diff --git a/CHANGELOG.md b/CHANGELOG.md
index ee9079f..52888f5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,12 @@
 # Changelog
 
+## [1.7.0](https://github.com/RedHatProductSecurity/cvelib/compare/1.6.0...1.7.0) (Dec 5, 2024)
+
+* Updated CVE record schemas to version 5.1.1 (#96).
+* Added a new subcommand, `validate`, to verify that a CVE record (or a specific container of a record) is valid
+ against a specific CVE v5 schema (#95).
+* Switched to a stricter version of the CVE ID matching regex (6f18918).
+
 ## [1.6.0](https://github.com/RedHatProductSecurity/cvelib/compare/1.5.0...1.6.0) (Oct 11, 2024)
 
 * Subcommands that not require authentication credentials no longer require `-u/-o/-a` options to be set (#93).
diff --git a/README.md b/README.md
index 8873fba..eb105a6 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 
 A library and a command line interface for the CVE Services API.
 
-**Note**: version 1.4.0 of cvelib is compatible with CVE Services 2.3.1 and CVE JSON schema 5.1.0.
+**Note**: version 1.7.0 of cvelib is compatible with CVE Services 2.5.0 and CVE JSON schema 5.1.1.
 
 ## Requirements
 
@@ -239,7 +239,7 @@ For more information, see the individual methods defined in the
 ```bash
 git clone https://github.com/RedHatProductSecurity/cvelib.git
 cd cvelib
-python3 -m venv venv # Must be Python 3.6 or later
+python3 -m venv venv
 source venv/bin/activate
 pip install --upgrade pip
 pip install -e .
@@ -275,10 +275,10 @@ Running tests and linters:
 tox
 # Run format check only
 tox -e black
-# Run tests against Python 3.6 only
-tox -e py36
-# Run a single test against Python 3.6 only
-tox -e py36 -- tests/test_cli.py::test_cve_show
+# Run tests using a specific version of Python
+tox -e py313
+# Run a single test using a specific version of Python
+tox -e py313 -- tests/test_cli.py::test_cve_show
 ```
 
 Any changes in the commands, their options, or help texts must be reflected in the generated man pages. To refresh 
diff --git a/cvelib/__init__.py b/cvelib/__init__.py
index e4adfb8..14d9d2f 100644
--- a/cvelib/__init__.py
+++ b/cvelib/__init__.py
@@ -1 +1 @@
-__version__ = "1.6.0"
+__version__ = "1.7.0"
diff --git a/man/cve-list.1 b/man/cve-list.1
index 57b695a..4a21b3c 100644
--- a/man/cve-list.1
+++ b/man/cve-list.1
@@ -1,4 +1,4 @@
-.TH "CVE LIST" "1" "2024-10-11" "1.6.0" "cve list Manual"
+.TH "CVE LIST" "1" "2024-12-05" "1.6.0" "cve list Manual"
 .SH NAME
 cve\-list \- Filter and list reserved CVE IDs owned by...
 .SH SYNOPSIS
diff --git a/man/cve-org-users.1 b/man/cve-org-users.1
index 0766b2a..7ac9bb1 100644
--- a/man/cve-org-users.1
+++ b/man/cve-org-users.1
@@ -1,4 +1,4 @@
-.TH "CVE ORG USERS" "1" "2024-10-11" "1.6.0" "cve org users Manual"
+.TH "CVE ORG USERS" "1" "2024-12-05" "1.6.0" "cve org users Manual"
 .SH NAME
 cve\-org\-users \- List all users in your organization.
 .SH SYNOPSIS
diff --git a/man/cve-org.1 b/man/cve-org.1
index c8b50db..0e4c645 100644
--- a/man/cve-org.1
+++ b/man/cve-org.1
@@ -1,4 +1,4 @@
-.TH "CVE ORG" "1" "2024-10-11" "1.6.0" "cve org Manual"
+.TH "CVE ORG" "1" "2024-12-05" "1.6.0" "cve org Manual"
 .SH NAME
 cve\-org \- Show information about your organization.
 .SH SYNOPSIS
diff --git a/man/cve-ping.1 b/man/cve-ping.1
index a8f4efb..4bc07b8 100644
--- a/man/cve-ping.1
+++ b/man/cve-ping.1
@@ -1,4 +1,4 @@
-.TH "CVE PING" "1" "2024-10-11" "1.6.0" "cve ping Manual"
+.TH "CVE PING" "1" "2024-12-05" "1.6.0" "cve ping Manual"
 .SH NAME
 cve\-ping \- Ping the CVE Services API to see if it is up.
 .SH SYNOPSIS
diff --git a/man/cve-publish-adp.1 b/man/cve-publish-adp.1
index 0687e1d..31dd327 100644
--- a/man/cve-publish-adp.1
+++ b/man/cve-publish-adp.1
@@ -1,4 +1,4 @@
-.TH "CVE PUBLISH-ADP" "1" "2024-10-11" "1.6.0" "cve publish-adp Manual"
+.TH "CVE PUBLISH-ADP" "1" "2024-12-05" "1.6.0" "cve publish-adp Manual"
 .SH NAME
 cve\-publish-adp \- Add or update an ADP container in a CVE...
 .SH SYNOPSIS
@@ -7,26 +7,25 @@ cve\-publish-adp \- Add or update an ADP container in a CVE...
 .SH DESCRIPTION
 Add or update an ADP container in a CVE record for a published CVE ID.
 .PP
- NOTE: a published ADP container cannot be removed, only updated with new data.
+NOTE: a published ADP container cannot be removed, only updated with new data.
 .PP
- The ADP container can be specified as a string:
+The ADP container can be specified as a string:
 .PP
- cve publish-adp CVE-2022-1234 -j '{"affected": [], "descriptions": [], "references": {}, ...}'
+ cve publish-adp CVE-2022-1234 -j '{"affected": [], "descriptions": [], "references": {}, ...}'
 .PP
- Or passed in a file:
+Or passed in a file:
 .PP
- cve publish-adp CVE-2022-1234 -f adp.json
+ cve publish-adp CVE-2022-1234 -f adp.json
 .PP
- For information on the required properties in a given ADP container of a CVE record,
- see the schema in:
+For information on the required properties in a given ADP container of a CVE record,
+see the schema in:
 .PP
- https://github.com/CVEProject/cve-schema/blob/master/schema/v5.0/CVE_JSON_5.0_schema.json
- https://cveproject.github.io/cve-schema/schema/v5.0/docs/#oneOf_i0_containers_adp
+https://cveproject.github.io/cve-schema/schema/docs/
+.PP
+Because the CVE Services API only expects the ADP container contents of the full CVE v5 record,
+the data you pass to this command can specify just the attributes defined by the adpContainer
+subschema.
 .PP
- Because the CVE Services API only expects the ADP container contents of the full CVE v5 record,
- the data you pass to this command can specify just the attributes defined by the adpContainer
- subschema.
-
 .SH OPTIONS
 .TP
 \fB\-j,\fP \-\-adp\-json TEXT
diff --git a/man/cve-publish.1 b/man/cve-publish.1
index 03bd71b..6888f61 100644
--- a/man/cve-publish.1
+++ b/man/cve-publish.1
@@ -1,4 +1,4 @@
-.TH "CVE PUBLISH" "1" "2024-10-11" "1.6.0" "cve publish Manual"
+.TH "CVE PUBLISH" "1" "2024-12-05" "1.6.0" "cve publish Manual"
 .SH NAME
 cve\-publish \- Publish a CNA container of a CVE record...
 .SH SYNOPSIS
@@ -7,28 +7,27 @@ cve\-publish \- Publish a CNA container of a CVE record...
 .SH DESCRIPTION
 Publish a CNA container of a CVE record for a reserved (or rejected) CVE ID.
 .PP
- If the CVE is already published, this action will update the CNA container in its record. A
- published CVE can only be moved to the rejected state with an appropriate reject record (see
- `cve reject`). A published CVE cannot be moved back to the reserved state.
+If the CVE is already published, this action will update the CNA container in its record. A
+published CVE can only be moved to the rejected state with an appropriate reject record (see
+`cve reject`). A published CVE cannot be moved back to the reserved state.
 .PP
- The CNA container can be specified as a string:
+The CNA container can be specified as a string:
 .PP
- cve publish CVE-2022-1234 -j '{"affected": [], "descriptions": [], "references": {}, ...}'
+ cve publish CVE-2022-1234 -j '{"affected": [], "descriptions": [], "references": {}, ...}'
 .PP
- Or passed in a file:
+Or passed in a file:
 .PP
- cve publish CVE-2022-1234 -f cve.json
+ cve publish CVE-2022-1234 -f cve.json
 .PP
- For information on the required properties in a given CNA container of a CVE record,
- see the schema in:
+For information on the required properties in a given CNA container of a CVE record,
+see the schema in:
 .PP
- https://github.com/CVEProject/cve-schema/blob/master/schema/v5.0/CVE_JSON_5.0_schema.json
- https://cveproject.github.io/cve-schema/schema/v5.0/docs/#oneOf_i0_containers_cna
+https://cveproject.github.io/cve-schema/schema/docs/
+.PP
+Because the CVE Services API only expects the CNA container contents of the full CVE v5 record,
+the data you pass to this command can specify just the attributes defined by the
+cnaPublishedContainer or cnaRejectedContainer subschemas, and not the full schema record.
 .PP
- Because the CVE Services API only expects the CNA container contents of the full CVE v5 record,
- the data you pass to this command can specify just the attributes defined by the
- cnaPublishedContainer or cnaRejectedContainer subschemas, and not the full schema record.
-
 .SH OPTIONS
 .TP
 \fB\-j,\fP \-\-cve\-json TEXT
diff --git a/man/cve-quota.1 b/man/cve-quota.1
index ee46ac9..f8c269c 100644
--- a/man/cve-quota.1
+++ b/man/cve-quota.1
@@ -1,4 +1,4 @@
-.TH "CVE QUOTA" "1" "2024-10-11" "1.6.0" "cve quota Manual"
+.TH "CVE QUOTA" "1" "2024-12-05" "1.6.0" "cve quota Manual"
 .SH NAME
 cve\-quota \- Display the available CVE ID quota for...
 .SH SYNOPSIS
@@ -7,11 +7,11 @@ cve\-quota \- Display the available CVE ID quota for...
 .SH DESCRIPTION
 Display the available CVE ID quota for your CNA.
 .PP
-  
- - "Limit": how many CVE IDs your organization can have in the RESERVED state at once.
- - "Reserved": the number of CVE IDs that are in the RESERVED state across all years.
- - "Available": the number of CVE IDs that can be reserved (that is, "Limit" - "Reserved")
-
+
+- "Limit": how many CVE IDs your organization can have in the RESERVED state at once.
+- "Reserved": the number of CVE IDs that are in the RESERVED state across all years.
+- "Available": the number of CVE IDs that can be reserved (that is, "Limit" - "Reserved")
+.PP
 .SH OPTIONS
 .TP
 \fB\-\-raw\fP
diff --git a/man/cve-reject.1 b/man/cve-reject.1
index b7f62e6..062d59c 100644
--- a/man/cve-reject.1
+++ b/man/cve-reject.1
@@ -1,4 +1,4 @@
-.TH "CVE REJECT" "1" "2024-10-11" "1.6.0" "cve reject Manual"
+.TH "CVE REJECT" "1" "2024-12-05" "1.6.0" "cve reject Manual"
 .SH NAME
 cve\-reject \- Reject a CVE record for a reserved or...
 .SH SYNOPSIS
@@ -7,28 +7,28 @@ cve\-reject \- Reject a CVE record for a reserved or...
 .SH DESCRIPTION
 Reject a CVE record for a reserved or published CVE ID.
 .PP
- If the CVE is already rejected, this action will update its record if one is supplied.
- A rejected CVE with a record can only be moved to the published state (see `cve publish`).
- A rejected CVE without a record can be moved to the reserved state. A published CVE can only
- be rejected with an accompanying record. Reserved CVEs can be rejected with or without a record.
+If the CVE is already rejected, this action will update its record if one is supplied.
+A rejected CVE with a record can only be moved to the published state (see `cve publish`).
+A rejected CVE without a record can be moved to the reserved state. A published CVE can only
+be rejected with an accompanying record. Reserved CVEs can be rejected with or without a record.
 .PP
- Note: Rejecting a published CVE removes both the CNA and ADP data of that record.
+Note: Rejecting a published CVE removes both the CNA and ADP data of that record.
 .PP
- The CVE reject record can be specified as a string:
+The CVE reject record can be specified as a string:
 .PP
- cve reject CVE-2022-1234 -j '{"rejectedReasons": [{"lang": "en", "value": "A reason."}]}'
+ cve reject CVE-2022-1234 -j '{"rejectedReasons": [{"lang": "en", "value": "A reason."}]}'
 .PP
- Or passed in a file:
+Or passed in a file:
 .PP
- cve reject CVE-2022-1234 -f v5_reject_record.json
+ cve reject CVE-2022-1234 -f v5_reject_record.json
 .PP
- For information on the required properties in a given CVE JSON record, see the schema in:
+For information on the required properties in a given CVE JSON record, see the schema in:
 .PP
- https://github.com/CVEProject/cve-schema/blob/master/schema/v5.0/CVE_JSON_5.0_schema.json
+https://cveproject.github.io/cve-schema/schema/docs/
+.PP
+Because the CVE Services API only expects the cnaRejectedContainer contents of the full record,
+the record you pass to this command can specify just that data, and not the full record.
 .PP
- Because the CVE Services API only expects the cnaRejectedContainer contents of the full record,
- the record you pass to this command can specify just that data, and not the full record.
-
 .SH OPTIONS
 .TP
 \fB\-j,\fP \-\-cve\-json TEXT
diff --git a/man/cve-reserve.1 b/man/cve-reserve.1
index b8b7291..0f00de5 100644
--- a/man/cve-reserve.1
+++ b/man/cve-reserve.1
@@ -1,4 +1,4 @@
-.TH "CVE RESERVE" "1" "2024-10-11" "1.6.0" "cve reserve Manual"
+.TH "CVE RESERVE" "1" "2024-12-05" "1.6.0" "cve reserve Manual"
 .SH NAME
 cve\-reserve \- Reserve one or more CVE IDs.
 .SH SYNOPSIS
@@ -7,15 +7,15 @@ cve\-reserve \- Reserve one or more CVE IDs.
 .SH DESCRIPTION
 Reserve one or more CVE IDs. COUNT is the number of CVEs to reserve; defaults to 1.
 .PP
- CVE IDs can be reserved one by one (the lowest IDs are reserved first) or in batches of
- multiple IDs per single request. When reserving multiple IDs, you can request those IDs to be
- generated sequentially (default) or non-sequentially (random IDs are selected from your CVE ID
- range).
+CVE IDs can be reserved one by one (the lowest IDs are reserved first) or in batches of
+multiple IDs per single request. When reserving multiple IDs, you can request those IDs to be
+generated sequentially (default) or non-sequentially (random IDs are selected from your CVE ID
+range).
+.PP
+
+For more information, see the "Developer Guide to CVE Services API":
+https://github.com/CVEProject/cve-services/wiki/Developer-Guide-to-CVE-Services-API#different-reservation-types
 .PP
-  
- For more information, see the "Developer Guide to CVE Services API":
- https://github.com/CVEProject/cve-services/wiki/Developer-Guide-to-CVE-Services-API#different-reservation-types
-
 .SH OPTIONS
 .TP
 \fB\-r,\fP \-\-random
diff --git a/man/cve-show.1 b/man/cve-show.1
index 89f0f7b..df6e5de 100644
--- a/man/cve-show.1
+++ b/man/cve-show.1
@@ -1,11 +1,11 @@
-.TH "CVE SHOW" "1" "2024-10-11" "1.6.0" "cve show Manual"
+.TH "CVE SHOW" "1" "2024-12-05" "1.6.0" "cve show Manual"
 .SH NAME
 cve\-show \- Display a specific CVE ID (and optionally...
 .SH SYNOPSIS
 .B cve show
 [OPTIONS] CVE_ID
 .SH DESCRIPTION
-Display a specific CVE ID (and optionally its record) owned by your CNA.
+Display a specific CVE ID (and optionally its record).
 .SH OPTIONS
 .TP
 \fB\-r,\fP \-\-show\-record
diff --git a/man/cve-undo-reject.1 b/man/cve-undo-reject.1
index 6145fbe..1091c20 100644
--- a/man/cve-undo-reject.1
+++ b/man/cve-undo-reject.1
@@ -1,4 +1,4 @@
-.TH "CVE UNDO-REJECT" "1" "2024-10-11" "1.6.0" "cve undo-reject Manual"
+.TH "CVE UNDO-REJECT" "1" "2024-12-05" "1.6.0" "cve undo-reject Manual"
 .SH NAME
 cve\-undo-reject \- Move a rejected CVE ID without a record...
 .SH SYNOPSIS
diff --git a/man/cve-user-create.1 b/man/cve-user-create.1
index bea23c2..1631e40 100644
--- a/man/cve-user-create.1
+++ b/man/cve-user-create.1
@@ -1,4 +1,4 @@
-.TH "CVE USER CREATE" "1" "2024-10-11" "1.6.0" "cve user create Manual"
+.TH "CVE USER CREATE" "1" "2024-12-05" "1.6.0" "cve user create Manual"
 .SH NAME
 cve\-user\-create \- Create a user in your organization.
 .SH SYNOPSIS
@@ -7,11 +7,11 @@ cve\-user\-create \- Create a user in your organization.
 .SH DESCRIPTION
 Create a user in your organization.
 .PP
- This action is restricted to users with the ADMIN role.
+This action is restricted to users with the ADMIN role.
+.PP
+Note: Once a user is created, they cannot be removed, only marked as inactive. Only create
+users when you really need them.
 .PP
- Note: Once a user is created, they cannot be removed, only marked as inactive. Only create
- users when you really need them.
-
 .SH OPTIONS
 .TP
 \fB\-u,\fP \-\-username TEXT
diff --git a/man/cve-user-reset-key.1 b/man/cve-user-reset-key.1
index 8cadb88..1375fce 100644
--- a/man/cve-user-reset-key.1
+++ b/man/cve-user-reset-key.1
@@ -1,4 +1,4 @@
-.TH "CVE USER RESET-KEY" "1" "2024-10-11" "1.6.0" "cve user reset-key Manual"
+.TH "CVE USER RESET-KEY" "1" "2024-12-05" "1.6.0" "cve user reset-key Manual"
 .SH NAME
 cve\-user\-reset-key \- Reset a user's personal access token (API...
 .SH SYNOPSIS
@@ -7,10 +7,10 @@ cve\-user\-reset-key \- Reset a user's personal access token (API...
 .SH DESCRIPTION
 Reset a user's personal access token (API key).
 .PP
- You must explicitly specify the user being updated using the `-u` option.
+You must explicitly specify the user being updated using the `-u` option.
+.PP
+This API key is used to authenticate each request to the CVE API.
 .PP
- This API key is used to authenticate each request to the CVE API.
-
 .SH OPTIONS
 .TP
 \fB\-u,\fP \-\-username TEXT
diff --git a/man/cve-user-update.1 b/man/cve-user-update.1
index f7d4d43..a6cdc1c 100644
--- a/man/cve-user-update.1
+++ b/man/cve-user-update.1
@@ -1,4 +1,4 @@
-.TH "CVE USER UPDATE" "1" "2024-10-11" "1.6.0" "cve user update Manual"
+.TH "CVE USER UPDATE" "1" "2024-12-05" "1.6.0" "cve user update Manual"
 .SH NAME
 cve\-user\-update \- Update a user.
 .SH SYNOPSIS
@@ -7,10 +7,10 @@ cve\-user\-update \- Update a user.
 .SH DESCRIPTION
 Update a user.
 .PP
- You must explicitly specify the user being updated using the `-u` option.
+You must explicitly specify the user being updated using the `-u` option.
+.PP
+To reset a user's API key, use `cve user reset-key`.
 .PP
- To reset a user's API key, use `cve user reset-key`.
-
 .SH OPTIONS
 .TP
 \fB\-u,\fP \-\-username TEXT
diff --git a/man/cve-user.1 b/man/cve-user.1
index f525900..bfee399 100644
--- a/man/cve-user.1
+++ b/man/cve-user.1
@@ -1,4 +1,4 @@
-.TH "CVE USER" "1" "2024-10-11" "1.6.0" "cve user Manual"
+.TH "CVE USER" "1" "2024-12-05" "1.6.0" "cve user Manual"
 .SH NAME
 cve\-user \- Show information about a user.
 .SH SYNOPSIS
diff --git a/man/cve-validate.1 b/man/cve-validate.1
new file mode 100644
index 0000000..cf9a98d
--- /dev/null
+++ b/man/cve-validate.1
@@ -0,0 +1,18 @@
+.TH "CVE VALIDATE" "1" "2024-12-05" "1.6.0" "cve validate Manual"
+.SH NAME
+cve\-validate \- Validate a CVE record against the 5.1.1...
+.SH SYNOPSIS
+.B cve validate
+[OPTIONS]
+.SH DESCRIPTION
+Validate a CVE record against the 5.1.1 CVE JSON (sub)schema.
+.SH OPTIONS
+.TP
+\fB\-j,\fP \-\-cve\-json TEXT
+JSON body of CVE record.
+.TP
+\fB\-f,\fP \-\-cve\-json\-file FILENAME
+File containing JSON body of a CVE record.
+.TP
+\fB\-s,\fP \-\-schema\-type [full|cna\-published|cna\-rejected|adp]
+Specific type of schema to validate against [default: cna-published]
diff --git a/man/cve.1 b/man/cve.1
index 5c156cb..ceb0b83 100644
--- a/man/cve.1
+++ b/man/cve.1
@@ -1,4 +1,4 @@
-.TH "CVE" "1" "2024-10-11" "1.6.0" "cve Manual"
+.TH "CVE" "1" "2024-12-05" "1.6.0" "cve Manual"
 .SH NAME
 cve \- A CLI interface for the CVE Services API.
 .SH SYNOPSIS
@@ -70,6 +70,10 @@ Show the version and exit.
 Show information about your organization.
 See \fBcve-org(1)\fP for full documentation on the \fBorg\fP command.
 .PP
+\fBvalidate\fP
+ Validate a CVE record against the 5.1.1...
+ See \fBcve-validate(1)\fP for full documentation on the \fBvalidate\fP command.
+.PP
 \fBping\fP
 Ping the CVE Services API to see if it is up.
 See \fBcve-ping(1)\fP for full documentation on the \fBping\fP command.
diff --git a/setup.py b/setup.py
index 64f6279..51a6fc9 100644
--- a/setup.py
+++ b/setup.py
@@ -2,7 +2,7 @@ install_requires = [
 "click>=7.1.2",
- "requests>=2.24.0",
+ "requests>=2.32.0",
 "jsonschema>=4.7.2",
 ]
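Review bot: The requests floor is raised from 2.24.0 to 2.32.0 on the one changed line of setup.py, but nothing in the 1.7.0 changelog entry records it, so packagers and downstream environments pinning an older requests will only discover the new constraint at install time; add `* Raised the minimum required version of requests to 2.32.0.` to the changelog, and if the bump was made to pick up a security fix in requests, say which one. Because the requests 2.32 line itself no longer supports the Python versions this release is dropping (the README and tox no longer mention 3.6), check that setup.py's python_requires, which is outside this hunk, agrees with the new floor. The jsonschema floor of 4.7.2 is left untouched even though the new `validate` subcommand checks records against the 5.1.1 schemas; confirm that version handles the JSON Schema draft those schemas declare, or raise it alongside requests.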