Skip to content

Commit

Permalink
load all schema url refs for offline validation (#436)
Browse files Browse the repository at this point in the history 
Signed-off-by: Alex Goodman <[email protected]>
  • Loading branch information
@wagoodman
wagoodman authored Jan 3, 2024
1 parent 5fbc7f4 commit f7001c5
Show file tree
Hide file tree
Showing 6 changed files with 421 additions and 2 deletions.
2 changes: 2 additions & 0 deletions schema/vulnerability/nvd/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,8 @@

This schema governs the data shape for a single NVD vulnerability record.

Derived from schemas located on the [NVD website](https://nvd.nist.gov/developers/vulnerabilities).

## Updating the schema

Versioning the JSON schema must be done manually by copying the existing JSON schema into a new `schema-x.y.z.json` file and manually making the necessary updates (or by using an online tool such as https://www.liquid-technologies.com/online-json-to-schema-converter).
Expand Down
5 changes: 5 additions & 0 deletions schema/vulnerability/nvd/cvss/README.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
These are cvss schemas found [here](https://nvd.nist.gov/developers/vulnerabilities) that are referenced in the main NVD schema.

Local copies have been made to ensure that schema valiations can be performed without network access being required.

This is facilitated by loading the file-to-url mapping in the test fixture (in conftest.py) that is responsible for json schema validation.
103 changes: 103 additions & 0 deletions schema/vulnerability/nvd/cvss/schema-v2.0.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,103 @@
{
"license": [
"Copyright (c) 2017, FIRST.ORG, INC.",
"All rights reserved.",
"",
"Redistribution and use in source and binary forms, with or without modification, are permitted provided that the ",
"following conditions are met:",
"1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following ",
" disclaimer.",
"2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the ",
" following disclaimer in the documentation and/or other materials provided with the distribution.",
"3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote ",
" products derived from this software without specific prior written permission.",
"",
"THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 'AS IS' AND ANY EXPRESS OR IMPLIED WARRANTIES, ",
"INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ",
"DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ",
"SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ",
"SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, ",
"WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE ",
"OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE."
],

"$schema": "http://json-schema.org/draft-07/schema#",
"title": "JSON Schema for Common Vulnerability Scoring System version 2.0",
"type": "object",
"definitions": {
"accessVectorType": {
"type": "string",
"enum": [ "NETWORK", "ADJACENT_NETWORK", "LOCAL" ]
},
"accessComplexityType": {
"type": "string",
"enum": [ "HIGH", "MEDIUM", "LOW" ]
},
"authenticationType": {
"type": "string",
"enum": [ "MULTIPLE", "SINGLE", "NONE" ]
},
"ciaType": {
"type": "string",
"enum": [ "NONE", "PARTIAL", "COMPLETE" ]
},
"exploitabilityType": {
"type": "string",
"enum": [ "UNPROVEN", "PROOF_OF_CONCEPT", "FUNCTIONAL", "HIGH", "NOT_DEFINED" ]
},
"remediationLevelType": {
"type": "string",
"enum": [ "OFFICIAL_FIX", "TEMPORARY_FIX", "WORKAROUND", "UNAVAILABLE", "NOT_DEFINED" ]
},
"reportConfidenceType": {
"type": "string",
"enum": [ "UNCONFIRMED", "UNCORROBORATED", "CONFIRMED", "NOT_DEFINED" ]
},
"collateralDamagePotentialType": {
"type": "string",
"enum": [ "NONE", "LOW", "LOW_MEDIUM", "MEDIUM_HIGH", "HIGH", "NOT_DEFINED" ]
},
"targetDistributionType": {
"type": "string",
"enum": [ "NONE", "LOW", "MEDIUM", "HIGH", "NOT_DEFINED" ]
},
"ciaRequirementType": {
"type": "string",
"enum": [ "LOW", "MEDIUM", "HIGH", "NOT_DEFINED" ]
},
"scoreType": {
"type": "number",
"minimum": 0,
"maximum": 10
}
},
"properties": {
"version": {
"description": "CVSS Version",
"type": "string",
"enum": [ "2.0" ]
},
"vectorString": {
"type": "string",
"pattern": "^((AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))/)*(AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))$"
},
"accessVector": { "$ref": "#/definitions/accessVectorType" },
"accessComplexity": { "$ref": "#/definitions/accessComplexityType" },
"authentication": { "$ref": "#/definitions/authenticationType" },
"confidentialityImpact": { "$ref": "#/definitions/ciaType" },
"integrityImpact": { "$ref": "#/definitions/ciaType" },
"availabilityImpact": { "$ref": "#/definitions/ciaType" },
"baseScore": { "$ref": "#/definitions/scoreType" },
"exploitability": { "$ref": "#/definitions/exploitabilityType" },
"remediationLevel": { "$ref": "#/definitions/remediationLevelType" },
"reportConfidence": { "$ref": "#/definitions/reportConfidenceType" },
"temporalScore": { "$ref": "#/definitions/scoreType" },
"collateralDamagePotential": { "$ref": "#/definitions/collateralDamagePotentialType" },
"targetDistribution": { "$ref": "#/definitions/targetDistributionType" },
"confidentialityRequirement": { "$ref": "#/definitions/ciaRequirementType" },
"integrityRequirement": { "$ref": "#/definitions/ciaRequirementType" },
"availabilityRequirement": { "$ref": "#/definitions/ciaRequirementType" },
"environmentalScore": { "$ref": "#/definitions/scoreType" }
},
"required": [ "version", "vectorString", "baseScore" ]
}
142 changes: 142 additions & 0 deletions schema/vulnerability/nvd/cvss/schema-v3.0.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,142 @@
{
"license": [
"Copyright (c) 2017, FIRST.ORG, INC.",
"All rights reserved.",
"",
"Redistribution and use in source and binary forms, with or without modification, are permitted provided that the ",
"following conditions are met:",
"1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following ",
" disclaimer.",
"2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the ",
" following disclaimer in the documentation and/or other materials provided with the distribution.",
"3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote ",
" products derived from this software without specific prior written permission.",
"",
"THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 'AS IS' AND ANY EXPRESS OR IMPLIED WARRANTIES, ",
"INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ",
"DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ",
"SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ",
"SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, ",
"WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE ",
"OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE."
],

"$schema": "http://json-schema.org/draft-07/schema#",
"title": "JSON Schema for Common Vulnerability Scoring System version 3.0",
"type": "object",
"definitions": {
"attackVectorType": {
"type": "string",
"enum": [ "NETWORK", "ADJACENT_NETWORK", "LOCAL", "PHYSICAL" ]
},
"modifiedAttackVectorType": {
"type": "string",
"enum": [ "NETWORK", "ADJACENT_NETWORK", "LOCAL", "PHYSICAL", "NOT_DEFINED" ]
},
"attackComplexityType": {
"type": "string",
"enum": [ "HIGH", "LOW" ]
},
"modifiedAttackComplexityType": {
"type": "string",
"enum": [ "HIGH", "LOW", "NOT_DEFINED" ]
},
"privilegesRequiredType": {
"type": "string",
"enum": [ "HIGH", "LOW", "NONE" ]
},
"modifiedPrivilegesRequiredType": {
"type": "string",
"enum": [ "HIGH", "LOW", "NONE", "NOT_DEFINED" ]
},
"userInteractionType": {
"type": "string",
"enum": [ "NONE", "REQUIRED" ]
},
"modifiedUserInteractionType": {
"type": "string",
"enum": [ "NONE", "REQUIRED", "NOT_DEFINED" ]
},
"scopeType": {
"type": "string",
"enum": [ "UNCHANGED", "CHANGED" ]
},
"modifiedScopeType": {
"type": "string",
"enum": [ "UNCHANGED", "CHANGED", "NOT_DEFINED" ]
},
"ciaType": {
"type": "string",
"enum": [ "NONE", "LOW", "HIGH" ]
},
"modifiedCiaType": {
"type": "string",
"enum": [ "NONE", "LOW", "HIGH", "NOT_DEFINED" ]
},
"exploitCodeMaturityType": {
"type": "string",
"enum": [ "UNPROVEN", "PROOF_OF_CONCEPT", "FUNCTIONAL", "HIGH", "NOT_DEFINED" ]
},
"remediationLevelType": {
"type": "string",
"enum": [ "OFFICIAL_FIX", "TEMPORARY_FIX", "WORKAROUND", "UNAVAILABLE", "NOT_DEFINED" ]
},
"confidenceType": {
"type": "string",
"enum": [ "UNKNOWN", "REASONABLE", "CONFIRMED", "NOT_DEFINED" ]
},
"ciaRequirementType": {
"type": "string",
"enum": [ "LOW", "MEDIUM", "HIGH", "NOT_DEFINED" ]
},
"scoreType": {
"type": "number",
"minimum": 0,
"maximum": 10
},
"severityType": {
"type": "string",
"enum": [ "NONE", "LOW", "MEDIUM", "HIGH", "CRITICAL" ]
}
},
"properties": {
"version": {
"description": "CVSS Version",
"type": "string",
"enum": [ "3.0" ]
},
"vectorString": {
"type": "string",
"pattern": "^CVSS:3[.]0/((AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$"
},
"attackVector": { "$ref": "#/definitions/attackVectorType" },
"attackComplexity": { "$ref": "#/definitions/attackComplexityType" },
"privilegesRequired": { "$ref": "#/definitions/privilegesRequiredType" },
"userInteraction": { "$ref": "#/definitions/userInteractionType" },
"scope": { "$ref": "#/definitions/scopeType" },
"confidentialityImpact": { "$ref": "#/definitions/ciaType" },
"integrityImpact": { "$ref": "#/definitions/ciaType" },
"availabilityImpact": { "$ref": "#/definitions/ciaType" },
"baseScore": { "$ref": "#/definitions/scoreType" },
"baseSeverity": { "$ref": "#/definitions/severityType" },
"exploitCodeMaturity": { "$ref": "#/definitions/exploitCodeMaturityType" },
"remediationLevel": { "$ref": "#/definitions/remediationLevelType" },
"reportConfidence": { "$ref": "#/definitions/confidenceType" },
"temporalScore": { "$ref": "#/definitions/scoreType" },
"temporalSeverity": { "$ref": "#/definitions/severityType" },
"confidentialityRequirement": { "$ref": "#/definitions/ciaRequirementType" },
"integrityRequirement": { "$ref": "#/definitions/ciaRequirementType" },
"availabilityRequirement": { "$ref": "#/definitions/ciaRequirementType" },
"modifiedAttackVector": { "$ref": "#/definitions/modifiedAttackVectorType" },
"modifiedAttackComplexity": { "$ref": "#/definitions/modifiedAttackComplexityType" },
"modifiedPrivilegesRequired": { "$ref": "#/definitions/modifiedPrivilegesRequiredType" },
"modifiedUserInteraction": { "$ref": "#/definitions/modifiedUserInteractionType" },
"modifiedScope": { "$ref": "#/definitions/modifiedScopeType" },
"modifiedConfidentialityImpact": { "$ref": "#/definitions/modifiedCiaType" },
"modifiedIntegrityImpact": { "$ref": "#/definitions/modifiedCiaType" },
"modifiedAvailabilityImpact": { "$ref": "#/definitions/modifiedCiaType" },
"environmentalScore": { "$ref": "#/definitions/scoreType" },
"environmentalSeverity": { "$ref": "#/definitions/severityType" }
},
"required": [ "version", "vectorString", "baseScore", "baseSeverity" ]
}
Loading

0 comments on commit f7001c5

Please sign in to comment.