Add a formal semver 2.0.0 version type #371
Open
darakian wants to merge 63 commits into CVEProject:feature-PR371-semver2.0 from darakian:add-semver-2.0.0-versionType
63 commits, all authored by darakian:

c50a136  Add a formal semver 2.0.0 version type
bec099b  Add an example for discussion
20f9b39  Add some text for the parameters and remove markdown horizontal break
e637776  Expand example to show inclusive/exclusive bounds and single version …
fffd0cd  Add explainer
16680d2  Add examples of single sided ranges. ex < 1.0.0 or >= 9.0.0 to allow …
208980b  Add status back as a parameter after sync chat in QWG meeting on 2025…
0ce6601  Stub new properties
62db169  Add pattern regex
34af2ae  and trim newline
046dadd  Add an attempt at json schema options for semver 2.0.0
484ca76  Add valid forms of semver-2.0.0 usage
3527158  trim extra comma
b037e53  Switch from anyOf to oneOf
226158a  Update build.js to reference current schema location
e264318  Add missing comma
ddf4895  Double slash seems to be the correct approach
7b77630  Fix typo to allow stand alone inclusive lower bound
bf48730  Add validation of schemas to the workflow
e333f53  Prefer test over validate for symmetry with invalid test to come
992e9c3  Be strict about versionType value
9226d60  Add invalid test for missing versionType
3f33ceb  Break tests out for easier long term management
eb4fd2f  Add test case for mixing exactly with a range
36a22ee  Add test case for duplicate upper bounds
fd0d7e1  Add test case for duplicate lower bounds
745cc6f  Add semver tests to the workflow
a0ff77b  Remove test
9f839d6  Removing this test for now. Unclear why it fails
5cc921e  Move semver regex out to a single def and reference it
9a4ad63  stub idea for changes block
50d0e12  Add a test to ensure asterisk usage fails
a72e5b8  Update schema with working concept of reusing old parameters. Adds tw…
9d53824  Update positive tests. IMO they are less readable than before
30bd0de  Check for invalid format in semver 2.0.0 rather than invalid version …
10c83ec  Clean up language on usage of the two new parameters
fc8b7b8  Typo fix 🤦
6135668  Remove missing version test since not specifying is valid and the use…
43e4f17  Update negative tests
1e91117  ref instead of duplicate regex
0dc04e2  remove overconstraint I guess. This lets two tests pass (mixedRange1 …
da94093  Stub rfd from template
5ac7c5f  Stage draft RFD
a3f5748  Update success metrics
b8b9afd  Update migration
85af8eb  update impact
97f14c2  Remove blank line
b800796  typo plus a +
69aba3f  Better impact
c9fde50  Remove the word new
bc077f5  Update verbiage
64774b5  Update examples
4d091a0  Mention that not adopting is an option
7ba977b  Remove template text for supporting data/research
1bb151e  Delete some trailing commas
4427021  Provide symmetry in parameter requirements
c6e12cb  Delete two more trailing commas
46c5293  Small fix
cffccd7  Restore first construction.
8a4824a  Convert invalid tests
f7c4fe6  Convert valid tests
5cfcb16  Convert doc text
56f7a0e  Convert rfd text
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,81 @@ | ||
# Add a formal semver 2.0.0 version type | ||
|
||
| Field | Value | | ||
|:-----------------|:-------| | ||
| RFD Submitter | Jon Moroney | | ||
| RFD Pull Request | [RFD #0000](https://github.com/CVEProject/cve-schema/pull/371) | | ||
|
||
## Summary | ||
[summary]: #summary | ||
|
||
Introduce a new semantic versioning version type for the machine readable `versions` array. The goal of this addition is to provide consumers of CVE records with version information which is interoperable with off the shelf semantic versioning compatible tools. The proposed change includes schema based validation to ensure submitted records conform to the semver specification as well as tests to ensure conformity. | ||
|
||
## Problem Statement | ||
[problem-statement]: #problem-statement | ||
|
||
Today the `versions` array allows for a number of typed version fields which should inform the reader how to interpret the data. Alas, there is no validation that a record producer must conform to and as a result the version types have been used inconsistently. At time of writing a consumer reading the semantic versioning type in particular has about a [44% chance of the data conforming to the semantic versioning specification](https://darakian.github.io/2025/06/04/parsing-semver-from-cve.html). | ||
|
||
As a result consumers of CVE records cannot build reliable automation from the data in the record itself. Multiple sub-patterns do exist, but there is canonical list of them nor is there any guarantee of their stability. This leads to increased operational complexity in vulnerability management and potentially to vulnerabilities going unresolved. | ||
|
||
Failing to adopt stricter datatypes will maintain the status quo which is generally accepted to be lacking. | ||
|
||
## Proposed Solution | ||
[proposed-solution]: #proposed-solution | ||
|
||
The proposed change adds a new `semver-2.0.0-version` pattern and five new properties for expressing version ranges. The parameters are `exactly`, `inclusiveLowerBound`, `exclusiveLowerBound`, `inclusiveUpperBound`, and `exclusiveUpperBound` and map to the mathematics operators `=`, `>=`, `>`, `<=`, and `<`. These parameters are only expected to be used with the `semver-2.0.0` version type. Validation is proved in the form of a regular expression which is taken directly from semver.org in order to ensure interoperability. | ||
|
||
## Examples | ||
[examples]: #examples | ||
|
||
Examples are provided as tests and may be viewed in the valid and invalid semver-2-0-0 subdirectories here: | ||
https://github.com/CVEProject/cve-schema/tree/0dc04e2a9adb9e3d50409051ce1d006d79b57a90/schema/support/tests | ||
|
||
## Impact Assessment | ||
[impact-assessment]: #impact-assessment | ||
|
||
This proposal has been designed to be very low impact. In the base case both record producers and record consumers can simply ignore the new data type. Adoption of the new data type into systems that process CVE records should be quite straight forward as semantic versioning is well supported across many languages. Once records begin to be produced with `semver-2.0.0` values a record consumer will be able to build reliable vulnerability managment automation based on the data. | ||
|
||
## Compatibility and Migration | ||
[compatibility-and-migration]: #compatibility-and-migration | ||
|
||
This change adds one new, optional, value to the `versions` array and should be completely backwards compatible as no prior data formats are altered. The version type is currently arbitrary and so record providers are free to populate anything in that field, however no currently published records have used `semver-2.0.0`. | ||
|
||
Both consumers are producers will need to update their code/process in order to make use of the new field. Should there be a desire to coordinate a migration an addition could be made to this RFD with guidance both for record producer and consumers, but off the shelf, semver compatible tools are expected to work. | ||
|
||
Existence of the new version type should be communicated to stakeholders upon the RFDs acceptance. | ||
|
||
## Success Metrics | ||
[success-metrics]: #success-metrics | ||
|
||
6+ months after the acceptance and adoption of this RFD process, the QWG should conduct a review of published CVE records to assess usage of the new version type. Additionally the QWG should solicit a survey to QWG members and outside CVE stakeholders about the perceived value of the new type. If there is low/no usage as well as a poor qualitative perception then the effort should be considered a failure and discussion of a rollback should be considered. | ||
|
||
If there is consistent measured usage as well as positive qualitative perception then the effort should be considered a success. Anything between these two polls will require more qualitative analysis, but it is the RFD author's opinion that if there is a lack of consensus then the effort should by default be considered a failure. | ||
|
||
A roll back of this RFD would consist of a removal of the `semver-2.0.0` version type and associated tests. | ||
|
||
## Supporting Data or Research | ||
[supporting-data-or-research]: #supporting-data-or-research | ||
|
||
|
||
## Related Issues or Proposals | ||
[related-issues-or-proposals]: #related-issues-or-proposals | ||
|
||
This change originated out of a conversation detailing the shortcomings of the current versioning system here: | ||
https://github.com/CVEProject/cve-schema/issues/362 | ||
|
||
An alternative to adopting this RFD would be to not adopt it. | ||
|
||
## Recommended Priority | ||
[recommended-priority]: #recommended-priority | ||
|
||
Medium | ||
|
||
## Unresolved Questions | ||
[unresolved-questions]: #unresolved-questions | ||
|
||
None currently. | ||
|
||
## Future Possibilities | ||
[future-possibilities]: #future-possibilities | ||
|
||
Other common versioning types could have new, validated versions provided via subsequent RFDs. |
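Review bot: The RFD header still carries the template placeholder: the row `| RFD Pull Request | [RFD #0000](https://github.com/CVEProject/cve-schema/pull/371) |` links to this pull request but labels it #0000, so the assigned RFD number should replace it before merge. Several wording slips in the same hunk also need fixing: "there is canonical list of them" (missing "no"), "Validation is proved" (should be "provided"), "Both consumers are producers" (should be "and"), "vulnerability managment automation" (management), and "upon the RFDs acceptance" (RFD's). The Proposed Solution says the regular expression is "taken directly from semver.org"; semver.org publishes two variants of that pattern (one with named capture groups, one with numbered groups), and the named-group form is not accepted by every regex engine a consumer may use, so the RFD should state which variant the schema embeds. Finally, the "Supporting Data or Research" section is empty while the Problem Statement already cites the 44% conformance measurement; either move that citation here or drop the empty heading.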
schema/support/tests/invalid/invalid-semver-2-0-0/asterisk-usage.json (51 additions, 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,51 @@ | ||
{ | ||
"dataType": "CVE_RECORD", | ||
"dataVersion": "5.1", | ||
"cveMetadata": { | ||
"cveId": "CVE-1900-1234", | ||
"assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", | ||
"state": "PUBLISHED" | ||
}, | ||
"containers": { | ||
"cna": { | ||
"providerMetadata": { | ||
"orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6" | ||
}, | ||
"problemTypes": [ | ||
{ | ||
"descriptions": [ | ||
{ | ||
"lang": "en", | ||
"description": "CWE-78 OS Command Injection" | ||
} | ||
] | ||
} | ||
], | ||
"affected": [ | ||
{ | ||
"vendor": "Example.org", | ||
"product": "Example Enterprise", | ||
"versions": [ | ||
{ | ||
"versionType": "semver-2.0.0", | ||
"status": "affected", | ||
"exactly": "1.2.*" | ||
} | ||
], | ||
"defaultStatus": "unaffected" | ||
} | ||
], | ||
"descriptions": [ | ||
{ | ||
"lang": "en", | ||
"value": "OS Command Injection vulnerability parseFilename function of example.php in the Web Management Interface of Example.org Example Enterprise on Windows, MacOS and XT-4500 allows remote unauthenticated attackers to escalate privileges.\n\nThis issue affects:\n * 1.0 versions before 1.0.6\n * 2.1 versions from 2.16 until 2.1.9." | ||
} | ||
], | ||
"references": [ | ||
{ | ||
"url": "https://example.org/ESA-22-11-CVE-1900-1234" | ||
} | ||
] | ||
} | ||
} | ||
} |
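Review bot: The negative case is sound, since `"exactly": "1.2.*"` cannot match the semver.org pattern and nothing else in the entry is malformed, so the schema must reject the record for exactly the reason the filename states; but the file only exercises the wildcard in `exactly`. Because the PR moved the pattern into a single definition that the bound properties reference (commit 5cc921e), one case is probably enough; should the bounds ever get patterns of their own, add sibling files with `1.2.*` in `inclusiveLowerBound` and `exclusiveUpperBound`. Minor: the free-text description says "2.1 versions from 2.16 until 2.1.9", which reads like a typo for 2.1.6 inherited from the template; it does not affect validation, but the test corpus is easier to audit when the prose and the structured `versions` entry agree, and here the entry covers neither range the description names.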
Since a PATCH is backwards compatible.
I may be incorrect, but I don't see this definition referenced anywhere. Is this intentional?
I believe we've resolved this point in QWG discussions since this comment was posted. "2.0" is not a valid SemVer version, and it would be awkward to version our SemVer version type with a version which is not itself a valid SemVer version.
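The comment above turns on what the semver.org pattern does and does not accept ("2.0" is not a valid version; neither is the `1.2.*` from the asterisk test). The following Python module is an added example, not code from this PR or from the cve-schema project: it embeds the numbered-group regular expression published at semver.org, validates a `versions` array entry that uses the proposed `semver-2.0.0` type and its five bound properties, and evaluates whether a candidate version falls inside the range. The structural rules it enforces (no wildcard, `exactly` cannot be mixed with a range, at most one lower and one upper bound) are inferred from the PR's commit messages, and the sample entries are constructed; the JSON schema itself is not shown on this page, so treat those rules as the example's assumptions.

```python
"""Added example (not the cve-schema project's code): validate and evaluate
proposed `semver-2.0.0` entries from a CVE record's `versions` array.

SEMVER_RE is the numbered-group pattern published at https://semver.org/.
The structural rules in validate_entry() are assumptions inferred from the
PR's test-case commit messages, not the PR's actual JSON schema.
"""
import re

SEMVER_RE = re.compile(
    r"^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)"
    r"(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)"
    r"(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?"
    r"(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$"
)

LOWER = ("inclusiveLowerBound", "exclusiveLowerBound")
UPPER = ("inclusiveUpperBound", "exclusiveUpperBound")


def is_semver(s):
    """True only for valid SemVer 2.0.0 strings ("2.0" and "1.2.*" are rejected)."""
    return isinstance(s, str) and SEMVER_RE.match(s) is not None


def validate_entry(entry):
    """Return the list of problems with one `versions` entry (empty == valid)."""
    problems = []
    if entry.get("versionType") != "semver-2.0.0":
        problems.append("versionType must be exactly 'semver-2.0.0'")
    bounds = [k for k in ("exactly",) + LOWER + UPPER if k in entry]
    for k in bounds:
        if not is_semver(entry[k]):
            problems.append(f"{k}={entry[k]!r} is not a valid SemVer 2.0.0 version")
    if "exactly" in entry and len(bounds) > 1:
        problems.append("'exactly' cannot be combined with range bounds")
    if sum(k in entry for k in LOWER) > 1:
        problems.append("only one lower bound is allowed")
    if sum(k in entry for k in UPPER) > 1:
        problems.append("only one upper bound is allowed")
    return problems


def _ident_key(ident):
    # Numeric pre-release identifiers compare numerically and sort before
    # alphanumeric ones, which compare lexically (SemVer 2.0.0, section 11).
    return (0, int(ident), "") if ident.isdigit() else (1, 0, ident)


def sort_key(s):
    """Precedence key per SemVer 2.0.0 section 11; build metadata is ignored."""
    m = SEMVER_RE.match(s)
    if m is None:
        raise ValueError(f"not a SemVer 2.0.0 version: {s!r}")
    core = tuple(int(m.group(i)) for i in (1, 2, 3))
    pre = m.group(4)
    # A release outranks any pre-release of the same core, hence the 1/0 flag;
    # tuple comparison then gives a shorter pre-release list lower precedence.
    if pre is None:
        return core + (1, ())
    return core + (0, tuple(_ident_key(p) for p in pre.split(".")))


# The five proposed properties and the operators the RFD maps them to.
OPS = {
    "exactly": lambda v, b: v == b,
    "inclusiveLowerBound": lambda v, b: v >= b,
    "exclusiveLowerBound": lambda v, b: v > b,
    "inclusiveUpperBound": lambda v, b: v <= b,
    "exclusiveUpperBound": lambda v, b: v < b,
}


def matches(entry, candidate):
    """True when `candidate` lies inside the range `entry` describes.

    A malformed entry raises ValueError rather than yielding a verdict, so a
    consumer never silently treats bad data as affected or unaffected.
    """
    problems = validate_entry(entry)
    if problems:
        raise ValueError("; ".join(problems))
    v = sort_key(candidate)
    return all(check(v, sort_key(entry[k])) for k, check in OPS.items() if k in entry)


if __name__ == "__main__":
    # Constructed sample: the asterisk case from the PR's negative test, plus a
    # range standing in for "2.1 versions from 2.1.6 until 2.1.9".
    bad = {"versionType": "semver-2.0.0", "status": "affected", "exactly": "1.2.*"}
    rng = {"versionType": "semver-2.0.0", "status": "affected",
           "inclusiveLowerBound": "2.1.6", "exclusiveUpperBound": "2.1.9"}
    print(validate_entry(bad))
    for v in ("2.1.5", "2.1.6", "2.1.9-rc.1", "2.1.9"):
        print(v, "affected" if matches(rng, v) else "unaffected")
```

Because `sort_key` discards build metadata, `exactly: "1.0.0"` matches `1.0.0+20130313144700`, which is what the specification's precedence rules require; a consumer that wants byte-equality instead should compare the raw strings before calling `matches`.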