Update to cve-schema to provide better support for CPE!! if you have integrations that rely on the cve-schema repo structure, please review the changes here. The latest version of the CVE JSON Record Format is 5.1.1. A single schema file with bundled dependencies is available here.
Note: The CVE Record Format now supports Authorized Data Publisher (ADP) containers there is one active ADP currently. The CVE Program uses a separate ADP container to provide additional CVE information (e.g., references) for some records. Access this README.md page here for more information about the CVE Program Container.
Note: Please refer to the CVE Services page here for known issues with the schema.
cve-schema specifies the CVE Record Format. This is the blueprint for a rich set of JSON data that can be submitted by CVE Numbering Authorities (CNAs) and Authorized Data Publishers (ADPs) to describe a CVE Record. Some examples of CVE Record data include CVE ID number, affected product(s), affected version(s), and public references. While those specific items are required when assigning a CVE, there are many other optional data in the schema that can be used to enrich CVE Records for community benefit.
Learn more about the CVE program at: https://www.cve.org/
This CVE Record Format is defined using JSON Schema. Learn more about JSON Schema at: https://json-schema.org/ .
The latest version of the CVE Record Format is 5.1.1. It is specified in the JSON schema at https://github.com/CVEProject/cve-schema/blob/master/schema/CVE_Record_Format.json
A single schema file with bundled dependencies is at https://github.com/CVEProject/cve-schema/blob/master/schema/docs/CVE_Record_Format_bundled.json
Documentation about this format is available at https://cveproject.github.io/cve-schema/schema/docs/
A mindmap version of the CVE Record structure is at https://cveproject.github.io/cve-schema/schema/docs/mindmap.html
More details about Product and Version Encodings in the CVE Record Format are at https://github.com/CVEProject/cve-schema/blob/master/schema/docs/versions.md
A basic example of a full record in the 5.1.1 format with minimally required fields is available at https://github.com/cveproject/cve-schema/blob/master/schema/docs/full-record-basic-example.json
An advanced example of a full record in the 5.1.1 format is available at https://github.com/cveproject/cve-schema/blob/master/schema/docs/full-record-advanced-example.json
A basic example of a cnaContainer, to be used with CVE Services, is available at https://github.com/cveproject/cve-schema/blob/master/schema/docs/cnaContainer-basic-example.json
An advanced example of a cnaContainer, to be used with CVE Services, is available at https://github.com/cveproject/cve-schema/blob/master/schema/docs/cnaContainer-advanced-example.json
Before submitting a Pull Request (PR) with your proposed schema changes, it is recommended to run the tools/cve-schema-test.sh script (written in Bash) to ensure there are no errors. This helps prevent your PR from being rejected due to formatting issues when GitHub's workflow tools are executed.
Please note that any files created by this script will be overwritten when GitHub's workflow runs on the PR. This step is mandatory before the CVE Schema Working Group can review your suggestions.
