5.1.0 allows use of versionType purl with no syntax validation

[ElectricNroff]

The CVE Program is currently sending a public announcement that 5.1.0 supports Package URLs through the use of versionType. This means that a provider can choose to enter

{"version": "pkg:npm/foobar@12.3.1", "versionType": "purl", "status": "affected"}

or any of the other example values from the https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst document. The only validation from the schema is that the value is a string of between 1 and 1024 characters. Also, the CVE Services server does not validate that the value complies with the purl specification. In other words, the level of support is different from, for example,

cve-schema/schema/v5.0/docs/CVE_JSON_bundled.json

Lines 253 to 254 in 2aa608b

	"description": "Common Platform Enumeration (CPE) Name in either 2.2 or 2.3 format",
	"pattern": "([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9._\\-~%]*){0,6})|(cpe:2\\.3:[aho*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){4})",

(CPE is not accepted unless it complies with the CPE syntax.)

cve-schema/schema/v5.0/docs/CVE_JSON_bundled.json

Lines 1303 to 1305 in 2aa608b

	"vectorString": {
	"type": "string",
	"pattern": "^CVSS:4[.]0/AV:[NALP]/AC:[LH]/AT:[NP]/PR:[NLH]/UI:[NPA]/VC:[HLN]/VI:[HLN]/VA:[HLN]/SC:[HLN]/SI:[HLN]/SA:[HLN](/E:[XAPU])?(/CR:[XHML])?(/IR:[XHML])?(/AR:[XHML])?(/MAV:[XNALP])?(/MAC:[XLH])?(/MAT:[XNP])?(/MPR:[XNLH])?(/MUI:[XNPA])?(/MVC:[XNLH])?(/MVI:[XNLH])?(/MVA:[XNLH])?(/MSC:[XNLH])?(/MSI:[XNLHS])?(/MSA:[XNLHS])?(/S:[XNP])?(/AU:[XNY])?(/R:[XAUI])?(/V:[XDC])?(/RE:[XLMH])?(/U:(X|Clear|Green|Amber|Red))?$"

(CVSS is not accepted unless it complies with the CVSS syntax.)
etc.

We, of course, don't know whether any provider will ever use "versionType": "purl" with syntactically incorrect data. We might consider whether:

• in the future, syntax validation should be in place before announcing that any new data syntax is supported
• there should be a recommendation that client developers ensure that containers aren't sent to the server with any syntactically invalid "versionType": "purl" data

[ccoffin]

Adding purl to the affected array may or may not be the right place for the data. I think we need to have a larger discussion about how to implement purl within the CVE Record Format.

[alilleybrinker]

Proposal #397 adds support for Package URLs in an applicability structure.

[alilleybrinker]

#397 ended up being superseded by #407, which should be merged soon. When it is, and 5.2.0 comes out, we probably want to encourage this use of PURL (which is validated), rather than the old one (which is not).

I'd also recommend deprecating use of PURLs as a version type, warning on it, and removing it in a future 6.0.0.