Merge pull request #753 from tschmidtb51/schema

Schema identifier added to JSONs

csaf_2.1/examples/csaf/bsi-2022-0001.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "aggregate_severity": {
       "text": "Moderate"

csaf_2.1/examples/csaf/cisco-sa-20180328-smi2.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "title": "Cisco IOS and IOS XE Software Smart Install Remote Code Execution Vulnerability",
     "category": "Cisco Security Advisory",

csaf_2.1/examples/csaf/csaf_vex/2022-evd-uc-01-a-001.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "category": "csaf_vex",
     "csaf_version": "2.1",

csaf_2.1/examples/csaf/csaf_vex/2022-evd-uc-01-f-001.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "category": "csaf_vex",
     "csaf_version": "2.1",

csaf_2.1/examples/csaf/csaf_vex/2022-evd-uc-01-na-001.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "category": "csaf_vex",
     "csaf_version": "2.1",

csaf_2.1/examples/csaf/csaf_vex/2022-evd-uc-01-ui-001.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "category": "csaf_vex",
     "csaf_version": "2.1",

csaf_2.1/examples/csaf/csaf_vex/2022-evd-uc-02-na-001.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "category": "csaf_vex",
     "csaf_version": "2.1",

csaf_2.1/examples/csaf/csaf_vex/2022-evd-uc-03-ms-001.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "category": "csaf_vex",
     "csaf_version": "2.1",

csaf_2.1/examples/csaf/csaf_vex/2022-evd-uc-04-001.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "category": "csaf_vex",
     "csaf_version": "2.1",

csaf_2.1/examples/csaf/csaf_vex/2022-evd-uc-05-001.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "category": "csaf_vex",
     "csaf_version": "2.1",

csaf_2.1/examples/csaf/csaf_vex/2022-evd-uc-06-001.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "category": "csaf_vex",
     "csaf_version": "2.1",

csaf_2.1/examples/csaf/csaf_vex/2022-evd-uc-07-001.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "category": "csaf_vex",
     "csaf_version": "2.1",

csaf_2.1/examples/csaf/csaf_vex/2022-evd-uc-08-001.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "category": "csaf_vex",
     "csaf_version": "2.1",

csaf_2.1/examples/csaf/csaf_vex/2022-evd-uc-09-001.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "category": "csaf_vex",
     "csaf_version": "2.1",

csaf_2.1/examples/csaf/csaf_vex/sec-vex-2022-0001.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "category": "csaf_vex",
     "csaf_version": "2.1",

csaf_2.1/examples/csaf/rhsa-2019_1862.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "aggregate_severity": {
       "namespace": "https://access.redhat.com/security/updates/classification/",

csaf_2.1/examples/csaf/rhsa-2021_5186.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "aggregate_severity": {
       "namespace": "https://access.redhat.com/security/updates/classification/",

csaf_2.1/examples/csaf/rhsa-2021_5217.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "aggregate_severity": {
       "namespace": "https://access.redhat.com/security/updates/classification/",

csaf_2.1/examples/csaf/rhsa-2022_0011.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "aggregate_severity": {
       "namespace": "https://access.redhat.com/security/updates/classification/",

csaf_2.1/json_schema/csaf_json_schema.json

@@ -494,9 +494,19 @@
     }
   },
   "required": [
+    "$schema",
     "document"
   ],
   "properties": {
+    "$schema": {
+      "title": "JSON schema",
+      "description": "Contains the URL of the CSAF JSON schema which the document promises to be valid for.",
+      "type": "string",
+      "enum": [
+        "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json"
+      ],
+      "format": "uri"
+    },
     "document": {
       "title": "Document level meta-data",
       "description": "Captures the meta-data about this document describing a particular set of security advisories.",

csaf_2.1/prose/edit/src/conformance.md

@@ -264,7 +264,8 @@ A CSAF content management system satisfies the "CSAF content management system"
   new advisories for that group. He might also do the user management for the group up to a configured level.
 * prefills the following fields in new CSAF documents with the values given below or based on the templates from configuration:
 
-  * `/document/csaf_version` with the value `2.0`
+  * `/$schema` with the value prescribed by the schema
+  * `/document/csaf_version` with the value prescribed by the schema
   * `/document/language`
   * `/document/notes`
     * `legal_disclaimer` (Terms of use from the configuration)
@@ -286,7 +287,8 @@ A CSAF content management system satisfies the "CSAF content management system"
   * prefills all fields which have be present in the existing CSAF document
   * adds a new item in `/document/tracking/revision_history[]`
   * updates the following fields with the values given below or based on the templates from configuration:
-    * `/document/csaf_version` with the value `2.0`
+    * `/$schema` with the value prescribed by the schema
+    * `/document/csaf_version` with the value prescribed by the schema
     * `/document/language`
     * `/document/notes`
       * `legal_disclaimer` (Terms of use from the configuration)
@@ -513,6 +515,8 @@ Secondly, the program fulfills the following for all items of:
 
 * type `/$defs/full_product_name_t/cpe`: If a CPE is invalid, the CSAF 2.0 to CSAF 2.1 converter SHOULD removed the invalid value and output a
   warning that an invalid CPE was detected and removed. Such a warning MUST include the invalid CPE.
+* `/$schema`: The CSAF 2.0 to CSAF 2.1 converter MUST set property with the value prescribed by the schema.
+* `/document/csaf_version`: The CSAF 2.0 to CSAF 2.1 converter MUST update the value to `2.1`.
 * `/document/distribution/tlp/label`: If a TLP label is given, the CSAF 2.0 to CSAF 2.1 converter MUST convert it according to the table below:
   
   | CSAF 2.0 (using TLP v1.0) | CSAF 2.1 (using TLP v2.0) |

csaf_2.1/prose/edit/src/guidance-on-size.md

@@ -282,7 +282,13 @@ A string which is an enum has a fixed maximum length given by its longest value.
 > Later versions of CSAF might add, modify or delete possible value which could change the longest value.
 > Therefore, this sizes should not be implemented as fixed limits if forward compatibility is desired.
 
-It seems to be safe to assume that the length of each value is not greater than 50. This applies to:
+The value of `/$schema` is a fixed URL, currently pointing to the JSON schema location.
+It seems to be safe to assume that the length of this value is not greater than 5. This applies to:
+
+* `/$schema` (64)
+
+For all other values, it seems to be safe to assume that the length of each value is not greater than 50.
+This applies to:
 
 * `/document/csaf_version` (3)
 * `/document/distribution/tlp/label` (12)

csaf_2.1/prose/edit/src/profiles.md

@@ -27,6 +27,7 @@ Furthermore, it is the foundation all other profiles are build on.
 A CSAF document SHALL fulfill the following requirements to satisfy the profile "CSAF Base":
 
 * The following elements MUST exist and be valid:
+  * `/$schema`
   * `/document/category`
   * `/document/csaf_version`
   * `/document/distribution/tlp/label`

csaf_2.1/prose/edit/src/schema-elements-02-properties.md

@@ -1,4 +1,4 @@
 ## Properties
 
-These final three subsections document the three properties of a CSAF document.
-The single mandatory property `document`, as well as the optional properties `product_tree` and `vulnerabilities` in that order.
+These final four subsections document the four properties of a CSAF document.
+The two mandatory properties `$schema` and `document`, as well as the optional properties `product_tree` and `vulnerabilities` in that order.

csaf_2.1/prose/edit/src/schema-elements-02-props-01-schema.md

@@ -0,0 +1,11 @@
+### Schema Property
+
+JSON schema (`$schema`) of value type `string` and `enum` with format `uri` contains the URL of the CSAF JSON schema which the document promises to be valid for.
+The single valid value for this `enum` is:
+
+```
+  https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json
+```
+
+> This value allows for tools to identify that a JSON document is meant to be valid against this schema.
+> Tools can use that to support users by automatically checking whether the CSAF adheres to the JSON schema identified by this URL.

csaf_2.1/test/filenames/data/invalid/OASIS_CSAF_TC-CSAF_2.1-2024-5-1-01.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "category": "csaf_base",
     "csaf_version": "2.1",

csaf_2.1/test/filenames/data/invalid/oasis-open_csaf_tc-csaf_21-2024-5-1-02.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "category": "csaf_base",
     "csaf_version": "2.1",

csaf_2.1/test/filenames/data/invalid/oasis____csaf_tc-csaf_2_1-2024-5-1-03.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "category": "csaf_base",
     "csaf_version": "2.1",

csaf_2.1/test/filenames/data/valid/oasis_csaf_tc-csaf_2_1-2024-5-1-11.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "category": "csaf_base",
     "csaf_version": "2.1",

csaf_2.1/test/filenames/data/valid/oasis_csaf_tc-csaf_2_1-2024-5-1-12.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "category": "csaf_base",
     "csaf_version": "2.1",

csaf_2.1/test/filenames/data/valid/oasis_csaf_tc-csaf_2_1-2024-5-1-13.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "category": "csaf_base",
     "csaf_version": "2.1",

csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-01-01.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "category": "csaf_base",
     "csaf_version": "2.1",

csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-01-02.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "category": "csaf_base",
     "csaf_version": "2.1",

csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-01-03.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "category": "csaf_base",
     "csaf_version": "2.1",

csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-01-11.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "category": "csaf_base",
     "csaf_version": "2.1",

csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-01-12.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "category": "csaf_base",
     "csaf_version": "2.1",

csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-01-13.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "category": "csaf_base",
     "csaf_version": "2.1",

csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-02-01.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "category": "csaf_base",
     "csaf_version": "2.1",

csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-02-02.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "category": "csaf_base",
     "csaf_version": "2.1",

csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-02-11.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "category": "csaf_base",
     "csaf_version": "2.1",

csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-02-12.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "category": "csaf_base",
     "csaf_version": "2.1",

csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-03-01.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "category": "csaf_base",
     "csaf_version": "2.1",

csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-03-02.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "category": "csaf_base",
     "csaf_version": "2.1",

csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-03-11.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "category": "csaf_base",
     "csaf_version": "2.1",

csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-03-12.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "category": "csaf_base",
     "csaf_version": "2.1",

csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-04-01.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "category": "csaf_base",
     "csaf_version": "2.1",

csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-04-02.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "category": "csaf_base",
     "csaf_version": "2.1",

csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-04-11.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "category": "csaf_base",
     "csaf_version": "2.1",

csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-04-12.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "category": "csaf_base",
     "csaf_version": "2.1",

csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-05-01.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "category": "csaf_base",
     "csaf_version": "2.1",

csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-06-01.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "category": "csaf_base",
     "csaf_version": "2.1",

csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-06-02.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "acknowledgments": [
       {

csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-06-11.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "category": "csaf_base",
     "csaf_version": "2.1",

csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-07-01.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "category": "csaf_base",
     "csaf_version": "2.1",

csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-07-11.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "category": "csaf_base",
     "csaf_version": "2.1",

csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-08-01.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "category": "csaf_base",
     "csaf_version": "2.1",

csaf_2.1/test/validator/data/informative/oasis_csaf_tc-csaf_2_1-2024-6-3-08-11.json

@@ -1,4 +1,5 @@
 {
+  "$schema": "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf_json_schema.json",
   "document": {
     "category": "csaf_base",
     "csaf_version": "2.1",