4f536a2 has superfluous contains constraint #426
Description
Relative to 5.1.1, https://github.com/CVEProject/cve-schema/blob/4f536a2518e7a4acc28c615798e49dc287169edd/schema/CVE_Record_Format.json is described by the JSON Patch:
[
{
"op": "add",
"path": "/definitions/affected/contains",
"value": {
"anyOf": [
{
"required": [
"vendor",
"product"
]
},
{
"required": [
"collectionURL",
"packageName"
]
}
]
}
},
{
"op": "add",
"path": "/definitions/product/properties/artifactID",
"value": {
"type": "string",
"pattern": "^gitoid:blob:sha256:[0-9a-f]{64}$",
"description": "The OmniBOR Artifact ID of the artifact to be matched against.",
"examples": [
"gitoid:blob:sha256:9f64df92367881be21e23567a31a8ce01994d98b69d28917b5c132ce32a8e6c8",
"gitoid:blob:sha256:09c825ac02df9150e4f93d12ba1da5d1ff5846c3e62503c814aa3a300c535772",
"gitoid:blob:sha256:230f3515d1306690815bd9c3da0d15d8b6fcf43894d17100eb44b6d329a92f61"
]
}
},
{
"op": "add",
"path": "/definitions/product/properties/artifactType",
"value": {
"type": "string",
"enum": [
"artifact",
"buildInput"
],
"description": "Specifies how consumers of the Artifact ID should search for matches. If the 'target' is 'artifact', then the Artifact ID is identifying an artifact which should be searched for directly (for example, within a file system by matching against Artifact IDs for files). If the 'target' is 'build_input' then the Artifact ID is identifying a build input, and consumers should match the Artifact ID against IDs found in OmniBOR Input Manifests for their software."
}
}
]
Here, /definitions/affected/contains currently has no effect on what documents are valid according to the schema. Because every element of the affected array must have either vendor/product or collectionURL/packageName and minItems is 1, it is already true that "at least one" element of the affected array has either vendor/product or collectionURL/packageName.