{ "$defs": { "severity": { "items": { "properties": { "score": { "type": "string" }, "type": { "enum": [ "CVSS_V2", "CVSS_V3", "CVSS_V4" ], "type": "string" } }, "required": [ "type", "score" ], "type": "object" }, "type": [ "array", "null" ] }, "timestamp": { "format": "date-time", "pattern": "[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}(\\.[0-9]+)?Z", "type": "string" } }, "$id": "https://raw.githubusercontent.com/ossf/osv-schema/main/validation/schema.json", "$schema": "https://json-schema.org/draft/2020-12/schema", "additionalProperties": false, "description": "A schema for describing a vulnerability in an open source package.", "properties": { "affected": { "items": { "properties": { "database_specific": { "type": "object" }, "ecosystem_specific": { "type": "object" }, "package": { "properties": { "ecosystem": { "type": "string" }, "name": { "type": "string" }, "purl": { "type": "string" } }, "required": [ "ecosystem", "name" ], "type": "object" }, "ranges": { "items": { "allOf": [ { "if": { "properties": { "type": { "const": "GIT" } } }, "then": { "required": [ "repo" ] } }, { "if": { "properties": { "events": { "contains": { "required": [ "last_affected" ] } } } }, "then": { "not": { "properties": { "events": { "contains": { "required": [ "fixed" ] } } } } } } ], "properties": { "database_specific": { "type": "object" }, "events": { "contains": { "required": [ "introduced" ] }, "items": { "oneOf": [ { "properties": { "introduced": { "type": "string" } }, "required": [ "introduced" ], "type": "object" }, { "properties": { "fixed": { "type": "string" } }, "required": [ "fixed" ], "type": "object" }, { "properties": { "last_affected": { "type": "string" } }, "required": [ "last_affected" ], "type": "object" }, { "properties": { "limit": { "type": "string" } }, "required": [ "limit" ], "type": "object" } ], "type": "object" }, "minItems": 1, "type": "array" }, "repo": { "type": "string" }, "type": { "enum": [ "GIT", "SEMVER", "ECOSYSTEM" ], "type": "string" } }, "required": [ "type", "events" ], "type": "object" }, "type": "array" }, "severity": { "$ref": "#/$defs/severity" }, "versions": { "items": { "type": "string" }, "type": "array" } }, "type": "object" }, "type": [ "array", "null" ] }, "aliases": { "items": { "type": "string" }, "type": [ "array", "null" ] }, "credits": { "items": { "properties": { "contact": { "items": { "type": "string" }, "type": "array" }, "name": { "type": "string" }, "type": { "enum": [ "FINDER", "REPORTER", "ANALYST", "COORDINATOR", "REMEDIATION_DEVELOPER", "REMEDIATION_REVIEWER", "REMEDIATION_VERIFIER", "TOOL", "SPONSOR", "OTHER" ], "type": "string" } }, "required": [ "name" ], "type": "object" }, "type": "array" }, "database_specific": { "type": "object" }, "details": { "type": "string" }, "id": { "type": "string" }, "modified": { "$ref": "#/$defs/timestamp" }, "published": { "$ref": "#/$defs/timestamp" }, "references": { "items": { "properties": { "type": { "enum": [ "ADVISORY", "ARTICLE", "DETECTION", "DISCUSSION", "REPORT", "FIX", "INTRODUCED", "GIT", "PACKAGE", "EVIDENCE", "WEB" ], "type": "string" }, "url": { "format": "uri", "type": "string" } }, "required": [ "type", "url" ], "type": "object" }, "type": [ "array", "null" ] }, "related": { "items": { "type": "string" }, "type": "array" }, "schema_version": { "type": "string" }, "severity": { "$ref": "#/$defs/severity" }, "summary": { "type": "string" }, "withdrawn": { "$ref": "#/$defs/timestamp" } }, "required": [ "id", "modified" ], "title": "Open Source Vulnerability", "type": "object" }