Last active
June 9, 2017 18:43
victi.ms current and possible replacement format
// Current format from the v2 api. There is no file name as it comes in a stream | |
{ | |
"date": "2013-03-24T15:42:09.966-04:00", // Date stamp; redundant | |
"createdon": "0001-01-01T00:00:00Z", // Date the record was created on | |
"name": "fake-1.0.jar", // File name of the package | |
"version": "1.0.0", // Version of the package | |
"coordinates": { // Related maven coordinates | |
"artifactId": "jar", | |
"groupId": "fake", | |
"version": "1.0.0" | |
}, | |
"group": "java", // Language type | |
"format": "Jar", // Package type | |
"hashes": { // hashes | |
"sha512": { // sha512 hashes | |
"combined": "..", // Full, combined hash of the vulnerable item. What is used when querying the API | |
"files": { // Specific hashes of files | |
"..": "org/test/file.class" | |
} | |
} | |
}, | |
"vendor": "Unknown", // The project/product owning entity | |
"cves": [ // List of related CVEs | |
{ | |
"addedon": "2013-03-24T15:42:09.966-04:00", // When the CVE was added to the database | |
"id": "CVE-1969-0001" // The id of the CVE | |
} | |
], | |
"status": "RELEASED", // RELEASED if the hash has been deemed good for use; Could be removed | |
"metadata": null, // unused (was reserved); Could be removed | |
"submitter": "user", // user who submitted; Could be removed | |
"submittedon": "2013-03-24T15:42:03.976-04:00" // date of record submission; Could be removed | |
} |
# We no longer require querying the server, so the hash is no longer needed as the ID, as it originally was. | |
# Updating the db becomes git based and can be pulled down and used in other tools without the | |
# need for external APIs. | |
# filename: 1969-0001-fake.jar.yaml ({cve}-{name}.yaml) | |
--- | |
cve: 1969-0001 # Generally would be considered the ID | |
cvss: # List would be required, but nulls would be OK | |
v1: null, | |
v2: 5.0, | |
v3: 4.0 | |
name: fake.jar # The official file name as provided by the vendor | |
title: quick blurb about cve # Quick online description | |
description: > # Slightly more detailed description | |
A longer description | |
references: # Links to the CVE and other information | |
- http://... | |
vendor: Unknown # The vendor of the product/project | |
affected: # Affected versions of the product/project | |
- "<=1.0.0" | |
fixedin: # Fixed versions of the product/project | |
- ">=1.1.0" | |
meta: { # Language specific items as different languages have different info that would be helpful | |
coordinates: { # For java, Maven coordinates | |
artifactId: jar, | |
groupId: fake, | |
version: '1.0.0' | |
} | |
} | |
format: Jar # Format of the file | |
group: java # Language the file belongs in | |
hashes: # Hashes (all sha512) | |
original: .. # Unmodified hash from the official build | |
combined: .. # Modified hash (if still relevant to users) | |
files: { # Specific hashes of files (if still relevant to users) | |
..: org/test/file.class | |
} |