Description
https://github.com/CVEProject/cve-schema/blob/2aa608b6733cc2730a43901472ef0e706d0ef2b5/schema/v5.0/docs/versions.md says "ranges using versionType set to git (or hg and so on) can use version control identifiers, such as Git commit hashes" and the examples are of the form:

```json
"version": "0", "versionType": "git", "lessThan": "*"
...
"version": "123abc...", "versionType": "git", "lessThan": "234bcd..."
```
As far as I know, it was not intended that a provider use "versionType":"git" except with a Git commit hash, 0, or *.
Similar to the #263 situation, some of the unintended ones might be found by inserting something like this into the schema:
```json
"allOf": [
  {
    "if": {
      "properties": {
        "versionType": {
          "const": "git"
        }
      },
      "required": ["versionType"]
    },
    "then": {
      "properties": {
        "version": {
          "type": "string",
          "pattern": "^[0-9a-fA-F]+$|^\\*$"
        },
        "lessThan": {
          "type": "string",
          "pattern": "^[0-9a-fA-F]+$|^\\*$"
        },
        "lessThanOrEqual": {
          "type": "string",
          "pattern": "^[0-9a-fA-F]+$|^\\*$"
        }
      }
    }
  }
],
```
(This is just an example and doesn't reject all anomalous input because it allows some patterns that don't actually make sense, such as "version":"*" or "version":"12".)
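As an added example (not code from the cve-schema project or from this issue), here is the same `if versionType == git / then` check written as a Python function and run over constructed CVE JSON 5.0 records. The record skeleton (`cveMetadata.cveId`, `containers.cna.affected[].versions[]`) follows the 5.0 layout; the CVE IDs, product name and version values in the samples are placeholders modelled on the anomalies quoted above.

```python
import re

# The same pattern the proposed schema fragment uses: a hexadecimal string
# (commit hash or "0") or a lone "*".
GIT_VALUE_RE = re.compile(r"^[0-9a-fA-F]+$|^\*$")
RANGE_FIELDS = ("version", "lessThan", "lessThanOrEqual")


def check_git_versions(record):
    """Return (cveId, field, value) for every git-typed range field in one
    CVE JSON 5.0 record that the proposed if/then fragment would reject."""
    findings = []
    cve_id = record.get("cveMetadata", {}).get("cveId", "?")
    cna = record.get("containers", {}).get("cna", {})
    for product in cna.get("affected", []):
        for entry in product.get("versions", []):
            if entry.get("versionType") != "git":
                continue  # "if" branch does not apply; other versionTypes are untouched
            for field in RANGE_FIELDS:
                value = entry.get(field)
                if isinstance(value, str) and not GIT_VALUE_RE.match(value):
                    findings.append((cve_id, field, value))
    return findings


def make_record(cve_id, versions):
    """Wrap a versions list in a minimal CVE 5.0 record skeleton (constructed data)."""
    return {
        "cveMetadata": {"cveId": cve_id},
        "containers": {"cna": {"affected": [{"product": "example", "versions": versions}]}},
    }


# Constructed samples with placeholder CVE IDs. The bad values mirror the kinds of
# anomalies the issue quotes: dotted release numbers, prose, a bare "-".
GOOD = make_record("CVE-0000-0001", [
    {"version": "0", "versionType": "git", "lessThan": "*", "status": "affected"},
    {"version": "123abc", "versionType": "git", "lessThan": "234bcd", "status": "affected"},
    {"version": "1.2.3", "versionType": "semver", "lessThan": "1.3.0", "status": "affected"},
])
BAD = make_record("CVE-0000-0002", [
    {"version": "1.2.3", "versionType": "git", "lessThan": "1.2.4", "status": "affected"},
    {"version": "0", "versionType": "git", "lessThan": " Upgrade to the latest version.", "status": "affected"},
    {"version": "0", "versionType": "git", "lessThan": "commit ddab283", "status": "affected"},
    {"version": "-", "versionType": "git", "status": "affected"},
])

if __name__ == "__main__":
    for cve_id, field, value in check_git_versions(GOOD) + check_git_versions(BAD):
        print(f"{cve_id}: {field}={value!r} is not a commit hash, 0, or *")
```

Like the schema fragment, this accepts values such as `"version": "*"` or a short hex string like `"12"`, so it finds the obviously malformed records rather than proving a range is meaningful.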
Most of the anomalous data is from CNAs who use digits and dots with `"versionType":"git"`, but there is also:

- CVE-2022-39179 `"lessThan":" Upgrade to the latest version."`
- CVE-2023-4540 `"lessThan":"commit ddab283"`
- CVE-2023-2163 `"version":"-"`
Issues on the current CVE List:

| CVE | CNA |
| --- | --- |
| CVE-2021-33630 | openEuler |
| CVE-2021-33631 | openEuler |
| CVE-2022-39179 | INCD |
| CVE-2022-39180 | INCD |
| CVE-2022-39181 | INCD |
| CVE-2022-46741 | Baidu |
| CVE-2023-0266 | Google |
| CVE-2023-0359 | zephyr |
| CVE-2023-0815 | OpenNMS |
| CVE-2023-0846 | OpenNMS |
| CVE-2023-0847 | icscert |
| CVE-2023-0867 | OpenNMS |
| CVE-2023-0868 | OpenNMS |
| CVE-2023-0869 | OpenNMS |
| CVE-2023-0870 | OpenNMS |
| CVE-2023-1901 | zephyr |
| CVE-2023-1902 | zephyr |
| CVE-2023-2163 | Google |
| CVE-2023-2234 | zephyr |
| CVE-2023-2315 | STAR_Labs |
| CVE-2023-2318 | STAR_Labs |
| CVE-2023-28731 | NCSC.ch |
| CVE-2023-28732 | NCSC.ch |
| CVE-2023-28733 | NCSC.ch |
| CVE-2023-29449 | Zabbix |
| CVE-2023-29450 | Zabbix |
| CVE-2023-29451 | Zabbix |
| CVE-2023-29452 | Zabbix |
| CVE-2023-29453 | Zabbix |
| CVE-2023-29454 | Zabbix |
| CVE-2023-29455 | Zabbix |
| CVE-2023-29456 | Zabbix |
| CVE-2023-29457 | Zabbix |
| CVE-2023-29458 | Zabbix |
| CVE-2023-3036 | cloudflare |
| CVE-2023-32721 | Zabbix |
| CVE-2023-32722 | Zabbix |
| CVE-2023-32723 | Zabbix |
| CVE-2023-32724 | Zabbix |
| CVE-2023-32725 | Zabbix |
| CVE-2023-32726 | Zabbix |
| CVE-2023-32727 | Zabbix |
| CVE-2023-32728 | Zabbix |
| CVE-2023-3316 | JFROG |
| CVE-2023-3725 | zephyr |
| CVE-2023-38669 | Baidu |
| CVE-2023-38670 | Baidu |
| CVE-2023-38671 | Baidu |
| CVE-2023-38672 | Baidu |
| CVE-2023-38673 | Baidu |
| CVE-2023-38674 | Baidu |
| CVE-2023-38675 | Baidu |
| CVE-2023-38676 | Baidu |
| CVE-2023-38677 | Baidu |
| CVE-2023-38678 | Baidu |
| CVE-2023-3896 | OpenCloudOS |
| CVE-2023-40314 | OpenNMS |
| CVE-2023-41268 | samsung.tv_appliance |
| CVE-2023-4257 | zephyr |
| CVE-2023-4258 | zephyr |
| CVE-2023-4259 | zephyr |
| CVE-2023-4260 | zephyr |
| CVE-2023-4262 | zephyr |
| CVE-2023-4263 | zephyr |
| CVE-2023-4264 | zephyr |
| CVE-2023-4265 | zephyr |
| CVE-2023-4424 | zephyr |
| CVE-2023-4540 | CERT-PL |
| CVE-2023-4949 | Google |
| CVE-2023-5055 | zephyr |
| CVE-2023-5139 | zephyr |
| CVE-2023-5184 | zephyr |
| CVE-2023-6881 | zephyr |
| CVE-2023-52302 | Baidu |
| CVE-2023-52303 | Baidu |
| CVE-2023-52304 | Baidu |
| CVE-2023-52305 | Baidu |
| CVE-2023-52306 | Baidu |
| CVE-2023-52307 | Baidu |
| CVE-2023-52308 | Baidu |
| CVE-2023-52309 | Baidu |
| CVE-2023-52310 | Baidu |
| CVE-2023-52311 | Baidu |
| CVE-2023-52312 | Baidu |
| CVE-2023-52313 | Baidu |
| CVE-2023-52314 | Baidu |
| CVE-2023-5563 | zephyr |
| CVE-2023-5753 | zephyr |
| CVE-2023-5779 | zephyr |
| CVE-2023-6249 | zephyr |
| CVE-2023-6749 | zephyr |
| CVE-2024-1638 | zephyr |
| CVE-2024-22119 | Zabbix |