From 57fe404e717536a8a531e4ac8b35c18e9c20f057 Mon Sep 17 00:00:00 2001
From: fahed dorgaa
Date: Fri, 14 Nov 2025 14:28:47 +0100
Subject: [PATCH 1/5] Update ratings descriptions in schema files for clarity on VEX usage
Signed-off-by: fahed dorgaa
---
 schema/bom-1.6.schema.json | 2 +-
 schema/bom-1.7.schema.json | 2 +-
 schema/ext/vulnerability-1.0-SNAPSHOT.schema.json | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json
index 8bc9d3d6..9aa94372 100644
--- a/schema/bom-1.6.schema.json
+++ b/schema/bom-1.6.schema.json
@@ -2681,7 +2681,7 @@
 "ratings": {
 "type": "array",
 "title": "Ratings",
- "description": "List of vulnerability ratings",
+ "description": "List of vulnerability ratings. Consumers SHOULD use ratings and SHOULD NOT ignore them; source ratings may differ and aid prioritization.",
 "items": {
 "$ref": "#/definitions/rating"
 }
diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json
index 785acacb..d9311c03 100644
--- a/schema/bom-1.7.schema.json
+++ b/schema/bom-1.7.schema.json
@@ -2841,7 +2841,7 @@
 "ratings": {
 "type": "array",
 "title": "Ratings",
- "description": "List of vulnerability ratings",
+ "description": "List of vulnerability ratings. Consumers SHOULD use ratings and SHOULD NOT ignore them; source ratings may differ and aid prioritization.",
 "items": {
 "$ref": "#/definitions/rating"
 }
diff --git a/schema/ext/vulnerability-1.0-SNAPSHOT.schema.json b/schema/ext/vulnerability-1.0-SNAPSHOT.schema.json
index 378bd498..efb95c16 100644
--- a/schema/ext/vulnerability-1.0-SNAPSHOT.schema.json
+++ b/schema/ext/vulnerability-1.0-SNAPSHOT.schema.json
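Review bot: The new description on `ratings` in bom-1.6.schema.json leaves "source ratings may differ" ambiguous and never says what the ratings are meant to inform, even though the subject line promises clarity on VEX usage; the same text is added to bom-1.7.schema.json in this patch and to the .proto and .xsd files in patch 2. "SHOULD use ratings and SHOULD NOT ignore them" also states a single requirement twice. Naming the decision and its relationship to the vulnerability's `analysis` (VEX) information would say more in fewer words, for example `"description": "List of vulnerability ratings. Ratings from different sources may disagree, so consumers SHOULD take all provided ratings into account when prioritizing remediation rather than discarding them; a rating expresses severity and does not replace the vulnerability's analysis, where one is given."`. If the project keeps RFC 2119 keywords in the specification text rather than in schema descriptions, the capitalized SHOULD here may need to be lower-cased to match the rest of the file.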
@@ -146,7 +146,7 @@
 "ratings": {
 "type": "array",
 "title": "Ratings",
- "description": "List of the vulnerability ratings as defined by various risk rating methodologies.",
+ "description": "List of vulnerability ratings. Consumers SHOULD use ratings and SHOULD NOT ignore them; source ratings may differ and aid prioritization.",
 "items": {"$ref": "#/definitions/rating"}
 },
 "cwes": {
From a114ff7b9faf50a82331307ad67f445e5f4d6d86 Mon Sep 17 00:00:00 2001
From: fahed dorgaa
Date: Fri, 26 Dec 2025 22:23:22 +0100
Subject: [PATCH 2/5] Update vulnerability ratings description in XML and Protobuf schemas, and revert extension changes
Signed-off-by: fahed dorgaa
---
 schema/bom-1.6.proto | 2 +-
 schema/bom-1.6.xsd | 2 +-
 schema/bom-1.7.proto | 2 +-
 schema/bom-1.7.xsd | 2 +-
 schema/ext/vulnerability-1.0-SNAPSHOT.schema.json | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto
index ddcfc3f7..e7b7a0b1 100644
--- a/schema/bom-1.6.proto
+++ b/schema/bom-1.6.proto
@@ -888,7 +888,7 @@ message Vulnerability {
 optional Source source = 3;
 // Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Oftentimes, the same vulnerability may exist in multiple sources of vulnerability intelligence but have different identifiers. References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.
 repeated VulnerabilityReference references = 4;
- // List of vulnerability ratings
+ // List of vulnerability ratings. Consumers SHOULD use ratings and SHOULD NOT ignore them; source ratings may differ and aid prioritization.
 repeated VulnerabilityRating ratings = 5;
 // List of Common Weaknesses Enumerations (CWEs) codes that describe this vulnerability. For example, 399 (of https://cwe.mitre.org/data/definitions/399.html)
 repeated int32 cwes = 6;
diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd
index 847c5261..bbe6e536 100644
--- a/schema/bom-1.6.xsd
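Review bot: The new comment on `ratings` in bom-1.6.proto adds RFC 2119 requirements to the 1.6 schema, and the bom-1.6.xsd hunk in this patch and the bom-1.6.schema.json hunk in patch 1 do the same; if 1.6 is a published schema version, this retroactively changes what consumers of 1.6 documents are told to do, and the commit message does not say whether doc-only edits to released schemas are accepted by the project. Consider keeping the normative sentence in 1.7 only and leaving 1.6 with a purely descriptive comment, or recording the policy in the message. The added comment is also a single very long line; splitting it across several `//` lines would match the file's 80-column convention and keep generated documentation readable. The enclosing `message Vulnerability` starts and ends outside the hunk.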
+++ b/schema/bom-1.6.xsd
@@ -4218,7 +4218,7 @@ limitations under the License.
- List of vulnerability ratings.
+ List of vulnerability ratings. Consumers SHOULD use ratings and SHOULD NOT ignore them; source ratings may differ and aid prioritization.
diff --git a/schema/bom-1.7.proto b/schema/bom-1.7.proto
index 6def360f..1b507781 100644
--- a/schema/bom-1.7.proto
+++ b/schema/bom-1.7.proto
@@ -990,7 +990,7 @@ message Vulnerability {
 optional Source source = 3;
 // Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Oftentimes, the same vulnerability may exist in multiple sources of vulnerability intelligence but have different identifiers. References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.
 repeated VulnerabilityReference references = 4;
- // List of vulnerability ratings
+ // List of vulnerability ratings. Consumers SHOULD use ratings and SHOULD NOT ignore them; source ratings may differ and aid prioritization.
 repeated VulnerabilityRating ratings = 5;
 // List of Common Weaknesses Enumerations (CWEs) codes that describe this vulnerability. For example, 399 (of https://cwe.mitre.org/data/definitions/399.html)
 repeated int32 cwes = 6;
diff --git a/schema/bom-1.7.xsd b/schema/bom-1.7.xsd
index deba3de2..2d110b9a 100644
--- a/schema/bom-1.7.xsd
+++ b/schema/bom-1.7.xsd
@@ -4461,7 +4461,7 @@ limitations under the License.
- List of vulnerability ratings.
+ List of vulnerability ratings. Consumers SHOULD use ratings and SHOULD NOT ignore them; source ratings may differ and aid prioritization.
diff --git a/schema/ext/vulnerability-1.0-SNAPSHOT.schema.json b/schema/ext/vulnerability-1.0-SNAPSHOT.schema.json
index efb95c16..378bd498 100644
--- a/schema/ext/vulnerability-1.0-SNAPSHOT.schema.json
+++ b/schema/ext/vulnerability-1.0-SNAPSHOT.schema.json
@@ -146,7 +146,7 @@
 "ratings": {
 "type": "array",
 "title": "Ratings",
- "description": "List of vulnerability ratings. Consumers SHOULD use ratings and SHOULD NOT ignore them; source ratings may differ and aid prioritization.",
+ "description": "List of the vulnerability ratings as defined by various risk rating methodologies.",
 "items": {"$ref": "#/definitions/rating"}
 },
 "cwes": {
From 6c2b90c52d27892c72007a07732d843df33473cf Mon Sep 17 00:00:00 2001
From: fahed dorgaa
Date: Sat, 17 Jan 2026 14:38:10 +0100
Subject: [PATCH 3/5] fix(spec): improve ratings descriptions in schema files for clarity on VEX usage
Signed-off-by: Fahed Dorgaa
---
 schema/bom-1.6.proto | 2 +-
 schema/bom-1.6.schema.json | 2 +-
 schema/bom-1.6.xsd | 2 +-
 schema/bom-1.7.proto | 2 +-
 schema/bom-1.7.schema.json | 2 +-
 schema/bom-1.7.xsd | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto
index e7b7a0b1..97a28dab 100644
--- a/schema/bom-1.6.proto
+++ b/schema/bom-1.6.proto
@@ -888,7 +888,7 @@ message Vulnerability {
 optional Source source = 3;
 // Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Oftentimes, the same vulnerability may exist in multiple sources of vulnerability intelligence but have different identifiers. References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.
 repeated VulnerabilityReference references = 4;
- // List of vulnerability ratings. Consumers SHOULD use ratings and SHOULD NOT ignore them; source ratings may differ and aid prioritization.
+ // List of vulnerability ratings. Consumers SHOULD consider ratings in prioritization decisions; source ratings may differ and aid prioritization.
 repeated VulnerabilityRating ratings = 5;
 // List of Common Weaknesses Enumerations (CWEs) codes that describe this vulnerability. For example, 399 (of https://cwe.mitre.org/data/definitions/399.html)
 repeated int32 cwes = 6;
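Review bot: The rewritten comment on `ratings` in bom-1.6.proto says "prioritization" twice in one sentence ("consider ratings in prioritization decisions; ... aid prioritization"), which reads like two drafts merged rather than a finished sentence; this patch applies the same sentence to bom-1.6.schema.json, bom-1.6.xsd, bom-1.7.proto, bom-1.7.schema.json and bom-1.7.xsd. One statement covers both halves: `// List of vulnerability ratings. Ratings from different sources may disagree; consumers SHOULD take all of them into account when prioritizing remediation.`. The enclosing `message Vulnerability` starts and ends outside the hunk.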
diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json
index 9aa94372..ced928cf 100644
--- a/schema/bom-1.6.schema.json
+++ b/schema/bom-1.6.schema.json
@@ -2681,7 +2681,7 @@
 "ratings": {
 "type": "array",
 "title": "Ratings",
- "description": "List of vulnerability ratings. Consumers SHOULD use ratings and SHOULD NOT ignore them; source ratings may differ and aid prioritization.",
+ "description": "List of vulnerability ratings. Consumers SHOULD consider ratings in prioritization decisions; source ratings may differ and aid prioritization.",
 "items": {
 "$ref": "#/definitions/rating"
 }
diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd
index bbe6e536..f4d6eb37 100644
--- a/schema/bom-1.6.xsd
+++ b/schema/bom-1.6.xsd
@@ -4218,7 +4218,7 @@ limitations under the License.
- List of vulnerability ratings. Consumers SHOULD use ratings and SHOULD NOT ignore them; source ratings may differ and aid prioritization.
+ List of vulnerability ratings. Consumers SHOULD consider ratings in prioritization decisions; source ratings may differ and aid prioritization.
diff --git a/schema/bom-1.7.proto b/schema/bom-1.7.proto
index 1b507781..ac905b93 100644
--- a/schema/bom-1.7.proto
+++ b/schema/bom-1.7.proto
@@ -990,7 +990,7 @@ message Vulnerability {
 optional Source source = 3;
 // Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Oftentimes, the same vulnerability may exist in multiple sources of vulnerability intelligence but have different identifiers. References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.
 repeated VulnerabilityReference references = 4;
- // List of vulnerability ratings. Consumers SHOULD use ratings and SHOULD NOT ignore them; source ratings may differ and aid prioritization.
+ // List of vulnerability ratings. Consumers SHOULD consider ratings in prioritization decisions; source ratings may differ and aid prioritization.
 repeated VulnerabilityRating ratings = 5;
 // List of Common Weaknesses Enumerations (CWEs) codes that describe this vulnerability. For example, 399 (of https://cwe.mitre.org/data/definitions/399.html)
 repeated int32 cwes = 6;
diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json
index d9311c03..4d509e99 100644
--- a/schema/bom-1.7.schema.json
+++ b/schema/bom-1.7.schema.json
@@ -2841,7 +2841,7 @@
 "ratings": {
 "type": "array",
 "title": "Ratings",
- "description": "List of vulnerability ratings. Consumers SHOULD use ratings and SHOULD NOT ignore them; source ratings may differ and aid prioritization.",
+ "description": "List of vulnerability ratings. Consumers SHOULD consider ratings in prioritization decisions; source ratings may differ and aid prioritization.",
 "items": {
 "$ref": "#/definitions/rating"
 }
diff --git a/schema/bom-1.7.xsd b/schema/bom-1.7.xsd
index 2d110b9a..4549d6fd 100644
--- a/schema/bom-1.7.xsd
+++ b/schema/bom-1.7.xsd
@@ -4461,7 +4461,7 @@ limitations under the License.
- List of vulnerability ratings. Consumers SHOULD use ratings and SHOULD NOT ignore them; source ratings may differ and aid prioritization.
+ List of vulnerability ratings. Consumers SHOULD consider ratings in prioritization decisions; source ratings may differ and aid prioritization.
From d0010efcddb3c5862aef5018cb4b0739dc0d68f2 Mon Sep 17 00:00:00 2001
From: fahed dorgaa
Date: Fri, 14 Nov 2025 14:28:47 +0100
Subject: [PATCH 4/5] Update ratings descriptions in schema files for clarity on VEX usage
Signed-off-by: fahed dorgaa
---
 schema/bom-1.6.schema.json | 2 +-
 schema/bom-1.7.schema.json | 2 +-
 schema/ext/vulnerability-1.0-SNAPSHOT.schema.json | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json
index ced928cf..9aa94372 100644
--- a/schema/bom-1.6.schema.json
+++ b/schema/bom-1.6.schema.json
@@ -2681,7 +2681,7 @@
 "ratings": {
 "type": "array",
 "title": "Ratings",
- "description": "List of vulnerability ratings. Consumers SHOULD consider ratings in prioritization decisions; source ratings may differ and aid prioritization.",
+ "description": "List of vulnerability ratings. Consumers SHOULD use ratings and SHOULD NOT ignore them; source ratings may differ and aid prioritization.",
 "items": {
 "$ref": "#/definitions/rating"
 }
diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json
index 4d509e99..d9311c03 100644
--- a/schema/bom-1.7.schema.json
+++ b/schema/bom-1.7.schema.json
@@ -2841,7 +2841,7 @@
 "ratings": {
 "type": "array",
 "title": "Ratings",
- "description": "List of vulnerability ratings. Consumers SHOULD consider ratings in prioritization decisions; source ratings may differ and aid prioritization.",
+ "description": "List of vulnerability ratings. Consumers SHOULD use ratings and SHOULD NOT ignore them; source ratings may differ and aid prioritization.",
 "items": {
 "$ref": "#/definitions/rating"
 }
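Review bot: After this hunk the JSON schemas no longer agree with the .proto and .xsd files: bom-1.6.schema.json (and bom-1.7.schema.json further down in this patch) go back to "SHOULD use ratings and SHOULD NOT ignore them", while patch 3 left bom-1.6.proto, bom-1.6.xsd, bom-1.7.proto and bom-1.7.xsd at "SHOULD consider ratings in prioritization decisions", so the same field ends up documented differently depending on the serialization format. Patch 4 also re-applies patch 1's wording under the same date and subject, and patch 5 repeats patch 2's revert of schema/ext/vulnerability-1.0-SNAPSHOT.schema.json, which looks like a rebase artifact rather than an intended change. Squashing the series into one commit that applies a single sentence to all six files would remove the divergence. Whichever sentence is kept, the three formats should carry it byte-for-byte so generated documentation does not contradict itself.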
diff --git a/schema/ext/vulnerability-1.0-SNAPSHOT.schema.json b/schema/ext/vulnerability-1.0-SNAPSHOT.schema.json
index 378bd498..efb95c16 100644
--- a/schema/ext/vulnerability-1.0-SNAPSHOT.schema.json
+++ b/schema/ext/vulnerability-1.0-SNAPSHOT.schema.json
@@ -146,7 +146,7 @@
 "ratings": {
 "type": "array",
 "title": "Ratings",
- "description": "List of the vulnerability ratings as defined by various risk rating methodologies.",
+ "description": "List of vulnerability ratings. Consumers SHOULD use ratings and SHOULD NOT ignore them; source ratings may differ and aid prioritization.",
 "items": {"$ref": "#/definitions/rating"}
 },
 "cwes": {
From a075955ee358c4a5bf0f872d418a16f5e8bce93a Mon Sep 17 00:00:00 2001
From: fahed dorgaa
Date: Fri, 26 Dec 2025 22:23:22 +0100
Subject: [PATCH 5/5] Update vulnerability ratings description in XML and Protobuf schemas, and revert extension changes
Signed-off-by: fahed dorgaa
---
 schema/ext/vulnerability-1.0-SNAPSHOT.schema.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/schema/ext/vulnerability-1.0-SNAPSHOT.schema.json b/schema/ext/vulnerability-1.0-SNAPSHOT.schema.json
index efb95c16..378bd498 100644
--- a/schema/ext/vulnerability-1.0-SNAPSHOT.schema.json
+++ b/schema/ext/vulnerability-1.0-SNAPSHOT.schema.json
@@ -146,7 +146,7 @@
 "ratings": {
 "type": "array",
 "title": "Ratings",
- "description": "List of vulnerability ratings. Consumers SHOULD use ratings and SHOULD NOT ignore them; source ratings may differ and aid prioritization.",
+ "description": "List of the vulnerability ratings as defined by various risk rating methodologies.",
 "items": {"$ref": "#/definitions/rating"}
 },
 "cwes": {