Misc. Record Format fixes

.gitignore

@@ -1,3 +1,8 @@
 
 package-lock.json
 node_modules
+schema/cve-schema.json
+schema/docs/CVE_Record_Format_bundled.json
+schema/docs/CVE_Record_Format_bundled_adpContainer.json
+schema/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json
+schema/docs/CVE_Record_Format_bundled_cnaRejectedContainer.json

schema/CVE_Record_Format.json

@@ -2,7 +2,7 @@
     "$schema": "http://json-schema.org/draft-07/schema#",
     "$id": "https://cveproject.github.io/cve-schema/schema/CVE_Record_Format.json",
     "title": "CVE JSON record format",
-    "description": "cve-schema specifies the CVE JSON record format. This is the blueprint for a rich set of JSON data that can be submitted by CVE Numbering Authorities (CNAs) and Authorized Data Publishers (ADPs) to describe a CVE Record. Some examples of CVE Record data include CVE ID number, affected product(s), affected version(s), and public references. While those specific items are required when assigning a CVE, there are many other optional data in the schema that can be used to enrich CVE Records for community benefit. Learn more about the CVE program at [the official website](https://www.cve.org). This CVE JSON record format is defined using JSON Schema. Learn more about JSON Schema [here](https://json-schema.org/).",
+    "description": "The CVE Record Format is the blueprint for a rich set of JSON data that can be submitted by CVE Numbering Authorities (CNAs) and Authorized Data Publishers (ADPs) to describe a CVE Record. Some examples of CVE Record data include CVE ID number, affected product(s), affected version(s), and public references. While those specific items are required when assigning a CVE, there are many other optional data in the schema that can be used to enrich CVE Records for community benefit. Learn more about the CVE program at [the official website](https://www.cve.org). This CVE JSON record format is defined using JSON Schema. Learn more about JSON Schema [here](https://json-schema.org/).",
     "definitions": {
         "uriType": {
             "description": "A universal resource identifier (URI), according to [RFC 3986](https://tools.ietf.org/html/rfc3986).",
@@ -82,16 +82,13 @@
             "minLength": 2,
             "maxLength": 32
         },
-        "datestamp": {
-            "description": "Date/time format based on RFC3339 and ISO ISO8601.",
-            "type": "string",
-            "format": "date",
-            "pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))$"
-        },
         "timestamp": {
             "type": "string",
-            "description": "Date/time format based on RFC3339 and ISO ISO8601, with an optional timezone in the format 'yyyy-MM-ddTHH:mm:ss[+-]ZH:ZM'. If timezone offset is not given, GMT (+00:00) is assumed.",
-            "pattern": "^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})?$"
+            "description": "Date/time format based on RFC3339 and ISO ISO8601, with a mandatory timezone in the format 'yyyy-MM-ddTHH:mm:ss[+-]ZH:ZM'.",
+            "pattern": "^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])([+-][0-9]{2}:[0-9]{2})$",
+            "examples": [
+                "2025-01-04T12:01:01+05:30"
+            ]
         },
         "version": {
             "description": "A single version of a product, as expressed in its own version numbering scheme.",
@@ -385,7 +382,9 @@
             "required": [
                 "cveId",
                 "assignerOrgId",
-                "state"
+                "state",
+                "datePublished",
+                "dateReserved"
             ],
             "properties": {
                 "cveId": {
@@ -435,7 +434,9 @@
             "required": [
                 "cveId",
                 "assignerOrgId",
-                "state"
+                "state",
+                "datePublished",
+                "dateReserved"
             ],
             "properties": {
                 "cveId": {
@@ -658,7 +659,8 @@
                 "providerMetadata",
                 "descriptions",
                 "affected",
-                "references"
+                "references",
+                "datePublic"
             ],
             "patternProperties": {
                 "^x_[^.]*$": {}
@@ -835,6 +837,10 @@
                         ],
                         "additionalProperties": false
                     }
+                },
+                "preformatted": {
+                    "type": "boolean",
+                    "description": "If true, indicates the 'description' is preformatted text that should be rendered to preserve spacing and other formatting. If false, will be rendered without preserving formatting."
                 }
             },
             "required": [
@@ -1081,7 +1087,6 @@
                 ],
                 "properties": {
                     "time": {
-                        "description": "Timestamp representing when the event in the timeline occurred. The timestamp format is based on RFC3339 and ISO ISO8601, with an optional timezone. yyyy-MM-ddTHH:mm:ss[+-]ZH:ZM - if the timezone offset is not given, GMT (+00:00) is assumed.",
                         "$ref": "#/definitions/timestamp"
                     },
                     "lang": {
@@ -1147,7 +1152,38 @@
         "source": {
             "type": "object",
             "description": "This is the source information (who discovered it, who researched it, etc.) and optionally a chain of CNA information (e.g. the originating CNA and subsequent parent CNAs who have processed it before it arrives at the MITRE root).\n Must contain: IF this is in the root level it MUST contain a CNA_chain entry, IF this source entry is NOT in the root (e.g. it is part of a vendor statement) then it must contain at least one type of data entry.",
-            "minProperties": 1
+            "minProperties": 1,
+            "properties": {
+                "defect": {
+                    "title": "Defects",
+                    "type": "array",
+                    "description": "CNA specific bug or defect tracking IDs (optional).",
+                    "uniqueItems": true,
+                    "items": {
+                        "type": "string",
+                        "maxLength": 64
+                    }
+                },
+                "advisory": {
+                    "title": "Advisory ID",
+                    "type": "string",
+                    "description": "CNA specific advisory IDs (optional).",
+                    "maxLength": 64
+                },
+                "discovery": {
+                    "type": "string",
+                    "title": "Source of vulnerability discovery",
+                    "enum": [
+                        "INTERNAL",
+                        "EXTERNAL",
+                        "USER",
+                        "UPSTREAM",
+                        "UNKNOWN"
+                    ],
+                    "description": "Source of vulnerability discovery. This may be a factor for some consumers in prioritizing vulnerability response. \nINTERNAL: this vulnerability was found by the CNA's internal research.\nEXTERNAL: this vulnerability was found during research external to a CNA.\nUSER: This vulnerability was discovered during product use.\nUPSTREAM: This vulnerability was found by an upstream vendor or producer.\nUNKNOWN: Source of discovery is not defined or is unknown",
+                    "default": "UNKNOWN"
+                }
+            }
         },
         "language": {
             "type": "string",

schema/docs/CVE_Record_Format_bundled.json

@@ -2,7 +2,7 @@
   "$schema": "http://json-schema.org/draft-07/schema#",
   "$id": "https://cveproject.github.io/cve-schema/schema/CVE_Record_Format.json",
   "title": "CVE JSON record format",
-  "description": "cve-schema specifies the CVE JSON record format. This is the blueprint for a rich set of JSON data that can be submitted by CVE Numbering Authorities (CNAs) and Authorized Data Publishers (ADPs) to describe a CVE Record. Some examples of CVE Record data include CVE ID number, affected product(s), affected version(s), and public references. While those specific items are required when assigning a CVE, there are many other optional data in the schema that can be used to enrich CVE Records for community benefit. Learn more about the CVE program at [the official website](https://cve.mitre.org). This CVE JSON record format is defined using JSON Schema. Learn more about JSON Schema [here](https://json-schema.org/).",
+  "description": "The CVE Record Format is the blueprint for a rich set of JSON data that can be submitted by CVE Numbering Authorities (CNAs) and Authorized Data Publishers (ADPs) to describe a CVE Record. Some examples of CVE Record data include CVE ID number, affected product(s), affected version(s), and public references. While those specific items are required when assigning a CVE, there are many other optional data in the schema that can be used to enrich CVE Records for community benefit. Learn more about the CVE program at [the official website](https://www.cve.org). This CVE JSON record format is defined using JSON Schema. Learn more about JSON Schema [here](https://json-schema.org/).",
   "definitions": {
     "uriType": {
       "description": "A universal resource identifier (URI), according to [RFC 3986](https://tools.ietf.org/html/rfc3986).",
@@ -77,6 +77,7 @@
     },
     "cveId": {
       "type": "string",
+      "description": "The official CVE identifier contains the string 'CVE', followed by the year, followed by a 4 to 19 digit number. Note that the year-part of the identifier should indicate either the year the vulnerability was discovered, or the year the CVE ID is published in. CVE IDs must be unique.",
       "pattern": "^CVE-[0-9]{4}-[0-9]{4,19}$"
     },
     "cpe22and23": {
@@ -107,16 +108,13 @@
       "minLength": 2,
       "maxLength": 32
     },
-    "datestamp": {
-      "description": "Date/time format based on RFC3339 and ISO ISO8601.",
-      "type": "string",
-      "format": "date",
-      "pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))$"
-    },
     "timestamp": {
       "type": "string",
-      "description": "Date/time format based on RFC3339 and ISO ISO8601, with an optional timezone in the format 'yyyy-MM-ddTHH:mm:ss[+-]ZH:ZM'. If timezone offset is not given, GMT (+00:00) is assumed.",
-      "pattern": "^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})?$"
+      "description": "Date/time format based on RFC3339 and ISO ISO8601, with a mandatory timezone in the format 'yyyy-MM-ddTHH:mm:ss[+-]ZH:ZM'.",
+      "pattern": "^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])([+-][0-9]{2}:[0-9]{2})$",
+      "examples": [
+        "2025-01-04T12:01:01+05:30"
+      ]
     },
     "version": {
       "description": "A single version of a product, as expressed in its own version numbering scheme.",
@@ -345,7 +343,7 @@
         },
         "versions": {
           "type": "array",
-          "description": "Set of product versions or version ranges related to the vulnerability. The versions satisfy the CNA Rules [8.1.2 requirement](https://cve.mitre.org/cve/cna/rules.html#section_8-1_cve_entry_information_requirements). Versions or defaultStatus may be omitted, but not both.",
+          "description": "Set of product versions or version ranges related to the vulnerability. The versions help satisfy the CNA Rules [5.1.3 requirement](https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_5-1_Required_CVE_Record_Content). Versions or defaultStatus may be omitted, but not both.",
           "minItems": 1,
           "uniqueItems": true,
           "items": {
@@ -465,7 +463,9 @@
       "required": [
         "cveId",
         "assignerOrgId",
-        "state"
+        "state",
+        "datePublished",
+        "dateReserved"
       ],
       "properties": {
         "cveId": {
@@ -517,7 +517,9 @@
       "required": [
         "cveId",
         "assignerOrgId",
-        "state"
+        "state",
+        "datePublished",
+        "dateReserved"
       ],
       "properties": {
         "cveId": {
@@ -743,7 +745,8 @@
         "providerMetadata",
         "descriptions",
         "affected",
-        "references"
+        "references",
+        "datePublic"
       ],
       "patternProperties": {
         "^x_[^.]*$": {}
@@ -924,6 +927,10 @@
             ],
             "additionalProperties": false
           }
+        },
+        "preformatted": {
+          "type": "boolean",
+          "description": "If true, indicates the 'description' is preformatted text that should be rendered to preserve spacing and other formatting. If false, will be rendered without preserving formatting."
         }
       },
       "required": [
@@ -3239,7 +3246,6 @@
         ],
         "properties": {
           "time": {
-            "description": "Timestamp representing when the event in the timeline occurred. The timestamp format is based on RFC3339 and ISO ISO8601, with an optional timezone. yyyy-MM-ddTHH:mm:ss[+-]ZH:ZM - if the timezone offset is not given, GMT (+00:00) is assumed.",
             "$ref": "#/definitions/timestamp"
           },
           "lang": {
@@ -3305,7 +3311,38 @@
     "source": {
       "type": "object",
       "description": "This is the source information (who discovered it, who researched it, etc.) and optionally a chain of CNA information (e.g. the originating CNA and subsequent parent CNAs who have processed it before it arrives at the MITRE root).\n Must contain: IF this is in the root level it MUST contain a CNA_chain entry, IF this source entry is NOT in the root (e.g. it is part of a vendor statement) then it must contain at least one type of data entry.",
-      "minProperties": 1
+      "minProperties": 1,
+      "properties": {
+        "defect": {
+          "title": "Defects",
+          "type": "array",
+          "description": "CNA specific bug or defect tracking IDs (optional).",
+          "uniqueItems": true,
+          "items": {
+            "type": "string",
+            "maxLength": 64
+          }
+        },
+        "advisory": {
+          "title": "Advisory ID",
+          "type": "string",
+          "description": "CNA specific advisory IDs (optional).",
+          "maxLength": 64
+        },
+        "discovery": {
+          "type": "string",
+          "title": "Source of vulnerability discovery",
+          "enum": [
+            "INTERNAL",
+            "EXTERNAL",
+            "USER",
+            "UPSTREAM",
+            "UNKNOWN"
+          ],
+          "description": "Source of vulnerability discovery. This may be a factor for some consumers in prioritizing vulnerability response. \nINTERNAL: this vulnerability was found by the CNA's internal research.\nEXTERNAL: this vulnerability was found during research external to a CNA.\nUSER: This vulnerability was discovered during product use.\nUPSTREAM: This vulnerability was found by an upstream vendor or producer.\nUNKNOWN: Source of discovery is not defined or is unknown",
+          "default": "UNKNOWN"
+        }
+      }
     },
     "language": {
       "type": "string",
@@ -3519,4 +3556,4 @@
       "additionalProperties": false
     }
   ]
-}
+}