
CVE Record Format version 5.2.0


@ccoffin ccoffin released this 29 Oct 13:44
5533f60

Changes in CVE Record Format 5.2.0:

  1. Added support for PURL (Package URL) identifiers via a new packageURL property on the affected array items (i.e., product objects).
  2. Set additionalProperties to false for the affected array items. Property names that the schema does not define, including new, misspelled or renamed ones, are no longer allowed on affected array items (i.e., product objects).
  3. Updated the example CVE Records, including PURL examples, tag examples, and a fix to improve compliance with the CNA Rules.
  4. Made multiple documentation and infrastructure improvements to better support future CVE Record Format updates.

CVE JSON producing tools or CVE client implementation considerations:

⚠️ Important Vulnogram Compatibility Update - Vulnogram is a widely used tool for creating and editing CVE information in CVE JSON format and for generating advisories. A live instance of Vulnogram is available and can be used immediately for creating and submitting CVE Records; it was recently updated to allow loading of CVE Record Format 5.2.0 Records.
If you have forked Vulnogram or developed tools based on it, you may need to update your code to support loading of 5.2.0 CVE Records.

You should modify default/cve5/script.js (line 526 in Vulnogram at the time of writing) so that 5.2 is accepted as a valid dataVersion. The GitHub commit that added 5.1 support shows the same kind of change.

Replace:

(res && res.dataVersion == "5.0" || res.dataVersion == "5.1")

with

(res && (res.dataVersion == "5.0" || res.dataVersion == "5.1" || res.dataVersion == "5.2"))

Alternatively, replace the check with a pattern that accepts every 5.x version, such as:

(res?.dataVersion?.match?.(/^5\.(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))?$/))
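The two replacement conditions above, written out as functions so they can be tested on realistic inputs. This is an added example and not Vulnogram's code; the record objects are constructed inline. It also shows why the original condition needs the extra parentheses: `res && a || b` parses as `(res && a) || b`, so when `res` is null the right-hand comparison dereferences null and throws instead of returning false.

```javascript
// Added example (not Vulnogram code): decide whether a loaded record's
// dataVersion is one this client knows how to handle.

// Strategy 1: explicit allowlist, extended with "5.2" for Record Format 5.2.0.
const SUPPORTED_DATA_VERSIONS = new Set(["5.0", "5.1", "5.2"]);

function isSupportedExplicit(res) {
  // Guard `res` before touching res.dataVersion. The unparenthesised form
  // `res && a || b` evaluates `b` when res is null and throws a TypeError.
  return Boolean(res && SUPPORTED_DATA_VERSIONS.has(res.dataVersion));
}

// Strategy 2: accept every 5.x (and 5.x.y) version string. Leading zeros are
// rejected ("5.01"), so only canonical version strings pass.
const DATA_VERSION_5X = /^5\.(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))?$/;

function isSupported5x(res) {
  // Optional chaining tolerates a missing record and a non-string dataVersion:
  // a number has no .match, so `.match?.(...)` short-circuits to undefined.
  return Boolean(res?.dataVersion?.match?.(DATA_VERSION_5X));
}

// Reproduces the original, unparenthesised condition to show the failure mode.
// Returns "throws" instead of propagating the TypeError so callers can compare.
function originalConditionBehaviour(res) {
  try {
    return Boolean(res && res.dataVersion == "5.0" || res.dataVersion == "5.1");
  } catch (e) {
    return "throws";
  }
}

// Constructed records (not real CVE data) covering the cases a loader meets.
const SAMPLE_RECORDS = {
  v50: { dataType: "CVE_RECORD", dataVersion: "5.0" },
  v52: { dataType: "CVE_RECORD", dataVersion: "5.2" },
  v510: { dataType: "CVE_RECORD", dataVersion: "5.10" },
  v60: { dataType: "CVE_RECORD", dataVersion: "6.0" },
  numeric: { dataType: "CVE_RECORD", dataVersion: 5 },
  missing: null,
};
```

Strategy 1 is what the first replacement does and must be touched every time a new 5.x release ships; strategy 2 is the second replacement and accepts future 5.x records automatically, which is only appropriate if the loader really is forward compatible with fields it has never seen.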

⚠️ In some rare instances, a tool may be emitting misspelled or non-standard JSON property names, or adding extra properties to the affected array items (product objects). Because additionalProperties is now false for those items, schema validation will flag and reject such Records.

⚠️ If a CVE services client is performing schema validation prior to submission, please use the CVE Record Format 5.2.0 schema to validate the Record.

✅ Note that adding PURLs to a CVE Record is optional and NOT required for CNAs.

✅ The CVE Record Format disallows a package version inside a PURL, because it could conflict with the versions data already carried by the affected array items. PURLs within the CVE Record Format should NOT include a version; the version belongs in the versions property.

✅ Important Additional Guidance for PURL Support - When included, the provided PURLs should align with the human-readable product and version properties that are already required when producing CVE Records.

✅ With the exception of the rare case described above, if a tool already produces valid CVE Record Format 5.1.1 Records then no changes to client-side tooling are required. However, upgrading to the CVE Record Format 5.2.0 is recommended in order to use the new features listed above.
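A pre-submission lint that catches the two conditions called out in this section: properties on an affected item that the 5.2.0 schema no longer tolerates, and a packageURL that carries a version. This is an added example and not CVE Program or Vulnogram code. The set of permitted property names is my reading of the 5.2.0 product object (the 5.1.1 properties plus packageURL) and should be confirmed against the published schema; the sample record is constructed and not a real CVE.

```javascript
// Added example (not CVE Program code): lint the affected[] array of a CVE
// record before submission.

// Property names permitted on an affected[] item. Assumed from the 5.2.0
// schema (5.1.1 product properties plus packageURL); verify against the
// published schema before relying on this list.
const AFFECTED_ITEM_PROPERTIES = new Set([
  "vendor", "product", "collectionURL", "packageName", "packageURL", "cpes",
  "modules", "programFiles", "programRoutines", "platforms", "repo",
  "defaultStatus", "versions",
]);

// Return the version component of a PURL, or null when there is none.
// PURL layout: pkg:type/namespace/name@version?qualifiers#subpath
// A literal '@' in namespace or name must be percent-encoded (%40), so any
// bare '@' in the path part introduces a version.
function purlVersion(purl) {
  const path = purl.split("#")[0].split("?")[0];
  const at = path.indexOf("@");
  return at === -1 ? null : path.slice(at + 1);
}

// Lint one record's CNA affected[] array and return human-readable findings.
function lintAffected(record) {
  const findings = [];
  const affected = record?.containers?.cna?.affected ?? [];
  affected.forEach((item, i) => {
    for (const key of Object.keys(item)) {
      if (!AFFECTED_ITEM_PROPERTIES.has(key)) {
        findings.push(`affected[${i}]: unknown property "${key}" (rejected by the 5.2.0 schema)`);
      }
    }
    if (item.packageURL !== undefined) {
      if (typeof item.packageURL !== "string" || !item.packageURL.startsWith("pkg:")) {
        findings.push(`affected[${i}]: packageURL must be a string beginning with "pkg:"`);
      } else {
        const v = purlVersion(item.packageURL);
        if (v !== null) {
          findings.push(`affected[${i}]: packageURL carries version "${v}"; put versions in the versions property instead`);
        }
      }
    }
  });
  return findings;
}

// Constructed sample record (not a real CVE). affected[0] is compliant;
// affected[1] has a versioned PURL and a misspelled property name.
const SAMPLE_RECORD = {
  dataType: "CVE_RECORD",
  dataVersion: "5.2",
  containers: {
    cna: {
      affected: [
        {
          vendor: "ExampleVendor",
          product: "example-lib",
          packageURL: "pkg:npm/example-lib",
          versions: [{ version: "1.0.0", status: "affected", lessThan: "1.2.0", versionType: "semver" }],
        },
        {
          vendor: "ExampleVendor",
          product: "example-lib",
          packageURL: "pkg:npm/example-lib@1.1.0",
          package_name: "example-lib",
          versions: [{ version: "1.1.0", status: "affected" }],
        },
      ],
    },
  },
};
```

This lint is a fast local check, not a replacement for validating against the published 5.2.0 JSON schema; run both, since the schema also enforces the types and required members of each property that this code does not inspect.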

CVE data consumer considerations:

⚠️ If a CVE data consumer validates the JSON data against the CVE Record Format schema, it is recommended that they begin using the CVE Record Format 5.2.0 schema, since Records carrying dataVersion 5.2 or the packageURL property will not pass validation against older schema versions.

✅ If a CVE data consumer does not validate the JSON data against the CVE Record Format schema, no changes to the consumer-side code are required.