The 5.1.0 schema has (cve-schema/schema/v5.0/CVE_JSON_5.1_schema.json, lines 76 to 78 in 2aa608b) a "format": "date-time" constraint.
It doesn't suggest preferred JSON schema validation software, but because ajv is used internally in the cve-schema repository (cve-schema/.github/workflows/validate-schema.yml, line 35 in 2aa608b), one might expect that ajv is a reasonable choice for validating the CVE Records in the official CVE List. Also, although nothing says this directly, a downstream user might reasonably expect that the latest version of ajv should work, and that using the CVE List should not require staying at an older version of ajv.
In the context of ajv, the "format": "date-time" above typically means that one should install the ajv-formats NPM package.
The problem is that the CVE List is not compatible with ajv-formats releases on or after 2024-03-30. There are thousands of CVE Records that have timestamps without a timezone, and validating the entire CVE List will produce literally millions of error messages, e.g.,
    {
      instancePath: '/cveMetadata/dateUpdated',
      schemaPath: '#/definitions/timestamp/format',
      keyword: 'format',
      params: { format: 'date-time' },
      message: 'must match format "date-time"'
    },
    {
      instancePath: '/cveMetadata/dateReserved',
      schemaPath: '#/definitions/timestamp/format',
      keyword: 'format',
      params: { format: 'date-time' },
      message: 'must match format "date-time"'
    },
    {
      instancePath: '/cveMetadata/datePublished',
      schemaPath: '#/definitions/timestamp/format',
      keyword: 'format',
      params: { format: 'date-time' },
      message: 'must match format "date-time"'
    }
etc.
The ajv-formats behavior change is documented in release notes for a release candidate, but there apparently aren't release notes on GitHub for the official 3.x releases. However, users will get an official 3.x release (with the new behavior) if they simply type npm install ajv-formats.
https://github.com/ajv-validator/ajv-formats/releases/tag/v3.0.0-rc.0
"Formats time and date-time now require timezone, as per JSON Schema specification / RFC3339"
(The timing is somewhat unusual, with the last 3.x release candidate dated 2021-11-07, but no 3.x release until 2024-03-30.)
Anyway, possible courses of action include:
inform downstream users that they must not validate CVE Records with up-to-date ajv/ajv-formats installations, and instead should do something like npm install ajv-formats@2.1.1
do a one-time change to the entire CVE List such that 100% of timestamp values have timezones, and then update CVE Services to depend on "ajv-formats": "^3.0.1" so that there are always timezones going forward
ask all CNAs to correct their CVE Records and re-submit with timezones
somehow try to change user behavior or expectations (e.g., construct an explanation for why we didn't initially require timezones and/or advise against ajv)
ignore the problem in the hope that ajv-formats 2.1.1 (or earlier) remains the most popular version
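As an added example (not code from this issue or from the cve-schema project), the following script walks a CVE 5.x record and reports, with ajv-style instancePath values, every timestamp field that has no RFC 3339 timezone and would therefore fail "date-time" validation under ajv-formats 3.x. The regex is a loose approximation of RFC 3339 rather than ajv-formats' own, the sample record is constructed, and the set of checked field names is an assumption based on the paths quoted in the error output above.

```javascript
// Loose RFC 3339 date-time: date, 'T' (or space), time, optional fraction,
// optional zone designator (Z or +hh:mm / -hh:mm). Group 1 captures the zone.
// Assumption: this approximates, but is not, the ajv-formats regex.
const DATE_TIME = /^\d{4}-\d{2}-\d{2}[Tt ]\d{2}:\d{2}:\d{2}(?:\.\d+)?(Z|z|[+-]\d{2}:\d{2})?$/;

// Field names typed as "timestamp" in the CVE schema (assumed list, taken from
// the instancePath values in the issue's error output).
const TIMESTAMP_FIELDS = new Set(["dateUpdated", "dateReserved", "datePublished"]);

// Returns "ok", "missing-timezone", or "malformed" for one timestamp string.
function classifyTimestamp(value) {
  const m = DATE_TIME.exec(value);
  if (!m) return "malformed";
  return m[1] ? "ok" : "missing-timezone";
}

// Recursively visits the record and collects every timestamp field that a
// timezone-requiring validator would reject, keyed by ajv-style instancePath.
function findTimezoneProblems(node, path = "", out = []) {
  if (Array.isArray(node)) {
    node.forEach((item, i) => findTimezoneProblems(item, `${path}/${i}`, out));
  } else if (node && typeof node === "object") {
    for (const [key, value] of Object.entries(node)) {
      const childPath = `${path}/${key}`;
      if (TIMESTAMP_FIELDS.has(key) && typeof value === "string") {
        const verdict = classifyTimestamp(value);
        if (verdict !== "ok") out.push({ instancePath: childPath, value, verdict });
      } else {
        findTimezoneProblems(value, childPath, out);
      }
    }
  }
  return out;
}

// Constructed sample record (placeholder CVE id, not a real CVE) mixing
// timezone-less values with zoned ones.
const SAMPLE_RECORD = {
  cveMetadata: {
    cveId: "CVE-0000-00000",
    dateReserved: "2024-01-02T03:04:05",
    datePublished: "2024-01-10T12:00:00.000Z",
    dateUpdated: "2024-02-01T08:30:00+02:00",
  },
  containers: { cna: { providerMetadata: { dateUpdated: "2024-02-01T08:30:00" } } },
};

// Expected: two entries, /cveMetadata/dateReserved and
// /containers/cna/providerMetadata/dateUpdated, both "missing-timezone".
console.log(findTimezoneProblems(SAMPLE_RECORD));
```

Running this over every file in the CVE List gives the set of records that the "one-time change" option above would need to touch.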