From a24ada2e7dfa6a150e1fc68ccd416f7120f8ae02 Mon Sep 17 00:00:00 2001
From: Vijay Sarvepalli
Date: Tue, 30 Sep 2025 12:57:24 -0400
Subject: [PATCH 1/8] Updated with RFD as requested by @ccoffin
---
 rfds/0459-SSVC-2-0-0-add.md | 145 ++++
 schema/docs/full-record-advanced-example.json | 795 +++++++++---------
 2 files changed, 560 insertions(+), 380 deletions(-)
 create mode 100644 rfds/0459-SSVC-2-0-0-add.md
diff --git a/rfds/0459-SSVC-2-0-0-add.md b/rfds/0459-SSVC-2-0-0-add.md
new file mode 100644
index 00000000000..b64d6bee7ca
--- /dev/null
+++ b/rfds/0459-SSVC-2-0-0-add.md
@@ -0,0 +1,145 @@
+# Adding SSVC 2.0.0 as optional structured metrics to CVE metrics block
+
+| Field | Value |
+|:-----------------|:-------|
+| RFD Submitter | Vijay Sarvepalli (CERT/CC) |
+| RFD Pull Request | [RFD #0459](https://github.com/CVEProject/cve-schema/pull/459) |
+
+## Summary
+[summary]: #summary
+
+This proposal adds support for ** Stakeholder-Specific Vulnerability Categorization (SSVC) 2.0.0** as an optional structured element under the CVE `metrics` block.
+
+Currently, SSVC data is included inconsistently in the unstructured `"other"` field, which limits its machine readability, interoperability, and adoption. By providing a formal schema location for SSVC, CVE Records will be able to more reliably capture and distribute this emerging prioritization framework.
+
+## Problem Statement
+[problem-statement]: #problem-statement
+
+- SSVC is operationally used by organizations (e.g., CISA, VulnCheck, CERT/CC) to prioritize vulnerability response.
+- Today, SSVC values are often published only in custom structured, reducing consistency and limiting automated analysis.
+- Embedding SSVC data in the `"other"` field of CVE Records creates barriers to adoption:
+ - Lack of machine readability and tooling support.
+ - Inconsistent implementations across CNAs and ADPs.
+ - Increased cost for downstream consumers to parse and normalize data.
+
+Without a structured, standardized location in the CVE schema, SSVC cannot fulfill its intended role as a practical complement to CVSS and other metrics.
+
+## Proposed Solution
+[proposed-solution]: #proposed-solution
+
+- Add an optional `ssvc` object under the `metrics` block of the CVE Record schema.
+- Specify versioned support (both schema versions 1.0.0 and 2.0.0 are included).
+- Ensure fields capture the core SSVC decision points and outcomes in a standardized way.
+- Maintain backwards compatibility with existing CVE Records (non-breaking change).
+
+This ensures that CVE Records can cleanly incorporate SSVC alongside other structured metrics such as CVSS and EPSS.
+
+## Examples
+[examples]: #examples
+
+The test-cases for PR [#459](https://github.com/CVEProject/cve-schema/pull/459) illustrate how SSVC data can be expressed. For example:
+
+https://certcc.github.io/SSVC/data/schema_examples/CVE-1900-1234-Decision_Point_Value_Selection-2-0-0.json
+
+```json
+{
+ "target_ids": ["CVE-1900-1234"],
+ "timestamp": "2021-09-29T15:29:44Z",
+ "schemaVersion": "2.0.0",
+ "selections": [
+ {
+ "namespace": "ssvc",
+ "name": "Exploitation",
+ "key": "E",
+ "version": "1.1.0",
+ "values": [
+ {"name":"Active", "key": "A"}
+ ]
+ },
+ {
+ "namespace": "ssvc",
+ "name": "Automatable",
+ "key": "A",
+ "version": "2.0.0",
+ "values": [
+ {"name": "Yes", "key": "Y"}
+ ]
+ },
+ {
+ "namespace": "ssvc",
+ "name": "Technical Impact",
+ "key": "TI",
+ "version": "1.0.0",
+ "values": [
+ {"name": "Total","key":"T"}
+ ]
+ }
+ ]
+}
+```
+
+## Impact Assessment
+[impact-assessment]: #impact-assessment
+
+For CNAs/ADPs: Provides a formal schema location to include SSVC, reducing ambiguity and effort in data publication.
+
+For Consumers: Simplifies automated ingestion of SSVC data, reducing the need for scraping or custom parsers.
+
+For the CVE Program: Strengthens the role of CVE Records as a hub for standardized vulnerability metadata, aligning with the needs of defenders and decision-makers.
+
+## Compatibility and Migration
+[compatibility-and-migration]: #compatibility-and-migration
+
+Backwards compatible: Existing CVE Records and tooling remain unaffected.
+
+Adoption is optional: CNAs/ADPs can choose whether to include SSVC.
+
+Migration path: CNAs currently embedding SSVC in "other" fields can gradually shift to using the structured ssvc block.
+
+## Success Metrics [success-metrics]: #success-metrics
+
+RFD will be considered successful if:
+* At least one ADP (e.g., CISA, VulnCheck, CERT/CC) adopts the new structured ssvc block within one year.
+
+* Major consumer tools (CVE Services,vuln enrichment pipelines, dashboards) can automatically parse SSVC data without special parsing logic.
+
+If adoption is slow, additional tooling or guidance may be provided to ease integration.
+
+## Supporting Data or Research
+[supporting-data-or-research]: #supporting-data-or-research
+
+CISA Vulnrichment and VulnCheck both actively publish SSVC prioritization data, but not in a standardized, machine-readable format.
+
+VulnCheck currently has SSVC coverage for 244,866 CVEs, while CISA Vulnrichment covers 64,142 CVEs.
+
+See: Automating SSVC (VulnCheck blog)[[https://www.vulncheck.com/blog/automating-ssvc]
+
+
+
+## Related Issues or Proposals
+[related-issues-or-proposals]: #related-issues-or-proposals
+
+* CVE Schema discussion on extending metrics beyond CVSS.
+
+* Related work on EPSS and KEV integration into CVE Records.
+
+## Recommended Priority
+[recommended-priority]: #recommended-priority
+
+Medium.
+
+SSVC is not yet universal, but adoption is growing rapidly.
+
+Providing structured schema support now will prevent fragmentation and reduce downstream costs.
+
+## Unresolved Questions
+[unresolved-questions]: #unresolved-questions
+
+No new questions arise except other known concerns in metrics
+
+## Future Possibilities
+[future-possibilities]: #future-possibilities
+
+Tooling for Vulnogram and cveClient to adopt and use SSVC natively
+
+
diff --git a/schema/docs/full-record-advanced-example.json b/schema/docs/full-record-advanced-example.json
index 89ce394fe11..32fd840c991 100644
--- a/schema/docs/full-record-advanced-example.json
+++ b/schema/docs/full-record-advanced-example.json
@@ -1,383 +1,418 @@ { - "dataType": "CVE_RECORD", - "dataVersion": "5.1", - "cveMetadata": { - "cveId": "CVE-1900-1234", - "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", - "assignerShortName": "example", - "requesterUserId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", - "serial": 1, - "state": "PUBLISHED" - }, - "containers": { - "cna": { - "providerMetadata": { - "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", - "shortName": "example", - "dateUpdated": "2021-09-08T16:24:00.000Z" - }, - "title": "Buffer overflow in Example Enterprise allows Privilege Escalation.", - "datePublic": "2021-09-08T16:24:00.000Z", - "problemTypes": [ - { - "descriptions": [ - { - "lang": "en", - "cweId": "CWE-78", - "description": "CWE-78 OS Command Injection", - "type": "CWE" - } - ] - } - ], - "impacts": [ - { - "capecId": "CAPEC-233", - "descriptions": [ - { - "lang": "en", - "value": "CAPEC-233 Privilege Escalation" - } - ] - } - ], - "affected": [ - { - "vendor": "Example.org", - "product": "Example Enterprise", - "platforms": [ - "Windows", - "MacOS", - "XT-4500" - ], - "collectionURL": "https://example.org/packages", - "packageName": "example_enterprise", - "repo": "git://example.org/source/example_enterprise", - "modules": [ - "Web-Management-Interface" - ], - "programFiles": [ - "example_enterprise/example.php" - ], - "programRoutines": [ - { - "name": "parseFilename" - } - ], - "versions": [ - { - "version": "1.0.0", - "status": "affected", - "lessThan": "1.0.6", - "versionType": "semver" - }, - { - "version": "2.1.0", - "status": "unaffected", - "lessThan": "2.1.*", - "changes": [ - { - "at": "2.1.6", - "status": "affected" - }, - { - "at": "2.1.9", - "status": "unaffected" - } - ], - "versionType": "semver" - }, - { - "version": "3.0.0", - "status": "unaffected", - "lessThan": "*", - "versionType": "semver" - } - ], - "defaultStatus": "unaffected" - } - ], - "cpeApplicability": [ - { - "operator": "AND", - "nodes": [ - { - "operator": "OR", - "negate": false, - 
"cpeMatch": [ - { - "vulnerable": true, - "criteria": "cpe:2.3:a:example_org:example_enterprise:*:*:*:*:*:*:*:*", - "versionStartIncluding": "1.0.0", - "versionEndExcluding": "1.0.6" - }, - { - "vulnerable": true, - "criteria": "cpe:2.3:a:example_org:example_enterprise:*:*:*:*:*:*:*:*", - "versionStartIncluding": "2.1.6", - "versionEndExcluding": "2.1.9" - } - ] - }, - { - "operator": "OR", - "negate": false, - "cpeMatch": [ - { - "vulnerable": false, - "criteria": "cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*" - }, - { - "vulnerable": false, - "criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*" - }, - { - "vulnerable": false, - "criteria": "cpe:2.3:h:some_company:xt-4500:*:*:*:*:*:*:*:*" - } - ] - } - ] - } - ], - "descriptions": [ - { - "lang": "en", - "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, macOS, and XT-4500 allows remote unauthenticated attackers to escalate privileges. This issue affects: 1.0 versions before 1.0.6, 2.1 versions from 2.16 until 2.1.9.", - "supportingMedia": [ - { - "type": "text/html", - "base64": false, - "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, macOS, and XT-4500 allows remote unauthenticated attackers to escalate privileges.

This issue affects:
" - } - ] - }, - { - "lang": "eo", - "value": "OS-komand-injekta vundebleco parseFilename funkcio de example.php en la Web Administrado-Interfaco de Example.org Example Enterprise \u0109e Windows, macOS kaj XT-4500 permesas al malproksimaj nea\u016dtentikigitaj atakantoj eskaladi privilegiojn. \u0108i tiu afero efikas: 1.0-versioj anta\u016d 1.0.6, 2.1-versioj de 2.16 \u011dis 2.1.9.", - "supportingMedia": [ - { - "type": "text/html", - "base64": false, - "value": "OS-komand-injekta vundebleco parseFilename funkcio de example.php en la Web Administrado-Interfaco de Example.org Example Enterprise \u0109e Windows, macOS kaj XT-4500 permesas al malproksimaj nea\u016dtentikigitaj atakantoj eskaladi privilegiojn.

\u0108i tiu afero efikas:
" - } - ] - } - ], - "metrics": [ - { - "format": "CVSS", - "scenarios": [ - { - "lang": "en", - "value": "GENERAL" - } - ], - "ssvcV1_0_1": { - "id": "CVE-1900-1234", - "selections": [ - { - "namespace": "ssvc", - "name": "Exploitation", - "values": [ - "Public PoC", - "Active" - ], - "version": "1.1.0" - }, - { - "namespace": "ssvc", - "name": "Technical Impact", - "values": [ - "Total" - ], - "version": "1.0.0" - } - ], - "timestamp": "1999-04-23T18:25:43.511Z", - "schemaVersion": "1-0-1" - }, - "cvssV4_0": { - "baseScore": 7.8, - "baseSeverity": "HIGH", - "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:L", - "version": "4.0" - }, - "cvssV3_1": { - "version": "3.1", - "attackVector": "NETWORK", - "attackComplexity": "LOW", - "privilegesRequired": "NONE", - "userInteraction": "NONE", - "scope": "UNCHANGED", - "confidentialityImpact": "HIGH", - "integrityImpact": "HIGH", - "availabilityImpact": "HIGH", - "baseScore": 9.8, - "baseSeverity": "CRITICAL", - "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" - } - }, - { - "format": "CVSS", - "scenarios": [ - { - "lang": "en", - "value": "If the enhanced host protection mode is turned on, this vulnerability can only be exploited to run os commands as user 'nobody'. Privilege escalation is not possible." - } - ], - "cvssV3_1": { - "version": "3.1", - "attackVector": "NETWORK", - "attackComplexity": "LOW", - "privilegesRequired": "NONE", - "userInteraction": "NONE", - "scope": "UNCHANGED", - "confidentialityImpact": "LOW", - "integrityImpact": "LOW", - "availabilityImpact": "LOW", - "baseScore": 7.3, - "baseSeverity": "HIGH", - "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" - } - } - ], - "solutions": [ - { - "lang": "en", - "value": "This issue is fixed in 1.0.6, 2.1.9, and 3.0.0 and all later versions.", - "supportingMedia": [ - { - "type": "text/html", - "base64": false, - "value": "This issue is fixed in 1.0.6, 2.1.9, and 3.0.0 and all later versions." 
- } - ] - } - ], - "workarounds": [ - { - "lang": "en", - "value": "Disable the web management interface with the command\n> service disable webmgmt", - "supportingMedia": [ - { - "type": "text/html", - "base64": false, - "value": "Disable the web management interface with the command
> service disable webmgmt
" - } - ] - } - ], - "configurations": [ - { - "lang": "en", - "value": "Web management interface should be enabled.\n> service status webmgmt\nwebmgmt running", - "supportingMedia": [ - { - "type": "text/html", - "base64": false, - "value": "Web management interface should be enabled.
> service status webmgmt
webmgmt running
" - } - ] - } - ], - "exploits": [ - { - "lang": "en", - "value": "Example.org is not aware of any malicious exploitation of the issue however exploits targeting this issue are publicly available.", - "supportingMedia": [ - { - "type": "text/html", - "base64": false, - "value": "Example.org is not aware of any malicious exploitation of the issue however exploits targeting this issue are publicly available." - } - ] - } - ], - "timeline": [ - { - "time": "2001-09-01T07:31:00.000Z", - "lang": "en", - "value": "Issue discovered by Alice using Acme Autofuzz" - }, - { - "time": "2021-09-02T16:36:00.000Z", - "lang": "en", - "value": "Confirmed by Bob" - }, - { - "time": "2021-09-07T16:37:00.000Z", - "lang": "en", - "value": "Fixes released" - } - ], - "credits": [ - { - "lang": "en", - "value": "Alice", - "type": "finder" - }, - { - "lang": "en", - "value": "Bob", - "type": "analyst" - }, - { - "lang": "en", - "value": "Acme Autofuzz", - "type": "tool" - } - ], - "references": [ - { - "url": "https://example.org/ESA-22-11-CVE-1900-1234", - "name": "ESA-22-11", - "tags": [ - "vendor-advisory" - ] - }, - { - "url": "https://example.com/blog/alice/pwning_example_enterprise", - "name": "Pwning Example Enterprise", - "tags": [ - "technical-description", - "third-party-advisory" - ] - }, - { - "url": "https://example.org/bugs/EXAMPLE-1234", - "name": "EXAMPLE-1234", - "tags": [ - "issue-tracking" - ] - }, - { - "url": "https://example.org/ExampleEnterprise", - "tags": [ - "product" - ] - } - ], - "source": { - "defects": [ - "EXAMPLE-1234" - ], - "advisory": "ESA-22-11", - "discovery": "EXTERNAL" - }, - "taxonomyMappings": [ - { - "taxonomyName": "ATT&CK", - "taxonomyVersion": "v9", - "taxonomyRelations": [ - { - "taxonomyId": "T1190", - "relationshipName": "mitigated by", - "relationshipValue": "M1048" - } - ] - } - ] + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-1900-1234", + "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + 
"assignerShortName": "example", + "requesterUserId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "serial": 1, + "state": "PUBLISHED" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", + "shortName": "example", + "dateUpdated": "2021-09-08T16:24:00.000Z" + }, + "title": "Buffer overflow in Example Enterprise allows Privilege Escalation.", + "datePublic": "2021-09-08T16:24:00.000Z", + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "cweId": "CWE-78", + "description": "CWE-78 OS Command Injection", + "type": "CWE" + } + ] + } + ], + "impacts": [ + { + "capecId": "CAPEC-233", + "descriptions": [ + { + "lang": "en", + "value": "CAPEC-233 Privilege Escalation" + } + ] + } + ], + "affected": [ + { + "vendor": "Example.org", + "product": "Example Enterprise", + "platforms": [ + "Windows", + "MacOS", + "XT-4500" + ], + "collectionURL": "https://example.org/packages", + "packageName": "example_enterprise", + "repo": "git://example.org/source/example_enterprise", + "modules": [ + "Web-Management-Interface" + ], + "programFiles": [ + "example_enterprise/example.php" + ], + "programRoutines": [ + { + "name": "parseFilename" + } + ], + "versions": [ + { + "version": "1.0.0", + "status": "affected", + "lessThan": "1.0.6", + "versionType": "semver" + }, + { + "version": "2.1.0", + "status": "unaffected", + "lessThan": "2.1.*", + "changes": [ + { + "at": "2.1.6", + "status": "affected" + }, + { + "at": "2.1.9", + "status": "unaffected" + } + ], + "versionType": "semver" + }, + { + "version": "3.0.0", + "status": "unaffected", + "lessThan": "*", + "versionType": "semver" + } + ], + "defaultStatus": "unaffected" + } + ], + "cpeApplicability": [ + { + "operator": "AND", + "nodes": [ + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": true, + "criteria": "cpe:2.3:a:example_org:example_enterprise:*:*:*:*:*:*:*:*", + "versionStartIncluding": "1.0.0", + "versionEndExcluding": "1.0.6" + }, + 
{ + "vulnerable": true, + "criteria": "cpe:2.3:a:example_org:example_enterprise:*:*:*:*:*:*:*:*", + "versionStartIncluding": "2.1.6", + "versionEndExcluding": "2.1.9" + } + ] + }, + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": false, + "criteria": "cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*" + }, + { + "vulnerable": false, + "criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*" + }, + { + "vulnerable": false, + "criteria": "cpe:2.3:h:some_company:xt-4500:*:*:*:*:*:*:*:*" + } + ] + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, macOS, and XT-4500 allows remote unauthenticated attackers to escalate privileges. This issue affects: 1.0 versions before 1.0.6, 2.1 versions from 2.16 until 2.1.9.", + "supportingMedia": [ + { + "type": "text/html", + "base64": false, + "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, macOS, and XT-4500 allows remote unauthenticated attackers to escalate privileges.

This issue affects:
" + } + ] + }, + { + "lang": "eo", + "value": "OS-komand-injekta vundebleco parseFilename funkcio de example.php en la Web Administrado-Interfaco de Example.org Example Enterprise \u0109e Windows, macOS kaj XT-4500 permesas al malproksimaj nea\u016dtentikigitaj atakantoj eskaladi privilegiojn. \u0108i tiu afero efikas: 1.0-versioj anta\u016d 1.0.6, 2.1-versioj de 2.16 \u011dis 2.1.9.", + "supportingMedia": [ + { + "type": "text/html", + "base64": false, + "value": "OS-komand-injekta vundebleco parseFilename funkcio de example.php en la Web Administrado-Interfaco de Example.org Example Enterprise \u0109e Windows, macOS kaj XT-4500 permesas al malproksimaj nea\u016dtentikigitaj atakantoj eskaladi privilegiojn.

\u0108i tiu afero efikas:
" + } + ] + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en", + "value": "GENERAL" + } + ], + "ssvcV1_0_1": { + "id": "CVE-1900-1234", + "selections": [ + { + "namespace": "ssvc", + "name": "Exploitation", + "values": [ + "Public PoC", + "Active" + ], + "version": "1.1.0" + }, + { + "namespace": "ssvc", + "name": "Technical Impact", + "values": [ + "Total" + ], + "version": "1.0.0" + } + ], + "timestamp": "1999-04-23T18:25:43.511Z", + "schemaVersion": "1-0-1" + }, + "ssvcV2_0_0":{ + "target_ids": ["CVE-1900-1234"], + "timestamp": "2021-09-29T15:29:44Z", + "schemaVersion": "2.0.0", + "selections": [ + { + "namespace": "ssvc", + "name": "Exploitation", + "key": "E", + "version": "1.1.0", + "values": [ + {"name":"Active", "key": "A"} + ] + }, + { + "namespace": "ssvc", + "name": "Automatable", + "key": "A", + "version": "2.0.0", + "values": [ + {"name": "Yes", "key": "Y"} + ] + }, + { + "namespace": "ssvc", + "name": "Technical Impact", + "key": "TI", + "version": "1.0.0", + "values": [ + {"name": "Total","key":"T"} + ] + } + ] + }, + + "cvssV4_0": { + "baseScore": 7.8, + "baseSeverity": "HIGH", + "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:L", + "version": "4.0" + }, + "cvssV3_1": { + "version": "3.1", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "availabilityImpact": "HIGH", + "baseScore": 9.8, + "baseSeverity": "CRITICAL", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + }, + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en", + "value": "If the enhanced host protection mode is turned on, this vulnerability can only be exploited to run os commands as user 'nobody'. Privilege escalation is not possible." 
+ } + ], + "cvssV3_1": { + "version": "3.1", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "availabilityImpact": "LOW", + "baseScore": 7.3, + "baseSeverity": "HIGH", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" + } + } + ], + "solutions": [ + { + "lang": "en", + "value": "This issue is fixed in 1.0.6, 2.1.9, and 3.0.0 and all later versions.", + "supportingMedia": [ + { + "type": "text/html", + "base64": false, + "value": "This issue is fixed in 1.0.6, 2.1.9, and 3.0.0 and all later versions." + } + ] + } + ], + "workarounds": [ + { + "lang": "en", + "value": "Disable the web management interface with the command\n> service disable webmgmt", + "supportingMedia": [ + { + "type": "text/html", + "base64": false, + "value": "Disable the web management interface with the command
> service disable webmgmt
" + } + ] + } + ], + "configurations": [ + { + "lang": "en", + "value": "Web management interface should be enabled.\n> service status webmgmt\nwebmgmt running", + "supportingMedia": [ + { + "type": "text/html", + "base64": false, + "value": "Web management interface should be enabled.
> service status webmgmt
webmgmt running
" + } + ] + } + ], + "exploits": [ + { + "lang": "en", + "value": "Example.org is not aware of any malicious exploitation of the issue however exploits targeting this issue are publicly available.", + "supportingMedia": [ + { + "type": "text/html", + "base64": false, + "value": "Example.org is not aware of any malicious exploitation of the issue however exploits targeting this issue are publicly available." + } + ] + } + ], + "timeline": [ + { + "time": "2001-09-01T07:31:00.000Z", + "lang": "en", + "value": "Issue discovered by Alice using Acme Autofuzz" + }, + { + "time": "2021-09-02T16:36:00.000Z", + "lang": "en", + "value": "Confirmed by Bob" + }, + { + "time": "2021-09-07T16:37:00.000Z", + "lang": "en", + "value": "Fixes released" + } + ], + "credits": [ + { + "lang": "en", + "value": "Alice", + "type": "finder" + }, + { + "lang": "en", + "value": "Bob", + "type": "analyst" + }, + { + "lang": "en", + "value": "Acme Autofuzz", + "type": "tool" + } + ], + "references": [ + { + "url": "https://example.org/ESA-22-11-CVE-1900-1234", + "name": "ESA-22-11", + "tags": [ + "vendor-advisory" + ] + }, + { + "url": "https://example.com/blog/alice/pwning_example_enterprise", + "name": "Pwning Example Enterprise", + "tags": [ + "technical-description", + "third-party-advisory" + ] + }, + { + "url": "https://example.org/bugs/EXAMPLE-1234", + "name": "EXAMPLE-1234", + "tags": [ + "issue-tracking" + ] + }, + { + "url": "https://example.org/ExampleEnterprise", + "tags": [ + "product" + ] + } + ], + "source": { + "defects": [ + "EXAMPLE-1234" + ], + "advisory": "ESA-22-11", + "discovery": "EXTERNAL" + }, + "taxonomyMappings": [ + { + "taxonomyName": "ATT&CK", + "taxonomyVersion": "v9", + "taxonomyRelations": [ + { + "taxonomyId": "T1190", + "relationshipName": "mitigated by", + "relationshipValue": "M1048" + } + ] + } + ] + } } - } } From 1fd97f5f2fb07d25e88dfa3abdf6358eaccf460c Mon Sep 17 00:00:00 2001 
From: Vijay Sarvepalli
Date: Tue, 30 Sep 2025 13:03:08 -0400
Subject: [PATCH 2/8] RFD text on history
---
 rfds/0459-SSVC-2-0-0-add.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/rfds/0459-SSVC-2-0-0-add.md b/rfds/0459-SSVC-2-0-0-add.md
index b64d6bee7ca..e18efbc6bef 100644
--- a/rfds/0459-SSVC-2-0-0-add.md
+++ b/rfds/0459-SSVC-2-0-0-add.md
@@ -12,6 +12,8 @@ This proposal adds support for ** Stakeholder-Specific Vulnerability Categorizat
 
 Currently, SSVC data is included inconsistently in the unstructured `"other"` field, which limits its machine readability, interoperability, and adoption. By providing a formal schema location for SSVC, CVE Records will be able to more reliably capture and distribute this emerging prioritization framework.
 
+Note: this proposal was previously approved in a QWG chaired by Jay Jacobs and Chris Coffin around December 2024 and initially merged in Jan 17 2025, but continued to evolve as SSVC has continued to evolve.
+
 ## Problem Statement
 [problem-statement]: #problem-statement
 
From 4284ad069b65307d891c5f9d356d6c24049c4f64 Mon Sep 17 00:00:00 2001
From: Vijay Sarvepalli
Date: Thu, 2 Oct 2025 17:20:35 -0400
Subject: [PATCH 3/8] Updates from October 2 meeting feedback
---
 rfds/0459-SSVC-2-0-0-add.md | 37 ++++++++++++++++---
 schema/docs/full-record-advanced-example.json | 22 +-----------
 2 files changed, 32 insertions(+), 27 deletions(-)
diff --git a/rfds/0459-SSVC-2-0-0-add.md b/rfds/0459-SSVC-2-0-0-add.md
index e18efbc6bef..f61c89a16d8 100644
--- a/rfds/0459-SSVC-2-0-0-add.md
+++ b/rfds/0459-SSVC-2-0-0-add.md
@@ -42,22 +42,38 @@ This ensures that CVE Records can cleanly incorporate SSVC alongside other struc
 The test-cases for PR [#459](https://github.com/CVEProject/cve-schema/pull/459) illustrate how SSVC data can be expressed. For example:
 
 https://certcc.github.io/SSVC/data/schema_examples/CVE-1900-1234-Decision_Point_Value_Selection-2-0-0.json
-
+A minimal record looks like below
 ```json
 {
- "target_ids": ["CVE-1900-1234"],
 "timestamp": "2021-09-29T15:29:44Z",
 "schemaVersion": "2.0.0",
 "selections": [
 {
 "namespace": "ssvc",
- "name": "Exploitation",
 "key": "E",
 "version": "1.1.0",
 "values": [
- {"name":"Active", "key": "A"}
+ {"key": "A"}
 ]
- },
+ }
+ ]
+```
+
+A more advanced record looks like below for a similar infomration
+
+```json
+{
+ "timestamp": "2021-09-29T15:29:44Z",
+ "schemaVersion": "2.0.0",
+ "selections": [
+ {
+ "namespace": "ssvc",
+ "key": "E",
+ "version": "1.1.0",
+ "values": [
+ {"key": "A"}
+ ]
+ },
 {
 "namespace": "ssvc",
 "name": "Automatable",
@@ -76,7 +92,15 @@ https://certcc.github.io/SSVC/data/schema_examples/CVE-1900-1234-Decision_Point_Value_Selection-2-0-0.json
 {"name": "Total","key":"T"}
 ]
 }
- ]
+ ],
+ "decision_point_resources": [{
+ "summary": "A JSON file containing SSVC update to Exploitation Decision Point",
+ "uri": "https://certcc.github.io/SSVC/data/json/decision_points/ssvc/exploitation_1_1_0.json"
+ }],
+ "references": [{
+ "summary": "An exploitation example was published for this vulnerability",
+ "uri": "https://example.com/report"
+ }]
 }
 ```
 
@@ -116,6 +140,7 @@ VulnCheck currently has SSVC coverage for 244,866 CVEs, while CISA Vulnrichment
 
 See: Automating SSVC (VulnCheck blog)[[https://www.vulncheck.com/blog/automating-ssvc]
 
+See: SSVC community which captures usage of SSVC in the real-world at (SSVC Dicssions Sightings)[https://github.com/CERTCC/SSVC/discussions/291]
 
 
 ## Related Issues or Proposals
diff --git a/schema/docs/full-record-advanced-example.json b/schema/docs/full-record-advanced-example.json
index 32fd840c991..06cda6590b5 100644
--- a/schema/docs/full-record-advanced-example.json
+++ b/schema/docs/full-record-advanced-example.json
@@ -198,35 +198,15 @@
 "schemaVersion": "1-0-1"
 },
 "ssvcV2_0_0":{
- "target_ids": ["CVE-1900-1234"],
 "timestamp": "2021-09-29T15:29:44Z",
 "schemaVersion": "2.0.0",
 "selections": [
 {
 "namespace": "ssvc",
- "name": "Exploitation",
 "key": "E",
 "version": "1.1.0",
 "values": [
- {"name":"Active", "key": "A"}
- ]
- },
- {
- "namespace": "ssvc",
- "name": "Automatable",
- "key": "A",
- "version": "2.0.0",
- "values": [
- {"name": "Yes", "key": "Y"}
- ]
- },
- {
- "namespace": "ssvc",
- "name": "Technical Impact",
- "key": "TI",
- "version": "1.0.0",
- "values": [
- {"name": "Total","key":"T"}
+ {"key": "A"}
 ]
 }
 ]
From cba6677f213bef170f719359ca9b2006171cef52 Mon Sep 17 00:00:00 2001
From: Vijay Sarvepalli
Date: Thu, 2 Oct 2025 17:23:36 -0400
Subject: [PATCH 4/8] Stray paranthesis cleaned up
---
 rfds/0459-SSVC-2-0-0-add.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rfds/0459-SSVC-2-0-0-add.md b/rfds/0459-SSVC-2-0-0-add.md
index f61c89a16d8..185c2da7b4c 100644
--- a/rfds/0459-SSVC-2-0-0-add.md
+++ b/rfds/0459-SSVC-2-0-0-add.md
@@ -57,6 +57,7 @@ A minimal record looks like below
 ]
 }
 ]
+}
 ```
 
 A more advanced record looks like below for a similar infomration
From 2d84be8e67826de83331adcbf591f6bb04afe41a Mon Sep 17 00:00:00 2001
From: Vijay Sarvepalli
Date: Mon, 15 Dec 2025 16:06:17 -0500
Subject: [PATCH 5/8] Remove SSVC 1.0.1 schema
---
 schema/CVE_Record_Format.json | 4 -
 schema/imports/ssvc/deep-ssvc-v1.0.1.json | 86 ---------------
 schema/imports/ssvc/ssvc-v1.0.1.json | 125 ----------------------
 3 files changed, 215 deletions(-)
 delete mode 100644 schema/imports/ssvc/deep-ssvc-v1.0.1.json
 delete mode 100644 schema/imports/ssvc/ssvc-v1.0.1.json
diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json
index 175dd8748ca..6a26a41a8f2 100644
--- a/schema/CVE_Record_Format.json
+++ b/schema/CVE_Record_Format.json
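Review bot: In schema/docs/full-record-advanced-example.json (`@@ -198,35 +198,15 @@`) the one remaining selection, `{"key": "A"}` under key `E` version 1.1.0, records Exploitation as Active, while this record's own `exploits` text says the vendor is "not aware of any malicious exploitation" and only that exploits are publicly available; the block has carried that mismatch since PATCH 1/8. An example that CNAs and ADPs copy should agree with itself, so the selection would better be the `Public PoC` value already used in the `ssvcV1_0_1` block, with its key from the Exploitation 1.1.0 decision point. Dropping `name` also makes `A` ambiguous to a human reader, because the RFD uses `A` both as the Automatable decision-point key and as the Active value key. The context line `"schemaVersion": "1-0-1"` shows the `ssvcV1_0_1` block is still in this file, and PATCH 5/8 removes `ssvcV1_0_1` from CVE_Record_Format.json without touching the example, so it should be re-validated against the final schema. The enclosing `metrics` entry starts and ends outside the hunk.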
@@ -963,9 +963,6 @@
 {
 "required": ["cvssV2_0"]
 },
- {
- "required": ["ssvcV1_0_1"]
- },
 {
 "required": ["ssvcV2_0_0"]
 },
@@ -1008,7 +1005,6 @@
 "cvssV3_1": {"$ref": "file:imports/cvss/cvss-v3.1.json"},
 "cvssV3_0": {"$ref": "file:imports/cvss/cvss-v3.0.json"},
 "cvssV2_0": {"$ref": "file:imports/cvss/cvss-v2.0.json"},
- "ssvcV1_0_1": {"$ref": "file:imports/ssvc/ssvc-v1.0.1.json"},
 "ssvcV2_0_0": {"$ref": "file:imports/ssvc/SelectionList_2_0_0.schema.json"},
 "other": {
 "type": "object",
diff --git a/schema/imports/ssvc/deep-ssvc-v1.0.1.json b/schema/imports/ssvc/deep-ssvc-v1.0.1.json
deleted file mode 100644
index ca5b1115114..00000000000
--- a/schema/imports/ssvc/deep-ssvc-v1.0.1.json
+++ /dev/null
@@ -1,86 +0,0 @@ -{ - "$schema": "https://json-schema.org/draft/2020-12/schema", - "$id": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json", - "description": "This schema defines the structure for selecting SSVC Decision Points and their evaluated values for a given vulnerability. Each vulnerability can have multiple Decision Points, and each Decision Point can have multiple selected values when full certainty is not available.", - "$defs": { - "id": { - "type": "string", - "description": "Identifier for the vulnerability that was evaluation, such as CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.", - "examples": ["CVE-1900-1234","VU#11111","GHSA-11a1-22b2-33c3"], - "minLength": 1 - }, - "role": { - "type": "string", - "description": "The role of the stakeholder performing the evaluation (e.g., Supplier, Deployer, Coordinator). See SSVC documentation for a currently identified list: https://certcc.github.io/SSVC/topics/enumerating_stakeholders/", - "examples": ["Supplier","Deployer","Coordinator"], - "minLength": 1 - }, - "timestamp" : { - "description": "Date and time when the evaluation of the Vulnerability was performed according to RFC 3339, section 5.6.", - "type": "string", - "format": "date-time" - }, - "SsvcdecisionpointselectionSchema": { - "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability evaluation.", - "properties": { - "name": { - "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point/properties/name" - }, - "namespace": { - "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point/properties/namespace" - }, - "values": { - "description": "One or more Decision Point Values that were selected for this Decision Point. 
If the evaluation is uncertain, multiple values may be listed to reflect the potential range of possibilities.", - "title": "values", - "type": "array", - "minItems": 1, - "items": { - "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point_value/properties/name" - } - }, - "version": { - "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/decision_point/properties/version" - } - }, - "type": "object", - "required": [ - "name", - "namespace", - "values", - "version" - ], - "additionalProperties": false - } - }, - "properties": { - "id": { - "$ref": "#/$defs/id" - }, - "role": { - "$ref": "#/$defs/role" - }, - "schemaVersion": { - "$ref": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point-1-0-1.schema.json#/$defs/schemaVersion" - }, - "timestamp": { - "$ref": "#/$defs/timestamp" - }, - "selections": { - "description": "An array of Decision Points and their selected values for the identified Vulnerability. If a clear evaluation is uncertain, multiple values may be listed for a Decision Point instead of waiting for perfect clarity.", - "title": "selections", - "type": "array", - "minItems": 1, - "items": { - "$ref": "#/$defs/SsvcdecisionpointselectionSchema" - } - } - }, - "type": "object", - "required": [ - "selections", - "id", - "timestamp", - "schemaVersion" - ], - "additionalProperties": false -} diff --git a/schema/imports/ssvc/ssvc-v1.0.1.json b/schema/imports/ssvc/ssvc-v1.0.1.json deleted file mode 100644 index 306ea086228..00000000000 --- a/schema/imports/ssvc/ssvc-v1.0.1.json +++ /dev/null 
@@ -1,125 +0,0 @@ -{ - "$schema": "https://json-schema.org/draft/2020-12/schema", - "$id": "https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json", - "description": "This schema defines the structure for selecting SSVC Decision Points and their evaluated values for a given vulnerability. Each vulnerability can have multiple Decision Points, and each Decision Point can have multiple selected values when full certainty is not available.", - "$defs": { - "id": { - "type": "string", - "description": "Identifier for the vulnerability that was evaluation, such as CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.", - "examples": [ - "CVE-1900-1234", - "VU#11111", - "GHSA-11a1-22b2-33c3" - ], - "minLength": 1 - }, - "role": { - "type": "string", - "description": "The role of the stakeholder performing the evaluation (e.g., Supplier, Deployer, Coordinator). See SSVC documentation for a currently identified list: https://certcc.github.io/SSVC/topics/enumerating_stakeholders/", - "examples": [ - "Supplier", - "Deployer", - "Coordinator" - ], - "minLength": 1 - }, - "timestamp": { - "description": "Date and time when the evaluation of the Vulnerability was performed according to RFC 3339, section 5.6.", - "type": "string", - "format": "date-time" - }, - "SsvcdecisionpointselectionSchema": { - "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability evaluation.", - "properties": { - "name": { - "type": "string", - "description": "A short label that identifies a Decision Point.", - "minLength": 1, - "examples": [ - "Exploitation", - "Automatable" - ] - }, - "namespace": { - "type": "string", - "description": "Namespace (a short, unique string): For example, \"ssvc\" or \"cvss\" to indicate the source of the decision point. 
See SSVC Documentation for details.", - "pattern": "^[a-z0-9-]{3,4}[a-z0-9/\\.-]*$", - "examples": [ - "ssvc", - "cvss", - "ssvc-jp", - "ssvc/acme", - "ssvc/example.com" - ] - }, - "values": { - "description": "One or more Decision Point Values that were selected for this Decision Point. If the evaluation is uncertain, multiple values may be listed to reflect the potential range of possibilities.", - "title": "values", - "type": "array", - "minItems": 1, - "items": { - "type": "string", - "description": "A short label that identifies a Decision Point Value", - "minLength": 1, - "examples": [ - "Public PoC", - "Yes" - ] - } - }, - "version": { - "type": "string", - "description": "Version (a semantic version string) that identifies the version of a Decision Point.", - "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$", - "examples": [ - "1.0.1", - "1.0.1-alpha" - ] - } - }, - "type": "object", - "required": [ - "name", - "namespace", - "values", - "version" - ], - "additionalProperties": false - } - }, - "properties": { - "id": { - "$ref": "#/$defs/id" - }, - "role": { - "$ref": "#/$defs/role" - }, - "schemaVersion": { - "description": "Schema version used to represent this Decision Point.", - "type": "string", - "enum": [ - "1-0-1" - ] - }, - "timestamp": { - "$ref": "#/$defs/timestamp" - }, - "selections": { - "description": "An array of Decision Points and their selected values for the identified Vulnerability. If a clear evaluation is uncertain, multiple values may be listed for a Decision Point instead of waiting for perfect clarity.", - "title": "selections", - "type": "array", - "minItems": 1, - "items": { - "$ref": "#/$defs/SsvcdecisionpointselectionSchema" - } - } - }, - "type": "object", - "required": [ - "selections", - "id", - "timestamp", - "schemaVersion" - ], - "additionalProperties": false -} 
From 539bd635a85596d87e8f80268f7210227f1d7a61 Mon Sep 17 00:00:00 2001 From: Vijay Sarvepalli Date: Mon, 15 Dec 2025 16:20:43 -0500 Subject: [PATCH 6/8] Completed tests without SSVC 1.0.1 --- schema/cve-schema.json | 4 - schema/docs/CVE_Record_Format_bundled.json | 129 ------------------ ...VE_Record_Format_bundled_adpContainer.json | 129 ------------------ ..._Format_bundled_cnaPublishedContainer.json | 129 ------------------ ...d_Format_bundled_cnaRejectedContainer.json | 129 ------------------ schema/docs/full-record-advanced-example.json | 24 ---- .../support/schema2markmap/schema-bundle.js | 1 - tools/cve-schema-test.sh | 3 +- 8 files changed, 2 insertions(+), 546 deletions(-) diff --git a/schema/cve-schema.json b/schema/cve-schema.json index 8ec11887741..61274eb4e48 100644 --- a/schema/cve-schema.json +++ b/schema/cve-schema.json @@ -963,9 +963,6 @@ { "required": ["cvssV2_0"] }, - { - "required": ["ssvcV1_0_1"] - }, { "required": ["ssvcV2_0_0"] }, @@ -1008,7 +1005,6 @@ "cvssV3_1": {"$ref": "imports/cvss/cvss-v3.1.json"}, "cvssV3_0": {"$ref": "imports/cvss/cvss-v3.0.json"}, "cvssV2_0": {"$ref": "imports/cvss/cvss-v2.0.json"}, - "ssvcV1_0_1": {"$ref": "imports/ssvc/ssvc-v1.0.1.json"}, "ssvcV2_0_0": {"$ref": "imports/ssvc/SelectionList_2_0_0.schema.json"}, "other": { "type": "object", diff --git a/schema/docs/CVE_Record_Format_bundled.json b/schema/docs/CVE_Record_Format_bundled.json index f8f2b3e72c3..3aceb67a2a9 100644 --- a/schema/docs/CVE_Record_Format_bundled.json +++ b/schema/docs/CVE_Record_Format_bundled.json @@ -1077,11 +1077,6 @@ "cvssV2_0" ] }, - { - "required": [ - "ssvcV1_0_1" - ] - }, { "required": [ "ssvcV2_0_0" 
@@ -3171,130 +3166,6 @@ ], "additionalProperties": false }, - "ssvcV1_0_1": { - "$schema": "https://json-schema.org/draft/2020-12/schema", - "description": "This schema defines the structure for selecting SSVC Decision Points and their evaluated values for a given vulnerability. Each vulnerability can have multiple Decision Points, and each Decision Point can have multiple selected values when full certainty is not available.", - "$defs": { - "id": { - "type": "string", - "description": "Identifier for the vulnerability that was evaluation, such as CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.", - "examples": [ - "CVE-1900-1234", - "VU#11111", - "GHSA-11a1-22b2-33c3" - ], - "minLength": 1 - }, - "role": { - "type": "string", - "description": "The role of the stakeholder performing the evaluation (e.g., Supplier, Deployer, Coordinator). See SSVC documentation for a currently identified list: https://certcc.github.io/SSVC/topics/enumerating_stakeholders/", - "examples": [ - "Supplier", - "Deployer", - "Coordinator" - ], - "minLength": 1 - }, - "timestamp": { - "description": "Date and time when the evaluation of the Vulnerability was performed according to RFC 3339, section 5.6.", - "type": "string", - "format": "date-time" - }, - "SsvcdecisionpointselectionSchema": { - "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability evaluation.", - "properties": { - "name": { - "type": "string", - "description": "A short label that identifies a Decision Point.", - "minLength": 1, - "examples": [ - "Exploitation", - "Automatable" - ] - }, - "namespace": { - "type": "string", - "description": "Namespace (a short, unique string): For example, \"ssvc\" or \"cvss\" to indicate the source of the decision point. 
See SSVC Documentation for details.", - "pattern": "^[a-z0-9-]{3,4}[a-z0-9/\\.-]*$", - "examples": [ - "ssvc", - "cvss", - "ssvc-jp", - "ssvc/acme", - "ssvc/example.com" - ] - }, - "values": { - "description": "One or more Decision Point Values that were selected for this Decision Point. If the evaluation is uncertain, multiple values may be listed to reflect the potential range of possibilities.", - "title": "values", - "type": "array", - "minItems": 1, - "items": { - "type": "string", - "description": "A short label that identifies a Decision Point Value", - "minLength": 1, - "examples": [ - "Public PoC", - "Yes" - ] - } - }, - "version": { - "type": "string", - "description": "Version (a semantic version string) that identifies the version of a Decision Point.", - "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$", - "examples": [ - "1.0.1", - "1.0.1-alpha" - ] - } - }, - "type": "object", - "required": [ - "name", - "namespace", - "values", - "version" - ], - "additionalProperties": false - } - }, - "properties": { - "id": { - "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/id" - }, - "role": { - "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/role" - }, - "schemaVersion": { - "description": "Schema version used to represent this Decision Point.", - "type": "string", - "enum": [ - "1-0-1" - ] - }, - "timestamp": { - "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/timestamp" - }, - "selections": { - "description": "An array of Decision Points and their selected values for the identified Vulnerability. 
If a clear evaluation is uncertain, multiple values may be listed for a Decision Point instead of waiting for perfect clarity.", - "title": "selections", - "type": "array", - "minItems": 1, - "items": { - "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/SsvcdecisionpointselectionSchema" - } - } - }, - "type": "object", - "required": [ - "selections", - "id", - "timestamp", - "schemaVersion" - ], - "additionalProperties": false - }, "ssvcV2_0_0": { "title": "SelectionList", "$schema": "https://json-schema.org/draft/2020-12/schema", diff --git a/schema/docs/CVE_Record_Format_bundled_adpContainer.json b/schema/docs/CVE_Record_Format_bundled_adpContainer.json index d7ac90ff8a3..8242bbbbea2 100644 --- a/schema/docs/CVE_Record_Format_bundled_adpContainer.json +++ b/schema/docs/CVE_Record_Format_bundled_adpContainer.json @@ -1077,11 +1077,6 @@ "cvssV2_0" ] }, - { - "required": [ - "ssvcV1_0_1" - ] - }, { "required": [ "ssvcV2_0_0" 
@@ -3171,130 +3166,6 @@ ], "additionalProperties": false }, - "ssvcV1_0_1": { - "$schema": "https://json-schema.org/draft/2020-12/schema", - "description": "This schema defines the structure for selecting SSVC Decision Points and their evaluated values for a given vulnerability. Each vulnerability can have multiple Decision Points, and each Decision Point can have multiple selected values when full certainty is not available.", - "$defs": { - "id": { - "type": "string", - "description": "Identifier for the vulnerability that was evaluation, such as CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.", - "examples": [ - "CVE-1900-1234", - "VU#11111", - "GHSA-11a1-22b2-33c3" - ], - "minLength": 1 - }, - "role": { - "type": "string", - "description": "The role of the stakeholder performing the evaluation (e.g., Supplier, Deployer, Coordinator). See SSVC documentation for a currently identified list: https://certcc.github.io/SSVC/topics/enumerating_stakeholders/", - "examples": [ - "Supplier", - "Deployer", - "Coordinator" - ], - "minLength": 1 - }, - "timestamp": { - "description": "Date and time when the evaluation of the Vulnerability was performed according to RFC 3339, section 5.6.", - "type": "string", - "format": "date-time" - }, - "SsvcdecisionpointselectionSchema": { - "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability evaluation.", - "properties": { - "name": { - "type": "string", - "description": "A short label that identifies a Decision Point.", - "minLength": 1, - "examples": [ - "Exploitation", - "Automatable" - ] - }, - "namespace": { - "type": "string", - "description": "Namespace (a short, unique string): For example, \"ssvc\" or \"cvss\" to indicate the source of the decision point. 
See SSVC Documentation for details.", - "pattern": "^[a-z0-9-]{3,4}[a-z0-9/\\.-]*$", - "examples": [ - "ssvc", - "cvss", - "ssvc-jp", - "ssvc/acme", - "ssvc/example.com" - ] - }, - "values": { - "description": "One or more Decision Point Values that were selected for this Decision Point. If the evaluation is uncertain, multiple values may be listed to reflect the potential range of possibilities.", - "title": "values", - "type": "array", - "minItems": 1, - "items": { - "type": "string", - "description": "A short label that identifies a Decision Point Value", - "minLength": 1, - "examples": [ - "Public PoC", - "Yes" - ] - } - }, - "version": { - "type": "string", - "description": "Version (a semantic version string) that identifies the version of a Decision Point.", - "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$", - "examples": [ - "1.0.1", - "1.0.1-alpha" - ] - } - }, - "type": "object", - "required": [ - "name", - "namespace", - "values", - "version" - ], - "additionalProperties": false - } - }, - "properties": { - "id": { - "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/id" - }, - "role": { - "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/role" - }, - "schemaVersion": { - "description": "Schema version used to represent this Decision Point.", - "type": "string", - "enum": [ - "1-0-1" - ] - }, - "timestamp": { - "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/timestamp" - }, - "selections": { - "description": "An array of Decision Points and their selected values for the identified Vulnerability. 
If a clear evaluation is uncertain, multiple values may be listed for a Decision Point instead of waiting for perfect clarity.", - "title": "selections", - "type": "array", - "minItems": 1, - "items": { - "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/SsvcdecisionpointselectionSchema" - } - } - }, - "type": "object", - "required": [ - "selections", - "id", - "timestamp", - "schemaVersion" - ], - "additionalProperties": false - }, "ssvcV2_0_0": { "title": "SelectionList", "$schema": "https://json-schema.org/draft/2020-12/schema", diff --git a/schema/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json b/schema/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json index c1427dc4386..622efc8526e 100644 --- a/schema/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json +++ b/schema/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json @@ -1077,11 +1077,6 @@ "cvssV2_0" ] }, - { - "required": [ - "ssvcV1_0_1" - ] - }, { "required": [ "ssvcV2_0_0" 
@@ -3171,130 +3166,6 @@ ], "additionalProperties": false }, - "ssvcV1_0_1": { - "$schema": "https://json-schema.org/draft/2020-12/schema", - "description": "This schema defines the structure for selecting SSVC Decision Points and their evaluated values for a given vulnerability. Each vulnerability can have multiple Decision Points, and each Decision Point can have multiple selected values when full certainty is not available.", - "$defs": { - "id": { - "type": "string", - "description": "Identifier for the vulnerability that was evaluation, such as CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.", - "examples": [ - "CVE-1900-1234", - "VU#11111", - "GHSA-11a1-22b2-33c3" - ], - "minLength": 1 - }, - "role": { - "type": "string", - "description": "The role of the stakeholder performing the evaluation (e.g., Supplier, Deployer, Coordinator). See SSVC documentation for a currently identified list: https://certcc.github.io/SSVC/topics/enumerating_stakeholders/", - "examples": [ - "Supplier", - "Deployer", - "Coordinator" - ], - "minLength": 1 - }, - "timestamp": { - "description": "Date and time when the evaluation of the Vulnerability was performed according to RFC 3339, section 5.6.", - "type": "string", - "format": "date-time" - }, - "SsvcdecisionpointselectionSchema": { - "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability evaluation.", - "properties": { - "name": { - "type": "string", - "description": "A short label that identifies a Decision Point.", - "minLength": 1, - "examples": [ - "Exploitation", - "Automatable" - ] - }, - "namespace": { - "type": "string", - "description": "Namespace (a short, unique string): For example, \"ssvc\" or \"cvss\" to indicate the source of the decision point. 
See SSVC Documentation for details.", - "pattern": "^[a-z0-9-]{3,4}[a-z0-9/\\.-]*$", - "examples": [ - "ssvc", - "cvss", - "ssvc-jp", - "ssvc/acme", - "ssvc/example.com" - ] - }, - "values": { - "description": "One or more Decision Point Values that were selected for this Decision Point. If the evaluation is uncertain, multiple values may be listed to reflect the potential range of possibilities.", - "title": "values", - "type": "array", - "minItems": 1, - "items": { - "type": "string", - "description": "A short label that identifies a Decision Point Value", - "minLength": 1, - "examples": [ - "Public PoC", - "Yes" - ] - } - }, - "version": { - "type": "string", - "description": "Version (a semantic version string) that identifies the version of a Decision Point.", - "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$", - "examples": [ - "1.0.1", - "1.0.1-alpha" - ] - } - }, - "type": "object", - "required": [ - "name", - "namespace", - "values", - "version" - ], - "additionalProperties": false - } - }, - "properties": { - "id": { - "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/id" - }, - "role": { - "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/role" - }, - "schemaVersion": { - "description": "Schema version used to represent this Decision Point.", - "type": "string", - "enum": [ - "1-0-1" - ] - }, - "timestamp": { - "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/timestamp" - }, - "selections": { - "description": "An array of Decision Points and their selected values for the identified Vulnerability. 
If a clear evaluation is uncertain, multiple values may be listed for a Decision Point instead of waiting for perfect clarity.", - "title": "selections", - "type": "array", - "minItems": 1, - "items": { - "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/SsvcdecisionpointselectionSchema" - } - } - }, - "type": "object", - "required": [ - "selections", - "id", - "timestamp", - "schemaVersion" - ], - "additionalProperties": false - }, "ssvcV2_0_0": { "title": "SelectionList", "$schema": "https://json-schema.org/draft/2020-12/schema", diff --git a/schema/docs/CVE_Record_Format_bundled_cnaRejectedContainer.json b/schema/docs/CVE_Record_Format_bundled_cnaRejectedContainer.json index 13eacd2c7c3..aaec6e48fba 100644 --- a/schema/docs/CVE_Record_Format_bundled_cnaRejectedContainer.json +++ b/schema/docs/CVE_Record_Format_bundled_cnaRejectedContainer.json @@ -1077,11 +1077,6 @@ "cvssV2_0" ] }, - { - "required": [ - "ssvcV1_0_1" - ] - }, { "required": [ "ssvcV2_0_0" 
@@ -3171,130 +3166,6 @@ ], "additionalProperties": false }, - "ssvcV1_0_1": { - "$schema": "https://json-schema.org/draft/2020-12/schema", - "description": "This schema defines the structure for selecting SSVC Decision Points and their evaluated values for a given vulnerability. Each vulnerability can have multiple Decision Points, and each Decision Point can have multiple selected values when full certainty is not available.", - "$defs": { - "id": { - "type": "string", - "description": "Identifier for the vulnerability that was evaluation, such as CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.", - "examples": [ - "CVE-1900-1234", - "VU#11111", - "GHSA-11a1-22b2-33c3" - ], - "minLength": 1 - }, - "role": { - "type": "string", - "description": "The role of the stakeholder performing the evaluation (e.g., Supplier, Deployer, Coordinator). See SSVC documentation for a currently identified list: https://certcc.github.io/SSVC/topics/enumerating_stakeholders/", - "examples": [ - "Supplier", - "Deployer", - "Coordinator" - ], - "minLength": 1 - }, - "timestamp": { - "description": "Date and time when the evaluation of the Vulnerability was performed according to RFC 3339, section 5.6.", - "type": "string", - "format": "date-time" - }, - "SsvcdecisionpointselectionSchema": { - "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability evaluation.", - "properties": { - "name": { - "type": "string", - "description": "A short label that identifies a Decision Point.", - "minLength": 1, - "examples": [ - "Exploitation", - "Automatable" - ] - }, - "namespace": { - "type": "string", - "description": "Namespace (a short, unique string): For example, \"ssvc\" or \"cvss\" to indicate the source of the decision point. 
See SSVC Documentation for details.", - "pattern": "^[a-z0-9-]{3,4}[a-z0-9/\\.-]*$", - "examples": [ - "ssvc", - "cvss", - "ssvc-jp", - "ssvc/acme", - "ssvc/example.com" - ] - }, - "values": { - "description": "One or more Decision Point Values that were selected for this Decision Point. If the evaluation is uncertain, multiple values may be listed to reflect the potential range of possibilities.", - "title": "values", - "type": "array", - "minItems": 1, - "items": { - "type": "string", - "description": "A short label that identifies a Decision Point Value", - "minLength": 1, - "examples": [ - "Public PoC", - "Yes" - ] - } - }, - "version": { - "type": "string", - "description": "Version (a semantic version string) that identifies the version of a Decision Point.", - "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$", - "examples": [ - "1.0.1", - "1.0.1-alpha" - ] - } - }, - "type": "object", - "required": [ - "name", - "namespace", - "values", - "version" - ], - "additionalProperties": false - } - }, - "properties": { - "id": { - "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/id" - }, - "role": { - "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/role" - }, - "schemaVersion": { - "description": "Schema version used to represent this Decision Point.", - "type": "string", - "enum": [ - "1-0-1" - ] - }, - "timestamp": { - "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/timestamp" - }, - "selections": { - "description": "An array of Decision Points and their selected values for the identified Vulnerability. 
If a clear evaluation is uncertain, multiple values may be listed for a Decision Point instead of waiting for perfect clarity.", - "title": "selections", - "type": "array", - "minItems": 1, - "items": { - "$ref": "#/definitions/metrics/items/properties/ssvcV1_0_1/%24defs/SsvcdecisionpointselectionSchema" - } - } - }, - "type": "object", - "required": [ - "selections", - "id", - "timestamp", - "schemaVersion" - ], - "additionalProperties": false - }, "ssvcV2_0_0": { "title": "SelectionList", "$schema": "https://json-schema.org/draft/2020-12/schema", diff --git a/schema/docs/full-record-advanced-example.json b/schema/docs/full-record-advanced-example.json index 06cda6590b5..cb5a7668347 100644 --- a/schema/docs/full-record-advanced-example.json +++ b/schema/docs/full-record-advanced-example.json @@ -173,30 +173,6 @@ "value": "GENERAL" } ], - "ssvcV1_0_1": { - "id": "CVE-1900-1234", - "selections": [ - { - "namespace": "ssvc", - "name": "Exploitation", - "values": [ - "Public PoC", - "Active" - ], - "version": "1.1.0" - }, - { - "namespace": "ssvc", - "name": "Technical Impact", - "values": [ - "Total" - ], - "version": "1.0.0" - } - ], - "timestamp": "1999-04-23T18:25:43.511Z", - "schemaVersion": "1-0-1" - }, "ssvcV2_0_0":{ "timestamp": "2021-09-29T15:29:44Z", "schemaVersion": "2.0.0", diff --git a/schema/support/schema2markmap/schema-bundle.js b/schema/support/schema2markmap/schema-bundle.js index 2e81fb143cd..10ca80acedd 100644 --- a/schema/support/schema2markmap/schema-bundle.js +++ b/schema/support/schema2markmap/schema-bundle.js @@ -21,7 +21,6 @@ async function schemaBundle() { delete metricProperties.cvssV3_1.license; delete metricProperties.cvssV3_0.license; delete metricProperties.cvssV2_0.license; - delete metricProperties.ssvcV1_0_1.$id; delete metricProperties.ssvcV2_0_0.$id; diff --git a/tools/cve-schema-test.sh b/tools/cve-schema-test.sh index 03acfe5f1a4..39322fa7304 100644 --- a/tools/cve-schema-test.sh +++ b/tools/cve-schema-test.sh 
@@ -7,7 +7,8 @@ CVE_SCHEMA_FILENAME=CVE_Record_Format.json npm --prefix "${CVE_SCHEMA_DIR}/support/schema2markmap" install "${CVE_SCHEMA_DIR}/support/schema2markmap" -python3.12 "${REPO_DIR}/tools/merge_schema.py" "${CVE_SCHEMA_DIR}/imports/ssvc/deep-ssvc-v1.0.1.json" > "${CVE_SCHEMA_DIR}/imports/ssvc/ssvc-v1.0.1.json" +#ssvc1.0.1 removed +#python3.12 "${REPO_DIR}/tools/merge_schema.py" "${CVE_SCHEMA_DIR}/imports/ssvc/deep-ssvc-v1.0.1.json" > "${CVE_SCHEMA_DIR}/imports/ssvc/ssvc-v1.0.1.json" sed 's/file\://g' "${CVE_SCHEMA_DIR}/${CVE_SCHEMA_FILENAME}" > "${CVE_SCHEMA_DIR}/cve-schema.json" From af83ab907478656f9f8b5298884cfcafc7e306c6 Mon Sep 17 00:00:00 2001 From: Vijay Sarvepalli Date: Mon, 15 Dec 2025 16:56:38 -0500 Subject: [PATCH 7/8] Updated to remove schemaVersion, target-ids, as requested --- schema/CVE_Record_Format.json | 2 +- schema/cve-schema.json | 2 +- schema/docs/CVE_Record_Format_bundled.json | 43 ++------- ...VE_Record_Format_bundled_adpContainer.json | 43 ++------- ..._Format_bundled_cnaPublishedContainer.json | 43 ++------- ...d_Format_bundled_cnaRejectedContainer.json | 43 ++------- schema/docs/full-record-advanced-example.json | 2 - .../support/schema2markmap/schema-bundle.js | 2 + tools/cve-schema-test.sh | 2 + tools/ssvc_cve_schema.js | 88 +++++++++++++++++++ 10 files changed, 122 insertions(+), 148 deletions(-) create mode 100644 tools/ssvc_cve_schema.js diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json index 6a26a41a8f2..316954c1ab6 100644 --- a/schema/CVE_Record_Format.json +++ b/schema/CVE_Record_Format.json 
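Review bot: The `#python3.12 … merge_schema.py …` line stays in tools/cve-schema-test.sh as commented-out code, and it names `deep-ssvc-v1.0.1.json`, which commit 2d84be8 deleted. Delete the line rather than commenting it out, since the history already keeps it and a dead command pointing at a missing input invites someone to re-enable it. If a marker is wanted, one comment is enough: `# SSVC 1.0.1 schema generation removed in 2d84be8`. Whether `tools/merge_schema.py` has another caller is not visible from this hunk; if it has none, it can be removed in the same change.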
@@ -1005,7 +1005,7 @@ "cvssV3_1": {"$ref": "file:imports/cvss/cvss-v3.1.json"}, "cvssV3_0": {"$ref": "file:imports/cvss/cvss-v3.0.json"}, "cvssV2_0": {"$ref": "file:imports/cvss/cvss-v2.0.json"}, - "ssvcV2_0_0": {"$ref": "file:imports/ssvc/SelectionList_2_0_0.schema.json"}, + "ssvcV2_0_0": {"$ref": "file:imports/ssvc/SelectionList_2_0_0_CVE.schema.json"}, "other": { "type": "object", "description": "A non-standard impact description, may be prose or JSON block.", diff --git a/schema/cve-schema.json b/schema/cve-schema.json index 61274eb4e48..06ac61bfe6b 100644 --- a/schema/cve-schema.json +++ b/schema/cve-schema.json @@ -1005,7 +1005,7 @@ "cvssV3_1": {"$ref": "imports/cvss/cvss-v3.1.json"}, "cvssV3_0": {"$ref": "imports/cvss/cvss-v3.0.json"}, "cvssV2_0": {"$ref": "imports/cvss/cvss-v2.0.json"}, - "ssvcV2_0_0": {"$ref": "imports/ssvc/SelectionList_2_0_0.schema.json"}, + "ssvcV2_0_0": {"$ref": "imports/ssvc/SelectionList_2_0_0_CVE.schema.json"}, "other": { "type": "object", "description": "A non-standard impact description, may be prose or JSON block.", diff --git a/schema/docs/CVE_Record_Format_bundled.json b/schema/docs/CVE_Record_Format_bundled.json index 3aceb67a2a9..96263e0400b 100644 --- a/schema/docs/CVE_Record_Format_bundled.json +++ b/schema/docs/CVE_Record_Format_bundled.json 
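Review bot: The new `$ref` target `imports/ssvc/SelectionList_2_0_0_CVE.schema.json` is not among the ten files in this commit's diffstat, where `tools/ssvc_cve_schema.js` is the only created file. Unless an earlier commit in the series added it, a checkout that resolves `file:imports/ssvc/SelectionList_2_0_0_CVE.schema.json` without first running the tool cannot load the `ssvcV2_0_0` metric. The same applies to the matching hunk in schema/cve-schema.json. Either commit the derived schema next to the upstream `SelectionList_2_0_0.schema.json`, or say in the commit description that it is a build product of `tools/ssvc_cve_schema.js`, so the restricted schema can be compared with the upstream one during review.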
@@ -3238,18 +3238,15 @@ "description": "A minimal selection object that contains the decision point ID and the selected values.\nWhile the Selection object parallels the DecisionPoint object, it is intentionally minimal, with\nfewer required fields and no additional metadata, as it is meant to represent a selection made from a\npreviously defined decision point. The expectation is that a Selection object will usually have\nfewer values than the original decision point, as it represents a specific evaluation\nat a specific time and may therefore rule out some values that were previously considered.\nOther fields like name and description may be copied from the decision point, but are not required.", "properties": { "namespace": { - "title": "Namespace", - "description": "The namespace of the SSVC object.", - "examples": [ - "ssvc", + "type": "string", + "enum": [ "cisa", - "x_example.test#test//.example.test#private-extension", - "ssvc/de-DE/.example.organization#reference-arch-1" + "cvss", + "ssvc", + "aivss" ], - "maxLength": 1000, - "minLength": 3, - "pattern": 
"^(x_([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?(\\.([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?)+#(([a-z]|[0-9]))+((\\.|-)(([a-z]|[0-9]))+)*|[a-z]([a-z]|[0-9])(((\\.|-))?(([a-z]|[0-9]))+)+(#(([a-z]|[0-9]))+((\\.|-)(([a-z]|[0-9]))+)*)?)((/|/(([a-zA-Z]{2,3}(-[a-zA-Z]{3}(-[a-zA-Z]{3}){0,2})?|[a-zA-Z]{4,8})(-[a-zA-Z]{4})?(-([a-zA-Z]{2}|[0-9]{3}))?(-(([a-zA-Z0-9]){5,8}|[0-9]([a-zA-Z0-9]){3}))*(-[0-9A-WY-Za-wy-z](-([a-zA-Z0-9]){2,8})+)*(-[xX](-([a-zA-Z0-9]){2,8})+)?|[xX](-([a-zA-Z0-9]){2,8})+|i-default|i-mingo))((/((([a-zA-Z]{2,3}(-[a-zA-Z]{3}(-[a-zA-Z]{3}){0,2})?|[a-zA-Z]{4,8})(-[a-zA-Z]{4})?(-([a-zA-Z]{2}|[0-9]{3}))?(-(([a-zA-Z0-9]){5,8}|[0-9]([a-zA-Z0-9]){3}))*(-[0-9A-WY-Za-wy-z](-([a-zA-Z0-9]){2,8})+)*(-[xX](-([a-zA-Z0-9]){2,8})+)?|[xX](-([a-zA-Z0-9]){2,8})+|i-default|i-mingo)|\\.([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?(\\.([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?)+#(([a-z]|[0-9]))+((\\.|-)(([a-z]|[0-9]))+)*|\\.(([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?(\\.([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?)+|([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?(\\.([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?)+#(([a-z]|[0-9]))+((\\.|-)(([a-z]|[0-9]))+)*)\\$(([a-zA-Z]{2,3}(-[a-zA-Z]{3}(-[a-zA-Z]{3}){0,2})?|[a-zA-Z]{4,8})(-[a-zA-Z]{4})?(-([a-zA-Z]{2}|[0-9]{3}))?(-(([a-zA-Z0-9]){5,8}|[0-9]([a-zA-Z0-9]){3}))*(-[0-9A-WY-Za-wy-z](-([a-zA-Z0-9]){2,8})+)*(-[xX](-([a-zA-Z0-9]){2,8})+)?|[xX](-([a-zA-Z0-9]){2,8})+|i-default|i-mingo)))+)?)?$", - "type": "string" + "title": "Namespace", + "description": "The namespace of the SSVC object. (Restricted to CVE Program" }, "key": { "title": "Key", 
@@ -3340,31 +3337,6 @@ "format": "date-time", "type": "string" }, - "schemaVersion": { - "title": "Schemaversion", - "const": "2.0.0", - "description": "The schema version of this selection list.", - "type": "string" - }, - "target_ids": { - "title": "Target Ids", - "description": "Optional list of identifiers for the item or items (vulnerabilities, reports, advisories, systems, assets, etc.) being evaluated by these selections.", - "examples": [ - [ - "CVE-1900-0000" - ], - [ - "VU#999999", - "GHSA-0123-4567-89ab" - ] - ], - "items": { - "type": "string" - }, - "minItems": 1, - "type": "array", - "uniqueItems": true - }, "selections": { "title": "Selections", "description": "List of selections made from decision points. Each selection item corresponds to value keys contained in a specific decision point identified by its namespace, key, and version. Note that selection objects are deliberately minimal objects and do not contain the full decision point details.", @@ -3419,7 +3391,6 @@ }, "required": [ "timestamp", - "schemaVersion", "selections" ], "additionalProperties": false diff --git a/schema/docs/CVE_Record_Format_bundled_adpContainer.json b/schema/docs/CVE_Record_Format_bundled_adpContainer.json index 8242bbbbea2..7464972c009 100644 --- a/schema/docs/CVE_Record_Format_bundled_adpContainer.json +++ b/schema/docs/CVE_Record_Format_bundled_adpContainer.json 
@@ -3238,18 +3238,15 @@ "description": "A minimal selection object that contains the decision point ID and the selected values.\nWhile the Selection object parallels the DecisionPoint object, it is intentionally minimal, with\nfewer required fields and no additional metadata, as it is meant to represent a selection made from a\npreviously defined decision point. The expectation is that a Selection object will usually have\nfewer values than the original decision point, as it represents a specific evaluation\nat a specific time and may therefore rule out some values that were previously considered.\nOther fields like name and description may be copied from the decision point, but are not required.", "properties": { "namespace": { - "title": "Namespace", - "description": "The namespace of the SSVC object.", - "examples": [ - "ssvc", + "type": "string", + "enum": [ "cisa", - "x_example.test#test//.example.test#private-extension", - "ssvc/de-DE/.example.organization#reference-arch-1" + "cvss", + "ssvc", + "aivss" ], - "maxLength": 1000, - "minLength": 3, - "pattern": 
"^(x_([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?(\\.([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?)+#(([a-z]|[0-9]))+((\\.|-)(([a-z]|[0-9]))+)*|[a-z]([a-z]|[0-9])(((\\.|-))?(([a-z]|[0-9]))+)+(#(([a-z]|[0-9]))+((\\.|-)(([a-z]|[0-9]))+)*)?)((/|/(([a-zA-Z]{2,3}(-[a-zA-Z]{3}(-[a-zA-Z]{3}){0,2})?|[a-zA-Z]{4,8})(-[a-zA-Z]{4})?(-([a-zA-Z]{2}|[0-9]{3}))?(-(([a-zA-Z0-9]){5,8}|[0-9]([a-zA-Z0-9]){3}))*(-[0-9A-WY-Za-wy-z](-([a-zA-Z0-9]){2,8})+)*(-[xX](-([a-zA-Z0-9]){2,8})+)?|[xX](-([a-zA-Z0-9]){2,8})+|i-default|i-mingo))((/((([a-zA-Z]{2,3}(-[a-zA-Z]{3}(-[a-zA-Z]{3}){0,2})?|[a-zA-Z]{4,8})(-[a-zA-Z]{4})?(-([a-zA-Z]{2}|[0-9]{3}))?(-(([a-zA-Z0-9]){5,8}|[0-9]([a-zA-Z0-9]){3}))*(-[0-9A-WY-Za-wy-z](-([a-zA-Z0-9]){2,8})+)*(-[xX](-([a-zA-Z0-9]){2,8})+)?|[xX](-([a-zA-Z0-9]){2,8})+|i-default|i-mingo)|\\.([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?(\\.([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?)+#(([a-z]|[0-9]))+((\\.|-)(([a-z]|[0-9]))+)*|\\.(([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?(\\.([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?)+|([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?(\\.([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?)+#(([a-z]|[0-9]))+((\\.|-)(([a-z]|[0-9]))+)*)\\$(([a-zA-Z]{2,3}(-[a-zA-Z]{3}(-[a-zA-Z]{3}){0,2})?|[a-zA-Z]{4,8})(-[a-zA-Z]{4})?(-([a-zA-Z]{2}|[0-9]{3}))?(-(([a-zA-Z0-9]){5,8}|[0-9]([a-zA-Z0-9]){3}))*(-[0-9A-WY-Za-wy-z](-([a-zA-Z0-9]){2,8})+)*(-[xX](-([a-zA-Z0-9]){2,8})+)?|[xX](-([a-zA-Z0-9]){2,8})+|i-default|i-mingo)))+)?)?$", - "type": "string" + "title": "Namespace", + "description": "The namespace of the SSVC object. (Restricted to CVE Program" }, "key": { "title": "Key", 
@@ -3340,31 +3337,6 @@ "format": "date-time", "type": "string" }, - "schemaVersion": { - "title": "Schemaversion", - "const": "2.0.0", - "description": "The schema version of this selection list.", - "type": "string" - }, - "target_ids": { - "title": "Target Ids", - "description": "Optional list of identifiers for the item or items (vulnerabilities, reports, advisories, systems, assets, etc.) being evaluated by these selections.", - "examples": [ - [ - "CVE-1900-0000" - ], - [ - "VU#999999", - "GHSA-0123-4567-89ab" - ] - ], - "items": { - "type": "string" - }, - "minItems": 1, - "type": "array", - "uniqueItems": true - }, "selections": { "title": "Selections", "description": "List of selections made from decision points. Each selection item corresponds to value keys contained in a specific decision point identified by its namespace, key, and version. Note that selection objects are deliberately minimal objects and do not contain the full decision point details.", @@ -3419,7 +3391,6 @@ }, "required": [ "timestamp", - "schemaVersion", "selections" ], "additionalProperties": false diff --git a/schema/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json b/schema/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json index 622efc8526e..829d647f081 100644 --- a/schema/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json +++ b/schema/docs/CVE_Record_Format_bundled_cnaPublishedContainer.json 
@@ -3238,18 +3238,15 @@ "description": "A minimal selection object that contains the decision point ID and the selected values.\nWhile the Selection object parallels the DecisionPoint object, it is intentionally minimal, with\nfewer required fields and no additional metadata, as it is meant to represent a selection made from a\npreviously defined decision point. The expectation is that a Selection object will usually have\nfewer values than the original decision point, as it represents a specific evaluation\nat a specific time and may therefore rule out some values that were previously considered.\nOther fields like name and description may be copied from the decision point, but are not required.", "properties": { "namespace": { - "title": "Namespace", - "description": "The namespace of the SSVC object.", - "examples": [ - "ssvc", + "type": "string", + "enum": [ "cisa", - "x_example.test#test//.example.test#private-extension", - "ssvc/de-DE/.example.organization#reference-arch-1" + "cvss", + "ssvc", + "aivss" ], - "maxLength": 1000, - "minLength": 3, - "pattern": 
"^(x_([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?(\\.([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?)+#(([a-z]|[0-9]))+((\\.|-)(([a-z]|[0-9]))+)*|[a-z]([a-z]|[0-9])(((\\.|-))?(([a-z]|[0-9]))+)+(#(([a-z]|[0-9]))+((\\.|-)(([a-z]|[0-9]))+)*)?)((/|/(([a-zA-Z]{2,3}(-[a-zA-Z]{3}(-[a-zA-Z]{3}){0,2})?|[a-zA-Z]{4,8})(-[a-zA-Z]{4})?(-([a-zA-Z]{2}|[0-9]{3}))?(-(([a-zA-Z0-9]){5,8}|[0-9]([a-zA-Z0-9]){3}))*(-[0-9A-WY-Za-wy-z](-([a-zA-Z0-9]){2,8})+)*(-[xX](-([a-zA-Z0-9]){2,8})+)?|[xX](-([a-zA-Z0-9]){2,8})+|i-default|i-mingo))((/((([a-zA-Z]{2,3}(-[a-zA-Z]{3}(-[a-zA-Z]{3}){0,2})?|[a-zA-Z]{4,8})(-[a-zA-Z]{4})?(-([a-zA-Z]{2}|[0-9]{3}))?(-(([a-zA-Z0-9]){5,8}|[0-9]([a-zA-Z0-9]){3}))*(-[0-9A-WY-Za-wy-z](-([a-zA-Z0-9]){2,8})+)*(-[xX](-([a-zA-Z0-9]){2,8})+)?|[xX](-([a-zA-Z0-9]){2,8})+|i-default|i-mingo)|\\.([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?(\\.([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?)+#(([a-z]|[0-9]))+((\\.|-)(([a-z]|[0-9]))+)*|\\.(([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?(\\.([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?)+|([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?(\\.([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?)+#(([a-z]|[0-9]))+((\\.|-)(([a-z]|[0-9]))+)*)\\$(([a-zA-Z]{2,3}(-[a-zA-Z]{3}(-[a-zA-Z]{3}){0,2})?|[a-zA-Z]{4,8})(-[a-zA-Z]{4})?(-([a-zA-Z]{2}|[0-9]{3}))?(-(([a-zA-Z0-9]){5,8}|[0-9]([a-zA-Z0-9]){3}))*(-[0-9A-WY-Za-wy-z](-([a-zA-Z0-9]){2,8})+)*(-[xX](-([a-zA-Z0-9]){2,8})+)?|[xX](-([a-zA-Z0-9]){2,8})+|i-default|i-mingo)))+)?)?$", - "type": "string" + "title": "Namespace", + "description": "The namespace of the SSVC object. (Restricted to CVE Program" }, "key": { "title": "Key", 
@@ -3340,31 +3337,6 @@ "format": "date-time", "type": "string" }, - "schemaVersion": { - "title": "Schemaversion", - "const": "2.0.0", - "description": "The schema version of this selection list.", - "type": "string" - }, - "target_ids": { - "title": "Target Ids", - "description": "Optional list of identifiers for the item or items (vulnerabilities, reports, advisories, systems, assets, etc.) being evaluated by these selections.", - "examples": [ - [ - "CVE-1900-0000" - ], - [ - "VU#999999", - "GHSA-0123-4567-89ab" - ] - ], - "items": { - "type": "string" - }, - "minItems": 1, - "type": "array", - "uniqueItems": true - }, "selections": { "title": "Selections", "description": "List of selections made from decision points. Each selection item corresponds to value keys contained in a specific decision point identified by its namespace, key, and version. Note that selection objects are deliberately minimal objects and do not contain the full decision point details.", @@ -3419,7 +3391,6 @@ }, "required": [ "timestamp", - "schemaVersion", "selections" ], "additionalProperties": false diff --git a/schema/docs/CVE_Record_Format_bundled_cnaRejectedContainer.json b/schema/docs/CVE_Record_Format_bundled_cnaRejectedContainer.json index aaec6e48fba..c8fc4638fe5 100644 --- a/schema/docs/CVE_Record_Format_bundled_cnaRejectedContainer.json +++ b/schema/docs/CVE_Record_Format_bundled_cnaRejectedContainer.json 
@@ -3238,18 +3238,15 @@ "description": "A minimal selection object that contains the decision point ID and the selected values.\nWhile the Selection object parallels the DecisionPoint object, it is intentionally minimal, with\nfewer required fields and no additional metadata, as it is meant to represent a selection made from a\npreviously defined decision point. The expectation is that a Selection object will usually have\nfewer values than the original decision point, as it represents a specific evaluation\nat a specific time and may therefore rule out some values that were previously considered.\nOther fields like name and description may be copied from the decision point, but are not required.", "properties": { "namespace": { - "title": "Namespace", - "description": "The namespace of the SSVC object.", - "examples": [ - "ssvc", + "type": "string", + "enum": [ "cisa", - "x_example.test#test//.example.test#private-extension", - "ssvc/de-DE/.example.organization#reference-arch-1" + "cvss", + "ssvc", + "aivss" ], - "maxLength": 1000, - "minLength": 3, - "pattern": 
"^(x_([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?(\\.([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?)+#(([a-z]|[0-9]))+((\\.|-)(([a-z]|[0-9]))+)*|[a-z]([a-z]|[0-9])(((\\.|-))?(([a-z]|[0-9]))+)+(#(([a-z]|[0-9]))+((\\.|-)(([a-z]|[0-9]))+)*)?)((/|/(([a-zA-Z]{2,3}(-[a-zA-Z]{3}(-[a-zA-Z]{3}){0,2})?|[a-zA-Z]{4,8})(-[a-zA-Z]{4})?(-([a-zA-Z]{2}|[0-9]{3}))?(-(([a-zA-Z0-9]){5,8}|[0-9]([a-zA-Z0-9]){3}))*(-[0-9A-WY-Za-wy-z](-([a-zA-Z0-9]){2,8})+)*(-[xX](-([a-zA-Z0-9]){2,8})+)?|[xX](-([a-zA-Z0-9]){2,8})+|i-default|i-mingo))((/((([a-zA-Z]{2,3}(-[a-zA-Z]{3}(-[a-zA-Z]{3}){0,2})?|[a-zA-Z]{4,8})(-[a-zA-Z]{4})?(-([a-zA-Z]{2}|[0-9]{3}))?(-(([a-zA-Z0-9]){5,8}|[0-9]([a-zA-Z0-9]){3}))*(-[0-9A-WY-Za-wy-z](-([a-zA-Z0-9]){2,8})+)*(-[xX](-([a-zA-Z0-9]){2,8})+)?|[xX](-([a-zA-Z0-9]){2,8})+|i-default|i-mingo)|\\.([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?(\\.([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?)+#(([a-z]|[0-9]))+((\\.|-)(([a-z]|[0-9]))+)*|\\.(([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?(\\.([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?)+|([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?(\\.([a-z]|[0-9])(((([a-z]|[0-9])|-)){0,61}([a-z]|[0-9]))?)+#(([a-z]|[0-9]))+((\\.|-)(([a-z]|[0-9]))+)*)\\$(([a-zA-Z]{2,3}(-[a-zA-Z]{3}(-[a-zA-Z]{3}){0,2})?|[a-zA-Z]{4,8})(-[a-zA-Z]{4})?(-([a-zA-Z]{2}|[0-9]{3}))?(-(([a-zA-Z0-9]){5,8}|[0-9]([a-zA-Z0-9]){3}))*(-[0-9A-WY-Za-wy-z](-([a-zA-Z0-9]){2,8})+)*(-[xX](-([a-zA-Z0-9]){2,8})+)?|[xX](-([a-zA-Z0-9]){2,8})+|i-default|i-mingo)))+)?)?$", - "type": "string" + "title": "Namespace", + "description": "The namespace of the SSVC object. (Restricted to CVE Program" }, "key": { "title": "Key", 
@@ -3340,31 +3337,6 @@ "format": "date-time", "type": "string" }, - "schemaVersion": { - "title": "Schemaversion", - "const": "2.0.0", - "description": "The schema version of this selection list.", - "type": "string" - }, - "target_ids": { - "title": "Target Ids", - "description": "Optional list of identifiers for the item or items (vulnerabilities, reports, advisories, systems, assets, etc.) being evaluated by these selections.", - "examples": [ - [ - "CVE-1900-0000" - ], - [ - "VU#999999", - "GHSA-0123-4567-89ab" - ] - ], - "items": { - "type": "string" - }, - "minItems": 1, - "type": "array", - "uniqueItems": true - }, "selections": { "title": "Selections", "description": "List of selections made from decision points. Each selection item corresponds to value keys contained in a specific decision point identified by its namespace, key, and version. Note that selection objects are deliberately minimal objects and do not contain the full decision point details.", @@ -3419,7 +3391,6 @@ }, "required": [ "timestamp", - "schemaVersion", "selections" ], "additionalProperties": false diff --git a/schema/docs/full-record-advanced-example.json b/schema/docs/full-record-advanced-example.json index cb5a7668347..8c3d03211e8 100644 --- a/schema/docs/full-record-advanced-example.json +++ b/schema/docs/full-record-advanced-example.json @@ -175,7 +175,6 @@ ], "ssvcV2_0_0":{ "timestamp": "2021-09-29T15:29:44Z", - "schemaVersion": "2.0.0", "selections": [ { "namespace": "ssvc", @@ -187,7 +186,6 @@ } ] }, - "cvssV4_0": { "baseScore": 7.8, "baseSeverity": "HIGH", diff --git a/schema/support/schema2markmap/schema-bundle.js b/schema/support/schema2markmap/schema-bundle.js index 10ca80acedd..3f7b254b9ba 100644 --- a/schema/support/schema2markmap/schema-bundle.js +++ b/schema/support/schema2markmap/schema-bundle.js 
@@ -22,6 +22,8 @@ async function schemaBundle() { delete metricProperties.cvssV3_0.license; delete metricProperties.cvssV2_0.license; delete metricProperties.ssvcV2_0_0.$id; + ssvc_2_0_0_cve_namespace = {"type": "string", "enum": ["cisa", "cvss", "ssvc", "aivss"], "title": "Namespace", "description": "The namespace of the SSVC object. (Restricted to CVE Program"}; + metricProperties.ssvcV2_0_0.$defs.Selection.properties.namespace = ssvc_2_0_0_cve_namespace; fs.writeFile(`${dirName}/CVE_Record_Format_bundled.json`, diff --git a/tools/cve-schema-test.sh b/tools/cve-schema-test.sh index 39322fa7304..162618da8aa 100644 --- a/tools/cve-schema-test.sh +++ b/tools/cve-schema-test.sh @@ -10,6 +10,8 @@ npm --prefix "${CVE_SCHEMA_DIR}/support/schema2markmap" install "${CVE_SCHEMA_DI #ssvc1.0.1 removed #python3.12 "${REPO_DIR}/tools/merge_schema.py" "${CVE_SCHEMA_DIR}/imports/ssvc/deep-ssvc-v1.0.1.json" > "${CVE_SCHEMA_DIR}/imports/ssvc/ssvc-v1.0.1.json" +node "${REPO_DIR}/tools/ssvc_cve_schema.js" "${REPO_DIR}/schema/imports/ssvc/SelectionList_2_0_0_CVE.schema.json" + sed 's/file\://g' "${CVE_SCHEMA_DIR}/${CVE_SCHEMA_FILENAME}" > "${CVE_SCHEMA_DIR}/cve-schema.json" node "${CVE_SCHEMA_DIR}/support/schema2markmap/schema-bundle.js" "${CVE_SCHEMA_DIR}/cve-schema.json" "${CVE_SCHEMA_DIR}/docs/" diff --git a/tools/ssvc_cve_schema.js b/tools/ssvc_cve_schema.js new file mode 100644 index 00000000000..916ce362872 --- /dev/null +++ b/tools/ssvc_cve_schema.js 
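Review bot: `ssvc_2_0_0_cve_namespace` is assigned without a declaration, which creates an implicit global in sloppy mode and throws a ReferenceError if this file runs as an ES module or in strict mode; declare it with `const ssvc_2_0_0_cve_namespace = …`. The description literal is also missing its closing parenthesis (`(Restricted to CVE Program"`), and that truncated text is what appears in the four bundled schema files in this patch, while tools/ssvc_cve_schema.js writes the same override with the parenthesis closed. Since the referenced import file is already generated with the restricted enum, this second override looks redundant; keeping the namespace allow-list in one place stops the two copies drifting apart. The assignment also dereferences `$defs.Selection.properties` with no guard, unlike the generator script. schemaBundle's body starts and ends outside the hunk.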
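Review bot: The added `node "${REPO_DIR}/tools/ssvc_cve_schema.js" …` step overwrites the tracked `schema/imports/ssvc/SelectionList_2_0_0_CVE.schema.json` from a live download on every run. The later bundle and validation steps therefore see whatever the upstream host serves at that moment, not the copy reviewed and committed in this series. That makes the test non-reproducible and puts an unpinned remote-content dependency into CI. Consider running the generator only as an explicit maintainer step, or have the test generate to a temporary path and fail when the result differs from the committed file. Whether a failing `node` aborts the script depends on a `set -e` that is not visible in this hunk.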
@@ -0,0 +1,88 @@
+import fs from "fs";
+import https from "https";
+import path from "path";
+
+const SOURCE_URL =
+ "https://certcc.github.io/SSVC/data/schema/v2/SelectionList_2_0_0.schema.json";
+
+// ---- CLI ARG HANDLING ----
+const outputFile = process.argv[2];
+
+if (!outputFile) {
+ console.error(
+ "Usage: node support/ssvc_cve_schema.js "
+ );
+ process.exit(1);
+}
+
+// Ensure directory exists (helpful in CI)
+fs.mkdirSync(path.dirname(outputFile), { recursive: true });
+
+// ---- FETCH HELPER ----
+function fetchJson(url) {
+ return new Promise((resolve, reject) => {
+ https
+ .get(url, (res) => {
+ let data = "";
+ res.on("data", (chunk) => (data += chunk));
+ res.on("end", () => {
+ try {
+ resolve(JSON.parse(data));
+ } catch (err) {
+ reject(new Error("Invalid JSON received"));
+ }
+ });
+ })
+ .on("error", reject);
+ });
+}
+
+// ---- MAIN ----
+(async () => {
+ try {
+ const schema = await fetchJson(SOURCE_URL);
+
+ // Replace $defs.Selection.properties.namespace
+ if (schema.$defs?.Selection?.properties) {
+ schema.$defs.Selection.properties.namespace = {
+ type: "string",
+ enum: ["cisa", "cvss", "ssvc", "aivss"],
+ title: "Namespace",
+ description:
+ "The namespace of the SSVC object. (Restricted to CVE Program)"
+ };
+ } else {
+ throw new Error(
+ "Expected path $defs.Selection.properties not found"
+ );
+ }
+
+ // Remove properties.schemaVersion
+ delete schema.properties?.schemaVersion;
+
+ // Remove properties.target_ids
+ delete schema.properties?.target_ids;
+
+ // Remove 'schemaVersion' from required
+ if (Array.isArray(schema.required)) {
+ schema.required = schema.required.filter(
+ (item) => item !== "schemaVersion"
+ );
+ }
+
+ // Remove $id
+ delete schema.$id;
+
+ // Write output
+ fs.writeFileSync(
+ outputFile,
+ JSON.stringify(schema, null, 2),
+ "utf8"
+ );
+
+ console.log(`Schema written to ${outputFile}`);
+ } catch (err) {
+ console.error("Failed to generate schema:", err.message);
+ process.exit(1);
+ }
+})();
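Review bot: `fetchJson` accepts any response body that parses as JSON: it never checks `res.statusCode`, sets no timeout and puts no bound on how much it buffers, and the result is written into the schema tree that the CVE record format references. The only structural check in the main block is that `$defs.Selection.properties` exists, so an upstream edit that loosens some other constraint (for example `additionalProperties`) would pass through unnoticed. I would reject non-200 responses and add a timeout and a size cap, as sketched below. I would also compare the download against a digest committed in the repository, or vendor the upstream file and apply the transform locally. The usage message names `support/ssvc_cve_schema.js` although the file is created under `tools/`.

```javascript
function fetchJson(url) {
  return new Promise((resolve, reject) => {
    const req = https.get(url, (res) => {
      if (res.statusCode !== 200) {
        res.resume(); // discard the body so the socket is released
        reject(new Error(`Unexpected HTTP status ${res.statusCode}`));
        return;
      }
      let data = "";
      res.on("data", (chunk) => {
        data += chunk;
        // 1 MiB is far larger than the schema; anything bigger is not the schema
        if (data.length > 1024 * 1024) {
          reject(new Error("Schema response too large"));
          req.destroy();
        }
      });
      // … unchanged: "end" handler that parses the JSON …
    });
    req.setTimeout(15000, () => {
      reject(new Error("Schema fetch timed out"));
      req.destroy();
    });
    req.on("error", reject);
  });
}
```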
From 35c1d9ddb59e8446b2ed3251e14561da4f8dacb9 Mon Sep 17 00:00:00 2001
From: Vijay Sarvepalli
Date: Mon, 15 Dec 2025 16:59:36 -0500
Subject: [PATCH 8/8] Added CI/CD script created file
---
.../ssvc/SelectionList_2_0_0_CVE.schema.json | 229 ++++++++++++++++++
1 file changed, 229 insertions(+)
create mode 100644 schema/imports/ssvc/SelectionList_2_0_0_CVE.schema.json
diff --git a/schema/imports/ssvc/SelectionList_2_0_0_CVE.schema.json b/schema/imports/ssvc/SelectionList_2_0_0_CVE.schema.json
new file mode 100644
index 00000000000..3e43cab375d
--- /dev/null
+++ b/schema/imports/ssvc/SelectionList_2_0_0_CVE.schema.json
@@ -0,0 +1,229 @@ +{ + "title": "SelectionList", + "$schema": "https://json-schema.org/draft/2020-12/schema", + "description": "This schema defines the structure to represent an SSVC SelectionList object.", + "type": "object", + "$defs": { + "MinimalDecisionPointValue": { + "title": "MinimalDecisionPointValue", + "additionalProperties": false, + "description": "A minimal representation of a decision point value.\nIntended to parallel the DecisionPointValue object, but with fewer required fields.\nA decision point value is uniquely identified within a decision point by its key.\nGlobally, the combination of Decision Point namespace, key, and version coupled with the value key\nuniquely identifies a value across all decision points and values.\nOther required fields in the DecisionPointValue object, such as name and description, are optional here.", + "properties": { + "name": { + "title": "Name", + "minLength": 1, + "type": "string" + }, + "definition": { + "title": "Definition", + "minLength": 1, + "type": "string" + }, + "key": { + "title": "Key", + "description": "A short, non-empty string identifier for the object. 
Keys must start with an alphanumeric, contain only alphanumerics and `_`, and end with an alphanumeric.(`T*` is explicitly grandfathered in as a valid key, but should not be used for new objects.)", + "examples": [ + "E", + "A", + "SI", + "L", + "M", + "H", + "Mixed_case_OK", + "alph4num3ric" + ], + "minLength": 1, + "pattern": "^(([a-zA-Z0-9])|([a-zA-Z0-9][a-zA-Z0-9_]*[a-zA-Z0-9])|(T\\*))$", + "type": "string" + } + }, + "required": [ + "key" + ], + "type": "object" + }, + "Reference": { + "title": "Reference", + "additionalProperties": false, + "description": "A reference to a resource that provides additional context about the decision points or selections.\nThis object is intentionally minimal and contains only the URL and an optional description.", + "properties": { + "uri": { + "title": "Uri", + "format": "uri", + "minLength": 1, + "type": "string" + }, + "summary": { + "title": "Summary", + "type": "string" + } + }, + "required": [ + "uri", + "summary" + ], + "type": "object" + }, + "Selection": { + "title": "Selection", + "additionalProperties": false, + "description": "A minimal selection object that contains the decision point ID and the selected values.\nWhile the Selection object parallels the DecisionPoint object, it is intentionally minimal, with\nfewer required fields and no additional metadata, as it is meant to represent a selection made from a\npreviously defined decision point. The expectation is that a Selection object will usually have\nfewer values than the original decision point, as it represents a specific evaluation\nat a specific time and may therefore rule out some values that were previously considered.\nOther fields like name and description may be copied from the decision point, but are not required.", + "properties": { + "namespace": { + "type": "string", + "enum": [ + "cisa", + "cvss", + "ssvc", + "aivss" + ], + "title": "Namespace", + "description": "The namespace of the SSVC object. 
(Restricted to CVE Program)" + }, + "key": { + "title": "Key", + "description": "A short, non-empty string identifier for the object. Keys must start with an alphanumeric, contain only alphanumerics and `_`, and end with an alphanumeric.(`T*` is explicitly grandfathered in as a valid key, but should not be used for new objects.)", + "examples": [ + "E", + "A", + "SI", + "L", + "M", + "H", + "Mixed_case_OK", + "alph4num3ric" + ], + "minLength": 1, + "pattern": "^(([a-zA-Z0-9])|([a-zA-Z0-9][a-zA-Z0-9_]*[a-zA-Z0-9])|(T\\*))$", + "type": "string" + }, + "version": { + "title": "Version", + "description": "The version of the SSVC object. This must be a valid semantic version string.", + "examples": [ + "1.0.0", + "2.1.3" + ], + "minLength": 5, + "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$", + "type": "string" + }, + "name": { + "title": "Name", + "minLength": 1, + "type": "string" + }, + "definition": { + "title": "Definition", + "minLength": 1, + "type": "string" + }, + "values": { + "title": "Values", + "description": "A list of selected value keys from the decision point values.", + "examples": [ + [ + { + "key": "N" + }, + { + "key": "Y" + } + ], + [ + { + "key": "A" + }, + { + "key": "B" + }, + { + "key": "C" + } + ] + ], + "items": { + "$ref": "#/$defs/MinimalDecisionPointValue" + }, + "minItems": 1, + "type": "array" + } + }, + "required": [ + "namespace", + "key", + "version", + "values" + ], + "type": "object" + } + }, + "properties": { + "timestamp": { + "title": "Timestamp", + "description": "Timestamp of the selections, in RFC 3339 format.", + "examples": [ + "2025-01-01T12:00:00Z", + "2025-01-02T15:30:45-04:00" + ], + "format": "date-time", + "type": "string" + }, + "selections": { + "title": "Selections", + "description": "List of selections made from decision points. 
Each selection item corresponds to value keys contained in a specific decision point identified by its namespace, key, and version. Note that selection objects are deliberately minimal objects and do not contain the full decision point details.", + "items": { + "$ref": "#/$defs/Selection" + }, + "minItems": 1, + "type": "array" + }, + "decision_point_resources": { + "title": "Decision Point Resources", + "description": "A list of resources that provide additional context about the decision points found in this selection.", + "examples": [ + [ + { + "summary": "Documentation for a set of decision points", + "uri": "https://example.com/decision_points" + }, + { + "summary": "JSON representation of decision point 2", + "uri": "https://example.org/definitions/dp2.json" + }, + { + "summary": "A JSON file containing extension decision points in the x_com.example namespace", + "uri": "https://example.com/ssvc/x_com.example/decision_points.json" + } + ] + ], + "items": { + "$ref": "#/$defs/Reference" + }, + "minItems": 1, + "type": "array" + }, + "references": { + "title": "References", + "description": "A list of references that provide additional context about the specific values selected.", + "examples": [ + [ + { + "summary": "A report on which the selections were based", + "uri": "https://example.com/report" + } + ] + ], + "items": { + "$ref": "#/$defs/Reference" + }, + "minItems": 1, + "type": "array" + } + }, + "required": [ + "timestamp", + "selections" + ], + "additionalProperties": false +} \ No newline at end of file