Merge pull request #1190 from CVEProject/5.1-schema-test
Draft: Resolves #1124, #1126, #1185, #1186 5.1 schema implementation
david-rocca committed Feb 27, 2024
2 parents f91d651 + 537a75e commit 82fc7cb
Showing 38 changed files with 5,855 additions and 3,926 deletions.
3 changes: 0 additions & 3 deletions schemas/cve/update-full-cve-record-response.json
Expand Up @@ -98,9 +98,6 @@
"name": {
"type": "string"
},
"refsource": {
"type": "string"
},
"url": {
"type": "string"
}
2 changes: 1 addition & 1 deletion src/constants/index.js
@@ -1,5 +1,5 @@
const fs = require('fs')
const cveSchemaV5 = JSON.parse(fs.readFileSync('src/middleware/5.0_bundled_schema.json'))
const cveSchemaV5 = JSON.parse(fs.readFileSync('src/middleware/schemas/CVE_JSON_5.1_bundled.json'))

/**
* Return default values.
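Review bot: The new path on the `cveSchemaV5` line is resolved against the process working directory, so the service only starts when launched from the repository root; the same applies to the two schema loads in src/controller/cve.controller/cve.middleware.js and the first hunk of src/middleware/middleware.js. Anchoring the path to the module, `const cveSchemaV5 = JSON.parse(fs.readFileSync(path.join(__dirname, '../middleware/schemas/CVE_JSON_5.1_bundled.json'), 'utf8'))`, or simply `const cveSchemaV5 = require('../middleware/schemas/CVE_JSON_5.1_bundled.json')`, removes that dependence and the implicit Buffer-to-string coercion in `JSON.parse`. The bundled schema is also parsed a second time in middleware.js; exporting it once from this constants module would keep both validators on the same object. The module continues past the hunk.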
4 changes: 2 additions & 2 deletions src/controller/cve.controller/cve.middleware.js
Expand Up @@ -3,8 +3,8 @@ const errors = require('./error')
const error = new errors.CveControllerError()
const utils = require('../../utils/utils')
const fs = require('fs')
const RejectedSchema = JSON.parse(fs.readFileSync('src/middleware/Reject_5.0_Schema.json'))
const cnaContainerSchema = JSON.parse(fs.readFileSync('src/controller/cve.controller/cna_container_schema.json'))
const RejectedSchema = JSON.parse(fs.readFileSync('src/middleware/schemas/5.1_rejected_cna_container.json'))
const cnaContainerSchema = JSON.parse(fs.readFileSync('src/middleware/schemas/5.1_published_cna_container.json'))
const logger = require('../../middleware/logger')
const Ajv = require('ajv')
const addFormats = require('ajv-formats')
2,034 changes: 0 additions & 2,034 deletions src/middleware/5.0_bundled_schema.json

This file was deleted.

12 changes: 11 additions & 1 deletion src/middleware/Reject_5.0_Schema.json
Expand Up @@ -147,10 +147,17 @@
"$ref": "#/definitions/providerMetadata"
},
"rejectedReasons": {
"description": "Reasons for rejecting this CVE Record.",
"$ref": "#/definitions/rejectedReasons"
},
"replacedBy": {
"$ref": "#/definitions/replacedBy"
"type": "array",
"description": "Contains an array of CVE IDs that this CVE ID was rejected in favor of because this CVE ID was assigned to the vulnerabilities.",
"minItems": 1,
"uniqueItems": true,
"items": {
"$ref": "#/definitions/cveId"
}
}
},
"required": [
Expand All @@ -162,5 +169,8 @@
"additionalProperties": false
}
},
"required": [
"cnaContainer"
],
"additionalProperties": false
}
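Review bot: Reject_5.0_Schema.json gains an inline `replacedBy` definition and a top-level `required`, yet the only loader of this file visible in the commit (src/controller/cve.controller/cve.middleware.js) now reads schemas/5.1_rejected_cna_container.json, whose cnaContainer block is identical to what is added here. If nothing else still loads the 5.0 file, this hunk maintains a copy that can drift from the 5.1 schema unnoticed; it would be safer to delete it alongside 5.0_bundled_schema.json, or to add a `"$comment": "Kept for <reason>; mirror changes in schemas/5.1_rejected_cna_container.json"` with the real reason filled in. Whether the removed `#/definitions/replacedBy` target still exists in the definitions block cannot be seen from the hunk, so an orphaned definition may remain. The `replacedBy` description ending in "was assigned to the vulnerabilities" reads as an unfinished sentence and is repeated verbatim in the new 5.1 file; the wording should be checked against the upstream schema text.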
4 changes: 2 additions & 2 deletions src/middleware/middleware.js
@@ -1,6 +1,6 @@
const getConstants = require('../constants').getConstants
const fs = require('fs')
const cveSchemaV5 = JSON.parse(fs.readFileSync('src/middleware/5.0_bundled_schema.json'))
const cveSchemaV5 = JSON.parse(fs.readFileSync('src/middleware/schemas/CVE_JSON_5.1_bundled.json'))
const argon2 = require('argon2')
const logger = require('./logger')
const Ajv = require('ajv')
Expand Down Expand Up @@ -321,7 +321,7 @@ function validateCveJsonSchema (req, res, next) {
logger.info({ uuid: req.ctx.uuid, message: 'Validating CVE JSON schema.' })
let result

if (cveVersion === '5.0') {
if (cveVersion === '5.1') {
if (['PUBLISHED', 'RESERVED', 'REJECTED'].includes(cveState)) {
result = validate(cve)
} else {
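Review bot: Changing the guard to `cveVersion === '5.1'` sends any submission whose dataVersion is still `5.0` into the else branch, which lies outside this hunk, so whether such records are now rejected or handled elsewhere cannot be confirmed here. If 5.0-shaped records are meant to stay valid under the 5.1 schema, accepting both values, `if (['5.0', '5.1'].includes(cveVersion)) {`, avoids a silent break for existing clients; if not, the rejection should be deliberate and documented. The version literal is now duplicated between this check and the schema filename in the first hunk; a named constant in src/constants, with a comment such as `// supported CVE record dataVersion; must match the bundled schema file`, would tie them together. validateCveJsonSchema starts before the hunk and continues past it.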
2,300 changes: 2,300 additions & 0 deletions src/middleware/schemas/5.1_published_cna_container.json

Large diffs are not rendered by default.

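--- a/src/middleware/schemas/5.1_rejected_cna_container.json
+++ b/src/middleware/schemas/5.1_rejected_cna_container.json
@@ -0,0 +1,188 @@
+{
+"definitions": {
+"uuidType": {
+"description": "A version 4 (random) universally unique identifier (UUID) as defined by [RFC 4122](https://tools.ietf.org/html/rfc4122#section-4.1.3).",
+"type": "string",
+"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
+},
+"cveId": {
+"type": "string",
+"pattern": "^CVE-[0-9]{4}-[0-9]{4,19}$"
+},
+"orgId": {
+"description": "A UUID for an organization participating in the CVE program. This UUID can be used to lookup the organization record in the user registry service.",
+"$ref": "#/definitions/uuidType"
+},
+"shortName": {
+"description": "A 2-32 character name that can be used to complement an organization's UUID.",
+"type": "string",
+"minLength": 2,
+"maxLength": 32
+},
+"timestamp": {
+"type": "string",
+"format": "date-time",
+"description": "Date/time format based on RFC3339 and ISO ISO8601, with an optional timezone in the format 'yyyy-MM-ddTHH:mm:ss[+-]ZH:ZM'. If timezone offset is not given, GMT (+00:00) is assumed.",
+"pattern": "^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})?$"
+},
+"providerMetadata": {
+"type": "object",
+"description": "Details related to the information container provider (CNA or ADP).",
+"properties": {
+"orgId": {
+"$ref": "#/definitions/orgId",
+"description": "The container provider's organizational UUID."
+},
+"shortName": {
+"$ref": "#/definitions/shortName",
+"description": "The container provider's organizational short name."
+},
+"dateUpdated": {
+"$ref": "#/definitions/timestamp",
+"description": "Timestamp to be set by the system of record at time of submission. If dateUpdated is provided to the system of record it will be replaced by the current timestamp at the time of submission."
+}
+},
+"required": [
+"orgId"
+],
+"additionalProperties": false
+},
+"description": {
+"type": "object",
+"description": "Text in a particular language with optional alternate markup or formatted representation (e.g., Markdown) or embedded media.",
+"properties": {
+"lang": {
+"$ref": "#/definitions/language"
+},
+"value": {
+"type": "string",
+"description": "Plain text description.",
+"minLength": 1,
+"maxLength": 4096
+},
+"supportingMedia": {
+"type": "array",
+"title": "Supporting media",
+"description": "Supporting media data for the description such as markdown, diagrams, .. (optional). Similar to RFC 2397 each media object has three main parts: media type, media data value, and an optional boolean flag to indicate if the media data is base64 encoded.",
+"uniqueItems": true,
+"minItems": 1,
+"items": {
+"type": "object",
+"properties": {
+"type": {
+"type": "string",
+"title": "Media type",
+"minLength": 1,
+"maxLength": 256,
+"description": "RFC2046 compliant IANA Media type for eg., text/markdown, text/html.",
+"examples": [
+"text/markdown",
+"text/html",
+"image/png",
+"image/svg",
+"audio/mp3"
+]
+},
+"base64": {
+"type": "boolean",
+"title": "Encoding",
+"description": "If true then the value field contains the media data encoded in base64. If false then the value field contains the UTF-8 media content.",
+"default": false
+},
+"value": {
+"type": "string",
+"description": "Supporting media content, up to 16K. If base64 is true, this field stores base64 encoded data.",
+"minLength": 1,
+"maxLength": 16384
+}
+},
+"required": [
+"type",
+"value"
+],
+"additionalProperties": false
+}
+}
+},
+"required": [
+"lang",
+"value"
+],
+"additionalProperties": false
+},
+"englishLanguageDescription": {
+"type": "object",
+"description": "A description with lang set to an English language (en, en_US, en_UK, and so on).",
+"properties": {
+"lang": {
+"$ref": "#/definitions/englishLanguage"
+}
+},
+"required": [
+"lang"
+],
+"$comment": "Cannot use additionalProperties: false here, as this prevents the other properties used by /definitions/description."
+},
+"descriptions": {
+"type": "array",
+"description": "A list of multi-lingual descriptions of the vulnerability. E.g., [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]. OR [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] [ROOT CAUSE], which allows [ATTACKER] to [IMPACT] via [VECTOR].",
+"minItems": 1,
+"uniqueItems": true,
+"items": {
+"$ref": "#/definitions/description"
+},
+"contains": {
+"$ref": "#/definitions/englishLanguageDescription"
+}
+},
+"language": {
+"type": "string",
+"description": "BCP 47 language code, language-region.",
+"default": "en",
+"pattern": "^[A-Za-z]{2,4}([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$"
+},
+"englishLanguage": {
+"type": "string",
+"description": "BCP 47 language code, language-region, required to be English.",
+"pattern": "^en([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$"
+}
+},
+"properties": {
+"cnaContainer": {
+"description": "An object containing the vulnerability information provided by a CVE Numbering Authority (CNA) for a rejected CVE ID. There can only be one CNA container per CVE record since there can only be one assigning CNA.",
+"type": "object",
+"properties": {
+"providerMetadata": {
+"$ref": "#/definitions/providerMetadata"
+},
+"rejectedReasons": {
+"description": "Reasons for rejecting this CVE Record.",
+"$ref": "#/definitions/descriptions"
+},
+"replacedBy": {
+"type": "array",
+"description": "Contains an array of CVE IDs that this CVE ID was rejected in favor of because this CVE ID was assigned to the vulnerabilities.",
+"minItems": 1,
+"uniqueItems": true,
+"items": {
+"$ref": "#/definitions/cveId"
+}
+}
+},
+"required": [
+"rejectedReasons"
+],
+"patternProperties": {
+"^x_[^.]*$": {}
+},
+"additionalProperties": false
+}
+},
+"required": [
+"cnaContainer"
+],
+"$comment": "The character . is restricted in names allowed by patternProperties to work-around naming limitations in some common implementations.",
+"additionalProperties": false,
+"$schema": "http://json-schema.org/draft-07/schema#",
+"title": "rejected_cna_container_bundled"
+}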
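Review bot: The `patternProperties` entry `^x_[^.]*$` maps to the empty schema `{}`, so any `x_`-prefixed key inside cnaContainer is accepted with a value of any type, nesting depth and size; none of the `maxLength`/`maxItems`/`additionalProperties: false` bounds that constrain the named properties apply to it, so whatever arrives under such keys passes validation and presumably reaches storage unchecked, limited only by whatever request-body cap the HTTP layer enforces. A `"$comment"` on that entry stating that extension keys are intentionally unvalidated and where the size bound lives, or a bounded schema such as `{ "type": "object", "maxProperties": <limit> }` in place of `{}`, would make the decision explicit. `providerMetadata` is absent from cnaContainer's `required` list while `orgId` is required inside it; if the service populates providerMetadata itself that is fine, but it is worth a `$comment` so a later reader does not "fix" it by adding the requirement. The `timestamp` definition pairs `format: date-time` with a hand-written regex whose year group only admits 1900–2999; the two constraints overlap but are not redundant, and a short `$comment` saying so would prevent one being dropped.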