From ae2f650e6b0e85a73fbec3049d54b1526b319c06 Mon Sep 17 00:00:00 2001 From: Rich Lander <2608468+richlander@users.noreply.github.com> Date: Wed, 29 Oct 2025 15:35:05 -0700 Subject: [PATCH 1/4] Add link to schema Added schema and example sections to CVE schema documentation. --- accepted/2025/cve-schema/cve_schema.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/accepted/2025/cve-schema/cve_schema.md b/accepted/2025/cve-schema/cve_schema.md index 1aeda43c4..782fdc3c9 100644 --- a/accepted/2025/cve-schema/cve_schema.md +++ b/accepted/2025/cve-schema/cve_schema.md @@ -15,6 +15,11 @@ Additional documents: - [.NET CVE Schema Implementation Guidance](./dotnet-guidance.md) provides insight and guidance on how this schema will be used by the .NET Team at Microsoft. - [CVE Query Catalog](./cve_queries.md) provices a extensive list of `jq` queries. +## Schema + +- [Schema](./dotnet-cves-schema.json) +- [Example](./cve.json) + ## Design philosophy We've taken a significant departure with this schema design, battle-testing it with `jq` and some other tools as part of the development process. This approach has resulted in significant schema evolution relative to a more conventional fully normalized approach. The typically fully-normalized approach has production and aesthetic purity as goals, while the philosophy adopted here is more focused on consumption while continuing to appreciate [DRY principles](https://en.wikipedia.org/wiki/Don%27t_repeat_yourself). 
@@ -401,10 +406,6 @@ The schema attempts to offer clear currency for queries, with well-defined prima This property suffers from not knowing the complete set and some accompanying prose to describe any required detail or nuance. -## Schema example - -See [cve.json](./cve.json) for a complete example demonstrating all schema features. - ## Query Design Proof Points The following queries demonstrate how the schema design successfully achieves its primary goal: **exceptional jq ergonomics for security operations**. These examples showcase clean snake_case dot notation, pre-computed indices, and table-ready output. From d04418991ff55ede47ce1b8d854acc7a30cc9041 Mon Sep 17 00:00:00 2001 From: Richard Lander Date: Wed, 7 Jan 2026 13:56:01 -0800 Subject: [PATCH 2/4] Update spec --- accepted/2025/cve-schema/cve.json | 263 ++++-- accepted/2025/cve-schema/cve_queries.md | 110 +-- accepted/2025/cve-schema/cve_schema.md | 161 +++- .../2025/cve-schema/dotnet-cves-schema.json | 786 ++++++++++-------- accepted/2025/cve-schema/dotnet-guidance.md | 74 +- 5 files changed, 920 insertions(+), 474 deletions(-) diff --git a/accepted/2025/cve-schema/cve.json b/accepted/2025/cve-schema/cve.json index 19aa927b0..54816abb3 100644 --- a/accepted/2025/cve-schema/cve.json +++ b/accepted/2025/cve-schema/cve.json 
@@ -1,87 +1,193 @@ { "last_updated": "2024-07-09", "title": ".NET Security Updates for July 2024 (2024-07-09)", - "cves": [ + "disclosures": [ { "id": "CVE-2024-30105", "problem": ".NET Denial of Service Vulnerability", - "severity": "critical", - "timeline": {"disclosed": "2024-07-09", "fixed": "2024-07-09"}, - "cvss": {"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C"}, "description": [ "A vulnerability exists in .NET when calling the JsonSerializer.DeserializeAsyncEnumerable method against an untrusted input using System.Text.Json may result in Denial of Service." ], + "cvss": { + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C", + "score": 7.5, + "severity": "HIGH" + }, + "timeline": { + "disclosure": { + "date": "2024-07-09", + "description": "Publicly disclosed" + }, + "fixed": { + "date": "2024-07-09", + "description": "Fix released" + } + }, "platforms": [ "all" ], "architectures": [ "all" ], - "cna": "microsoft", "references": [ "https://github.com/dotnet/announcements/issues/315" - ] + ], + "weakness": "CWE-400", + "cna": { + "name": "microsoft", + "severity": "Important", + "impact": "Denial of Service" + } }, { "id": "CVE-2024-35264", "problem": ".NET Remote Code Execution Vulnerability", - "severity": "critical", - "timeline": {"disclosed": "2024-07-09", "fixed": "2024-07-09"}, - "cvss": {"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"}, "description": [ "A Vulnerability exists in ASP.NET Core 8 where Data Corruption in Kestrel HTTP/3 can result in remote code execution.", "Note: HTTP/3 is experimental in .NET 6.0. 
If you are on .NET 6.0 and using HTTP/3, please upgrade to .NET 8.0.7" ], + "cvss": { + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C", + "score": 8.1, + "severity": "HIGH" + }, + "timeline": { + "disclosure": { + "date": "2024-07-09", + "description": "Publicly disclosed" + }, + "fixed": { + "date": "2024-07-09", + "description": "Fix released" + } + }, "platforms": [ "all" ], "architectures": [ "all" ], - "cna": "microsoft", "references": [ "https://github.com/dotnet/announcements/issues/314" - ] + ], + "weakness": "CWE-416", + "cna": { + "name": "microsoft", + "severity": "Important", + "impact": "Remote Code Execution", + "acknowledgments": [ + "Radek Zikmund of Microsoft Corporation" + ], + "faq": [ + { + "question": "According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?", + "answer": "Successful exploitation of this vulnerability requires an attacker to win a race condition." + }, + { + "question": "How could an attacker exploit this vulnerability?", + "answer": "An attacker could exploit this by closing an http/3 stream while the request body is being processed leading to a race condition. This could result in remote code execution." + }, + { + "question": ".NET 6.0 was added to the Security Updates table on October 31, 2024 because it is also affected by this vulnerability. Why are the Download and Article links missing for .NET 6.0?", + "answer": "HTTP/3 support was only experimental in .NET 6.0. If you are using .NET 6 you must update your application to .NET 8 to be protected. Experimental features will not be patched if a later runtime includes the feature as non-experimental." 
+ } + ] + } }, { "id": "CVE-2024-38081", - "problem": ".NET Denial of Service Vulnerability", - "severity": "critical", - "timeline": {"disclosed": "2024-07-09", "fixed": "2024-07-09"}, - "cvss": {"version": "3.1", "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"}, + "problem": ".NET Elevation of Privilege Vulnerability", "description": [ - "A vulnerability exists in Visual Studio installer on Windows where an unprivileged user is allowed to manipulate the Visual Studio installation resulting in elevation of privilege." + "A vulnerability exists in Visual Studio installer on Windowswhere an unprivileged user is allowed to manipulate the Visual Studio installation resulting in elevation of privilege." ], + "cvss": { + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C", + "score": 7.3, + "severity": "HIGH" + }, + "timeline": { + "disclosure": { + "date": "2024-07-09", + "description": "Publicly disclosed" + }, + "fixed": { + "date": "2024-07-09", + "description": "Fix released" + } + }, "platforms": [ "windows" ], "architectures": [ "all" ], - "cna": "microsoft", "references": [ "https://github.com/dotnet/announcements/issues/313" - ] + ], + "weakness": "CWE-59", + "cna": { + "name": "microsoft", + "severity": "Important", + "impact": "Elevation of Privilege", + "acknowledgments": [ + "goodbyeselene" + ], + "faq": [ + { + "question": "What privileges could be gained by an attacker who successfully exploited this vulnerability?", + "answer": "An attacker who successfully exploited this vulnerability could gain SYSTEM privileges." + }, + { + "question": "According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?", + "answer": "Exploitation of this vulnerability requires that a local user executes the Visual Studio installer" + }, + { + "question": "According to the CVSS metric, privileges required is low (PR:L). 
What does that mean for this vulnerability?", + "answer": "The attacker must have permissions to access the target domain environment to be able to exploit this vulnerability." + } + ] + } }, { "id": "CVE-2024-38095", "problem": ".NET Denial of Service Vulnerability", - "severity": "critical", - "timeline": {"disclosed": "2024-07-09", "fixed": "2024-07-09"}, - "cvss": {"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C"}, "description": [ "A vulnerability exists when System.Formats.Asn1 in .NET parses an X.509 certificate or collection of certificates, a malicious certificate can result in excessive CPU consumption on all platforms result in Denial of Service." ], + "cvss": { + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C", + "score": 7.5, + "severity": "HIGH" + }, + "timeline": { + "disclosure": { + "date": "2024-07-09", + "description": "Publicly disclosed" + }, + "fixed": { + "date": "2024-07-09", + "description": "Fix released" + } + }, "platforms": [ "all" ], "architectures": [ "all" ], - "cna": "microsoft", "references": [ "https://github.com/dotnet/announcements/issues/312" - ] + ], + "weakness": "CWE-20", + "cna": { + "name": "microsoft", + "severity": "Important", + "impact": "Denial of Service" + } } ], "products": [ @@ -93,7 +199,7 @@ "fixed": "6.0.32", "release": "6.0", "commits": [ - "0a0dd0e27560e692e11ee286ed9f45471b2131fa" + "runtime@0a0dd0e" ] }, { @@ -104,7 +210,7 @@ "fixed": "6.0.32", "release": "6.0", "commits": [ - "979135d5ca4efaf6436ee13539cc3f1e039d570a" + "runtime@979135d" ] }, { @@ -115,7 +221,7 @@ "fixed": "8.0.7", "release": "8.0", "commits": [ - "fa5b0d8f4a8b424732cc992158aa92842f8a2846" + "runtime@fa5b0d8" ] }, { @@ -126,7 +232,7 @@ "fixed": "8.0.7", "release": "8.0", "commits": [ - "c5721fb7a65ddc13d1b445c2c08c27b72ab57cdc" + "aspnetcore@c5721fb" ] }, { 
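Review bot: The new FAQ entry and the description for CVE-2024-35264 say .NET 6.0 is affected ("If you are using .NET 6 you must update your application to .NET 8 to be protected"), but nothing on the new side records 6.0 as affected for that CVE — the `products[]` entries and the `cve_releases`/`release_cves` indices later in this file still list only 8.0 — so a consumer filtering with `release_cves["6.0"]` will never see this RCE. How an affected-but-not-patched release should be expressed is not visible here (`dotnet-cves-schema.json` is outside this page); if the schema has no such form, the guidance should at least state that release indices exclude experimental, unpatched surfaces. Two smaller items in the same hunk: the rewritten description of CVE-2024-38081 introduces `on Windowswhere an unprivileged` (missing space on the `+` line), and each `cvss.score` equals the base score for its vector while the vector also carries temporal metrics (`E:U/RL:O/RC:C`), so a consumer recomputing from the vector gets a lower temporal value. The schema should say which number the field holds, e.g. `score` is the CVSS base score; temporal metrics present in `vector` are informational and not reflected in `score`.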
@@ -137,7 +243,7 @@ "fixed": "8.0.7", "release": "8.0", "commits": [ - "4a8d5a007971d19f389ca17f7b8eb4f9bb199991" + "runtime@4a8d5a0" ] } ], @@ -150,7 +256,7 @@ "fixed": "6.0.1", "release": "", "commits": [ - "0a0dd0e27560e692e11ee286ed9f45471b2131fa" + "runtime@0a0dd0e" ] }, { @@ -161,7 +267,7 @@ "fixed": "6.0.1", "release": "6.0", "commits": [ - "979135d5ca4efaf6436ee13539cc3f1e039d570a" + "runtime@979135d" ] }, { @@ -172,7 +278,7 @@ "fixed": "8.0.1", "release": "8.0", "commits": [ - "4a8d5a007971d19f389ca17f7b8eb4f9bb199991" + "runtime@4a8d5a0" ] }, { 
@@ -183,40 +289,40 @@ "fixed": "8.0.4", "release": "8.0", "commits": [ - "fa5b0d8f4a8b424732cc992158aa92842f8a2846" + "runtime@fa5b0d8" ] } ], "commits": { - "fa5b0d8f4a8b424732cc992158aa92842f8a2846": { + "runtime@fa5b0d8": { "repo": "runtime", "branch": "release/8.0", "hash": "fa5b0d8f4a8b424732cc992158aa92842f8a2846", "org": "dotnet", "url": "https://github.com/dotnet/runtime/commit/fa5b0d8f4a8b424732cc992158aa92842f8a2846.diff" }, - "c5721fb7a65ddc13d1b445c2c08c27b72ab57cdc": { + "aspnetcore@c5721fb": { "repo": "aspnetcore", "branch": "release/8.0", "hash": "c5721fb7a65ddc13d1b445c2c08c27b72ab57cdc", "org": "dotnet", "url": "https://github.com/dotnet/aspnetcore/commit/c5721fb7a65ddc13d1b445c2c08c27b72ab57cdc.diff" }, - "0a0dd0e27560e692e11ee286ed9f45471b2131fa": { + "runtime@0a0dd0e": { "repo": "runtime", "branch": "release/6.0", "hash": "0a0dd0e27560e692e11ee286ed9f45471b2131fa", "org": "dotnet", "url": "https://github.com/dotnet/runtime/commit/0a0dd0e27560e692e11ee286ed9f45471b2131fa.diff" }, - "4a8d5a007971d19f389ca17f7b8eb4f9bb199991": { + "runtime@4a8d5a0": { "repo": "runtime", "branch": "release/8.0", "hash": "4a8d5a007971d19f389ca17f7b8eb4f9bb199991", "org": "dotnet", "url": "https://github.com/dotnet/runtime/commit/4a8d5a007971d19f389ca17f7b8eb4f9bb199991.diff" }, - "979135d5ca4efaf6436ee13539cc3f1e039d570a": { + "runtime@979135d": { "repo": "runtime", "branch": "release/6.0", "hash": "979135d5ca4efaf6436ee13539cc3f1e039d570a", 
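Review bot: The `commits{}` keys now carry a 7-character abbreviated SHA (`runtime@fa5b0d8`), and an abbreviated SHA is not a stable identifier — the prefix can become ambiguous as the repository grows and gives no collision resistance to anyone checking that a backport is the advertised fix. The full hash survives in `commits[key].hash`, so the guidance should state that the key is an opaque join token and that `hash` (or `url`) is the only value to hand to `git`, the GitHub API or a patch-verification step, never the abbreviated form found in `products[].commits`. A schema-level `pattern` on `hash` restricting it to 40 lowercase hex characters would also catch a truncated value drifting into that field; whether one exists is not visible here, since `dotnet-cves-schema.json` is outside this page.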
@@ -225,27 +331,80 @@ } }, "product_name": { - "dotnet-runtime": ".NET Runtime Libraries", - "dotnet-aspnetcore": "ASP.NET Core Runtime" + "dotnet-aspnetcore": "ASP.NET Core Runtime", + "dotnet-runtime": ".NET Runtime Libraries" }, "product_cves": { - "dotnet-runtime": ["CVE-2024-30105", "CVE-2024-38081", "CVE-2024-38095"], - "dotnet-aspnetcore": ["CVE-2024-35264"] + "dotnet-aspnetcore": [ + "CVE-2024-35264" + ], + "dotnet-runtime": [ + "CVE-2024-30105", + "CVE-2024-38081", + "CVE-2024-38095" + ] + }, + "package_cves": { + "Microsoft.IO.Redist": [ + "CVE-2024-38081" + ], + "System.Formats.Asn1": [ + "CVE-2024-38095" + ], + "System.Text.Json": [ + "CVE-2024-30105" + ] }, "release_cves": { - "6.0": ["CVE-2024-38081", "CVE-2024-38095"], - "8.0": ["CVE-2024-30105", "CVE-2024-35264", "CVE-2024-38095"] + "6.0": [ + "CVE-2024-38081", + "CVE-2024-38095" + ], + "8.0": [ + "CVE-2024-30105", + "CVE-2024-35264", + "CVE-2024-38095" + ] + }, + "severity_cves": { + "CRITICAL": [], + "HIGH": [ + "CVE-2024-30105", + "CVE-2024-35264", + "CVE-2024-38081", + "CVE-2024-38095" + ], + "MEDIUM": [], + "LOW": [] }, "cve_releases": { - "CVE-2024-30105": ["8.0"], - "CVE-2024-35264": ["8.0"], - "CVE-2024-38081": ["6.0"], - "CVE-2024-38095": ["6.0", "8.0"] + "CVE-2024-30105": [ + "8.0" + ], + "CVE-2024-35264": [ + "8.0" + ], + "CVE-2024-38081": [ + "6.0" + ], + "CVE-2024-38095": [ + "6.0", + "8.0" + ] }, "cve_commits": { - "CVE-2024-30105": ["fa5b0d8f4a8b424732cc992158aa92842f8a2846"], - "CVE-2024-35264": ["c5721fb7a65ddc13d1b445c2c08c27b72ab57cdc"], - "CVE-2024-38081": ["0a0dd0e27560e692e11ee286ed9f45471b2131fa"], - "CVE-2024-38095": ["979135d5ca4efaf6436ee13539cc3f1e039d570a", "4a8d5a007971d19f389ca17f7b8eb4f9bb199991"] + "CVE-2024-30105": [ + "runtime@fa5b0d8" + ], + "CVE-2024-35264": [ + "aspnetcore@c5721fb" + ], + "CVE-2024-38081": [ + "runtime@0a0dd0e" + ], + "CVE-2024-38095": [ + "runtime@4a8d5a0", + "runtime@979135d" + ] } -} +} \ No newline at end of file 
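Review bot: The new side ends with `\ No newline at end of file`, a regression from the previous version of `cve.json`; a trailing newline keeps `jq` and `git diff` output clean and should be restored. Separately, `severity_cves` is keyed by the CVSS qualitative rating (`HIGH`) while every `cna` object in this file rates the same four CVEs `Important`, so one record now carries two severity vocabularies that can disagree. A short statement in the schema that `severity_cves` is derived from `cvss.severity` only and never from `cna.severity` would stop consumers from merging or comparing the two scales.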
diff --git a/accepted/2025/cve-schema/cve_queries.md b/accepted/2025/cve-schema/cve_queries.md index b14404df7..e9a878f22 100644 --- a/accepted/2025/cve-schema/cve_queries.md +++ b/accepted/2025/cve-schema/cve_queries.md @@ -13,7 +13,7 @@ The following scripts run the queries: ### Get all CVE IDs ```bash -$ jq -r '.cves[].id' cve.json +$ jq -r '.disclosures[].id' cve.json CVE-2024-30105 CVE-2024-35264 CVE-2024-38081 @@ -23,7 +23,7 @@ CVE-2024-38095 ### Get CVEs by severity ```bash -$ jq -r '.cves[] | select(.severity == "critical") | .id' cve.json +$ jq -r '.disclosures[] | select(.cvss.severity == "HIGH") | .id' cve.json CVE-2024-30105 CVE-2024-35264 CVE-2024-38081 @@ -35,7 +35,7 @@ CVE-2024-38095 ```bash $ jq -r '(["| CVE ID | Problem |", "| ------ | ------- |"] + - [.cves[] | "| \(.id) | \(.problem) |"]) | + [.disclosures[] | "| \(.id) | \(.problem) |"]) | .[]' cve.json | CVE ID | Problem | | ------ | ------- | 
@@ -166,19 +166,19 @@ $ jq -r '. as $root | ### CVEs with release impact ```bash -$ jq -r '. as $root | +$ jq -r '. as $root | (["| CVE ID | Severity | Releases | Problem |", "| ------------- | -------- | -------- | ------- |"] + - [$root.cves[] | - .id as $cve | - "| \($cve) | \(.severity) | \(($root.cve_releases[$cve] // []) | join(", ")) | \(.problem) |"]) | + [$root.disclosures[] | + .id as $cve | + "| \($cve) | \(.cvss.severity) | \(($root.cve_releases[$cve] // []) | join(", ")) | \(.problem) |"]) | .[]' cve.json | CVE ID | Severity | Releases | Problem | | ------------- | -------- | -------- | ------- | -| CVE-2024-30105 | critical | 8.0 | .NET Denial of Service Vulnerability | -| CVE-2024-35264 | critical | 8.0 | .NET Remote Code Execution Vulnerability | -| CVE-2024-38081 | critical | 6.0 | .NET Denial of Service Vulnerability | -| CVE-2024-38095 | critical | 6.0, 8.0 | .NET Denial of Service Vulnerability | +| CVE-2024-30105 | HIGH | 8.0 | .NET Denial of Service Vulnerability | +| CVE-2024-35264 | HIGH | 8.0 | .NET Remote Code Execution Vulnerability | +| CVE-2024-38081 | HIGH | 6.0 | .NET Elevation of Privilege Vulnerability | +| CVE-2024-38095 | HIGH | 6.0, 8.0 | .NET Denial of Service Vulnerability | ``` [πŸ“ cves_with_release_impact.jq](jq_queries/cves_with_release_impact.jq) 
@@ -223,15 +223,15 @@ $ jq -r '. as $root | ```bash $ jq -r '(["| CVE ID | Disclosed | Days Since Disclosure |", "| ------ | --------- | -------------------- |"] + - [.cves[] | - "| \(.id) | \(.disclosed) | \(((now | strftime(\"%Y-%m-%d\") | strptime(\"%Y-%m-%d\") | mktime) - (.disclosed | strptime(\"%Y-%m-%d\") | mktime)) / 86400 | floor) |"]) | + [.disclosures[] | + "| \(.id) | \(.timeline.disclosure.date) | \(((now | strftime(\"%Y-%m-%d\") | strptime(\"%Y-%m-%d\") | mktime) - (.timeline.disclosure.date | strptime(\"%Y-%m-%d\") | mktime)) / 86400 | floor) |"]) | .[]' cve.json | CVE ID | Disclosed | Days Since Disclosure | | ------ | --------- | -------------------- | -| CVE-2024-30105 | 2024-07-09 | 419 | -| CVE-2024-35264 | 2024-07-09 | 419 | -| CVE-2024-38081 | 2024-07-09 | 419 | -| CVE-2024-38095 | 2024-07-09 | 419 | +| CVE-2024-30105 | 2024-07-09 | 547 | +| CVE-2024-35264 | 2024-07-09 | 547 | +| CVE-2024-38081 | 2024-07-09 | 547 | +| CVE-2024-38095 | 2024-07-09 | 547 | ``` [πŸ“ age_of_vulnerabilities.jq](jq_queries/age_of_vulnerabilities.jq) @@ -280,8 +280,8 @@ $ jq -r --arg release "8.0" ' ```bash $ jq -r '(["| CVE ID | Platforms |", "| ------------- | --------- |"] + - [.cves[] | - "| \(.id) | \(.platforms | join(", ")) |"]) | + [.disclosures[] | + "| \(.id) | \(.platforms | join(", ")) |"]) | .[]' cve.json | CVE ID | Platforms | | ------------- | --------- | 
@@ -296,13 +296,13 @@ $ jq -r '(["| CVE ID | Platforms |", ### Packages requiring immediate attention ```bash -$ jq -r '. as $root | - [$root.cves[] | select(.severity == "critical") | .id] as $critical_cves | +$ jq -r '. as $root | + .severity_cves["HIGH"] as $high_cves | (["| CVE ID | Package |", "| ------------- | ------- |"] + - [$root.packages[] | - select(.cve_id as $cve | $critical_cves | contains([$cve])) | - "| \(.cve_id) | \(.name) |"]) | + [$root.packages[] | + select(.cve_id as $cve | $high_cves | contains([$cve])) | + "| \(.cve_id) | \(.name) |"]) | .[]' cve.json | CVE ID | Package | | ------------- | ------- | @@ -375,15 +375,15 @@ $ jq -r '(.release_cves["9.0"] // []) | length' cve.json ```bash $ jq -r '(["| CVE ID | Severity | Problem |", "| ------ | -------- | ------- |"] + - [.cves[] | select(.severity == "critical") | - "| \(.id) | 🚨 CRITICAL | \(.problem) |"]) | + [.disclosures[] | select(.cvss.severity == "HIGH") | + "| \(.id) | \(.cvss.severity) | \(.problem) |"]) | .[]' cve.json | CVE ID | Severity | Problem | | ------ | -------- | ------- | -| CVE-2024-30105 | 🚨 CRITICAL | .NET Denial of Service Vulnerability | -| CVE-2024-35264 | 🚨 CRITICAL | .NET Remote Code Execution Vulnerability | -| CVE-2024-38081 | 🚨 CRITICAL | .NET Denial of Service Vulnerability | -| CVE-2024-38095 | 🚨 CRITICAL | .NET Denial of Service Vulnerability | +| CVE-2024-30105 | HIGH | .NET Denial of Service Vulnerability | +| CVE-2024-35264 | HIGH | .NET Remote Code Execution Vulnerability | +| CVE-2024-38081 | HIGH | .NET Elevation of Privilege Vulnerability | +| CVE-2024-38095 | HIGH | .NET Denial of Service Vulnerability | ``` [πŸ“ immediate_risk_assessment.jq](jq_queries/immediate_risk_assessment.jq) 
@@ -409,15 +409,15 @@ Combine CVE data with severity and platform taxonomies: ```bash $ jq -r '(["| CVE ID | Severity | Platforms | Problem |", "| ------ | -------- | --------- | ------- |"] + - [.cves[] | - "| \(.id) | \(.severity) | \(.platforms | join(\", \")) | \(.problem) |"]) | + [.disclosures[] | + "| \(.id) | \(.cvss.severity) | \(.platforms | join(\", \")) | \(.problem) |"]) | .[]' cve.json | CVE ID | Severity | Platforms | Problem | | ------ | -------- | --------- | ------- | -| CVE-2024-30105 | critical | all | .NET Denial of Service Vulnerability | -| CVE-2024-35264 | critical | all | .NET Remote Code Execution Vulnerability | -| CVE-2024-38081 | critical | windows | .NET Denial of Service Vulnerability | -| CVE-2024-38095 | critical | all | .NET Denial of Service Vulnerability | +| CVE-2024-30105 | HIGH | all | .NET Denial of Service Vulnerability | +| CVE-2024-35264 | HIGH | all | .NET Remote Code Execution Vulnerability | +| CVE-2024-38081 | HIGH | windows | .NET Elevation of Privilege Vulnerability | +| CVE-2024-38095 | HIGH | all | .NET Denial of Service Vulnerability | ``` [πŸ“ cve_report_with_display_names.jq](jq_queries/cve_report_with_display_names.jq) @@ -445,8 +445,8 @@ Complete security report using all taxonomy files: ```bash $ jq -r '(["| Metric | Value |", "| ------ | ----- |", - "| Total CVEs | \(.cves | length) |", - "| Critical CVEs | 4 |"] + + "| Total CVEs | \(.disclosures | length) |", + "| HIGH Severity CVEs | \(.severity_cves["HIGH"] | length) |"] + [""] + ["| Product | CVE Count |", "| ------- | --------- |"] + 
@@ -455,25 +455,25 @@ $ jq -r '(["| Metric | Value |", [""] + ["| CVE ID | Severity | Problem | Platforms | Disclosed |", "| ------ | -------- | ------- | --------- | --------- |"] + - [.cves[] | - "| \(.id) | \(.severity) | \(.problem) | \(.platforms | join(\", \")) | \(.disclosed) |"]) | + [.disclosures[] | + "| \(.id) | \(.cvss.severity) | \(.problem) | \(.platforms | join(\", \")) | \(.timeline.disclosure.date) |"]) | .[]' cve.json | Metric | Value | | ------ | ----- | | Total CVEs | 4 | -| Critical CVEs | 4 | +| HIGH Severity CVEs | 4 | | Product | CVE Count | | ------- | --------- | -| dotnet-runtime | 3 | | dotnet-aspnetcore | 1 | +| dotnet-runtime | 3 | | CVE ID | Severity | Problem | Platforms | Disclosed | | ------ | -------- | ------- | --------- | --------- | -| CVE-2024-30105 | critical | .NET Denial of Service Vulnerability | all | 2024-07-09 | -| CVE-2024-35264 | critical | .NET Remote Code Execution Vulnerability | all | 2024-07-09 | -| CVE-2024-38081 | critical | .NET Denial of Service Vulnerability | windows | 2024-07-09 | -| CVE-2024-38095 | critical | .NET Denial of Service Vulnerability | all | 2024-07-09 | +| CVE-2024-30105 | HIGH | .NET Denial of Service Vulnerability | all | 2024-07-09 | +| CVE-2024-35264 | HIGH | .NET Remote Code Execution Vulnerability | all | 2024-07-09 | +| CVE-2024-38081 | HIGH | .NET Elevation of Privilege Vulnerability | windows | 2024-07-09 | +| CVE-2024-38095 | HIGH | .NET Denial of Service Vulnerability | all | 2024-07-09 | ``` [πŸ“ security_advisory_full_taxonomy.jq](jq_queries/security_advisory_full_taxonomy.jq) 
@@ -488,8 +488,8 @@ $ jq -r --slurpfile platforms platforms.json ' ($platforms[0].items | map({(.string): .display_name}) | add) as $platform_names | (["| CVE ID | Platforms |", "| ------------- | --------- |"] + - [.cves[] | - "| \(.id) | \((.platforms | map($platform_names[.] // .)) | join(", ")) |"]) | + [.disclosures[] | + "| \(.id) | \((.platforms | map($platform_names[.] // .)) | join(", ")) |"]) | .[]' cve.json | CVE ID | Platforms | | ------------- | --------- | @@ -507,16 +507,16 @@ $ jq -r --slurpfile severity severity.json ' ($severity[0].items | map({(.string): .display_name}) | add) as $severity_names | (["| CVE ID | Severity | Releases | Problem |", "| ------------- | -------- | -------- | ------- |"] + - [$root.cves[] | - .id as $cve | - "| \($cve) | \($severity_names[.severity] // .severity) | \(($root.cve_releases[$cve] // []) | join(", ")) | \(.problem) |"]) | + [$root.disclosures[] | + .id as $cve | + "| \($cve) | \($severity_names[.cvss.severity] // .cvss.severity) | \(($root.cve_releases[$cve] // []) | join(", ")) | \(.problem) |"]) | .[]' cve.json | CVE ID | Severity | Releases | Problem | | ------------- | -------- | -------- | ------- | -| CVE-2024-30105 | Critical | 8.0 | .NET Denial of Service Vulnerability | -| CVE-2024-35264 | Critical | 8.0 | .NET Remote Code Execution Vulnerability | -| CVE-2024-38081 | Critical | 6.0 | .NET Denial of Service Vulnerability | -| CVE-2024-38095 | Critical | 6.0, 8.0 | .NET Denial of Service Vulnerability | +| CVE-2024-30105 | High | 8.0 | .NET Denial of Service Vulnerability | +| CVE-2024-35264 | High | 8.0 | .NET Remote Code Execution Vulnerability | +| CVE-2024-38081 | High | 6.0 | .NET Elevation of Privilege Vulnerability | +| CVE-2024-38095 | High | 6.0, 8.0 | .NET Denial of Service Vulnerability | ``` [πŸ“ cves_with_release_impact_enhanced.jq](jq_queries/cves_with_release_impact_enhanced.jq) 
diff --git a/accepted/2025/cve-schema/cve_schema.md b/accepted/2025/cve-schema/cve_schema.md index 782fdc3c9..39de1f902 100644 --- a/accepted/2025/cve-schema/cve_schema.md +++ b/accepted/2025/cve-schema/cve_schema.md @@ -6,7 +6,7 @@ We expect that many if not most users consume the CVE information we publish thr This schema has been designed around a "product + packages" model that reflects how many modern developer-focused platforms are structured - with product components and an ecosystem of packages. This pattern is prevalent across the industry (editors with extensions, runtimes with packages, apps with plugins), making this schema broadly applicable beyond its initial .NET use case. -We are adopting this schema over CSAF because it enables us to tailor the schema to our goals, without giving up on interchange with CSAF. We're happy if security professionals use the CVE information that we publish in this new schema, however, it is primarily intended to be consumed by our broad user base that wants straightforward access for operational security. It also makes sense for the MSRC organization to the sole publisher of official CSAF files at Microsoft. +We are adopting this schema over CSAF because it enables us to tailor the schema to our goals, without giving up on interchange with CSAF. We're happy if security professionals use the CVE information that we publish in this new schema, however, it is primarily intended to be consumed by our broad user base that wants straightforward access for operational security. It also makes sense for the MSRC organization to be the sole publisher of official CSAF files at Microsoft. This new CVE format will be part of a larger queryable information graph that we'll document soon. For now, we'll focus on the CVE format. 
@@ -36,7 +36,7 @@ We intend to design all schemas with `jq` battle-testing going forward. Common queries answered by this schema: -- "Which CVEs were reported this month?" β†’ `.cves[].id` +- "Which CVEs were reported this month?" β†’ `.disclosures[].id` - "Which CVEs affect .NET 8.0?" β†’ `release_cves["8.0"]` - "Which commits fix CVE-2024-38095?" β†’ `cve_commits["CVE-2024-38095"]` - "Which products need updates?" β†’ Browse `products[]` array @@ -55,7 +55,7 @@ The vocabulary of the cve.org schema and the proposed one (per this spec) match - `[PROBLEMTYPE]` maps to our `problem` field - `[REFERENCES]` maps to our `references` array - `[DESCRIPTION]` maps to our `description` array -- `[ASSIGNINGCNA]` maps to our optional `cna` field +- `[ASSIGNINGCNA]` maps to our optional `cna` object That means that interchange should be trivial. @@ -85,7 +85,7 @@ The design successfully balances: Data structures are chosen based on access patterns: -- **Arrays for data (discovery)**: `cves[]`, `products[]`, and `packages[]` contain the actual CVE and affected component data as arrays because users discover this information rather than knowing it a priori. The naming directly reflects the "products + packages" model. +- **Arrays for data (discovery)**: `disclosures[]`, `products[]`, and `packages[]` contain the actual CVE and affected component data as arrays because users discover this information rather than knowing it a priori. The naming directly reflects the "products + packages" model. - **Dictionaries for indices (lookup)**: `commits{}`, `cve_commits{}`, and `release_cves{}` provide fast lookups for known keys. "known keys" refers to information that would be known ahead of time (like a version number) or that would be discovered by navigating one of the arrays. 
@@ -94,7 +94,7 @@ This clear separation - arrays for what happened, dictionaries for finding thing ### 2. Commit Data -Commit details are stored once in a top-level `commits{}` dictionary, with other sections referencing commits by hash. +Commit details are stored once in a top-level `commits{}` dictionary, with other sections referencing commits by key. Benefits: @@ -116,12 +116,16 @@ Human-facing tools (web dashboards, docs generators) that prefer the rich HTML c Policy: -- All `commits[hash].url` values SHOULD use the `.diff` form. +- All `commits[key].url` values SHOULD use the `.diff` form. - Downstream tools MAY normalize to the HTML form by stripping `.diff` for end-user hyperlinks. - If a hosting forge provides multiple raw formats (e.g., `.patch`), `.diff` is chosen for minimal size and sufficient context; `.patch` includes mail-style headers that only add value for niche analysis. This pattern exemplifies a broader principle: if a resource is intended to be machine-consumed, publish the machine-optimized representation directly instead of assuming transformation steps the consumer might be unable to perform. +#### Commit Key Format + +The schema does not prescribe a specific format for commit dictionary keys, allowing flexibility for different repository structures. The full 40-character commit hash is an obvious choice. However, Microsoft uses a compact `repo@shortcommit` format that is both smaller and more informativeβ€”see [.NET CVE Schema Implementation Guidance](./dotnet-guidance.md#commits) for details on this approach and its benefits. + ### 3. Two-Layer Denormalization Strategy The schema employs a two-layer approach to denormalization: 
@@ -130,7 +134,7 @@ The schema employs a two-layer approach to denormalization: The fundamental data lives in four structures: -- `cves[]` - The CVE metadata (array) +- `disclosures[]` - The CVE metadata (array) - `products[]` - Product vulnerabilities (flat, denormalized array) - `packages[]` - Package vulnerabilities (flat, denormalized array) - `commits{}` - Commit details (normalized dictionary) @@ -145,11 +149,11 @@ On top of the core data, we provide pre-computed indices that serve as "join as #### `cve_commits` -Maps CVE IDs to commit hashes: +Maps CVE IDs to commit keys: ```json "cve_commits": { - "CVE-2024-38095": ["979135d5...", "4a8d5a0..."] + "CVE-2024-38095": ["runtime@979135d", "runtime@4a8d5a0"] } ``` 
@@ -205,16 +209,45 @@ Maps canonical product slugs (used in `products[].name` and related indices) to This index serves a different purpose than the others - it's not about relationships but about presentation. Many queries work fine with just the product identifiers (dotnet-runtime, dotnet-aspnetcore), but when generating human-readable reports or markdown tables, this lookup provides the properly formatted names. +#### `package_cves` + +Maps package names to CVE IDs: + +```json +"package_cves": { + "System.Text.Json": ["CVE-2024-30105"], + "System.Formats.Asn1": ["CVE-2024-38095"], + "Microsoft.IO.Redist": ["CVE-2024-38081"] +} +``` + +Answers: "Which CVEs affect package X?" This complements `product_cves` for package-level vulnerability tracking. + +#### `severity_cves` + +Maps CVSS severity levels to CVE IDs: + +```json +"severity_cves": { + "CRITICAL": [], + "HIGH": ["CVE-2024-30105", "CVE-2024-35264", "CVE-2024-38081", "CVE-2024-38095"], + "MEDIUM": [], + "LOW": [] +} +``` + +Answers: "Which CVEs have HIGH severity?" This enables quick filtering by severity without scanning all disclosures. + ### 4. Indices as Extensible Value-Adds The indices are distinct from the core schema in important ways: -1. **Optional but Valuable**: The core schema (cves, products, packages, commits) contains all the source data. The indices are computed projections that accelerate common queries. A consumer could use the schema without the indices by computing the lookups themselves. +1. **Optional but Valuable**: The core schema (disclosures, products, packages, commits) contains all the source data. The indices are computed projections that accelerate common queries. A consumer could use the schema without the indices by computing the lookups themselves. 2. **Extensible by Design**: New indices can be added in a backward-compatible way as new query patterns emerge. 
For example: - - `severity_cves`: Map severity levels to CVE lists - `date_cves`: Map dates/months to CVEs for temporal queries for cve.json files that describe longer time periods - `commit_products`: Map commits to affected products + - `weakness_cves`: Map CWE identifiers to CVE lists 3. **Implementation Flexibility**: While we provide these indices in the JSON, consumers could: - Build them dynamically on ingestion @@ -232,7 +265,7 @@ The `products[]` and `packages[]` arrays have **identical structure** - every fi - `cve_id`: CVE identifier this entry relates to (primary / foreign key model) - `name`: Component identifier for lookup and grouping - `min_vulnerable`, `max_vulnerable`, `fixed`: Version range fields -- `commits`: Array of commit hashes referencing the commits dictionary (optional) +- `commits`: Array of commit keys referencing the commits dictionary (optional) - `release`: Release family like "8.0" (optional for some packages) **Query Benefits:** @@ -254,7 +287,7 @@ The schema prioritizes common query patterns and uses **snake_case_lower** field ```bash # Simple CVE lookup -jq -r '.cves[] | select(.severity == "critical")' +jq -r '.disclosures[] | select(.cvss.severity == "HIGH")' # Direct version access jq -r '.products[] | select(.release == "8.0")' 
@@ -324,13 +357,16 @@ The slight ergonomic cost for index-based queries is outweighed by ecosystem con The schema aligns with official CVSS standards for maximum interoperability with security tooling and databases. **CVSS Field Structure:** -- **Field name**: `vector` (follows CVSS JSON standard, not custom naming) -- **Version field**: `version` specifies CVSS version ("3.1", "4.0", etc.) -- **Format**: Standard CVSS vector string format (e.g., "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H") +- **`version`**: CVSS version ("3.1", "4.0", etc.) +- **`vector`**: Standard CVSS vector string format (e.g., "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H") +- **`score`**: Numeric base score (e.g., 7.5) +- **`severity`**: Qualitative severity rating derived from score ("CRITICAL", "HIGH", "MEDIUM", "LOW") + +The `score` and `severity` fields provide pre-computed values that would otherwise require parsing and calculating from the vector string. This follows the schema's principle of making common data immediately accessible rather than requiring client-side computation. **Standards Compliance:** - Follows [CVSS v3.1 Specification](https://www.first.org/cvss/specification-document) field naming -- Compatible with NVD JSON schema and CVE Project standards +- Compatible with NVD JSON schema and CVE Project standards - Enables seamless integration with CVSS calculators and risk assessment tools - Future-compatible with CVSS v4.0 when adopted 
@@ -339,12 +375,86 @@ The schema aligns with official CVSS standards for maximum interoperability with { "cvss": { "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "score": 7.5, + "severity": "HIGH" + } +} +``` + +This alignment ensures the schema integrates seamlessly with existing vulnerability management workflows and security tools that expect standard CVSS formatting. + +#### Timeline Structure + +The `timeline` field captures key dates in the vulnerability lifecycle with structured event objects: + +```json +{ + "timeline": { + "disclosure": { + "date": "2024-07-09", + "description": "Publicly disclosed" + }, + "fixed": { + "date": "2024-07-09", + "description": "Fix released" + } } } ``` -This alignment ensures the schema integrates seamlessly with existing vulnerability management workflows and security tools that expect standard CVSS formatting. We can add more CVSS properties over time, as needed. +Each timeline event contains: +- **`date`**: ISO 8601 date string +- **`description`**: Human-readable description of what occurred + +This structured approach (versus simple date strings) allows for richer metadata and supports future timeline events beyond disclosure and fix dates. + +#### CNA (CVE Numbering Authority) Structure + +The `cna` field captures information from the CVE Numbering Authority that assigned the CVE: + +```json +{ + "cna": { + "name": "microsoft", + "severity": "Important", + "impact": "Denial of Service", + "acknowledgments": ["Researcher Name"], + "faq": [ + { + "question": "How could an attacker exploit this vulnerability?", + "answer": "An attacker could..." 
+ } + ] + } +} +``` + +**Fields:** +- **`name`**: CNA identifier (e.g., "microsoft") +- **`severity`**: CNA's severity rating (may differ from CVSS severity) +- **`impact`**: Brief impact description (e.g., "Remote Code Execution", "Denial of Service") +- **`acknowledgments`**: Optional array of credited researchers/reporters +- **`faq`**: Optional array of Q&A pairs providing additional context + +The `faq` field is particularly valuable for complex vulnerabilities where additional context helps users understand exploitation scenarios and mitigation steps. + +**Why record CNA classifications separately?** CNA severity and impact assessments don't always align with industry databases like cve.org or NVD. Different organizations may evaluate the same vulnerability differently based on their specific context, threat models, or assessment methodologies. Recording both the CNA's view (in `cna.severity` and `cna.impact`) and the standardized CVSS assessment (in `cvss`) preserves both perspectives. This is valuable whether the assessments agree (providing corroboration) or disagree (highlighting differing interpretations that users may want to investigate). + +#### Weakness (CWE) Field + +The `weakness` field provides the Common Weakness Enumeration (CWE) identifier: + +```json +{ + "weakness": "CWE-400" +} +``` + +This links the vulnerability to the standardized weakness taxonomy, enabling: +- Classification-based analysis across vulnerabilities +- Integration with tools that consume CWE identifiers +- Trend analysis of weakness types over time ### 7. Explicit Value Requirements @@ -418,7 +528,7 @@ Snake_case field names enable elegant dot notation throughout: ```bash # Simple field access - no bracket notation needed -$ jq -r '.cves[] | select(.severity == "critical") | .id' cve.json +$ jq -r '.disclosures[] | select(.cvss.severity == "HIGH") | .id' cve.json CVE-2024-30105 CVE-2024-35264 CVE-2024-38081 
@@ -646,10 +756,16 @@ The schema includes pre-computed join indices that further optimize queries: "CVE-2024-38095": ["6.0", "8.0"] }, "release_cves": { - "8.0": ["CVE-2024-30105", "CVE-2024-35264", "CVE-2024-38095"] + "8.0": ["CVE-2024-30105", "CVE-2024-35264", "CVE-2024-38095"] }, "cve_commits": { - "CVE-2024-38095": ["979135d5...", "4a8d5a0..."] + "CVE-2024-38095": ["runtime@979135d", "runtime@4a8d5a0"] + }, + "package_cves": { + "System.Formats.Asn1": ["CVE-2024-38095"] + }, + "severity_cves": { + "HIGH": ["CVE-2024-30105", "CVE-2024-35264", "CVE-2024-38095"] } } ``` @@ -732,4 +848,3 @@ The current schema prioritizes **queryability over normalization** because: This represents a **pragmatic over pure** approach - choosing usability over textbook normalization principles. The small storage overhead buys significant simplification in the queries that security teams run daily, making this a worthwhile trade-off for a security-focused analytical schema. - diff --git a/accepted/2025/cve-schema/dotnet-cves-schema.json b/accepted/2025/cve-schema/dotnet-cves-schema.json index b4a9ba2f6..5a73a5349 100644 --- a/accepted/2025/cve-schema/dotnet-cves-schema.json +++ b/accepted/2025/cve-schema/dotnet-cves-schema.json 
@@ -1,371 +1,499 @@ { - "description": "A set of CVEs with affected products, packages, and commit information.", - "type": [ - "object", - "null" - ], - "properties": { - "last_updated": { - "description": "Date when the CVE set was last updated.", + "description": "A set of CVEs with affected products, packages, and commit information.", + "type": [ + "object", + "null" + ], + "properties": { + "last_updated": { + "description": "Date when the CVE set was last updated.", + "type": "string" + }, + "title": { + "description": "Title of the CVE disclosure.", + "type": "string" + }, + "disclosures": { + "description": "Set of CVEs disclosed.", + "type": "array", + "items": { + "description": "A disclosed vulnerability (CVE).", + "type": [ + "object", + "null" + ], + "properties": { + "id": { + "description": "The CVE ID.", "type": "string" - }, - "title": { - "description": "Title of the CVE disclosure.", + }, + "problem": { + "description": "Brief description of the vulnerability type.", "type": "string" - }, - "cves": { - "description": "Set of CVEs disclosed.", + }, + "description": { + "description": "Detailed description of the vulnerability.", "type": "array", "items": { - "description": "A disclosed vulnerability (CVE).", + "type": [ + "string", + "null" + ] + } + }, + "cvss": { + "description": "CVSS score and vector string.", + "type": "object", + "properties": { + "version": { + "description": "CVSS version used for scoring.", + "type": "string" + }, + "vector": { + "description": "CVSS vector string.", + "type": "string" + }, + "score": { + "description": "CVSS base score.", + "type": "number", + "default": 0.0 + }, + "severity": { + "description": "CVSS severity rating (low/medium/high/critical) derived from base score.", + "type": "string", + "default": "" + }, + "source": { + "description": "Source of the CVSS score calculation (e.g., \u0027microsoft\u0027, \u0027nvd\u0027).", "type": [ - "object", - "null" + "string", + "null" ], - "properties": { - 
"id": { - "description": "The CVE ID.", - "type": "string" - }, - "problem": { - "description": "Brief description of the vulnerability type.", - "type": "string" - }, - "severity": { - "description": "Severity level of the CVE.", - "type": "string" - }, - "timeline": { - "description": "Timeline of when the CVE was disclosed and fixed.", - "type": "object", - "properties": { - "disclosed": { - "description": "Date when the CVE was publicly disclosed.", - "type": "string" - }, - "fixed": { - "description": "Date when the CVE fix was released.", - "type": "string" - } - }, - "required": [ - "disclosed", - "fixed" - ], - "additionalProperties": false - }, - "cvss": { - "description": "CVSS score and vector string.", - "type": "object", - "properties": { - "version": { - "description": "CVSS version used for scoring.", - "type": "string" - }, - "vector": { - "description": "CVSS vector string.", - "type": "string" - } - }, - "required": [ - "version", - "vector" - ], - "additionalProperties": false - }, - "description": { - "description": "Detailed description of the vulnerability.", - "type": "array", - "items": { - "type": [ - "string", - "null" - ] - } - }, - "platforms": { - "description": "Platforms affected by the CVE.", - "type": "array", - "items": { - "type": [ - "string", - "null" - ] - } - }, - "architectures": { - "description": "Architectures affected by the CVE.", - "type": "array", - "items": { - "type": [ - "string", - "null" - ] - } - }, - "cna": { - "description": "CVE Numbering Authority that assigned the CVE.", - "type": "string" - }, - "references": { - "description": "Reference URLs for the CVE.", - "type": "array", - "items": { - "type": [ - "string", - "null" - ] - } - } - }, - "required": [ - "id", - "problem", - "severity", - "timeline", - "cvss", - "description", - "platforms", - "architectures", - "cna", - "references" - ], - "additionalProperties": false - } - }, - "products": { - "description": "Set of products affected by CVEs.", - 
"type": "array", - "items": { - "description": "A product affected by a CVE.", + "default": null + }, + "temporal_score": { + "description": "CVSS temporal score, adjusted for exploit maturity, remediation level, and report confidence.", "type": [ - "object", - "null" + "number", + "null" ], + "default": null + } + }, + "required": [ + "version", + "vector" + ], + "additionalProperties": false + }, + "timeline": { + "description": "Timeline of when the CVE was disclosed and fixed.", + "type": "object", + "properties": { + "disclosure": { + "description": "Date when the CVE was publicly disclosed.", + "type": "object", "properties": { - "cve_id": { - "description": "The CVE ID affecting this product.", - "type": "string" - }, - "name": { - "description": "Name of the affected product.", - "type": "string" - }, - "min_vulnerable": { - "description": "Minimum vulnerable version of the product.", - "type": "string" - }, - "max_vulnerable": { - "description": "Maximum vulnerable version of the product.", - "type": "string" - }, - "fixed": { - "description": "Version of the product that contains the fix.", - "type": "string" - }, - "release": { - "description": "Major release version affected.", - "type": "string" - }, - "commits": { - "description": "List of commit hashes that fix the vulnerability.", - "type": "array", - "items": { - "type": [ - "string", - "null" - ] - } - } + "date": { + "description": "Date of the event.", + "type": "string", + "format": "date" + }, + "description": { + "description": "Description of what occurred on this date.", + "type": "string" + } }, "required": [ - "cve_id", - "name", - "min_vulnerable", - "max_vulnerable", - "fixed", - "release", - "commits" + "date", + "description" ], "additionalProperties": false - } - }, - "packages": { - "description": "Set of packages affected by CVEs.", - "type": "array", - "items": { - "description": "A package affected by a CVE.", + }, + "fixed": { + "description": "Date when the CVE fix was 
released.", "type": [ - "object", - "null" + "object", + "null" ], "properties": { - "cve_id": { - "description": "The CVE ID affecting this package.", - "type": "string" - }, - "name": { - "description": "Name of the affected package.", - "type": "string" - }, - "min_vulnerable": { - "description": "Minimum vulnerable version of the package.", - "type": "string" - }, - "max_vulnerable": { - "description": "Maximum vulnerable version of the package.", - "type": "string" - }, - "fixed": { - "description": "Version of the package that contains the fix.", - "type": "string" - }, - "release": { - "description": "Major release version affected.", - "type": "string" - }, - "commits": { - "description": "List of commit hashes that fix the vulnerability.", - "type": "array", - "items": { - "type": [ - "string", - "null" - ] - } - } + "date": { + "description": "Date of the event.", + "type": "string", + "format": "date" + }, + "description": { + "description": "Description of what occurred on this date.", + "type": "string" + } }, "required": [ - "cve_id", - "name", - "min_vulnerable", - "max_vulnerable", - "fixed", - "release", - "commits" + "date", + "description" ], - "additionalProperties": false - } - }, - "commits": { - "description": "Dictionary of commit information, keyed by commit hash.", - "type": [ - "object", - "null" - ], - "additionalProperties": { - "description": "Information about a commit that fixes a CVE.", + "additionalProperties": false, + "default": null + }, + "other": { + "description": "Additional timeline events (e.g., reported, embargo start, validation).", "type": [ + "array", + "null" + ], + "items": { + "description": "A dated event in the CVE lifecycle.", + "type": [ "object", "null" - ], - "properties": { - "repo": { - "description": "Repository name where the commit exists.", - "type": "string" - }, - "branch": { - "description": "Branch name where the commit exists.", - "type": "string" - }, - "hash": { - "description": "Commit hash 
(SHA).", - "type": "string" + ], + "properties": { + "date": { + "description": "Date of the event.", + "type": "string", + "format": "date" }, - "org": { - "description": "Organization that owns the repository.", - "type": "string" - }, - "url": { - "description": "URL to the commit diff.", - "type": "string" + "description": { + "description": "Description of what occurred on this date.", + "type": "string" } + }, + "required": [ + "date", + "description" + ], + "additionalProperties": false }, - "required": [ - "repo", - "branch", - "hash", - "org", - "url" - ], - "additionalProperties": false + "default": null + } }, - "default": null - }, - "product_name": { - "description": "Dictionary of product display names, keyed by product name.", - "type": [ - "object", - "null" + "required": [ + "disclosure" ], - "additionalProperties": { - "type": [ - "string", - "null" - ] - }, - "default": null - }, - "product_cves": { - "description": "Dictionary of CVE IDs affecting each product, keyed by product name.", - "type": [ - "object", + "additionalProperties": false + }, + "platforms": { + "description": "Platforms affected by the CVE.", + "type": "array", + "items": { + "type": [ + "string", + "null" + ] + } + }, + "architectures": { + "description": "Architectures affected by the CVE.", + "type": "array", + "items": { + "type": [ + "string", + "null" + ] + } + }, + "references": { + "description": "Reference URLs for the CVE.", + "type": "array", + "items": { + "type": [ + "string", "null" + ] + } + }, + "mitigation": { + "description": "Mitigation information for the CVE.", + "type": [ + "array", + "null" ], - "additionalProperties": { - "type": [ - "array", - "null" - ], - "items": { - "type": [ - "string", - "null" - ] - } + "items": { + "type": [ + "string", + "null" + ] }, "default": null - }, - "release_cves": { - "description": "Dictionary of CVE IDs affecting each release, keyed by release version.", + }, + "weakness": { + "description": "CWE (Common Weakness 
Enumeration) identifier.", "type": [ - "object", - "null" + "string", + "null" ], - "additionalProperties": { - "$ref": "#/properties/product_cves/additionalProperties" - }, "default": null + }, + "cna": { + "default": null + } }, - "cve_releases": { - "description": "Dictionary of release versions affected by each CVE, keyed by CVE ID.", - "type": [ - "object", + "required": [ + "id", + "problem", + "description", + "cvss", + "timeline", + "platforms", + "architectures", + "references" + ] + } + }, + "products": { + "description": "Set of products affected by CVEs.", + "type": "array", + "items": { + "description": "A product affected by a CVE.", + "type": [ + "object", + "null" + ], + "properties": { + "cve_id": { + "description": "The CVE ID affecting this product.", + "type": "string" + }, + "name": { + "description": "Name of the affected product.", + "type": "string" + }, + "min_vulnerable": { + "description": "Minimum vulnerable version of the product.", + "type": "string" + }, + "max_vulnerable": { + "description": "Maximum vulnerable version of the product.", + "type": "string" + }, + "fixed": { + "description": "Version of the product that contains the fix.", + "type": "string" + }, + "release": { + "description": "Major release version affected.", + "type": "string" + }, + "commits": { + "description": "List of commit hashes that fix the vulnerability.", + "type": "array", + "items": { + "type": [ + "string", "null" - ], - "additionalProperties": { - "$ref": "#/properties/product_cves/additionalProperties" - }, - "default": null + ] + } + } }, - "cve_commits": { - "description": "Dictionary of commit hashes that fix each CVE, keyed by CVE ID.", - "type": [ - "object", + "required": [ + "cve_id", + "name", + "min_vulnerable", + "max_vulnerable", + "fixed", + "release", + "commits" + ], + "additionalProperties": false + } + }, + "packages": { + "description": "Set of packages affected by CVEs.", + "type": "array", + "items": { + "description": "A package 
affected by a CVE.", + "type": [ + "object", + "null" + ], + "properties": { + "cve_id": { + "description": "The CVE ID affecting this package.", + "type": "string" + }, + "name": { + "description": "Name of the affected package.", + "type": "string" + }, + "min_vulnerable": { + "description": "Minimum vulnerable version of the package.", + "type": "string" + }, + "max_vulnerable": { + "description": "Maximum vulnerable version of the package.", + "type": "string" + }, + "fixed": { + "description": "Version of the package that contains the fix.", + "type": "string" + }, + "release": { + "description": "Major release version affected.", + "type": "string" + }, + "commits": { + "description": "List of commit hashes that fix the vulnerability.", + "type": "array", + "items": { + "type": [ + "string", "null" - ], - "additionalProperties": { - "$ref": "#/properties/product_cves/additionalProperties" - }, - "default": null + ] + } + } + }, + "required": [ + "cve_id", + "name", + "min_vulnerable", + "max_vulnerable", + "fixed", + "release", + "commits" + ], + "additionalProperties": false + } + }, + "commits": { + "description": "Dictionary of commit information, keyed by commit hash.", + "type": [ + "object", + "null" + ], + "additionalProperties": { + "description": "Information about a commit that fixes a CVE.", + "type": [ + "object", + "null" + ], + "properties": { + "repo": { + "description": "Repository name where the commit exists.", + "type": "string" + }, + "branch": { + "description": "Branch name where the commit exists.", + "type": "string" + }, + "hash": { + "description": "Commit hash (SHA).", + "type": "string" + }, + "org": { + "description": "Organization that owns the repository.", + "type": "string" + }, + "url": { + "description": "URL to the commit diff.", + "type": "string" + } + }, + "required": [ + "repo", + "branch", + "hash", + "org", + "url" + ], + "additionalProperties": false + }, + "default": null + }, + "product_name": { + "description": 
"Dictionary of product display names, keyed by product name.", + "type": [ + "object", + "null" + ], + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "default": null + }, + "product_cves": { + "description": "Dictionary of CVE IDs affecting each product, keyed by product name.", + "type": [ + "object", + "null" + ], + "additionalProperties": { + "type": [ + "array", + "null" + ], + "items": { + "type": [ + "string", + "null" + ] } + }, + "default": null + }, + "package_cves": { + "description": "Dictionary of CVE IDs affecting each package, keyed by package name.", + "type": [ + "object", + "null" + ], + "additionalProperties": { + "$ref": "#/properties/product_cves/additionalProperties" + }, + "default": null + }, + "release_cves": { + "description": "Dictionary of CVE IDs affecting each release, keyed by release version.", + "type": [ + "object", + "null" + ], + "additionalProperties": { + "$ref": "#/properties/product_cves/additionalProperties" + }, + "default": null + }, + "severity_cves": { + "description": "Dictionary of CVE IDs grouped by severity threshold. 
Each key includes CVEs with that severity or higher (CRITICAL, HIGH, MEDIUM, LOW).", + "type": [ + "object", + "null" + ], + "additionalProperties": { + "$ref": "#/properties/product_cves/additionalProperties" + }, + "default": null }, - "required": [ - "last_updated", - "title", - "cves", - "products", - "packages" - ], - "additionalProperties": false + "cve_releases": { + "description": "Dictionary of release versions affected by each CVE, keyed by CVE ID.", + "type": [ + "object", + "null" + ], + "additionalProperties": { + "$ref": "#/properties/product_cves/additionalProperties" + }, + "default": null + }, + "cve_commits": { + "description": "Dictionary of commit hashes that fix each CVE, keyed by CVE ID.", + "type": [ + "object", + "null" + ], + "additionalProperties": { + "$ref": "#/properties/product_cves/additionalProperties" + }, + "default": null + } + }, + "required": [ + "last_updated", + "title", + "disclosures", + "products", + "packages" + ], + "additionalProperties": false } \ No newline at end of file diff --git a/accepted/2025/cve-schema/dotnet-guidance.md b/accepted/2025/cve-schema/dotnet-guidance.md index 34127d396..afff988ab 100644 --- a/accepted/2025/cve-schema/dotnet-guidance.md +++ b/accepted/2025/cve-schema/dotnet-guidance.md 
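Review bot: The new `cna` property on a disclosure is just `{"default": null}` with no `type` or `properties`, so the `name`/`severity`/`impact`/`acknowledgments`/`faq` object that this same patch documents for it is never validated; the first fragment below sketches a closed object schema for it (only `name` is required, since the docs mark `acknowledgments` and `faq` optional and say nothing about the others — tighten as appropriate). In the same `disclosures.items` object the old side's `"additionalProperties": false` is gone on the new side while `products` and `packages` items keep theirs, so a misspelled or unknown key in a disclosure now passes validation; unless the loosening is intentional it should be restored. The `cvss.severity` description says `low/medium/high/critical`, but the documentation, the example and the `severity_cves` index keys all use `CRITICAL`/`HIGH`/`MEDIUM`/`LOW` and nothing constrains the value, so an `enum` (second fragment) should pin the casing consumers filter on, and the `""` default, which is not an enum member, should go. Finally, the `severity_cves` description ("Each key includes CVEs with that severity or higher") contradicts the documentation example, where `MEDIUM` and `LOW` are empty while `HIGH` is populated, i.e. an exact-match grouping — one of the two must change — and the `commits`, `cve_commits` and `products[].commits`/`packages[].commits` descriptions still say "commit hashes" although the docs now define the keys as `repo@shortcommit`.
```json
"cna": {
  "description": "CVE Numbering Authority that assigned the CVE, with its own severity and impact assessment.",
  "type": ["object", "null"],
  "properties": {
    "name": { "description": "CNA identifier (e.g., 'microsoft').", "type": "string" },
    "severity": { "description": "CNA severity rating; may differ from cvss.severity.", "type": ["string", "null"] },
    "impact": { "description": "Brief impact description.", "type": ["string", "null"] },
    "acknowledgments": { "type": ["array", "null"], "items": { "type": "string" } },
    "faq": {
      "type": ["array", "null"],
      "items": {
        "type": "object",
        "properties": {
          "question": { "type": "string" },
          "answer": { "type": "string" }
        },
        "required": ["question", "answer"],
        "additionalProperties": false
      }
    }
  },
  "required": ["name"],
  "additionalProperties": false,
  "default": null
}

"severity": {
  "description": "CVSS severity rating (CRITICAL/HIGH/MEDIUM/LOW) derived from base score.",
  "type": "string",
  "enum": ["CRITICAL", "HIGH", "MEDIUM", "LOW"]
}
```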
@@ -15,7 +15,15 @@ These "taxonomy" strings will always use kebab-case-lower format. It is importan ## CNA -The CNA for .NET CVEs is Microsoft. The CVE JSON files that Microsoft publishes will always attribute Microsoft as the CNA. +The CNA for .NET CVEs is Microsoft. The CVE JSON files that Microsoft publishes will always attribute Microsoft as the CNA. The `cna` field is an object containing: + +- `name`: The CNA identifier (`"microsoft"`) +- `severity`: Microsoft's severity rating (e.g., "Important", "Critical") +- `impact`: The impact type (e.g., "Denial of Service", "Remote Code Execution") +- `acknowledgments`: Optional array of credited researchers +- `faq`: Optional array of Q&A pairs with additional context + +Note that the CNA's `severity` rating may differ from the CVSS `severity` in the `cvss` object. Both are recorded to preserve each organization's assessment. ## Products 
@@ -55,6 +63,28 @@ There is no addordance for specifying a architecture version, for example descri Each CVE will include one or more references, in a `string[]`. The first reference will be the `dotnet/announcements` issue that is the primary GitHub disclosure. +## Commits + +The schema stores commit details in a `commits{}` dictionary, with products and packages referencing commits by key. The schema does not prescribe a specific key formatβ€”the full 40-character commit hash would be an obvious choice. However, Microsoft uses a compact `repo@shortcommit` format: + +```json +"commits": { + "runtime@979135d": { "url": "https://github.com/dotnet/runtime/commit/979135d5ca4efaf6436ee13539cc3f1e039d570a.diff" }, + "aspnetcore@c5721fb": { "url": "https://github.com/dotnet/aspnetcore/commit/c5721fb7a65ddc13d1b445c2c08c27b72ab57cdc.diff" } +} +``` + +This format provides several benefits: + +- **Smaller file size**: 7-character short hashes vs 40-character full hashes reduce storage and bandwidth +- **GitHub alignment**: Matches GitHub's native short-commit display format used in UI and URLs +- **Uniqueness through repo qualification**: Short commits are not guaranteed unique across repositories; prefixing with the repository name (`runtime@`, `aspnetcore@`) ensures global uniqueness within the dataset +- **Human readability**: Easier to scan and reference in documentation and discussions + +The `repo@shortcommit` pattern treats the combination as a composite key where the repository provides namespace scoping. This mirrors how developers naturally reference commits in conversation ("the runtime fix at 979135d"). + +Note that while the key uses a short hash, the URL in the commit object contains the full hash to ensure reliable resolution. + ## Annotated JSON This following schema segments and annotations provide more detailed and contextual information on how the schema is used. 
@@ -65,22 +95,36 @@ The following CVE object describes a CVE that affects all platforms and architec { "id": "CVE-2024-30105", "problem": ".NET Denial of Service Vulnerability", - "severity": "critical", - "disclosed": "2024-07-09", - "cvss": {"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C"}, "description": [ "A vulnerability exists in .NET when calling the JsonSerializer.DeserializeAsyncEnumerable method against an untrusted input using System.Text.Json may result in Denial of Service." ], - "platforms": [ - "all" - ], - "architectures": [ - "all" - ], - "cna": "microsoft", + "cvss": { + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C", + "score": 7.5, + "severity": "HIGH" + }, + "timeline": { + "disclosure": { + "date": "2024-07-09", + "description": "Publicly disclosed" + }, + "fixed": { + "date": "2024-07-09", + "description": "Fix released" + } + }, + "platforms": ["all"], + "architectures": ["all"], "references": [ "https://github.com/dotnet/announcements/issues/315" - ] + ], + "weakness": "CWE-400", + "cna": { + "name": "microsoft", + "severity": "Important", + "impact": "Denial of Service" + } } ``` @@ -89,13 +133,13 @@ The following product object describes a CVE affecting `dotnet-runtime`. The `mi ```json { "cve_id": "CVE-2024-38081", - "name": "dotnet-runtime", + "name": "dotnet-runtime", "min_vulnerable": "6.0.0", "max_vulnerable": "6.0.31", "fixed": "6.0.32", "release": "6.0", "commits": [ - "0a0dd0e27560e692e11ee286ed9f45471b2131fa" + "runtime@0a0dd0e" ] } ``` @@ -111,7 +155,7 @@ The following extension pobject describes a package affecting [`System.Text.Json "fixed": "8.0.4", "release": "8.0", "commits": [ - "fa5b0d8f4a8b424732cc992158aa92842f8a2846" + "runtime@fa5b0d8" ] } ``` From 0a734dbed4d1f70d97fab9eb61815868d727f599 Mon Sep 17 00:00:00 2001 
From: Richard Lander Date: Wed, 7 Jan 2026 13:56:21 -0800 Subject: [PATCH 3/4] Delete unnecessary files --- accepted/2025/cve-schema/jq_queries.sh | 155 ------------------ .../jq_queries/age_of_vulnerabilities.jq | 5 - .../check_product_version_vulnerable.jq | 5 - .../check_release_packages_vulnerable.jq | 5 - .../jq_queries/check_version_vulnerable.jq | 7 - ...omponents_with_multiple_vulnerabilities.jq | 8 - .../cross_component_impact_analysis.jq | 8 - .../cve_report_with_display_names.jq | 5 - .../cve-schema/jq_queries/cves_by_platform.jq | 5 - .../jq_queries/cves_by_platform_enhanced.jq | 6 - .../cve-schema/jq_queries/cves_by_product.jq | 5 - .../cve-schema/jq_queries/cves_by_release.jq | 5 - .../jq_queries/cves_with_release_impact.jq | 7 - .../cves_with_release_impact_enhanced.jq | 8 - .../jq_queries/defensive_cve_lookup.jq | 3 - .../jq_queries/get_all_affected_products.jq | 4 - .../cve-schema/jq_queries/get_all_cve_ids.jq | 1 - .../jq_queries/get_commits_for_cve.jq | 1 - .../jq_queries/get_commits_for_release.jq | 1 - .../cve-schema/jq_queries/get_cve_details.jq | 4 - .../jq_queries/get_cves_by_severity.jq | 1 - .../jq_queries/get_fixed_versions_packages.jq | 4 - .../jq_queries/get_fixed_versions_products.jq | 4 - .../jq_queries/immediate_risk_assessment.jq | 5 - .../jq_queries/most_vulnerable_component.jq | 8 - .../packages_requiring_immediate_attention.jq | 8 - .../jq_queries/patch_deployment_summary.jq | 12 -- .../jq_queries/platform_display_names.jq | 1 - .../jq_queries/product_descriptions.jq | 1 - .../jq_queries/product_report_with_names.jq | 5 - .../product_report_with_names_enhanced.jq | 6 - .../release_independent_packages.jq | 7 - .../cve-schema/jq_queries/releases_by_cve.jq | 5 - .../jq_queries/repository_commit_summary.jq | 13 -- .../jq_queries/safe_version_queries.jq | 1 - .../security_advisory_full_taxonomy.jq | 15 -- .../severity_display_name_lookup.jq | 1 - .../cve_report_with_display_names.jq | 9 - .../product_report_with_names.jq | 8 - 
.../validate_severity_mappings.jq | 6 - .../jq_queries/validate_platform_mappings.jq | 3 - .../jq_queries/validate_product_mappings.jq | 3 - .../jq_queries/validate_severity_mappings.jq | 3 - .../cve-schema/jq_queries_with_taxonomy.sh | 87 ---------- 44 files changed, 464 deletions(-) delete mode 100755 accepted/2025/cve-schema/jq_queries.sh delete mode 100644 accepted/2025/cve-schema/jq_queries/age_of_vulnerabilities.jq delete mode 100644 accepted/2025/cve-schema/jq_queries/check_product_version_vulnerable.jq delete mode 100644 accepted/2025/cve-schema/jq_queries/check_release_packages_vulnerable.jq delete mode 100644 accepted/2025/cve-schema/jq_queries/check_version_vulnerable.jq delete mode 100644 accepted/2025/cve-schema/jq_queries/components_with_multiple_vulnerabilities.jq delete mode 100644 accepted/2025/cve-schema/jq_queries/cross_component_impact_analysis.jq delete mode 100644 accepted/2025/cve-schema/jq_queries/cve_report_with_display_names.jq delete mode 100644 accepted/2025/cve-schema/jq_queries/cves_by_platform.jq delete mode 100644 accepted/2025/cve-schema/jq_queries/cves_by_platform_enhanced.jq delete mode 100644 accepted/2025/cve-schema/jq_queries/cves_by_product.jq delete mode 100644 accepted/2025/cve-schema/jq_queries/cves_by_release.jq delete mode 100644 accepted/2025/cve-schema/jq_queries/cves_with_release_impact.jq delete mode 100644 accepted/2025/cve-schema/jq_queries/cves_with_release_impact_enhanced.jq delete mode 100644 accepted/2025/cve-schema/jq_queries/defensive_cve_lookup.jq delete mode 100644 accepted/2025/cve-schema/jq_queries/get_all_affected_products.jq delete mode 100644 accepted/2025/cve-schema/jq_queries/get_all_cve_ids.jq delete mode 100644 accepted/2025/cve-schema/jq_queries/get_commits_for_cve.jq delete mode 100644 accepted/2025/cve-schema/jq_queries/get_commits_for_release.jq delete mode 100644 accepted/2025/cve-schema/jq_queries/get_cve_details.jq delete mode 100644 accepted/2025/cve-schema/jq_queries/get_cves_by_severity.jq 
delete mode 100644 accepted/2025/cve-schema/jq_queries/get_fixed_versions_packages.jq delete mode 100644 accepted/2025/cve-schema/jq_queries/get_fixed_versions_products.jq delete mode 100644 accepted/2025/cve-schema/jq_queries/immediate_risk_assessment.jq delete mode 100644 accepted/2025/cve-schema/jq_queries/most_vulnerable_component.jq delete mode 100644 accepted/2025/cve-schema/jq_queries/packages_requiring_immediate_attention.jq delete mode 100644 accepted/2025/cve-schema/jq_queries/patch_deployment_summary.jq delete mode 100644 accepted/2025/cve-schema/jq_queries/platform_display_names.jq delete mode 100644 accepted/2025/cve-schema/jq_queries/product_descriptions.jq delete mode 100644 accepted/2025/cve-schema/jq_queries/product_report_with_names.jq delete mode 100644 accepted/2025/cve-schema/jq_queries/product_report_with_names_enhanced.jq delete mode 100644 accepted/2025/cve-schema/jq_queries/release_independent_packages.jq delete mode 100644 accepted/2025/cve-schema/jq_queries/releases_by_cve.jq delete mode 100644 accepted/2025/cve-schema/jq_queries/repository_commit_summary.jq delete mode 100644 accepted/2025/cve-schema/jq_queries/safe_version_queries.jq delete mode 100644 accepted/2025/cve-schema/jq_queries/security_advisory_full_taxonomy.jq delete mode 100644 accepted/2025/cve-schema/jq_queries/severity_display_name_lookup.jq delete mode 100644 accepted/2025/cve-schema/jq_queries/taxonomy_originals/cve_report_with_display_names.jq delete mode 100644 accepted/2025/cve-schema/jq_queries/taxonomy_originals/product_report_with_names.jq delete mode 100644 accepted/2025/cve-schema/jq_queries/taxonomy_originals/validate_severity_mappings.jq delete mode 100644 accepted/2025/cve-schema/jq_queries/validate_platform_mappings.jq delete mode 100644 accepted/2025/cve-schema/jq_queries/validate_product_mappings.jq delete mode 100644 accepted/2025/cve-schema/jq_queries/validate_severity_mappings.jq delete mode 100755 accepted/2025/cve-schema/jq_queries_with_taxonomy.sh 
diff --git a/accepted/2025/cve-schema/jq_queries.sh b/accepted/2025/cve-schema/jq_queries.sh
deleted file mode 100755
index 938ab2e48..000000000
--- a/accepted/2025/cve-schema/jq_queries.sh
+++ /dev/null
@@ -1,155 +0,0 @@
-#!/bin/bash
-
-# CVE Query Runner Script
-# Runs all jq queries from the jq_queries directory against cve.json
-#
-# This script demonstrates how to use parameterized jq queries by passing
-# hard-coded demo values for testing and demonstration purposes.
-# In production use, you would replace these demo values with actual parameters.
-
-set -e
-
-CVE_FILE="cve.json"
-QUERIES_DIR="jq_queries"
-
-# Demo parameter values - change these to test different scenarios
-# These values are intentionally hard-coded for demonstration purposes
-DEMO_CVE="CVE-2024-38095" # Primary CVE for demonstrations
-DEMO_RELEASE="8.0" # .NET release version for testing
-DEMO_VERSION="8.0.5" # Specific version to check for vulnerabilities
-DEMO_TEST_CVE="CVE-2024-99999" # Non-existent CVE for error handling demos
-DEMO_TEST_RELEASE="9.0" # Release that may not exist in data
-
-# Check if cve.json exists
-if [[ ! -f "$CVE_FILE" ]]; then
- echo "Error: $CVE_FILE not found in current directory"
- exit 1
-fi
-
-# Check if queries directory exists
-if [[ ! -d "$QUERIES_DIR" ]]; then
- echo "Error: $QUERIES_DIR directory not found"
- exit 1
-fi
-
-echo "Running CVE queries against $CVE_FILE"
-echo "========================================"
-
-# Function to run a query with proper error handling
-run_query() {
- local query_file="$1"
- local query_name=$(basename "$query_file" .jq)
- local extra_flags="$2"
-
- echo
- echo "--- $query_name ---"
-
- if jq -r $extra_flags -f "$query_file" "$CVE_FILE" 2>/dev/null; then
- echo "βœ… Query completed successfully"
- else
- echo "❌ Query failed or returned no results"
- fi
-}
-
-# Function to run a parameterized query
-run_param_query() {
- local query_file="$1"
- local query_name=$(basename "$query_file" .jq)
- local params="$2"
-
- echo
- echo "--- $query_name ---"
-
- if jq -r $params -f "$query_file" "$CVE_FILE" 2>/dev/null; then
- echo "βœ… Query completed successfully"
- else
- echo "❌ Query failed or returned no results"
- fi
-}
-
-# Run basic queries first
-echo "=== BASIC LOOKUPS ==="
-run_query "$QUERIES_DIR/get_all_cve_ids.jq"
-run_query "$QUERIES_DIR/get_cves_by_severity.jq"
-run_query "$QUERIES_DIR/get_cve_details.jq"
-
-echo
-echo "=== INDEX-BASED QUERIES ==="
-# Demo: Looking up CVEs for .NET release
-run_param_query "$QUERIES_DIR/cves_by_release.jq" "--arg release \"$DEMO_RELEASE\""
-# Demo: Looking up releases affected by primary demo CVE
-run_param_query "$QUERIES_DIR/releases_by_cve.jq" "--arg cve \"$DEMO_CVE\""
-run_query "$QUERIES_DIR/cves_by_product.jq"
-
-echo
-echo "=== COMPONENT ANALYSIS ==="
-run_query "$QUERIES_DIR/get_all_affected_products.jq"
-run_query "$QUERIES_DIR/get_fixed_versions_products.jq"
-run_query "$QUERIES_DIR/get_fixed_versions_packages.jq"
-
-echo
-echo "=== COMMIT ANALYSIS ==="
-# Demo: Get commit URLs for primary demo CVE
-run_param_query "$QUERIES_DIR/get_commits_for_cve.jq" "--arg cve \"$DEMO_CVE\""
-# Demo: Get commit URLs for demo release CVEs
-run_param_query "$QUERIES_DIR/get_commits_for_release.jq" "--arg release \"$DEMO_RELEASE\""
-run_query "$QUERIES_DIR/repository_commit_summary.jq"
-
-echo
-echo "=== RISK ASSESSMENT ==="
-run_query "$QUERIES_DIR/cves_with_release_impact.jq"
-run_query "$QUERIES_DIR/components_with_multiple_vulnerabilities.jq"
-run_query "$QUERIES_DIR/cross_component_impact_analysis.jq"
-
-echo
-echo "=== TEMPORAL ANALYSIS ==="
-run_query "$QUERIES_DIR/age_of_vulnerabilities.jq"
-
-echo
-echo "=== VERSION VULNERABILITY ASSESSMENT ==="
-# Demo: Check if demo version is vulnerable
-run_param_query "$QUERIES_DIR/check_version_vulnerable.jq" "--arg release \"$DEMO_RELEASE\" --arg version \"$DEMO_VERSION\""
-# Demo: Check release-specific packages for vulnerabilities
-run_param_query "$QUERIES_DIR/check_release_packages_vulnerable.jq" "--arg release \"$DEMO_RELEASE\""
-# Demo: Check product vulnerabilities for specific version
-run_param_query "$QUERIES_DIR/check_product_version_vulnerable.jq" "--arg version \"$DEMO_VERSION\""
-
-echo
-echo "=== PLATFORM-SPECIFIC ANALYSIS ==="
-run_query "$QUERIES_DIR/cves_by_platform.jq"
-
-echo
-echo "=== ADVANCED QUERIES ==="
-run_query "$QUERIES_DIR/packages_requiring_immediate_attention.jq"
-run_query "$QUERIES_DIR/patch_deployment_summary.jq"
-run_query "$QUERIES_DIR/release_independent_packages.jq"
-
-echo
-echo "=== EMERGENCY RESPONSE QUERIES ==="
-run_query "$QUERIES_DIR/immediate_risk_assessment.jq"
-run_query "$QUERIES_DIR/most_vulnerable_component.jq"
-
-echo
-echo "=== REPORTING AND DISPLAY ==="
-run_query "$QUERIES_DIR/cve_report_with_display_names.jq"
-run_query "$QUERIES_DIR/product_report_with_names.jq"
-run_query "$QUERIES_DIR/security_advisory_full_taxonomy.jq"
-
-echo
-echo "=== ERROR HANDLING & VALIDATION ==="
-# Demo: Test error handling with non-existent CVE
-run_param_query "$QUERIES_DIR/defensive_cve_lookup.jq" "--arg cve \"$DEMO_TEST_CVE\""
-# Demo: Check release that may not exist in data
-run_param_query "$QUERIES_DIR/safe_version_queries.jq" "--arg release \"$DEMO_TEST_RELEASE\""
-run_query "$QUERIES_DIR/validate_severity_mappings.jq"
-run_query "$QUERIES_DIR/validate_product_mappings.jq"
-run_query "$QUERIES_DIR/validate_platform_mappings.jq"
-
-
-echo
-echo "========================================"
-echo "All queries completed!"
-
-# Summary information
-total_queries=$(find "$QUERIES_DIR" -name "*.jq" | wc -l)
-echo "Total queries available: $total_queries"
\ No newline at end of file
diff --git a/accepted/2025/cve-schema/jq_queries/age_of_vulnerabilities.jq b/accepted/2025/cve-schema/jq_queries/age_of_vulnerabilities.jq
deleted file mode 100644
index e80e94d6b..000000000
--- a/accepted/2025/cve-schema/jq_queries/age_of_vulnerabilities.jq
+++ /dev/null
@@ -1,5 +0,0 @@
-(["| CVE ID | Disclosed | Days Since Disclosure |",
- "| ------ | --------- | -------------------- |"] +
- [.cves[] |
- "| \(.id) | \(.disclosed) | \(((now | strftime("%Y-%m-%d") | strptime("%Y-%m-%d") | mktime) - (.disclosed | strptime("%Y-%m-%d") | mktime)) / 86400 | floor) |"]) |
-.[]
diff --git a/accepted/2025/cve-schema/jq_queries/check_product_version_vulnerable.jq b/accepted/2025/cve-schema/jq_queries/check_product_version_vulnerable.jq
deleted file mode 100644
index f8451cf4e..000000000
--- a/accepted/2025/cve-schema/jq_queries/check_product_version_vulnerable.jq
+++ /dev/null
@@ -1,5 +0,0 @@
-[.products[] | select(.min_vulnerable <= $version and .max_vulnerable >= $version)] |
- (["| CVE ID | Product |",
- "| ------------- | ------- |"] +
- [.[] | "| \(.cve_id) | \(.name) |"]) |
- .[]
\ No newline at end of file
diff --git a/accepted/2025/cve-schema/jq_queries/check_release_packages_vulnerable.jq b/accepted/2025/cve-schema/jq_queries/check_release_packages_vulnerable.jq
deleted file mode 100644
index 65271ce15..000000000
--- a/accepted/2025/cve-schema/jq_queries/check_release_packages_vulnerable.jq
+++ /dev/null
@@ -1,5 +0,0 @@
-[.packages[] | select(.release == $release)] |
- (["| CVE ID | Package | Vulnerable Range |",
- "| ------------- | ------- | ---------------- |"] +
- [.[] | "| \(.cve_id) | \(.name) | \(.min_vulnerable) - \(.max_vulnerable) |"]) |
- .[]
\ No newline at end of file
diff --git a/accepted/2025/cve-schema/jq_queries/check_version_vulnerable.jq b/accepted/2025/cve-schema/jq_queries/check_version_vulnerable.jq
deleted file mode 100644
index b1c7fa4c6..000000000
--- a/accepted/2025/cve-schema/jq_queries/check_version_vulnerable.jq
+++ /dev/null
@@ -1,7 +0,0 @@
-.products
-| map(select(.release == $release))
-| map(select(.min_vulnerable <= $version and .max_vulnerable >= $version))
-| (["| CVE ID | Component |",
- "| ------------- | --------- |"] +
- [.[] | "| \(.cve_id) | \(.name) |"])
-| .[]
diff --git a/accepted/2025/cve-schema/jq_queries/components_with_multiple_vulnerabilities.jq b/accepted/2025/cve-schema/jq_queries/components_with_multiple_vulnerabilities.jq
deleted file mode 100644
index 6a0f51cbd..000000000
--- a/accepted/2025/cve-schema/jq_queries/components_with_multiple_vulnerabilities.jq
+++ /dev/null
@@ -1,8 +0,0 @@
-[.products[], .packages[]] |
- group_by(.name) |
- map({name: .[0].name, cves: [.[] | .cve_id] | unique}) |
- map(select(.cves | length > 1)) |
- (["| Component | CVEs |",
- "| --------- | ---- |"] +
- [.[] | "| \(.name) | \(.cves | join(", ")) |"]) |
- .[]
diff --git a/accepted/2025/cve-schema/jq_queries/cross_component_impact_analysis.jq b/accepted/2025/cve-schema/jq_queries/cross_component_impact_analysis.jq
deleted file mode 100644
index 8031ad128..000000000
--- a/accepted/2025/cve-schema/jq_queries/cross_component_impact_analysis.jq
+++ /dev/null
@@ -1,8 +0,0 @@
-. as $root |
- [.products[], .packages[]] |
- group_by(.cve_id) |
- (["| CVE ID | Count | Components |",
- "| ------------- | ----- | ---------- |"] +
- [.[] |
- "| \(.[0].cve_id) | \([.[] | .name] | unique | length) | \([.[] | .name] | unique | join(", ")) |"]) |
- .[]
diff --git a/accepted/2025/cve-schema/jq_queries/cve_report_with_display_names.jq b/accepted/2025/cve-schema/jq_queries/cve_report_with_display_names.jq
deleted file mode 100644
index 0b5d6f10c..000000000
--- a/accepted/2025/cve-schema/jq_queries/cve_report_with_display_names.jq
+++ /dev/null
@@ -1,5 +0,0 @@
-(["| CVE ID | Severity | Platforms | Problem |",
- "| ------ | -------- | --------- | ------- |"] +
- [.cves[] |
- "| \(.id) | \(.severity) | \(.platforms | join(", ")) | \(.problem) |"]) |
-.[]
diff --git a/accepted/2025/cve-schema/jq_queries/cves_by_platform.jq b/accepted/2025/cve-schema/jq_queries/cves_by_platform.jq
deleted file mode 100644
index 9f6a77355..000000000
--- a/accepted/2025/cve-schema/jq_queries/cves_by_platform.jq
+++ /dev/null
@@ -1,5 +0,0 @@
-(["| CVE ID | Platforms |",
- "| ------------- | --------- |"] +
- [.cves[] |
- "| \(.id) | \(.platforms | join(", ")) |"]) |
- .[]
diff --git a/accepted/2025/cve-schema/jq_queries/cves_by_platform_enhanced.jq b/accepted/2025/cve-schema/jq_queries/cves_by_platform_enhanced.jq
deleted file mode 100644
index f2094c772..000000000
--- a/accepted/2025/cve-schema/jq_queries/cves_by_platform_enhanced.jq
+++ /dev/null
@@ -1,6 +0,0 @@
-($platforms[0].items | map({(.string): .display_name}) | add) as $platform_names |
-(["| CVE ID | Platforms |",
- "| ------------- | --------- |"] +
- [.cves[] |
- "| \(.id) | \((.platforms | map($platform_names[.] // .)) | join(", ")) |"]) |
-.[]
\ No newline at end of file
diff --git a/accepted/2025/cve-schema/jq_queries/cves_by_product.jq b/accepted/2025/cve-schema/jq_queries/cves_by_product.jq
deleted file mode 100644
index db3934fa2..000000000
--- a/accepted/2025/cve-schema/jq_queries/cves_by_product.jq
+++ /dev/null
@@ -1,5 +0,0 @@
-( ["| Product | CVE ID |",
- "| ------- | ------ |"] +
-[.product_cves["dotnet-aspnetcore"][] |
- "| dotnet-aspnetcore | \(.) |"]) |
-.[]
diff --git a/accepted/2025/cve-schema/jq_queries/cves_by_release.jq b/accepted/2025/cve-schema/jq_queries/cves_by_release.jq
deleted file mode 100644
index 682e70641..000000000
--- a/accepted/2025/cve-schema/jq_queries/cves_by_release.jq
+++ /dev/null
@@ -1,5 +0,0 @@
-(["| Release | CVE ID |",
- "| ------- | ------ |"] +
- [.release_cves[$release][] |
- "| \($release) | \(.) |"]) |
-.[]
\ No newline at end of file
diff --git a/accepted/2025/cve-schema/jq_queries/cves_with_release_impact.jq b/accepted/2025/cve-schema/jq_queries/cves_with_release_impact.jq
deleted file mode 100644
index ed4117b24..000000000
--- a/accepted/2025/cve-schema/jq_queries/cves_with_release_impact.jq
+++ /dev/null
@@ -1,7 +0,0 @@
-. as $root |
- (["| CVE ID | Severity | Releases | Problem |",
- "| ------------- | -------- | -------- | ------- |"] +
- [$root.cves[] |
- .id as $cve |
- "| \($cve) | \(.severity) | \(($root.cve_releases[$cve] // []) | join(", ")) | \(.problem) |"]) |
- .[]
diff --git a/accepted/2025/cve-schema/jq_queries/cves_with_release_impact_enhanced.jq b/accepted/2025/cve-schema/jq_queries/cves_with_release_impact_enhanced.jq
deleted file mode 100644
index 16123c40a..000000000
--- a/accepted/2025/cve-schema/jq_queries/cves_with_release_impact_enhanced.jq
+++ /dev/null
@@ -1,8 +0,0 @@
-. as $root |
-($severity[0].items | map({(.string): .display_name}) | add) as $severity_names |
-(["| CVE ID | Severity | Releases | Problem |",
- "| ------------- | -------- | -------- | ------- |"] +
- [$root.cves[] |
- .id as $cve |
- "| \($cve) | \($severity_names[.severity] // .severity) | \(($root.cve_releases[$cve] // []) | join(", ")) | \(.problem) |"]) |
-.[]
\ No newline at end of file
diff --git a/accepted/2025/cve-schema/jq_queries/defensive_cve_lookup.jq b/accepted/2025/cve-schema/jq_queries/defensive_cve_lookup.jq
deleted file mode 100644
index d3347cf0a..000000000
--- a/accepted/2025/cve-schema/jq_queries/defensive_cve_lookup.jq
+++ /dev/null
@@ -1,3 +0,0 @@
-(.cve_releases[$cve] // ["Not found"]) |
- if . == ["Not found"] then "CVE \($cve) not in database"
- else "CVE \($cve) affects releases: \(join(", "))" end
diff --git a/accepted/2025/cve-schema/jq_queries/get_all_affected_products.jq b/accepted/2025/cve-schema/jq_queries/get_all_affected_products.jq
deleted file mode 100644
index 6b6d1bace..000000000
--- a/accepted/2025/cve-schema/jq_queries/get_all_affected_products.jq
+++ /dev/null
@@ -1,4 +0,0 @@
-(["| Product | Release |",
- "| ------- | ------- |"] +
- ([.products[] | "| \(.name) | \(.release) |"] | unique)) |
-.[]
diff --git a/accepted/2025/cve-schema/jq_queries/get_all_cve_ids.jq b/accepted/2025/cve-schema/jq_queries/get_all_cve_ids.jq
deleted file mode 100644
index 3563ef3c6..000000000
--- a/accepted/2025/cve-schema/jq_queries/get_all_cve_ids.jq
+++ /dev/null
@@ -1 +0,0 @@
-.cves[].id
\ No newline at end of file
diff --git a/accepted/2025/cve-schema/jq_queries/get_commits_for_cve.jq b/accepted/2025/cve-schema/jq_queries/get_commits_for_cve.jq
deleted file mode 100644
index ec0eba079..000000000
--- a/accepted/2025/cve-schema/jq_queries/get_commits_for_cve.jq
+++ /dev/null
@@ -1 +0,0 @@
-. as $root | .cve_commits[$cve][] | $root.commits[.].url
diff --git a/accepted/2025/cve-schema/jq_queries/get_commits_for_release.jq b/accepted/2025/cve-schema/jq_queries/get_commits_for_release.jq
deleted file mode 100644
index 6aabb7711..000000000
--- a/accepted/2025/cve-schema/jq_queries/get_commits_for_release.jq
+++ /dev/null
@@ -1 +0,0 @@
-. as $root | .release_cves[$release][] as $cve | $root.cve_commits[$cve][] | $root.commits[.].url
diff --git a/accepted/2025/cve-schema/jq_queries/get_cve_details.jq b/accepted/2025/cve-schema/jq_queries/get_cve_details.jq
deleted file mode 100644
index 360a4734e..000000000
--- a/accepted/2025/cve-schema/jq_queries/get_cve_details.jq
+++ /dev/null
@@ -1,4 +0,0 @@
-(["| CVE ID | Problem |",
- "| ------ | ------- |"] +
- [.cves[] | "| \(.id) | \(.problem) |"]) |
-.[]
\ No newline at end of file
diff --git a/accepted/2025/cve-schema/jq_queries/get_cves_by_severity.jq b/accepted/2025/cve-schema/jq_queries/get_cves_by_severity.jq
deleted file mode 100644
index 32ce9aa20..000000000
--- a/accepted/2025/cve-schema/jq_queries/get_cves_by_severity.jq
+++ /dev/null
@@ -1 +0,0 @@
-.cves[] | select(.severity == "critical") | .id
\ No newline at end of file
diff --git a/accepted/2025/cve-schema/jq_queries/get_fixed_versions_packages.jq b/accepted/2025/cve-schema/jq_queries/get_fixed_versions_packages.jq
deleted file mode 100644
index b73b6d673..000000000
--- a/accepted/2025/cve-schema/jq_queries/get_fixed_versions_packages.jq
+++ /dev/null
@@ -1,4 +0,0 @@
-(["| CVE ID | Package | Fixed |",
- "| ------ | ------- | ----- |"] +
- [.packages[] | "| \(.cve_id) | \(.name) | \(.fixed) |"]) |
- .[]
diff --git a/accepted/2025/cve-schema/jq_queries/get_fixed_versions_products.jq b/accepted/2025/cve-schema/jq_queries/get_fixed_versions_products.jq
deleted file mode 100644
index abbc31053..000000000
--- a/accepted/2025/cve-schema/jq_queries/get_fixed_versions_products.jq
+++ /dev/null
@@ -1,4 +0,0 @@
-(["| CVE ID | Product | Fixed |",
- "| ------ | ------- | ----- |"] +
- [.products[] | "| \(.cve_id) | \(.name) | \(.fixed) |"]) |
- .[]
diff --git a/accepted/2025/cve-schema/jq_queries/immediate_risk_assessment.jq b/accepted/2025/cve-schema/jq_queries/immediate_risk_assessment.jq
deleted file mode 100644
index fbda50492..000000000
--- a/accepted/2025/cve-schema/jq_queries/immediate_risk_assessment.jq
+++ /dev/null
@@ -1,5 +0,0 @@
-(["| CVE ID | Severity | Problem |",
- "| ------ | -------- | ------- |"] +
- [.cves[] | select(.severity == "critical") |
- "| \(.id) | 🚨 CRITICAL | \(.problem) |"]) |
-.[]
diff --git a/accepted/2025/cve-schema/jq_queries/most_vulnerable_component.jq b/accepted/2025/cve-schema/jq_queries/most_vulnerable_component.jq
deleted file mode 100644
index 6ff3db66d..000000000
--- a/accepted/2025/cve-schema/jq_queries/most_vulnerable_component.jq
+++ /dev/null
@@ -1,8 +0,0 @@
-(["| Component | CVE Count | CVEs |",
- "| --------- | --------- | ---- |"] +
-[[.products[], .packages[]] |
- group_by(.name) |
- map({name: .[0].name, count: length, cves: map(.cve_id) | unique}) |
- sort_by(.count) | reverse |
- .[] | "| \(.name) | \(.count) | \(.cves | join(", ")) |"]) |
-.[]
diff --git a/accepted/2025/cve-schema/jq_queries/packages_requiring_immediate_attention.jq b/accepted/2025/cve-schema/jq_queries/packages_requiring_immediate_attention.jq
deleted file mode 100644
index 9eff3117b..000000000
--- a/accepted/2025/cve-schema/jq_queries/packages_requiring_immediate_attention.jq
+++ /dev/null
@@ -1,8 +0,0 @@
-. as $root |
- [$root.cves[] | select(.severity == "critical") | .id] as $critical_cves |
- (["| CVE ID | Package |",
- "| ------------- | ------- |"] +
- [$root.packages[] |
- select(.cve_id as $cve | $critical_cves | contains([$cve])) |
- "| \(.cve_id) | \(.name) |"]) |
- .[]
diff --git a/accepted/2025/cve-schema/jq_queries/patch_deployment_summary.jq b/accepted/2025/cve-schema/jq_queries/patch_deployment_summary.jq
deleted file mode 100644
index 34ee524de..000000000
--- a/accepted/2025/cve-schema/jq_queries/patch_deployment_summary.jq
+++ /dev/null
@@ -1,12 +0,0 @@
-. as $root |
- [.products[], .packages[]] |
- map(select(.release == "8.0")) |
- group_by(.name) |
- map({
- id: .[0].name,
- name: ($root.product_name[.[0].name] // .[0].name),
- versions: [.[] | .fixed] | unique | sort
- }) |
- (["| Version | Component |", "| ------- | --------- |"] +
- map("| \(.versions | last) | \(.name) |")) |
- .[]
diff --git a/accepted/2025/cve-schema/jq_queries/platform_display_names.jq b/accepted/2025/cve-schema/jq_queries/platform_display_names.jq
deleted file mode 100644
index 13b4a3f3d..000000000
--- a/accepted/2025/cve-schema/jq_queries/platform_display_names.jq
+++ /dev/null
@@ -1 +0,0 @@
-"Available platforms: all"
diff --git a/accepted/2025/cve-schema/jq_queries/product_descriptions.jq b/accepted/2025/cve-schema/jq_queries/product_descriptions.jq
deleted file mode 100644
index fe29aa3f8..000000000
--- a/accepted/2025/cve-schema/jq_queries/product_descriptions.jq
+++ /dev/null
@@ -1 +0,0 @@
-.product_name["dotnet-runtime"] // "dotnet-runtime"
diff --git a/accepted/2025/cve-schema/jq_queries/product_report_with_names.jq b/accepted/2025/cve-schema/jq_queries/product_report_with_names.jq
deleted file mode 100644
index e5849a223..000000000
--- a/accepted/2025/cve-schema/jq_queries/product_report_with_names.jq
+++ /dev/null
@@ -1,5 +0,0 @@
-(["| Product | CVEs |",
- "| ------- | ---- |"] +
- [.product_cves | to_entries[] |
- "| \(.key) | \(.value | length) |"]) |
-.[]
diff --git a/accepted/2025/cve-schema/jq_queries/product_report_with_names_enhanced.jq b/accepted/2025/cve-schema/jq_queries/product_report_with_names_enhanced.jq
deleted file mode 100644
index f0fcc28a3..000000000
--- a/accepted/2025/cve-schema/jq_queries/product_report_with_names_enhanced.jq
+++ /dev/null
@@ -1,6 +0,0 @@
-($products[0].items | map({(.string): .display_name}) | add) as $product_names |
-(["| Product | CVEs |",
- "| ------- | ---- |"] +
- [.product_cves | to_entries[] |
- "| \($product_names[.key] // .key) | \(.value | length) |"]) |
-.[]
\ No newline at end of file
diff --git a/accepted/2025/cve-schema/jq_queries/release_independent_packages.jq b/accepted/2025/cve-schema/jq_queries/release_independent_packages.jq
deleted file mode 100644
index ce960c564..000000000
--- a/accepted/2025/cve-schema/jq_queries/release_independent_packages.jq
+++ /dev/null
@@ -1,7 +0,0 @@
-.packages[] |
- select(.release == "") |
- [{cve: .cve_id, version: .fixed, name: .name}] |
- (["| CVE ID | Version | Package |",
- "| ------------- | ------- | ------- |"] +
- [.[] | "| \(.cve) | \(.version) | \(.name) |"]) |
- .[]
diff --git a/accepted/2025/cve-schema/jq_queries/releases_by_cve.jq b/accepted/2025/cve-schema/jq_queries/releases_by_cve.jq
deleted file mode 100644
index 3e197408d..000000000
--- a/accepted/2025/cve-schema/jq_queries/releases_by_cve.jq
+++ /dev/null
@@ -1,5 +0,0 @@
-(["| CVE ID | Release |",
- "| ------ | ------- |"] +
- [.cve_releases[$cve][] |
- "| \($cve) | \(.) |"]) |
-.[]
\ No newline at end of file
diff --git a/accepted/2025/cve-schema/jq_queries/repository_commit_summary.jq b/accepted/2025/cve-schema/jq_queries/repository_commit_summary.jq
deleted file mode 100644
index 169803cbb..000000000
--- a/accepted/2025/cve-schema/jq_queries/repository_commit_summary.jq
+++ /dev/null
@@ -1,13 +0,0 @@
-. as $root |
- .commits |
- to_entries |
- group_by(.value.repo) |
- map({
- repo: .[0].value.repo,
- commits: [.[] | .key] | length,
- cves: ([.[] | .key as $hash | $root.cve_commits | to_entries[] | select(.value[] == $hash) | .key] | unique | length)
- }) |
- (["| Repository | Commits | CVEs |",
- "| ---------- | ------- | ---- |"] +
- [.[] | "| \(.repo) | \(.commits) | \(.cves) |"]) |
- .[]
diff --git a/accepted/2025/cve-schema/jq_queries/safe_version_queries.jq b/accepted/2025/cve-schema/jq_queries/safe_version_queries.jq
deleted file mode 100644
index 16d5eb201..000000000
--- a/accepted/2025/cve-schema/jq_queries/safe_version_queries.jq
+++ /dev/null
@@ -1 +0,0 @@
-(.release_cves[$release] // []) | length
diff --git a/accepted/2025/cve-schema/jq_queries/security_advisory_full_taxonomy.jq b/accepted/2025/cve-schema/jq_queries/security_advisory_full_taxonomy.jq
deleted file mode 100644
index 05a901200..000000000
--- a/accepted/2025/cve-schema/jq_queries/security_advisory_full_taxonomy.jq
+++ /dev/null
@@ -1,15 +0,0 @@
-(["| Metric | Value |",
- "| ------ | ----- |",
- "| Total CVEs | \(.cves | length) |",
- "| Critical CVEs | \(.cves | map(select(.severity == "critical")) | length) |"] +
- [""] +
- ["| Product | CVE Count |",
- "| ------- | --------- |"] +
- [.product_cves | to_entries[] |
- "| \(.key) | \(.value | length) |"] +
- [""] +
- ["| CVE ID | Severity | Problem | Platforms | Disclosed |",
- "| ------ | -------- | ------- | --------- | --------- |"] +
- [.cves[] |
- "| \(.id) | \(.severity) | \(.problem) | \(.platforms | join(", ")) | \(.disclosed) |"]) |
-.[]
diff --git a/accepted/2025/cve-schema/jq_queries/severity_display_name_lookup.jq b/accepted/2025/cve-schema/jq_queries/severity_display_name_lookup.jq
deleted file mode 100644
index 275f7d69a..000000000
--- a/accepted/2025/cve-schema/jq_queries/severity_display_name_lookup.jq
+++ /dev/null
@@ -1 +0,0 @@
-"critical severity level found in data"
diff --git a/accepted/2025/cve-schema/jq_queries/taxonomy_originals/cve_report_with_display_names.jq b/accepted/2025/cve-schema/jq_queries/taxonomy_originals/cve_report_with_display_names.jq
deleted file mode 100644
index 9bd03aa78..000000000
--- a/accepted/2025/cve-schema/jq_queries/taxonomy_originals/cve_report_with_display_names.jq
+++ /dev/null
@@ -1,9 +0,0 @@
-. as $cve_data |
- ($severity[0].items | map({(.string): .display_name}) | add) as $severity_names |
- ($platforms[0].items | map({(.string): .display_name}) | add) as $platform_names |
-
- (["| CVE ID | Enhanced Severity | Enhanced Platforms | Problem |",
- "| ------ | ---------------- | ------------------ | ------- |"] +
- [$cve_data.cves[] |
- "| \(.id) | \($severity_names[.severity] // .severity) | \((.platforms | map($platform_names[.] // .)) | join(", ")) | \(.problem) |"]) |
- .[]
diff --git a/accepted/2025/cve-schema/jq_queries/taxonomy_originals/product_report_with_names.jq b/accepted/2025/cve-schema/jq_queries/taxonomy_originals/product_report_with_names.jq
deleted file mode 100644
index 6ea736205..000000000
--- a/accepted/2025/cve-schema/jq_queries/taxonomy_originals/product_report_with_names.jq
+++ /dev/null
@@ -1,8 +0,0 @@
-. as $cve_data |
- ($products[0].items | map({(.string): .display_name}) | add) as $product_names |
-
- (["| Product Code | Full Display Name | CVEs |",
- "| ------------ | ----------------- | ---- |"] +
- [$cve_data.product_cves | to_entries[] |
- "| \(.key) | \($product_names[.key] // .key) | \(.value | length) |"]) |
- .[]
diff --git a/accepted/2025/cve-schema/jq_queries/taxonomy_originals/validate_severity_mappings.jq b/accepted/2025/cve-schema/jq_queries/taxonomy_originals/validate_severity_mappings.jq
deleted file mode 100644
index a2ee8109a..000000000
--- a/accepted/2025/cve-schema/jq_queries/taxonomy_originals/validate_severity_mappings.jq
+++ /dev/null
@@ -1,6 +0,0 @@
-. as $cve_data |
- ($severity[0].items | map(.string)) as $valid_severities |
- [$cve_data.cves[].severity] | unique |
- map(select(. as $s | $valid_severities | contains([$s]) | not)) |
- if length > 0 then "❌ Missing severity mappings: \(join(", "))"
- else "βœ… All severities have taxonomy entries" end
diff --git a/accepted/2025/cve-schema/jq_queries/validate_platform_mappings.jq b/accepted/2025/cve-schema/jq_queries/validate_platform_mappings.jq
deleted file mode 100644
index ce9e932f9..000000000
--- a/accepted/2025/cve-schema/jq_queries/validate_platform_mappings.jq
+++ /dev/null
@@ -1,3 +0,0 @@
-[.cves[].platforms[] // empty] | unique |
-if length > 0 then "βœ… Found platforms: \(join(", "))"
-else "❌ No platform data found" end
diff --git a/accepted/2025/cve-schema/jq_queries/validate_product_mappings.jq b/accepted/2025/cve-schema/jq_queries/validate_product_mappings.jq
deleted file mode 100644
index 2d08b2afa..000000000
--- a/accepted/2025/cve-schema/jq_queries/validate_product_mappings.jq
+++ /dev/null
@@ -1,3 +0,0 @@
-[.products[].name] | unique |
-if length > 0 then "βœ… Found products: \(join(", "))"
-else "❌ No product data found" end
diff --git a/accepted/2025/cve-schema/jq_queries/validate_severity_mappings.jq b/accepted/2025/cve-schema/jq_queries/validate_severity_mappings.jq
deleted file mode 100644
index 332c0ce62..000000000
--- a/accepted/2025/cve-schema/jq_queries/validate_severity_mappings.jq
+++ /dev/null
@@ -1,3 +0,0 @@
-[.cves[].severity] | unique |
-if length > 0 then "βœ… Found severity levels: \(join(", "))"
-else "❌ No severity data found" end
diff --git a/accepted/2025/cve-schema/jq_queries_with_taxonomy.sh b/accepted/2025/cve-schema/jq_queries_with_taxonomy.sh
deleted file mode 100755
index d27f77557..000000000
--- a/accepted/2025/cve-schema/jq_queries_with_taxonomy.sh
+++ /dev/null
@@ -1,87 +0,0 @@
-#!/bin/bash
-
-# CVE Advanced Taxonomy Query Runner Script
-# This script demonstrates how to use external taxonomy JSON files for enhanced display names
-# The main jq_query.sh script runs all queries with the data available in cve.json
-# This script is optional and shows how queries would work with external taxonomy files
-
-set -e
-
-CVE_FILE="cve.json"
-
-# Check if cve.json exists
-if [[ ! -f "$CVE_FILE" ]]; then
- echo "Error: $CVE_FILE not found in current directory"
- exit 1
-fi
-
-echo "Running enhanced CVE taxonomy queries with external files"
-echo "========================================================"
-echo "This script uses taxonomy integration queries that require external JSON files"
-echo "for enhanced display names: severity.json, platforms.json, products.json"
-echo
-
-# Check if required taxonomy files exist
-if [[ ! -f "severity.json" ]]; then
- echo "Error: severity.json not found in current directory"
- exit 1
-fi
-
-if [[ ! -f "platforms.json" ]]; then
- echo "Error: platforms.json not found in current directory"
- exit 1
-fi
-
-if [[ ! -f "products.json" ]]; then
- echo "Error: products.json not found in current directory"
- exit 1
-fi
-
-echo "βœ… Using existing taxonomy files: severity.json, platforms.json, products.json"
-
-echo
-
-echo "=== PLATFORM-SPECIFIC ANALYSIS ==="
-
-echo
-echo "--- cves_by_platform ---"
-jq -r --slurpfile platforms platforms.json '
-($platforms[0].items | map({(.string): .display_name}) | add) as $platform_names |
-(["| CVE ID | Platforms |",
- "| ------------- | --------- |"] +
- [.cves[] |
- "| \(.id) | \((.platforms | map($platform_names[.] // .)) | join(", ")) |"]) |
-.[]' "$CVE_FILE"
-
-echo
-echo "=== RISK ASSESSMENT ==="
-
-echo
-echo "--- cves_with_release_impact ---"
-jq -r --slurpfile severity severity.json '
-. as $root |
-($severity[0].items | map({(.string): .display_name}) | add) as $severity_names |
-(["| CVE ID | Severity | Releases | Problem |",
- "| ------------- | -------- | -------- | ------- |"] +
- [$root.cves[] |
- .id as $cve |
- "| \($cve) | \($severity_names[.severity] // .severity) | \(($root.cve_releases[$cve] // []) | join(", ")) | \(.problem) |"]) |
-.[]' "$CVE_FILE"
-
-
-echo
-echo "=== COMPONENT ANALYSIS ==="
-
-echo
-echo "--- product_report_with_names ---"
-jq -r --slurpfile products products.json '
-($products[0].items | map({(.string): .display_name}) | add) as $product_names |
-(["| Product | CVEs |",
- "| ------- | ---- |"] +
- [.product_cves | to_entries[] |
- "| \($product_names[.key] // .key) | \(.value | length) |"]) |
-.[]' "$CVE_FILE"
-
-echo
-echo "========================================"
-echo "βœ… Taxonomy queries completed using existing files!"
\ No newline at end of file
From f4d9745b2a5aaa83ded570b00bca913a18cdf08a Mon Sep 17 00:00:00 2001
From: Rich Lander <2608468+richlander@users.noreply.github.com>
Date: Thu, 8 Jan 2026 12:53:51 -0800
Subject: [PATCH 4/4] Update per feedback

---
 accepted/2025/cve-schema/cve_schema.md | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/accepted/2025/cve-schema/cve_schema.md b/accepted/2025/cve-schema/cve_schema.md
index 39de1f902..8ba65bc6d 100644
--- a/accepted/2025/cve-schema/cve_schema.md
+++ b/accepted/2025/cve-schema/cve_schema.md
@@ -473,22 +473,11 @@ The `platforms` field in CVE entries demonstrates this principle. Rather than al
 
 This approach ensures consistent queryability - tools can reliably filter platform-specific CVEs without needing to interpret missing fields as implicit "all platforms" assumptions.
 
-#### 7.3. Architecture Specification
-
-The `architectures` field in CVE entries follows the same explicit specification principle as platforms:
-
-- **Explicit specification required**: All CVE entries MUST include an `architectures` field
-- **Use "all" for cross-architecture vulnerabilities**: When a vulnerability affects all supported architectures, use `["all"]` rather than omitting the field
-- **Specific architectures when limited**: Use specific architecture names (e.g., `["x64"]`, `["arm64"]`, `["x86"]`) when the vulnerability affects only those architectures
-- **Multiple specific architectures**: Use arrays like `["x64", "arm64"]` when affecting multiple but not all architectures
-
-This ensures consistent queryability for architecture-specific vulnerability analysis and deployment planning.
-
 #### 7.2. Release Field Specification
 
 The `release` field in products and packages entries follows the same principle to simplify query patterns:
 
-- **Always present**: All product and package entries MUST include a `release` field
+- **Always present**: All product entries MUST include a `release` field (optional on package entries)
 - **Empty string for release-independent components**: Packages not tied to a specific .NET release family use `""` rather than `null`
 - **Specific release families**: Use standard release identifiers like `"6.0"`, `"8.0"` for components tied to those releases
 
@@ -508,6 +497,17 @@ With explicit empty strings:
 jq -r '.packages[] | select(.release == "") | .name'
 ```
 
+#### 7.3. Architecture Specification
+
+The `architectures` field in CVE entries follows the same explicit specification principle as platforms:
+
+- **Explicit specification required**: All CVE entries MUST include an `architectures` field
+- **Use "all" for cross-architecture vulnerabilities**: When a vulnerability affects all supported architectures, use `["all"]` rather than omitting the field
+- **Specific architectures when limited**: Use specific architecture names (e.g., `["x64"]`, `["arm64"]`, `["x86"]`) when the vulnerability affects only those architectures
+- **Multiple specific architectures**: Use arrays like `["x64", "arm64"]` when affecting multiple but not all architectures
+
+This ensures consistent queryability for architecture-specific vulnerability analysis and deployment planning.
+
 ### 8. Challenges
 
 The schema attempts to offer clear currency for queries, with well-defined primary/foreign key relationships. `cve[].id` is a good example. There are some properties in the schema that don't work as well and may cause problems..