feat: Add support for OmniBOR Artifact IDs

alilleybrinker · alilleybrinker · commit 3c80750e4ab8 · 2025-04-17T14:59:55.000-07:00
Signed-off-by: Andrew Lilley Brinker &lt;abrinker@mitre.org&gt;
diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json
@@ -539,17 +539,46 @@
                     "items": {
                         "$ref": "#/definitions/cpe_match"
                     }
+                },
+                "omniborMatch": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/omnibor_match"
+                    }
                 }
             },
             "allOf": [
                 { "required": ["operator"] },
                 {
                     "anyOf": [
-                        { "required": ["cpeMatch"] }
+                        { "required": ["cpeMatch"] },
+                        { "required": ["omniborMatch"] }
                     ]
                 }
             ]
         },
+        "omnibor_match": {
+            "description": "OmniBOR match string",
+            "type": "object",
+            "properties": {
+                "vulnerable": {
+                    "type": "boolean",
+                    "description": "Indicates whether the Artifact ID is being used to specify a vulnerable or not-vulnerable artifact."
+                },
+                "artifactId": {
+                    "type": "string",
+                    "pattern": "^gitoid:blob:sha256:[0-9a-f]{64}$",
+                    "description": "The Artifact ID of the artifact to be matched against."
+                },
+                "target": {
+                    "type": "string",
+                    "enum": ["artifact", "build_input"],
+                    "description": "Specifies how consumers of the Artifact ID should search for matches. If the 'target' is 'artifact', then the Artifact ID is identifying an artifact which should be searched for directly (for example, within a file system by matching against Artifact IDs for files). If the 'target' is 'build_input' then the Artifact ID is identifying a build input, and consumers should match the Artifact ID against IDs found in OmniBOR Input Manifests for their software."
+                }
+            },
+            "required": ["vulnerable", "artifactId", "target"],
+            "additionalProperties": false
+        },
         "cpeApplicabilityElement": {
             "description": "Affected products defined using an implementation of the CPE Applicability Language, mostly copied/forked from the NIST NVD CVE API v2.0 schema (optional). An operator property allows AND or OR logic between CPEs or combinations of CPEs. The negate and vulnerable Boolean properties allow CPEs to be inverted and/or defined as vulnerable or not. Multiple version fields are provided for capturing ranges of products when defining a CPE Match String Range. NOTE: When defining a cpeApplicability block, it is recommended that it align with (as much as possible) the product data provided within the affected block.",
             "properties": {
