Add a formal semver 2.0.0 version type

[darakian]

First crack at adding a formal version type in response to #362 (comment) Any others which are agreed upon should be spun up in their own PRs so that conversations in the PRs can be kept on topic

Happy to expand this if people think the full semver spec should be in this repo as well. I went back and forth on that.

Another thought is that maybe this should be a retroactive definition of the semver type. That would likely be breaking for some of the current records though.

The goal here is to have strict validation provided by cve services

[sei-vsarvepalli]

I recommend you resubmit the PR with a change in both schema/docs/CVE_Record_Format_bundled_adpContainer.json and schema/docs/CVE_Record_Format_bundled_cnaContainer.json focusing on the version field. This PR with change to just example.md will not be useful without a schema based validation, as example.md is only a human friendly markdown.

It will be best to target a JSON schema validation instead of programmatically verifying versions when they are specific like this scenario with a clear semver-2.0.0 compliance being tested.

Secondly, we should follow/extend the current schema model and extend it to satisfy this need instead of a completely new JSON schema fields like exclusiveUpperBound - it is not really as initiative as lessThan

See the current versions.md document which has some examples

https://github.com/CVEProject/cve-schema/blob/main/schema/docs/versions.md

{
  "version": "2.0.0",
  "versionType": "semver",
  "lessThanOrEqual": "2.5.1",
  "status": "affected"
}

The one we don't current have is the exclusiveLowerBound that you mention. However the other examples can be mapped according to the current schema. Potentially we can add as greaterThan boolean field which when present the version field should be treated as ">" instead of ">=" which is the current default "version" field.

So your Example will actually look like

            {
               "versionType": "semver-2.0.0",
               "version": "1.2.3-alpha",
               "lessThan": "2.3.4+build17"
             }
             {
               "versionType": "semver-2.0.0",
               "version": "3.4.5-beta",
               "greaterThan": true,
               "lessThanOrEqual": "4.5.6+assembly88"
             }
             {
               "versionType": "semver-2.0.0",
               "version": "5.6.7-gamma",
             }
             {
               "versionType": "semver-2.0.0",
               "version": "6.7.8-delta",
             }

You need to build a JSON schema validator to work with such data, with versionType frozen with enum as semver-2.0.0 and valid regex to "version", "lessThanOrEqual" and "lessThan" fields require regex validator
/^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$/
Finally provide the additional "greaterThan" boolean field perhaps that will treat version as ">" instead of ">=".

[darakian]

Thank for the comment and I can update the json in this PR once we get to consensus 👍

With respect to the range fields themselves, after seeing you rewrite my example I think it makes sense to simplify and create new fields so that a parser doesn't need to implement conditional logic based on the combination of fields present. I think this will make for simpler and more maintainable code long term. Maybe more people can chime in on this point.

As for the regex it looks like the one you're suggesting is the second of the two provided on semver.org. Albeit with a leading and trailing /.

For documentation's sake here are the two

One with named groups for those systems that support them (PCRE [Perl Compatible Regular Expressions, i.e. Perl, PHP and R], Python and Go).

^(?P<major>0|[1-9]\d*)\.(?P<minor>0|[1-9]\d*)\.(?P<patch>0|[1-9]\d*)(?:-(?P<prerelease>(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+(?P<buildmetadata>[0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$
and

one with numbered capture groups instead (so cg1 = major, cg2 = minor, cg3 = patch, cg4 = prerelease and cg5 = buildmetadata) that is compatible with ECMA Script (JavaScript), PCRE (Perl Compatible Regular Expressions, i.e. Perl, PHP and R), Python and Go.

^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$

[darakian]

Had a thought hit me about one sided ranges, so I added two more examples

            {
              "versionType": "semver-2.0.0",
              "exclusiveUpperBound": "1.0.0",
            }
            {
              "versionType": "semver-2.0.0",
              "inclusiveLowerBound": "9.0.0",
            }

Which allow someone to express the idea of everything under X or everything over Y. The former of those two is reasonably common.

[darakian]

So your Example will actually look like
...

           {
             "versionType": "semver-2.0.0",
             "version": "3.4.5-beta",
             "greaterThan": true,
             "lessThanOrEqual": "4.5.6+assembly88"
           }

@sei-vsarvepalli where does the greaterThan parameter come from? I'm prepping my comparison of the two representations for thursday's QWG and I can't find a reference to this parameter in the docs. Searching the repo for the string brings back only this PR
https://github.com/search?q=repo%3ACVEProject%2Fcve-schema%20greaterThan&type=code
Am I missing something?

[sei-vsarvepalli]

So your Example will actually look like
...

           {
             "versionType": "semver-2.0.0",
             "version": "3.4.5-beta",
             "greaterThan": true,
             "lessThanOrEqual": "4.5.6+assembly88"
           }

@sei-vsarvepalli where does the greaterThan parameter come from? I'm prepping my comparison of the two representations for thursday's QWG and I can't find a reference to this parameter in the docs. Searching the repo for the string brings back only this PR https://github.com/search?q=repo%3ACVEProject%2Fcve-schema%20greaterThan&type=code Am I missing something?

The field greaterThan does not exit today. It could be an option if you want to maintain the other fields as-is and then add something without having to recreate a new field. Appending a not-required field greaterThan is a non-breaking change, allowing other versionType fields to adopt something similar as we move towards enforcing stricter schema checks.

[darakian]

Gotcha. Then I guess the difference between the two approaches in schema terms is to add a greaterThan parameter vs adding the inclusiveLowerBound, exclusiveLowerBound, inclusiveUpperBound, exclusiveUpperBound, and exactly parameters.

I've written a pretty simple parser in python for my proposal. It assumes perfect data (validated) and that the data is semver-2.0.0, but I think it gets the point across on the simplicity of parsing. Feel free to play around with it as well by changing the specific parameters in the test. I think I covered all the cases and it can probably be simplified further.

import json

test_json_string = """
{
    "versionType": "semver-2.0.0", 
    "status": "affected", 
    "exclusiveLowerBound": "1.2.3-alpha",
    "inclusiveUpperBound": "2.3.4+build17"
    }
"""

def parse_decoded_json(json):
	if json.get("exactly"):
		return f'= {json.get("exactly")}'

	if json.get("inclusiveLowerBound"):
		lower = f'{">= "+json.get("inclusiveLowerBound")}'
	elif json.get("exclusiveLowerBound"):
		lower = f'{"> "+json.get("exclusiveLowerBound")}'
	else:
		lower = ""

	if json.get("inclusiveUpperBound"):
		upper = f'{"<= "+json.get("inclusiveUpperBound")}'
	elif json.get("exclusiveUpperBound"):
		upper = f'{"< "+json.get("exclusiveUpperBound")}'
	else:
		upper = ""

	return f'{lower}, {upper}'

the_json = json.loads(test_json_string)
print(parse_decoded_json(the_json))

I initially had

lower = f'{">= "+json.get("inclusiveLowerBound") if json.get("inclusiveLowerBound") else "> "+ json.get("exclusiveLowerBound")}'
upper = f'{"<= "+json.get("inclusiveUpperBound") if json.get("inclusiveUpperBound") else "< "+ json.get("exclusiveUpperBound")}'

However that doesn't handled one sided ranges and I wanted to get some code up before today's qwg meeting. I also haven't had time to make a complete comparison parser, but translating the section

if json.get("exactly"):
	return f'= {json.get("exactly")}'

results in something that needs to look like

if json.get("version") and (not json.get("lessThan") or not json.get("greaterThan") or not json.get("lessThanOrEqual")):
		return f'= {json.get("version")}'

as the code needs to be sure that the parameter version stands alone. Having a new parameter with a single function simplifies that logic.

[darakian]

@sei-vsarvepalli the new properties are in as of commit 62db169, however I'm not sure how to express the valid combinations of parameters for the semver 2.0.0 version type. Do I need to do something like a oneOf for the versions block itself? eg.

"versions": {
                    "oneOf": [
                    "type": "array",
                    "description": "Set of product versions or version ranges related to the vulnerability. The versions satisfy the CNA Rules [8.1.2 requirement](https://cve.mitre.org/cve/cna/rules.html#section_8-1_cve_entry_information_requirements). Versions or defaultStatus may be omitted, but not both.",
                    "minItems": 1,
                    "uniqueItems": true,
                    "items": {
                        "type": "object",
                        ...

Where the first option in the one of is the entire current payload and the other is the semver 2.0.0? Maybe you know a simpler approach?

[darakian]

I let this stew for a bit and I think 046dadd is in the right direction. I think its possible to only allow those parameter combinations when the version type is semver 2.0.0, but not sure how to encode that yet.

[darakian]

@sei-vsarvepalli Ok, so I'm trying to run the tests locally and it seems I need to rebuild dist/cve5validator.js. When attempting to do so though I get Error: Cannot find module '../../docs/CVE_JSON_bundled.json'. It looks like that file got renamed here
a3babe8

However that file doesn't seem to reference the CVE schema file that I've been making edits to, so I'm a little confused how this all works for local testing. Am I missing something basic here? Am I editing the wrong file?

[sei-vsarvepalli]

@sei-vsarvepalli Ok, som I'm trying to run the tests locally and it seems I need to rebuild dist/cve5validator.js. When attempting to do so though I get Error: Cannot find module '../../docs/CVE_JSON_bundled.json'. It looks like that file got renamed here a3babe8

However that file doesn't seem to reference the CVE schema file that I've been making edits to, so I'm a little confused how this all works for local testing. Am I missing something basic here? Am I editing the wrong file?

What tests are you running? It looks like the starting point of your repo is main which has diverged quite a bit too. Perhaps start with either the develop branch or feature-144-SSVC seem more that target for 5.2.0 where this semver update is expected to be bundled.

Your JSON file is also mangled, the line 323 is missing a comma. When I run test against your branch I get this error

ParserError: Error parsing ./cve-schema/schema/cve-schema.json: missed comma between flow collection entries (324:29)

 321 |                                     {"required": ["exclusiv ...
 322 |                                 ]
 323 |                             }
 324 |                             {
-----------------------------------^

[darakian]

Thanks for pointing out the comma. Added that in.

I'm trying to run the node validation suite with node validate.js ../tests/valid/semver2-0-0.json. The test is running fwiw. I'm getting the following

jon~/g/!/c/s/s/Node_Validator:add-semver-2.0.0-versionType❯❯❯ node validate.js ../tests/valid/semver2-0-0.json
../tests/valid/semver2-0-0.json is invalid:
[
  {
    instancePath: '/containers/cna/affected/0/versions/0',
    schemaPath: '#/properties/versions/items/oneOf/0/maxProperties',
    keyword: 'maxProperties',
    params: { limit: 2 },
    message: 'must NOT have more than 2 properties'
  },
  {
    instancePath: '/containers/cna/affected/0/versions/0',
    schemaPath: '#/properties/versions/items/oneOf/1/required',
    keyword: 'required',
    params: { missingProperty: 'version' },
    message: "must have required property 'version'"
  },
  {
    instancePath: '/containers/cna/affected/0/versions/0',
    schemaPath: '#/properties/versions/items/oneOf/2/required',
    keyword: 'required',
    params: { missingProperty: 'version' },
    message: "must have required property 'version'"
  },
  {
    instancePath: '/containers/cna/affected/0/versions/0',
    schemaPath: '#/properties/versions/items/oneOf/3/required',
    keyword: 'required',
    params: { missingProperty: 'version' },
    message: "must have required property 'version'"
  },
  {
    instancePath: '/containers/cna/affected/0/versions/0',
    schemaPath: '#/properties/versions/items/oneOf',
    keyword: 'oneOf',
    params: { passingSchemas: null },
    message: 'must match exactly one schema in oneOf'
  },
  {
    instancePath: '/cveMetadata/state',
    schemaPath: '#/properties/state/enum',
    keyword: 'enum',
    params: { allowedValues: [Array] },
    message: 'must be equal to one of the allowed values'
  },
  {
    instancePath: '',
    schemaPath: '#/oneOf',
    keyword: 'oneOf',
    params: { passingSchemas: null },
    message: 'must match exactly one schema in oneOf'
  }
]
Summary: Validation FAILED for 1 out of 1 files!

Which made me think that the validation is failing to match a case on the versions section and hence looking into build.js. I could rebase this branch but it doesn't feel like that's an issue here.

[darakian]

I'll get to the rest of the trailing commas later today. Thanks for the tool 👍

More importantly, a semver-2.0.0 data producer needs to be aware of:

1. if there is no fixed version, then you should use `greaterThanOrEqual` with the value of the earliest affected version

2. if there is a fixed version, then you should specify both the fixed version and the earliest affected version in the same array element. The fixed version goes in the `lessThan` field. The earliest affected version is also entered, just like before, except that you need to spell `greaterThanOrEqual` differently. You need to spell it `version` or else it won't work.

3. if you know the last affected version (e.g., `"lessThanOrEqual": "1.2"`) but don't know the earliest affected version, and want to capture the largest possible range, then you need to enter `0.0.0-0` because that is ordered before all other versions [THIS IS ALREADY ADDRESSED IN TODAY'S COMMITS]

To address these point by point

1. The schema cannot know of the existence of a fixed version for a piece of software and so cannot enforce behavior dependent on the existence of a fixed version. We can at most document best practice which I'm fine with doing.

---

3. If I'm consuming a record to see if it applies to me my task is to do an intersection between the set of versions I use and the set of versions labeled as vulnerable/broken/bad. Intersecting my set 1.2.3 && 1.7.19, && 0.7.3 && 19.1.1 with >= 0.0.0, < 13.3.7 and with < 13.3.7 give the same results. This is an aesthetic difference. If you want to say that we don't allow for ranges which are unbounded from below then I'm ok with that. I believe we discussed this in a QWG meeting and chris commented on using 0.0.0 as a lower bound back here
   Add a formal semver 2.0.0 version type #371 (comment)
   This might be a case where enforcement/normalization can be done via cve services.

---

2. I agree that the current construction is a bit awkward. How would you feel about a construction where lower bounds always use lessThan/lessThanOrEqual and upper bounds always use greaterThan/greaterThanOrEqual?

[ElectricNroff]

For 'How would you feel about a construction where lower bounds always use lessThan/lessThanOrEqual and upper bounds always use greaterThan/greaterThanOrEqual?': I am opposed to this for the 5.x version series of the CVE Record Format.

Consumers today can use the GET /cve/:id API to retrieve one CVE Record. They have built processes that recognize three allowable cases related to an element of the versions array: either a version property exists and is the only affected version, a version property exists and is the beginning of a range, or there is defaultStatus without a versions array at all (meaning that the same status applies to all versions). If any new case is introduced, such as greaterThanOrEqual with neither version (inside the versions array) nor defaultStatus (outside the versions array), then the API is not backward compatible from the perspective of a caller of GET /cve/:id.

Writing a reference implementation of different behavior is not sufficient. If we change the behavior at some future point (in favor of greaterThanOrEqual or other new properties), then we need a communication plan that can effectively reach consumers, and a substantial period of time for consumers to adapt their use cases to new business logic. This would typically be announced as a substantial update, one with breaking changes for GET /cve/:id API consumers, etc.

I believe the correct approach to SemVer is along the lines of what I originally suggested in 2023 at #263 - that:

1. Producers are not entitled to declare their version as (any type of) SemVer unless they comply with the intention of the CVE Record Format.
2. Ability to do that should be considered a "loophole" in the schema, and can be addressed in a way that is similar to how other loopholes were addressed in https://github.com/CVEProject/cve-schema/releases/tag/v5.1.0
3. There is not enough justification to support any differences in how versions are expressed between SemVer 1 and SemVer 2.0.0. Very few CVE Records have version numbers that are valid under SemVer 1 but not valid under SemVer 2.0.0. (Also, many of these are from producers who are using date-based version numbers that begin with a year - they are not following the SemVer semantics of major version, and should not be writing "semver" regardless of whether they have version strings that satisfy the regular expression.)
4. Going forward, when a data item is intended to be a SemVer version number, it should be accepted only if it complies with SemVer 2.0.0. The minimal usage of version numbers that are valid SemVer 1 but not valid SemVer 2.0.0 can be labeled as "custom" without any significant impact to consumers.
5. Finally, in the "when a data item is intended to be a SemVer version number" phrase, I mean that producers can continue to use 0 and * as they do today. These are not intended to be SemVer version numbers and are instead an alternate syntax (that happens to be used within the same fields such as version or lessThan). The alternate syntax can be abandoned in CVE Record Format 6.

I tried to extract every string from every current CVE Record that is intended to be a SemVer version number, and then I compared them to the SemVer 1 regular expression and to the SemVer 2.0.0 regular expression. The result was that 1.4% (see below) of these version numbers were valid for SemVer 1 but not valid for SemVer 2.0.0. A reasonable assessment is that SemVer 2.0.0 is sufficient for the community's needs, and should be what "semver" means in the CVE Record Format going forward.

We should not be considering a complex and controversial semver-2.0.0 proposal to address a 1.4% case.

01.01.2024
04.07.01
06.09.04
09.05.2025
1.0.06
1.0.5-0185
1.0.7-0298
1.01.1
1.1.1-0383
1.12.04
1.2.0-0525
1.4.4-0635
1.4.7-0687
1.6.001
1.7.08
1.8.02
12.15.01
12.4.05
17.012.30205
17.012.30229
19.02.2024
2.0.02
2.05.03
2.7.01
20.005.30514
20.02.2025
22.003.20281
22.01.02
22.02.1
22.03.8
23.003.20244
23.09.1
24.001.30123
24.002.20736
24.002.20991
24.003.20054
24.06.1
25.001.20428
25.001.20521
3.3.03
3.3.07
3.3.08
3.3.091
3.5.04
3.5.07
5.2.02
5.25.08
5.3.01
5.3.02
5.4.01
5.6.06
6.20.01
6.30.03
7.06.013
7.18.03
8.30.01

[ElectricNroff]

There was some discussion in the QWG today about a schema in which there was always a version property in each element of the versions array. I agree that that schema may exist somewhere, and I agree that that schema might resolve some of the differences of opinion. However, as far as I can tell, that is not the schema associated with the latest version of the pull request. The schema file from the latest version of the pull request is https://github.com/CVEProject/cve-schema/blob/46c5293235eaf6908410b0542c5f770f4c1e1abb/schema/CVE_Record_Format.json and has:

         "oneOf": [
                            {
                                "required": ["version", "status"],
                                "maxProperties": 2
                            },
                            {
                                "required": ["version", "status", "versionType"],
                                "maxProperties": 3
                            },
                            {
                                "required": ["status", "versionType", "lessThan"]
                            },
                            {
                                "required": ["status", "versionType", "lessThanOrEqual"]
                            },
                            {
                                "required": ["status", "versionType", "greaterThan"]
                            },
                            {
                                "required": ["status", "versionType", "greaterThanOrEqual"]
                            }
                        ],

With this schema, it is valid to write:

         "versions": [
            {
              "greaterThanOrEqual": "1.0.0",
              "status": "affected",
              "versionType": "semver"
            }
          ]

(i.e., no version property at all). Regardless of when your proposal is adopted by the group, it may be useful if everyone is talking about the same schema.

[darakian]

@ElectricNroff can we dig in on a concern I may not be fully understanding? Let's use the json you just posted

         "versions": [
            {
              "greaterThanOrEqual": "1.0.0",
              "status": "affected",
              "versionType": "semver"
            }
          ]

I see this as an encoding of the expression all versions greater than or equal to 1.0.0 and I don't see lack of the version property as a problem. So

1. Do you think the version property should always be present even if its interpretation will vary versionType to versionType?
2. If I changed the construction such that the version property would always be present would that suffice? Or put another way, what would you want to always be true of a versions block?

Give me a bit more time to parse your longer post above.

[ElectricNroff]

Yes, I want the version property to always be present even if its interpretation will vary versionType to versionType. To me, it is appealing that it always means "the point in the lifecycle of this thing at which the vulnerability was first present." Any consumer today may have a data-processing rule, or an alert system, or even a UI layout that focuses on that specific property. An exception, of course, is OmniBOR, where the thing is immutable, i.e., the sha256 hash itself doesn't have a lifecycle (and thus we currently only use defaultStatus and don't use a versions array at all).

Just having version always required, without no other redesign, isn't an effective solution. For changes within the CVE Record Format 5.x series, I would like to offer the behavior of "if you see an unrecognized data element, and simply ignore it, you are no worse off." For

"versions": [
            {
              "version": "1.0..0",
              "greaterThanOrEqual": "1.0.0",
              "status": "affected",
              "versionType": "semver-2.0.0"
            }
          ]

if you ignore greaterThanOrEqual then you conclude that exactly 1.0.0 (and nothing else) is affected. The consumer thus has a huge misinterpretation of the data, one that could realistically change the picture from "you are unlikely to be vulnerable" to "you are almost certainly vulnerable."

[darakian]

Yes, I want the version property to always be present even if its interpretation will vary versionType to versionType. To me, it is appealing that it always means "the point in the lifecycle of this thing at which the vulnerability was first present."

I think these two sentences are at odds with each other (at least as I read them). If the meaning of version can vary then one could construct another meaning than "first known vulnerable". I do agree that it's appealing to know a first known vulnerable version though and let me get back to you tomorrow with a concrete proposal for a different construction. We can discuss specifics from there 👍

[darakian]

For your larger post, I think we touched on most of those points in the QWG meeting yesterday and noted that the concern is less about the small diff from semver 1 to semver 2 and more about the general inconsistency. Also curious where you found the semver 1 regex. If you think there's a point in there I'm glossing over that I shouldn't be or that wasn't addressed synchronously please call it out.

For the new construction what do you think about this. We keep.

"oneOf": [
    {
        "required": ["version", "status"],
        "maxProperties": 2
    },
    {
        "required": ["version", "status", "versionType"],
        "maxProperties": 3
    },
    {
        "required": ["version", "status", "versionType", "lessThan"]
    },
    {
        "required": ["version", "status", "versionType", "lessThanOrEqual"]
    }
],

and in the case that versionType == semver-2.0.0 we require the semver regex validation on the
version, lessThan, and lessThanOrEqual
parameters. This lets us define
= x as

{
  "version": "x",
  "status": "affected",
  "versionType": "semver-2.0.0"
}

>= x, < y as

{
  "version": "x",
  "lessThan": "y",
  "status": "affected",
  "versionType": "semver-2.0.0"
}

>= x, <= y as

{
  "version": "x",
  "lessThanOrEqual": "y",
  "status": "affected",
  "versionType": "semver-2.0.0"
}

and I'll propose two special cases which would otherwise be invalid ranges so that we can capture < x and <= x
> x as

{
  "version": "x",
  "lessThan": "0.0.0",
  "status": "affected",
  "versionType": "semver-2.0.0"
}

and >= x as

{
  "version": "x",
  "lessThanOrEqual": "0.0.0",
  "status": "affected",
  "versionType": "semver-2.0.0"
}

with the understanding that x != 0.0.0. This lets us represent the concept of "greater than (or equal to)" without introducing new parameters. We could also do 0.0.0-0 or whatever if you like, but some "single special case" so that its easy to write validation/tooling. Unbounded below ranges < x and <= x can be encoded with a lower bound manually set to 0.0.0.
That is
< x as

{
  "version": "0.0.0",
  "lessThan": "x",
  "status": "affected",
  "versionType": "semver-2.0.0"
}

and
<= x as

{
  "version": "0.0.0",
  "lessThanOrEqual": "x",
  "status": "affected",
  "versionType": "semver-2.0.0"
}

This gives us all of our normal mathematical range tools aside from a non-inclusive lower bound
(x, y) / > x, < y
and
(x, y] / > x, <= y
but maybe we can live without that.

With this construction the version parameter is always present in any expression of a semver-2.0.0 range and version is always a lower bound (or only bound). In the case where it is a non-inclusive lower bound it does not imply that it is the "first known vulnerable" but rather the "last known good". In the case where version stands alone (= x) it also doesn't imply "first". If this approach is amicable to you (and the group as a whole) I'll update the tests, docs, etc... in another commit.

[ElectricNroff]

I don't think that typical SemVer implementations would consider it invalid to check whether an observed version number is less than 0.0.0. Consequently, they have no innate knowledge that a range that ends in 0.0.0 is invalid. They would just do the math as defined by the SemVer specification, and conclude that any observed version is simply not inside the range,

Therefore, this is a breaking change because all such code would need to be changed.

Here is one example of SemVer comparison within an Open Source vulnerability scanning product:
https://github.com/wazuh/wazuh/blob/4330cc0020bdcfd19e2f6605a5b2e3886de66b7a/src/wazuh_modules/vulnerability_scanner/src/scanOrchestrator/versionMatcher/versionObjectSemVer.hpp#L117-L170

[darakian]

Indeed it is atypical. It was designed to meet your requirement of the version property being ever present. It was never going to be typical and I'm fairly certain that was well understood. Just to state it, you had asserted that you would be happy with a new construction that always included the version property even if the meaning of it changed
Please see: #371 (comment)

Consequently, they have no innate knowledge that a range that ends in 0.0.0 is invalid.

They have no innate knowledge of anything today. Please see: #362

Therefore, this is a breaking change because all such code would need to be changed.

We have yet to define what is and is not a breaking change 👍. Please see #418

[darakian]

At the request of the QWG meeting today here are the other two constructions. For ease of readability I'll be breaking these into two posts.

The first which was first introduced here e637776 and which was designed to be completely new so that existing parsers would be the least likely to misinterpret the new data. Discussed back around this comment #371 (comment)
Also, to state it clearly the code I shared in that comment should be considered public domain.

Five new properties are introduced.
inclusiveLowerBound, exclusiveLowerBound, inclusiveUpperBound, exclusiveUpperBound, and exactly

Which would allow the construction of

The singleton

= x as

{
  "exactly": "x",
  "status": "affected",
  "versionType": "semver-2.0.0"
}

Two sided ranges

>= x, < y as

{
  "inclusiveLowerBound": "x",
  "exclusiveUpperBound": "y",
  "status": "affected",
  "versionType": "semver-2.0.0"
}

>= x, <= y as

{
  "inclusiveLowerBound": "x",
  "inclusiveUpperBound": "y",
  "status": "affected",
  "versionType": "semver-2.0.0"
}

> x, < y as

{
  "exclusiveLowerBound": "x",
  "exclusiveUpperBound": "y",
  "status": "affected",
  "versionType": "semver-2.0.0"
}

> x, <= y as

{
  "exclusiveLowerBound": "x",
  "inclusiveUpperBound": "y",
  "status": "affected",
  "versionType": "semver-2.0.0"
}

One sided ranges

> x as

{
  "exclusiveLowerBound": "x",
  "status": "affected",
  "versionType": "semver-2.0.0"
}

>= x as

{
  "inclusiveLowerBound": "x",
  "status": "affected",
  "versionType": "semver-2.0.0"
}

< x as

{
  "exclusiveUpperBound": "x",
  "status": "affected",
  "versionType": "semver-2.0.0"
}

<= x as

{
  "inclusiveUpperBound": "x",
  "status": "affected",
  "versionType": "semver-2.0.0"
}

The design is primarily for machines, but I think the wording choice also makes it easy for an uninitiated human with a basic mathematics education to understand the raw data in a pinch. The use of completely new properties is to avoid any interpretation conflict with existing parsers. The choice of breaking out = into a distinct case simplifies parser logic over trying to reuse properties with different interpretation logic dependent on surrounding properties. Otherwise I think this is the simplest and most straight forward choice. It was (and still is) my first choice :)

[darakian]

The second choice which was introduced in a72e5b8 to "avoid bloat" by request
See: #371 (comment)

Two new properties are introduced.
greaterThan, and greaterThanOrEqual which are to be used in conjunction with the prior three (version, lessThan, lessThanOrEqual)

Which are then used in expressions as
= x as

{
  "version": "x",
  "status": "affected",
  "versionType": "semver-2.0.0"
}

Two sided ranges

>= x, < y as

{
  "version": "x",
  "lessThan": "y",
  "status": "affected",
  "versionType": "semver-2.0.0"
}

>= x, <= y as

{
  "version": "x",
  "lessThanOrEqual": "y",
  "status": "affected",
  "versionType": "semver-2.0.0"
}

Two sided ranges with exclusive lower bounds were not implemented and it's unclear how to cleanly implement them with the restrictions that were imposed on this implementation. One could consider something like
> x, < y

{
  "greaterThan": "x",
  "lessThan": "x",
  "status": "affected",
  "versionType": "semver-2.0.0"
}

and omit version. However, the constraint was that version must be present. If there are two special cases that allow it not to be present then why not always allow it. If so this becomes a name swap with the original proposal.

One sided ranges

> x as

{
  "greaterThan": "x",
  "status": "affected",
  "versionType": "semver-2.0.0"
}

>= x as

{
  "greaterThanOrEqual": "x",
  "status": "affected",
  "versionType": "semver-2.0.0"
}

< x as

{
  "lessThan": "x",
  "status": "affected",
  "versionType": "semver-2.0.0"
}

<= x as

{
  "lessThanOrEqual": "x",
  "status": "affected",
  "versionType": "semver-2.0.0"
}

In retrospect I view this construction as something of a halfway house and as such is my least favorable option. The third construction here #371 (comment)
encodes the same ranges without the need for two new properties is a tighter construction imo. I really should have thought of it back in april. C'est la vie.

[andrewpollock]

The third construction here #371 (comment)
encodes the same ranges without the need for two new properties is a tighter construction

So in the interests of having current state at the end of this very long comment trail, what does that mean for the path forward?

[darakian]

@andrewpollock That's a question for the QWG chair's @david-waltermire, @ccoffin, @MrMegaZone and potentially the board.

I see Dave thumbs up'd the original construction
#371 (comment)
which is my preference, but I'd rather not move forward rewriting/reverting this whole thing until I have clarity on which approach (if any) is acceptable.

[rjb4standards]

How would I know which specific versions are between 2.0.0 and 2.5.7 using this approach?

{
"greaterThan": "x",
"lessThan": "x",
"status": "affected",
"versionType": "semver-2.0.0"
}

[darakian]

How would I know which specific versions are between 2.0.0 and 2.5.7 using this approach?

They would be the versions V which when evaluated with the semver ordering/precedence rules
https://semver.org/#spec-item-11
Would be greater than 2.0.0 and lower than 2.5.7
Or V ∈ (2.0.0, 2.5.7)

[rjb4standards]

Got it. So the software producer will know which versions are in the set, but how would a consumer know which versions are in the set.

[darakian]

They would check for whichever version(s) of interest are relevant.

Edit: If the question you're asking is more along the lines of How does one represent a list of discrete versions
then that would be done with multiple version statements. The specific word choice would depend on which construction is chosen but a pseudo example could be

{
"exactly": "x1",
"status": "affected",
"versionType": "semver-2.0.0"
}
{
"exactly": "x2",
"status": "affected",
"versionType": "semver-2.0.0"
}
{
"exactly": "x3",
"status": "affected",
"versionType": "semver-2.0.0"
}
....

[rjb4standards]

Got it, so if they are running version 2.3.4-beta this would be in the set because it's between 2.0.0 and 2.5.7
Do you know if/when NIST NVD will support this VERS range in their search API?

[darakian]

Right. By the rules of semver 2.0.0 < 2.3.4-beta < 2.5.7 and so your version is affected (or unaffected if the record says unaffected instead).

Do you know if/when NIST NVD will support this VERS range in their search API?

after this PR merges at very least. I have no idea if this is even on their radar though to be honest. If there's a tooling related question
https://github.com/CVEProject/automation-working-group
is likely a better place for it.

[alilleybrinker]

@rjb4standards this is distinct from NIST's NVD search API. The Record Format (what we're discussing here), is managed by the CVE project. NVD, maintained by NIST, is a downstream consumer of CVE data. So even if/when this proposal for a new version type is added to CVE, it'll be up to NVD what to do about it.

[rjb4standards]

@alilleybrinker Thanks for clarifying. Does this mean the CVE Foundation will have a searchable API that supports the sem version range? For example, show me all the CVE's for ACME 2.3.4-beta?

[alilleybrinker]

@rjb4standards the CVE Foundation is different from the CVE Project. As for what the CVE Project would do for improving search, I recommend talking to the Automation Working Group and/or the Consumer Working Group. You can find out more about the groups here: https://www.cve.org/ProgramOrganization/WorkingGroups

[rjb4standards]

@alilleybrinker thanks for clarifying. The CVE space is getting very confusing with the looming funding deadline coming fast.

[alilleybrinker]

In today's QWG meeting, the group talked through the open options in detail, producing 7 possible options, which we've narrowed down to 5.

We agreed that @darakian will produce a brief write-up of the 8 options, and then I will put together a ranked choice voting poll for those options, which will be distributed to QWG members.

@ccoffin will also talk to the AWG to figure out what timeline may be doable for a 6.0.0 release, to inform the answer to the question of whether this change should be in a major or minor version.

[darakian]

I'm not sure I understand why this PR is considered breaking in the light of the purl PRs being merged and scheduled for 5.2.0. My understanding leaving the qwg meeting today was that this PR added optional values to a required element and that the group considered such a change breaking. Is my understanding accurate?

[alilleybrinker]

I'm out of office tomorrow but I can write up an answer for the reasoning on why I think this is breaking on Monday.

[alilleybrinker]

Okay, here is my breakdown of why I think all three formulations of the proposal are breaking. This comes after discussion within the QWG, and is particularly influenced by @ElectricNroff's points on this topic.

---

I'll break down my analysis by option. Note that all three proposals include the introduction of a new version type, called semver-2.0.0. This new version type, usable as a value with the versionType field within versions array objects, would not be breaking, so it is excluded from the analyses below.

The semver-2.0.0 version type would not be breaking because to-date, all values in the versionType field are merely hints to CVE consumers about the values within any version-encoding field. While there are documented recommendations on how to handle some common existing version types, there is no enforcement within the CVE Record Format or CVE Services to ensure that version data provided actually matches the expectations set by the versionType field, and consumers must today exercise full caution to handle the complexity of version types regardless of what is present in the versionType field. As such, the introduction of a documented new versionType option, even one that does impose restrictions on version field values going forward, would not introduce a breaking change, as there are no expectations of correctness or stability associated with the versionType field.

While, in theory, the QWG could move forward with a proposal which only adopts the new semver-2.0.0 version type, there is a limitation we'd accept in that case. Today, CVE Records can encode unbounded ranges in two ways. For unbounded range starts, they can use "version": "0". For unbounded range ends, they can use "lessThan": "*" (or, to bound within a major series, use "lessThan": "X.*", replacing X with the major series number). These are documented in versions.md within the cve-schema repository.

The semver-2.0.0 version type, because it restricts version values to comply with the SemVer specification, would not permit the use of either of these constructions (neither "0" or "X.*" are valid versions under SemVer). So, new fields or new semantics are needed to support the full set of range constructions supported by existing version types. Without them, CNAs would be forced to choose between stronger validation on version values with the new semver-2.0.0 version type, or the ability to express unbounded ranges.

On a more general point, the analyses below are complicated by the fact that today, the CVE Record Format has no standardized versioning rules. In the future, with the adoption of SemVer for the Record Format itself, this kind of analysis will hopefully become much easier and clearer. Given the lack of agreed-upon stability standards, I am going to have to be conservative in considering how changes will impact stability expectations for CVE data providers (CNAs, ADPs, the Secretariat) and for CVE data consumers (vulnerability managers, third-party tool vendors, etc.).

Option 1: Five new fields

See here: #371 (comment)

This option proposes the introduction of five new fields into versions array objects, namely:

• inclusiveLowerBound
• exclusiveLowerBound
• inclusiveUpperBound
• exclusiveUpperBound
• exactly

While these would be optional new fields within the versions array object, their use would still be breaking for CVE consumers.

Consider for example, the following versions array:

[
	{
		"versionType": "semver-2.0.0",
		"inclusiveLowerBound": "1.0.0",
		"exclusiveUpperBound": "3.0.0",
		"status": "affected"
	}
]

Semantically, this array is equivalent to the following, with the existing non-validated and non-spec-compliant semver version type:

[
	{
		"versionType": "semver",
		"version": "1.0.0",
		"lessThan": "2.*",
		"status": "affected"
	}
]

However, the construction with the newly-introduced fields would not be usable by an existing CVE consumer. All existing CVE consumers who handle the versions array would need to update their logic to accommodate the new fields. There is also not a way to make the new fields semantically optional, because they do not map 1-to-1 with the existing fields. For example, the existing "version" field will map either to the new field "exactly" (when the versions array object is specifying a single version) or to either "inclusiveLowerBound" or "exclusiveLowerBound" (when the versions array object is specifying a version range).

Given that CVE consumers would need to update their versions array handling logic to work with data produced with these new fields, the introduction of them is breaking even though the use of the fields themselves by CNAs is optional.

Note

This distinction, that fields can be optional for CNAs to use, but may be semantically mandatory for CVE consumers to handle, is the central point that makes Options 1 and 2 breaking. It's also why the recently-merged support for Package URLs is not breaking. The new packageURL field is both optional for CNAs and is semantically optional for CVE consumers, who can freely ignore it with no impact to the correctness of their CVE Record handling code. In that context, existing identifier fields (product and vendor or collectionURL and packageName) will continue to be present and can be used by themselves without any consideration of packageURL.

Option 2: Two new fields

See here: #371 (comment)

This option proposes the introduction of two new fields into versions array objects, namely:

• greaterThan
• greaterThanOrEqual

While these are, like Option 1, optional new fields, they are also breaking for CVE consumers. Take the following example versions array:

[
	{
		"versionType": "semver-2.0.0",
		"greaterThanOrEqual": "1.0.0",
		"lessThan": "2.0.0",
		"status": "affected"
	}
]

This encodes the same range encoded in the example given for Option 1. Same as in that case, because of the missing "version" field, logic written for handling versions array entries by existing CVE consumers would not work for this array. Same as in Option 1, the mapping of fields is also not 1-to-1, so there is no way to make the new fields semantically optional. The existing "version" field can map to either "greaterThan" or "greaterThanOrEqual depending on whether the range being expressed is exclusive or inclusive at its start.

Option 3: No new fields

See here: #371 (comment)

This option does not propose the introduction of new fields into versions array objects, and instead would modify the semantics of existing fields when used with the proposed new version type, semver-2.0.0.

In this case, while no new fields are introduced, two new semantic overloads are proposed to enable addressing range types that would otherwise be impossible to express.

First, to encode a range that is exclusive at its start and unbounded at its end:

[
	{
		"versionType": "semver-2.0.0",
		"version": "1.0.0",
		"lessThan": "0.0.0",
		"status": "affected"
	}
]

Note that this uses "lessThan": "0.0.0" to indicate that the range end is unbounded, and to indicate implicitly that the start of the range is exclusive. Specifically, this encodes the range (1.0.0, ∞) (meaning the range does not include version 1.0.0).

Second, to encode a range that is inclusive at its start and unbounded at its end:

[
	{
		"versionType": "semver-2.0.0",
		"version": "1.0.0",
		"lessThanOrEqual": "0.0.0",
		"status": "affected"
	}
]

This uses "lessThanOrEqual": "0.0.0" to indicate that the range end is unbounded, and to indicate implicitly that the start of the range is inclusive. Specifically, this encodes the range [1.0.0, ∞) (meaning the range does include version 1.0.0).

While this is a creative design which avoids the problems associated with the introduction of technically optional but semantically mandatory fields, it introduces new problems with the interpretation of existing fields.

By introducing a new implicit meaning associated with the use of facially nonsensical values for "lessThan" and "lessThanOrEqual", this change is also likely to break CVE consumers' logic for handling the versions array. We should not expect that any CVE consumers will have logic in place which treats the presence of "0.0.0" values in either of these fields as implying the semantics defined here. Instead, the appearance of CVE Records which use this new pattern are highly likely to be mishandled by existing CVE consumer automation, and thus the introduction of these new semantics must be considered breaking.

---

Final Note

I wish these changes were not breaking. I want the CVE Record Format to be able to do what is proposed here: provide stronger data validation at submission-time, to make life easier and data more actionable for CVE consumers. That said, CVE has an enormous ecosystem of consumers, and breakage should not be done lightly, and it should not be done in a minor version. Even though the Record Format's 5.0.0 series has not officially adopted Semantic Versioning, I believe shipping a breaking change in 5.3.0 would violate CVE stakeholders' expectations of stability, and would be a mistake.

[darakian]

I still disagree that this is breaking and I think the core of my disagreement is captured by

While there are documented recommendations on how to handle some common existing version types, there is no enforcement within the CVE Record Format or CVE Services to ensure that version data provided actually matches the expectations set by the versionType field, and consumers must today exercise full caution to handle the complexity of version types regardless of what is present in the versionType field.

And in the three sub sections where it is asserted that consumers would need to update their parsing logic

1. Given that CVE consumers would need to update their versions array handling logic to work with data produced with these new fields, the introduction of them is breaking even though the use of the fields themselves by CNAs is optional.

2. Same as in that case, because of the missing "version" field, logic written for handling versions array entries by existing CVE consumers would not work for this array. Same as in Option 1, the mapping of fields is also not 1-on-1, so there is no way to make the new fields semantically optional.

3. Instead, the appearance of CVE Records which use this new pattern are highly likely to be mishandled by existing CVE consumer automation, and thus the introduction of these new semantics must be considered breaking.

As I read this the former asserts that CVE consumers must be ready to parse anything and the latter three assert that asking CVE consumers to parse one specific thing is asking too much. This is contradictory.

---

I want to step back too and reassert that I don't really care about when (or if) the cve project wants to formalize semantic versioning. The point of this PR was to construct a minimum viable, meaningful improvement that I thought would be uncontroversial and to actually attempt the improvement process rather than to simply squawk about it. I do feel that there has been broad support for this change in details or at least in spirit and yet there has been a continual moving of goal posts on me from the use of an asterisk, to parameter names, to an assertion of yes interpretation of parameters can change based on version type which flipped to but not like that. This all feels arbitrary, territorial, and lacking in vision, theory of execution, guiding principles, or purpose. It's remarkably frustrating and demoralizing to be given such a run around and to be given arguments which amount to just accept the status quo. This project is too important for this nonsense.

What I do care about is that the cve project adopts a sane approach to data structures. I want the cve project to be introspective and self critical with an eye toward continual, iterative, non-ocean boiling improvement. I want the project to care about how it operates and how it affects the world. Speaking as a recipient of this projects work I want the project to own its outcomes and to improve.

That all said, I also want to express that I have great respect for you as an individual Andy and just to be explicit the comments above are not directed at you the person, but at you the mitre. I want to be mindful of the position you (the person) are in, that the legacy of this project is not yours and that you've put in herculean effort in to help push this project forward. I am skeptical that a 6.0.0 will not be derailed in similar ways as with this PR, but given the undefined/underdefined nature of the current rule set it's clearly not worth continuing with the minor/major logic exercises. If we can define what a versionType requires and provides then maybe that's a philosophy change worthy of a scoped 6.0.0.