From 51e7b1d99a7458de208b23b6703dbddc87c1add2 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 26 Mar 2026 23:29:22 +0000 Subject: [PATCH] Fix CVE schema taxonomy issues: lowercase severity, document product_name, add repos.json Agent-Logs-Url: https://github.com/dotnet/designs/sessions/612d843a-1a1e-4fe0-b48b-0f5908597717 Co-authored-by: richlander <2608468+richlander@users.noreply.github.com> --- accepted/2025/cve-schema/cve.json | 16 ++++----- .../2025/cve-schema/dotnet-cves-schema.json | 6 ++-- accepted/2025/cve-schema/dotnet-guidance.md | 28 ++++++++++++++- accepted/2025/cve-schema/repos.json | 36 +++++++++++++++++++ 4 files changed, 74 insertions(+), 12 deletions(-) create mode 100644 accepted/2025/cve-schema/repos.json diff --git a/accepted/2025/cve-schema/cve.json b/accepted/2025/cve-schema/cve.json index 54816abb3..799d00de1 100644 --- a/accepted/2025/cve-schema/cve.json +++ b/accepted/2025/cve-schema/cve.json @@ -12,7 +12,7 @@ "version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C", "score": 7.5, - "severity": "HIGH" + "severity": "high" }, "timeline": { "disclosure": { @@ -51,7 +51,7 @@ "version": "3.1", "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C", "score": 8.1, - "severity": "HIGH" + "severity": "high" }, "timeline": { "disclosure": { @@ -106,7 +106,7 @@ "version": "3.1", "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C", "score": 7.3, - "severity": "HIGH" + "severity": "high" }, "timeline": { "disclosure": { @@ -161,7 +161,7 @@ "version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C", "score": 7.5, - "severity": "HIGH" + "severity": "high" }, "timeline": { "disclosure": { @@ -367,15 +367,15 @@ ] }, "severity_cves": { - "CRITICAL": [], - "HIGH": [ + "critical": [], + "high": [ "CVE-2024-30105", "CVE-2024-35264", "CVE-2024-38081", "CVE-2024-38095" ], - "MEDIUM": [], - "LOW": [] + "medium": [], + "low": [] }, "cve_releases": { "CVE-2024-30105": [ diff --git a/accepted/2025/cve-schema/dotnet-cves-schema.json b/accepted/2025/cve-schema/dotnet-cves-schema.json index 5a73a5349..2f3feb30f 100644 --- a/accepted/2025/cve-schema/dotnet-cves-schema.json +++ b/accepted/2025/cve-schema/dotnet-cves-schema.json @@ -59,7 +59,7 @@ "default": 0.0 }, "severity": { - "description": "CVSS severity rating (low/medium/high/critical) derived from base score.", + "description": "CVSS severity rating derived from base score, using lowercase taxonomy strings matching severity.json (low/medium/high/critical).", "type": "string", "default": "" }, @@ -399,7 +399,7 @@ "default": null }, "product_name": { - "description": "Dictionary of product display names, keyed by product name.", + "description": "Computed projection of products.json mapping product slugs to display names, generated at file-creation time. The authoritative source is products.json.", "type": [ "object", "null" @@ -455,7 +455,7 @@ "default": null }, "severity_cves": { - "description": "Dictionary of CVE IDs grouped by severity threshold. Each key includes CVEs with that severity or higher (CRITICAL, HIGH, MEDIUM, LOW).", + "description": "Dictionary of CVE IDs grouped by severity. Keys use lowercase taxonomy strings (critical, high, medium, low) matching severity.json.", "type": [ "object", "null" diff --git a/accepted/2025/cve-schema/dotnet-guidance.md b/accepted/2025/cve-schema/dotnet-guidance.md index afff988ab..98736fe19 100644 --- a/accepted/2025/cve-schema/dotnet-guidance.md +++ b/accepted/2025/cve-schema/dotnet-guidance.md @@ -10,6 +10,7 @@ The taxonomy is organized into separate JSON files by category: - [architectures.json](architectures.json) - Supported processor architectures - [severity.json](severity.json) - CVE severity levels - [cnas.json](cnas.json) - CVE Numbering Authorities +- [repos.json](repos.json) - GitHub repositories containing .NET source code These "taxonomy" strings will always use kebab-case-lower format. It is important that they are in a consistent format to enable them to be used as convenient query currency. Brand names, like macOS or Windows, will also use kebab-case-lower. The JSON file mentioned above will include display names to bridge the divide between query currency and expected display format. An exception is package names. They will be recorded with the official casing as displayed on nuget.org. @@ -59,10 +60,35 @@ There is no affordance for specifying an OS version, for example describing a .N There is no addordance for specifying a architecture version, for example describing a .NET vulnerability specific to Armv8.2 and not Armv8.1. Such a scenario would be very unique and unnecessarily complicate the schema and schema readers. If such a scenario ever occurs, the `description` property will be used to clarify this nuance. +## Repos + +The `repo` field in the `commits{}` dictionary uses short repository names (e.g., `runtime`, `aspnetcore`). These names are formally defined in `repos.json`, which maps each repo identifier to its owning organization and the product it belongs to. + +The `product` field in each `repos.json` entry bridges the commit key namespace (e.g., `runtime@979135d`) to the products taxonomy, enabling consumers to resolve a commit to a product slug without hardcoding the mapping. + +- `runtime` -- The .NET runtime (`dotnet-runtime`) +- `aspnetcore` -- The ASP.NET Core runtime (`dotnet-aspnetcore`) +- `sdk` -- The .NET SDK (`dotnet-sdk`) +- `winforms` -- Windows Forms (`dotnet-windows-desktop`) +- `wpf` -- WPF (`dotnet-windows-desktop`) + ## References Each CVE will include one or more references, in a `string[]`. The first reference will be the `dotnet/announcements` issue that is the primary GitHub disclosure. +## Indexes + +The CVE JSON file includes several pre-computed index dictionaries to simplify lookups without requiring consumers to traverse the full `disclosures`, `products`, and `packages` arrays. These are generated at file-creation time and should not be maintained separately from the source data. + +The `product_name{}` index is a computed projection of `products.json`, mapping product slugs to their display names. It is included as a convenience so consumers do not need to load a separate taxonomy file to render human-readable product names. The authoritative source for product slugs and display names is `products.json`. + +```json +"product_name": { + "dotnet-aspnetcore": "ASP.NET Core Runtime", + "dotnet-runtime": ".NET Runtime Libraries" +} +``` + ## Commits The schema stores commit details in a `commits{}` dictionary, with products and packages referencing commits by key. The schema does not prescribe a specific key format—the full 40-character commit hash would be an obvious choice. However, Microsoft uses a compact `repo@shortcommit` format: @@ -102,7 +128,7 @@ The following CVE object describes a CVE that affects all platforms and architec "version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C", "score": 7.5, - "severity": "HIGH" + "severity": "high" }, "timeline": { "disclosure": { diff --git a/accepted/2025/cve-schema/repos.json b/accepted/2025/cve-schema/repos.json new file mode 100644 index 000000000..d5ff08481 --- /dev/null +++ b/accepted/2025/cve-schema/repos.json @@ -0,0 +1,36 @@ +{ + "category": "repos", + "description": "GitHub repositories that contain .NET source code", + "items": [ + { + "string": "runtime", + "org": "dotnet", + "display_name": ".NET Runtime", + "product": "dotnet-runtime" + }, + { + "string": "aspnetcore", + "org": "dotnet", + "display_name": "ASP.NET Core", + "product": "dotnet-aspnetcore" + }, + { + "string": "sdk", + "org": "dotnet", + "display_name": ".NET SDK", + "product": "dotnet-sdk" + }, + { + "string": "winforms", + "org": "dotnet", + "display_name": "Windows Forms", + "product": "dotnet-windows-desktop" + }, + { + "string": "wpf", + "org": "dotnet", + "display_name": "WPF", + "product": "dotnet-windows-desktop" + } + ] +}