Add support for CVSS vectors in the security report schemas
Why are we doing this work?
We want to be able to ingest CVSS vectors into the database when they are present. To do that, we have to extend the schema to allow for a CVSS field.
Implementation plan
- Extend the security report format so that it includes a cvss field. It has the following properties:
  "type": "array"
  "items": { "oneOf": [ { "$ref": "#/definitions/cvss_v2" }, { "$ref": "#/definitions/cvss_v3" } ] }
- Reuse the CVSS vector strings regex validations
  - Add a max length validation of 128 (the longest valid CVSS vector string is 117 chars; this is the closest power of 2)
  - Add a min length validation of 32 (the smallest valid CVSS vector string is 35 chars; this is the closest power of 2)
- The CVSS scores in the schema will have the structure below. See #422031 (comment 1558290268)
{
  "type": "object",
  "properties": {
    "vendor": {
      "type": "string"
    },
    "vector_string": {
      "type": "string"
    }
  },
  "required": [ "vendor", "vector_string" ]
}
Edited by Oscar Tovar
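The following is an added example, not part of the original issue or the project's code: a standard-library Python check that applies the constraints from this plan (an array of objects, required vendor and vector_string, length between 32 and 128) to constructed report fragments. The function name validate_cvss is hypothetical, and the regex is an assumed, simplified CVSS v3.0/v3.1 base-metrics pattern covering only the cvss_v3 branch, since the regexes the schema reuses are not shown here.

```python
import re

# Length bounds from the issue's implementation plan.
MIN_LEN, MAX_LEN = 32, 128

# Assumption: simplified CVSS v3.0/v3.1 base-metrics pattern, written for this
# example. The regexes the schema reuses are not shown in the issue.
CVSS_V3_BASE = re.compile(
    r"CVSS:3\.[01]/AV:[NALP]/AC:[LH]/PR:[NLH]/UI:[NR]"
    r"/S:[UC]/C:[NLH]/I:[NLH]/A:[NLH]"
)

def validate_cvss(vulnerability):
    """Return a list of error strings for one vulnerability's 'cvss' field."""
    cvss = vulnerability.get("cvss", [])  # the field is optional
    if not isinstance(cvss, list):
        return ["cvss: must be an array"]
    errors = []
    for i, item in enumerate(cvss):
        where = f"cvss[{i}]"
        if not isinstance(item, dict):
            errors.append(f"{where}: must be an object")
            continue
        for key in ("vendor", "vector_string"):
            if not isinstance(item.get(key), str):
                errors.append(f"{where}.{key}: required string")
        vector = item.get("vector_string")
        if not isinstance(vector, str):
            continue
        # Check length first so oversized input is rejected before the regex runs.
        if not MIN_LEN <= len(vector) <= MAX_LEN:
            errors.append(f"{where}.vector_string: length {len(vector)} "
                          f"outside {MIN_LEN}..{MAX_LEN}")
        elif not CVSS_V3_BASE.fullmatch(vector):
            errors.append(f"{where}.vector_string: not a CVSS v3 base vector")
    return errors

# Constructed sample vectors (not taken from any real report).
GOOD = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
SAMPLES = {
    "valid": {"cvss": [{"vendor": "ExampleVendor", "vector_string": GOOD}]},
    "no vendor": {"cvss": [{"vector_string": GOOD}]},
    "oversized": {"cvss": [{"vendor": "ExampleVendor",
                            "vector_string": GOOD + "/" + "X" * 100}]},
    "bad metric": {"cvss": [{"vendor": "ExampleVendor",
                             "vector_string": GOOD.replace("AV:N", "AV:Z")}]},
}

if __name__ == "__main__":
    for name, vuln in SAMPLES.items():
        print(name, validate_cvss(vuln))
```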