Vulnerability Description Schema

We would like to output JSON from the cve checker, to be used for a cross check with the IP compliance file and for other possible uses (like querying for updates of our packages). This post describes the proposed schema.

{
    "version": string,
    "layer": string,
    "package": {
        "name": string,
        "version": string,
        "purl": string,
        "products": [ {
            "product": string
        } ]
    },
    "issue": [ {
        "id": string,
        "summary": string,
        "score": string,
        "status": string
    } ]
}

Where:

  • version is the schema version
  • layer is the package layer name
  • name is the name of the package
  • version is the version contained in the package
  • purl is the package URL (purl) of the package, in the format described at https://github.com/package-url/purl-spec
  • products gives a list of product names contained in the package
  • issue is the table of issues in the package
  • id is the issue identifier, for example its CVE ID
  • summary is a short summary of the issue
  • score is the CVSS 3.1 base score
  • status is the current status in the package, can be “Patched”/“Unpatched”

Inspiration from: https://github.com/ossf/osv-schema

@Alberto_Pianon et al please comment :slight_smile:
@landgraf might be of interest to you too
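As an added illustration of the proposal (example code written for this thread, not the schema author's or the cve-check class's own implementation), the snippet below builds one record in the proposed layout, derives the purl from the package name and version following the purl-spec encoding rules, and checks that a record conforms before it is written out. The `generic` purl type, the schema version string "1", the curl version, the layer name "meta" and the placeholder issue entries are assumptions; only the product names (curl, libcurl) come from the thread.

```python
"""Emit and validate cve-check JSON records in the proposed schema.

Added example for the thread, not code from the original post or from the
OpenEmbedded cve-check class. The purl type "generic", the schema version,
and all sample data below are assumptions made for the demonstration.
"""
import json
from urllib.parse import quote

SCHEMA_VERSION = "1"                       # assumption: first schema version
VALID_STATUS = {"Patched", "Unpatched"}    # the two states the proposal allows


def make_purl(ptype, name, version, namespace=None, qualifiers=None):
    """Build a purl per github.com/package-url/purl-spec.

    Namespace segments, name and version are percent-encoded so that '/',
    '@', '?' or '#' inside them cannot be mistaken for purl separators.
    Qualifier keys are lower-cased and sorted; empty values are dropped.
    """
    parts = ["pkg:" + ptype.lower()]
    if namespace:
        parts.extend(quote(seg, safe="") for seg in namespace.split("/") if seg)
    parts.append(quote(name, safe=""))
    purl = "/".join(parts)
    if version:
        purl += "@" + quote(version, safe="")
    if qualifiers:
        items = sorted((k.lower(), v) for k, v in qualifiers.items() if v)
        if items:
            purl += "?" + "&".join(f"{k}={quote(v, safe='')}" for k, v in items)
    return purl


def build_record(layer, name, version, products, issues, purl_type="generic"):
    """Return a dict laid out exactly like the proposed schema."""
    return {
        "version": SCHEMA_VERSION,
        "layer": layer,
        "package": {
            "name": name,
            "version": version,
            "purl": make_purl(purl_type, name, version),
            "products": [{"product": p} for p in products],
        },
        "issue": [{"id": i["id"], "summary": i["summary"],
                   "score": i["score"], "status": i["status"]} for i in issues],
    }


def validate_record(rec):
    """Return a list of problems; an empty list means the record conforms."""
    problems = []

    def need(obj, key, typ, where):
        if key not in obj or not isinstance(obj[key], typ):
            problems.append(f"{where}.{key} missing or not {typ.__name__}")
            return False
        return True

    need(rec, "version", str, "root")
    need(rec, "layer", str, "root")
    if need(rec, "package", dict, "root"):
        pkg = rec["package"]
        for k in ("name", "version", "purl"):
            need(pkg, k, str, "package")
        if not str(pkg.get("purl", "")).startswith("pkg:"):
            problems.append("package.purl does not start with 'pkg:'")
        if need(pkg, "products", list, "package"):
            for n, p in enumerate(pkg["products"]):
                if not isinstance(p, dict) or not need(p, "product", str, f"package.products[{n}]"):
                    problems.append(f"package.products[{n}] is not a product object")
    if need(rec, "issue", list, "root"):
        for n, iss in enumerate(rec["issue"]):
            if not isinstance(iss, dict):
                problems.append(f"issue[{n}] is not an object")
                continue
            for k in ("id", "summary", "score", "status"):
                need(iss, k, str, f"issue[{n}]")
            if iss.get("status") not in VALID_STATUS:
                problems.append(f"issue[{n}].status must be Patched or Unpatched")
            try:
                if not 0.0 <= float(iss.get("score", "x")) <= 10.0:
                    raise ValueError
            except ValueError:
                problems.append(f"issue[{n}].score is not a CVSS base score in 0..10")
    return problems


def unpatched_ids(rec):
    """IDs a downstream cross-check would flag as still open in this package."""
    return [i["id"] for i in rec["issue"] if i["status"] == "Unpatched"]


# Constructed sample: product names follow the curl recipe metadata quoted in
# the thread; the issue IDs, summaries and scores are placeholders, not real CVEs.
SAMPLE = build_record(
    layer="meta", name="curl", version="7.79.1", products=["curl", "libcurl"],
    issues=[{"id": "CVE-0000-0001", "summary": "placeholder, fixed by backport",
             "score": "7.5", "status": "Patched"},
            {"id": "CVE-0000-0002", "summary": "placeholder, no fix in layer",
             "score": "5.3", "status": "Unpatched"}])

if __name__ == "__main__":
    print(json.dumps(SAMPLE, indent=2))
    print("problems:", validate_record(SAMPLE))
```

Run the file to print the sample record and an empty problem list; feed `validate_record` a malformed record (a status outside Patched/Unpatched, a score above 10) and it reports each violation separately, which is what a consumer such as the IP compliance cross-check would want before trusting the file.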

makes sense!

Just a couple of questions:

  1. do we need to include also vendor along with product? (see below the metadata included in curl recipe that we currently extract with tinfoilhat)
  2. how do we create a valid purl for each package? (I guess that you are referring to this, right?)
          {
            "vendor": "haxx",
            "product": "curl"
          },
          {
            "vendor": "haxx",
            "product": "libcurl"
          },
          {
            "vendor": "curl",
            "product": "curl"
          },
          {
            "vendor": "curl",
            "product": "libcurl"
          },
          {
            "vendor": "libcurl",
            "product": "libcurl"
          },
          {
            "vendor": "daniel_stenberg",
            "product": "curl"
          }

typo. Should be “} ],”

Shouldn't the "issue" section contain affected product information as well? Like "issue": [{"id": "CVE-2021-33909", "product": "linux", "summary": "kernel: size_t-to-int conversion vulnerability in the filesystem layer", "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}] ?

Thanks, fixes made. For the vendor, do you think it is useful in practice? We can get it via the CPE

This is a valid point. If we start including the complete score, we could just link to the OSV description that includes the same data. In this case it would be better to re-use OSV for that part. My idea was to include the basic information in our schema and then link for everything else to OSV and similar systems

@marta it seems that vendor is used by cve-check bb class to query the database:


Yes, you’re right. We need it.