U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

1.1 - 2019-09-09

  • The nvd_cve_feed_json_1.0.schema renamed nvd_cve_feed_json_1.1.schema.
  • The cvss-v3.0.json schema renamed to cvss-v3.x.json to convey support for both CVSS V3.0 and V3.1.
  • In cvss-v3.x.json the version enumeration has been expanded to include 3.1.
                               "version": {
                               "description": "CVSS Version",
                               "type": "string",
                               "enum": [ "3.0", "3.1" ]
  • In cvss-v3.x.json the vectorString pattern (regex) has been modified to allow for the CVSS:3.1 prefix.
                                "vectorString": {
                                 "type": "string",
                                "pattern": "^CVSS:3.[01]/((AV:[NALP]...
  • In CVE_JSON_4.0_min.schema, the affects element has been removed from the required properties.
                                "required": [ "data_type", "data_format", "data_version", "CVE_data_meta", "affects", "problemtype", "references", "description" ],
  • In nvd_cve_feed_json_1.1.schema, the last_modified property was added to def_cpe_name.

1.0 - 2018-10-30

  • All paths for referenced schemas updated to ../1.0/.. 
    • https://scap.nist.gov/schema/nvd/feed/1.0/nvd_cve_feed_json_1.0.schema
    • https://csrc.nist.gov/schema/nvd/feed/1.0/CVE_JSON_4.0_min.schema
    • https://csrc.nist.gov/schema/nvd/feed/1.0/cvss-v2.0.json
    • https://csrc.nist.gov/schema/nvd/feed/1.0/cvss-v3.0.json
  • In the CVSS v2.0 section, the "vectorString" property is no longer encapsulated in parenthesis ()
  • Changed "minItems" to 0 for vendor_data, problemtype_data, description, reference_data, and description_data 
  • Fixed an issue where "version_affected" was not being populated in certain circumstances
  • Added a new boolean property "acInsufInfo": {"type": "boolean"} to the "baseMetricV2" section
  • "cpe" property in the configuration section is now named "cpe_match"
  • Added optional array "cpe_name" property to schema for future support
  • No longer populate the "cpe2.2Uri", however, it remains in the schema

0.1_beta - 2018-08-06

  • Added a property to reference to track which tags have been supplied.
       "type": "array",   
       "items": {   
                "type": "string"   
       Ex: "tags" : [ "Third Party Advisory", "VDB Entry"  ]

0.1_beta - 2017-12-18

  • Changed "cpeMatchString" property name to "cpe22Uri"
  • Removed "lang" and "value" from required in "cpe" object
  • Added "vulnerable", "cpe22Uri", and "cpe23Uri" as required to "cpe" object
  • Removed "CVE_configuration_data" from required in "def_configurations" object

0.1_beta - 2017-11-01

  • Removed the following property from the "cpe" object
  • Added four new properties to the "cpe" object to assist in defining ranges

0.1_beta - 2017-07-05