@ashcrow
Last active June 9, 2017 18:43
victi.ms current and possible replacement format
// Current format from the v2 api. There is no file name as it comes in a stream
{
  "date": "2013-03-24T15:42:09.966-04:00", // Date stamp; redundant
  "createdon": "0001-01-01T00:00:00Z", // Date the record was created on
  "name": "fake-1.0.jar", // File name of the package
  "version": "1.0.0", // Version of the package
  "coordinates": { // Related maven coordinates
    "artifactId": "jar",
    "groupId": "fake",
    "version": "1.0.0"
  },
  "group": "java", // Language type
  "format": "Jar", // Package type
  "hashes": { // hashes
    "sha512": { // sha512 hashes
      "combined": "..", // Full, combined hash of the vulnerable item. What is used when querying the API
      "files": { // Specific hashes of files
        "..": "org/test/file.class"
      }
    }
  },
  "vendor": "Unknown", // The project/product owning entity
  "cves": [ // List of related CVEs
    {
      "addedon": "2013-03-24T15:42:09.966-04:00", // When the CVE was added to the database
      "id": "CVE-1969-0001" // The id of the CVE
    }
  ],
  "status": "RELEASED", // RELEASED if the hash has been deemed good for use; Could be removed
  "metadata": null, // unused (was reserved); Could be removed
  "submitter": "user", // user who submitted; Could be removed
  "submittedon": "2013-03-24T15:42:03.976-04:00" // date of record submission; Could be removed
}
# We no longer require the querying from the server, so the hash as the original ID is no longer needed.
# Updating the db becomes git based and can be pulled down and used in other tools without the
# need for external APIs.
# filename: 1969-0001-fake.jar.yaml ({cve}-{name}.yaml)
---
cve: 1969-0001 # Generally would be considered the ID
cvss: # List would be required, but nulls would be OK
  v1: null
  v2: 5.0
  v3: 4.0
name: fake.jar # The official file name as provided by the vendor
title: quick blurb about cve # Quick one-line description
description: > # Slightly more detailed description
  A longer description
references: # Links to the CVE and other information
  - http://...
vendor: Unknown # The vendor of the product/project
affected: # Affected versions of the product/project
  - "<=1.0.0"
fixedin: # Fixed versions of the product/project
  - ">=1.1.0"
meta: { # Language specific items as different languages have different info that would be helpful
  coordinates: { # For java, Maven coordinates
    artifactId: jar,
    groupId: fake,
    version: '1.0.0'
  }
}
format: Jar # Format of the file
group: java # Language the file belongs in
hashes: # Hashes (all sha512)
  original: .. # Unmodified hash from the official build
  combined: .. # Modified hash (if still relevant to users)
  files: { # Specific hashes of files (if still relevant to users)
    ..: org/test/file.class
  }
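The comments above describe the intended use of the proposed format: records are pulled down with git and consumed by local tools without an API. As an added example (not part of the gist), the Python below validates one such record and answers "is this artefact's sha512 known vulnerable?" offline. It assumes the YAML has already been loaded into a dict by a YAML library such as PyYAML; the artefact bytes and every hash value are constructed for the example.

```python
import hashlib
import re

# Constructed stand-ins for a vendor build and one class file inside it.
SAMPLE_JAR = b"constructed jar bytes for the example"
SAMPLE_CLASS = b"constructed org/test/file.class bytes"

# The proposed record as a YAML loader would return it (assumption: the
# format above parses to this structure); all hashes are constructed.
RECORD = {
    "cve": "1969-0001",
    "cvss": {"v1": None, "v2": 5.0, "v3": 4.0},
    "name": "fake.jar", "title": "quick blurb about cve",
    "affected": ["<=1.0.0"], "fixedin": [">=1.1.0"],
    "meta": {"coordinates": {"artifactId": "jar", "groupId": "fake", "version": "1.0.0"}},
    "format": "Jar", "group": "java",
    "hashes": {"original": hashlib.sha512(SAMPLE_JAR).hexdigest(),
               "combined": None,
               "files": {hashlib.sha512(SAMPLE_CLASS).hexdigest(): "org/test/file.class"}},
}

REQUIRED = ("cve", "cvss", "name", "affected", "fixedin", "format", "group", "hashes")
CVE_RE = re.compile(r"^\d{4}-\d{4,}$")       # "1969-0001", no CVE- prefix
SHA512_RE = re.compile(r"^[0-9a-f]{128}$")   # lowercase hex sha512

def validate_record(rec):
    """Return a list of problems; an empty list means the record is well-formed."""
    problems = [f"missing key: {k}" for k in REQUIRED if k not in rec]
    if not CVE_RE.match(str(rec.get("cve", ""))):
        problems.append("cve must look like YYYY-NNNN (no CVE- prefix)")
    if set(rec.get("cvss") or {}) != {"v1", "v2", "v3"}:
        problems.append("cvss must carry v1, v2 and v3 (null is allowed)")
    hashes = rec.get("hashes") or {}
    digests = [hashes.get("original"), hashes.get("combined"), *(hashes.get("files") or {})]
    if any(d is not None and not SHA512_RE.match(d) for d in digests):
        problems.append("every hash must be a lowercase sha512 hex digest")
    return problems

def build_index(records):
    """Map each known sha512 (whole artefact or single file) to the CVEs it implicates."""
    index = {}
    for rec in records:
        hashes = rec["hashes"]
        for d in [hashes.get("original"), hashes.get("combined"), *(hashes.get("files") or {})]:
            if d:
                index.setdefault(d, set()).add(rec["cve"])
    return index

def cves_for(index, data):
    """CVE ids whose recorded hashes match the sha512 of the given bytes."""
    return sorted(index.get(hashlib.sha512(data).hexdigest(), set()))
```

Indexing the per-file hashes alongside the whole-artefact hash is what lets a shaded or repackaged jar still be flagged when one of its class files matches.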