-2-0-0/dupe-upper-bounds.json index c4ed7930e50..76de31d3f92 100644 --- a/schema/support/tests/invalid/invalid-semver-2-0-0/dupe-upper-bounds.json +++ b/schema/support/tests/invalid/invalid-semver-2-0-0/dupe-upper-bounds.json @@ -30,8 +30,8 @@ "versionType": "semver-2.0.0", "status": "affected", "version": "1.2.3", - "greaterThan": "1.2.4", - "greaterThanEqualTo": "1.2.4" + "exclusiveLowerBound": "1.2.4", + "inclusiveLowerBound": "1.2.4" } ], "defaultStatus": "unaffected" diff --git a/schema/support/tests/invalid/invalid-semver-2-0-0/mixed-versions.json b/schema/support/tests/invalid/invalid-semver-2-0-0/mixed-versions.json index f22716786cc..9d49ad919d1 100644 --- a/schema/support/tests/invalid/invalid-semver-2-0-0/mixed-versions.json +++ b/schema/support/tests/invalid/invalid-semver-2-0-0/mixed-versions.json 
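Review bot: In the `dupe-upper-bounds.json` hunk the object keeps `"version": "1.2.3"` from the context lines while swapping in `exclusiveLowerBound` and `inclusiveLowerBound`. With the branch layout in PATCH 59, that leftover `version` satisfies the generic `[status, versionType, version]` branch and both bound keys are declared properties, so as far as the visible hunks show this record may validate, or fail for a reason other than the duplicated bound. Remove `version` so the only defect is the duplicate lower bound, and rename the file, which now tests duplicate lower bounds rather than upper bounds. Negative fixtures are what prove the schema rejects bad data, so each should fail for exactly one reason.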
@@ -29,8 +29,8 @@ { "versionType": "semver-2.0.0", "status": "affected", - "lessThanOrEqualTo": "1.2.3", - "version": "1.2.4" + "inclusiveUpperBound": "1.2.3", + "exactly": "1.2.4" } ], "defaultStatus": "unaffected" diff --git a/schema/support/tests/invalid/invalid-semver-2-0-0/wrong-versionType.json b/schema/support/tests/invalid/invalid-semver-2-0-0/wrong-versionType.json index 2a367a69c42..9717354a43f 100644 --- a/schema/support/tests/invalid/invalid-semver-2-0-0/wrong-versionType.json +++ b/schema/support/tests/invalid/invalid-semver-2-0-0/wrong-versionType.json @@ -29,7 +29,7 @@ { "versionType": "semver-2.0.0", "status": "affected", - "version": "1.2.3.4" + "exactly": "1.2.3.4" } ], "defaultStatus": "unaffected" From f7c4fe6bac75537dc367f93e55dc081628d1f18a Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Sun, 14 Sep 2025 13:10:18 -0700 Subject: [PATCH 61/63] Convert valid tests --- .../tests/valid/valid-semver-2-0-0/exactly-one.json | 2 +- .../tests/valid/valid-semver-2-0-0/exclusiveRange.json | 4 ++-- .../tests/valid/valid-semver-2-0-0/inclusiveRange.json | 4 ++-- .../tests/valid/valid-semver-2-0-0/mixedRange1.json | 4 ++-- .../tests/valid/valid-semver-2-0-0/mixedRange2.json | 10 ++-------- .../valid-semver-2-0-0/only-exclusiveLowerBound.json | 2 +- .../valid-semver-2-0-0/only-exclusiveUpperBound.json | 3 +-- .../valid-semver-2-0-0/only-inclusiveLowerBound.json | 2 +- .../valid-semver-2-0-0/only-inclusiveUpperBound.json | 3 +-- 9 files changed, 13 insertions(+), 21 deletions(-) diff --git a/schema/support/tests/valid/valid-semver-2-0-0/exactly-one.json b/schema/support/tests/valid/valid-semver-2-0-0/exactly-one.json index 06ffc57462e..11e9da27faf 100644 --- a/schema/support/tests/valid/valid-semver-2-0-0/exactly-one.json +++ b/schema/support/tests/valid/valid-semver-2-0-0/exactly-one.json @@ -29,7 +29,7 @@ { "versionType": "semver-2.0.0", "status": "affected", - "version": "1.2.3" + "exactly": "1.2.3" } ], "defaultStatus": "unaffected" 
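Review bot: `wrong-versionType.json` in this hunk exercises a malformed version string (`1.2.3.4` under `exactly`), not a wrong `versionType`; rename it (for example `four-part-version.json`) so each invalid fixture is named for the defect it rejects. The `mixed-versions.json` case (`inclusiveUpperBound` together with `exactly`) is rejected both by the `maxProperties` limit and by the inner `oneOf`, so a second fixture that isolates one of those checks would make a regression in either visible.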
diff --git a/schema/support/tests/valid/valid-semver-2-0-0/exclusiveRange.json b/schema/support/tests/valid/valid-semver-2-0-0/exclusiveRange.json index bdc2d293faf..997db73a90b 100644 --- a/schema/support/tests/valid/valid-semver-2-0-0/exclusiveRange.json +++ b/schema/support/tests/valid/valid-semver-2-0-0/exclusiveRange.json @@ -29,8 +29,8 @@ { "versionType": "semver-2.0.0", "status": "affected", - "version": "1.2.3", - "lessThan": "2.3.4" + "exclusiveLowerBound": "1.2.3", + "exclusiveUpperBound": "2.3.4" } ], "defaultStatus": "unaffected" diff --git a/schema/support/tests/valid/valid-semver-2-0-0/inclusiveRange.json b/schema/support/tests/valid/valid-semver-2-0-0/inclusiveRange.json index ae9dcc00614..d9be70ff698 100644 --- a/schema/support/tests/valid/valid-semver-2-0-0/inclusiveRange.json +++ b/schema/support/tests/valid/valid-semver-2-0-0/inclusiveRange.json @@ -29,8 +29,8 @@ { "versionType": "semver-2.0.0", "status": "affected", - "version": "1.2.3", - "lessThanOrEqual": "2.3.4" + "inclusiveLowerBound": "1.2.3", + "inclusiveUpperBound": "2.3.4" } ], "defaultStatus": "unaffected" diff --git a/schema/support/tests/valid/valid-semver-2-0-0/mixedRange1.json b/schema/support/tests/valid/valid-semver-2-0-0/mixedRange1.json index 49184f979f4..f189b7fde54 100644 --- a/schema/support/tests/valid/valid-semver-2-0-0/mixedRange1.json +++ b/schema/support/tests/valid/valid-semver-2-0-0/mixedRange1.json @@ -29,8 +29,8 @@ { "versionType": "semver-2.0.0", "status": "affected", - "version": "1.2.3", - "lessThan": "2.3.4" + "inclusiveLowerBound": "1.2.3", + "exclusiveUpperBound": "2.3.4" } ], "defaultStatus": "unaffected" diff --git a/schema/support/tests/valid/valid-semver-2-0-0/mixedRange2.json b/schema/support/tests/valid/valid-semver-2-0-0/mixedRange2.json index 1783117e9b7..5377e06132e 100644 --- a/schema/support/tests/valid/valid-semver-2-0-0/mixedRange2.json +++ b/schema/support/tests/valid/valid-semver-2-0-0/mixedRange2.json 
@@ -29,14 +29,8 @@ { "versionType": "semver-2.0.0", "status": "affected", - "version": "1.2.3", - "lessThanOrEqual": "2.3.4", - "changes": [ - { - "at": "1.2.3", - "status": "unaffected" - } - ] + "exclusiveLowerBound": "1.2.3", + "inclusiveUpperBound": "2.3.4" } ], "defaultStatus": "unaffected" diff --git a/schema/support/tests/valid/valid-semver-2-0-0/only-exclusiveLowerBound.json b/schema/support/tests/valid/valid-semver-2-0-0/only-exclusiveLowerBound.json index bd6e7a11974..42fa4c80e38 100644 --- a/schema/support/tests/valid/valid-semver-2-0-0/only-exclusiveLowerBound.json +++ b/schema/support/tests/valid/valid-semver-2-0-0/only-exclusiveLowerBound.json @@ -29,7 +29,7 @@ { "versionType": "semver-2.0.0", "status": "affected", - "greaterThan": "1.2.3" + "exclusiveLowerBound": "1.2.3" } ], "defaultStatus": "unaffected" diff --git a/schema/support/tests/valid/valid-semver-2-0-0/only-exclusiveUpperBound.json b/schema/support/tests/valid/valid-semver-2-0-0/only-exclusiveUpperBound.json index 34c1551ba41..426fe633b4e 100644 --- a/schema/support/tests/valid/valid-semver-2-0-0/only-exclusiveUpperBound.json +++ b/schema/support/tests/valid/valid-semver-2-0-0/only-exclusiveUpperBound.json @@ -29,8 +29,7 @@ { "versionType": "semver-2.0.0", "status": "affected", - "version": "1.2.3", - "lessThan": "1.2.3" + "exclusiveUpperBound": "1.2.3" } ], "defaultStatus": "unaffected" diff --git a/schema/support/tests/valid/valid-semver-2-0-0/only-inclusiveLowerBound.json b/schema/support/tests/valid/valid-semver-2-0-0/only-inclusiveLowerBound.json index b3c174886ee..845d445cace 100644 --- a/schema/support/tests/valid/valid-semver-2-0-0/only-inclusiveLowerBound.json +++ b/schema/support/tests/valid/valid-semver-2-0-0/only-inclusiveLowerBound.json @@ -29,7 +29,7 @@ { "versionType": "semver-2.0.0", "status": "affected", - "greaterThan": "1.2.3" + "inclusiveLowerBound": "1.2.3" } ], "defaultStatus": "unaffected" 
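Review bot: The `mixedRange2.json` hunk deletes the `changes` array along with converting the bounds, which quietly removes the only valid fixture combining `changes` with `semver-2.0.0`. If `changes` is no longer allowed for this type (the `maxProperties` limits in PATCH 59 imply so), add an invalid fixture asserting that and document it in versions.md; if it is allowed, keep a valid fixture for it. The `only-exclusiveUpperBound.json` and `only-inclusiveUpperBound.json` hunks previously paired `version: 1.2.3` with `lessThan: 1.2.3`, an empty range, and the single-bound form fixes that; a dedicated invalid fixture for an inverted range (`inclusiveLowerBound` above `inclusiveUpperBound`) is still worth adding, since the regex validates syntax only and cannot catch ordering errors.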
diff --git a/schema/support/tests/valid/valid-semver-2-0-0/only-inclusiveUpperBound.json b/schema/support/tests/valid/valid-semver-2-0-0/only-inclusiveUpperBound.json index 9c3fb047e03..ce9064e5d0a 100644 --- a/schema/support/tests/valid/valid-semver-2-0-0/only-inclusiveUpperBound.json +++ b/schema/support/tests/valid/valid-semver-2-0-0/only-inclusiveUpperBound.json @@ -29,8 +29,7 @@ { "versionType": "semver-2.0.0", "status": "affected", - "version": "1.2.3", - "lessThanOrEqual": "1.2.3" + "inclusiveUpperBound": "1.2.3" } ], "defaultStatus": "unaffected" From 5cfcb1616b94c9a2711b4d61256836520944b053 Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Sun, 14 Sep 2025 14:49:53 -0700 Subject: [PATCH 62/63] Convert doc text --- schema/docs/versions.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/schema/docs/versions.md b/schema/docs/versions.md index f4d17812564..4f4af2efc82 100644 --- a/schema/docs/versions.md +++ b/schema/docs/versions.md 
@@ -308,7 +308,7 @@ While the triple can only contain numeric values the `pre-release` and `build` a A complete definition of this version type can be viewed here https://semver.org/spec/v2.0.0.html#backusnaur-form-grammar-for-valid-semver-versions -The `semver-2.0.0` version type has five possible parameters which may be used to define either a single version or a continuous range. The parameters are `version`, `lessThan`, `lessThanOrEqual`, `greaterThan`, and `greaterThanOrEqual`. The use of `version` alone defines a single version when used alone or an inclusive bound when used with one of the other parameters. Each parameter must be a valid semver triple with optional pre-release/build extensions. +The `semver-2.0.0` version type has five possible parameters which may be used to define either a single version or a continuous range. The parameters are `exactly`, `inclusiveLowerBound`, `exclusiveLowerBound`, `inclusiveUpperBound`, and `exclusiveUpperBound`. The use of `exactly` alone defines a single version when used alone. The other parameters are used to define a range of values which are . ##### Example 
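Review bot: The replacement paragraph in this hunk ends mid-sentence (`The other parameters are used to define a range of values which are .`) and the sentence before it says `alone` twice. Finish the sentence (for example `a range bounded below, above, or on both sides`), tighten the earlier one to `Using exactly by itself defines a single version.`, and keep the removed statement that each parameter must be a valid semver triple with optional pre-release/build extensions, which was the one sentence telling producers what the pattern enforces.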
@@ -321,34 +321,34 @@ The `semver-2.0.0` version type has five possible parameters which may be used t { "versionType": "semver-2.0.0", "status": "affected", - "version": "1.2.3-alpha", - "lessThan": "2.3.4+build17" + "inclusiveLowerBound": "1.2.3-alpha", + "inclusiveUpperBound": "2.3.4+build17" } { "versionType": "semver-2.0.0", "status": "unaffected", - "greaterThan": "3.4.5-beta", - "version": "4.5.6+assembly88" + "exclusiveLowerBound": "3.4.5-beta", + "exclusiveUpperBound": "4.5.6+assembly88" } { "versionType": "semver-2.0.0", "status": "affected", - "version": "5.6.7-gamma", + "exactly": "5.6.7-gamma", } { "versionType": "semver-2.0.0", "status": "affected", - "version": "6.7.8-delta", + "exactly": "6.7.8-delta", } { "versionType": "semver-2.0.0", "status": "affected", - "lessThan": "1.0.0", + "exclusiveUpperBound": "1.0.0", } { "versionType": "semver-2.0.0", "status": "unknown", - "greaterThanOrEqual": "9.0.0", + "inclusiveLowerBound": "9.0.0", } ], } 
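Review bot: Converting the first example to `inclusiveUpperBound: 2.3.4+build17` makes the bound depend on build metadata, but semver 2.0.0 item 10 says build metadata is ignored when determining precedence, so `2.3.4` and `2.3.4+build17` compare equal and a consumer cannot tell whether `2.3.4` itself is inside the range; the same applies to `exclusiveUpperBound: 4.5.6+assembly88`. Use bounds without `+build` in the examples, or state in the explainer that build metadata must be ignored when evaluating a range, so the documented ranges have one meaning. The objects also still carry trailing commas before `}` and no separators between array elements, so the example is not valid JSON.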
@@ -357,7 +357,7 @@ The `semver-2.0.0` version type has five possible parameters which may be used t #### Explainer -A `semver-2.0.0` version is expressed as either a range or as a single exact version. Chaining multiple `semver-2.0.0` versions can be done to express more complex ranges. A `semver-2.0.0` range must begin with a lower bound which is followed by an upper bound. Each bound may be either inclusive or exclusive. These terms map as `exclusiveUpperBound` to `<`, `inclusiveUpperBound` to `<=`, `exclusiveLowerBound` to `>`, `inclusiveLowerBound` to `>=` and `exactly` to `=`. Thus the first example above could be rewritten as `>= 1.2.3-alpha, < 2.3.4+build17`. +A `semver-2.0.0` version is expressed as either a range or as a single exact version. Chaining multiple `semver-2.0.0` versions can be done to express more complex ranges. A `semver-2.0.0` range must begin with a lower bound which is followed by an upper bound. Each bound may be either inclusive or exclusive. These terms map as `exclusiveUpperBound` to `<`, `inclusiveUpperBound` to `<=`, `exclusiveLowerBound` to `>`, `inclusiveLowerBound` to `>=` and `exactly` to `=`. Thus the first example above could be rewritten as `>= 1.2.3-alpha, <= 2.3.4+build17`. ## Version Status Changes From 56f7a0ef991098ffb4e9415c56adbe5a6e024167 Mon Sep 17 00:00:00 2001 From: Jon Moroney Date: Sun, 14 Sep 2025 14:54:11 -0700 Subject: [PATCH 63/63] Convert rfd text --- rfds/0000-formalize-semver-version-type.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rfds/0000-formalize-semver-version-type.md b/rfds/0000-formalize-semver-version-type.md index 0e3e5a3ae92..5dfc2b46a93 100644 --- a/rfds/0000-formalize-semver-version-type.md +++ b/rfds/0000-formalize-semver-version-type.md 
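Review bot: The explainer sentence `A semver-2.0.0 range must begin with a lower bound which is followed by an upper bound` contradicts the schema in PATCH 59 and the `only-*Bound.json` fixtures, which accept a single bound on its own; reword it to say a range has a lower bound, an upper bound, or both, with a missing side unbounded. The change from `<` to `<=` in the rewritten example correctly tracks the switch to `inclusiveUpperBound`.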
@@ -22,7 +22,7 @@ Failing to adopt stricter datatypes will maintain the status quo which is genera ## Proposed Solution [proposed-solution]: #proposed-solution -The proposed change adds a new "semver-2.0.0-version" pattern and two new properties for expressing version ranges. The two new properties `greaterThan`, and `greaterThanOrEqual` allow for the expression of an either exclusive, or inclusive upper bound on a version range. The new pattern "semver-2.0.0-version" is used to validate payloads which may be provided in the `version`, `lessThan`, `lessThanOrEqual`, `greaterThan`, and `greaterThanOrEqual`. +The proposed change adds a new `semver-2.0.0-version` pattern and five new properties for expressing version ranges. The parameters are `exactly`, `inclusiveLowerBound`, `exclusiveLowerBound`, `inclusiveUpperBound`, and `exclusiveUpperBound` and map to the mathematics operators `=`, `>=`, `>`, `<=`, and `<`. These parameters are only expected to be used with the `semver-2.0.0` version type. Validation is proved in the form of a regular expression which is taken directly from semver.org in order to ensure interoperability. ## Examples [examples]: #examples
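Review bot: Two wording issues in the new Proposed Solution paragraph: `mathematics operators` should be `mathematical operators`, and `Validation is proved in the form of a regular expression` should read `provided`. More substantively, the paragraph should state what the regex does and does not guarantee: it validates the syntax of each bound but not that a lower bound sits below its upper bound or that chained ranges are consistent, so consumers still need a semver comparator and producers still need review for ordering mistakes.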