Merge pull request #230 from CVEProject/srl-208

jdaigneau5 · web-flow · commit 20a9e977d902 · 2023-04-11T12:46:36.000-04:00
Adds cnaContainer examples for v5.0
diff --git a/.github/workflows/validate-schema.yml b/.github/workflows/validate-schema.yml
@@ -32,5 +32,5 @@ jobs:
       - name: Validate JSON schema
         run: |
           ajv compile -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_JSON_5.0_bundled.json"
-          ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_JSON_5.0_bundled.json" -d "${CVE_SCHEMA_DIR}/docs/basic-example.json"
-          ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_JSON_5.0_bundled.json" -d "${CVE_SCHEMA_DIR}/docs/advanced-example.json"
+          ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_JSON_5.0_bundled.json" -d "${CVE_SCHEMA_DIR}/docs/full-record-basic-example.json"
+          ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_JSON_5.0_bundled.json" -d "${CVE_SCHEMA_DIR}/docs/full-record-advanced-example.json"
diff --git a/README.md b/README.md
@@ -14,8 +14,12 @@ Documentation about this format is available at https://cveproject.github.io/cve
 
 A mindmap version of the CVE record structure is at https://cveproject.github.io/cve-schema/schema/v5.0/docs/mindmap.html
 
-A basic example record in 5.0 format with minimally required fields is available at https://github.com/cveproject/cve-schema/blob/master/schema/v5.0/docs/basic-example.json
+A basic example of a full record in 5.0 format with minimally required fields is available at https://github.com/cveproject/cve-schema/blob/master/schema/v5.0/docs/full-record-basic-example.json
 
-An advanced example record in 5.0 format is available at https://github.com/cveproject/cve-schema/blob/master/schema/v5.0/docs/advanced-example.json
+An advanced example of a full record in 5.0 format is available at https://github.com/cveproject/cve-schema/blob/master/schema/v5.0/docs/full-record-advanced-example.json
+
+A basic example of a cnaContainer, to be used with CVE Services, is available at https://github.com/cveproject/cve-schema/blob/master/schema/v5.0/docs/cnaContainer-basic-example.json
+
+An advanced example of a cnaContainer, to be used with CVE Services, is available at https://github.com/cveproject/cve-schema/blob/master/schema/v5.0/docs/cnaContainer-advanced-example.json
 
 More details about Product and Version Encodings in CVE JSON 5.0 record is at https://github.com/CVEProject/cve-schema/blob/master/schema/v5.0/docs/versions.md
diff --git a/schema/v5.0/docs/cnaContainer-advanced-example.json b/schema/v5.0/docs/cnaContainer-advanced-example.json
@@ -0,0 +1,293 @@
+{
+  "cnaContainer": {
+    "title": "Buffer overflow in Example Enterprise allows Privilege Escalation.",
+    "datePublic": "2021-09-08T16:24:00.000Z",
+    "problemTypes": [
+      {
+        "descriptions": [
+          {
+            "lang": "en",
+            "cweId": "CWE-78",
+            "description": "CWE-78 OS Command Injection",
+            "type": "CWE"
+          }
+        ]
+      }
+    ],
+    "impacts": [
+      {
+        "capecId": "CAPEC-233",
+        "descriptions": [
+          {
+            "lang": "en",
+            "value": "CAPEC-233 Privilege Escalation"
+          }
+        ]
+      }
+    ],
+    "affected": [
+      {
+        "vendor": "Example.org",
+        "product": "Example Enterprise",
+        "platforms": [
+          "Windows",
+          "MacOS",
+          "XT-4500"
+        ],
+        "collectionURL": "https://example.org/packages",
+        "packageName": "example_enterprise",
+        "repo": "git://example.org/source/example_enterprise",
+        "modules": [
+          "Web-Management-Interface"
+        ],
+        "programFiles": [
+          "http://example_enterprise/example.php"
+        ],
+        "programRoutines": [
+          {
+            "name": "parseFilename"
+          }
+        ],
+        "versions": [
+          {
+            "version": "1.0.0",
+            "status": "affected",
+            "lessThan": "1.0.6",
+            "versionType": "semver"
+          },
+          {
+            "version": "2.1.0",
+            "status": "unaffected",
+            "lessThan": "2.1.*",
+            "changes": [
+              {
+                "at": "2.1.6",
+                "status": "affected"
+              },
+              {
+                "at": "2.1.9",
+                "status": "unaffected"
+              }
+            ],
+            "versionType": "semver"
+          },
+          {
+            "version": "3.0.0",
+            "status": "unaffected",
+            "lessThan": "*",
+            "versionType": "semver"
+          }
+        ],
+        "defaultStatus": "unaffected"
+      }
+    ],
+    "descriptions": [
+      {
+        "lang": "en",
+        "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, macOS, and XT-4500 allows remote unauthenticated attackers to escalate privileges. This issue affects: 1.0 versions before 1.0.6, 2.1 versions from 2.16 until 2.1.9.",
+        "supportingMedia": [
+          {
+            "type": "text/html",
+            "base64": false,
+            "value": "OS Command Injection vulnerability <tt>parseFilename</tt> function of <tt>example.php</tt> in the Web Management Interface of Example.org Example Enterprise on Windows, macOS, and XT-4500 allows remote unauthenticated attackers to escalate privileges.<br><br>This issue affects:<br><ul><li>1.0 versions before 1.0.6</li><li>2.1 versions from 2.16 until 2.1.9.</li></ul>"
+          }
+        ]
+      },
+      {
+        "lang": "eo",
+        "value": "OS-komand-injekta vundebleco parseFilename funkcio de example.php en la Web Administrado-Interfaco de Example.org Example Enterprise ĉe Windows, macOS kaj XT-4500 permesas al malproksimaj neaŭtentikigitaj atakantoj eskaladi privilegiojn. Ĉi tiu afero efikas: 1.0-versioj antaŭ 1.0.6, 2.1-versioj de 2.16 ĝis 2.1.9.",
+        "supportingMedia": [
+          {
+            "type": "text/html",
+            "base64": false,
+            "value": "OS-komand-injekta vundebleco <tt>parseFilename</tt> funkcio de <tt>example.php</tt> en la Web Administrado-Interfaco de Example.org Example Enterprise ĉe Windows, macOS kaj XT-4500 permesas al malproksimaj neaŭtentikigitaj atakantoj eskaladi privilegiojn.<br><br> Ĉi tiu afero efikas:<br><ul><li>1.0-versioj antaŭ 1.0.6</li><li>2.1-versioj de 2.16 ĝis 2.1.9.</li></ul>"
+          }
+        ]
+      }          
+    ],
+    "metrics": [
+      {
+        "format": "CVSS",
+        "scenarios": [
+          {
+            "lang": "en",
+            "value": "GENERAL"
+          }
+        ],
+        "cvssV3_1": {
+          "version": "3.1",
+          "attackVector": "NETWORK",
+          "attackComplexity": "LOW",
+          "privilegesRequired": "NONE",
+          "userInteraction": "NONE",
+          "scope": "UNCHANGED",
+          "confidentialityImpact": "HIGH",
+          "integrityImpact": "HIGH",
+          "availabilityImpact": "HIGH",
+          "baseScore": 9.8,
+          "baseSeverity": "CRITICAL",
+          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+        }
+      },
+      {
+        "format": "CVSS",
+        "scenarios": [
+          {
+            "lang": "en",
+            "value": "If the enhanced host protection mode is turned on, this vulnerability can only be exploited to run os commands as user 'nobody'. Privilege escalation is not possible."
+          }
+        ],
+        "cvssV3_1": {
+          "version": "3.1",
+          "attackVector": "NETWORK",
+          "attackComplexity": "LOW",
+          "privilegesRequired": "NONE",
+          "userInteraction": "NONE",
+          "scope": "UNCHANGED",
+          "confidentialityImpact": "LOW",
+          "integrityImpact": "LOW",
+          "availabilityImpact": "LOW",
+          "baseScore": 7.3,
+          "baseSeverity": "HIGH",
+          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+        }
+      }
+    ],
+    "solutions": [
+      {
+        "lang": "en",
+        "value": "This issue is fixed in 1.0.6, 2.1.9, and 3.0.0 and all later versions.",
+        "supportingMedia": [
+          {
+            "type": "text/html",
+            "base64": false,
+            "value": "This issue is fixed in 1.0.6, 2.1.9, and 3.0.0 and all later versions."
+          }
+        ]
+      }
+    ],
+    "workarounds": [
+      {
+        "lang": "en",
+        "value": "Disable the web management interface with the command\n> service disable webmgmt",
+        "supportingMedia": [
+          {
+            "type": "text/html",
+            "base64": false,
+            "value": "Disable the web management interface with the command<br><pre>&gt; <b>service disable webmgmt</b></pre>"
+          }
+        ]
+      }
+    ],
+    "configurations": [
+      {
+        "lang": "en",
+        "value": "Web management interface should be enabled.\n> service status webmgmt\nwebmgmt running",
+        "supportingMedia": [
+          {
+            "type": "text/html",
+            "base64": false,
+            "value": "Web management interface should be enabled.<br><pre>&gt; <b>service status webmgmt</b><br>webmgmt running</pre>"
+          }
+        ]
+      }
+    ],
+    "exploits": [
+      {
+        "lang": "en",
+        "value": "Example.org is not aware of any malicious exploitation of the issue however exploits targeting this issue are publicly available.",
+        "supportingMedia": [
+          {
+            "type": "text/html",
+            "base64": false,
+            "value": "Example.org is not aware of any malicious exploitation of the issue however exploits targeting this issue are publicly available."
+          }
+        ]
+      }
+    ],
+    "timeline": [
+      {
+        "time": "2001-09-01T07:31:00.000Z",
+        "lang": "en",
+        "value": "Issue discovered by Alice using Acme Autofuzz"
+      },
+      {
+        "time": "2021-09-02T16:36:00.000Z",
+        "lang": "en",
+        "value": "Confirmed by Bob"
+      },
+      {
+        "time": "2021-09-07T16:37:00.000Z",
+        "lang": "en",
+        "value": "Fixes released"
+      }
+    ],
+    "credits": [
+      {
+        "lang": "en",
+        "value": "Alice",
+        "type": "finder"
+      },
+      {
+        "lang": "en",
+        "value": "Bob",
+        "type": "analyst"
+      },
+      {
+        "lang": "en",
+        "value": "Acme Autofuzz",
+        "type": "tool"
+      }
+    ],
+    "references": [
+      {
+        "url": "https://example.org/ESA-22-11-CVE-1337-1234",
+        "name": "ESA-22-11",
+        "tags": [
+          "vendor-advisory"
+        ]
+      },
+      {
+        "url": "https://example.com/blog/alice/pwning_example_enterprise",
+        "name": "Pwning Example Enterprise",
+        "tags": [
+          "technical-description",
+          "third-party-advisory"
+        ]
+      },
+      {
+        "url": "https://example.org/bugs/EXAMPLE-1234",
+        "name": "EXAMPLE-1234",
+        "tags": [
+          "issue-tracking"
+        ]
+      },
+      {
+        "url": "https://example.org/ExampleEnterprise",
+        "tags": [
+          "product"
+        ]
+      }
+    ],
+    "source": {
+      "defects": [
+        "EXAMPLE-1234"
+      ],
+      "advisory": "ESA-22-11",
+      "discovery": "EXTERNAL"
+    },
+    "taxonomyMappings": [
+      {
+        "taxonomyName": "ATT&CK",
+        "taxonomyVersion": "v9",
+        "taxonomyRelations": [
+          {
+            "taxonomyId": "T1190",
+            "relationshipName": "mitigated by",
+            "relationshipValue": "M1048"
+          }
+        ]
+      }
+    ]
+  }
+}
diff --git a/schema/v5.0/docs/cnaContainer-basic-example.json b/schema/v5.0/docs/cnaContainer-basic-example.json
@@ -0,0 +1,40 @@
+{
+  "cnaContainer": {
+    "problemTypes": [
+      {
+        "descriptions": [
+          {
+            "lang": "en",
+            "description": "CWE-78 OS Command Injection"
+          }
+        ]
+      }
+    ],
+    "affected": [
+      {
+        "vendor": "Example.org",
+        "product": "Example Enterprise",
+        "versions": [
+          {
+            "version": "1.0.0",
+            "status": "affected",
+            "lessThan": "1.0.6",
+            "versionType": "semver"
+          }
+        ],
+        "defaultStatus": "unaffected"
+      }
+    ],
+    "descriptions": [
+      {
+        "lang": "en",
+        "value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n  *  1.0 versions before 1.0.6\n  *  2.1 versions from 2.16 until 2.1.9."
+      }
+    ],
+    "references": [
+      {
+        "url": "https://example.org/ESA-22-11-CVE-1337-1234"
+      }
+    ]
+  }
+}
diff --git a/schema/v5.0/docs/full-record-advanced-example.json b/schema/v5.0/docs/full-record-advanced-example.json
diff --git a/schema/v5.0/docs/full-record-basic-example.json b/schema/v5.0/docs/full-record-basic-example.json
