Skip to content

Add a formal semver 2.0.0 version type #371

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 63 commits into
base: feature-PR371-semver2.0
Choose a base branch
from
Open

Add a formal semver 2.0.0 version type #371

Show file tree
Hide file tree
Changes from 15 commits
Commits
Show all changes
63 commits
Select commit Hold shift + click to select a range
c50a136
Add a formal semver 2.0.0 version type
darakian Dec 9, 2024
bec099b
Add an example for discussion
darakian Jan 22, 2025
20f9b39
Add some text for the parameters and remove markdown horizontal break
darakian Jan 22, 2025
e637776
Expand example to show inclusive/exclusive bounds and single version …
darakian Jan 30, 2025
fffd0cd
Add explainer
darakian Jan 30, 2025
16680d2
Add examples of single sided ranges. ex < 1.0.0 or >= 9.0.0 to allow …
darakian Feb 19, 2025
208980b
Add status back as a parameter after sync chat in QWG meeting on 2025…
darakian Feb 20, 2025
0ce6601
Stub new properties
darakian Mar 5, 2025
62db169
Add pattern regex
darakian Mar 5, 2025
34af2ae
and trim newline
darakian Mar 5, 2025
046dadd
Add an attempt at json schema options for semver 2.0.0
darakian Mar 6, 2025
484ca76
Add valid forms of semver-2.0.0 usage
darakian Mar 12, 2025
3527158
trim extra comma
darakian Mar 12, 2025
b037e53
Switch from anyOf to oneOf
darakian Mar 12, 2025
226158a
Update build.js to reference current schema location
darakian Mar 12, 2025
e264318
Add missing comma
darakian Mar 12, 2025
ddf4895
Double slash seems to be the correct approach
darakian Mar 13, 2025
7b77630
Fix typo to allow stand alone inclusive lower bound
darakian Mar 13, 2025
bf48730
Add validation of schemas to the workflow
darakian Mar 14, 2025
e333f53
Prefer test over validate for symmetry with invalid test to come
darakian Mar 14, 2025
992e9c3
Be strict about versionType value
darakian Mar 14, 2025
9226d60
Add invalid test for missing versionType
darakian Mar 14, 2025
3f33ceb
Break tests out for easier long term managment
darakian Mar 14, 2025
eb4fd2f
Add test case for mixing exactly with a range
darakian Mar 14, 2025
36a22ee
Add test case for duplicate upper bounds
darakian Mar 14, 2025
fd0d7e1
Add test case for duplicate lower bounds
darakian Mar 14, 2025
745cc6f
Add semver tests to the workflow
darakian Mar 14, 2025
a0ff77b
Remove test
darakian Mar 14, 2025
9f839d6
Removing this test for now. Unclear why it fails
darakian Mar 14, 2025
5cc921e
Move semver regex out to a single def and reference it
darakian Apr 1, 2025
9a4ad63
stub idea for changes block
darakian Apr 1, 2025
50d0e12
Add a test to ensure asterisk usage fails
darakian Apr 18, 2025
a72e5b8
Update schema with working concept of reusing old parameters. Adds tw…
darakian Apr 30, 2025
9d53824
Update positive tests. IMO they are less readable than before
darakian Apr 30, 2025
30bd0de
Check for invalid format in semver 2.0.0 rather than invalid version …
darakian Apr 30, 2025
10c83ec
Clean up language on usage of the two new parameters
darakian May 1, 2025
fc8b7b8
Typo fix 🤦
darakian May 1, 2025
6135668
Remove missing version test since not specifying is valid and the use…
darakian May 8, 2025
43e4f17
Update negative tests
darakian May 8, 2025
1e91117
ref instead of duplicate regex
darakian May 11, 2025
0dc04e2
remove overconstraint I guess. This lets two tests pass (mixedRange1 …
darakian May 11, 2025
da94093
Stub rfd from template
darakian Jun 14, 2025
5ac7c5f
Stage draft RFD
darakian Jun 16, 2025
a3f5748
Update success metrics
darakian Jun 17, 2025
b8b9afd
Update migration
darakian Jun 17, 2025
85af8eb
update impact
darakian Jun 17, 2025
97f14c2
Remove blank line
darakian Jun 17, 2025
b800796
typo plus a +
darakian Jun 26, 2025
69aba3f
Better impact
darakian Jun 26, 2025
c9fde50
Remove the word new
darakian Jul 16, 2025
bc077f5
Update verbiage
darakian Jul 16, 2025
64774b5
Update examples
darakian Jul 16, 2025
4d091a0
Mention that not adopting is an option
darakian Jul 16, 2025
7ba977b
Remove template text for supporting data/research
darakian Jul 16, 2025
1bb151e
Delete some trailing commas
darakian Jul 17, 2025
4427021
Provide symmetry in parameter requirements
darakian Jul 17, 2025
c6e12cb
Delete two more trailing commas
darakian Jul 18, 2025
46c5293
Small fix
darakian Jul 31, 2025
cffccd7
Restore first construction.
darakian Sep 14, 2025
8a4824a
Convert invalid tests
darakian Sep 14, 2025
f7c4fe6
Convert valid tests
darakian Sep 14, 2025
5cfcb16
Convert doc text
darakian Sep 14, 2025
56f7a0e
Convert rfd text
darakian Sep 14, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
47 changes: 47 additions & 0 deletions schema/CVE_Record_Format.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -303,6 +303,30 @@
},
{
"required": ["version", "status", "versionType", "lessThanOrEqual"]
},
{
"required": ["status", "versionType"],
"oneOf": [
{"required": ["exactly"]},
{"required": ["inclusiveUpperBound"]},
{"required": ["exclusiveLowerBound"]},
{"required": ["inclusiveUpperBound"]},
{"required": ["exclusiveUpperBound"]}
]
},
{
"required": ["status", "versionType", "inclusiveLowerBound"],
"oneOf": [
{"required": ["inclusiveUpperBound"]},
{"required": ["exclusiveUpperBound"]}
]
}
{
"required": ["status", "versionType", "exclusiveLowerBound"],
"oneOf": [
{"required": ["inclusiveUpperBound"]},
{"required": ["exclusiveUpperBound"]}
]
}
],
"properties": {
Expand Down Expand Up @@ -357,6 +381,29 @@
}
}
}
},
"exactly": {
"description": "A single semver 2.0.0 version to mark",
"pattern": "^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$"
},
"inclusiveLowerBound": {
"description": "A valid semver 2.0.0 value used as a lower bound. Explicitly also affected.",
"pattern": "^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$"

},
"exclusiveLowerBound": {
"description": "A valid semver 2.0.0 value used as a lower bound. Explicitly not affected.",
"pattern": "^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$"

},
"inclusiveUpperBound": {
"description": "A valid semver 2.0.0 value used as an upper bound. Explicitly also affected.",
"pattern": "^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$"

},
"exclusiveUpperBound": {
"description": "A valid semver 2.0.0 value used as an upper bound. Explicitly not affected.",
"pattern": "^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$"
}
},
"additionalProperties": false
Expand Down
72 changes: 72 additions & 0 deletions schema/docs/versions.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -288,6 +288,78 @@ Now that we know how to encode version objects, that would be written as:
}
]

### Version Types

#### Semantic versioning 2.0.0

Type identifier: `semver-2.0.0`
Formally specified here at https://semver.org/spec/v2.0.0.html
`semver-2.0.0` is new type introduced to formally specify usage of semantic versioning.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: "new type" → "type"

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good call. Removed in c9fde50


`semver-2.0.0` in its simplest form is a dot separated triple. eg `1.2.3`. The three parts have names with the first being the `MAJOR`, the second being `MINOR` and the third `PATCH`. The [Semantic](https://en.wikipedia.org/wiki/Semantics) meaning of each is described as
1. MAJOR version when you make incompatible API changes
2. MINOR version when you add functionality in a backward compatible manner
3. PATCH version when you make backward compatible bug fixes
This triple can be extended with either a `-` or a `+` or with both for `pre-release` and `build` identifiers.
The triple can only be populated with non-negative integers and must not contain leading zeros.
Ordering of the triple is determined by the first difference when comparing each of these identifiers from left to right as follows: Major, minor, and patch versions are always compared numerically.
Full ordering for pre-releases and builds are described in the semver document [here](https://semver.org/spec/v2.0.0.html#spec-item-11).
While the triple can only contain numeric values the `pre-release` and `build` are free to be alpha numeric.
A complete definition of this version type can be viewed here
https://semver.org/spec/v2.0.0.html#backusnaur-form-grammar-for-valid-semver-versions

In the interest of simplicity the `semver-2.0.0` version type has two parameters which define a continuous range. `lowerBound` and `upperBound` each must be a valid semver triple with optional pre-release/build extensions.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like this hasn't been rewritten from a prior version of the proposal which used inclusiveLowerBound et al.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated in
bc077f5
and
64774b5


##### Example

```
"affected": [
{
"vendor": "Example.org",
"product": "Example Enterprise",
"versions": [
{
"versionType": "semver-2.0.0",
"status": "affected",
"inclusiveLowerBound": "1.2.3-alpha",
"exclusiveUpperBound": "2.3.4+build17"
}
{
"versionType": "semver-2.0.0",
"status": "unaffected",
"exclusiveLowerBound": "3.4.5-beta",
"inclusiveUpperBound": "4.5.6+assembly88"
}
{
"versionType": "semver-2.0.0",
"status": "affected",
"exactly": "5.6.7-gamma",
}
{
"versionType": "semver-2.0.0",
"status": "affected",
"exactly": "6.7.8-delta",
}
{
"versionType": "semver-2.0.0",
"status": "affected",
"exclusiveUpperBound": "1.0.0",
}
{
"versionType": "semver-2.0.0",
"status": "unknown",
"inclusiveLowerBound": "9.0.0",
}
],
}
],
```

#### Explainer

A `semver-2.0.0` version is expressed as either a range or as a single exact version. Chaining multiple `semver-2.0.0` versions can be done to express more complex ranges. A `semver-2.0.0` range must begin with a lower bound which is followed by an upper bound. Each bound may be either inclusive or exclusive. These terms map as `exclusiveUpperBound` to `<`, `inclusiveUpperBound` to `<=`, `exclusiveLowerBound` to `>`, `inclusiveLowerBound` to `>=` and `exactly` to `=`. Thus the first example above could be rewritten as `>= 1.2.3-alpha, < 2.3.4+build17`.


## Version Status Changes

As presented in the previous section,
Expand Down
2 changes: 1 addition & 1 deletion schema/support/Node_Validator/build.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ const path = require("path")
const Ajv = require('ajv').default;
const standaloneCode = require("ajv/dist/standalone").default
const addFormats = require('ajv-formats').default;
const schema = require("../../docs/CVE_JSON_bundled.json")
const schema = require("../../docs/CVE_Record_Format_bundled.json")

function reduceSchema(o) {
for(prop in o) {
Expand Down
151 changes: 151 additions & 0 deletions schema/support/tests/valid/semver2-0-0.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,151 @@
{
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"cveMetadata": {
"cveId": "CVE-1900-1234",
"assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6"
},
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-78 OS Command Injection"
}
]
}
],
"affected": [
{
"vendor": "Example.org",
"product": "Example Enterprise",
"versions": [
{
"versionType": "semver-2.0.0",
"status": "affected",
"exactly": "1.2.3"
}
],
"defaultStatus": "unaffected"
},
{
"vendor": "Example2.org",
"product": "Another Example Enterprise",
"versions": [
{
"versionType": "semver-2.0.0",
"status": "affected",
"exclusiveLowerBound": "1.2.3"
}
],
"defaultStatus": "unaffected"
},
{
"vendor": "Example3.org",
"product": "Another Example Enterprise",
"versions": [
{
"versionType": "semver-2.0.0",
"status": "affected",
"inclusiveLowerBound": "1.2.3"
}
],
"defaultStatus": "unaffected"
},
{
"vendor": "Example4.org",
"product": "Another Example Enterprise",
"versions": [
{
"versionType": "semver-2.0.0",
"status": "affected",
"inclusiveUpperBound": "1.2.3"
}
],
"defaultStatus": "unaffected"
},
{
"vendor": "Example4.org",
"product": "Another Example Enterprise",
"versions": [
{
"versionType": "semver-2.0.0",
"status": "affected",
"exclusiveUpperBound": "1.2.3"
}
],
"defaultStatus": "unaffected"
},
{
"vendor": "Example5.org",
"product": "Another Example Enterprise",
"versions": [
{
"versionType": "semver-2.0.0",
"status": "affected",
"inclusiveLowerBound": "1.2.3",
"inclusiveUpperBound": "2.3.4"
}
],
"defaultStatus": "unaffected"
},
{
"vendor": "Example6.org",
"product": "Another Example Enterprise",
"versions": [
{
"versionType": "semver-2.0.0",
"status": "affected",
"inclusiveLowerBound": "1.2.3",
"exclusiveUpperBound": "2.3.4"
}
],
"defaultStatus": "unaffected"
},
{
"vendor": "Example7.org",
"product": "Another Example Enterprise",
"versions": [
{
"versionType": "semver-2.0.0",
"status": "affected",
"exclusiveLowerBound": "1.2.3",
"inclusiveUpperBound": "2.3.4"
}
],
"defaultStatus": "unaffected"
},
{
"vendor": "Example8.org",
"product": "Another Example Enterprise",
"versions": [
{
"versionType": "semver-2.0.0",
"status": "affected",
"exclusiveLowerBound": "1.2.3",
"exclusiveUpperBound": "2.3.4"
}
],
"defaultStatus": "unaffected"
}
],
"descriptions": [
{
"lang": "en",
"value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9."
}
],
"references": [
{
"url": "https://example.org/ESA-22-11-CVE-1900-1234"
}
]
}
}
}