CVSS JSON representation updates and CVE schema compatability

[nickleali]

The CVSS SIG is currently evaluating updates to the CVSS JSON representation to ensure better validation, which is a blocker for CVSS v4.0 inclusion in CSAF 2.1.

The new draft representation is here: https://www.first.org/cvss/cvss-v4.0.rev.json

I wanted to ensure that moving the CVSS JSON representation to this form wouldn't break existing data in the CVE JSON schema. Can someone from the CVE side check?

Thanks!

[domachine]

Hi,

I just checked this schema by loading it via AJV and tested it against the following json document:

{
  "version": "4.0",
  "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
  "baseScore": 2.1,
  "baseSeverity": "LOW"
}

It compiled and used the schema successfully.

@tschmidtb51

[nickleali]

Thanks Dominik. My simple tests have shown the same. CVE-2026-2000 is a good example with well-formatted CVSS v4.0 data and that block validates against the proposed schema.

I'm also following up with Mitre and CVE to ensure compatibility with existing data. My hope is that there aren't too many data sources out there that have used values other than baseScore. Probably something that can be determined programmatically. Something to check.

[jgamblin]

I’m in favor of this proposal. As someone focused on the automation and quality of CVE data, I see this reworked representation as a major step forward. Moving to the JSON Schema 2020-12 dialect provides the technical rigor and strict validation necessary for CSAF 2.1, ensuring that vulnerability data remains both machine-readable and reliable across the entire ecosystem. This is a significant win for long-term data integrity.

[jayjacobs]

Maybe @ccoffin knows the logistics, but I think the CVE schema leverages the local CVSS schema at https://github.com/CVEProject/cve-schema/tree/main/schema/imports/cvss. They are imported directly from there in the Separate files version.

Not to derail Nick's original question, but should we consider shifting the CVE schema from the draft-07 JSON schema? Looks like there may be considerable changes (not complicated changes, just many small changes).

[tschmidtb51]

Not to derail Nick's original question, but should we consider shifting the CVE schema from the draft-07 JSON schema? Looks like there may be considerable changes (not complicated changes, just many small changes).

This should be discussed in a separate issue. But IMHO the benefits (not only in the schema but also compatibility with OpenAPI) are big.

[nickleali]

I'm also curious about moving CVE schema overall to 2020-12 and will ask about it.

[nickleali]

For awareness, I've updated the CVSS JSON schema on first.org and updated our data representations page to match.

Data in Vulnogram matches with new schema structures so likely most data in CVE is also compliant with the new CVSS JSON schema. See Vulnogram/Vulnogram#285.

[zmanion]

Is this summary correct?

1. Updated JSON format to 2020-12, which caused some non-material changes (like .definitions --> .$defs and .allOf[].anyOf[] structure).
2. Added "unevaluatedProperties": false (which might have been enabled by the update to 2020-12).

[sei-vsarvepalli]

Is this summary correct?

1. Updated JSON format to 2020-12, which caused some non-material changes (like .definitions --> .$defs and .allOf[].anyOf[] structure).
2. Added "unevaluatedProperties": false (which might have been enabled by the update to 2020-12).

Is there a related PR? Where is this test. Currently there are no test cases setup in the schema repository. It is probably much needed for changes like this.