in production, CNA containers validated against wrong schema

[ElectricNroff]

cve-services/src/controller/cve.controller/index.js

Line 613 in 617d201

validateCveCnaContainerJsonSchema,

cve-services/src/controller/cve.controller/cve.middleware.js

Line 7 in 617d201

const cnaContainerSchema = JSON.parse(fs.readFileSync('src/controller/cve.controller/cna_container_schema.json'))

cve-services/src/controller/cve.controller/cve.middleware.js

Line 14 in 617d201

const validateCnaContainer = ajv.compile(cnaContainerSchema)

cve-services/src/controller/cve.controller/cve.middleware.js

Lines 134 to 136 in 617d201

	const result = validateCnaContainer(cnaContainer)
	if (!result) {
	logger.error(JSON.stringify({ uuid: req.ctx.uuid, message: 'CVE JSON schema validation FAILED.' }))

cve-services/src/controller/cve.controller/cna_container_schema.json

Lines 288 to 296 in 617d201

	"programFiles": {
	"type": "array",
	"description": "A list of the affected source code files (optional)",
	"uniqueItems": true,
	"items": {
	"description": "Name or path or location of the affected source code file in RFC3986 compliant format (optional).",
	"$ref": "#/definitions/uriType"
	}
	},

This is not the same as programFiles in the 5.0 schema:

cve-services/src/middleware/5.0_bundled_schema.json

Lines 270 to 280 in 617d201

	"programFiles": {
	"type": "array",
	"description": "A list of the affected source code files (optional).",
	"uniqueItems": true,
	"items": {
	"description": "Name or path or location of the affected source code file.",
	"type": "string",
	"minLength": 1,
	"maxLength": 1024
	}
	},

https://github.com/CVEProject/cve-schema/blob/master/schema/v5.0/CVE_JSON_5.0_schema.json#L222-L232

This means that containers.cna.affected.programFiles can have an array of filename strings when the "POST /cve/:id" endpoint is used (which is the intended behavior according to the 5.0 schema), but cannot have an array of filename strings when the "POST /cve/:id/cna" endpoint is used. The error is:

{"error":"INVALID_JSON_SCHEMA","message":"CVE cnaContainer JSON schema validation FAILED.",
"details":{"errors":[{"instancePath":"/cnaContainer/affected/0/programFiles/0",
"schemaPath":"#/definitions/uriType/format","keyword":"format","params":{"format":"uri"},
"message":"must match format \"uri\""}]}}

(same error on cveawg.mitre.org and cveawg-test.mitre.org)

No CNA has successfully used programFiles, but we don't know how many tried. One new CNA wants to use programFiles today.

A former team member tried to work around this defect by putting a URL in the CNA container example, even though there is no URL in the full CVE Record example:

https://github.com/CVEProject/cve-schema/blob/6b11a1b3a7c3a9e504c5cba1b39129d279a7f147/schema/v5.0/docs/cnaContainer-advanced-example.json#L43-L44
versus
https://github.com/CVEProject/cve-schema/blob/6b11a1b3a7c3a9e504c5cba1b39129d279a7f147/schema/v5.0/docs/full-record-advanced-example.json#L59-L60

and this does make the example work; however, real products typically do not use URIs for filenames.

One solution is to update cna_container_schema.json so that it allows exactly the same CNA container content as 5.0_bundled_schema.json.