diff --git a/rfds/0459-SSVC-2-0-0-add.md b/rfds/0459-SSVC-2-0-0-add.md
new file mode 100644
index 00000000000..185c2da7b4c
--- /dev/null
+++ b/rfds/0459-SSVC-2-0-0-add.md
@@ -0,0 +1,173 @@
+# Adding SSVC 2.0.0 as optional structured metrics to CVE metrics block
+
+| Field | Value |
+|:-----------------|:-------|
+| RFD Submitter | Vijay Sarvepalli (CERT/CC) |
+| RFD Pull Request | [RFD #0459](https://github.com/CVEProject/cve-schema/pull/459) |
+
+## Summary
+[summary]: #summary
+
+This proposal adds support for ** Stakeholder-Specific Vulnerability Categorization (SSVC) 2.0.0** as an optional structured element under the CVE `metrics` block.
+
+Currently, SSVC data is included inconsistently in the unstructured `"other"` field, which limits its machine readability, interoperability, and adoption. By providing a formal schema location for SSVC, CVE Records will be able to more reliably capture and distribute this emerging prioritization framework.
+
+Note: this proposal was previously approved in a QWG chaired by Jay Jacobs and Chris Coffin around December 2024 and initially merged in Jan 17 2025, but continued to evolve as SSVC has continued to evolve.
+
+## Problem Statement
+[problem-statement]: #problem-statement
+
+- SSVC is operationally used by organizations (e.g., CISA, VulnCheck, CERT/CC) to prioritize vulnerability response.
+- Today, SSVC values are often published only in custom structured, reducing consistency and limiting automated analysis.
+- Embedding SSVC data in the `"other"` field of CVE Records creates barriers to adoption:
+ - Lack of machine readability and tooling support.
+ - Inconsistent implementations across CNAs and ADPs.
+ - Increased cost for downstream consumers to parse and normalize data.
+
+Without a structured, standardized location in the CVE schema, SSVC cannot fulfill its intended role as a practical complement to CVSS and other metrics.
+
+## Proposed Solution
+[proposed-solution]: #proposed-solution
+
+- Add an optional `ssvc` object under the `metrics` block of the CVE Record schema.
+- Specify versioned support (both schema versions 1.0.0 and 2.0.0 are included).
+- Ensure fields capture the core SSVC decision points and outcomes in a standardized way.
+- Maintain backwards compatibility with existing CVE Records (non-breaking change).
+
+This ensures that CVE Records can cleanly incorporate SSVC alongside other structured metrics such as CVSS and EPSS.
+
+## Examples
+[examples]: #examples
+
+The test-cases for PR [#459](https://github.com/CVEProject/cve-schema/pull/459) illustrate how SSVC data can be expressed. For example:
+
+https://certcc.github.io/SSVC/data/schema_examples/CVE-1900-1234-Decision_Point_Value_Selection-2-0-0.json
+A minimal record looks like below
+```json
+{
+ "timestamp": "2021-09-29T15:29:44Z",
+ "schemaVersion": "2.0.0",
+ "selections": [
+ {
+ "namespace": "ssvc",
+ "key": "E",
+ "version": "1.1.0",
+ "values": [
+ {"key": "A"}
+ ]
+ }
+ ]
+}
+```
+
+A more advanced record looks like below for a similar infomration
+
+```json
+{
+ "timestamp": "2021-09-29T15:29:44Z",
+ "schemaVersion": "2.0.0",
+ "selections": [
+ {
+ "namespace": "ssvc",
+ "key": "E",
+ "version": "1.1.0",
+ "values": [
+ {"key": "A"}
+ ]
+ },
+ {
+ "namespace": "ssvc",
+ "name": "Automatable",
+ "key": "A",
+ "version": "2.0.0",
+ "values": [
+ {"name": "Yes", "key": "Y"}
+ ]
+ },
+ {
+ "namespace": "ssvc",
+ "name": "Technical Impact",
+ "key": "TI",
+ "version": "1.0.0",
+ "values": [
+ {"name": "Total","key":"T"}
+ ]
+ }
+ ],
+ "decision_point_resources": [{
+ "summary": "A JSON file containing SSVC update to Exploitation Decision Point",
+ "uri": "https://certcc.github.io/SSVC/data/json/decision_points/ssvc/exploitation_1_1_0.json"
+ }],
+ "references": [{
+ "summary": "An exploitation example was published for this vulnerability",
+ "uri": "https://example.com/report"
+ }]
+}
+```
+
+## Impact Assessment
+[impact-assessment]: #impact-assessment
+
+For CNAs/ADPs: Provides a formal schema location to include SSVC, reducing ambiguity and effort in data publication.
+
+For Consumers: Simplifies automated ingestion of SSVC data, reducing the need for scraping or custom parsers.
+
+For the CVE Program: Strengthens the role of CVE Records as a hub for standardized vulnerability metadata, aligning with the needs of defenders and decision-makers.
+
+## Compatibility and Migration
+[compatibility-and-migration]: #compatibility-and-migration
+
+Backwards compatible: Existing CVE Records and tooling remain unaffected.
+
+Adoption is optional: CNAs/ADPs can choose whether to include SSVC.
+
+Migration path: CNAs currently embedding SSVC in "other" fields can gradually shift to using the structured ssvc block.
+
+## Success Metrics [success-metrics]: #success-metrics
+
+RFD will be considered successful if:
+* At least one ADP (e.g., CISA, VulnCheck, CERT/CC) adopts the new structured ssvc block within one year.
+
+* Major consumer tools (CVE Services,vuln enrichment pipelines, dashboards) can automatically parse SSVC data without special parsing logic.
+
+If adoption is slow, additional tooling or guidance may be provided to ease integration.
+
+## Supporting Data or Research
+[supporting-data-or-research]: #supporting-data-or-research
+
+CISA Vulnrichment and VulnCheck both actively publish SSVC prioritization data, but not in a standardized, machine-readable format.
+
+VulnCheck currently has SSVC coverage for 244,866 CVEs, while CISA Vulnrichment covers 64,142 CVEs.
+
+See: Automating SSVC (VulnCheck blog)[[https://www.vulncheck.com/blog/automating-ssvc]
+
+See: SSVC community which captures usage of SSVC in the real-world at (SSVC Dicssions Sightings)[https://github.com/CERTCC/SSVC/discussions/291]
+
+
+## Related Issues or Proposals
+[related-issues-or-proposals]: #related-issues-or-proposals
+
+* CVE Schema discussion on extending metrics beyond CVSS.
+
+* Related work on EPSS and KEV integration into CVE Records.
+
+## Recommended Priority
+[recommended-priority]: #recommended-priority
+
+Medium.
+
+SSVC is not yet universal, but adoption is growing rapidly.
+
+Providing structured schema support now will prevent fragmentation and reduce downstream costs.
+
+## Unresolved Questions
+[unresolved-questions]: #unresolved-questions
+
+No new questions arise except other known concerns in metrics
+
+## Future Possibilities
+[future-possibilities]: #future-possibilities
+
+Tooling for Vulnogram and cveClient to adopt and use SSVC natively
+
+
diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json
index 175dd8748ca..316954c1ab6 100644
--- a/schema/CVE_Record_Format.json
+++ b/schema/CVE_Record_Format.json
@@ -963,9 +963,6 @@
{
"required": ["cvssV2_0"]
},
- {
- "required": ["ssvcV1_0_1"]
- },
{
"required": ["ssvcV2_0_0"]
},
@@ -1008,8 +1005,7 @@
"cvssV3_1": {"$ref": "file:imports/cvss/cvss-v3.1.json"},
"cvssV3_0": {"$ref": "file:imports/cvss/cvss-v3.0.json"},
"cvssV2_0": {"$ref": "file:imports/cvss/cvss-v2.0.json"},
- "ssvcV1_0_1": {"$ref": "file:imports/ssvc/ssvc-v1.0.1.json"},
- "ssvcV2_0_0": {"$ref": "file:imports/ssvc/SelectionList_2_0_0.schema.json"},
+ "ssvcV2_0_0": {"$ref": "file:imports/ssvc/SelectionList_2_0_0_CVE.schema.json"},
"other": {
"type": "object",
"description": "A non-standard impact description, may be prose or JSON block.",
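Review bot: Pointing `ssvcV2_0_0` at `SelectionList_2_0_0_CVE.schema.json` appears to contradict the examples in the RFD added by this same commit. The bundled output later in the diff shows the new variant dropping `schemaVersion` from both `properties` and `required` while the object keeps `"additionalProperties": false`, so both RFD sample records, which carry `"schemaVersion": "2.0.0"`, would presumably be rejected. Either keep `schemaVersion` as an optional property (`"const": "2.0.0"`) in the CVE variant, or update the RFD examples and test cases to omit it. This hunk also removes the `ssvcV1_0_1` property although the RFD says earlier versions remain included and the change is non-breaking; whether a record that already carries `ssvcV1_0_1` still validates depends on how the metrics item treats unknown properties, which is not visible here. The identical change in `schema/cve-schema.json` has the same issue.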
diff --git a/schema/cve-schema.json b/schema/cve-schema.json
index 8ec11887741..06ac61bfe6b 100644
--- a/schema/cve-schema.json
+++ b/schema/cve-schema.json
@@ -963,9 +963,6 @@
{
"required": ["cvssV2_0"]
},
- {
- "required": ["ssvcV1_0_1"]
- },
{
"required": ["ssvcV2_0_0"]
},
@@ -1008,8 +1005,7 @@
"cvssV3_1": {"$ref": "imports/cvss/cvss-v3.1.json"},
"cvssV3_0": {"$ref": "imports/cvss/cvss-v3.0.json"},
"cvssV2_0": {"$ref": "imports/cvss/cvss-v2.0.json"},
- "ssvcV1_0_1": {"$ref": "imports/ssvc/ssvc-v1.0.1.json"},
- "ssvcV2_0_0": {"$ref": "imports/ssvc/SelectionList_2_0_0.schema.json"},
+ "ssvcV2_0_0": {"$ref": "imports/ssvc/SelectionList_2_0_0_CVE.schema.json"},
"other": {
"type": "object",
"description": "A non-standard impact description, may be prose or JSON block.",
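Review bot: The `_CVE` variant referenced here ships a `namespace` description that is cut off mid-parenthesis, as the bundled output in this diff shows: `"The namespace of the SSVC object. (Restricted to CVE Program"`. Complete the sentence in the source schema and regenerate the bundles, for example `"The namespace of the SSVC object. (Restricted to namespaces accepted by the CVE Program.)"`. The same variant replaces the pattern-validated `namespace` with a closed enum (`cisa`, `cvss`, `ssvc`, `aivss`), so a record using any extension namespace will fail validation until the schema itself is revised. The RFD does not mention this restriction, and it is worth documenting there how a new namespace gets added. This applies equally to `schema/CVE_Record_Format.json`.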
diff --git a/schema/docs/CVE_Record_Format_bundled.json b/schema/docs/CVE_Record_Format_bundled.json
index f8f2b3e72c3..96263e0400b 100644
--- a/schema/docs/CVE_Record_Format_bundled.json
+++ b/schema/docs/CVE_Record_Format_bundled.json
@@ -1077,11 +1077,6 @@
"cvssV2_0"
]
},
- {
- "required": [
- "ssvcV1_0_1"
- ]
- },
{
"required": [
"ssvcV2_0_0"
@@ -3171,130 +3166,6 @@
],
"additionalProperties": false
},
- "ssvcV1_0_1": {
- "$schema": "https://json-schema.org/draft/2020-12/schema",
- "description": "This schema defines the structure for selecting SSVC Decision Points and their evaluated values for a given vulnerability. Each vulnerability can have multiple Decision Points, and each Decision Point can have multiple selected values when full certainty is not available.",
- "$defs": {
- "id": {
- "type": "string",
- "description": "Identifier for the vulnerability that was evaluation, such as CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.",
- "examples": [
- "CVE-1900-1234",
- "VU#11111",
- "GHSA-11a1-22b2-33c3"
- ],
- "minLength": 1
- },
- "role": {
- "type": "string",
- "description": "The role of the stakeholder performing the evaluation (e.g., Supplier, Deployer, Coordinator). See SSVC documentation for a currently identified list: https://certcc.github.io/SSVC/topics/enumerating_stakeholders/",
- "examples": [
- "Supplier",
- "Deployer",
- "Coordinator"
- ],
- "minLength": 1
- },
- "timestamp": {
- "description": "Date and time when the evaluation of the Vulnerability was performed according to RFC 3339, section 5.6.",
- "type": "string",
- "format": "date-time"
- },
- "SsvcdecisionpointselectionSchema": {
- "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability evaluation.",
- "properties": {
- "name": {
- "type": "string",
- "description": "A short label that identifies a Decision Point.",
- "minLength": 1,
- "examples": [
- "Exploitation",
- "Automatable"
- ]
- },
- "namespace": {
- "type": "string",
- "description": "Namespace (a short, unique string): For example, \"ssvc\" or \"cvss\" to indicate the source of the decision point. See SSVC Documentation for details.",
- "pattern": "^[a-z0-9-]{3,4}[a-z0-9/\\.-]*$",
- "examples": [
- "ssvc",
- "cvss",
- "ssvc-jp",
- "ssvc/acme",
- "ssvc/example.com"
- ]
- },
- "values": {
- "description": "One or more Decision Point Values that were selected for this Decision Point. If the evaluation is uncertain, multiple values may be listed to reflect the potential range of possibilities.",
- "title": "values",
- "type": "array",
- "minItems": 1,
- "items": {
- "type": "string",
- "description": "A short label that identifies a Decision Point Value",
- "minLength": 1,
- "examples": [
- "Public PoC",
- "Yes"
- ]
- }
- },
- "version": {
- "type": "string",
- "description": "Version (a semantic version string) that identifies the version of a Decision Point.",
- "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$",
- "examples": [
- "1.0.1",
- "1.0.1-alpha"
- ]
- }
- },
- "type": "object",
- "required": [
- "name",
- "namespace",
- "values",
- "version"
- ],
- "additionalProperties": false
- }
- },
- "properties": {
- "id": {
- "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/id"
- },
- "role": {
- "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/role"
- },
- "schemaVersion": {
- "description": "Schema version used to represent this Decision Point.",
- "type": "string",
- "enum": [
- "1-0-1"
- ]
- },
- "timestamp": {
- "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/timestamp"
- },
- "selections": {
- "description": "An array of Decision Points and their selected values for the identified Vulnerability. If a clear evaluation is uncertain, multiple values may be listed for a Decision Point instead of waiting for perfect clarity.",
- "title": "selections",
- "type": "array",
- "minItems": 1,
- "items": {
- "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/SsvcdecisionpointselectionSchema"
- }
- }
- },
- "type": "object",
- "required": [
- "selections",
- "id",
- "timestamp",
- "schemaVersion"
- ],
- "additionalProperties": false
- },
"ssvcV2_0_0": {
"title": "SelectionList",
"$schema": "https://json-schema.org/draft/2020-12/schema",
@@ -3367,18 +3238,15 @@
"description": "A minimal selection object that contains the decision point ID and the selected values.\nWhile the Selection object parallels the DecisionPoint object, it is intentionally minimal, with\nfewer required fields and no additional metadata, as it is meant to represent a selection made from a\npreviously defined decision point. The expectation is that a Selection object will usually have\nfewer values than the original decision point, as it represents a specific evaluation\nat a specific time and may therefore rule out some values that were previously considered.\nOther fields like name and description may be copied from the decision point, but are not required.",
"properties": {
"namespace": {
- "title": "Namespace",
- "description": "The namespace of the SSVC object.",
- "examples": [
- "ssvc",
+ "type": "string",
+ "enum": [
"cisa",
- "x_example.test#test//.example.test#private-extension",
- "ssvc/de-DE/.example.organization#reference-arch-1"
+ "cvss",
+ "ssvc",
+ "aivss"
],
- "maxLength": 1000,
- "minLength": 3,
- "pattern": "^(x_([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?(\\.([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?)+#(([a-z]|[0-9]))+((\\.|-)(([a-z]|[0-9]))+)*|[a-z]([a-z]|[0-9])(((\\.|-))?(([a-z]|[0-9]))+)+(#(([a-z]|[0-9]))+((\\.|-)(([a-z]|[0-9]))+)*)?)((/|/(([a-zA-Z]{2,3}(-[a-zA-Z]{3}(-[a-zA-Z]{3}){0,2})?|[a-zA-Z]{4,8})(-[a-zA-Z]{4})?(-([a-zA-Z]{2}|[0-9]{3}))?(-(([a-zA-Z0-9]){5,8}|[0-9]([a-zA-Z0-9]){3}))*(-[0-9A-WY-Za-wy-z](-([a-zA-Z0-9]){2,8})+)*(-[xX](-([a-zA-Z0-9]){2,8})+)?|[xX](-([a-zA-Z0-9]){2,8})+|i-default|i-mingo))((/((([a-zA-Z]{2,3}(-[a-zA-Z]{3}(-[a-zA-Z]{3}){0,2})?|[a-zA-Z]{4,8})(-[a-zA-Z]{4})?(-([a-zA-Z]{2}|[0-9]{3}))?(-(([a-zA-Z0-9]){5,8}|[0-9]([a-zA-Z0-9]){3}))*(-[0-9A-WY-Za-wy-z](-([a-zA-Z0-9]){2,8})+)*(-[xX](-([a-zA-Z0-9]){2,8})+)?|[xX](-([a-zA-Z0-9]){2,8})+|i-default|i-mingo)|\\.([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?(\\.([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?)+#(([a-z]|[0-9]))+((\\.|-)(([a-z]|[0-9]))+)*|\\.(([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?(\\.([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?)+|([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?(\\.([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?)+#(([a-z]|[0-9]))+((\\.|-)(([a-z]|[0-9]))+)*)\\$(([a-zA-Z]{2,3}(-[a-zA-Z]{3}(-[a-zA-Z]{3}){0,2})?|[a-zA-Z]{4,8})(-[a-zA-Z]{4})?(-([a-zA-Z]{2}|[0-9]{3}))?(-(([a-zA-Z0-9]){5,8}|[0-9]([a-zA-Z0-9]){3}))*(-[0-9A-WY-Za-wy-z](-([a-zA-Z0-9]){2,8})+)*(-[xX](-([a-zA-Z0-9]){2,8})+)?|[xX](-([a-zA-Z0-9]){2,8})+|i-default|i-mingo)))+)?)?$",
- "type": "string"
+ "title": "Namespace",
+ "description": "The namespace of the SSVC object. (Restricted to CVE Program"
},
"key": {
"title": "Key",
@@ -3469,31 +3337,6 @@
"format": "date-time",
"type": "string"
},
- "schemaVersion": {
- "title": "Schemaversion",
- "const": "2.0.0",
- "description": "The schema version of this selection list.",
- "type": "string"
- },
- "target_ids": {
- "title": "Target Ids",
- "description": "Optional list of identifiers for the item or items (vulnerabilities, reports, advisories, systems, assets, etc.) being evaluated by these selections.",
- "examples": [
- [
- "CVE-1900-0000"
- ],
- [
- "VU#999999",
- "GHSA-0123-4567-89ab"
- ]
- ],
- "items": {
- "type": "string"
- },
- "minItems": 1,
- "type": "array",
- "uniqueItems": true
- },
"selections": {
"title": "Selections",
"description": "List of selections made from decision points. Each selection item corresponds to value keys contained in a specific decision point identified by its namespace, key, and version. Note that selection objects are deliberately minimal objects and do not contain the full decision point details.",
@@ -3548,7 +3391,6 @@
},
"required": [
"timestamp",
- "schemaVersion",
"selections"
],
"additionalProperties": false
diff --git a/schema/docs/CVE_Record_Format_bundled_adpContainer.json b/schema/docs/CVE_Record_Format_bundled_adpContainer.json
index d7ac90ff8a3..7464972c009 100644
--- a/schema/docs/CVE_Record_Format_bundled_adpContainer.json
+++ b/schema/docs/CVE_Record_Format_bundled_adpContainer.json
@@ -1077,11 +1077,6 @@
"cvssV2_0"
]
},
- {
- "required": [
- "ssvcV1_0_1"
- ]
- },
{
"required": [
"ssvcV2_0_0"
@@ -3171,130 +3166,6 @@
],
"additionalProperties": false
},
- "ssvcV1_0_1": {
- "$schema": "https://json-schema.org/draft/2020-12/schema",
- "description": "This schema defines the structure for selecting SSVC Decision Points and their evaluated values for a given vulnerability. Each vulnerability can have multiple Decision Points, and each Decision Point can have multiple selected values when full certainty is not available.",
- "$defs": {
- "id": {
- "type": "string",
- "description": "Identifier for the vulnerability that was evaluation, such as CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.",
- "examples": [
- "CVE-1900-1234",
- "VU#11111",
- "GHSA-11a1-22b2-33c3"
- ],
- "minLength": 1
- },
- "role": {
- "type": "string",
- "description": "The role of the stakeholder performing the evaluation (e.g., Supplier, Deployer, Coordinator). See SSVC documentation for a currently identified list: https://certcc.github.io/SSVC/topics/enumerating_stakeholders/",
- "examples": [
- "Supplier",
- "Deployer",
- "Coordinator"
- ],
- "minLength": 1
- },
- "timestamp": {
- "description": "Date and time when the evaluation of the Vulnerability was performed according to RFC 3339, section 5.6.",
- "type": "string",
- "format": "date-time"
- },
- "SsvcdecisionpointselectionSchema": {
- "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability evaluation.",
- "properties": {
- "name": {
- "type": "string",
- "description": "A short label that identifies a Decision Point.",
- "minLength": 1,
- "examples": [
- "Exploitation",
- "Automatable"
- ]
- },
- "namespace": {
- "type": "string",
- "description": "Namespace (a short, unique string): For example, \"ssvc\" or \"cvss\" to indicate the source of the decision point. See SSVC Documentation for details.",
- "pattern": "^[a-z0-9-]{3,4}[a-z0-9/\\.-]*$",
- "examples": [
- "ssvc",
- "cvss",
- "ssvc-jp",
- "ssvc/acme",
- "ssvc/example.com"
- ]
- },
- "values": {
- "description": "One or more Decision Point Values that were selected for this Decision Point. If the evaluation is uncertain, multiple values may be listed to reflect the potential range of possibilities.",
- "title": "values",
- "type": "array",
- "minItems": 1,
- "items": {
- "type": "string",
- "description": "A short label that identifies a Decision Point Value",
- "minLength": 1,
- "examples": [
- "Public PoC",
- "Yes"
- ]
- }
- },
- "version": {
- "type": "string",
- "description": "Version (a semantic version string) that identifies the version of a Decision Point.",
- "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$",
- "examples": [
- "1.0.1",
- "1.0.1-alpha"
- ]
- }
- },
- "type": "object",
- "required": [
- "name",
- "namespace",
- "values",
- "version"
- ],
- "additionalProperties": false
- }
- },
- "properties": {
- "id": {
- "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/id"
- },
- "role": {
- "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/role"
- },
- "schemaVersion": {
- "description": "Schema version used to represent this Decision Point.",
- "type": "string",
- "enum": [
- "1-0-1"
- ]
- },
- "timestamp": {
- "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/timestamp"
- },
- "selections": {
- "description": "An array of Decision Points and their selected values for the identified Vulnerability. If a clear evaluation is uncertain, multiple values may be listed for a Decision Point instead of waiting for perfect clarity.",
- "title": "selections",
- "type": "array",
- "minItems": 1,
- "items": {
- "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/SsvcdecisionpointselectionSchema"
- }
- }
- },
- "type": "object",
- "required": [
- "selections",
- "id",
- "timestamp",
- "schemaVersion"
- ],
- "additionalProperties": false
- },
"ssvcV2_0_0": {
"title": "SelectionList",
"$schema": "https://json-schema.org/draft/2020-12/schema",
@@ -3367,18 +3238,15 @@
"description": "A minimal selection object that contains the decision point ID and the selected values.\nWhile the Selection object parallels the DecisionPoint object, it is intentionally minimal, with\nfewer required fields and no additional metadata, as it is meant to represent a selection made from a\npreviously defined decision point. The expectation is that a Selection object will usually have\nfewer values than the original decision point, as it represents a specific evaluation\nat a specific time and may therefore rule out some values that were previously considered.\nOther fields like name and description may be copied from the decision point, but are not required.",
"properties": {
"namespace": {
- "title": "Namespace",
- "description": "The namespace of the SSVC object.",
- "examples": [
- "ssvc",
+ "type": "string",
+ "enum": [
"cisa",
- "x_example.test#test//.example.test#private-extension",
- "ssvc/de-DE/.example.organization#reference-arch-1"
+ "cvss",
+ "ssvc",
+ "aivss"
],
- "maxLength": 1000,
- "minLength": 3,
- "pattern": "^(x_([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?(\\.([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?)+#(([a-z]|[0-9]))+((\\.|-)(([a-z]|[0-9]))+)*|[a-z]([a-z]|[0-9])(((\\.|-))?(([a-z]|[0-9]))+)+(#(([a-z]|[0-9]))+((\\.|-)(([a-z]|[0-9]))+)*)?)((/|/(([a-zA-Z]{2,3}(-[a-zA-Z]{3}(-[a-zA-Z]{3}){0,2})?|[a-zA-Z]{4,8})(-[a-zA-Z]{4})?(-([a-zA-Z]{2}|[0-9]{3}))?(-(([a-zA-Z0-9]){5,8}|[0-9]([a-zA-Z0-9]){3}))*(-[0-9A-WY-Za-wy-z](-([a-zA-Z0-9]){2,8})+)*(-[xX](-([a-zA-Z0-9]){2,8})+)?|[xX](-([a-zA-Z0-9]){2,8})+|i-default|i-mingo))((/((([a-zA-Z]{2,3}(-[a-zA-Z]{3}(-[a-zA-Z]{3}){0,2})?|[a-zA-Z]{4,8})(-[a-zA-Z]{4})?(-([a-zA-Z]{2}|[0-9]{3}))?(-(([a-zA-Z0-9]){5,8}|[0-9]([a-zA-Z0-9]){3}))*(-[0-9A-WY-Za-wy-z](-([a-zA-Z0-9]){2,8})+)*(-[xX](-([a-zA-Z0-9]){2,8})+)?|[xX](-([a-zA-Z0-9]){2,8})+|i-default|i-mingo)|\\.([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?(\\.([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?)+#(([a-z]|[0-9]))+((\\.|-)(([a-z]|[0-9]))+)*|\\.(([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?(\\.([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?)+|([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?(\\.([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?)+#(([a-z]|[0-9]))+((\\.|-)(([a-z]|[0-9]))+)*)\\$(([a-zA-Z]{2,3}(-[a-zA-Z]{3}(-[a-zA-Z]{3}){0,2})?|[a-zA-Z]{4,8})(-[a-zA-Z]{4})?(-([a-zA-Z]{2}|[0-9]{3}))?(-(([a-zA-Z0-9]){5,8}|[0-9]([a-zA-Z0-9]){3}))*(-[0-9A-WY-Za-wy-z](-([a-zA-Z0-9]){2,8})+)*(-[xX](-([a-zA-Z0-9]){2,8})+)?|[xX](-([a-zA-Z0-9]){2,8})+|i-default|i-mingo)))+)?)?$",
- "type": "string"
+ "title": "Namespace",
+ "description": "The namespace of the SSVC object. (Restricted to CVE Program"
},
"key": {
"title": "Key",
@@ -3469,31 +3337,6 @@
"format": "date-time",
"type": "string"
},
- "schemaVersion": {
- "title": "Schemaversion",
- "const": "2.0.0",
- "description": "The schema version of this selection list.",
- "type": "string"
- },
- "target_ids": {
- "title": "Target Ids",
- "description": "Optional list of identifiers for the item or items (vulnerabilities, reports, advisories, systems, assets, etc.) being evaluated by these selections.",
- "examples": [
- [
- "CVE-1900-0000"
- ],
- [
- "VU#999999",
- "GHSA-0123-4567-89ab"
- ]
- ],
- "items": {
- "type": "string"
- },
- "minItems": 1,
- "type": "array",
- "uniqueItems": true
- },
"selections": {
"title": "Selections",
"description": "List of selections made from decision points. Each selection item corresponds to value keys contained in a specific decision point identified by its namespace, key, and version. Note that selection objects are deliberately minimal objects and do not contain the full decision point details.",
@@ -3548,7 +3391,6 @@
},
"required": [
"timestamp",
- "schemaVersion",
"selections"
],
"additionalProperties": false
diff --git a/schema/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json b/schema/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json
index c1427dc4386..829d647f081 100644
--- a/schema/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json
+++ b/schema/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json
@@ -1077,11 +1077,6 @@
"cvssV2_0"
]
},
- {
- "required": [
- "ssvcV1_0_1"
- ]
- },
{
"required": [
"ssvcV2_0_0"
@@ -3171,130 +3166,6 @@
],
"additionalProperties": false
},
- "ssvcV1_0_1": {
- "$schema": "https://json-schema.org/draft/2020-12/schema",
- "description": "This schema defines the structure for selecting SSVC Decision Points and their evaluated values for a given vulnerability. Each vulnerability can have multiple Decision Points, and each Decision Point can have multiple selected values when full certainty is not available.",
- "$defs": {
- "id": {
- "type": "string",
- "description": "Identifier for the vulnerability that was evaluation, such as CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.",
- "examples": [
- "CVE-1900-1234",
- "VU#11111",
- "GHSA-11a1-22b2-33c3"
- ],
- "minLength": 1
- },
- "role": {
- "type": "string",
- "description": "The role of the stakeholder performing the evaluation (e.g., Supplier, Deployer, Coordinator). See SSVC documentation for a currently identified list: https://certcc.github.io/SSVC/topics/enumerating_stakeholders/",
- "examples": [
- "Supplier",
- "Deployer",
- "Coordinator"
- ],
- "minLength": 1
- },
- "timestamp": {
- "description": "Date and time when the evaluation of the Vulnerability was performed according to RFC 3339, section 5.6.",
- "type": "string",
- "format": "date-time"
- },
- "SsvcdecisionpointselectionSchema": {
- "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability evaluation.",
- "properties": {
- "name": {
- "type": "string",
- "description": "A short label that identifies a Decision Point.",
- "minLength": 1,
- "examples": [
- "Exploitation",
- "Automatable"
- ]
- },
- "namespace": {
- "type": "string",
- "description": "Namespace (a short, unique string): For example, \"ssvc\" or \"cvss\" to indicate the source of the decision point. See SSVC Documentation for details.",
- "pattern": "^[a-z0-9-]{3,4}[a-z0-9/\\.-]*$",
- "examples": [
- "ssvc",
- "cvss",
- "ssvc-jp",
- "ssvc/acme",
- "ssvc/example.com"
- ]
- },
- "values": {
- "description": "One or more Decision Point Values that were selected for this Decision Point. If the evaluation is uncertain, multiple values may be listed to reflect the potential range of possibilities.",
- "title": "values",
- "type": "array",
- "minItems": 1,
- "items": {
- "type": "string",
- "description": "A short label that identifies a Decision Point Value",
- "minLength": 1,
- "examples": [
- "Public PoC",
- "Yes"
- ]
- }
- },
- "version": {
- "type": "string",
- "description": "Version (a semantic version string) that identifies the version of a Decision Point.",
- "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$",
- "examples": [
- "1.0.1",
- "1.0.1-alpha"
- ]
- }
- },
- "type": "object",
- "required": [
- "name",
- "namespace",
- "values",
- "version"
- ],
- "additionalProperties": false
- }
- },
- "properties": {
- "id": {
- "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/id"
- },
- "role": {
- "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/role"
- },
- "schemaVersion": {
- "description": "Schema version used to represent this Decision Point.",
- "type": "string",
- "enum": [
- "1-0-1"
- ]
- },
- "timestamp": {
- "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/timestamp"
- },
- "selections": {
- "description": "An array of Decision Points and their selected values for the identified Vulnerability. If a clear evaluation is uncertain, multiple values may be listed for a Decision Point instead of waiting for perfect clarity.",
- "title": "selections",
- "type": "array",
- "minItems": 1,
- "items": {
- "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/SsvcdecisionpointselectionSchema"
- }
- }
- },
- "type": "object",
- "required": [
- "selections",
- "id",
- "timestamp",
- "schemaVersion"
- ],
- "additionalProperties": false
- },
"ssvcV2_0_0": {
"title": "SelectionList",
"$schema": "https://json-schema.org/draft/2020-12/schema",
@@ -3367,18 +3238,15 @@
"description": "A minimal selection object that contains the decision point ID and the selected values.\nWhile the Selection object parallels the DecisionPoint object, it is intentionally minimal, with\nfewer required fields and no additional metadata, as it is meant to represent a selection made from a\npreviously defined decision point. The expectation is that a Selection object will usually have\nfewer values than the original decision point, as it represents a specific evaluation\nat a specific time and may therefore rule out some values that were previously considered.\nOther fields like name and description may be copied from the decision point, but are not required.",
"properties": {
"namespace": {
- "title": "Namespace",
- "description": "The namespace of the SSVC object.",
- "examples": [
- "ssvc",
+ "type": "string",
+ "enum": [
"cisa",
- "x_example.test#test//.example.test#private-extension",
- "ssvc/de-DE/.example.organization#reference-arch-1"
+ "cvss",
+ "ssvc",
+ "aivss"
],
- "maxLength": 1000,
- "minLength": 3,
- "pattern": "^(x_([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?(\\.([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?)+#(([a-z]|[0-9]))+((\\.|-)(([a-z]|[0-9]))+)*|[a-z]([a-z]|[0-9])(((\\.|-))?(([a-z]|[0-9]))+)+(#(([a-z]|[0-9]))+((\\.|-)(([a-z]|[0-9]))+)*)?)((/|/(([a-zA-Z]{2,3}(-[a-zA-Z]{3}(-[a-zA-Z]{3}){0,2})?|[a-zA-Z]{4,8})(-[a-zA-Z]{4})?(-([a-zA-Z]{2}|[0-9]{3}))?(-(([a-zA-Z0-9]){5,8}|[0-9]([a-zA-Z0-9]){3}))*(-[0-9A-WY-Za-wy-z](-([a-zA-Z0-9]){2,8})+)*(-[xX](-([a-zA-Z0-9]){2,8})+)?|[xX](-([a-zA-Z0-9]){2,8})+|i-default|i-mingo))((/((([a-zA-Z]{2,3}(-[a-zA-Z]{3}(-[a-zA-Z]{3}){0,2})?|[a-zA-Z]{4,8})(-[a-zA-Z]{4})?(-([a-zA-Z]{2}|[0-9]{3}))?(-(([a-zA-Z0-9]){5,8}|[0-9]([a-zA-Z0-9]){3}))*(-[0-9A-WY-Za-wy-z](-([a-zA-Z0-9]){2,8})+)*(-[xX](-([a-zA-Z0-9]){2,8})+)?|[xX](-([a-zA-Z0-9]){2,8})+|i-default|i-mingo)|\\.([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?(\\.([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?)+#(([a-z]|[0-9]))+((\\.|-)(([a-z]|[0-9]))+)*|\\.(([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?(\\.([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?)+|([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?(\\.([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?)+#(([a-z]|[0-9]))+((\\.|-)(([a-z]|[0-9]))+)*)\\$(([a-zA-Z]{2,3}(-[a-zA-Z]{3}(-[a-zA-Z]{3}){0,2})?|[a-zA-Z]{4,8})(-[a-zA-Z]{4})?(-([a-zA-Z]{2}|[0-9]{3}))?(-(([a-zA-Z0-9]){5,8}|[0-9]([a-zA-Z0-9]){3}))*(-[0-9A-WY-Za-wy-z](-([a-zA-Z0-9]){2,8})+)*(-[xX](-([a-zA-Z0-9]){2,8})+)?|[xX](-([a-zA-Z0-9]){2,8})+|i-default|i-mingo)))+)?)?$",
- "type": "string"
+ "title": "Namespace",
+ "description": "The namespace of the SSVC object. (Restricted to CVE Program"
},
"key": {
"title": "Key",
@@ -3469,31 +3337,6 @@
"format": "date-time",
"type": "string"
},
- "schemaVersion": {
- "title": "Schemaversion",
- "const": "2.0.0",
- "description": "The schema version of this selection list.",
- "type": "string"
- },
- "target_ids": {
- "title": "Target Ids",
- "description": "Optional list of identifiers for the item or items (vulnerabilities, reports, advisories, systems, assets, etc.) being evaluated by these selections.",
- "examples": [
- [
- "CVE-1900-0000"
- ],
- [
- "VU#999999",
- "GHSA-0123-4567-89ab"
- ]
- ],
- "items": {
- "type": "string"
- },
- "minItems": 1,
- "type": "array",
- "uniqueItems": true
- },
"selections": {
"title": "Selections",
"description": "List of selections made from decision points. Each selection item corresponds to value keys contained in a specific decision point identified by its namespace, key, and version. Note that selection objects are deliberately minimal objects and do not contain the full decision point details.",
@@ -3548,7 +3391,6 @@
},
"required": [
"timestamp",
- "schemaVersion",
"selections"
],
"additionalProperties": false
diff --git a/schema/docs/CVE_Record_Format_bundled_cnaRejectedContainer.json b/schema/docs/CVE_Record_Format_bundled_cnaRejectedContainer.json
index 13eacd2c7c3..c8fc4638fe5 100644
--- a/schema/docs/CVE_Record_Format_bundled_cnaRejectedContainer.json
+++ b/schema/docs/CVE_Record_Format_bundled_cnaRejectedContainer.json
@@ -1077,11 +1077,6 @@
"cvssV2_0"
]
},
- {
- "required": [
- "ssvcV1_0_1"
- ]
- },
{
"required": [
"ssvcV2_0_0"
@@ -3171,130 +3166,6 @@
],
"additionalProperties": false
},
- "ssvcV1_0_1": {
- "$schema": "https://json-schema.org/draft/2020-12/schema",
- "description": "This schema defines the structure for selecting SSVC Decision Points and their evaluated values for a given vulnerability. Each vulnerability can have multiple Decision Points, and each Decision Point can have multiple selected values when full certainty is not available.",
- "$defs": {
- "id": {
- "type": "string",
- "description": "Identifier for the vulnerability that was evaluation, such as CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.",
- "examples": [
- "CVE-1900-1234",
- "VU#11111",
- "GHSA-11a1-22b2-33c3"
- ],
- "minLength": 1
- },
- "role": {
- "type": "string",
- "description": "The role of the stakeholder performing the evaluation (e.g., Supplier, Deployer, Coordinator). See SSVC documentation for a currently identified list: https://certcc.github.io/SSVC/topics/enumerating_stakeholders/",
- "examples": [
- "Supplier",
- "Deployer",
- "Coordinator"
- ],
- "minLength": 1
- },
- "timestamp": {
- "description": "Date and time when the evaluation of the Vulnerability was performed according to RFC 3339, section 5.6.",
- "type": "string",
- "format": "date-time"
- },
- "SsvcdecisionpointselectionSchema": {
- "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability evaluation.",
- "properties": {
- "name": {
- "type": "string",
- "description": "A short label that identifies a Decision Point.",
- "minLength": 1,
- "examples": [
- "Exploitation",
- "Automatable"
- ]
- },
- "namespace": {
- "type": "string",
- "description": "Namespace (a short, unique string): For example, \"ssvc\" or \"cvss\" to indicate the source of the decision point. See SSVC Documentation for details.",
- "pattern": "^[a-z0-9-]{3,4}[a-z0-9/\\.-]*$",
- "examples": [
- "ssvc",
- "cvss",
- "ssvc-jp",
- "ssvc/acme",
- "ssvc/example.com"
- ]
- },
- "values": {
- "description": "One or more Decision Point Values that were selected for this Decision Point. If the evaluation is uncertain, multiple values may be listed to reflect the potential range of possibilities.",
- "title": "values",
- "type": "array",
- "minItems": 1,
- "items": {
- "type": "string",
- "description": "A short label that identifies a Decision Point Value",
- "minLength": 1,
- "examples": [
- "Public PoC",
- "Yes"
- ]
- }
- },
- "version": {
- "type": "string",
- "description": "Version (a semantic version string) that identifies the version of a Decision Point.",
- "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$",
- "examples": [
- "1.0.1",
- "1.0.1-alpha"
- ]
- }
- },
- "type": "object",
- "required": [
- "name",
- "namespace",
- "values",
- "version"
- ],
- "additionalProperties": false
- }
- },
- "properties": {
- "id": {
- "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/id"
- },
- "role": {
- "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/role"
- },
- "schemaVersion": {
- "description": "Schema version used to represent this Decision Point.",
- "type": "string",
- "enum": [
- "1-0-1"
- ]
- },
- "timestamp": {
- "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/timestamp"
- },
- "selections": {
- "description": "An array of Decision Points and their selected values for the identified Vulnerability. If a clear evaluation is uncertain, multiple values may be listed for a Decision Point instead of waiting for perfect clarity.",
- "title": "selections",
- "type": "array",
- "minItems": 1,
- "items": {
- "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/SsvcdecisionpointselectionSchema"
- }
- }
- },
- "type": "object",
- "required": [
- "selections",
- "id",
- "timestamp",
- "schemaVersion"
- ],
- "additionalProperties": false
- },
"ssvcV2_0_0": {
"title": "SelectionList",
"$schema": "https://json-schema.org/draft/2020-12/schema",
@@ -3367,18 +3238,15 @@
"description": "A minimal selection object that contains the decision point ID and the selected values.\nWhile the Selection object parallels the DecisionPoint object, it is intentionally minimal, with\nfewer required fields and no additional metadata, as it is meant to represent a selection made from a\npreviously defined decision point. The expectation is that a Selection object will usually have\nfewer values than the original decision point, as it represents a specific evaluation\nat a specific time and may therefore rule out some values that were previously considered.\nOther fields like name and description may be copied from the decision point, but are not required.",
"properties": {
"namespace": {
- "title": "Namespace",
- "description": "The namespace of the SSVC object.",
- "examples": [
- "ssvc",
+ "type": "string",
+ "enum": [
"cisa",
- "x_example.test#test//.example.test#private-extension",
- "ssvc/de-DE/.example.organization#reference-arch-1"
+ "cvss",
+ "ssvc",
+ "aivss"
],
- "maxLength": 1000,
- "minLength": 3,
- "pattern": "^(x_([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?(\\.([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?)+#(([a-z]|[0-9]))+((\\.|-)(([a-z]|[0-9]))+)*|[a-z]([a-z]|[0-9])(((\\.|-))?(([a-z]|[0-9]))+)+(#(([a-z]|[0-9]))+((\\.|-)(([a-z]|[0-9]))+)*)?)((/|/(([a-zA-Z]{2,3}(-[a-zA-Z]{3}(-[a-zA-Z]{3}){0,2})?|[a-zA-Z]{4,8})(-[a-zA-Z]{4})?(-([a-zA-Z]{2}|[0-9]{3}))?(-(([a-zA-Z0-9]){5,8}|[0-9]([a-zA-Z0-9]){3}))*(-[0-9A-WY-Za-wy-z](-([a-zA-Z0-9]){2,8})+)*(-[xX](-([a-zA-Z0-9]){2,8})+)?|[xX](-([a-zA-Z0-9]){2,8})+|i-default|i-mingo))((/((([a-zA-Z]{2,3}(-[a-zA-Z]{3}(-[a-zA-Z]{3}){0,2})?|[a-zA-Z]{4,8})(-[a-zA-Z]{4})?(-([a-zA-Z]{2}|[0-9]{3}))?(-(([a-zA-Z0-9]){5,8}|[0-9]([a-zA-Z0-9]){3}))*(-[0-9A-WY-Za-wy-z](-([a-zA-Z0-9]){2,8})+)*(-[xX](-([a-zA-Z0-9]){2,8})+)?|[xX](-([a-zA-Z0-9]){2,8})+|i-default|i-mingo)|\\.([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?(\\.([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?)+#(([a-z]|[0-9]))+((\\.|-)(([a-z]|[0-9]))+)*|\\.(([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?(\\.([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?)+|([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?(\\.([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?)+#(([a-z]|[0-9]))+((\\.|-)(([a-z]|[0-9]))+)*)\\$(([a-zA-Z]{2,3}(-[a-zA-Z]{3}(-[a-zA-Z]{3}){0,2})?|[a-zA-Z]{4,8})(-[a-zA-Z]{4})?(-([a-zA-Z]{2}|[0-9]{3}))?(-(([a-zA-Z0-9]){5,8}|[0-9]([a-zA-Z0-9]){3}))*(-[0-9A-WY-Za-wy-z](-([a-zA-Z0-9]){2,8})+)*(-[xX](-([a-zA-Z0-9]){2,8})+)?|[xX](-([a-zA-Z0-9]){2,8})+|i-default|i-mingo)))+)?)?$",
- "type": "string"
+ "title": "Namespace",
+ "description": "The namespace of the SSVC object. (Restricted to CVE Program"
},
"key": {
"title": "Key",
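Review bot: The new `description` string for `namespace` ends at `(Restricted to CVE Program` with no closing parenthesis, while the import schema added later in this diff (`SelectionList_2_0_0_CVE.schema.json`) reads `(Restricted to CVE Program)`. The same unbalanced text appears in the matching hunk of the preceding bundled file. This suggests the bundled docs were generated from an earlier revision of the import schema (inferred from the mismatch, not shown here), so I would regenerate them from the committed schema and diff the result before merging. The enclosing `Selection` definition continues outside this hunk.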
@@ -3469,31 +3337,6 @@
"format": "date-time",
"type": "string"
},
- "schemaVersion": {
- "title": "Schemaversion",
- "const": "2.0.0",
- "description": "The schema version of this selection list.",
- "type": "string"
- },
- "target_ids": {
- "title": "Target Ids",
- "description": "Optional list of identifiers for the item or items (vulnerabilities, reports, advisories, systems, assets, etc.) being evaluated by these selections.",
- "examples": [
- [
- "CVE-1900-0000"
- ],
- [
- "VU#999999",
- "GHSA-0123-4567-89ab"
- ]
- ],
- "items": {
- "type": "string"
- },
- "minItems": 1,
- "type": "array",
- "uniqueItems": true
- },
"selections": {
"title": "Selections",
"description": "List of selections made from decision points. Each selection item corresponds to value keys contained in a specific decision point identified by its namespace, key, and version. Note that selection objects are deliberately minimal objects and do not contain the full decision point details.",
@@ -3548,7 +3391,6 @@
},
"required": [
"timestamp",
- "schemaVersion",
"selections"
],
"additionalProperties": false
diff --git a/schema/docs/full-record-advanced-example.json b/schema/docs/full-record-advanced-example.json
index 89ce394fe11..8c3d03211e8 100644
--- a/schema/docs/full-record-advanced-example.json
+++ b/schema/docs/full-record-advanced-example.json
@@ -1,383 +1,372 @@
{
- "dataType": "CVE_RECORD",
- "dataVersion": "5.1",
- "cveMetadata": {
- "cveId": "CVE-1900-1234",
- "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6",
- "assignerShortName": "example",
- "requesterUserId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6",
- "serial": 1,
- "state": "PUBLISHED"
- },
- "containers": {
- "cna": {
- "providerMetadata": {
- "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6",
- "shortName": "example",
- "dateUpdated": "2021-09-08T16:24:00.000Z"
- },
- "title": "Buffer overflow in Example Enterprise allows Privilege Escalation.",
- "datePublic": "2021-09-08T16:24:00.000Z",
- "problemTypes": [
- {
- "descriptions": [
- {
- "lang": "en",
- "cweId": "CWE-78",
- "description": "CWE-78 OS Command Injection",
- "type": "CWE"
- }
- ]
- }
- ],
- "impacts": [
- {
- "capecId": "CAPEC-233",
- "descriptions": [
- {
- "lang": "en",
- "value": "CAPEC-233 Privilege Escalation"
- }
- ]
- }
- ],
- "affected": [
- {
- "vendor": "Example.org",
- "product": "Example Enterprise",
- "platforms": [
- "Windows",
- "MacOS",
- "XT-4500"
- ],
- "collectionURL": "https://example.org/packages",
- "packageName": "example_enterprise",
- "repo": "git://example.org/source/example_enterprise",
- "modules": [
- "Web-Management-Interface"
- ],
- "programFiles": [
- "example_enterprise/example.php"
- ],
- "programRoutines": [
- {
- "name": "parseFilename"
- }
- ],
- "versions": [
- {
- "version": "1.0.0",
- "status": "affected",
- "lessThan": "1.0.6",
- "versionType": "semver"
- },
- {
- "version": "2.1.0",
- "status": "unaffected",
- "lessThan": "2.1.*",
- "changes": [
- {
- "at": "2.1.6",
- "status": "affected"
- },
- {
- "at": "2.1.9",
- "status": "unaffected"
- }
- ],
- "versionType": "semver"
- },
- {
- "version": "3.0.0",
- "status": "unaffected",
- "lessThan": "*",
- "versionType": "semver"
- }
- ],
- "defaultStatus": "unaffected"
- }
- ],
- "cpeApplicability": [
- {
- "operator": "AND",
- "nodes": [
- {
- "operator": "OR",
- "negate": false,
- "cpeMatch": [
- {
- "vulnerable": true,
- "criteria": "cpe:2.3:a:example_org:example_enterprise:*:*:*:*:*:*:*:*",
- "versionStartIncluding": "1.0.0",
- "versionEndExcluding": "1.0.6"
- },
- {
- "vulnerable": true,
- "criteria": "cpe:2.3:a:example_org:example_enterprise:*:*:*:*:*:*:*:*",
- "versionStartIncluding": "2.1.6",
- "versionEndExcluding": "2.1.9"
- }
- ]
- },
- {
- "operator": "OR",
- "negate": false,
- "cpeMatch": [
- {
- "vulnerable": false,
- "criteria": "cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*"
- },
- {
- "vulnerable": false,
- "criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*"
- },
- {
- "vulnerable": false,
- "criteria": "cpe:2.3:h:some_company:xt-4500:*:*:*:*:*:*:*:*"
- }
- ]
- }
- ]
- }
- ],
- "descriptions": [
- {
- "lang": "en",
- "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, macOS, and XT-4500 allows remote unauthenticated attackers to escalate privileges. This issue affects: 1.0 versions before 1.0.6, 2.1 versions from 2.16 until 2.1.9.",
- "supportingMedia": [
- {
- "type": "text/html",
- "base64": false,
- "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, macOS, and XT-4500 allows remote unauthenticated attackers to escalate privileges.
This issue affects:
> service disable webmgmt" - } - ] - } - ], - "configurations": [ - { - "lang": "en", - "value": "Web management interface should be enabled.\n> service status webmgmt\nwebmgmt running", - "supportingMedia": [ - { - "type": "text/html", - "base64": false, - "value": "Web management interface should be enabled.
> service status webmgmt" - } - ] - } - ], - "exploits": [ - { - "lang": "en", - "value": "Example.org is not aware of any malicious exploitation of the issue however exploits targeting this issue are publicly available.", - "supportingMedia": [ - { - "type": "text/html", - "base64": false, - "value": "Example.org is not aware of any malicious exploitation of the issue however exploits targeting this issue are publicly available." - } - ] - } - ], - "timeline": [ - { - "time": "2001-09-01T07:31:00.000Z", - "lang": "en", - "value": "Issue discovered by Alice using Acme Autofuzz" - }, - { - "time": "2021-09-02T16:36:00.000Z", - "lang": "en", - "value": "Confirmed by Bob" - }, - { - "time": "2021-09-07T16:37:00.000Z", - "lang": "en", - "value": "Fixes released" - } - ], - "credits": [ - { - "lang": "en", - "value": "Alice", - "type": "finder" - }, - { - "lang": "en", - "value": "Bob", - "type": "analyst" - }, - { - "lang": "en", - "value": "Acme Autofuzz", - "type": "tool" - } - ], - "references": [ - { - "url": "https://example.org/ESA-22-11-CVE-1900-1234", - "name": "ESA-22-11", - "tags": [ - "vendor-advisory" - ] - }, - { - "url": "https://example.com/blog/alice/pwning_example_enterprise", - "name": "Pwning Example Enterprise", - "tags": [ - "technical-description", - "third-party-advisory" - ] - }, - { - "url": "https://example.org/bugs/EXAMPLE-1234", - "name": "EXAMPLE-1234", - "tags": [ - "issue-tracking" - ] - }, - { - "url": "https://example.org/ExampleEnterprise", - "tags": [ - "product" - ] - } - ], - "source": { - "defects": [ - "EXAMPLE-1234" - ], - "advisory": "ESA-22-11", - "discovery": "EXTERNAL" - }, - "taxonomyMappings": [ - { - "taxonomyName": "ATT&CK", - "taxonomyVersion": "v9", - "taxonomyRelations": [ - { - "taxonomyId": "T1190", - "relationshipName": "mitigated by", - "relationshipValue": "M1048" - } - ] - } - ] + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-1900-1234", + "assignerOrgId": 
"b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "assignerShortName": "example", + "requesterUserId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "serial": 1, + "state": "PUBLISHED" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "shortName": "example", + "dateUpdated": "2021-09-08T16:24:00.000Z" + }, + "title": "Buffer overflow in Example Enterprise allows Privilege Escalation.", + "datePublic": "2021-09-08T16:24:00.000Z", + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "cweId": "CWE-78", + "description": "CWE-78 OS Command Injection", + "type": "CWE" + } + ] + } + ], + "impacts": [ + { + "capecId": "CAPEC-233", + "descriptions": [ + { + "lang": "en", + "value": "CAPEC-233 Privilege Escalation" + } + ] + } + ], + "affected": [ + { + "vendor": "Example.org", + "product": "Example Enterprise", + "platforms": [ + "Windows", + "MacOS", + "XT-4500" + ], + "collectionURL": "https://example.org/packages", + "packageName": "example_enterprise", + "repo": "git://example.org/source/example_enterprise", + "modules": [ + "Web-Management-Interface" + ], + "programFiles": [ + "example_enterprise/example.php" + ], + "programRoutines": [ + { + "name": "parseFilename" + } + ], + "versions": [ + { + "version": "1.0.0", + "status": "affected", + "lessThan": "1.0.6", + "versionType": "semver" + }, + { + "version": "2.1.0", + "status": "unaffected", + "lessThan": "2.1.*", + "changes": [ + { + "at": "2.1.6", + "status": "affected" + }, + { + "at": "2.1.9", + "status": "unaffected" + } + ], + "versionType": "semver" + }, + { + "version": "3.0.0", + "status": "unaffected", + "lessThan": "*", + "versionType": "semver" + } + ], + "defaultStatus": "unaffected" + } + ], + "cpeApplicability": [ + { + "operator": "AND", + "nodes": [ + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": true, + "criteria": "cpe:2.3:a:example_org:example_enterprise:*:*:*:*:*:*:*:*", + "versionStartIncluding": 
"1.0.0", + "versionEndExcluding": "1.0.6" + }, + { + "vulnerable": true, + "criteria": "cpe:2.3:a:example_org:example_enterprise:*:*:*:*:*:*:*:*", + "versionStartIncluding": "2.1.6", + "versionEndExcluding": "2.1.9" + } + ] + }, + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": false, + "criteria": "cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*" + }, + { + "vulnerable": false, + "criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*" + }, + { + "vulnerable": false, + "criteria": "cpe:2.3:h:some_company:xt-4500:*:*:*:*:*:*:*:*" + } + ] + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, macOS, and XT-4500 allows remote unauthenticated attackers to escalate privileges. This issue affects: 1.0 versions before 1.0.6, 2.1 versions from 2.16 until 2.1.9.", + "supportingMedia": [ + { + "type": "text/html", + "base64": false, + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, macOS, and XT-4500 allows remote unauthenticated attackers to escalate privileges.
webmgmt running
> service disable webmgmt" + } + ] + } + ], + "configurations": [ + { + "lang": "en", + "value": "Web management interface should be enabled.\n> service status webmgmt\nwebmgmt running", + "supportingMedia": [ + { + "type": "text/html", + "base64": false, + "value": "Web management interface should be enabled.
> service status webmgmt" + } + ] + } + ], + "exploits": [ + { + "lang": "en", + "value": "Example.org is not aware of any malicious exploitation of the issue however exploits targeting this issue are publicly available.", + "supportingMedia": [ + { + "type": "text/html", + "base64": false, + "value": "Example.org is not aware of any malicious exploitation of the issue however exploits targeting this issue are publicly available." + } + ] + } + ], + "timeline": [ + { + "time": "2001-09-01T07:31:00.000Z", + "lang": "en", + "value": "Issue discovered by Alice using Acme Autofuzz" + }, + { + "time": "2021-09-02T16:36:00.000Z", + "lang": "en", + "value": "Confirmed by Bob" + }, + { + "time": "2021-09-07T16:37:00.000Z", + "lang": "en", + "value": "Fixes released" + } + ], + "credits": [ + { + "lang": "en", + "value": "Alice", + "type": "finder" + }, + { + "lang": "en", + "value": "Bob", + "type": "analyst" + }, + { + "lang": "en", + "value": "Acme Autofuzz", + "type": "tool" + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1900-1234", + "name": "ESA-22-11", + "tags": [ + "vendor-advisory" + ] + }, + { + "url": "https://example.com/blog/alice/pwning_example_enterprise", + "name": "Pwning Example Enterprise", + "tags": [ + "technical-description", + "third-party-advisory" + ] + }, + { + "url": "https://example.org/bugs/EXAMPLE-1234", + "name": "EXAMPLE-1234", + "tags": [ + "issue-tracking" + ] + }, + { + "url": "https://example.org/ExampleEnterprise", + "tags": [ + "product" + ] + } + ], + "source": { + "defects": [ + "EXAMPLE-1234" + ], + "advisory": "ESA-22-11", + "discovery": "EXTERNAL" + }, + "taxonomyMappings": [ + { + "taxonomyName": "ATT&CK", + "taxonomyVersion": "v9", + "taxonomyRelations": [ + { + "taxonomyId": "T1190", + "relationshipName": "mitigated by", + "relationshipValue": "M1048" + } + ] + } + ] + } } - } } 
diff --git a/schema/imports/ssvc/SelectionList_2_0_0_CVE.schema.json b/schema/imports/ssvc/SelectionList_2_0_0_CVE.schema.json
new file mode 100644
index 00000000000..3e43cab375d
--- /dev/null
+++ b/schema/imports/ssvc/SelectionList_2_0_0_CVE.schema.json
@@ -0,0 +1,229 @@
+{
+ "title": "SelectionList",
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "description": "This schema defines the structure to represent an SSVC SelectionList object.",
+ "type": "object",
+ "$defs": {
+ "MinimalDecisionPointValue": {
+ "title": "MinimalDecisionPointValue",
+ "additionalProperties": false,
+ "description": "A minimal representation of a decision point value.\nIntended to parallel the DecisionPointValue object, but with fewer required fields.\nA decision point value is uniquely identified within a decision point by its key.\nGlobally, the combination of Decision Point namespace, key, and version coupled with the value key\nuniquely identifies a value across all decision points and values.\nOther required fields in the DecisionPointValue object, such as name and description, are optional here.",
+ "properties": {
+ "name": {
+ "title": "Name",
+ "minLength": 1,
+ "type": "string"
+ },
+ "definition": {
+ "title": "Definition",
+ "minLength": 1,
+ "type": "string"
+ },
+ "key": {
+ "title": "Key",
+ "description": "A short, non-empty string identifier for the object. Keys must start with an alphanumeric, contain only alphanumerics and `_`, and end with an alphanumeric.(`T*` is explicitly grandfathered in as a valid key, but should not be used for new objects.)",
+ "examples": [
+ "E",
+ "A",
+ "SI",
+ "L",
+ "M",
+ "H",
+ "Mixed_case_OK",
+ "alph4num3ric"
+ ],
+ "minLength": 1,
+ "pattern": "^(([a-zA-Z0-9])|([a-zA-Z0-9][a-zA-Z0-9_]*[a-zA-Z0-9])|(T\\*))$",
+ "type": "string"
+ }
+ },
+ "required": [
+ "key"
+ ],
+ "type": "object"
+ },
+ "Reference": {
+ "title": "Reference",
+ "additionalProperties": false,
+ "description": "A reference to a resource that provides additional context about the decision points or selections.\nThis object is intentionally minimal and contains only the URL and an optional description.",
+ "properties": {
+ "uri": {
+ "title": "Uri",
+ "format": "uri",
+ "minLength": 1,
+ "type": "string"
+ },
+ "summary": {
+ "title": "Summary",
+ "type": "string"
+ }
+ },
+ "required": [
+ "uri",
+ "summary"
+ ],
+ "type": "object"
+ },
+ "Selection": {
+ "title": "Selection",
+ "additionalProperties": false,
+ "description": "A minimal selection object that contains the decision point ID and the selected values.\nWhile the Selection object parallels the DecisionPoint object, it is intentionally minimal, with\nfewer required fields and no additional metadata, as it is meant to represent a selection made from a\npreviously defined decision point. The expectation is that a Selection object will usually have\nfewer values than the original decision point, as it represents a specific evaluation\nat a specific time and may therefore rule out some values that were previously considered.\nOther fields like name and description may be copied from the decision point, but are not required.",
+ "properties": {
+ "namespace": {
+ "type": "string",
+ "enum": [
+ "cisa",
+ "cvss",
+ "ssvc",
+ "aivss"
+ ],
+ "title": "Namespace",
+ "description": "The namespace of the SSVC object. (Restricted to CVE Program)"
+ },
+ "key": {
+ "title": "Key",
+ "description": "A short, non-empty string identifier for the object. Keys must start with an alphanumeric, contain only alphanumerics and `_`, and end with an alphanumeric.(`T*` is explicitly grandfathered in as a valid key, but should not be used for new objects.)",
+ "examples": [
+ "E",
+ "A",
+ "SI",
+ "L",
+ "M",
+ "H",
+ "Mixed_case_OK",
+ "alph4num3ric"
+ ],
+ "minLength": 1,
+ "pattern": "^(([a-zA-Z0-9])|([a-zA-Z0-9][a-zA-Z0-9_]*[a-zA-Z0-9])|(T\\*))$",
+ "type": "string"
+ },
+ "version": {
+ "title": "Version",
+ "description": "The version of the SSVC object. This must be a valid semantic version string.",
+ "examples": [
+ "1.0.0",
+ "2.1.3"
+ ],
+ "minLength": 5,
+ "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$",
+ "type": "string"
+ },
+ "name": {
+ "title": "Name",
+ "minLength": 1,
+ "type": "string"
+ },
+ "definition": {
+ "title": "Definition",
+ "minLength": 1,
+ "type": "string"
+ },
+ "values": {
+ "title": "Values",
+ "description": "A list of selected value keys from the decision point values.",
+ "examples": [
+ [
+ {
+ "key": "N"
+ },
+ {
+ "key": "Y"
+ }
+ ],
+ [
+ {
+ "key": "A"
+ },
+ {
+ "key": "B"
+ },
+ {
+ "key": "C"
+ }
+ ]
+ ],
+ "items": {
+ "$ref": "#/$defs/MinimalDecisionPointValue"
+ },
+ "minItems": 1,
+ "type": "array"
+ }
+ },
+ "required": [
+ "namespace",
+ "key",
+ "version",
+ "values"
+ ],
+ "type": "object"
+ }
+ },
+ "properties": {
+ "timestamp": {
+ "title": "Timestamp",
+ "description": "Timestamp of the selections, in RFC 3339 format.",
+ "examples": [
+ "2025-01-01T12:00:00Z",
+ "2025-01-02T15:30:45-04:00"
+ ],
+ "format": "date-time",
+ "type": "string"
+ },
+ "selections": {
+ "title": "Selections",
+ "description": "List of selections made from decision points. Each selection item corresponds to value keys contained in a specific decision point identified by its namespace, key, and version. Note that selection objects are deliberately minimal objects and do not contain the full decision point details.",
+ "items": {
+ "$ref": "#/$defs/Selection"
+ },
+ "minItems": 1,
+ "type": "array"
+ },
+ "decision_point_resources": {
+ "title": "Decision Point Resources",
+ "description": "A list of resources that provide additional context about the decision points found in this selection.",
+ "examples": [
+ [
+ {
+ "summary": "Documentation for a set of decision points",
+ "uri": "https://example.com/decision_points"
+ },
+ {
+ "summary": "JSON representation of decision point 2",
+ "uri": "https://example.org/definitions/dp2.json"
+ },
+ {
+ "summary": "A JSON file containing extension decision points in the x_com.example namespace",
+ "uri": "https://example.com/ssvc/x_com.example/decision_points.json"
+ }
+ ]
+ ],
+ "items": {
+ "$ref": "#/$defs/Reference"
+ },
+ "minItems": 1,
+ "type": "array"
+ },
+ "references": {
+ "title": "References",
+ "description": "A list of references that provide additional context about the specific values selected.",
+ "examples": [
+ [
+ {
+ "summary": "A report on which the selections were based",
+ "uri": "https://example.com/report"
+ }
+ ]
+ ],
+ "items": {
+ "$ref": "#/$defs/Reference"
+ },
+ "minItems": 1,
+ "type": "array"
+ }
+ },
+ "required": [
+ "timestamp",
+ "selections"
+ ],
+ "additionalProperties": false
+}
\ No newline at end of file
diff --git a/schema/imports/ssvc/deep-ssvc-v1.0.1.json b/schema/imports/ssvc/deep-ssvc-v1.0.1.json
deleted file mode 100644
index ca5b1115114..00000000000
--- a/schema/imports/ssvc/deep-ssvc-v1.0.1.json
+++ /dev/null
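Review bot: The strings and arrays in this new schema have no upper bounds: `name`, `definition`, `summary`, `key` and `uri` set no `maxLength`, and `selections`, `values`, `references` and `decision_point_resources` set `minItems` only, so a record that validates can still carry arbitrarily large SSVC content to every downstream consumer. `uri` and `timestamp` also rely on `format`, which draft 2020-12 validators treat as an annotation unless format assertion is enabled, so in practice `uri` accepts any non-empty string. I would add limits such as `"maxLength": 2048` on `uri` and a `"maxItems"` on each array (values illustrative, to be agreed), and constrain `uri` with a scheme `pattern` or with the record format's own URI type if it defines one. Separately, the `Reference` description calls the description optional while `required` lists `summary`, and the `decision_point_resources` example mentions the `x_com.example` namespace, which the new `namespace` enum does not admit; the wording should match the constraints.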
@@ -1,86 +0,0 @@ -{ - "$schema": "https://json-schema.org/draft/2020-12/schema", - "$id": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json", - "description": "This schema defines the structure for selecting SSVC Decision Points and their evaluated values for a given vulnerability. Each vulnerability can have multiple Decision Points, and each Decision Point can have multiple selected values when full certainty is not available.", - "$defs": { - "id": { - "type": "string", - "description": "Identifier for the vulnerability that was evaluation, such as CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.", - "examples": ["CVE-1900-1234","VU#11111","GHSA-11a1-22b2-33c3"], - "minLength": 1 - }, - "role": { - "type": "string", - "description": "The role of the stakeholder performing the evaluation (e.g., Supplier, Deployer, Coordinator). See SSVC documentation for a currently identified list: https://certcc.github.io/SSVC/topics/enumerating_stakeholders/", - "examples": ["Supplier","Deployer","Coordinator"], - "minLength": 1 - }, - "timestamp" : { - "description": "Date and time when the evaluation of the Vulnerability was performed according to RFC 3339, section 5.6.", - "type": "string", - "format": "date-time" - }, - "SsvcdecisionpointselectionSchema": { - "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability evaluation.", - "properties": { - "name": { - "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point/properties/name" - }, - "namespace": { - "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point/properties/namespace" - }, - "values": { - "description": "One or more Decision Point Values that were selected for this Decision Point. 
If the evaluation is uncertain, multiple values may be listed to reflect the potential range of possibilities.", - "title": "values", - "type": "array", - "minItems": 1, - "items": { - "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point_value/properties/name" - } - }, - "version": { - "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point/properties/version" - } - }, - "type": "object", - "required": [ - "name", - "namespace", - "values", - "version" - ], - "additionalProperties": false - } - }, - "properties": { - "id": { - "$ref": "#/$defs/id" - }, - "role": { - "$ref": "#/$defs/role" - }, - "schemaVersion": { - "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/schemaVersion" - }, - "timestamp": { - "$ref": "#/$defs/timestamp" - }, - "selections": { - "description": "An array of Decision Points and their selected values for the identified Vulnerability. If a clear evaluation is uncertain, multiple values may be listed for a Decision Point instead of waiting for perfect clarity.", - "title": "selections", - "type": "array", - "minItems": 1, - "items": { - "$ref": "#/$defs/SsvcdecisionpointselectionSchema" - } - } - }, - "type": "object", - "required": [ - "selections", - "id", - "timestamp", - "schemaVersion" - ], - "additionalProperties": false -} diff --git a/schema/imports/ssvc/ssvc-v1.0.1.json b/schema/imports/ssvc/ssvc-v1.0.1.json deleted file mode 100644 index 306ea086228..00000000000 --- a/schema/imports/ssvc/ssvc-v1.0.1.json +++ /dev/null 
@@ -1,125 +0,0 @@
-{
- "$schema": "https://json-schema.org/draft/2020-12/schema",
- "$id": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json",
- "description": "This schema defines the structure for selecting SSVC Decision Points and their evaluated values for a given vulnerability. Each vulnerability can have multiple Decision Points, and each Decision Point can have multiple selected values when full certainty is not available.",
- "$defs": {
- "id": {
- "type": "string",
- "description": "Identifier for the vulnerability that was evaluation, such as CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.",
- "examples": [
- "CVE-1900-1234",
- "VU#11111",
- "GHSA-11a1-22b2-33c3"
- ],
- "minLength": 1
- },
- "role": {
- "type": "string",
- "description": "The role of the stakeholder performing the evaluation (e.g., Supplier, Deployer, Coordinator). See SSVC documentation for a currently identified list: https://certcc.github.io/SSVC/topics/enumerating_stakeholders/",
- "examples": [
- "Supplier",
- "Deployer",
- "Coordinator"
- ],
- "minLength": 1
- },
- "timestamp": {
- "description": "Date and time when the evaluation of the Vulnerability was performed according to RFC 3339, section 5.6.",
- "type": "string",
- "format": "date-time"
- },
- "SsvcdecisionpointselectionSchema": {
- "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability evaluation.",
- "properties": {
- "name": {
- "type": "string",
- "description": "A short label that identifies a Decision Point.",
- "minLength": 1,
- "examples": [
- "Exploitation",
- "Automatable"
- ]
- },
- "namespace": {
- "type": "string",
- "description": "Namespace (a short, unique string): For example, \"ssvc\" or \"cvss\" to indicate the source of the decision point. 
See SSVC Documentation for details.",
- "pattern": "^[a-z0-9-]{3,4}[a-z0-9/\\.-]*$",
- "examples": [
- "ssvc",
- "cvss",
- "ssvc-jp",
- "ssvc/acme",
- "ssvc/example.com"
- ]
- },
- "values": {
- "description": "One or more Decision Point Values that were selected for this Decision Point. If the evaluation is uncertain, multiple values may be listed to reflect the potential range of possibilities.",
- "title": "values",
- "type": "array",
- "minItems": 1,
- "items": {
- "type": "string",
- "description": "A short label that identifies a Decision Point Value",
- "minLength": 1,
- "examples": [
- "Public PoC",
- "Yes"
- ]
- }
- },
- "version": {
- "type": "string",
- "description": "Version (a semantic version string) that identifies the version of a Decision Point.",
- "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$",
- "examples": [
- "1.0.1",
- "1.0.1-alpha"
- ]
- }
- },
- "type": "object",
- "required": [
- "name",
- "namespace",
- "values",
- "version"
- ],
- "additionalProperties": false
- }
- },
- "properties": {
- "id": {
- "$ref": "#/$defs/id"
- },
- "role": {
- "$ref": "#/$defs/role"
- },
- "schemaVersion": {
- "description": "Schema version used to represent this Decision Point.",
- "type": "string",
- "enum": [
- "1-0-1"
- ]
- },
- "timestamp": {
- "$ref": "#/$defs/timestamp"
- },
- "selections": {
- "description": "An array of Decision Points and their selected values for the identified Vulnerability. If a clear evaluation is uncertain, multiple values may be listed for a Decision Point instead of waiting for perfect clarity.",
- "title": "selections",
- "type": "array",
- "minItems": 1,
- "items": {
- "$ref": "#/$defs/SsvcdecisionpointselectionSchema"
- }
- }
- },
- "type": "object",
- "required": [
- "selections",
- "id",
- "timestamp",
- "schemaVersion"
- ],
- "additionalProperties": false
-}
diff --git a/schema/support/schema2markmap/schema-bundle.js b/schema/support/schema2markmap/schema-bundle.js index 2e81fb143cd..3f7b254b9ba 100644 --- a/schema/support/schema2markmap/schema-bundle.js +++ b/schema/support/schema2markmap/schema-bundle.js @@ -21,8 +21,9 @@ async function schemaBundle() { delete metricProperties.cvssV3_1.license; delete metricProperties.cvssV3_0.license; delete metricProperties.cvssV2_0.license; - delete metricProperties.ssvcV1_0_1.$id; delete metricProperties.ssvcV2_0_0.$id; + ssvc_2_0_0_cve_namespace = {"type": "string", "enum": ["cisa", "cvss", "ssvc", "aivss"], "title": "Namespace", "description": "The namespace of the SSVC object. (Restricted to CVE Program"}; + metricProperties.ssvcV2_0_0.$defs.Selection.properties.namespace = ssvc_2_0_0_cve_namespace; fs.writeFile(`${dirName}/CVE_Record_Format_bundled.json`, diff --git a/tools/cve-schema-test.sh b/tools/cve-schema-test.sh index 03acfe5f1a4..162618da8aa 100644 --- a/tools/cve-schema-test.sh +++ b/tools/cve-schema-test.sh @@ -7,7 +7,10 @@ CVE_SCHEMA_FILENAME=CVE_Record_Format.json npm --prefix "${CVE_SCHEMA_DIR}/support/schema2markmap" install "${CVE_SCHEMA_DIR}/support/schema2markmap" -python3.12 "${REPO_DIR}/tools/merge_schema.py" "${CVE_SCHEMA_DIR}/imports/ssvc/deep-ssvc-v1.0.1.json" > "${CVE_SCHEMA_DIR}/imports/ssvc/ssvc-v1.0.1.json" +#ssvc1.0.1 removed +#python3.12 "${REPO_DIR}/tools/merge_schema.py" "${CVE_SCHEMA_DIR}/imports/ssvc/deep-ssvc-v1.0.1.json" > "${CVE_SCHEMA_DIR}/imports/ssvc/ssvc-v1.0.1.json" + +node "${REPO_DIR}/tools/ssvc_cve_schema.js" "${REPO_DIR}/schema/imports/ssvc/SelectionList_2_0_0_CVE.schema.json" sed 's/file\://g' "${CVE_SCHEMA_DIR}/${CVE_SCHEMA_FILENAME}" > "${CVE_SCHEMA_DIR}/cve-schema.json" diff --git a/tools/ssvc_cve_schema.js b/tools/ssvc_cve_schema.js new file mode 100644 index 00000000000..916ce362872 --- /dev/null +++ b/tools/ssvc_cve_schema.js 
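Review bot: `ssvc_2_0_0_cve_namespace` is assigned in the schema-bundle.js hunk without a declaration, so it is an implicit global in sloppy mode and a ReferenceError if the file runs as an ES module or in strict mode (which of these applies is not visible here); declare it with `const ssvc_2_0_0_cve_namespace = {...};`. This object is the allow-list that restricts which SSVC namespaces a CVE Record may carry, so a failure here should be loud rather than leave the upstream, unrestricted `namespace` definition in the bundle. The following line dereferences `metricProperties.ssvcV2_0_0.$defs.Selection.properties` unguarded, so an upstream rename of `Selection` fails with a bare TypeError; a check such as `if (!metricProperties.ssvcV2_0_0?.$defs?.Selection?.properties) throw new Error("SSVC 2.0.0 schema: $defs.Selection missing");` before the assignment would make the cause clear. The description string also lacks its closing parenthesis (`"(Restricted to CVE Program"`), and that text is written into the bundled schema. schemaBundle() starts and ends outside the hunk.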
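Review bot: The added `node "${REPO_DIR}/tools/ssvc_cve_schema.js" …` step in cve-schema-test.sh rewrites `SelectionList_2_0_0_CVE.schema.json` on every test run, and the script it calls imports `https` and defines a `SOURCE_URL` on certcc.github.io, so the schema under test appears to come from a live remote document (the rest of that script is outside this view). That makes the run non-reproducible and lets an upstream edit or a tampered response change the CVE schema without a reviewed commit; validating against the checked-in copy, or comparing the download with a pinned digest before writing it, would close that gap. Nothing in the hunk stops the script when the node step fails, so unless `set -e` is set earlier in the file a failed fetch leaves a stale or missing schema for the `sed` step; `node … || exit 1` makes the failure explicit. The commented-out `python3.12` line can be deleted outright, since the history keeps it.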
@@ -0,0 +1,88 @@
+import fs from "fs";
+import https from "https";
+import path from "path";
+
+const SOURCE_URL =
+ "https://certcc.github.io/SSVC/data/schema/v2/SelectionList_2_0_0.schema.json";
+
+// ---- CLI ARG HANDLING ----
+const outputFile = process.argv[2];
+
+if (!outputFile) {
+ console.error(
+ "Usage: node support/ssvc_cve_schema.js