Merge pull request #97 from RedHatProductSecurity/release-1.7.0

Update for 1.7.0 release

CHANGELOG.md

@@ -1,5 +1,12 @@
 # Changelog
 
+## [1.7.0](https://github.com/RedHatProductSecurity/cvelib/compare/1.6.0...1.7.0) (Dec 5, 2024)
+
+* Updated CVE record schemas to version 5.1.1 (#96).
+* Added a new subcommand, `validate`, to verify that a CVE record (or a specific container of a record) is valid 
+  against a specific CVE v5 schema (#95).
+* Switched to a stricter version of the CVE ID matching regex (6f18918).
+
 ## [1.6.0](https://github.com/RedHatProductSecurity/cvelib/compare/1.5.0...1.6.0) (Oct 11, 2024)
 
 * Subcommands that not require authentication credentials no longer require `-u/-o/-a` options to be set (#93).

README.md

@@ -2,7 +2,7 @@
 
 A library and a command line interface for the CVE Services API.
 
-**Note**: version 1.4.0 of cvelib is compatible with CVE Services 2.3.1 and CVE JSON schema 5.1.0.
+**Note**: version 1.7.0 of cvelib is compatible with CVE Services 2.5.0 and CVE JSON schema 5.1.1.
 
 ## Requirements
 
@@ -239,7 +239,7 @@ For more information, see the individual methods defined in the
 ```bash
 git clone https://github.com/RedHatProductSecurity/cvelib.git
 cd cvelib
-python3 -m venv venv  # Must be Python 3.6 or later
+python3 -m venv venv
 source venv/bin/activate
 pip install --upgrade pip
 pip install -e .
@@ -275,10 +275,10 @@ Running tests and linters:
 tox
 # Run format check only
 tox -e black
-# Run tests against Python 3.6 only
-tox -e py36
-# Run a single test against Python 3.6 only
-tox -e py36 -- tests/test_cli.py::test_cve_show
+# Run tests using a specific version of Python
+tox -e py313
+# Run a single test using a specific version of Python
+tox -e py313 -- tests/test_cli.py::test_cve_show
 ```
 
 Any changes in the commands, their options, or help texts must be reflected in the generated man pages. To refresh

cvelib/__init__.py

@@ -1 +1 @@
-__version__ = "1.6.0"
+__version__ = "1.7.0"

man/cve-list.1

@@ -1,4 +1,4 @@
-.TH "CVE LIST" "1" "2024-10-11" "1.6.0" "cve list Manual"
+.TH "CVE LIST" "1" "2024-12-05" "1.6.0" "cve list Manual"
 .SH NAME
 cve\-list \- Filter and list reserved CVE IDs owned by...
 .SH SYNOPSIS

man/cve-org-users.1

@@ -1,4 +1,4 @@
-.TH "CVE ORG USERS" "1" "2024-10-11" "1.6.0" "cve org users Manual"
+.TH "CVE ORG USERS" "1" "2024-12-05" "1.6.0" "cve org users Manual"
 .SH NAME
 cve\-org\-users \- List all users in your organization.
 .SH SYNOPSIS

man/cve-org.1

@@ -1,4 +1,4 @@
-.TH "CVE ORG" "1" "2024-10-11" "1.6.0" "cve org Manual"
+.TH "CVE ORG" "1" "2024-12-05" "1.6.0" "cve org Manual"
 .SH NAME
 cve\-org \- Show information about your organization.
 .SH SYNOPSIS

man/cve-ping.1

@@ -1,4 +1,4 @@
-.TH "CVE PING" "1" "2024-10-11" "1.6.0" "cve ping Manual"
+.TH "CVE PING" "1" "2024-12-05" "1.6.0" "cve ping Manual"
 .SH NAME
 cve\-ping \- Ping the CVE Services API to see if it is up.
 .SH SYNOPSIS

man/cve-publish-adp.1

@@ -1,4 +1,4 @@
-.TH "CVE PUBLISH-ADP" "1" "2024-10-11" "1.6.0" "cve publish-adp Manual"
+.TH "CVE PUBLISH-ADP" "1" "2024-12-05" "1.6.0" "cve publish-adp Manual"
 .SH NAME
 cve\-publish-adp \- Add or update an ADP container in a CVE...
 .SH SYNOPSIS
@@ -7,26 +7,25 @@ cve\-publish-adp \- Add or update an ADP container in a CVE...
 .SH DESCRIPTION
 Add or update an ADP container in a CVE record for a published CVE ID.
 .PP
-    NOTE: a published ADP container cannot be removed, only updated with new data.
+NOTE: a published ADP container cannot be removed, only updated with new data.
 .PP
-    The ADP container can be specified as a string:
+The ADP container can be specified as a string:
 .PP
-      cve publish-adp CVE-2022-1234 -j '{"affected": [], "descriptions": [], "references": {}, ...}'
+  cve publish-adp CVE-2022-1234 -j '{"affected": [], "descriptions": [], "references": {}, ...}'
 .PP
-    Or passed in a file:
+Or passed in a file:
 .PP
-      cve publish-adp CVE-2022-1234 -f adp.json
+  cve publish-adp CVE-2022-1234 -f adp.json
 .PP
-    For information on the required properties in a given ADP container of a CVE record,
-    see the schema in:
+For information on the required properties in a given ADP container of a CVE record,
+see the schema in:
 .PP
-    https://github.com/CVEProject/cve-schema/blob/master/schema/v5.0/CVE_JSON_5.0_schema.json
-    https://cveproject.github.io/cve-schema/schema/v5.0/docs/#oneOf_i0_containers_adp
+https://cveproject.github.io/cve-schema/schema/docs/
+.PP
+Because the CVE Services API only expects the ADP container contents of the full CVE v5 record,
+the data you pass to this command can specify just the attributes defined by the adpContainer
+subschema.
 .PP
-    Because the CVE Services API only expects the ADP container contents of the full CVE v5 record,
-    the data you pass to this command can specify just the attributes defined by the adpContainer
-    subschema.
-
 .SH OPTIONS
 .TP
 \fB\-j,\fP \-\-adp\-json TEXT

man/cve-publish.1

@@ -1,4 +1,4 @@
-.TH "CVE PUBLISH" "1" "2024-10-11" "1.6.0" "cve publish Manual"
+.TH "CVE PUBLISH" "1" "2024-12-05" "1.6.0" "cve publish Manual"
 .SH NAME
 cve\-publish \- Publish a CNA container of a CVE record...
 .SH SYNOPSIS
@@ -7,28 +7,27 @@ cve\-publish \- Publish a CNA container of a CVE record...
 .SH DESCRIPTION
 Publish a CNA container of a CVE record for a reserved (or rejected) CVE ID.
 .PP
-    If the CVE is already published, this action will update the CNA container in its record. A
-    published CVE can only be moved to the rejected state with an appropriate reject record (see
-    `cve reject`). A published CVE cannot be moved back to the reserved state.
+If the CVE is already published, this action will update the CNA container in its record. A
+published CVE can only be moved to the rejected state with an appropriate reject record (see
+`cve reject`). A published CVE cannot be moved back to the reserved state.
 .PP
-    The CNA container can be specified as a string:
+The CNA container can be specified as a string:
 .PP
-      cve publish CVE-2022-1234 -j '{"affected": [], "descriptions": [], "references": {}, ...}'
+  cve publish CVE-2022-1234 -j '{"affected": [], "descriptions": [], "references": {}, ...}'
 .PP
-    Or passed in a file:
+Or passed in a file:
 .PP
-      cve publish CVE-2022-1234 -f cve.json
+  cve publish CVE-2022-1234 -f cve.json
 .PP
-    For information on the required properties in a given CNA container of a CVE record,
-    see the schema in:
+For information on the required properties in a given CNA container of a CVE record,
+see the schema in:
 .PP
-    https://github.com/CVEProject/cve-schema/blob/master/schema/v5.0/CVE_JSON_5.0_schema.json
-    https://cveproject.github.io/cve-schema/schema/v5.0/docs/#oneOf_i0_containers_cna
+https://cveproject.github.io/cve-schema/schema/docs/
+.PP
+Because the CVE Services API only expects the CNA container contents of the full CVE v5 record,
+the data you pass to this command can specify just the attributes defined by the
+cnaPublishedContainer or cnaRejectedContainer subschemas, and not the full schema record.
 .PP
-    Because the CVE Services API only expects the CNA container contents of the full CVE v5 record,
-    the data you pass to this command can specify just the attributes defined by the
-    cnaPublishedContainer or cnaRejectedContainer subschemas, and not the full schema record.
-
 .SH OPTIONS
 .TP
 \fB\-j,\fP \-\-cve\-json TEXT

man/cve-quota.1

@@ -1,4 +1,4 @@
-.TH "CVE QUOTA" "1" "2024-10-11" "1.6.0" "cve quota Manual"
+.TH "CVE QUOTA" "1" "2024-12-05" "1.6.0" "cve quota Manual"
 .SH NAME
 cve\-quota \- Display the available CVE ID quota for...
 .SH SYNOPSIS
@@ -7,11 +7,11 @@ cve\-quota \- Display the available CVE ID quota for...
 .SH DESCRIPTION
 Display the available CVE ID quota for your CNA.
 .PP
-    
-    - "Limit": how many CVE IDs your organization can have in the RESERVED state at once.
-    - "Reserved": the number of CVE IDs that are in the RESERVED state across all years.
-    - "Available": the number of CVE IDs that can be reserved (that is, "Limit" - "Reserved")
-    
+
+- "Limit": how many CVE IDs your organization can have in the RESERVED state at once.
+- "Reserved": the number of CVE IDs that are in the RESERVED state across all years.
+- "Available": the number of CVE IDs that can be reserved (that is, "Limit" - "Reserved")
+.PP
 .SH OPTIONS
 .TP
 \fB\-\-raw\fP

man/cve-reject.1

@@ -1,4 +1,4 @@
-.TH "CVE REJECT" "1" "2024-10-11" "1.6.0" "cve reject Manual"
+.TH "CVE REJECT" "1" "2024-12-05" "1.6.0" "cve reject Manual"
 .SH NAME
 cve\-reject \- Reject a CVE record for a reserved or...
 .SH SYNOPSIS
@@ -7,28 +7,28 @@ cve\-reject \- Reject a CVE record for a reserved or...
 .SH DESCRIPTION
 Reject a CVE record for a reserved or published CVE ID.
 .PP
-    If the CVE is already rejected, this action will update its record if one is supplied.
-    A rejected CVE with a record can only be moved to the published state (see `cve publish`).
-    A rejected CVE without a record can be moved to the reserved state. A published CVE can only
-    be rejected with an accompanying record. Reserved CVEs can be rejected with or without a record.
+If the CVE is already rejected, this action will update its record if one is supplied.
+A rejected CVE with a record can only be moved to the published state (see `cve publish`).
+A rejected CVE without a record can be moved to the reserved state. A published CVE can only
+be rejected with an accompanying record. Reserved CVEs can be rejected with or without a record.
 .PP
-    Note: Rejecting a published CVE removes both the CNA and ADP data of that record.
+Note: Rejecting a published CVE removes both the CNA and ADP data of that record.
 .PP
-    The CVE reject record can be specified as a string:
+The CVE reject record can be specified as a string:
 .PP
-      cve reject CVE-2022-1234 -j '{"rejectedReasons": [{"lang": "en", "value": "A reason."}]}'
+  cve reject CVE-2022-1234 -j '{"rejectedReasons": [{"lang": "en", "value": "A reason."}]}'
 .PP
-    Or passed in a file:
+Or passed in a file:
 .PP
-      cve reject CVE-2022-1234 -f v5_reject_record.json
+  cve reject CVE-2022-1234 -f v5_reject_record.json
 .PP
-    For information on the required properties in a given CVE JSON record, see the schema in:
+For information on the required properties in a given CVE JSON record, see the schema in:
 .PP
-    https://github.com/CVEProject/cve-schema/blob/master/schema/v5.0/CVE_JSON_5.0_schema.json
+https://cveproject.github.io/cve-schema/schema/docs/
+.PP
+Because the CVE Services API only expects the cnaRejectedContainer contents of the full record,
+the record you pass to this command can specify just that data, and not the full record.
 .PP
-    Because the CVE Services API only expects the cnaRejectedContainer contents of the full record,
-    the record you pass to this command can specify just that data, and not the full record.
-
 .SH OPTIONS
 .TP
 \fB\-j,\fP \-\-cve\-json TEXT

man/cve-reserve.1

@@ -1,4 +1,4 @@
-.TH "CVE RESERVE" "1" "2024-10-11" "1.6.0" "cve reserve Manual"
+.TH "CVE RESERVE" "1" "2024-12-05" "1.6.0" "cve reserve Manual"
 .SH NAME
 cve\-reserve \- Reserve one or more CVE IDs.
 .SH SYNOPSIS
@@ -7,15 +7,15 @@ cve\-reserve \- Reserve one or more CVE IDs.
 .SH DESCRIPTION
 Reserve one or more CVE IDs. COUNT is the number of CVEs to reserve; defaults to 1.
 .PP
-    CVE IDs can be reserved one by one (the lowest IDs are reserved first) or in batches of
-    multiple IDs per single request. When reserving multiple IDs, you can request those IDs to be
-    generated sequentially (default) or non-sequentially (random IDs are selected from your CVE ID
-    range).
+CVE IDs can be reserved one by one (the lowest IDs are reserved first) or in batches of
+multiple IDs per single request. When reserving multiple IDs, you can request those IDs to be
+generated sequentially (default) or non-sequentially (random IDs are selected from your CVE ID
+range).
+.PP
+
+For more information, see the "Developer Guide to CVE Services API":
+https://github.com/CVEProject/cve-services/wiki/Developer-Guide-to-CVE-Services-API#different-reservation-types
 .PP
-    
-    For more information, see the "Developer Guide to CVE Services API":
-    https://github.com/CVEProject/cve-services/wiki/Developer-Guide-to-CVE-Services-API#different-reservation-types
-
 .SH OPTIONS
 .TP
 \fB\-r,\fP \-\-random

man/cve-show.1

@@ -1,11 +1,11 @@
-.TH "CVE SHOW" "1" "2024-10-11" "1.6.0" "cve show Manual"
+.TH "CVE SHOW" "1" "2024-12-05" "1.6.0" "cve show Manual"
 .SH NAME
 cve\-show \- Display a specific CVE ID (and optionally...
 .SH SYNOPSIS
 .B cve show
 [OPTIONS] CVE_ID
 .SH DESCRIPTION
-Display a specific CVE ID (and optionally its record) owned by your CNA.
+Display a specific CVE ID (and optionally its record).
 .SH OPTIONS
 .TP
 \fB\-r,\fP \-\-show\-record

man/cve-undo-reject.1

@@ -1,4 +1,4 @@
-.TH "CVE UNDO-REJECT" "1" "2024-10-11" "1.6.0" "cve undo-reject Manual"
+.TH "CVE UNDO-REJECT" "1" "2024-12-05" "1.6.0" "cve undo-reject Manual"
 .SH NAME
 cve\-undo-reject \- Move a rejected CVE ID without a record...
 .SH SYNOPSIS

man/cve-user-create.1

@@ -1,4 +1,4 @@
-.TH "CVE USER CREATE" "1" "2024-10-11" "1.6.0" "cve user create Manual"
+.TH "CVE USER CREATE" "1" "2024-12-05" "1.6.0" "cve user create Manual"
 .SH NAME
 cve\-user\-create \- Create a user in your organization.
 .SH SYNOPSIS
@@ -7,11 +7,11 @@ cve\-user\-create \- Create a user in your organization.
 .SH DESCRIPTION
 Create a user in your organization.
 .PP
-    This action is restricted to users with the ADMIN role.
+This action is restricted to users with the ADMIN role.
+.PP
+Note: Once a user is created, they cannot be removed, only marked as inactive. Only create
+users when you really need them.
 .PP
-    Note: Once a user is created, they cannot be removed, only marked as inactive. Only create
-    users when you really need them.
-
 .SH OPTIONS
 .TP
 \fB\-u,\fP \-\-username TEXT

man/cve-user-reset-key.1

@@ -1,4 +1,4 @@
-.TH "CVE USER RESET-KEY" "1" "2024-10-11" "1.6.0" "cve user reset-key Manual"
+.TH "CVE USER RESET-KEY" "1" "2024-12-05" "1.6.0" "cve user reset-key Manual"
 .SH NAME
 cve\-user\-reset-key \- Reset a user's personal access token (API...
 .SH SYNOPSIS
@@ -7,10 +7,10 @@ cve\-user\-reset-key \- Reset a user's personal access token (API...
 .SH DESCRIPTION
 Reset a user's personal access token (API key).
 .PP
-    You must explicitly specify the user being updated using the `-u` option.
+You must explicitly specify the user being updated using the `-u` option.
+.PP
+This API key is used to authenticate each request to the CVE API.
 .PP
-    This API key is used to authenticate each request to the CVE API.
-
 .SH OPTIONS
 .TP
 \fB\-u,\fP \-\-username TEXT

man/cve-user-update.1

@@ -1,4 +1,4 @@
-.TH "CVE USER UPDATE" "1" "2024-10-11" "1.6.0" "cve user update Manual"
+.TH "CVE USER UPDATE" "1" "2024-12-05" "1.6.0" "cve user update Manual"
 .SH NAME
 cve\-user\-update \- Update a user.
 .SH SYNOPSIS
@@ -7,10 +7,10 @@ cve\-user\-update \- Update a user.
 .SH DESCRIPTION
 Update a user.
 .PP
-    You must explicitly specify the user being updated using the `-u` option.
+You must explicitly specify the user being updated using the `-u` option.
+.PP
+To reset a user's API key, use `cve user reset-key`.
 .PP
-    To reset a user's API key, use `cve user reset-key`.
-
 .SH OPTIONS
 .TP
 \fB\-u,\fP \-\-username TEXT

man/cve-user.1

@@ -1,4 +1,4 @@
-.TH "CVE USER" "1" "2024-10-11" "1.6.0" "cve user Manual"
+.TH "CVE USER" "1" "2024-12-05" "1.6.0" "cve user Manual"
 .SH NAME
 cve\-user \- Show information about a user.
 .SH SYNOPSIS

man/cve-validate.1

@@ -0,0 +1,18 @@
+.TH "CVE VALIDATE" "1" "2024-12-05" "1.6.0" "cve validate Manual"
+.SH NAME
+cve\-validate \- Validate a CVE record against the 5.1.1...
+.SH SYNOPSIS
+.B cve validate
+[OPTIONS]
+.SH DESCRIPTION
+Validate a CVE record against the 5.1.1 CVE JSON (sub)schema.
+.SH OPTIONS
+.TP
+\fB\-j,\fP \-\-cve\-json TEXT
+JSON body of CVE record.
+.TP
+\fB\-f,\fP \-\-cve\-json\-file FILENAME
+File containing JSON body of a CVE record.
+.TP
+\fB\-s,\fP \-\-schema\-type [full|cna\-published|cna\-rejected|adp]
+Specific type of schema to validate against  [default: cna-published]

man/cve.1

@@ -1,4 +1,4 @@
-.TH "CVE" "1" "2024-10-11" "1.6.0" "cve Manual"
+.TH "CVE" "1" "2024-12-05" "1.6.0" "cve Manual"
 .SH NAME
 cve \- A CLI interface for the CVE Services API.
 .SH SYNOPSIS
@@ -70,6 +70,10 @@ Show the version and exit.
   Show information about your organization.
   See \fBcve-org(1)\fP for full documentation on the \fBorg\fP command.
 .PP
+\fBvalidate\fP
+  Validate a CVE record against the 5.1.1...
+  See \fBcve-validate(1)\fP for full documentation on the \fBvalidate\fP command.
+.PP
 \fBping\fP
   Ping the CVE Services API to see if it is up.
   See \fBcve-ping(1)\fP for full documentation on the \fBping\fP command.