cve.json schema: fix naming inconsistencies against taxonomy files #10327

@richlander

Description

I'm filing this here because dotnet/designs doesn't have issues.

The taxonomy JSON files (severity.json, products.json, platforms.json, architectures.json) establish a rule from the implementation guidance: all taxonomy strings use kebab-case-lower. Several fields in cve.json currently violate this, and the taxonomy set has one gap.

1. Severity case mismatch

severity.json defines items in lowercase: "critical", "high", "medium", "low". cve.json uses uppercase in two places:

  • disclosures[].cvss.severity — e.g., "HIGH"
  • severity_cves dictionary keys — e.g., "HIGH", "CRITICAL"

Decision: lowercase cve.json to match the taxonomy rule. CVSS spec uses uppercase internally, but the taxonomy file is our authoritative vocabulary layer. This is a breaking change to the data format — small, worth doing now before wider adoption.
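A migration and a validator for item 1, added here as an illustration rather than as code from dotnet/designs. The severity.json and cve.json fragments are constructed to match the shapes the issue describes (the CVE identifiers are placeholders), and the `string` field on taxonomy items is assumed from the repos.json shape proposed below.

```python
"""Normalise severity strings in cve.json to the severity.json vocabulary.

Added example (not part of the dotnet/designs proposal). The file contents
are constructed to mirror the shapes described in the issue; real files
carry more fields than shown here.
"""
import copy
import json

# Constructed stand-in for severity.json (only the fields the check needs).
SEVERITY_JSON = json.loads("""
{
  "category": "severity",
  "items": [
    {"string": "critical"},
    {"string": "high"},
    {"string": "medium"},
    {"string": "low"}
  ]
}
""")

# Constructed cve.json fragment in the current (uppercase) form.
# The CVE identifiers are placeholders, not real advisories.
CVE_JSON_BEFORE = json.loads("""
{
  "disclosures": [
    {"cve": "CVE-0000-0001", "cvss": {"score": 7.5, "severity": "HIGH"}},
    {"cve": "CVE-0000-0002", "cvss": {"score": 9.8, "severity": "CRITICAL"}}
  ],
  "severity_cves": {
    "HIGH": ["CVE-0000-0001"],
    "CRITICAL": ["CVE-0000-0002"]
  }
}
""")


def vocabulary(taxonomy: dict) -> set[str]:
    """Return the set of valid strings a taxonomy file defines."""
    return {item["string"] for item in taxonomy["items"]}


def lowercase_severities(cve: dict) -> dict:
    """Return a copy of cve.json with every severity string lowercased.

    Touches exactly the two places the issue names:
    disclosures[].cvss.severity and the keys of severity_cves.
    The input document is left unmodified.
    """
    out = copy.deepcopy(cve)
    for disclosure in out.get("disclosures", []):
        cvss = disclosure.get("cvss")
        if cvss and "severity" in cvss:
            cvss["severity"] = cvss["severity"].lower()
    if "severity_cves" in out:
        merged: dict[str, list[str]] = {}
        for key, cves in out["severity_cves"].items():
            # Keys that differ only in case collapse into one bucket
            # instead of silently dropping one of them.
            merged.setdefault(key.lower(), []).extend(cves)
        out["severity_cves"] = merged
    return out


def severity_violations(cve: dict, taxonomy: dict) -> list[str]:
    """List every severity value in cve.json that is not in severity.json."""
    valid = vocabulary(taxonomy)
    bad = []
    for i, disclosure in enumerate(cve.get("disclosures", [])):
        sev = disclosure.get("cvss", {}).get("severity")
        if sev is not None and sev not in valid:
            bad.append(f"disclosures[{i}].cvss.severity={sev!r}")
    for key in cve.get("severity_cves", {}):
        if key not in valid:
            bad.append(f"severity_cves key {key!r}")
    return bad


if __name__ == "__main__":
    print(severity_violations(CVE_JSON_BEFORE, SEVERITY_JSON))
    fixed = lowercase_severities(CVE_JSON_BEFORE)
    print(severity_violations(fixed, SEVERITY_JSON))
    print(json.dumps(fixed["severity_cves"], indent=2))
```

Run `severity_violations` in CI against the real files so that a future uppercase value is rejected rather than lowercased on the fly; the migration function is only for the one-time format change.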

2. product_name{} is a redundant partial copy of products.json

cve.json embeds a product_name{} index mapping product slugs to display names. products.json is now the source of truth for exactly this data, with richer description fields as well.

product_name{} should be retained as a pre-computed index (consistent with the schema's index philosophy) but documented in the spec as a computed projection of products.json, generated at file-creation time rather than maintained separately.

3. Missing repos taxonomy

The commits{} structure uses repo (short name, e.g. "runtime") and org ("dotnet"), but there is no repos.json to formally define the set of valid repo identifiers or relate them back to product slugs. This is the one gap in the taxonomy set that leaves commit key namespaces without formal vocabulary backing.

Proposed shape:

```json
{
  "category": "repos",
  "description": "GitHub repositories that contain .NET source code",
  "items": [
    {
      "string": "runtime",
      "org": "dotnet",
      "display_name": ".NET Runtime",
      "product": "dotnet-runtime"
    }
  ]
}
```

The product field is what makes this file valuable — it bridges commit key namespaces (e.g. runtime@979135d) to the products taxonomy, enabling consumers to resolve a commit key to a product slug without parsing or hardcoding the mapping.
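An added example, not code from dotnet/designs, showing how a consumer would use the two taxonomy files discussed in items 2 and 3: computing product_name{} as a projection of products.json, and resolving a commit key such as `runtime@979135d` to a product slug through a repos.json of the shape proposed above. The products.json and repos.json contents are constructed; the `display_name` field on products.json items and the second repo entry are assumptions, not the project's real data.

```python
"""Project product_name{} from products.json and resolve commit keys via repos.json.

Added example (not project code). File contents are constructed; the
"display_name" field on products.json items is assumed by analogy with the
proposed repos.json shape.
"""
import json

# Constructed stand-in for products.json.
PRODUCTS_JSON = json.loads("""
{
  "category": "products",
  "items": [
    {"string": "dotnet-runtime", "display_name": ".NET Runtime", "description": "constructed"},
    {"string": "aspnetcore", "display_name": "ASP.NET Core", "description": "constructed"}
  ]
}
""")

# Constructed repos.json in the proposed shape (second entry is assumed).
REPOS_JSON = json.loads("""
{
  "category": "repos",
  "description": "GitHub repositories that contain .NET source code",
  "items": [
    {"string": "runtime", "org": "dotnet", "display_name": ".NET Runtime", "product": "dotnet-runtime"},
    {"string": "aspnetcore", "org": "dotnet", "display_name": "ASP.NET Core", "product": "aspnetcore"}
  ]
}
""")


def product_name_index(products: dict) -> dict[str, str]:
    """Compute product_name{} as a projection of products.json (item 2)."""
    return {item["string"]: item["display_name"] for item in products["items"]}


def check_product_name(cve: dict, products: dict) -> list[str]:
    """Report where an embedded product_name{} drifts from the projection."""
    expected = product_name_index(products)
    problems = []
    for slug, name in cve.get("product_name", {}).items():
        if slug not in expected:
            problems.append(f"{slug}: not in products.json")
        elif expected[slug] != name:
            problems.append(f"{slug}: {name!r} != {expected[slug]!r}")
    return problems


def parse_commit_key(key: str) -> tuple[str, str]:
    """Split 'repo@sha' into its parts; malformed keys raise ValueError."""
    repo, sep, sha = key.partition("@")
    if not sep or not repo or not sha:
        raise ValueError(f"malformed commit key: {key!r}")
    return repo, sha


def resolve_commit_key(key: str, repos: dict, products: dict) -> dict:
    """Map a commit key to org/repo/sha/product using repos.json (item 3).

    Fails closed: an unknown repo, or a repo whose product slug is absent
    from products.json, raises rather than returning a guessed value.
    """
    repo, sha = parse_commit_key(key)
    by_name = {item["string"]: item for item in repos["items"]}
    if repo not in by_name:
        raise KeyError(f"repo {repo!r} not defined in repos.json")
    entry = by_name[repo]
    slugs = {item["string"] for item in products["items"]}
    if entry["product"] not in slugs:
        raise KeyError(f"repos.json maps {repo!r} to unknown product {entry['product']!r}")
    return {"org": entry["org"], "repo": repo, "sha": sha, "product": entry["product"]}


def repos_violations(repos: dict, products: dict) -> list[str]:
    """Every repos.json item must point at a product slug that exists."""
    slugs = {item["string"] for item in products["items"]}
    return [item["string"] for item in repos["items"] if item["product"] not in slugs]


if __name__ == "__main__":
    print(product_name_index(PRODUCTS_JSON))
    print(resolve_commit_key("runtime@979135d", REPOS_JSON, PRODUCTS_JSON))
    print(repos_violations(REPOS_JSON, PRODUCTS_JSON))
```

`repos_violations` is the cross-file check that makes repos.json trustworthy: a repo entry whose `product` is not a products.json slug would otherwise let a commit key resolve to a product that no other taxonomy file knows about.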

Scope

Items 1 and 3 are schema/data changes. Item 2 is a spec documentation update only. Item 1 is a breaking change; items 2 and 3 are additive.

Labels: needs-area-label