
5.1.0 accepts undefined properties under "affected" #259

Closed
ElectricNroff opened this issue Dec 14, 2023 · 1 comment
Labels
bug Something isn't working section:affected_product Schema location is affected or product

Comments

@ElectricNroff

At the 2023-12-14 TWG meeting, the discussion suggested that, during testing of the 5.1.0 schema, any CVE Record that validated even though the record format was not "intended" would be considered a "loophole."

As far as I know, it was not intended that arbitrary properties be allowed under "affected" in a container, but records with these do validate.

Minimal/plausible test case (the CNA uses the arbitrary property "version" even though it is a misspelling of the intended property "versions"):

```json
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "cveMetadata": {
    "cveId": "CVE-2025-0001",
    "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": { "orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" },
      "affected": [
        {
          "vendor": "v",
          "product": "p",
          "version": [ { "version": "1", "status": "affected" } ],
          "defaultStatus": "affected"
        }
      ],
      "descriptions": [ { "lang": "en", "value": "d" } ],
      "references": [ { "url": "https://a.ai" } ]
    }
  }
}
```

possible solution:

  1. Find the text Name of the organization in the schema.
  2. Go up four lines.
  3. Insert "additionalProperties":false,

issues on the current CVE List:

  • additional property of "cpe"
CVE-2022-1415
CVE-2022-1438
CVE-2022-3466
CVE-2022-3596
CVE-2022-3916
CVE-2022-3962
CVE-2022-4039
CVE-2022-4137
CVE-2022-4244
CVE-2022-4245
CVE-2022-4318
CVE-2023-0118
CVE-2023-0119
CVE-2023-0813
CVE-2023-0833
CVE-2023-0923
CVE-2023-1108
CVE-2023-1260
CVE-2023-1476
CVE-2023-1584
CVE-2023-2422
CVE-2023-2974
CVE-2023-3223
CVE-2023-3347
CVE-2023-3637
CVE-2023-38200
CVE-2023-38201
CVE-2023-3899
CVE-2023-3961
CVE-2023-3971
CVE-2023-3972
CVE-2023-4004
CVE-2023-4065
CVE-2023-4066
CVE-2023-4091
CVE-2023-4128
CVE-2023-4147
CVE-2023-4380
CVE-2023-4456
CVE-2023-4527
CVE-2023-46846
CVE-2023-46847
CVE-2023-46848
CVE-2023-4806
CVE-2023-4813
CVE-2023-4853
CVE-2023-4911
CVE-2023-5157
CVE-2023-5408
CVE-2023-5625
  • additional property of "collection_url"
CVE-2022-1970
CVE-2022-3205
@ccoffin ccoffin added this to the CVE Record JSON Format v5.2.0 milestone Nov 22, 2024
@jayjacobs jayjacobs added section:affected_product Schema location is affected or product bug Something isn't working labels Nov 22, 2024
ccoffin added a commit to ccoffin/cve-schema that referenced this issue Dec 27, 2024
Add additionalProperties equal to false for the product object in the base schema. This resolves Issue CVEProject#259.
ccoffin added a commit to ccoffin/cve-schema that referenced this issue Dec 27, 2024
Add additionalProperties equal to false for the product object in the bundled schema. This resolves Issue CVEProject#259.
@ccoffin
Collaborator

ccoffin commented Dec 27, 2024

The above commits fix this issue by adding an additionalProperties false for the product object. This may result in some current CVE Records not validating if they have unexpected properties within affected/product. I went ahead and added additionalProperties to the bundled schemas as well since it is an easy addition.

@ccoffin ccoffin closed this as completed Dec 27, 2024
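The following is an added example, not code from the cve-schema project or from either commenter: a small evaluator for a subset of JSON Schema keywords (type, required, properties, additionalProperties, items) applied to the "affected" array from the test case above. It shows why a product object without `"additionalProperties": false` silently accepts the misspelled "version" key, and how the fix in ccoffin's commits turns that into a validation error. The product property names in the constructed schema fragment are the ones the example's author understands to be in the 5.x product object (an assumption), and the per-property sub-schemas are deliberately simplified.

```python
"""Added example (not the CVE schema project's code): minimal JSON Schema
subset evaluator demonstrating the effect of "additionalProperties": false
on the product object under "affected"."""
import copy
import json

# Constructed, simplified subset of the CVE 5.x "product" object.
# Property names are an assumption about the real schema; sub-schemas are
# reduced to the minimum needed for this demonstration.
PRODUCT_SCHEMA = {
    "type": "object",
    "required": ["vendor", "product"],
    "properties": {
        "vendor": {"type": "string"},
        "product": {"type": "string"},
        "collectionURL": {"type": "string"},
        "packageName": {"type": "string"},
        "cpes": {"type": "array", "items": {"type": "string"}},
        "modules": {"type": "array", "items": {"type": "string"}},
        "programFiles": {"type": "array", "items": {"type": "string"}},
        "programRoutines": {"type": "array", "items": {"type": "object"}},
        "platforms": {"type": "array", "items": {"type": "string"}},
        "repo": {"type": "string"},
        "defaultStatus": {"type": "string"},
        "versions": {
            "type": "array",
            "items": {
                "type": "object",
                "required": ["version", "status"],
                "properties": {
                    "version": {"type": "string"},
                    "status": {"type": "string"},
                },
            },
        },
    },
}

# "affected" is an array of product objects.
AFFECTED_SCHEMA = {"type": "array", "items": PRODUCT_SCHEMA}

_TYPES = {"object": dict, "array": list, "string": str}


def validate(instance, schema, path="$"):
    """Return a list of error strings; an empty list means the instance is
    valid. Only type / required / properties / additionalProperties / items
    are implemented, which is enough for the product-object question."""
    errors = []
    expected = schema.get("type")
    if expected and not isinstance(instance, _TYPES[expected]):
        return [f"{path}: expected {expected}"]
    if expected == "object":
        for key in schema.get("required", []):
            if key not in instance:
                errors.append(f"{path}: missing required property {key!r}")
        props = schema.get("properties", {})
        for key, value in instance.items():
            if key in props:
                errors.extend(validate(value, props[key], f"{path}.{key}"))
            elif schema.get("additionalProperties", True) is False:
                # This branch is the whole point of the fix: with the default
                # (additionalProperties true) an unknown key is ignored.
                errors.append(f"{path}: additional property {key!r} not allowed")
    elif expected == "array":
        for i, item in enumerate(instance):
            errors.extend(validate(item, schema["items"], f"{path}[{i}]"))
    return errors


def strict(affected_schema):
    """Copy of the affected-array schema with the issue's proposed fix
    applied to the product object."""
    s = copy.deepcopy(affected_schema)
    s["items"]["additionalProperties"] = False
    return s


# The "affected" array from the issue's test case (misspelled "version").
ISSUE_AFFECTED = json.loads('''[{"vendor":"v","product":"p",
"version":[{"version":"1","status":"affected"}],
"defaultStatus":"affected"}]''')


def loose_errors():
    """Errors under a 5.1.0-style product object (no additionalProperties)."""
    return validate(ISSUE_AFFECTED, AFFECTED_SCHEMA)


def strict_errors():
    """Errors once additionalProperties false is added to the product object."""
    return validate(ISSUE_AFFECTED, strict(AFFECTED_SCHEMA))


def corrected_errors():
    """Errors for the same record after renaming 'version' to 'versions'."""
    fixed = copy.deepcopy(ISSUE_AFFECTED)
    fixed[0]["versions"] = fixed[0].pop("version")
    return validate(fixed, strict(AFFECTED_SCHEMA))


if __name__ == "__main__":
    print("without additionalProperties:", loose_errors() or "valid")
    print("with additionalProperties false:", strict_errors() or "valid")
    print("corrected record, strict schema:", corrected_errors() or "valid")
```

Running the module prints that the misspelled record is valid under the loose schema, is rejected at `$[0]` under the strict one, and passes again once the key is spelled "versions". The same check applied to the "cpe" and "collection_url" keys listed in the issue would flag those records in the same way, which is the breakage ccoffin's comment anticipates for existing CVE Records.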