Fix CVE schema taxonomy violations: lowercase severity, document product_name index, add repos.json

accepted/2025/cve-schema/cve.json

@@ -12,7 +12,7 @@
         "version": "3.1",
         "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C",
         "score": 7.5,
-        "severity": "HIGH"
+        "severity": "high"
       },
       "timeline": {
         "disclosure": {
@@ -51,7 +51,7 @@
         "version": "3.1",
         "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
         "score": 8.1,
-        "severity": "HIGH"
+        "severity": "high"
       },
       "timeline": {
         "disclosure": {
@@ -106,7 +106,7 @@
         "version": "3.1",
         "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
         "score": 7.3,
-        "severity": "HIGH"
+        "severity": "high"
       },
       "timeline": {
         "disclosure": {
@@ -161,7 +161,7 @@
         "version": "3.1",
         "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C",
         "score": 7.5,
-        "severity": "HIGH"
+        "severity": "high"
       },
       "timeline": {
         "disclosure": {
@@ -367,15 +367,15 @@
     ]
   },
   "severity_cves": {
-    "CRITICAL": [],
-    "HIGH": [
+    "critical": [],
+    "high": [
       "CVE-2024-30105",
       "CVE-2024-35264",
       "CVE-2024-38081",
       "CVE-2024-38095"
     ],
-    "MEDIUM": [],
-    "LOW": []
+    "medium": [],
+    "low": []
   },
   "cve_releases": {
     "CVE-2024-30105": [

accepted/2025/cve-schema/dotnet-cves-schema.json

@@ -59,7 +59,7 @@
                 "default": 0.0
               },
               "severity": {
-                "description": "CVSS severity rating (low/medium/high/critical) derived from base score.",
+                "description": "CVSS severity rating derived from base score, using lowercase taxonomy strings matching severity.json (low/medium/high/critical).",
                 "type": "string",
                 "default": ""
               },
@@ -399,7 +399,7 @@
       "default": null
     },
     "product_name": {
-      "description": "Dictionary of product display names, keyed by product name.",
+      "description": "Computed projection of products.json mapping product slugs to display names, generated at file-creation time. The authoritative source is products.json.",
       "type": [
         "object",
         "null"
@@ -455,7 +455,7 @@
       "default": null
     },
     "severity_cves": {
-      "description": "Dictionary of CVE IDs grouped by severity threshold. Each key includes CVEs with that severity or higher (CRITICAL, HIGH, MEDIUM, LOW).",
+      "description": "Dictionary of CVE IDs grouped by severity. Keys use lowercase taxonomy strings (critical, high, medium, low) matching severity.json.",
       "type": [
         "object",
         "null"

accepted/2025/cve-schema/dotnet-guidance.md

@@ -10,6 +10,7 @@ The taxonomy is organized into separate JSON files by category:
 - [architectures.json](architectures.json) - Supported processor architectures
 - [severity.json](severity.json) - CVE severity levels
 - [cnas.json](cnas.json) - CVE Numbering Authorities
+- [repos.json](repos.json) - GitHub repositories containing .NET source code
 
 These "taxonomy" strings will always use kebab-case-lower format. It is important that they are in a consistent format to enable them to be used as convenient query currency. Brand names, like macOS or Windows, will also use kebab-case-lower. The JSON file mentioned above will include display names to bridge the divide between query currency and expected display format. An exception is package names. They will be recorded with the official casing as displayed on nuget.org.
 
@@ -59,10 +60,35 @@ There is no affordance for specifying an OS version, for example describing a .N
 
 There is no addordance for specifying a architecture version, for example describing a .NET vulnerability specific to Armv8.2 and not Armv8.1. Such a scenario would be very unique and unnecessarily complicate the schema and schema readers. If such a scenario ever occurs, the `description` property will be used to clarify this nuance.
 
+## Repos
+
+The `repo` field in the `commits{}` dictionary uses short repository names (e.g., `runtime`, `aspnetcore`). These names are formally defined in `repos.json`, which maps each repo identifier to its owning organization and the product it belongs to.
+
+The `product` field in each `repos.json` entry bridges the commit key namespace (e.g., `runtime@979135d`) to the products taxonomy, enabling consumers to resolve a commit to a product slug without hardcoding the mapping.
+
+- `runtime` -- The .NET runtime (`dotnet-runtime`)
+- `aspnetcore` -- The ASP.NET Core runtime (`dotnet-aspnetcore`)
+- `sdk` -- The .NET SDK (`dotnet-sdk`)
+- `winforms` -- Windows Forms (`dotnet-windows-desktop`)
+- `wpf` -- WPF (`dotnet-windows-desktop`)
+
 ## References
 
 Each CVE will include one or more references, in a `string[]`. The first reference will be the `dotnet/announcements` issue that is the primary GitHub disclosure.
 
+## Indexes
+
+The CVE JSON file includes several pre-computed index dictionaries to simplify lookups without requiring consumers to traverse the full `disclosures`, `products`, and `packages` arrays. These are generated at file-creation time and should not be maintained separately from the source data.
+
+The `product_name{}` index is a computed projection of `products.json`, mapping product slugs to their display names. It is included as a convenience so consumers do not need to load a separate taxonomy file to render human-readable product names. The authoritative source for product slugs and display names is `products.json`.
+
+```json
+"product_name": {
+  "dotnet-aspnetcore": "ASP.NET Core Runtime",
+  "dotnet-runtime": ".NET Runtime Libraries"
+}
+```
+
 ## Commits
 
 The schema stores commit details in a `commits{}` dictionary, with products and packages referencing commits by key. The schema does not prescribe a specific key format—the full 40-character commit hash would be an obvious choice. However, Microsoft uses a compact `repo@shortcommit` format:
@@ -102,7 +128,7 @@ The following CVE object describes a CVE that affects all platforms and architec
         "version": "3.1",
         "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C",
         "score": 7.5,
-        "severity": "HIGH"
+        "severity": "high"
       },
       "timeline": {
         "disclosure": {

accepted/2025/cve-schema/repos.json

@@ -0,0 +1,36 @@
+{
+  "category": "repos",
+  "description": "GitHub repositories that contain .NET source code",
+  "items": [
+    {
+      "string": "runtime",
+      "org": "dotnet",
+      "display_name": ".NET Runtime",
+      "product": "dotnet-runtime"
+    },
+    {
+      "string": "aspnetcore",
+      "org": "dotnet",
+      "display_name": "ASP.NET Core",
+      "product": "dotnet-aspnetcore"
+    },
+    {
+      "string": "sdk",
+      "org": "dotnet",
+      "display_name": ".NET SDK",
+      "product": "dotnet-sdk"
+    },
+    {
+      "string": "winforms",
+      "org": "dotnet",
+      "display_name": "Windows Forms",
+      "product": "dotnet-windows-desktop"
+    },
+    {
+      "string": "wpf",
+      "org": "dotnet",
+      "display_name": "WPF",
+      "product": "dotnet-windows-desktop"
+    }
+  ]
+}