
schema.json "score" pattern too strict in metric ordering, optional metrics not recognised #168

Closed
frasertweedale opened this issue Jun 27, 2023 · 2 comments · Fixed by #178
Labels
bug Something isn't working

Comments


frasertweedale commented Jun 27, 2023

    "score": {
        "pattern": "CVSS:3\\.[0-9]\\/AV:[NALP]\\/AC:[LH]\\/PR:[NLH]\\/UI:[NR]\\/S:[UC]\\/C:[NLH]\\/I:[NLH]\\/A:[NLH]"
    }

Per CVSS v3.1 spec ( https://www.first.org/cvss/specification-document ) - emphasis mine:

A vector string should contain metrics in the order shown in Table 15, though other orderings are valid. All Base metrics must be included in a vector string. Temporal and Environmental metrics are optional, and omitted metrics are considered to have the value of Not Defined (X). Metrics with a value of Not Defined can be explicitly included in a vector string if desired. Programs reading CVSS v3.1 vector strings must accept metrics in any order and treat unspecified Temporal and Environmental as Not Defined. A vector string must not include the same metric more than once.

The JSON schema regex rejects many valid CVSS vector values.
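To make the spec rules quoted above concrete, here is a small parser that accepts metrics in any order, requires all Base metrics, treats omitted Temporal/Environmental metrics as Not Defined and rejects duplicates, placed beside the schema.json pattern quoted in the issue. This is an added example, not code from the OSV schema project; the metric and value tables are transcribed from the CVSS v3.1 specification.

```python
import re

# Metric name -> permitted single-letter values, from the CVSS v3.1 spec (Table 15).
BASE = {"AV": "NALP", "AC": "LH", "PR": "NLH", "UI": "NR",
        "S": "UC", "C": "NLH", "I": "NLH", "A": "NLH"}
TEMPORAL = {"E": "XUPFH", "RL": "XOTWU", "RC": "XURC"}
ENVIRONMENTAL = {"CR": "XLMH", "IR": "XLMH", "AR": "XLMH",
                 "MAV": "XNALP", "MAC": "XLH", "MPR": "XNLH", "MUI": "XNR",
                 "MS": "XUC", "MC": "XNLH", "MI": "XNLH", "MA": "XNLH"}
ALL_METRICS = {**BASE, **TEMPORAL, **ENVIRONMENTAL}

# The schema.json pattern quoted in the issue. JSON Schema patterns are not
# implicitly anchored, so re.search mirrors what a schema validator does.
STRICT = re.compile(
    r"CVSS:3\.[0-9]\/AV:[NALP]\/AC:[LH]\/PR:[NLH]\/UI:[NR]\/S:[UC]\/C:[NLH]\/I:[NLH]\/A:[NLH]")


def strict_accepts(vector: str) -> bool:
    """True if the original fixed-order schema pattern matches the vector."""
    return STRICT.search(vector) is not None


def parse_cvss3(vector: str) -> dict:
    """Parse a CVSS v3.0/v3.1 vector per the spec: any metric order, all Base
    metrics required, Temporal/Environmental optional (default X), no metric
    given twice, no unknown metrics. Raises ValueError on invalid input."""
    prefix, _, body = vector.partition("/")
    if not re.fullmatch(r"CVSS:3\.[01]", prefix):
        raise ValueError(f"bad version prefix: {prefix!r}")
    metrics = {}
    for part in body.split("/"):
        name, sep, value = part.partition(":")
        if not sep or name not in ALL_METRICS:
            raise ValueError(f"unknown metric: {part!r}")
        if len(value) != 1 or value not in ALL_METRICS[name]:
            raise ValueError(f"bad value for {name}: {value!r}")
        if name in metrics:
            raise ValueError(f"duplicate metric: {name}")
        metrics[name] = value
    missing = [m for m in BASE if m not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    # Omitted Temporal and Environmental metrics are Not Defined (X).
    for name in (*TEMPORAL, *ENVIRONMENTAL):
        metrics.setdefault(name, "X")
    return metrics
```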

@frasertweedale frasertweedale changed the title schema.json too strict in metric ordering, optional metrics not recognised schema.json "score" pattern too strict in metric ordering, optional metrics not recognised Jun 27, 2023
@oliverchang oliverchang added the bug Something isn't working label Jun 27, 2023
@oliverchang (Contributor) commented:

Thanks for reporting! Seems like this is very hard to validate with a regex then. @kurtseifried thoughts?

@kurtseifried (Contributor) commented:

This is why I made CVSS in the CVE schema a series of fields from day one:

https://github.com/CVEProject/cve-schema/blob/master/schema/v1.0/JSON-file-format-v1.md

{
    "CVSSv2": {
        "VERSION": "1.2",
        "BM": {
            "AV": "X",
            "AC": "X",
            "AU": "X",
            "C": "X",
            "I": "X",
            "A": "X",
            "SCORE": "N.N",
            "NOTES": "string"
        },
        "TM": {
            "E": "X",
            "RL": "X",
            "RC": "X",
            "SCORE": "N.N",
            "NOTES": "string"
        },
        "EM": {
            "CDP": "X",
            "TD": "X",
            "CR": "X",
            "IR": "X",
            "AR": "X",
            "SCORE": "N.N",
            "NOTES": "string"
        },
        "NOTES": "string"
    }
}

I guess a regex conditional expression could do the trick.

andrewpollock added a commit to andrewpollock/osv-schema that referenced this issue Jul 18, 2023
Based on conversation on ossf#168, the CVSS validation by pure regex is too strict, so remove.

Fixes: ossf#168

Signed-off-by: Andrew Pollock <[email protected]>
oliverchang pushed a commit that referenced this issue Jul 19, 2023
Based on conversation on #168, the CVSS validation by pure regex is too
strict, so remove.

Fixes: #168

Signed-off-by: Andrew Pollock <[email protected]>