CVEProject / cve-schema

This repository is used for the development of the CVE JSON record format. Releases of the CVE JSON record format will also be published here. This repository is managed by the CVE Quality Working Group.


5.1.0 accepts versionType semver for non-semver lessThan

ElectricNroff opened this issue

(this is similar to #263 but is intended to capture the CVE Records and CNAs that use semver such that the "version" field is correct but a "lessThan" field is incorrect, e.g., version=1.2.3 but lessThan=5.6 or lessThanOrEqual=7.8.9.0)

At the 2023-12-14 TWG meeting, the discussion suggested that, during testing of the 5.1.0 schema, any CVE Record that validated even though the record format was not "intended" would be considered a "loophole."

As far as I know, it was not intended that a provider use "versionType":"semver" if the value of the lessThan or lessThanOrEqual property does not comply with the https://semver.org/ specification. The one exception is that the value of a lessThan/lessThanOrEqual property can have an asterisk because this is defined by https://github.com/CVEProject/cve-schema/blob/master/schema/v5.0/docs/versions.md to convey information about unbounded upper limits.

minimal/plausible test case (the CNA uses "2" where "2.0.0" is required by the semver specification)

{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2025-0001",
"assignerOrgId":"b3476cb9-2e3d-41a6-98d0-0f47421a65b6","state":"PUBLISHED"},
"containers":{"cna":{"providerMetadata":{"orgId":"b3476cb9-2e3d-41a6-98d0-0f47421a65b6"},
"affected":[{"vendor":"v","product":"p",
"versions":[{"versionType":"semver","version":"1.0.0","lessThan":"2","status":"affected"}],
"defaultStatus":"affected"}],
"descriptions":[{"lang":"en","value":"d"}],"references":[{"url":"https://a.ai"}]}}}

possible solution: if the versionType is semver, set the patterns for lessThan and lessThanOrEqual to the bottom regular expression on https://semver.org/ with the exception that "*" is allowed in some or all positions, e.g., add this:

    "allOf": [
        {
            "if": {
                "properties": {
                    "versionType": {
                        "const": "semver"
                    }
                },
                "required": ["versionType"]
            },
            "then": {
                "properties": {
                    "lessThan": {
                        "type": "string",
                        "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$|\\*"
                    },
                    "lessThanOrEqual": {
                        "type": "string",
                        "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$|\\*"
                    }
                }
            }
        }
    ],
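As an added example (not code from this issue or from the cve-schema project), here is a standalone Python linter that applies the same check outside of JSON Schema: it flags every "semver" version entry whose version, lessThan or lessThanOrEqual is not a semver string. It assumes that only the bare "*" (the unbounded upper limit from versions.md) is exempt, which is stricter than the unanchored `|\*` alternative in the pattern above, and it runs over a constructed record built from the issue's test case.

```python
import re

# The semver.org regular expression the issue points to, anchored at both ends.
SEMVER_RE = re.compile(
    r"^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)"
    r"(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)"
    r"(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?"
    r"(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$"
)


def valid_upper_bound(value):
    """Assumption: only the bare "*" (unbounded upper limit) is exempt from semver syntax."""
    return value == "*" or SEMVER_RE.match(value) is not None


def semver_problems(record):
    """Return (cveId, versions index, field, value) for every "semver" entry whose
    version, lessThan or lessThanOrEqual is not a semver string."""
    problems = []
    cve_id = record.get("cveMetadata", {}).get("cveId", "?")
    for affected in record.get("containers", {}).get("cna", {}).get("affected", []):
        for i, entry in enumerate(affected.get("versions", [])):
            if entry.get("versionType") != "semver":
                continue  # the check only applies to versionType "semver"
            if SEMVER_RE.match(entry.get("version", "")) is None:
                problems.append((cve_id, i, "version", entry.get("version")))
            for field in ("lessThan", "lessThanOrEqual"):
                if field in entry and not valid_upper_bound(entry[field]):
                    problems.append((cve_id, i, field, entry[field]))
    return problems


# Constructed sample record: the issue's minimal test case ("2" instead of "2.0.0"),
# the lessThanOrEqual=7.8.9.0 shape from the issue, and a valid "*" upper bound.
RECORD = {
    "dataType": "CVE_RECORD", "dataVersion": "5.1",
    "cveMetadata": {"cveId": "CVE-2025-0001", "state": "PUBLISHED"},
    "containers": {"cna": {"affected": [{
        "vendor": "v", "product": "p", "defaultStatus": "affected",
        "versions": [
            {"versionType": "semver", "version": "1.0.0", "lessThan": "2", "status": "affected"},
            {"versionType": "semver", "version": "1.2.3", "lessThanOrEqual": "7.8.9.0", "status": "affected"},
            {"versionType": "semver", "version": "3.0.0", "lessThan": "*", "status": "affected"},
        ],
    }]}},
}

if __name__ == "__main__":
    for cve_id, i, field, value in semver_problems(RECORD):
        print("%s: versions[%d].%s=%r is not a semver string" % (cve_id, i, field, value))
```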

issues on the current CVE List (many CNAs use "semver" with a "lessThan" or "lessThanOrEqual" field that doesn't comply with the semver specification - for convenience, this only lists CVE IDs that were not already mentioned in the #263 issue)
