Thoughts based on the following mapping:
- No fields are required
- The score is always base/impact/exploitability, and always 0-10, so it is only compatible with CVSS
- A vulnerability refers to a BOM ref, which means that if multiple components have the same vulnerability then it needs to be included multiple times
- No provision for multiple identifiers
- Although "method" on ratings can be set to "Other", there is no way of specifying what method/source the information is coming from
- Are advisories intended to always be URLs, or can they be arbitrary strings? The schema says the latter, although all the examples are the former. This would impact someone writing a parser.
- In the case of multiple ratings with the same method, but different scores/vectors, what are the heuristics? Is this valid?
- Additional properties are allowed as per the JSON Schema. Is this purposeful? What is the expected parser behaviour for attributes outside the schema? Should there be a formal extension mechanism?
- The description is a string. Are there any rules here? e.g. SARIF has plain text and markdown properties explicitly, rather than leaving it up to the producer
- No provision for multiple vulnerability identifiers, e.g. CVE-2009-5155 is also SNYK-DEBIAN9-GLIBC-338103
- e.g. for the advisories question, should they be defined as:

```json
{
  "type": "string",
  "format": "uri",
  "pattern": "^https?://"
}
```
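To make the parser-side impact of the questions above concrete, here is an added example (not code from the schema project or the issue author) of a tolerant reader for a vulnerability list of this shape. It assumes the field names "ref", "ratings", "score" (with base/impact/exploitability), "method", "description" and "advisories" from the text above; "id", "source", "severity" and "vector" are assumed names for the purposes of the example. The sample document is constructed inline and exercises the edge cases raised: advisories that are plain strings rather than URLs, several ratings with the same method but different scores, a method of "Other" with no source, a score outside 0-10, an additional property outside the schema, and the same CVE repeated once per component ref.

```python
"""Tolerant parser for a CycloneDX-style vulnerability list (added example)."""
import json
import re
from collections import defaultdict

# Field names referenced in the issue text; "id", "source", "severity" and
# "vector" are assumed names for this example, not confirmed by the text.
KNOWN_FIELDS = {"ref", "id", "source", "ratings", "cwes", "description",
                "recommendations", "advisories"}
KNOWN_RATING_FIELDS = {"score", "severity", "method", "vector"}
ADVISORY_URL = re.compile(r"^https?://")


def is_advisory_url(value):
    """True when an advisory entry is an http(s) URL; the schema also allows arbitrary strings."""
    return isinstance(value, str) and ADVISORY_URL.match(value) is not None


def reconcile_ratings(ratings, warnings, ref):
    """Group ratings by method. When one method carries several differing base
    scores, keep the highest (a deliberate, documented heuristic) and warn."""
    by_method = defaultdict(list)
    for r in ratings:
        extra = set(r) - KNOWN_RATING_FIELDS
        if extra:
            warnings.append(f"{ref}: rating has unknown properties {sorted(extra)}")
        base = r.get("score", {}).get("base")
        if base is not None and not 0 <= base <= 10:
            warnings.append(f"{ref}: base score {base} outside CVSS range 0-10")
        by_method[r.get("method", "Other")].append(r)
    chosen = {}
    for method, group in by_method.items():
        if method == "Other":
            warnings.append(f"{ref}: method 'Other' gives no way to name the scoring source")
        bases = {g.get("score", {}).get("base") for g in group}
        if len(bases) > 1:
            warnings.append(f"{ref}: {len(group)} {method} ratings disagree on base score")
        chosen[method] = max(group, key=lambda g: g.get("score", {}).get("base") or 0)
    return chosen


def parse_vulnerabilities(doc):
    """Parse a dict carrying a "vulnerabilities" list; returns (records, warnings).
    Unknown properties are reported, not rejected, since the schema permits them."""
    records, warnings = [], []
    for v in doc.get("vulnerabilities", []):
        ref = v.get("ref", "<no ref>")
        extra = set(v) - KNOWN_FIELDS
        if extra:
            warnings.append(f"{ref}: unknown top-level properties {sorted(extra)}")
        advisories = v.get("advisories", [])
        records.append({
            "ref": ref,
            "id": v.get("id"),
            "ratings": reconcile_ratings(v.get("ratings", []), warnings, ref),
            "advisory_urls": [a for a in advisories if is_advisory_url(a)],
            "advisory_text": [a for a in advisories if not is_advisory_url(a)],
        })
    return records, warnings


def group_by_id(records):
    """Map vulnerability id -> component refs, showing one CVE repeated per ref."""
    groups = defaultdict(list)
    for r in records:
        if r["id"]:
            groups[r["id"]].append(r["ref"])
    return dict(groups)


# Constructed sample input (not from any real BOM) covering the edge cases above.
SAMPLE = json.loads("""
{
  "vulnerabilities": [
    {
      "ref": "pkg:deb/debian/libc6@2.24-11",
      "id": "CVE-2009-5155",
      "ratings": [
        {"score": {"base": 7.5, "impact": 3.6, "exploitability": 3.9}, "method": "CVSSv3"},
        {"score": {"base": 5.0, "impact": 2.9, "exploitability": 10.0}, "method": "CVSSv3"},
        {"score": {"base": 6.0}, "method": "Other"}
      ],
      "advisories": ["https://nvd.nist.gov/vuln/detail/CVE-2009-5155",
                     "See vendor bulletin (no public URL)"],
      "x-vendor-note": "not in schema"
    },
    {
      "ref": "pkg:deb/debian/libc-bin@2.24-11",
      "id": "CVE-2009-5155",
      "ratings": [{"score": {"base": 11.0}, "method": "CVSSv2"}]
    }
  ]
}
""")

if __name__ == "__main__":
    recs, warns = parse_vulnerabilities(SAMPLE)
    print(group_by_id(recs))
    for w in warns:
        print("WARNING:", w)
```

The "highest base score wins" rule in reconcile_ratings is the kind of heuristic a consumer is forced to invent while the schema says nothing about conflicting ratings of the same method; the warning list is there so that such decisions are visible rather than silent.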