
5.1.0 accepts lessThan 0 (seen in inverted ranges) #324

Open
ElectricNroff opened this issue Jun 7, 2024 · 1 comment
Labels
bug Something isn't working Needs Discussion Discuss in a future QWG meeting or on mailing list section:affected_product Schema location is affected or product

Comments

@ElectricNroff

There are four CVE Records with:

"lessThan":"0"

For all four, it seems that the lessThan value and the version value were swapped:

"cveId": "CVE-2021-28500" ...
"lessThan":"0","status":"affected","version":"4.20"

"cveId":"CVE-2022-4554" ...
"lessThan":"0","status":"affected","version":"1.0.0.347"

"cveId":"CVE-2023-5914" ...
"lessThan":"0","status":"affected","version":"2311 Current Release"

"cveId":"CVE-2023-6184" ...
"lessThan":"0","status":"affected","version":"2311 Current Release"

Negative version numbers are not normally seen, and thus "lessThan":"0" ranges are probably only used by accident.

This could be prevented by a schema that has a new definition such as versionButNotZero that is similar to:

"version": {
    "description": "A single version of a product, as expressed in its own version numbering scheme.",
    "type": "string",
    "minLength": 1,
    "maxLength": 1024
}

but with a negative lookahead:

"pattern": "^(?!0$)",

and use this for:

"lessThan": {
"description": "The non-inclusive upper limit of the range. This is the least version NOT in the range. The usual version syntax is expanded to allow a pattern to end in an asterisk `(*)`, indicating an arbitrarily large number in the version ordering. For example, `{version: 1.0 lessThan: 1.*}` would describe the entire 1.X branch for most range kinds, and `{version: 2.0, lessThan: *}` describes all versions starting at 2.0, including 3.0, 5.1, and so on. Only one of lessThan and lessThanOrEqual should be specified.",
"$ref": "#/definitions/version"
},
"lessThanOrEqual": {
"description": "The inclusive upper limit of the range. This is the greatest version contained in the range. Only one of lessThan and lessThanOrEqual should be specified. For example, `{version: 1.0, lessThanOrEqual: 1.3}` covers all versions from 1.0 up to and including 1.3.",
"$ref": "#/definitions/version"
},

(but not for version where 0 is meaningful)
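The following is an added example, not code from the issue or from the CVE schema project: it emulates the proposed versionButNotZero definition (the existing version bounds plus the negative lookahead `^(?!0$)`) without a JSON Schema library, applies it to lessThan and lessThanOrEqual only, and scans CVE Record 5.x documents for entries the proposed rule would reject. The sample records are constructed for this example; their cveIds and version strings are the ones quoted above, the product name and the `CVE-0000-PLACEHOLDER` id are made up, and the "suggested" swap is a hint for a human reviewer, not an automatic correction.

```python
import re

# Bounds copied from the existing "version" definition, plus the proposed
# negative lookahead.  ^(?!0$) rejects the exact string "0" but still accepts
# "0.1", "10" or "0-rc1", where a leading zero is meaningful.
VERSION_MIN_LENGTH = 1
VERSION_MAX_LENGTH = 1024
NOT_EXACTLY_ZERO = re.compile(r"^(?!0$)")


def is_version(value):
    """Emulate the existing 'version' definition: a string of 1..1024 characters."""
    return isinstance(value, str) and VERSION_MIN_LENGTH <= len(value) <= VERSION_MAX_LENGTH


def is_version_but_not_zero(value):
    """Emulate the proposed 'versionButNotZero' definition (pattern ^(?!0$))."""
    return is_version(value) and NOT_EXACTLY_ZERO.match(value) is not None


def validate_version_entry(entry):
    """Return a list of problems for one element of affected[].versions[].

    'version' keeps the plain definition because a literal "0" is meaningful
    there; 'lessThan' and 'lessThanOrEqual' use the stricter definition.
    """
    problems = []
    if "version" in entry and not is_version(entry["version"]):
        problems.append("version: must be a non-empty string")
    for key in ("lessThan", "lessThanOrEqual"):
        if key in entry and not is_version_but_not_zero(entry[key]):
            problems.append(f'{key}: must be a non-empty string other than "0"')
    if "lessThan" in entry and "lessThanOrEqual" in entry:
        problems.append("only one of lessThan and lessThanOrEqual should be specified")
    return problems


def find_suspect_ranges(records):
    """Scan CVE Record 5.x documents; return (cveId, entry, suggested) for every
    version entry the proposed schema would reject.  When lessThan is "0" the
    suggestion is the swap observed in the issue (version and lessThan exchanged)."""
    findings = []
    for record in records:
        cve_id = record["cveMetadata"]["cveId"]
        for product in record["containers"]["cna"].get("affected", []):
            for entry in product.get("versions", []):
                if validate_version_entry(entry):
                    suggested = dict(entry)
                    if entry.get("lessThan") == "0" and "version" in entry:
                        suggested["version"], suggested["lessThan"] = entry["lessThan"], entry["version"]
                    findings.append((cve_id, entry, suggested))
    return findings


def _record(cve_id, entry):
    # Minimal CVE Record 5.x shape; product name is constructed for this example.
    return {
        "cveMetadata": {"cveId": cve_id},
        "containers": {"cna": {"affected": [{"product": "example-product", "versions": [entry]}]}},
    }


# Constructed sample records: the four fragments quoted in the issue plus one
# well-formed open-ended range (2.0 and everything after) that must pass.
SAMPLE_RECORDS = [
    _record("CVE-2021-28500", {"lessThan": "0", "status": "affected", "version": "4.20"}),
    _record("CVE-2022-4554", {"lessThan": "0", "status": "affected", "version": "1.0.0.347"}),
    _record("CVE-2023-5914", {"lessThan": "0", "status": "affected", "version": "2311 Current Release"}),
    _record("CVE-2023-6184", {"lessThan": "0", "status": "affected", "version": "2311 Current Release"}),
    _record("CVE-0000-PLACEHOLDER", {"version": "2.0", "lessThan": "*", "status": "affected"}),
]

if __name__ == "__main__":
    for cve_id, entry, suggested in find_suspect_ranges(SAMPLE_RECORDS):
        print(cve_id, validate_version_entry(entry), "suggested:", suggested)
```

Run as a script it reports the four records from the issue and leaves the open-ended `{version: 2.0, lessThan: *}` entry untouched, which is the distinction the proposal relies on: the lookahead only excludes the single string "0", so version strings that merely start with 0 are unaffected.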

@jayjacobs jayjacobs added the bug Something isn't working label Oct 18, 2024
@jayjacobs jayjacobs added the section:affected_product Schema location is affected or product label Oct 31, 2024
@ccoffin
Collaborator

ccoffin commented Jan 17, 2025

Also a possible schema validation change. Let's discuss in the meeting as a possible update.

@ccoffin ccoffin added the Needs Discussion Discuss in a future QWG meeting or on mailing list label Jan 17, 2025