
Commit e2641ea

Added patterns to prevent string values from start or ending with whitespace. Resolves CVEProject#232
1 parent 76a8bb2 commit e2641ea


1 file changed

+46
-23
lines changed


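--- a/schema/v5.0/CVE_JSON_5.0_schema.json
+++ b/schema/v5.0/CVE_JSON_5.0_schema.json
@@ -29,7 +29,8 @@
 "description": "User created name for the reference, often the title of the page.",
 "type": "string",
 "maxLength": 512,
-"minLength": 1
+"minLength": 1,
+"pattern": "^(?:\\S|\\S.*\\S)$"
 },
 "tags": {
 "description": "An array of one or more tags that describe the resource referenced by 'url'.",
@@ -66,7 +67,8 @@
 "description": "A 2-32 character name that can be used to complement an organization's UUID.",
 "type": "string",
 "minLength": 2,
-"maxLength": 32
+"maxLength": 32,
+"pattern": "^(?:\\S|\\S.*\\S)$"
 },
 "datestamp": {
 "description": "Date/time format based on RFC3339 and ISO ISO8601.",
@@ -84,7 +86,8 @@
 "description": "A single version of a product, as expressed in its own version numbering scheme.",
 "type": "string",
 "minLength": 1,
-"maxLength": 1024
+"maxLength": 1024,
+"pattern": "^(?:\\S|\\S.*\\S)$"
 },
 "status": {
 "description": "The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.",
@@ -119,7 +122,8 @@
 "type": "string",
 "description": "Name of the affected product.",
 "minLength": 1,
-"maxLength": 2048
+"maxLength": 2048,
+"pattern": "^(?:\\S|\\S.*\\S)$"
 },
 "collectionURL": {
 "description": "URL identifying a package collection (determines the meaning of packageName).",
@@ -204,7 +208,7 @@
 "title": "CPE Name",
 "type": "string",
 "description":"Common Platform Enumeration (CPE) Name in either 2.2 or 2.3 format",
-"pattern": "([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9._\\-~%]*){0,6})|(cpe:2\\.3:[aho*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){4})",
+"pattern": "^([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9._\\-~%]*){0,6})|(cpe:2\\.3:[aho*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){4})$",
 "minLength": 1,
 "maxLength": 2048
 }
@@ -217,7 +221,8 @@
 "type": "string",
 "description": "Name of the affected component, feature, module, sub-component, sub-product, API, command, utility, program, or functionality (optional).",
 "minLength": 1,
-"maxLength": 4096
+"maxLength": 4096,
+"pattern": "^(?:\\S|\\S.*\\S)$"
 }
 },
 "programFiles": {
@@ -228,7 +233,8 @@
 "description": "Name or path or location of the affected source code file.",
 "type": "string",
 "minLength": 1,
-"maxLength": 1024
+"maxLength": 1024,
+"pattern": "^(?:\\S|\\S.*\\S)$"
 }
 },
 "programRoutines": {
@@ -246,7 +252,8 @@
 "type": "string",
 "description": "Name of the affected source code file, function, method, subroutine, or procedure.",
 "minLength": 1,
-"maxLength": 4096
+"maxLength": 4096,
+"pattern": "^(?:\\S|\\S.*\\S)$"
 }
 }
 }
@@ -310,6 +317,7 @@
 "description": "The version numbering system used for specifying the range. This defines the exact semantics of the comparison (less-than) operation on versions, which is required to understand the range itself. 'Custom' indicates that the version type is unspecified and should be avoided whenever possible. It is included primarily for use in conversion of older data files.",
 "minLength": 1,
 "maxLength": 128,
+"pattern": "^(?:\\S|\\S.*\\S)$",
 "examples": [
 "custom",
 "git",
@@ -506,7 +514,8 @@
 "type": "string",
 "description": "A title, headline, or a brief phrase summarizing the CVE record. Eg., Buffer overflow in Example Soft.",
 "minLength": 1,
-"maxLength": 256
+"maxLength": 256,
+"pattern": "^(?:\\S|\\S.*\\S)$"
 },
 "descriptions": {
 "$ref": "#/definitions/descriptions"
@@ -610,7 +619,8 @@
 "type": "string",
 "description": "A title, headline, or a brief phrase summarizing the information in an ADP container.",
 "minLength": 1,
-"maxLength": 256
+"maxLength": 256,
+"pattern": "^(?:\\S|\\S.*\\S)$"
 },
 "descriptions": {
 "$ref": "#/definitions/descriptions"
@@ -698,6 +708,7 @@
 "title": "Media type",
 "minLength": 1,
 "maxLength": 256,
+"pattern": "^(?:\\S|\\S.*\\S)$",
 "description": "RFC2046 compliant IANA Media type for eg., text/markdown, text/html.",
 "examples": [
 "text/markdown",
@@ -717,7 +728,8 @@
 "type": "string",
 "description": "Supporting media content, up to 16K. If base64 is true, this field stores base64 encoded data.",
 "minLength": 1,
-"maxLength": 16384
+"maxLength": 16384,
+"pattern": "^(?:\\S|\\S.*\\S)$"
 }
 },
 "required": [
@@ -773,7 +785,8 @@
 "type": "string",
 "description": "Text description of problemType, or title from CWE or OWASP.",
 "minLength": 1,
-"maxLength": 4096
+"maxLength": 4096,
+"pattern": "^(?:\\S|\\S.*\\S)$"
 },
 "cweId": {
 "type": "string",
@@ -786,7 +799,8 @@
 "type": "string",
 "description": "Problemtype source, text, OWASP, CWE, etc.,",
 "minLength": 1,
-"maxLength": 128
+"maxLength": 128,
+"pattern": "^(?:\\S|\\S.*\\S)$"
 },
 "references": {"$ref": "#/definitions/references"}
 },
@@ -862,7 +876,8 @@
 "type": "string",
 "description": "Name of the scoring format. This provides a bit of future proofing. Additional properties are not prohibited, so this will support the inclusion of proprietary formats. It also provides an easy future conversion mechanism when future score formats become part of the schema. example: cvssV44, format = 'cvssV44', other = cvssV4_4 JSON object. In the future, the other properties can be converted to score properties when they become part of the schema.",
 "minLength": 1,
-"maxLength": 64
+"maxLength": 64,
+"pattern": "^(?:\\S|\\S.*\\S)$"
 },
 "scenarios": {
 "type": "array",
@@ -878,7 +893,8 @@
 "default": "GENERAL",
 "description": "Description of the scenario this metrics object applies to. If no specific scenario is given, GENERAL is used as the default and applies when no more specific metric matches.",
 "minLength": 1,
-"maxLength": 4096
+"maxLength": 4096,
+"pattern": "^(?:\\S|\\S.*\\S)$"
 }
 },
 "required": [
@@ -902,7 +918,8 @@
 "description": "Name of the non-standard impact metrics format used.",
 "type": "string",
 "minLength": 1,
-"maxLength": 128
+"maxLength": 128,
+"pattern": "^(?:\\S|\\S.*\\S)$"
 },
 "content": {
 "type": "object",
@@ -997,7 +1014,8 @@
 "value": {
 "type": "string",
 "minLength": 1,
-"maxLength": 4096
+"maxLength": 4096,
+"pattern": "^(?:\\S|\\S.*\\S)$"
 },
 "user": {
 "description": "UUID of the user being credited if present in the CVE User Registry (optional). This UUID can be used to lookup the user record in the user registry service.",
@@ -1061,17 +1079,19 @@
 "type": "string",
 "description": "The name of the taxonomy.",
 "minLength": 1,
-"maxLength": 128
+"maxLength": 128,
+"pattern": "^(?:\\S|\\S.*\\S)$"
 },
 "taxonomyVersion": {
 "type": "string",
 "description": "The version of taxonomy the identifiers come from.",
 "minLength": 1,
-"maxLength": 128
+"maxLength": 128,
+"pattern": "^(?:\\S|\\S.*\\S)$"
 },
 "taxonomyRelations": {
 "type": "array",
-"description": "",
+"description": "The taxonomy relationship type.",
 "minItems": 1,
 "uniqueItems": true,
 "items": {
@@ -1087,19 +1107,22 @@
 "type": "string",
 "description": "Identifier of the item in the taxonomy. Used as the subject of the relationship.",
 "minLength": 1,
-"maxLength": 2048
+"maxLength": 2048,
+"pattern": "^(?:\\S|\\S.*\\S)$"
 },
 "relationshipName": {
 "type": "string",
 "description": "A description of the relationship.",
 "minLength": 1,
-"maxLength": 128
+"maxLength": 128,
+"pattern": "^(?:\\S|\\S.*\\S)$"
 },
 "relationshipValue": {
 "type": "string",
 "description": "The target of the relationship. Can be the CVE ID or another taxonomy identifier.",
 "minLength": 1,
-"maxLength": 2048
+"maxLength": 2048,
+"pattern": "^(?:\\S|\\S.*\\S)$"
 }
 }
 }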
