cve-services/src/controller/cve.controller/index.js
Line 613 in 617d201
cve-services/src/controller/cve.controller/cve.middleware.js
Line 7 in 617d201
cve-services/src/controller/cve.controller/cve.middleware.js
Line 14 in 617d201
cve-services/src/controller/cve.controller/cve.middleware.js
Lines 134 to 136 in 617d201
cve-services/src/controller/cve.controller/cna_container_schema.json
Lines 288 to 296 in 617d201
This is not the same as programFiles in the 5.0 schema:
cve-services/src/middleware/5.0_bundled_schema.json
Lines 270 to 280 in 617d201
https://github.com/CVEProject/cve-schema/blob/master/schema/v5.0/CVE_JSON_5.0_schema.json#L222-L232
This means that containers.cna.affected.programFiles can have an array of filename strings when the "POST /cve/:id" endpoint is used (which is the intended behavior according to the 5.0 schema), but cannot have an array of filename strings when the "POST /cve/:id/cna" endpoint is used. The error is:
{"error":"INVALID_JSON_SCHEMA","message":"CVE cnaContainer JSON schema validation FAILED.",
"details":{"errors":[{"instancePath":"/cnaContainer/affected/0/programFiles/0",
"schemaPath":"#/definitions/uriType/format","keyword":"format","params":{"format":"uri"},
"message":"must match format \"uri\""}]}}
(same error on cveawg.mitre.org and cveawg-test.mitre.org)
No CNA has successfully used programFiles, but we don't know how many tried. One new CNA wants to use programFiles today.
A former team member tried to work around this defect by putting a URL in the CNA container example, even though there is no URL in the full CVE Record example:
https://github.com/CVEProject/cve-schema/blob/6b11a1b3a7c3a9e504c5cba1b39129d279a7f147/schema/v5.0/docs/cnaContainer-advanced-example.json#L43-L44
versus
https://github.com/CVEProject/cve-schema/blob/6b11a1b3a7c3a9e504c5cba1b39129d279a7f147/schema/v5.0/docs/full-record-advanced-example.json#L59-L60
and this does make the example work; however, real products typically do not use URIs for filenames.
One solution is to update cna_container_schema.json so that it allows exactly the same CNA container content as 5.0_bundled_schema.json.
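A drift check between the two schema copies would flag this kind of divergence before deployment. The following is an added example, not code from cve-services: the two schema fragments are constructed, simplified stand-ins for the real files, and `deref` and `schemaDrift` are hypothetical helper names. It assumes the compared subtree contains no recursive `$ref`.

```javascript
// Constructed stand-in for the CNA-container schema: programFiles items go through uriType.
const cnaContainerSchema = {
  definitions: {
    uriType: { type: "string", format: "uri" },
    programFiles: { type: "array", minItems: 1, uniqueItems: true,
                    items: { $ref: "#/definitions/uriType" } }
  }
};
// Constructed stand-in for the bundled 5.0 schema: programFiles items are plain strings.
const bundledSchema = {
  definitions: {
    programFiles: { type: "array", minItems: 1, uniqueItems: true,
                    items: { description: "file name or path", type: "string" } }
  }
};

// Follow local "#/..." pointers so inlined and $ref'd definitions compare as equals.
function deref(root, node) {
  while (node && typeof node === "object" && typeof node.$ref === "string") {
    node = node.$ref.slice(2).split("/").reduce((n, key) => n[key], root);
  }
  return node;
}

// Return one line per keyword whose value differs between the two schema subtrees.
function schemaDrift(rootA, a, rootB, b, path = "") {
  a = deref(rootA, a);
  b = deref(rootB, b);
  const isObj = (v) => v !== null && typeof v === "object";
  if (!isObj(a) || !isObj(b)) {
    const [sa, sb] = [JSON.stringify(a), JSON.stringify(b)];
    return sa === sb ? [] : [`${path}: ${sa} vs ${sb}`];
  }
  // Annotation keywords do not affect validation; keep them when they are property names.
  const isNameMap = path.endsWith("/properties") || path.endsWith("/definitions");
  const skip = isNameMap ? new Set() : new Set(["description", "title", "$comment"]);
  const keys = new Set([...Object.keys(a), ...Object.keys(b)]);
  return [...keys].filter((k) => !skip.has(k)).sort()
    .flatMap((k) => schemaDrift(rootA, a[k], rootB, b[k], `${path}/${k}`));
}

function programFilesDrift() {
  return schemaDrift(cnaContainerSchema, cnaContainerSchema.definitions.programFiles,
                     bundledSchema, bundledSchema.definitions.programFiles);
}
console.log(programFilesDrift());
```

Run against the real files in CI, a non-empty result for any shared definition would mean the two endpoints accept different CNA container content.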