From 571174848f8f4a25413e86eaad5fa4d74462123e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dominik=20Burgd=C3=B6rfer?= Date: Wed, 18 Jun 2025 09:41:36 +0200 Subject: [PATCH] feat: update csaf 2.1 schema --- csaf | 2 +- csaf_2_1/schemaTests/csaf_2_1/schema.js | 181 ++++++++++++++++-- .../schemaTests/csaf_2_1_strict/schema.js | 147 ++++++++++++-- 3 files changed, 289 insertions(+), 41 deletions(-) diff --git a/csaf b/csaf index 8e6d3ea3..7265d641 160000 --- a/csaf +++ b/csaf @@ -1 +1 @@ -Subproject commit 8e6d3ea3ce7eeedfaa6a153d6db130bcbce8ac13 +Subproject commit 7265d6414a652ca53c87e92e8b3d9249f54258df diff --git a/csaf_2_1/schemaTests/csaf_2_1/schema.js b/csaf_2_1/schemaTests/csaf_2_1/schema.js index 40e55c90..2e7346ea 100644 --- a/csaf_2_1/schemaTests/csaf_2_1/schema.js +++ b/csaf_2_1/schemaTests/csaf_2_1/schema.js @@ -1,6 +1,6 @@ export default { - $schema: 'https://json-schema.org/draft/2020-12/schema', - $id: 'https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json', + $schema: 'https://docs.oasis-open.org/csaf/csaf/v2.1/schema/meta.json', + $id: 'https://docs.oasis-open.org/csaf/csaf/v2.1/schema/csaf.json', title: 'Common Security Advisory Framework', description: 'Representation of security advisory information as a JSON document.', @@ -65,6 +65,7 @@ export default { }, }, }, + additionalProperties: false, }, }, branches_t: { @@ -126,6 +127,7 @@ export default { $ref: '#/$defs/full_product_name_t', }, }, + additionalProperties: false, }, }, full_product_name_t: { @@ -220,6 +222,7 @@ export default { ], }, }, + additionalProperties: false, }, }, filename: { 
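Review bot: The `$schema` of this file now points to a CSAF-specific meta-schema (`https://docs.oasis-open.org/csaf/csaf/v2.1/schema/meta.json`) instead of draft 2020-12, and a validator will only accept that if the meta-schema is registered up front (for Ajv, via `addMetaSchema`) — otherwise compiling the schema fails on an unknown `$schema`. I cannot see the harness from here, so presumably it is already registered; if not, the registration needs to ship with this change. Whatever registers it should use a vendored, pinned copy of `meta.json`, never a document fetched from that URL at validation time. A one-line comment next to `$schema` naming where the meta-schema is vendored would save the next reader the search: `// meta.json is registered from the local copy; the URL is an identifier, not a fetch target`.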
@@ -231,19 +234,19 @@ export default { examples: ['WINWORD.EXE', 'msotadddin.dll', 'sudoers.so'], }, }, + additionalProperties: false, }, }, model_numbers: { title: 'List of models', - description: - 'Contains a list of full or abbreviated (partial) model numbers.', + description: 'Contains a list of model numbers.', type: 'array', minItems: 1, uniqueItems: true, items: { title: 'Model number', description: - 'Contains a full or abbreviated (partial) model number of the component to identify.', + 'Contains a model number of the component to identify - possibly with placeholders.', type: 'string', minLength: 1, }, @@ -279,15 +282,14 @@ export default { }, serial_numbers: { title: 'List of serial numbers', - description: - 'Contains a list of full or abbreviated (partial) serial numbers.', + description: 'Contains a list of serial numbers.', type: 'array', minItems: 1, uniqueItems: true, items: { title: 'Serial number', description: - 'Contains a full or abbreviated (partial) serial number of the component to identify.', + 'Contains a serial number of the component to identify - possibly with placeholders.', type: 'string', minLength: 1, }, @@ -333,11 +335,14 @@ export default { format: 'uri', }, }, + additionalProperties: false, }, }, }, + additionalProperties: false, }, }, + additionalProperties: false, }, lang_t: { title: 'Language type', @@ -387,6 +392,12 @@ export default { 'summary', ], }, + group_ids: { + $ref: '#/$defs/product_groups_t', + }, + product_ids: { + $ref: '#/$defs/products_t', + }, text: { title: 'Note content', description: @@ -408,6 +419,7 @@ export default { ], }, }, + additionalProperties: false, }, }, product_group_id_t: { @@ -481,6 +493,7 @@ export default { format: 'uri', }, }, + additionalProperties: false, }, }, version_t: { 
@@ -500,9 +513,7 @@ export default { description: 'Contains the URL of the CSAF JSON schema which the document promises to be valid for.', type: 'string', - enum: [ - 'https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json', - ], + enum: ['https://docs.oasis-open.org/csaf/csaf/v2.1/schema/csaf.json'], format: 'uri', }, document: { @@ -547,6 +558,7 @@ export default { examples: ['Critical', 'Important', 'Moderate'], }, }, + additionalProperties: false, }, category: { title: 'Document category', @@ -607,6 +619,7 @@ export default { ], }, }, + additionalProperties: false, }, text: { title: 'Textual description', @@ -647,8 +660,10 @@ export default { ], }, }, + additionalProperties: false, }, }, + additionalProperties: false, }, lang: { title: 'Document language', @@ -656,6 +671,19 @@ export default { 'Identifies the language used by this document, corresponding to IETF BCP 47 / RFC 5646.', $ref: '#/$defs/lang_t', }, + license_expression: { + title: 'License expression', + description: + 'Contains the SPDX license expression for the CSAF document.', + type: 'string', + minLength: 1, + examples: [ + 'CC-BY-4.0', + 'LicenseRef-www.example.org-Example-CSAF-License-3.0+', + 'LicenseRef-scancode-public-domain', + 'MIT OR any-OSI', + ], + }, notes: { title: 'Document notes', description: 'Holds notes associated with the whole document.', @@ -716,6 +744,7 @@ export default { examples: ['https://csaf.io', 'https://www.example.com'], }, }, + additionalProperties: false, }, references: { title: 'Document references', @@ -815,8 +844,10 @@ export default { examples: ['0.6.0', '1.0.0-beta+exp.sha.a1c44f85', '2'], }, }, + additionalProperties: false, }, }, + additionalProperties: false, }, id: { title: 'Unique identifier for the document', 
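Review bot: The new `license_expression` property accepts any non-empty string, while its description promises an SPDX license expression; nothing in this hunk checks SPDX syntax (operators, `LicenseRef-` form, `+`). If that check is intentionally left to a separate test rather than the schema, a comment should say so, since a reader of this file will otherwise assume schema-level enforcement: `// SPDX syntax is not validated here; only non-emptiness is enforced by the schema.` If no such test exists elsewhere, that is a gap worth tracking.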
@@ -833,7 +864,8 @@ export default { }, initial_release_date: { title: 'Initial release date', - description: 'The date when this document was first published.', + description: + 'The date when this document was first released to the specified target group.', type: 'string', format: 'date-time', }, @@ -875,6 +907,7 @@ export default { examples: ['Initial version.'], }, }, + additionalProperties: false, }, }, status: { @@ -887,8 +920,10 @@ export default { $ref: '#/$defs/version_t', }, }, + additionalProperties: false, }, }, + additionalProperties: false, }, product_tree: { title: 'Product tree', @@ -947,6 +982,7 @@ export default { ], }, }, + additionalProperties: false, }, }, relationships: { @@ -995,9 +1031,11 @@ export default { $ref: '#/$defs/product_id_t', }, }, + additionalProperties: false, }, }, }, + additionalProperties: false, }, vulnerabilities: { title: 'Vulnerabilities', @@ -1050,6 +1088,7 @@ export default { description: 'Holds the full name of the weakness as given in the CWE specification.', type: 'string', + pattern: '^[^\\s\\-_\\.](.*[^\\s\\-_\\.])?$', minLength: 1, examples: [ 'Cross-Site Request Forgery (CSRF)', @@ -1062,13 +1101,20 @@ export default { description: 'Holds the version string of the CWE specification this weakness was extracted from.', type: 'string', - minLength: 1, pattern: '^[1-9]\\d*\\.([0-9]|([1-9]\\d+))(\\.\\d+)?$', examples: ['1.0', '3.4.1', '4.0', '4.11', '4.12'], }, }, + additionalProperties: false, }, }, + disclosure_date: { + title: 'Disclosure date', + description: + 'Holds the date and time the vulnerability was originally disclosed to the public.', + type: 'string', + format: 'date-time', + }, discovery_date: { title: 'Discovery date', description: 
@@ -1076,6 +1122,45 @@ export default { type: 'string', format: 'date-time', }, + first_known_exploitation_dates: { + title: 'List of first known exploitation dates', + description: + 'Contains a list of dates of first known exploitations.', + type: 'array', + minItems: 1, + uniqueItems: true, + items: { + title: 'First known exploitation date', + description: + 'Contains information on when this vulnerability was first known to be exploited in the wild in the products specified.', + type: 'object', + minProperties: 3, + required: ['date', 'exploitation_date'], + properties: { + date: { + title: 'Date of the information', + description: + 'Contains the date when the information was last updated.', + type: 'string', + format: 'date-time', + }, + exploitation_date: { + title: 'Date of the exploitation', + description: + 'Contains the date when the exploitation happened.', + type: 'string', + format: 'date-time', + }, + group_ids: { + $ref: '#/$defs/product_groups_t', + }, + product_ids: { + $ref: '#/$defs/products_t', + }, + }, + additionalProperties: false, + }, + }, flags: { title: 'List of flags', description: 'Contains a list of machine readable flags.', @@ -1115,6 +1200,7 @@ export default { $ref: '#/$defs/products_t', }, }, + additionalProperties: false, }, }, ids: { @@ -1148,6 +1234,7 @@ export default { examples: ['CSCso66472', 'oasis-tcs/csaf#210'], }, }, + additionalProperties: false, }, }, involvements: { @@ -1163,6 +1250,13 @@ export default { type: 'object', required: ['party', 'status'], properties: { + contact: { + title: 'Party contact information', + description: + 'Contains the contact information of the party that was used in this state.', + type: 'string', + minLength: 1, + }, date: { title: 'Date of involvement', description: 
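Review bot: In `first_known_exploitation_dates`, the constraint that at least one of `group_ids`/`product_ids` must be present is encoded only indirectly — `minProperties: 3` together with `required: ['date', 'exploitation_date']` and `additionalProperties: false` — which is correct but opaque, and a failing document gets a "too few properties" error instead of a message naming the missing field. Since this file tracks the upstream schema text, I would not restructure it, but a comment would help: `// minProperties: 3 with additionalProperties: false forces at least one of group_ids / product_ids`. Note also that nothing here relates `exploitation_date` to `date` (the "last updated" timestamp), so an exploitation date later than the update date passes the schema; if that ordering matters it needs a separate test.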
@@ -1170,6 +1264,9 @@ export default { type: 'string', format: 'date-time', }, + group_ids: { + $ref: '#/$defs/product_groups_t', + }, party: { title: 'Party category', description: 'Defines the category of the involved party.', @@ -1182,6 +1279,9 @@ export default { 'vendor', ], }, + product_ids: { + $ref: '#/$defs/products_t', + }, status: { title: 'Party status', description: 'Defines contact status of the involved party.', @@ -1203,6 +1303,7 @@ export default { minLength: 1, }, }, + additionalProperties: false, }, }, metrics: { @@ -1242,7 +1343,41 @@ export default { cvss_v4: { $ref: 'https://www.first.org/cvss/cvss-v4.0.json', }, + epss: { + title: 'EPSS', + description: 'Contains the EPSS data.', + type: 'object', + required: ['percentile', 'probability', 'timestamp'], + properties: { + percentile: { + title: 'Percentile', + description: + 'Contains the rank ordering of probabilities from highest to lowest.', + type: 'string', + pattern: '^(([0]\\.([0-9])+)|([1]\\.[0]+))$', + }, + probability: { + title: 'Probability', + description: + 'Contains the likelihood that any exploitation activity for this Vulnerability is being observed in the 30 days following the given timestamp.', + type: 'string', + pattern: '^(([0]\\.([0-9])+)|([1]\\.[0]+))$', + }, + timestamp: { + title: 'EPSS timestamp', + description: + 'Holds the date and time the EPSS value was recorded.', + type: 'string', + format: 'date-time', + }, + }, + additionalProperties: false, + }, + ssvc_v1: { + $ref: 'https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json', + }, }, + additionalProperties: false, }, products: { $ref: '#/$defs/products_t', @@ -1255,6 +1390,7 @@ export default { format: 'uri', }, }, + additionalProperties: false, }, }, notes: { 
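Review bot: The new `ssvc_v1` entry in the metrics `content` object references a remote document (`https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json`); unless the validator pre-registers that schema — as it presumably already does for the `first.org` CVSS schemas referenced just above — compilation fails on the unresolved `$ref`, or worse, the validator is configured to fetch it over the network at validation time. The SSVC 1.0.1 schema should be vendored and pinned alongside the CVSS ones, so that validating an advisory never depends on a third-party host being up or unchanged. A short comment where the CVSS/SSVC refs are registered should record that these URLs are identifiers only: `// remote $ref URLs are resolved from vendored copies, never fetched`.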
@@ -1317,7 +1453,14 @@ export default { 'It is not known yet whether these versions are or are not affected by the vulnerability. However, it is still under investigation - the result will be provided in a later release of the document.', $ref: '#/$defs/products_t', }, + unknown: { + title: 'Unknown', + description: + 'It is not known whether these versions are or are not affected by the vulnerability. There is also no investigation and therefore the status might never be determined.', + $ref: '#/$defs/products_t', + }, }, + additionalProperties: false, }, references: { title: 'Vulnerability references', @@ -1325,13 +1468,6 @@ export default { 'Holds a list of references associated with this vulnerability item.', $ref: '#/$defs/references_t', }, - release_date: { - title: 'Release date', - description: - 'Holds the date and time the vulnerability was originally released into the wild.', - type: 'string', - format: 'date-time', - }, remediations: { title: 'List of remediations', description: 'Contains a list of remediations.', @@ -1424,6 +1560,7 @@ export default { minLength: 1, }, }, + additionalProperties: false, }, url: { title: 'URL to the remediation', @@ -1433,6 +1570,7 @@ export default { format: 'uri', }, }, + additionalProperties: false, }, }, threats: { @@ -1476,6 +1614,7 @@ export default { $ref: '#/$defs/products_t', }, }, + additionalProperties: false, }, }, title: { @@ -1486,7 +1625,9 @@ export default { minLength: 1, }, }, + additionalProperties: false, }, }, }, + additionalProperties: false, } diff --git a/csaf_2_1/schemaTests/csaf_2_1_strict/schema.js b/csaf_2_1/schemaTests/csaf_2_1_strict/schema.js index 72b15f07..b489afb8 100644 --- a/csaf_2_1/schemaTests/csaf_2_1_strict/schema.js +++ b/csaf_2_1/schemaTests/csaf_2_1_strict/schema.js 
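Review bot: Removing `release_date` from the vulnerability item while adding `additionalProperties: false` to that same object (end of this hunk) turns a previously tolerated field into a hard validation failure for any document still carrying it; the replacement, `disclosure_date`, is introduced in an earlier hunk of this file. That is what the 2.1 schema specifies, but it is the one change in this commit that breaks existing inputs rather than merely tightening them, so it deserves a migration note in the changelog or release notes. A comment next to `disclosure_date` would also help readers diffing against 2.0: `// replaces the 2.0 release_date field; release_date is now rejected by additionalProperties: false`.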
@@ -229,11 +229,10 @@ export default { type: 'array', }, model_numbers: { - description: - 'Contains a list of full or abbreviated (partial) model numbers.', + description: 'Contains a list of model numbers.', items: { description: - 'Contains a full or abbreviated (partial) model number of the component to identify.', + 'Contains a model number of the component to identify - possibly with placeholders.', minLength: 1, title: 'Model number', type: 'string', @@ -273,11 +272,10 @@ export default { type: 'array', }, serial_numbers: { - description: - 'Contains a list of full or abbreviated (partial) serial numbers.', + description: 'Contains a list of serial numbers.', items: { description: - 'Contains a full or abbreviated (partial) serial number of the component to identify.', + 'Contains a serial number of the component to identify - possibly with placeholders.', minLength: 1, title: 'Serial number', type: 'string', @@ -383,6 +381,12 @@ export default { title: 'Note category', type: 'string', }, + group_ids: { + $ref: '#/$defs/product_groups_t', + }, + product_ids: { + $ref: '#/$defs/products_t', + }, text: { description: 'Holds the content of the note. Content varies depending on type.', @@ -496,8 +500,8 @@ export default { type: 'string', }, }, - $id: 'https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json?strict', - $schema: 'https://json-schema.org/draft/2020-12/schema', + $id: 'https://docs.oasis-open.org/csaf/csaf/v2.1/schema/csaf.json?strict', + $schema: 'https://docs.oasis-open.org/csaf/csaf/v2.1/schema/meta.json', additionalProperties: false, description: 'Representation of security advisory information as a JSON document.', 
@@ -505,9 +509,7 @@ export default { $schema: { description: 'Contains the URL of the CSAF JSON schema which the document promises to be valid for.', - enum: [ - 'https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json', - ], + enum: ['https://docs.oasis-open.org/csaf/csaf/v2.1/schema/csaf.json'], format: 'uri', title: 'JSON schema', type: 'string', @@ -658,6 +660,19 @@ export default { 'Identifies the language used by this document, corresponding to IETF BCP 47 / RFC 5646.', title: 'Document language', }, + license_expression: { + description: + 'Contains the SPDX license expression for the CSAF document.', + examples: [ + 'CC-BY-4.0', + 'LicenseRef-www.example.org-Example-CSAF-License-3.0+', + 'LicenseRef-scancode-public-domain', + 'MIT OR any-OSI', + ], + minLength: 1, + title: 'License expression', + type: 'string', + }, notes: { $ref: '#/$defs/notes_t', description: 'Holds notes associated with the whole document.', @@ -828,7 +843,8 @@ export default { type: 'string', }, initial_release_date: { - description: 'The date when this document was first published.', + description: + 'The date when this document was first released to the specified target group.', format: 'date-time', title: 'Initial release date', type: 'string', @@ -1064,6 +1080,7 @@ export default { "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", ], minLength: 1, + pattern: '^[^\\s\\-_\\.](.*[^\\s\\-_\\.])?$', title: 'Weakness name', type: 'string', }, @@ -1071,7 +1088,6 @@ export default { description: 'Holds the version string of the CWE specification this weakness was extracted from.', examples: ['1.0', '3.4.1', '4.0', '4.11', '4.12'], - minLength: 1, pattern: '^[1-9]\\d*\\.([0-9]|([1-9]\\d+))(\\.\\d+)?$', title: 'CWE version', type: 'string', 
@@ -1086,6 +1102,13 @@ export default { type: 'array', uniqueItems: true, }, + disclosure_date: { + description: + 'Holds the date and time the vulnerability was originally disclosed to the public.', + format: 'date-time', + title: 'Disclosure date', + type: 'string', + }, discovery_date: { description: 'Holds the date and time the vulnerability was originally discovered.', @@ -1093,6 +1116,45 @@ export default { title: 'Discovery date', type: 'string', }, + first_known_exploitation_dates: { + description: + 'Contains a list of dates of first known exploitations.', + items: { + additionalProperties: false, + description: + 'Contains information on when this vulnerability was first known to be exploited in the wild in the products specified.', + minProperties: 3, + properties: { + date: { + description: + 'Contains the date when the information was last updated.', + format: 'date-time', + title: 'Date of the information', + type: 'string', + }, + exploitation_date: { + description: + 'Contains the date when the exploitation happened.', + format: 'date-time', + title: 'Date of the exploitation', + type: 'string', + }, + group_ids: { + $ref: '#/$defs/product_groups_t', + }, + product_ids: { + $ref: '#/$defs/products_t', + }, + }, + required: ['date', 'exploitation_date'], + title: 'First known exploitation date', + type: 'object', + }, + minItems: 1, + title: 'List of first known exploitation dates', + type: 'array', + uniqueItems: true, + }, flags: { description: 'Contains a list of machine readable flags.', items: { 
@@ -1176,6 +1238,13 @@ export default { description: 'Is a container, that allows the document producers to comment on the level of involvement (or engagement) of themselves or third parties in the vulnerability identification, scoping, and remediation process.', properties: { + contact: { + description: + 'Contains the contact information of the party that was used in this state.', + minLength: 1, + title: 'Party contact information', + type: 'string', + }, date: { description: 'Holds the date and time of the involvement entry.', @@ -1183,6 +1252,9 @@ export default { title: 'Date of involvement', type: 'string', }, + group_ids: { + $ref: '#/$defs/product_groups_t', + }, party: { description: 'Defines the category of the involved party.', enum: [ @@ -1195,6 +1267,9 @@ export default { title: 'Party category', type: 'string', }, + product_ids: { + $ref: '#/$defs/products_t', + }, status: { description: 'Defines contact status of the involved party.', enum: [ 
@@ -1255,6 +1330,39 @@ export default { cvss_v4: { $ref: 'https://www.first.org/cvss/cvss-v4.0.json', }, + epss: { + additionalProperties: false, + description: 'Contains the EPSS data.', + properties: { + percentile: { + description: + 'Contains the rank ordering of probabilities from highest to lowest.', + pattern: '^(([0]\\.([0-9])+)|([1]\\.[0]+))$', + title: 'Percentile', + type: 'string', + }, + probability: { + description: + 'Contains the likelihood that any exploitation activity for this Vulnerability is being observed in the 30 days following the given timestamp.', + pattern: '^(([0]\\.([0-9])+)|([1]\\.[0]+))$', + title: 'Probability', + type: 'string', + }, + timestamp: { + description: + 'Holds the date and time the EPSS value was recorded.', + format: 'date-time', + title: 'EPSS timestamp', + type: 'string', + }, + }, + required: ['percentile', 'probability', 'timestamp'], + title: 'EPSS', + type: 'object', + }, + ssvc_v1: { + $ref: 'https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json', + }, }, title: 'Content', type: 'object', @@ -1338,6 +1446,12 @@ export default { 'It is not known yet whether these versions are or are not affected by the vulnerability. However, it is still under investigation - the result will be provided in a later release of the document.', title: 'Under investigation', }, + unknown: { + $ref: '#/$defs/products_t', + description: + 'It is not known whether these versions are or are not affected by the vulnerability. There is also no investigation and therefore the status might never be determined.', + title: 'Unknown', + }, }, title: 'Product status', type: 'object', 
@@ -1348,13 +1462,6 @@ export default { 'Holds a list of references associated with this vulnerability item.', title: 'Vulnerability references', }, - release_date: { - description: - 'Holds the date and time the vulnerability was originally released into the wild.', - format: 'date-time', - title: 'Release date', - type: 'string', - }, remediations: { description: 'Contains a list of remediations.', items: {