Showing:

Annotations
Attributes
Diagrams
Facets
Identity Constraints
Source
Used by
Imported schema vuln.xsd
Namespace http://www.icasi.org/CVRF/schema/vuln/1.1
Annotations
 
This is the XML schema for the Common Vulnerability Reporting Framework's Vulnerability model.  For more information, see the CVRF whitepaper.
Element vuln:Vulnerability
Namespace http://www.icasi.org/CVRF/schema/vuln/1.1
Annotations
 
This is a meta-container for the aggregation of all fields that are related to a single vulnerability within the document.
Diagram
Diagram vuln_xsd.tmp#Vulnerability_Ordinal vuln_xsd.tmp#Vulnerability_Title vuln_xsd.tmp#Vulnerability_ID vuln_xsd.tmp#Vulnerability_Notes vuln_xsd.tmp#Vulnerability_DiscoveryDate vuln_xsd.tmp#Vulnerability_ReleaseDate vuln_xsd.tmp#Vulnerability_Involvements vuln_xsd.tmp#Vulnerability_CVE vuln_xsd.tmp#Vulnerability_CWE vuln_xsd.tmp#Vulnerability_ProductStatuses vuln_xsd.tmp#Vulnerability_Threats vuln_xsd.tmp#Vulnerability_CVSSScoreSets vuln_xsd.tmp#Vulnerability_Remediations vuln_xsd.tmp#Vulnerability_References vuln_xsd.tmp#Vulnerability_Acknowledgments
Used by
Element cvrf:cvrfdoc
Children vuln:Acknowledgments, vuln:CVE, vuln:CVSSScoreSets, vuln:CWE, vuln:DiscoveryDate, vuln:ID, vuln:Involvements, vuln:Notes, vuln:ProductStatuses, vuln:References, vuln:ReleaseDate, vuln:Remediations, vuln:Threats, vuln:Title
Attributes
QName Type Use Annotation
Ordinal xs:positiveInteger required 
Locally significant numeric value to track vulnerabilities within a CVRF document.  This enables vulnerabilities to be referenced from elsewhere inside the document (often at the document-level)
Source
 
<xs:element name="Vulnerability">
  <xs:annotation>
    <xs:documentation xml:lang="en">This is a meta-container for the aggregation of all fields that are related to a single vulnerability within the document.</xs:documentation>
  </xs:annotation>
  <xs:complexType>
    <xs:sequence>
      <xs:element name="Title" minOccurs="0" maxOccurs="1">
        <xs:annotation>
          <xs:documentation xml:lang="en">Vulnerability Title gives the document producer the ability to apply a canonical name or title to the vulnerability.</xs:documentation>
        </xs:annotation>
        <xs:complexType>
          <xs:simpleContent>
            <xs:extension base="cvrf-common:localizedString"/>
          </xs:simpleContent>
        </xs:complexType>
      </xs:element>
      <xs:element name="ID" minOccurs="0" maxOccurs="1">
        <xs:annotation>
          <xs:documentation xml:lang="en">Vulnerability ID gives the document producer a place to publish a unique label or tracking ID for the vulnerability (if such information exists).</xs:documentation>
        </xs:annotation>
        <xs:complexType>
          <xs:simpleContent>
            <xs:extension base="xs:token">
              <xs:attribute name="SystemName" type="xs:token" use="required">
                <xs:annotation>
                  <xs:documentation xml:lang="en">System Name indicates the name of the vulnerability tracking or numbering system that this vulnerability ID comes from.</xs:documentation>
                </xs:annotation>
              </xs:attribute>
            </xs:extension>
          </xs:simpleContent>
        </xs:complexType>
      </xs:element>
      <xs:element name="Notes" minOccurs="0" maxOccurs="1">
        <xs:annotation>
          <xs:documentation xml:lang="en">The Notes container holds all individual notes concerning this vulnerability.</xs:documentation>
        </xs:annotation>
        <xs:complexType>
          <xs:sequence>
            <xs:element name="Note" minOccurs="0" maxOccurs="unbounded">
              <xs:annotation>
                <xs:documentation xml:lang="en">The Notes text contains all of the content necessary to provide different types of low-level discussions of a given vulnerability to various audiences.</xs:documentation>
              </xs:annotation>
              <xs:complexType>
                <xs:simpleContent>
                  <xs:extension base="cvrf-common:localizedString">
                    <xs:attribute name="Title" type="xs:string">
                      <xs:annotation>
                        <xs:documentation xml:lang="en">Title should be a concise description of what is contained in Vulnerability Notes.</xs:documentation>
                      </xs:annotation>
                    </xs:attribute>
                    <xs:attribute name="Audience" type="xs:string">
                      <xs:annotation>
                        <xs:documentation xml:lang="en">Audience will indicate who is intended to read the note.</xs:documentation>
                      </xs:annotation>
                    </xs:attribute>
                    <xs:attribute name="Type" type="cvrf-common:NoteTypeEnumType" use="required">
                      <xs:annotation>
                        <xs:documentation xml:lang="en">Type of content within this note.</xs:documentation>
                      </xs:annotation>
                    </xs:attribute>
                    <xs:attribute name="Ordinal" type="xs:positiveInteger" use="required">
                      <xs:annotation>
                        <xs:documentation xml:lang="en">Ordinal is a locally significant integral counter indexed from 1 used to track notes.</xs:documentation>
                      </xs:annotation>
                    </xs:attribute>
                  </xs:extension>
                </xs:simpleContent>
              </xs:complexType>
            </xs:element>
          </xs:sequence>
        </xs:complexType>
      </xs:element>
      <xs:element name="DiscoveryDate" type="xs:dateTime" minOccurs="0" maxOccurs="1">
        <xs:annotation>
          <xs:documentation xml:lang="en">Date vulnerability was initially discovered by its original discoverer.</xs:documentation>
        </xs:annotation>
      </xs:element>
      <xs:element name="ReleaseDate" type="xs:dateTime" minOccurs="0" maxOccurs="1">
        <xs:annotation>
          <xs:documentation xml:lang="en">Date vulnerability was initially released to the public.</xs:documentation>
        </xs:annotation>
      </xs:element>
      <xs:element name="Involvements" minOccurs="0" maxOccurs="1">
        <xs:annotation>
          <xs:documentation xml:lang="en">The Involvements container lists any number of vendor or third party interactions related to this vulnerability.</xs:documentation>
        </xs:annotation>
        <xs:complexType>
          <xs:sequence>
            <xs:element name="Involvement" minOccurs="1" maxOccurs="unbounded">
              <xs:annotation>
                <xs:documentation xml:lang="en">Involvement contains a specific set of interaction details.</xs:documentation>
              </xs:annotation>
              <xs:complexType>
                <xs:sequence>
                  <xs:element name="Description" minOccurs="0" maxOccurs="1">
                    <xs:annotation>
                      <xs:documentation xml:lang="en">The description of the Involvement.</xs:documentation>
                    </xs:annotation>
                    <xs:complexType>
                      <xs:simpleContent>
                        <xs:extension base="cvrf-common:localizedString"/>
                      </xs:simpleContent>
                    </xs:complexType>
                  </xs:element>
                </xs:sequence>
                <xs:attribute name="Party" type="cvrf-common:PublisherEnumType" use="required">
                  <xs:annotation>
                    <xs:documentation xml:lang="en">Type of party with whom the involvement is taking place.</xs:documentation>
                  </xs:annotation>
                </xs:attribute>
                <xs:attribute name="Status" type="vuln:InvolvementStatusEnumType" use="required">
                  <xs:annotation>
                    <xs:documentation xml:lang="en">Status of the involvement with the specified party.</xs:documentation>
                  </xs:annotation>
                </xs:attribute>
              </xs:complexType>
            </xs:element>
          </xs:sequence>
        </xs:complexType>
      </xs:element>
      <xs:element name="CVE" type="vuln:cvePattern" minOccurs="0" maxOccurs="1">
        <xs:annotation>
          <xs:documentation xml:lang="en">The CVE string refers to the MITRE standard Common Vulnerabilities Enumeration (CVE) tracking number for the vulnerability.</xs:documentation>
        </xs:annotation>
      </xs:element>
      <xs:element name="CWE" minOccurs="0" maxOccurs="unbounded">
        <xs:annotation>
          <xs:documentation xml:lang="en">Detailed description of the referrenced Common Weakness Enumeration (CWE) identifier.</xs:documentation>
        </xs:annotation>
        <xs:complexType>
          <xs:simpleContent>
            <xs:extension base="cvrf-common:localizedString">
              <xs:attribute name="ID" type="vuln:cwePattern" use="required">
                <xs:annotation>
                  <xs:documentation xml:lang="en">The MITRE-assigned CWE identifier.</xs:documentation>
                </xs:annotation>
              </xs:attribute>
            </xs:extension>
          </xs:simpleContent>
        </xs:complexType>
      </xs:element>
      <xs:element name="ProductStatuses" minOccurs="0" maxOccurs="1">
        <xs:annotation>
          <xs:documentation xml:lang="en">The ProductStatuses container holds the list of all the products affected by the vulnerability in question.</xs:documentation>
        </xs:annotation>
        <xs:complexType>
          <xs:sequence>
            <xs:element name="Status" minOccurs="1" maxOccurs="unbounded">
              <xs:annotation>
                <xs:documentation xml:lang="en">The Status element holds an enumerated value based on available Product Name Entry items as constructed from the Product Tree container.</xs:documentation>
              </xs:annotation>
              <xs:complexType>
                <xs:sequence>
                  <xs:element ref="vuln:ProductID" minOccurs="1" maxOccurs="unbounded"/>
                </xs:sequence>
                <xs:attribute name="Type" type="vuln:AffectedStatusEnumType" use="required">
                  <xs:annotation>
                    <xs:documentation xml:lang="en">Affected status for the product or products defined in this container.</xs:documentation>
                  </xs:annotation>
                </xs:attribute>
              </xs:complexType>
            </xs:element>
          </xs:sequence>
        </xs:complexType>
      </xs:element>
      <xs:element name="Threats" minOccurs="0" maxOccurs="1">
        <xs:annotation>
          <xs:documentation xml:lang="en">Contains all Threat containers</xs:documentation>
        </xs:annotation>
        <xs:complexType>
          <xs:sequence>
            <xs:element name="Threat" minOccurs="1" maxOccurs="unbounded">
              <xs:annotation>
                <xs:documentation xml:lang="en">Threat contains the "kinetic" information associated with a vulnerability.</xs:documentation>
              </xs:annotation>
              <xs:complexType>
                <xs:sequence>
                  <xs:element name="Description" minOccurs="1" maxOccurs="1">
                    <xs:annotation>
                      <xs:documentation xml:lang="en">The description of the Threat.</xs:documentation>
                    </xs:annotation>
                    <xs:complexType>
                      <xs:simpleContent>
                        <xs:extension base="cvrf-common:localizedString"/>
                      </xs:simpleContent>
                    </xs:complexType>
                  </xs:element>
                  <xs:element ref="vuln:ProductID" minOccurs="0" maxOccurs="unbounded"/>
                  <xs:element ref="vuln:GroupID" minOccurs="0" maxOccurs="unbounded"/>
                </xs:sequence>
                <xs:attribute name="Type" type="vuln:ThreatTypeEnumType" use="required">
                  <xs:annotation>
                    <xs:documentation xml:lang="en">The type of the Threat.</xs:documentation>
                  </xs:annotation>
                </xs:attribute>
                <xs:attribute name="Date" type="xs:dateTime">
                  <xs:annotation>
                    <xs:documentation xml:lang="en">The date this Threat item was last updated; if omitted it is deemed to be unknown, irrelevant, or unimportant.</xs:documentation>
                  </xs:annotation>
                </xs:attribute>
              </xs:complexType>
            </xs:element>
          </xs:sequence>
        </xs:complexType>
      </xs:element>
      <xs:element name="CVSSScoreSets" minOccurs="0" maxOccurs="1">
        <xs:annotation>
          <xs:documentation xml:lang="en">The CVSS Score Set meta-container holds one or more CVSS score sets to describe vulnerable products.</xs:documentation>
        </xs:annotation>
        <xs:complexType>
          <xs:sequence>
            <xs:element name="ScoreSet" minOccurs="1" maxOccurs="unbounded">
              <xs:annotation>
                <xs:documentation xml:lang="en">CVSS scores for a given product ID.  If the ProductID attribute is omitted, the score applies to all vulnerable products.</xs:documentation>
              </xs:annotation>
              <xs:complexType>
                <xs:sequence>
                  <xs:element name="BaseScore" type="cvssv2:zeroToTenDecimalType" minOccurs="1" maxOccurs="1">
                    <xs:annotation>
                      <xs:documentation xml:lang="en">The CVSS Base Score is the numeric value of the computed CVSS Base Score which should be a float from 0 – 10.0.</xs:documentation>
                    </xs:annotation>
                  </xs:element>
                  <xs:element name="TemporalScore" type="cvssv2:zeroToTenDecimalType" minOccurs="0" maxOccurs="1">
                    <xs:annotation>
                      <xs:documentation xml:lang="en">The CVSS Base Score is the numeric value of the computed CVSS Temporal Score which should be a float from 0 – 10.0.</xs:documentation>
                    </xs:annotation>
                  </xs:element>
                  <xs:element name="EnvironmentalScore" type="cvssv2:zeroToTenDecimalType" minOccurs="0" maxOccurs="1">
                    <xs:annotation>
                      <xs:documentation xml:lang="en">The CVSS Base Score is the numeric value of the computed CVSS Environmental Score which should be a float from 0 – 10.0.</xs:documentation>
                    </xs:annotation>
                  </xs:element>
                  <xs:element name="Vector" type="vuln:cvssVector" minOccurs="0" maxOccurs="1">
                    <xs:annotation>
                      <xs:documentation xml:lang="en">The CVSS Vector string is the official notation that contains all of the values used to compute the Base, Temporal, and Environmental scores.</xs:documentation>
                    </xs:annotation>
                  </xs:element>
                  <xs:element ref="vuln:ProductID" minOccurs="0" maxOccurs="unbounded"/>
                </xs:sequence>
              </xs:complexType>
            </xs:element>
          </xs:sequence>
        </xs:complexType>
      </xs:element>
      <xs:element name="Remediations" minOccurs="0" maxOccurs="1">
        <xs:annotation>
          <xs:documentation xml:lang="en">The Remediation meta-container tag holds all related Workaround, Mitigation, Vendor Fix, and Entitlement entries that are associated with the specific vulnerability.</xs:documentation>
        </xs:annotation>
        <xs:complexType>
          <xs:sequence>
            <xs:element name="Remediation" minOccurs="1" maxOccurs="unbounded">
              <xs:annotation>
                <xs:documentation xml:lang="en">Holds all of the specific details on how to handle (and presumably, fix) the vulnerability, tied to Product ID.</xs:documentation>
              </xs:annotation>
              <xs:complexType>
                <xs:sequence>
                  <xs:element name="Description" minOccurs="1" maxOccurs="1">
                    <xs:annotation>
                      <xs:documentation xml:lang="en">Textual description of this remedy.</xs:documentation>
                    </xs:annotation>
                    <xs:complexType>
                      <xs:simpleContent>
                        <xs:extension base="cvrf-common:localizedString"/>
                      </xs:simpleContent>
                    </xs:complexType>
                  </xs:element>
                  <xs:element name="Entitlement" minOccurs="0" maxOccurs="unbounded">
                    <xs:annotation>
                      <xs:documentation xml:lang="en">The Entitlement string will contain any possible vendor-defined constraints for obtaining fixed software or hardware that fully resolves the vulnerability.</xs:documentation>
                    </xs:annotation>
                    <xs:complexType>
                      <xs:simpleContent>
                        <xs:extension base="cvrf-common:localizedString"/>
                      </xs:simpleContent>
                    </xs:complexType>
                  </xs:element>
                  <xs:element name="URL" type="xs:anyURI" minOccurs="0" maxOccurs="1">
                    <xs:annotation>
                      <xs:documentation xml:lang="en">URL from which the remedy can be obtained.</xs:documentation>
                    </xs:annotation>
                  </xs:element>
                  <xs:element ref="vuln:ProductID" minOccurs="0" maxOccurs="unbounded"/>
                  <xs:element ref="vuln:GroupID" minOccurs="0" maxOccurs="unbounded"/>
                </xs:sequence>
                <xs:attribute name="Type" type="vuln:RemedyTypeEnumType" use="required">
                  <xs:annotation>
                    <xs:documentation xml:lang="en">Specific type of remedy.</xs:documentation>
                  </xs:annotation>
                </xs:attribute>
                <xs:attribute name="Date" type="xs:dateTime">
                  <xs:annotation>
                    <xs:documentation xml:lang="en">The date Remedy was last updated, if omitted it is deemed to be unknown, unimportant, or irrelevant.</xs:documentation>
                  </xs:annotation>
                </xs:attribute>
              </xs:complexType>
            </xs:element>
          </xs:sequence>
        </xs:complexType>
      </xs:element>
      <xs:element name="References" minOccurs="0" maxOccurs="1">
        <xs:annotation>
          <xs:documentation xml:lang="en">This meta-container should include references to any conferences, papers, advisories, and other resources that are related to this vulnerability.</xs:documentation>
        </xs:annotation>
        <xs:complexType>
          <xs:sequence>
            <xs:element name="Reference" minOccurs="1" maxOccurs="unbounded">
              <xs:annotation>
                <xs:documentation xml:lang="en">This meta-container contains an orthogonally related document, background info, whitepaper, etc. to the specific vulnerability.</xs:documentation>
              </xs:annotation>
              <xs:complexType>
                <xs:sequence>
                  <xs:element name="URL" type="xs:anyURI" minOccurs="1" maxOccurs="1">
                    <xs:annotation>
                      <xs:documentation xml:lang="en">The URL of the related document.</xs:documentation>
                    </xs:annotation>
                  </xs:element>
                  <xs:element name="Description" minOccurs="1" maxOccurs="1">
                    <xs:annotation>
                      <xs:documentation xml:lang="en">The description of the related document.</xs:documentation>
                    </xs:annotation>
                    <xs:complexType>
                      <xs:simpleContent>
                        <xs:extension base="cvrf-common:localizedString"/>
                      </xs:simpleContent>
                    </xs:complexType>
                  </xs:element>
                </xs:sequence>
                <xs:attribute name="Type" type="cvrf-common:ReferenceTypeEnum" default="External">
                  <xs:annotation>
                    <xs:documentation xml:lang="en">Enumerated type value of reference relative to this document.</xs:documentation>
                  </xs:annotation>
                </xs:attribute>
              </xs:complexType>
            </xs:element>
          </xs:sequence>
        </xs:complexType>
      </xs:element>
      <xs:element name="Acknowledgments" minOccurs="0" maxOccurs="1">
        <xs:annotation>
          <xs:documentation xml:lang="en">The Acknowledgments container holds one or more Acknowledgement containers for vulnerability-level acknowledgements.</xs:documentation>
        </xs:annotation>
        <xs:complexType>
          <xs:sequence>
            <xs:element name="Acknowledgment" minOccurs="1" maxOccurs="unbounded">
              <xs:annotation>
                <xs:documentation xml:lang="en">The Acknowledgment container holds recognition for external parties who were instrumental in the discovery of, reporting of, and response to the vulnerability.</xs:documentation>
              </xs:annotation>
              <xs:complexType>
                <xs:sequence>
                  <xs:element name="Name" minOccurs="0" maxOccurs="unbounded">
                    <xs:annotation>
                      <xs:documentation xml:lang="en">The name (i.e., individual name) of the party being acknowledged.</xs:documentation>
                    </xs:annotation>
                    <xs:complexType>
                      <xs:simpleContent>
                        <xs:extension base="cvrf-common:localizedString"/>
                      </xs:simpleContent>
                    </xs:complexType>
                  </xs:element>
                  <xs:element name="Organization" minOccurs="0" maxOccurs="unbounded">
                    <xs:annotation>
                      <xs:documentation xml:lang="en">The organization of the party being acknowledged or the organization itself being acknowledged.</xs:documentation>
                    </xs:annotation>
                    <xs:complexType>
                      <xs:simpleContent>
                        <xs:extension base="cvrf-common:localizedString"/>
                      </xs:simpleContent>
                    </xs:complexType>
                  </xs:element>
                  <xs:element name="Description" minOccurs="0" maxOccurs="1">
                    <xs:annotation>
                      <xs:documentation xml:lang="en">The details of the acknowledgment that address the recognition of external parties who were instrumental in the discovery, reporting and response of this document.</xs:documentation>
                    </xs:annotation>
                    <xs:complexType>
                      <xs:simpleContent>
                        <xs:extension base="cvrf-common:localizedString"/>
                      </xs:simpleContent>
                    </xs:complexType>
                  </xs:element>
                  <xs:element name="URL" type="xs:anyURI" minOccurs="0" maxOccurs="unbounded">
                    <xs:annotation>
                      <xs:documentation xml:lang="en">The optional URL to the person, place, or thing being acknowledged.</xs:documentation>
                    </xs:annotation>
                  </xs:element>
                </xs:sequence>
              </xs:complexType>
            </xs:element>
          </xs:sequence>
        </xs:complexType>
      </xs:element>
    </xs:sequence>
    <xs:attribute name="Ordinal" type="xs:positiveInteger" use="required">
      <xs:annotation>
        <xs:documentation xml:lang="en">Locally significant numeric value to track vulnerabilities within a CVRF document. This enables vulnerabilities to be referenced from elsewhere inside the document (often at the document-level)</xs:documentation>
      </xs:annotation>
    </xs:attribute>
  </xs:complexType>
  <xs:unique name="UniqueProductProductID">
    <xs:annotation>
      <xs:documentation xml:lang="en">This is to ensure that each product mentions a given ProductID only one.</xs:documentation>
    </xs:annotation>
    <xs:selector xpath=".//vuln:ProductStatuses/vuln:Status/vuln:ProductID"/>
    <xs:field xpath="."/>
  </xs:unique>
  <xs:unique name="UniqueScoreSetProductID">
    <xs:annotation>
      <xs:documentation xml:lang="en">This is to ensure that each CVSS score set mentions a given ProductID only one.</xs:documentation>
    </xs:annotation>
    <xs:selector xpath=".//vuln:CVSSScoreSets/vuln:ScoreSet/vuln:ProductID"/>
    <xs:field xpath="."/>
  </xs:unique>
  <xs:unique name="UniqueNotesOrdinal">
    <xs:annotation>
      <xs:documentation xml:lang="en">This is to ensure that each note has a unique ordinal value.</xs:documentation>
    </xs:annotation>
    <xs:selector xpath=".//vuln:Notes/vuln:Note"/>
    <xs:field xpath="@Ordinal"/>
  </xs:unique>
</xs:element>
Element vuln:Vulnerability / vuln:Title
Namespace http://www.icasi.org/CVRF/schema/vuln/1.1
Annotations
 
Vulnerability Title gives the document producer the ability to apply a canonical name or title to the vulnerability.
Diagram
Diagram common_xsd.tmp#nonEmptyString xml_xsd.tmp#lang common_xsd.tmp#localizedString
Type extension of cvrf-common:localizedString
Type hierarchy
Attributes
QName Type Default Use Annotation
xml:lang union of(xs:language, restriction of xs:string) en optional 
<div>
  <h3>lang (as an attribute name)</h3>
  <p>denotes an attribute whose value is a language code for the natural language of the content of any element; its value is inherited. This name is reserved by virtue of its definition in the XML specification.</p>
</div>
<div>
  <h4>Notes</h4>
  <p>Attempting to install the relevant ISO 2- and 3-letter codes as the enumerated possible values is probably never going to be a realistic possibility.</p>
  <p>See BCP 47 at
    <a href="http://www.rfc-editor.org/rfc/bcp/bcp47.txt">http://www.rfc-editor.org/rfc/bcp/bcp47.txt</a>and the IANA language subtag registry at
    <a href="http://www.iana.org/assignments/language-subtag-registry">http://www.iana.org/assignments/language-subtag-registry</a>for further information.</p>
  <p>The union allows for the 'un-declaration' of xml:lang with the empty string.</p>
</div>
Source
 
<xs:element name="Title" minOccurs="0" maxOccurs="1">
  <xs:annotation>
    <xs:documentation xml:lang="en">Vulnerability Title gives the document producer the ability to apply a canonical name or title to the vulnerability.</xs:documentation>
  </xs:annotation>
  <xs:complexType>
    <xs:simpleContent>
      <xs:extension base="cvrf-common:localizedString"/>
    </xs:simpleContent>
  </xs:complexType>
</xs:element>
Element vuln:Vulnerability / vuln:ID
Namespace http://www.icasi.org/CVRF/schema/vuln/1.1
Annotations
 
Vulnerability ID gives the document producer a place to publish a unique label or tracking ID for the vulnerability (if such information exists).
Diagram
Diagram vuln_xsd.tmp#Vulnerability_Vulnerability_ID_SystemName
Type extension of xs:token
Attributes
QName Type Use Annotation
SystemName xs:token required 
System Name indicates the name of the vulnerability tracking or numbering system that this vulnerability ID comes from.
Source
 
<xs:element name="ID" minOccurs="0" maxOccurs="1">
  <xs:annotation>
    <xs:documentation xml:lang="en">Vulnerability ID gives the document producer a place to publish a unique label or tracking ID for the vulnerability (if such information exists).</xs:documentation>
  </xs:annotation>
  <xs:complexType>
    <xs:simpleContent>
      <xs:extension base="xs:token">
        <xs:attribute name="SystemName" type="xs:token" use="required">
          <xs:annotation>
            <xs:documentation xml:lang="en">System Name indicates the name of the vulnerability tracking or numbering system that this vulnerability ID comes from.</xs:documentation>
          </xs:annotation>
        </xs:attribute>
      </xs:extension>
    </xs:simpleContent>
  </xs:complexType>
</xs:element>
Element vuln:Vulnerability / vuln:Notes
Namespace http://www.icasi.org/CVRF/schema/vuln/1.1
Annotations
 
The Notes container holds all individual notes concerning this vulnerability.
Diagram
Diagram vuln_xsd.tmp#Vulnerability_Vulnerability_Notes_Note
Children vuln:Note
Source
 
<xs:element name="Notes" minOccurs="0" maxOccurs="1">
  <xs:annotation>
    <xs:documentation xml:lang="en">The Notes container holds all individual notes concerning this vulnerability.</xs:documentation>
  </xs:annotation>
  <xs:complexType>
    <xs:sequence>
      <xs:element name="Note" minOccurs="0" maxOccurs="unbounded">
        <xs:annotation>
          <xs:documentation xml:lang="en">The Notes text contains all of the content necessary to provide different types of low-level discussions of a given vulnerability to various audiences.</xs:documentation>
        </xs:annotation>
        <xs:complexType>
          <xs:simpleContent>
            <xs:extension base="cvrf-common:localizedString">
              <xs:attribute name="Title" type="xs:string">
                <xs:annotation>
                  <xs:documentation xml:lang="en">Title should be a concise description of what is contained in Vulnerability Notes.</xs:documentation>
                </xs:annotation>
              </xs:attribute>
              <xs:attribute name="Audience" type="xs:string">
                <xs:annotation>
                  <xs:documentation xml:lang="en">Audience will indicate who is intended to read the note.</xs:documentation>
                </xs:annotation>
              </xs:attribute>
              <xs:attribute name="Type" type="cvrf-common:NoteTypeEnumType" use="required">
                <xs:annotation>
                  <xs:documentation xml:lang="en">Type of content within this note.</xs:documentation>
                </xs:annotation>
              </xs:attribute>
              <xs:attribute name="Ordinal" type="xs:positiveInteger" use="required">
                <xs:annotation>
                  <xs:documentation xml:lang="en">Ordinal is a locally significant integral counter indexed from 1 used to track notes.</xs:documentation>
                </xs:annotation>
              </xs:attribute>
            </xs:extension>
          </xs:simpleContent>
        </xs:complexType>
      </xs:element>
    </xs:sequence>
  </xs:complexType>
</xs:element>
Element vuln:Vulnerability / vuln:Notes / vuln:Note
Namespace http://www.icasi.org/CVRF/schema/vuln/1.1
Annotations
 
The Notes text contains all of the content necessary to provide different types of low-level discussions of a given vulnerability to various audiences.
Diagram
Diagram common_xsd.tmp#nonEmptyString xml_xsd.tmp#lang common_xsd.tmp#localizedString vuln_xsd.tmp#Vulnerability_Vulnerability_Notes_Vulnerability_Vulnerability_Notes_Note_Title vuln_xsd.tmp#Vulnerability_Vulnerability_Notes_Vulnerability_Vulnerability_Notes_Note_Audience vuln_xsd.tmp#Vulnerability_Vulnerability_Notes_Vulnerability_Vulnerability_Notes_Note_Type vuln_xsd.tmp#Vulnerability_Vulnerability_Notes_Vulnerability_Vulnerability_Notes_Note_Ordinal
Type extension of cvrf-common:localizedString
Type hierarchy
Attributes
QName Type Default Use Annotation
Audience xs:string optional 
Audience will indicate who is intended to read the note.
Ordinal xs:positiveInteger required 
Ordinal is a locally significant integral counter indexed from 1 used to track notes.
Title xs:string optional 
Title should be a concise description of what is contained in Vulnerability Notes.
Type cvrf-common:NoteTypeEnumType required 
Type of content within this note.
xml:lang union of(xs:language, restriction of xs:string) en optional 
<div>
  <h3>lang (as an attribute name)</h3>
  <p>denotes an attribute whose value is a language code for the natural language of the content of any element; its value is inherited. This name is reserved by virtue of its definition in the XML specification.</p>
</div>
<div>
  <h4>Notes</h4>
  <p>Attempting to install the relevant ISO 2- and 3-letter codes as the enumerated possible values is probably never going to be a realistic possibility.</p>
  <p>See BCP 47 at
    <a href="http://www.rfc-editor.org/rfc/bcp/bcp47.txt">http://www.rfc-editor.org/rfc/bcp/bcp47.txt</a>and the IANA language subtag registry at
    <a href="http://www.iana.org/assignments/language-subtag-registry">http://www.iana.org/assignments/language-subtag-registry</a>for further information.</p>
  <p>The union allows for the 'un-declaration' of xml:lang with the empty string.</p>
</div>
Source
 
<xs:element name="Note" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation xml:lang="en">The Notes text contains all of the content necessary to provide different types of low-level discussions of a given vulnerability to various audiences.</xs:documentation>
  </xs:annotation>
  <xs:complexType>
    <xs:simpleContent>
      <xs:extension base="cvrf-common:localizedString">
        <xs:attribute name="Title" type="xs:string">
          <xs:annotation>
            <xs:documentation xml:lang="en">Title should be a concise description of what is contained in Vulnerability Notes.</xs:documentation>
          </xs:annotation>
        </xs:attribute>
        <xs:attribute name="Audience" type="xs:string">
          <xs:annotation>
            <xs:documentation xml:lang="en">Audience will indicate who is intended to read the note.</xs:documentation>
          </xs:annotation>
        </xs:attribute>
        <xs:attribute name="Type" type="cvrf-common:NoteTypeEnumType" use="required">
          <xs:annotation>
            <xs:documentation xml:lang="en">Type of content within this note.</xs:documentation>
          </xs:annotation>
        </xs:attribute>
        <xs:attribute name="Ordinal" type="xs:positiveInteger" use="required">
          <xs:annotation>
            <xs:documentation xml:lang="en">Ordinal is a locally significant integral counter indexed from 1 used to track notes.</xs:documentation>
          </xs:annotation>
        </xs:attribute>
      </xs:extension>
    </xs:simpleContent>
  </xs:complexType>
</xs:element>
Element vuln:Vulnerability / vuln:DiscoveryDate
Namespace http://www.icasi.org/CVRF/schema/vuln/1.1
Annotations
 
Date vulnerability was initially discovered by its original discoverer.
Diagram
Diagram
Type xs:dateTime
Source
 
<xs:element name="DiscoveryDate" type="xs:dateTime" minOccurs="0" maxOccurs="1">
  <xs:annotation>
    <xs:documentation xml:lang="en">Date vulnerability was initially discovered by its original discoverer.</xs:documentation>
  </xs:annotation>
</xs:element>
Element vuln:Vulnerability / vuln:ReleaseDate
Namespace http://www.icasi.org/CVRF/schema/vuln/1.1
Annotations
 
Date vulnerability was initially released to the public.
Diagram
Diagram
Type xs:dateTime
Source
 
<xs:element name="ReleaseDate" type="xs:dateTime" minOccurs="0" maxOccurs="1">
  <xs:annotation>
    <xs:documentation xml:lang="en">Date vulnerability was initially released to the public.</xs:documentation>
  </xs:annotation>
</xs:element>
Element vuln:Vulnerability / vuln:Involvements
Namespace http://www.icasi.org/CVRF/schema/vuln/1.1
Annotations
 
The Involvements container lists any number of vendor or third party interactions related to this vulnerability.
Diagram
Diagram vuln_xsd.tmp#Vulnerability_Vulnerability_Involvements_Involvement
Children vuln:Involvement
Source
 
<xs:element name="Involvements" minOccurs="0" maxOccurs="1">
  <xs:annotation>
    <xs:documentation xml:lang="en">The Involvements container lists any number of vendor or third party interactions related to this vulnerability.</xs:documentation>
  </xs:annotation>
  <xs:complexType>
    <xs:sequence>
      <xs:element name="Involvement" minOccurs="1" maxOccurs="unbounded">
        <xs:annotation>
          <xs:documentation xml:lang="en">Involvement contains a specific set of interaction details.</xs:documentation>
        </xs:annotation>
        <xs:complexType>
          <xs:sequence>
            <xs:element name="Description" minOccurs="0" maxOccurs="1">
              <xs:annotation>
                <xs:documentation xml:lang="en">The description of the Involvement.</xs:documentation>
              </xs:annotation>
              <xs:complexType>
                <xs:simpleContent>
                  <xs:extension base="cvrf-common:localizedString"/>
                </xs:simpleContent>
              </xs:complexType>
            </xs:element>
          </xs:sequence>
          <xs:attribute name="Party" type="cvrf-common:PublisherEnumType" use="required">
            <xs:annotation>
              <xs:documentation xml:lang="en">Type of party with whom the involvement is taking place.</xs:documentation>
            </xs:annotation>
          </xs:attribute>
          <xs:attribute name="Status" type="vuln:InvolvementStatusEnumType" use="required">
            <xs:annotation>
              <xs:documentation xml:lang="en">Status of the involvement with the specified party.</xs:documentation>
            </xs:annotation>
          </xs:attribute>
        </xs:complexType>
      </xs:element>
    </xs:sequence>
  </xs:complexType>
</xs:element>
Element vuln:Vulnerability / vuln:Involvements / vuln:Involvement
Namespace http://www.icasi.org/CVRF/schema/vuln/1.1
Annotations
 
Involvement contains a specific set of interaction details.
Diagram
Diagram vuln_xsd.tmp#Vulnerability_Vulnerability_Involvements_Vulnerability_Vulnerability_Involvements_Involvement_Party vuln_xsd.tmp#Vulnerability_Vulnerability_Involvements_Vulnerability_Vulnerability_Involvements_Involvement_Status vuln_xsd.tmp#Vulnerability_Vulnerability_Involvements_Vulnerability_Vulnerability_Involvements_Involvement_Description
Children vuln:Description
Attributes
QName Type Use Annotation
Party cvrf-common:PublisherEnumType required 
Type of party with whom the involvement is taking place.
Status vuln:InvolvementStatusEnumType required 
Status of the involvement with the specified party.
Source
 
<xs:element name="Involvement" minOccurs="1" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation xml:lang="en">Involvement contains a specific set of interaction details.</xs:documentation>
  </xs:annotation>
  <xs:complexType>
    <xs:sequence>
      <xs:element name="Description" minOccurs="0" maxOccurs="1">
        <xs:annotation>
          <xs:documentation xml:lang="en">The description of the Involvement.</xs:documentation>
        </xs:annotation>
        <xs:complexType>
          <xs:simpleContent>
            <xs:extension base="cvrf-common:localizedString"/>
          </xs:simpleContent>
        </xs:complexType>
      </xs:element>
    </xs:sequence>
    <xs:attribute name="Party" type="cvrf-common:PublisherEnumType" use="required">
      <xs:annotation>
        <xs:documentation xml:lang="en">Type of party with whom the involvement is taking place.</xs:documentation>
      </xs:annotation>
    </xs:attribute>
    <xs:attribute name="Status" type="vuln:InvolvementStatusEnumType" use="required">
      <xs:annotation>
        <xs:documentation xml:lang="en">Status of the involvement with the specified party.</xs:documentation>
      </xs:annotation>
    </xs:attribute>
  </xs:complexType>
</xs:element>
Element vuln:Vulnerability / vuln:Involvements / vuln:Involvement / vuln:Description
Namespace http://www.icasi.org/CVRF/schema/vuln/1.1
Annotations
 
The description of the Involvement.
Diagram
Diagram common_xsd.tmp#nonEmptyString xml_xsd.tmp#lang common_xsd.tmp#localizedString
Type extension of cvrf-common:localizedString
Type hierarchy
Attributes
QName Type Default Use Annotation
xml:lang union of(xs:language, restriction of xs:string) en optional 
<div>
  <h3>lang (as an attribute name)</h3>
  <p>denotes an attribute whose value is a language code for the natural language of the content of any element; its value is inherited. This name is reserved by virtue of its definition in the XML specification.</p>
</div>
<div>
  <h4>Notes</h4>
  <p>Attempting to install the relevant ISO 2- and 3-letter codes as the enumerated possible values is probably never going to be a realistic possibility.</p>
  <p>See BCP 47 at
    <a href="http://www.rfc-editor.org/rfc/bcp/bcp47.txt">http://www.rfc-editor.org/rfc/bcp/bcp47.txt</a>and the IANA language subtag registry at
    <a href="http://www.iana.org/assignments/language-subtag-registry">http://www.iana.org/assignments/language-subtag-registry</a>for further information.</p>
  <p>The union allows for the 'un-declaration' of xml:lang with the empty string.</p>
</div>
Source
 
<xs:element name="Description" minOccurs="0" maxOccurs="1">
  <xs:annotation>
    <xs:documentation xml:lang="en">The description of the Involvement.</xs:documentation>
  </xs:annotation>
  <xs:complexType>
    <xs:simpleContent>
      <xs:extension base="cvrf-common:localizedString"/>
    </xs:simpleContent>
  </xs:complexType>
</xs:element>
Element vuln:Vulnerability / vuln:CVE
Namespace http://www.icasi.org/CVRF/schema/vuln/1.1
Annotations
 
The CVE string refers to the MITRE standard Common Vulnerabilities Enumeration (CVE) tracking number for the vulnerability.
Diagram
Diagram vuln_xsd.tmp#cvePattern
Type vuln:cvePattern
Facets
pattern CVE-[0-9\-]+
Source
 
<xs:element name="CVE" type="vuln:cvePattern" minOccurs="0" maxOccurs="1">
  <xs:annotation>
    <xs:documentation xml:lang="en">The CVE string refers to the MITRE standard Common Vulnerabilities Enumeration (CVE) tracking number for the vulnerability.</xs:documentation>
  </xs:annotation>
</xs:element>
Element vuln:Vulnerability / vuln:CWE
Namespace http://www.icasi.org/CVRF/schema/vuln/1.1
Annotations
 
Detailed description of the referrenced Common Weakness Enumeration (CWE) identifier.
Diagram
Diagram common_xsd.tmp#nonEmptyString xml_xsd.tmp#lang common_xsd.tmp#localizedString vuln_xsd.tmp#Vulnerability_Vulnerability_CWE_ID
Type extension of cvrf-common:localizedString
Type hierarchy
Attributes
QName Type Default Use Annotation
ID vuln:cwePattern required 
The MITRE-assigned CWE identifier.
xml:lang union of(xs:language, restriction of xs:string) en optional 
<div>
  <h3>lang (as an attribute name)</h3>
  <p>denotes an attribute whose value is a language code for the natural language of the content of any element; its value is inherited. This name is reserved by virtue of its definition in the XML specification.</p>
</div>
<div>
  <h4>Notes</h4>
  <p>Attempting to install the relevant ISO 2- and 3-letter codes as the enumerated possible values is probably never going to be a realistic possibility.</p>
  <p>See BCP 47 at
    <a href="http://www.rfc-editor.org/rfc/bcp/bcp47.txt">http://www.rfc-editor.org/rfc/bcp/bcp47.txt</a>and the IANA language subtag registry at
    <a href="http://www.iana.org/assignments/language-subtag-registry">http://www.iana.org/assignments/language-subtag-registry</a>for further information.</p>
  <p>The union allows for the 'un-declaration' of xml:lang with the empty string.</p>
</div>
Source
 
<xs:element name="CWE" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation xml:lang="en">Detailed description of the referrenced Common Weakness Enumeration (CWE) identifier.</xs:documentation>
  </xs:annotation>
  <xs:complexType>
    <xs:simpleContent>
      <xs:extension base="cvrf-common:localizedString">
        <xs:attribute name="ID" type="vuln:cwePattern" use="required">
          <xs:annotation>
            <xs:documentation xml:lang="en">The MITRE-assigned CWE identifier.</xs:documentation>
          </xs:annotation>
        </xs:attribute>
      </xs:extension>
    </xs:simpleContent>
  </xs:complexType>
</xs:element>
Element vuln:Vulnerability / vuln:ProductStatuses
Namespace http://www.icasi.org/CVRF/schema/vuln/1.1
Annotations
 
The ProductStatuses container holds the list of all the products affected by the vulnerability in question.
Diagram
Diagram vuln_xsd.tmp#Vulnerability_Vulnerability_ProductStatuses_Status
Children vuln:Status
Source
 
<xs:element name="ProductStatuses" minOccurs="0" maxOccurs="1">
  <xs:annotation>
    <xs:documentation xml:lang="en">The ProductStatuses container holds the list of all the products affected by the vulnerability in question.</xs:documentation>
  </xs:annotation>
  <xs:complexType>
    <xs:sequence>
      <xs:element name="Status" minOccurs="1" maxOccurs="unbounded">
        <xs:annotation>
          <xs:documentation xml:lang="en">The Status element holds an enumerated value based on available Product Name Entry items as constructed from the Product Tree container.</xs:documentation>
        </xs:annotation>
        <xs:complexType>
          <xs:sequence>
            <xs:element ref="vuln:ProductID" minOccurs="1" maxOccurs="unbounded"/>
          </xs:sequence>
          <xs:attribute name="Type" type="vuln:AffectedStatusEnumType" use="required">
            <xs:annotation>
              <xs:documentation xml:lang="en">Affected status for the product or products defined in this container.</xs:documentation>
            </xs:annotation>
          </xs:attribute>
        </xs:complexType>
      </xs:element>
    </xs:sequence>
  </xs:complexType>
</xs:element>
Element vuln:Vulnerability / vuln:ProductStatuses / vuln:Status
Namespace http://www.icasi.org/CVRF/schema/vuln/1.1
Annotations
 
The Status element holds an enumerated value based on available Product Name Entry items as constructed from the Product Tree container.
Diagram
Diagram vuln_xsd.tmp#Vulnerability_Vulnerability_ProductStatuses_Vulnerability_Vulnerability_ProductStatuses_Status_Type vuln_xsd.tmp#ProductID
Children vuln:ProductID
Attributes
QName Type Use Annotation
Type vuln:AffectedStatusEnumType required 
Affected status for the product or products defined in this container.
Source
 
<xs:element name="Status" minOccurs="1" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation xml:lang="en">The Status element holds an enumerated value based on available Product Name Entry items as constructed from the Product Tree container.</xs:documentation>
  </xs:annotation>
  <xs:complexType>
    <xs:sequence>
      <xs:element ref="vuln:ProductID" minOccurs="1" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="Type" type="vuln:AffectedStatusEnumType" use="required">
      <xs:annotation>
        <xs:documentation xml:lang="en">Affected status for the product or products defined in this container.</xs:documentation>
      </xs:annotation>
    </xs:attribute>
  </xs:complexType>
</xs:element>
Element vuln:ProductID
Namespace http://www.icasi.org/CVRF/schema/vuln/1.1
Annotations
 
Existing product ID from the product tree.
Diagram
Diagram
Type xs:token
Used by
Source
 
<xs:element name="ProductID" type="xs:token">
  <xs:annotation>
    <xs:documentation xml:lang="en">Existing product ID from the product tree.</xs:documentation>
  </xs:annotation>
</xs:element>
Element vuln:Vulnerability / vuln:Threats
Namespace http://www.icasi.org/CVRF/schema/vuln/1.1
Annotations
 
Contains all Threat containers
Diagram
Diagram vuln_xsd.tmp#Vulnerability_Vulnerability_Threats_Threat
Children vuln:Threat
Source
 
<xs:element name="Threats" minOccurs="0" maxOccurs="1">
  <xs:annotation>
    <xs:documentation xml:lang="en">Contains all Threat containers</xs:documentation>
  </xs:annotation>
  <xs:complexType>
    <xs:sequence>
      <xs:element name="Threat" minOccurs="1" maxOccurs="unbounded">
        <xs:annotation>
          <xs:documentation xml:lang="en">Threat contains the "kinetic" information associated with a vulnerability.</xs:documentation>
        </xs:annotation>
        <xs:complexType>
          <xs:sequence>
            <xs:element name="Description" minOccurs="1" maxOccurs="1">
              <xs:annotation>
                <xs:documentation xml:lang="en">The description of the Threat.</xs:documentation>
              </xs:annotation>
              <xs:complexType>
                <xs:simpleContent>
                  <xs:extension base="cvrf-common:localizedString"/>
                </xs:simpleContent>
              </xs:complexType>
            </xs:element>
            <xs:element ref="vuln:ProductID" minOccurs="0" maxOccurs="unbounded"/>
            <xs:element ref="vuln:GroupID" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
          <xs:attribute name="Type" type="vuln:ThreatTypeEnumType" use="required">
            <xs:annotation>
              <xs:documentation xml:lang="en">The type of the Threat.</xs:documentation>
            </xs:annotation>
          </xs:attribute>
          <xs:attribute name="Date" type="xs:dateTime">
            <xs:annotation>
              <xs:documentation xml:lang="en">The date this Threat item was last updated; if omitted it is deemed to be unknown, irrelevant, or unimportant.</xs:documentation>
            </xs:annotation>
          </xs:attribute>
        </xs:complexType>
      </xs:element>
    </xs:sequence>
  </xs:complexType>
</xs:element>
Element vuln:Vulnerability / vuln:Threats / vuln:Threat
Namespace http://www.icasi.org/CVRF/schema/vuln/1.1
Annotations
 
Threat contains the "kinetic" information associated with a vulnerability.
Diagram
Diagram vuln_xsd.tmp#Vulnerability_Vulnerability_Threats_Vulnerability_Vulnerability_Threats_Threat_Type vuln_xsd.tmp#Vulnerability_Vulnerability_Threats_Vulnerability_Vulnerability_Threats_Threat_Date vuln_xsd.tmp#Vulnerability_Vulnerability_Threats_Vulnerability_Vulnerability_Threats_Threat_Description vuln_xsd.tmp#ProductID vuln_xsd.tmp#GroupID
Children vuln:Description, vuln:GroupID, vuln:ProductID
Attributes
QName Type Use Annotation
Date xs:dateTime optional 
The date this Threat item was last updated; if omitted it is deemed to be unknown, irrelevant, or unimportant.
Type vuln:ThreatTypeEnumType required 
The type of the Threat.
Source
 
<xs:element name="Threat" minOccurs="1" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation xml:lang="en">Threat contains the "kinetic" information associated with a vulnerability.</xs:documentation>
  </xs:annotation>
  <xs:complexType>
    <xs:sequence>
      <xs:element name="Description" minOccurs="1" maxOccurs="1">
        <xs:annotation>
          <xs:documentation xml:lang="en">The description of the Threat.</xs:documentation>
        </xs:annotation>
        <xs:complexType>
          <xs:simpleContent>
            <xs:extension base="cvrf-common:localizedString"/>
          </xs:simpleContent>
        </xs:complexType>
      </xs:element>
      <xs:element ref="vuln:ProductID" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element ref="vuln:GroupID" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="Type" type="vuln:ThreatTypeEnumType" use="required">
      <xs:annotation>
        <xs:documentation xml:lang="en">The type of the Threat.</xs:documentation>
      </xs:annotation>
    </xs:attribute>
    <xs:attribute name="Date" type="xs:dateTime">
      <xs:annotation>
        <xs:documentation xml:lang="en">The date this Threat item was last updated; if omitted it is deemed to be unknown, irrelevant, or unimportant.</xs:documentation>
      </xs:annotation>
    </xs:attribute>
  </xs:complexType>
</xs:element>
Element vuln:Vulnerability / vuln:Threats / vuln:Threat / vuln:Description
Namespace http://www.icasi.org/CVRF/schema/vuln/1.1
Annotations
 
The description of the Threat.
Diagram
Diagram common_xsd.tmp#nonEmptyString xml_xsd.tmp#lang common_xsd.tmp#localizedString
Type extension of cvrf-common:localizedString
Type hierarchy
Attributes
QName Type Default Use Annotation
xml:lang union of(xs:language, restriction of xs:string) en optional 
<div>
  <h3>lang (as an attribute name)</h3>
  <p>denotes an attribute whose value is a language code for the natural language of the content of any element; its value is inherited. This name is reserved by virtue of its definition in the XML specification.</p>
</div>
<div>
  <h4>Notes</h4>
  <p>Attempting to install the relevant ISO 2- and 3-letter codes as the enumerated possible values is probably never going to be a realistic possibility.</p>
  <p>See BCP 47 at
    <a href="http://www.rfc-editor.org/rfc/bcp/bcp47.txt">http://www.rfc-editor.org/rfc/bcp/bcp47.txt</a>and the IANA language subtag registry at
    <a href="http://www.iana.org/assignments/language-subtag-registry">http://www.iana.org/assignments/language-subtag-registry</a>for further information.</p>
  <p>The union allows for the 'un-declaration' of xml:lang with the empty string.</p>
</div>
Source
 
<xs:element name="Description" minOccurs="1" maxOccurs="1">
  <xs:annotation>
    <xs:documentation xml:lang="en">The description of the Threat.</xs:documentation>
  </xs:annotation>
  <xs:complexType>
    <xs:simpleContent>
      <xs:extension base="cvrf-common:localizedString"/>
    </xs:simpleContent>
  </xs:complexType>
</xs:element>
Element vuln:GroupID
Namespace http://www.icasi.org/CVRF/schema/vuln/1.1
Annotations
 
Existing product group ID from the product tree.
Diagram
Diagram
Type xs:token
Used by
Source
 
<xs:element name="GroupID" type="xs:token">
  <xs:annotation>
    <xs:documentation xml:lang="en">Existing product group ID from the product tree.</xs:documentation>
  </xs:annotation>
</xs:element>
Element vuln:Vulnerability / vuln:CVSSScoreSets
Namespace http://www.icasi.org/CVRF/schema/vuln/1.1
Annotations
 
The CVSS Score Set meta-container holds one or more CVSS score sets to describe vulnerable products.
Diagram
Diagram vuln_xsd.tmp#Vulnerability_Vulnerability_CVSSScoreSets_ScoreSet
Children vuln:ScoreSet
Source
 
<xs:element name="CVSSScoreSets" minOccurs="0" maxOccurs="1">
  <xs:annotation>
    <xs:documentation xml:lang="en">The CVSS Score Set meta-container holds one or more CVSS score sets to describe vulnerable products.</xs:documentation>
  </xs:annotation>
  <xs:complexType>
    <xs:sequence>
      <xs:element name="ScoreSet" minOccurs="1" maxOccurs="unbounded">
        <xs:annotation>
          <xs:documentation xml:lang="en">CVSS scores for a given product ID.  If the ProductID attribute is omitted, the score applies to all vulnerable products.</xs:documentation>
        </xs:annotation>
        <xs:complexType>
          <xs:sequence>
            <xs:element name="BaseScore" type="cvssv2:zeroToTenDecimalType" minOccurs="1" maxOccurs="1">
              <xs:annotation>
                <xs:documentation xml:lang="en">The CVSS Base Score is the numeric value of the computed CVSS Base Score which should be a float from 0 – 10.0.</xs:documentation>
              </xs:annotation>
            </xs:element>
            <xs:element name="TemporalScore" type="cvssv2:zeroToTenDecimalType" minOccurs="0" maxOccurs="1">
              <xs:annotation>
                <xs:documentation xml:lang="en">The CVSS Base Score is the numeric value of the computed CVSS Temporal Score which should be a float from 0 – 10.0.</xs:documentation>
              </xs:annotation>
            </xs:element>
            <xs:element name="EnvironmentalScore" type="cvssv2:zeroToTenDecimalType" minOccurs="0" maxOccurs="1">
              <xs:annotation>
                <xs:documentation xml:lang="en">The CVSS Base Score is the numeric value of the computed CVSS Environmental Score which should be a float from 0 – 10.0.</xs:documentation>
              </xs:annotation>
            </xs:element>
            <xs:element name="Vector" type="vuln:cvssVector" minOccurs="0" maxOccurs="1">
              <xs:annotation>
                <xs:documentation xml:lang="en">The CVSS Vector string is the official notation that contains all of the values used to compute the Base, Temporal, and Environmental scores.</xs:documentation>
              </xs:annotation>
            </xs:element>
            <xs:element ref="vuln:ProductID" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:complexType>
      </xs:element>
    </xs:sequence>
  </xs:complexType>
</xs:element>
Element vuln:Vulnerability / vuln:CVSSScoreSets / vuln:ScoreSet
Namespace http://www.icasi.org/CVRF/schema/vuln/1.1
Annotations
 
CVSS scores for a given product ID.  If the ProductID attribute is omitted, the score applies to all vulnerable products.
Diagram
Diagram vuln_xsd.tmp#Vulnerability_Vulnerability_CVSSScoreSets_Vulnerability_Vulnerability_CVSSScoreSets_ScoreSet_BaseScore vuln_xsd.tmp#Vulnerability_Vulnerability_CVSSScoreSets_Vulnerability_Vulnerability_CVSSScoreSets_ScoreSet_TemporalScore vuln_xsd.tmp#Vulnerability_Vulnerability_CVSSScoreSets_Vulnerability_Vulnerability_CVSSScoreSets_ScoreSet_EnvironmentalScore vuln_xsd.tmp#Vulnerability_Vulnerability_CVSSScoreSets_Vulnerability_Vulnerability_CVSSScoreSets_ScoreSet_Vector vuln_xsd.tmp#ProductID
Children vuln:BaseScore, vuln:EnvironmentalScore, vuln:ProductID, vuln:TemporalScore, vuln:Vector
Source
 
<xs:element name="ScoreSet" minOccurs="1" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation xml:lang="en">CVSS scores for a given product ID.  If the ProductID attribute is omitted, the score applies to all vulnerable products.</xs:documentation>
  </xs:annotation>
  <xs:complexType>
    <xs:sequence>
      <xs:element name="BaseScore" type="cvssv2:zeroToTenDecimalType" minOccurs="1" maxOccurs="1">
        <xs:annotation>
          <xs:documentation xml:lang="en">The CVSS Base Score is the numeric value of the computed CVSS Base Score which should be a float from 0 – 10.0.</xs:documentation>
        </xs:annotation>
      </xs:element>
      <xs:element name="TemporalScore" type="cvssv2:zeroToTenDecimalType" minOccurs="0" maxOccurs="1">
        <xs:annotation>
          <xs:documentation xml:lang="en">The CVSS Base Score is the numeric value of the computed CVSS Temporal Score which should be a float from 0 – 10.0.</xs:documentation>
        </xs:annotation>
      </xs:element>
      <xs:element name="EnvironmentalScore" type="cvssv2:zeroToTenDecimalType" minOccurs="0" maxOccurs="1">
        <xs:annotation>
          <xs:documentation xml:lang="en">The CVSS Base Score is the numeric value of the computed CVSS Environmental Score which should be a float from 0 – 10.0.</xs:documentation>
        </xs:annotation>
      </xs:element>
      <xs:element name="Vector" type="vuln:cvssVector" minOccurs="0" maxOccurs="1">
        <xs:annotation>
          <xs:documentation xml:lang="en">The CVSS Vector string is the official notation that contains all of the values used to compute the Base, Temporal, and Environmental scores.</xs:documentation>
        </xs:annotation>
      </xs:element>
      <xs:element ref="vuln:ProductID" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>
</xs:element>
Element vuln:Vulnerability / vuln:CVSSScoreSets / vuln:ScoreSet / vuln:BaseScore
Namespace http://www.icasi.org/CVRF/schema/vuln/1.1
Annotations
 
The CVSS Base Score is the numeric value of the computed CVSS Base Score which should be a float from 0 – 10.0.
Diagram
Diagram cvss-v2_0_9_xsd.tmp#zeroToTenDecimalType
Type zeroToTenDecimalType
Facets
fractionDigits 1
maxInclusive 10
minInclusive 0
Source
 
<xs:element name="BaseScore" type="cvssv2:zeroToTenDecimalType" minOccurs="1" maxOccurs="1">
  <xs:annotation>
    <xs:documentation xml:lang="en">The CVSS Base Score is the numeric value of the computed CVSS Base Score which should be a float from 0 – 10.0.</xs:documentation>
  </xs:annotation>
</xs:element>
Element vuln:Vulnerability / vuln:CVSSScoreSets / vuln:ScoreSet / vuln:TemporalScore
Namespace http://www.icasi.org/CVRF/schema/vuln/1.1
Annotations
 
The CVSS Base Score is the numeric value of the computed CVSS Temporal Score which should be a float from 0 – 10.0.
Diagram
Diagram cvss-v2_0_9_xsd.tmp#zeroToTenDecimalType
Type zeroToTenDecimalType
Facets
fractionDigits 1
maxInclusive 10
minInclusive 0
Source
 
<xs:element name="TemporalScore" type="cvssv2:zeroToTenDecimalType" minOccurs="0" maxOccurs="1">
  <xs:annotation>
    <xs:documentation xml:lang="en">The CVSS Base Score is the numeric value of the computed CVSS Temporal Score which should be a float from 0 – 10.0.</xs:documentation>
  </xs:annotation>
</xs:element>
Element vuln:Vulnerability / vuln:CVSSScoreSets / vuln:ScoreSet / vuln:EnvironmentalScore
Namespace http://www.icasi.org/CVRF/schema/vuln/1.1
Annotations
 
The CVSS Base Score is the numeric value of the computed CVSS Environmental Score which should be a float from 0 – 10.0.
Diagram
Diagram cvss-v2_0_9_xsd.tmp#zeroToTenDecimalType
Type zeroToTenDecimalType
Facets
fractionDigits 1
maxInclusive 10
minInclusive 0
Source
 
<xs:element name="EnvironmentalScore" type="cvssv2:zeroToTenDecimalType" minOccurs="0" maxOccurs="1">
  <xs:annotation>
    <xs:documentation xml:lang="en">The CVSS Base Score is the numeric value of the computed CVSS Environmental Score which should be a float from 0 – 10.0.</xs:documentation>
  </xs:annotation>
</xs:element>
Element vuln:Vulnerability / vuln:CVSSScoreSets / vuln:ScoreSet / vuln:Vector
Namespace http://www.icasi.org/CVRF/schema/vuln/1.1
Annotations
 
The CVSS Vector string is the official notation that contains all of the values used to compute the Base, Temporal, and Environmental scores.
Diagram
Diagram vuln_xsd.tmp#cvssVector
Type vuln:cvssVector
Facets
maxLength 76
Source
 
<xs:element name="Vector" type="vuln:cvssVector" minOccurs="0" maxOccurs="1">
  <xs:annotation>
    <xs:documentation xml:lang="en">The CVSS Vector string is the official notation that contains all of the values used to compute the Base, Temporal, and Environmental scores.</xs:documentation>
  </xs:annotation>
</xs:element>
Element vuln:Vulnerability / vuln:Remediations
Namespace http://www.icasi.org/CVRF/schema/vuln/1.1
Annotations
 
The Remediation meta-container tag holds all related Workaround, Mitigation, Vendor Fix, and Entitlement entries that are associated with the specific vulnerability.
Diagram
Diagram vuln_xsd.tmp#Vulnerability_Vulnerability_Remediations_Remediation
Children vuln:Remediation
Source
 
<xs:element name="Remediations" minOccurs="0" maxOccurs="1">
  <xs:annotation>
    <xs:documentation xml:lang="en">The Remediation meta-container tag holds all related Workaround, Mitigation, Vendor Fix, and Entitlement entries that are associated with the specific vulnerability.</xs:documentation>
  </xs:annotation>
  <xs:complexType>
    <xs:sequence>
      <xs:element name="Remediation" minOccurs="1" maxOccurs="unbounded">
        <xs:annotation>
          <xs:documentation xml:lang="en">Holds all of the specific details on how to handle (and presumably, fix) the vulnerability, tied to Product ID.</xs:documentation>
        </xs:annotation>
        <xs:complexType>
          <xs:sequence>
            <xs:element name="Description" minOccurs="1" maxOccurs="1">
              <xs:annotation>
                <xs:documentation xml:lang="en">Textual description of this remedy.</xs:documentation>
              </xs:annotation>
              <xs:complexType>
                <xs:simpleContent>
                  <xs:extension base="cvrf-common:localizedString"/>
                </xs:simpleContent>
              </xs:complexType>
            </xs:element>
            <xs:element name="Entitlement" minOccurs="0" maxOccurs="unbounded">
              <xs:annotation>
                <xs:documentation xml:lang="en">The Entitlement string will contain any possible vendor-defined constraints for obtaining fixed software or hardware that fully resolves the vulnerability.</xs:documentation>
              </xs:annotation>
              <xs:complexType>
                <xs:simpleContent>
                  <xs:extension base="cvrf-common:localizedString"/>
                </xs:simpleContent>
              </xs:complexType>
            </xs:element>
            <xs:element name="URL" type="xs:anyURI" minOccurs="0" maxOccurs="1">
              <xs:annotation>
                <xs:documentation xml:lang="en">URL from which the remedy can be obtained.</xs:documentation>
              </xs:annotation>
            </xs:element>
            <xs:element ref="vuln:ProductID" minOccurs="0" maxOccurs="unbounded"/>
            <xs:element ref="vuln:GroupID" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
          <xs:attribute name="Type" type="vuln:RemedyTypeEnumType" use="required">
            <xs:annotation>
              <xs:documentation xml:lang="en">Specific type of remedy.</xs:documentation>
            </xs:annotation>
          </xs:attribute>
          <xs:attribute name="Date" type="xs:dateTime">
            <xs:annotation>
              <xs:documentation xml:lang="en">The date Remedy was last updated, if omitted it is deemed to be unknown, unimportant, or irrelevant.</xs:documentation>
            </xs:annotation>
          </xs:attribute>
        </xs:complexType>
      </xs:element>
    </xs:sequence>
  </xs:complexType>
</xs:element>
Element vuln:Vulnerability / vuln:Remediations / vuln:Remediation
Namespace http://www.icasi.org/CVRF/schema/vuln/1.1
Annotations
 
Holds all of the specific details on how to handle (and presumably, fix) the vulnerability, tied to Product ID.
Diagram
Diagram vuln_xsd.tmp#Vulnerability_Vulnerability_Remediations_Vulnerability_Vulnerability_Remediations_Remediation_Type vuln_xsd.tmp#Vulnerability_Vulnerability_Remediations_Vulnerability_Vulnerability_Remediations_Remediation_Date vuln_xsd.tmp#Vulnerability_Vulnerability_Remediations_Vulnerability_Vulnerability_Remediations_Remediation_Description vuln_xsd.tmp#Vulnerability_Vulnerability_Remediations_Vulnerability_Vulnerability_Remediations_Remediation_Entitlement vuln_xsd.tmp#Vulnerability_Vulnerability_Remediations_Vulnerability_Vulnerability_Remediations_Remediation_URL vuln_xsd.tmp#ProductID vuln_xsd.tmp#GroupID
Children vuln:Description, vuln:Entitlement, vuln:GroupID, vuln:ProductID, vuln:URL
Attributes
QName Type Use Annotation
Date xs:dateTime optional 
The date Remedy was last updated, if omitted it is deemed to be unknown, unimportant, or irrelevant.
Type vuln:RemedyTypeEnumType required 
Specific type of remedy.
Source
 
<xs:element name="Remediation" minOccurs="1" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation xml:lang="en">Holds all of the specific details on how to handle (and presumably, fix) the vulnerability, tied to Product ID.</xs:documentation>
  </xs:annotation>
  <xs:complexType>
    <xs:sequence>
      <xs:element name="Description" minOccurs="1" maxOccurs="1">
        <xs:annotation>
          <xs:documentation xml:lang="en">Textual description of this remedy.</xs:documentation>
        </xs:annotation>
        <xs:complexType>
          <xs:simpleContent>
            <xs:extension base="cvrf-common:localizedString"/>
          </xs:simpleContent>
        </xs:complexType>
      </xs:element>
      <xs:element name="Entitlement" minOccurs="0" maxOccurs="unbounded">
        <xs:annotation>
          <xs:documentation xml:lang="en">The Entitlement string will contain any possible vendor-defined constraints for obtaining fixed software or hardware that fully resolves the vulnerability.</xs:documentation>
        </xs:annotation>
        <xs:complexType>
          <xs:simpleContent>
            <xs:extension base="cvrf-common:localizedString"/>
          </xs:simpleContent>
        </xs:complexType>
      </xs:element>
      <xs:element name="URL" type="xs:anyURI" minOccurs="0" maxOccurs="1">
        <xs:annotation>
          <xs:documentation xml:lang="en">URL from which the remedy can be obtained.</xs:documentation>
        </xs:annotation>
      </xs:element>
      <xs:element ref="vuln:ProductID" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element ref="vuln:GroupID" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="Type" type="vuln:RemedyTypeEnumType" use="required">
      <xs:annotation>
        <xs:documentation xml:lang="en">Specific type of remedy.</xs:documentation>
      </xs:annotation>
    </xs:attribute>
    <xs:attribute name="Date" type="xs:dateTime">
      <xs:annotation>
        <xs:documentation xml:lang="en">The date Remedy was last updated, if omitted it is deemed to be unknown, unimportant, or irrelevant.</xs:documentation>
      </xs:annotation>
    </xs:attribute>
  </xs:complexType>
</xs:element>
Element vuln:Vulnerability / vuln:Remediations / vuln:Remediation / vuln:Description
Namespace http://www.icasi.org/CVRF/schema/vuln/1.1
Annotations
 
Textual description of this remedy.
Diagram
Diagram common_xsd.tmp#nonEmptyString xml_xsd.tmp#lang common_xsd.tmp#localizedString
Type extension of cvrf-common:localizedString
Type hierarchy
Attributes
QName Type Default Use Annotation
xml:lang union of(xs:language, restriction of xs:string) en optional 
<div>
  <h3>lang (as an attribute name)</h3>
  <p>denotes an attribute whose value is a language code for the natural language of the content of any element; its value is inherited. This name is reserved by virtue of its definition in the XML specification.</p>
</div>
<div>
  <h4>Notes</h4>
  <p>Attempting to install the relevant ISO 2- and 3-letter codes as the enumerated possible values is probably never going to be a realistic possibility.</p>
  <p>See BCP 47 at
    <a href="http://www.rfc-editor.org/rfc/bcp/bcp47.txt">http://www.rfc-editor.org/rfc/bcp/bcp47.txt</a>and the IANA language subtag registry at
    <a href="http://www.iana.org/assignments/language-subtag-registry">http://www.iana.org/assignments/language-subtag-registry</a>for further information.</p>
  <p>The union allows for the 'un-declaration' of xml:lang with the empty string.</p>
</div>
Source
 
<xs:element name="Description" minOccurs="1" maxOccurs="1">
  <xs:annotation>
    <xs:documentation xml:lang="en">Textual description of this remedy.</xs:documentation>
  </xs:annotation>
  <xs:complexType>
    <xs:simpleContent>
      <xs:extension base="cvrf-common:localizedString"/>
    </xs:simpleContent>
  </xs:complexType>
</xs:element>
Element vuln:Vulnerability / vuln:Remediations / vuln:Remediation / vuln:Entitlement
Namespace http://www.icasi.org/CVRF/schema/vuln/1.1
Annotations
 
The Entitlement string will contain any possible vendor-defined constraints for obtaining fixed software or hardware that fully resolves the vulnerability.
Diagram
Diagram common_xsd.tmp#nonEmptyString xml_xsd.tmp#lang common_xsd.tmp#localizedString
Type extension of cvrf-common:localizedString
Type hierarchy
Attributes
QName Type Default Use Annotation
xml:lang union of(xs:language, restriction of xs:string) en optional 
<div>
  <h3>lang (as an attribute name)</h3>
  <p>denotes an attribute whose value is a language code for the natural language of the content of any element; its value is inherited. This name is reserved by virtue of its definition in the XML specification.</p>
</div>
<div>
  <h4>Notes</h4>
  <p>Attempting to install the relevant ISO 2- and 3-letter codes as the enumerated possible values is probably never going to be a realistic possibility.</p>
  <p>See BCP 47 at
    <a href="http://www.rfc-editor.org/rfc/bcp/bcp47.txt">http://www.rfc-editor.org/rfc/bcp/bcp47.txt</a>and the IANA language subtag registry at
    <a href="http://www.iana.org/assignments/language-subtag-registry">http://www.iana.org/assignments/language-subtag-registry</a>for further information.</p>
  <p>The union allows for the 'un-declaration' of xml:lang with the empty string.</p>
</div>
Source
 
<xs:element name="Entitlement" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation xml:lang="en">The Entitlement string will contain any possible vendor-defined constraints for obtaining fixed software or hardware that fully resolves the vulnerability.</xs:documentation>
  </xs:annotation>
  <xs:complexType>
    <xs:simpleContent>
      <xs:extension base="cvrf-common:localizedString"/>
    </xs:simpleContent>
  </xs:complexType>
</xs:element>
Element vuln:Vulnerability / vuln:Remediations / vuln:Remediation / vuln:URL
Namespace http://www.icasi.org/CVRF/schema/vuln/1.1
Annotations
 
URL from which the remedy can be obtained.
Diagram
Diagram
Type xs:anyURI
Source
 
<xs:element name="URL" type="xs:anyURI" minOccurs="0" maxOccurs="1">
  <xs:annotation>
    <xs:documentation xml:lang="en">URL from which the remedy can be obtained.</xs:documentation>
  </xs:annotation>
</xs:element>
Element vuln:Vulnerability / vuln:References
Namespace http://www.icasi.org/CVRF/schema/vuln/1.1
Annotations
 
This meta-container should include references to any conferences, papers, advisories, and other resources that are related to this vulnerability.
Diagram
Diagram vuln_xsd.tmp#Vulnerability_Vulnerability_References_Reference
Children vuln:Reference
Source
 
<xs:element name="References" minOccurs="0" maxOccurs="1">
  <xs:annotation>
    <xs:documentation xml:lang="en">This meta-container should include references to any conferences, papers, advisories, and other resources that are related to this vulnerability.</xs:documentation>
  </xs:annotation>
  <xs:complexType>
    <xs:sequence>
      <xs:element name="Reference" minOccurs="1" maxOccurs="unbounded">
        <xs:annotation>
          <xs:documentation xml:lang="en">This meta-container contains an orthogonally related document, background info, whitepaper, etc. to the specific vulnerability.</xs:documentation>
        </xs:annotation>
        <xs:complexType>
          <xs:sequence>
            <xs:element name="URL" type="xs:anyURI" minOccurs="1" maxOccurs="1">
              <xs:annotation>
                <xs:documentation xml:lang="en">The URL of the related document.</xs:documentation>
              </xs:annotation>
            </xs:element>
            <xs:element name="Description" minOccurs="1" maxOccurs="1">
              <xs:annotation>
                <xs:documentation xml:lang="en">The description of the related document.</xs:documentation>
              </xs:annotation>
              <xs:complexType>
                <xs:simpleContent>
                  <xs:extension base="cvrf-common:localizedString"/>
                </xs:simpleContent>
              </xs:complexType>
            </xs:element>
          </xs:sequence>
          <xs:attribute name="Type" type="cvrf-common:ReferenceTypeEnum" default="External">
            <xs:annotation>
              <xs:documentation xml:lang="en">Enumerated type value of reference relative to this document.</xs:documentation>
            </xs:annotation>
          </xs:attribute>
        </xs:complexType>
      </xs:element>
    </xs:sequence>
  </xs:complexType>
</xs:element>
Element vuln:Vulnerability / vuln:References / vuln:Reference
Namespace http://www.icasi.org/CVRF/schema/vuln/1.1
Annotations
 
This meta-container contains an orthogonally related document, background info, whitepaper, etc. to the specific vulnerability.
Diagram
Diagram vuln_xsd.tmp#Vulnerability_Vulnerability_References_Vulnerability_Vulnerability_References_Reference_Type vuln_xsd.tmp#Vulnerability_Vulnerability_References_Vulnerability_Vulnerability_References_Reference_URL vuln_xsd.tmp#Vulnerability_Vulnerability_References_Vulnerability_Vulnerability_References_Reference_Description
Children vuln:Description, vuln:URL
Attributes
QName Type Default Use Annotation
Type cvrf-common:ReferenceTypeEnum External optional 
Enumerated type value of reference relative to this document.
Source
 
<xs:element name="Reference" minOccurs="1" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation xml:lang="en">This meta-container contains an orthogonally related document, background info, whitepaper, etc. to the specific vulnerability.</xs:documentation>
  </xs:annotation>
  <xs:complexType>
    <xs:sequence>
      <xs:element name="URL" type="xs:anyURI" minOccurs="1" maxOccurs="1">
        <xs:annotation>
          <xs:documentation xml:lang="en">The URL of the related document.</xs:documentation>
        </xs:annotation>
      </xs:element>
      <xs:element name="Description" minOccurs="1" maxOccurs="1">
        <xs:annotation>
          <xs:documentation xml:lang="en">The description of the related document.</xs:documentation>
        </xs:annotation>
        <xs:complexType>
          <xs:simpleContent>
            <xs:extension base="cvrf-common:localizedString"/>
          </xs:simpleContent>
        </xs:complexType>
      </xs:element>
    </xs:sequence>
    <xs:attribute name="Type" type="cvrf-common:ReferenceTypeEnum" default="External">
      <xs:annotation>
        <xs:documentation xml:lang="en">Enumerated type value of reference relative to this document.</xs:documentation>
      </xs:annotation>
    </xs:attribute>
  </xs:complexType>
</xs:element>
Element vuln:Vulnerability / vuln:References / vuln:Reference / vuln:URL
Namespace http://www.icasi.org/CVRF/schema/vuln/1.1
Annotations
 
The URL of the related document.
Diagram
Diagram
Type xs:anyURI
Source
 
<xs:element name="URL" type="xs:anyURI" minOccurs="1" maxOccurs="1">
  <xs:annotation>
    <xs:documentation xml:lang="en">The URL of the related document.</xs:documentation>
  </xs:annotation>
</xs:element>
Element vuln:Vulnerability / vuln:References / vuln:Reference / vuln:Description
Namespace http://www.icasi.org/CVRF/schema/vuln/1.1
Annotations
 
The description of the related document.
Diagram
Diagram common_xsd.tmp#nonEmptyString xml_xsd.tmp#lang common_xsd.tmp#localizedString
Type extension of cvrf-common:localizedString
Type hierarchy
Attributes
QName Type Default Use Annotation
xml:lang union of(xs:language, restriction of xs:string) en optional 
<div>
  <h3>lang (as an attribute name)</h3>
  <p>denotes an attribute whose value is a language code for the natural language of the content of any element; its value is inherited. This name is reserved by virtue of its definition in the XML specification.</p>
</div>
<div>
  <h4>Notes</h4>
  <p>Attempting to install the relevant ISO 2- and 3-letter codes as the enumerated possible values is probably never going to be a realistic possibility.</p>
  <p>See BCP 47 at
    <a href="http://www.rfc-editor.org/rfc/bcp/bcp47.txt">http://www.rfc-editor.org/rfc/bcp/bcp47.txt</a>and the IANA language subtag registry at
    <a href="http://www.iana.org/assignments/language-subtag-registry">http://www.iana.org/assignments/language-subtag-registry</a>for further information.</p>
  <p>The union allows for the 'un-declaration' of xml:lang with the empty string.</p>
</div>
Source
 
<xs:element name="Description" minOccurs="1" maxOccurs="1">
  <xs:annotation>
    <xs:documentation xml:lang="en">The description of the related document.</xs:documentation>
  </xs:annotation>
  <xs:complexType>
    <xs:simpleContent>
      <xs:extension base="cvrf-common:localizedString"/>
    </xs:simpleContent>
  </xs:complexType>
</xs:element>
Element vuln:Vulnerability / vuln:Acknowledgments
Namespace http://www.icasi.org/CVRF/schema/vuln/1.1
Annotations
 
The Acknowledgments container holds one or more Acknowledgement containers for vulnerability-level acknowledgements.
Diagram
Diagram vuln_xsd.tmp#Vulnerability_Vulnerability_Acknowledgments_Acknowledgment
Children vuln:Acknowledgment
Source
 
<xs:element name="Acknowledgments" minOccurs="0" maxOccurs="1">
  <xs:annotation>
    <xs:documentation xml:lang="en">The Acknowledgments container holds one or more Acknowledgement containers for vulnerability-level acknowledgements.</xs:documentation>
  </xs:annotation>
  <xs:complexType>
    <xs:sequence>
      <xs:element name="Acknowledgment" minOccurs="1" maxOccurs="unbounded">
        <xs:annotation>
          <xs:documentation xml:lang="en">The Acknowledgment container holds recognition for external parties who were instrumental in the discovery of, reporting of, and response to the vulnerability.</xs:documentation>
        </xs:annotation>
        <xs:complexType>
          <xs:sequence>
            <xs:element name="Name" minOccurs="0" maxOccurs="unbounded">
              <xs:annotation>
                <xs:documentation xml:lang="en">The name (i.e., individual name) of the party being acknowledged.</xs:documentation>
              </xs:annotation>
              <xs:complexType>
                <xs:simpleContent>
                  <xs:extension base="cvrf-common:localizedString"/>
                </xs:simpleContent>
              </xs:complexType>
            </xs:element>
            <xs:element name="Organization" minOccurs="0" maxOccurs="unbounded">
              <xs:annotation>
                <xs:documentation xml:lang="en">The organization of the party being acknowledged or the organization itself being acknowledged.</xs:documentation>
              </xs:annotation>
              <xs:complexType>
                <xs:simpleContent>
                  <xs:extension base="cvrf-common:localizedString"/>
                </xs:simpleContent>
              </xs:complexType>
            </xs:element>
            <xs:element name="Description" minOccurs="0" maxOccurs="1">
              <xs:annotation>
                <xs:documentation xml:lang="en">The details of the acknowledgment that address the recognition of external parties who were instrumental in the discovery, reporting and response of this document.</xs:documentation>
              </xs:annotation>
              <xs:complexType>
                <xs:simpleContent>
                  <xs:extension base="cvrf-common:localizedString"/>
                </xs:simpleContent>
              </xs:complexType>
            </xs:element>
            <xs:element name="URL" type="xs:anyURI" minOccurs="0" maxOccurs="unbounded">
              <xs:annotation>
                <xs:documentation xml:lang="en">The optional URL to the person, place, or thing being acknowledged.</xs:documentation>
              </xs:annotation>
            </xs:element>
          </xs:sequence>
        </xs:complexType>
      </xs:element>
    </xs:sequence>
  </xs:complexType>
</xs:element>
Element vuln:Vulnerability / vuln:Acknowledgments / vuln:Acknowledgment
Namespace http://www.icasi.org/CVRF/schema/vuln/1.1
Annotations
 
The Acknowledgment container holds recognition for external parties who were instrumental in the discovery of, reporting of, and response to the vulnerability.
Diagram
Diagram vuln_xsd.tmp#Vulnerability_Vulnerability_Acknowledgments_Vulnerability_Vulnerability_Acknowledgments_Acknowledgment_Name vuln_xsd.tmp#Vulnerability_Vulnerability_Acknowledgments_Vulnerability_Vulnerability_Acknowledgments_Acknowledgment_Organization vuln_xsd.tmp#Vulnerability_Vulnerability_Acknowledgments_Vulnerability_Vulnerability_Acknowledgments_Acknowledgment_Description vuln_xsd.tmp#Vulnerability_Vulnerability_Acknowledgments_Vulnerability_Vulnerability_Acknowledgments_Acknowledgment_URL
Children vuln:Description, vuln:Name, vuln:Organization, vuln:URL
Source
 
<xs:element name="Acknowledgment" minOccurs="1" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation xml:lang="en">The Acknowledgment container holds recognition for external parties who were instrumental in the discovery of, reporting of, and response to the vulnerability.</xs:documentation>
  </xs:annotation>
  <xs:complexType>
    <xs:sequence>
      <xs:element name="Name" minOccurs="0" maxOccurs="unbounded">
        <xs:annotation>
          <xs:documentation xml:lang="en">The name (i.e., individual name) of the party being acknowledged.</xs:documentation>
        </xs:annotation>
        <xs:complexType>
          <xs:simpleContent>
            <xs:extension base="cvrf-common:localizedString"/>
          </xs:simpleContent>
        </xs:complexType>
      </xs:element>
      <xs:element name="Organization" minOccurs="0" maxOccurs="unbounded">
        <xs:annotation>
          <xs:documentation xml:lang="en">The organization of the party being acknowledged or the organization itself being acknowledged.</xs:documentation>
        </xs:annotation>
        <xs:complexType>
          <xs:simpleContent>
            <xs:extension base="cvrf-common:localizedString"/>
          </xs:simpleContent>
        </xs:complexType>
      </xs:element>
      <xs:element name="Description" minOccurs="0" maxOccurs="1">
        <xs:annotation>
          <xs:documentation xml:lang="en">The details of the acknowledgment that address the recognition of external parties who were instrumental in the discovery, reporting and response of this document.</xs:documentation>
        </xs:annotation>
        <xs:complexType>
          <xs:simpleContent>
            <xs:extension base="cvrf-common:localizedString"/>
          </xs:simpleContent>
        </xs:complexType>
      </xs:element>
      <xs:element name="URL" type="xs:anyURI" minOccurs="0" maxOccurs="unbounded">
        <xs:annotation>
          <xs:documentation xml:lang="en">The optional URL to the person, place, or thing being acknowledged.</xs:documentation>
        </xs:annotation>
      </xs:element>
    </xs:sequence>
  </xs:complexType>
</xs:element>
Element vuln:Vulnerability / vuln:Acknowledgments / vuln:Acknowledgment / vuln:Name
Namespace http://www.icasi.org/CVRF/schema/vuln/1.1
Annotations
 
The name (i.e., individual name) of the party being acknowledged.
Diagram
Diagram common_xsd.tmp#nonEmptyString xml_xsd.tmp#lang common_xsd.tmp#localizedString
Type extension of cvrf-common:localizedString
Type hierarchy
Attributes
QName Type Default Use Annotation
xml:lang union of(xs:language, restriction of xs:string) en optional 
<div>
  <h3>lang (as an attribute name)</h3>
  <p>denotes an attribute whose value is a language code for the natural language of the content of any element; its value is inherited. This name is reserved by virtue of its definition in the XML specification.</p>
</div>
<div>
  <h4>Notes</h4>
  <p>Attempting to install the relevant ISO 2- and 3-letter codes as the enumerated possible values is probably never going to be a realistic possibility.</p>
  <p>See BCP 47 at
    <a href="http://www.rfc-editor.org/rfc/bcp/bcp47.txt">http://www.rfc-editor.org/rfc/bcp/bcp47.txt</a>and the IANA language subtag registry at
    <a href="http://www.iana.org/assignments/language-subtag-registry">http://www.iana.org/assignments/language-subtag-registry</a>for further information.</p>
  <p>The union allows for the 'un-declaration' of xml:lang with the empty string.</p>
</div>
Source
 
<xs:element name="Name" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation xml:lang="en">The name (i.e., individual name) of the party being acknowledged.</xs:documentation>
  </xs:annotation>
  <xs:complexType>
    <xs:simpleContent>
      <xs:extension base="cvrf-common:localizedString"/>
    </xs:simpleContent>
  </xs:complexType>
</xs:element>
Element vuln:Vulnerability / vuln:Acknowledgments / vuln:Acknowledgment / vuln:Organization
Namespace http://www.icasi.org/CVRF/schema/vuln/1.1
Annotations
 
The organization of the party being acknowledged or the organization itself being acknowledged.
Diagram
Diagram common_xsd.tmp#nonEmptyString xml_xsd.tmp#lang common_xsd.tmp#localizedString
Type extension of cvrf-common:localizedString
Type hierarchy
Attributes
QName Type Default Use Annotation
xml:lang union of(xs:language, restriction of xs:string) en optional 
<div>
  <h3>lang (as an attribute name)</h3>
  <p>denotes an attribute whose value is a language code for the natural language of the content of any element; its value is inherited. This name is reserved by virtue of its definition in the XML specification.</p>
</div>
<div>
  <h4>Notes</h4>
  <p>Attempting to install the relevant ISO 2- and 3-letter codes as the enumerated possible values is probably never going to be a realistic possibility.</p>
  <p>See BCP 47 at
    <a href="http://www.rfc-editor.org/rfc/bcp/bcp47.txt">http://www.rfc-editor.org/rfc/bcp/bcp47.txt</a>and the IANA language subtag registry at
    <a href="http://www.iana.org/assignments/language-subtag-registry">http://www.iana.org/assignments/language-subtag-registry</a>for further information.</p>
  <p>The union allows for the 'un-declaration' of xml:lang with the empty string.</p>
</div>
Source
 
<xs:element name="Organization" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation xml:lang="en">The organization of the party being acknowledged or the organization itself being acknowledged.</xs:documentation>
  </xs:annotation>
  <xs:complexType>
    <xs:simpleContent>
      <xs:extension base="cvrf-common:localizedString"/>
    </xs:simpleContent>
  </xs:complexType>
</xs:element>
Element vuln:Vulnerability / vuln:Acknowledgments / vuln:Acknowledgment / vuln:Description
Namespace http://www.icasi.org/CVRF/schema/vuln/1.1
Annotations
 
The details of the acknowledgment that address the recognition of external parties who were instrumental in the discovery, reporting and response of this document.
Diagram
Diagram common_xsd.tmp#nonEmptyString xml_xsd.tmp#lang common_xsd.tmp#localizedString
Type extension of cvrf-common:localizedString
Type hierarchy
Attributes
QName Type Default Use Annotation
xml:lang union of(xs:language, restriction of xs:string) en optional 
<div>
  <h3>lang (as an attribute name)</h3>
  <p>denotes an attribute whose value is a language code for the natural language of the content of any element; its value is inherited. This name is reserved by virtue of its definition in the XML specification.</p>
</div>
<div>
  <h4>Notes</h4>
  <p>Attempting to install the relevant ISO 2- and 3-letter codes as the enumerated possible values is probably never going to be a realistic possibility.</p>
  <p>See BCP 47 at
    <a href="http://www.rfc-editor.org/rfc/bcp/bcp47.txt">http://www.rfc-editor.org/rfc/bcp/bcp47.txt</a>and the IANA language subtag registry at
    <a href="http://www.iana.org/assignments/language-subtag-registry">http://www.iana.org/assignments/language-subtag-registry</a>for further information.</p>
  <p>The union allows for the 'un-declaration' of xml:lang with the empty string.</p>
</div>
Source
 
<xs:element name="Description" minOccurs="0" maxOccurs="1">
  <xs:annotation>
    <xs:documentation xml:lang="en">The details of the acknowledgment that address the recognition of external parties who were instrumental in the discovery, reporting and response of this document.</xs:documentation>
  </xs:annotation>
  <xs:complexType>
    <xs:simpleContent>
      <xs:extension base="cvrf-common:localizedString"/>
    </xs:simpleContent>
  </xs:complexType>
</xs:element>
Element vuln:Vulnerability / vuln:Acknowledgments / vuln:Acknowledgment / vuln:URL
Namespace http://www.icasi.org/CVRF/schema/vuln/1.1
Annotations
 
The optional URL to the person, place, or thing being acknowledged.
Diagram
Diagram
Type xs:anyURI
Source
 
<xs:element name="URL" type="xs:anyURI" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation xml:lang="en">The optional URL to the person, place, or thing being acknowledged.</xs:documentation>
  </xs:annotation>
</xs:element>
Simple Type vuln:InvolvementStatusEnumType
Namespace http://www.icasi.org/CVRF/schema/vuln/1.1
Annotations
 
Types enumerating a party's current engagement status for this vulnerability.
Diagram
Diagram
Type restriction of xs:token
Facets
enumeration Open 
The party has acknowledged that they are aware of the vulnerability report.
enumeration Disputed 
The party disputes the vulnerability report in its entirety
enumeration In Progress 
Some hot-fixes, permanent fixes, or patches have been made available by the party, but more fixes or patches are going to be released in the future.
enumeration Completed 
The party asserts that they have completed remediation of the vulnerability.
enumeration Contact Attempted 
The party has been contacted, but was unresponsive or unavailable.
enumeration Not Contacted 
No contact has been attempted with the party.
Used by
Source
 
<xs:simpleType name="InvolvementStatusEnumType">
  <xs:annotation>
    <xs:documentation xml:lang="en">Types enumerating a party's current engagement status for this vulnerability.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:token">
    <xs:enumeration value="Open">
      <xs:annotation>
        <xs:documentation xml:lang="en">The party has acknowledged that they are aware of the vulnerability report.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="Disputed">
      <xs:annotation>
        <xs:documentation xml:lang="en">The party disputes the vulnerability report in its entirety</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="In Progress">
      <xs:annotation>
        <xs:documentation xml:lang="en">Some hot-fixes, permanent fixes, or patches have been made available by the party, but more fixes or patches are going to be released in the future.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="Completed">
      <xs:annotation>
        <xs:documentation xml:lang="en">The party asserts that they have completed remediation of the vulnerability.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="Contact Attempted">
      <xs:annotation>
        <xs:documentation xml:lang="en">The party has been contacted, but was unresponsive or unavailable.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="Not Contacted">
      <xs:annotation>
        <xs:documentation xml:lang="en">No contact has been attempted with the party.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Simple Type vuln:cvePattern
Namespace http://www.icasi.org/CVRF/schema/vuln/1.1
Annotations
 
String type to match CVE IDs
Diagram
Diagram
Type restriction of xs:token
Facets
pattern CVE-[0-9\-]+
Used by
Source
 
<xs:simpleType name="cvePattern">
  <xs:annotation>
    <xs:documentation xml:lang="en">String type to match CVE IDs</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:token">
    <xs:pattern value="CVE-[0-9\-]+"/>
  </xs:restriction>
</xs:simpleType>
Simple Type vuln:cwePattern
Namespace http://www.icasi.org/CVRF/schema/vuln/1.1
Annotations
 
String type to match CWE IDs
Diagram
Diagram
Type restriction of xs:token
Facets
pattern CWE-[1-9]\d{0,5}
Used by
Source
 
<xs:simpleType name="cwePattern">
  <xs:annotation>
    <xs:documentation xml:lang="en">String type to match CWE IDs</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:token">
    <xs:pattern value="CWE-[1-9]\d{0,5}"/>
  </xs:restriction>
</xs:simpleType>
Simple Type vuln:AffectedStatusEnumType
Namespace http://www.icasi.org/CVRF/schema/vuln/1.1
Annotations
 
Types enumerating the affected statuses described by a vulnerability
Diagram
Diagram
Type restriction of xs:token
Facets
enumeration First Affected 
The first version known to be affected by this vulnerability.
enumeration First Fixed 
This version is the first fixed version for the vulnerability but may not be the recommended fixed version.
enumeration Fixed 
This version is contains a fix for the vulnerability but may not be the recommended fixed version.
enumeration Known Affected 
This version is known to be affected by the vulnerability.
enumeration Known Not Affected 
This version is known NOT to be affected by the vulnerability.
enumeration Last Affected 
This is the last version in a train known to be affected.  Versions released after this would contain a fix for this vulnerability.
enumeration Recommended 
This version has a fix for the vulnerability and is the vendor-recommended version for fixing the vulnerability.
Used by
Source
 
<xs:simpleType name="AffectedStatusEnumType">
  <xs:annotation>
    <xs:documentation xml:lang="en">Types enumerating the affected statuses described by a vulnerability</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:token">
    <xs:enumeration value="First Affected">
      <xs:annotation>
        <xs:documentation xml:lang="en">The first version known to be affected by this vulnerability.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="First Fixed">
      <xs:annotation>
        <xs:documentation xml:lang="en">This version is the first fixed version for the vulnerability but may not be the recommended fixed version.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="Fixed">
      <xs:annotation>
        <xs:documentation xml:lang="en">This version is contains a fix for the vulnerability but may not be the recommended fixed version.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="Known Affected">
      <xs:annotation>
        <xs:documentation xml:lang="en">This version is known to be affected by the vulnerability.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="Known Not Affected">
      <xs:annotation>
        <xs:documentation xml:lang="en">This version is known NOT to be affected by the vulnerability.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="Last Affected">
      <xs:annotation>
        <xs:documentation xml:lang="en">This is the last version in a train known to be affected. Versions released after this would contain a fix for this vulnerability.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="Recommended">
      <xs:annotation>
        <xs:documentation xml:lang="en">This version has a fix for the vulnerability and is the vendor-recommended version for fixing the vulnerability.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Simple Type vuln:ThreatTypeEnumType
Namespace http://www.icasi.org/CVRF/schema/vuln/1.1
Annotations
 
Types enumerating the Threat type described by the vulnerability
Diagram
Diagram
Type restriction of xs:token
Facets
enumeration Impact 
Impact contains an assessment of the impact on the user or the target set if the vulnerability is successful exploited.
enumeration Exploit Status 
Exploit Status contains a description of the degree to which an exploit for the vulnerability is known.
enumeration Target Set 
Target Set contains a description of the currently known victim population in whatever terms are appropriate.
Used by
Source
 
<xs:simpleType name="ThreatTypeEnumType">
  <xs:annotation>
    <xs:documentation xml:lang="en">Types enumerating the Threat type described by the vulnerability</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:token">
    <xs:enumeration value="Impact">
      <xs:annotation>
        <xs:documentation xml:lang="en">Impact contains an assessment of the impact on the user or the target set if the vulnerability is successful exploited.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="Exploit Status">
      <xs:annotation>
        <xs:documentation xml:lang="en">Exploit Status contains a description of the degree to which an exploit for the vulnerability is known.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="Target Set">
      <xs:annotation>
        <xs:documentation xml:lang="en">Target Set contains a description of the currently known victim population in whatever terms are appropriate.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Simple Type vuln:cvssVector
Namespace http://www.icasi.org/CVRF/schema/vuln/1.1
Annotations
 
String representing the components needed to compute the various CVSS scores
Diagram
Diagram
Type restriction of xs:token
Facets
maxLength 76
Used by
Source
 
<xs:simpleType name="cvssVector">
  <xs:annotation>
    <xs:documentation xml:lang="en">String representing the components needed to compute the various CVSS scores</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:token">
    <xs:maxLength value="76"/>
  </xs:restriction>
</xs:simpleType>
Simple Type vuln:RemedyTypeEnumType
Namespace http://www.icasi.org/CVRF/schema/vuln/1.1
Annotations
 
Types enumerating the Remedy type described by the vulnerability.
Diagram
Diagram
Type restriction of xs:token
Facets
enumeration Workaround 
Workaround contains information about a configuration or specific deployment scenario that can be used to avoid exposure to the vulnerability.
enumeration Mitigation 
Mitigation contains information about a configuration or deployment scenario that helps to reduce the risk of the vulnerability but that does not resolve the vulnerability on the affected product.
enumeration Vendor Fix 
Vendor Fix contains information about an official fix that is issued by the original author of the affected product.
enumeration None Available 
Currently there is no fix available.
enumeration Will Not Fix 
There is no fix for the vulnerability and there never will be one.
Used by
Source
 
<xs:simpleType name="RemedyTypeEnumType">
  <xs:annotation>
    <xs:documentation xml:lang="en">Types enumerating the Remedy type described by the vulnerability.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:token">
    <xs:enumeration value="Workaround">
      <xs:annotation>
        <xs:documentation xml:lang="en">Workaround contains information about a configuration or specific deployment scenario that can be used to avoid exposure to the vulnerability.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="Mitigation">
      <xs:annotation>
        <xs:documentation xml:lang="en">Mitigation contains information about a configuration or deployment scenario that helps to reduce the risk of the vulnerability but that does not resolve the vulnerability on the affected product.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="Vendor Fix">
      <xs:annotation>
        <xs:documentation xml:lang="en">Vendor Fix contains information about an official fix that is issued by the original author of the affected product.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="None Available">
      <xs:annotation>
        <xs:documentation xml:lang="en">Currently there is no fix available.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="Will Not Fix">
      <xs:annotation>
        <xs:documentation xml:lang="en">There is no fix for the vulnerability and there never will be one.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Attribute vuln:Vulnerability / vuln:ID / @SystemName
Namespace No namespace
Annotations
 
System Name indicates the name of the vulnerability tracking or numbering system that this vulnerability ID comes from.
Type xs:token
Used by
Source
 
<xs:attribute name="SystemName" type="xs:token" use="required">
  <xs:annotation>
    <xs:documentation xml:lang="en">System Name indicates the name of the vulnerability tracking or numbering system that this vulnerability ID comes from.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute vuln:Vulnerability / vuln:Notes / vuln:Note / @Title
Namespace No namespace
Annotations
 
Title should be a concise description of what is contained in Vulnerability Notes.
Type xs:string
Used by
Source
 
<xs:attribute name="Title" type="xs:string">
  <xs:annotation>
    <xs:documentation xml:lang="en">Title should be a concise description of what is contained in Vulnerability Notes.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute vuln:Vulnerability / vuln:Notes / vuln:Note / @Audience
Namespace No namespace
Annotations
 
Audience will indicate who is intended to read the note.
Type xs:string
Used by
Source
 
<xs:attribute name="Audience" type="xs:string">
  <xs:annotation>
    <xs:documentation xml:lang="en">Audience will indicate who is intended to read the note.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute vuln:Vulnerability / vuln:Notes / vuln:Note / @Type
Namespace No namespace
Annotations
 
Type of content within this note.
Type cvrf-common:NoteTypeEnumType
Facets
enumeration General 
A general, high-level note (Title may have more information).
enumeration Details 
A low-level detailed discussion (Title may have more information).
enumeration Description 
A description of something (Title may have more information).
enumeration Summary 
A summary of something (Title may have more information).
enumeration FAQ 
A list of frequently asked questions.
enumeration Legal Disclaimer 
Any possible legal discussion, including constraints, surrounding the document.
enumeration Other 
Something that doesn’t fit (Title should have more information).
Used by
Source
 
<xs:attribute name="Type" type="cvrf-common:NoteTypeEnumType" use="required">
  <xs:annotation>
    <xs:documentation xml:lang="en">Type of content within this note.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute vuln:Vulnerability / vuln:Notes / vuln:Note / @Ordinal
Namespace No namespace
Annotations
 
Ordinal is a locally significant integral counter indexed from 1 used to track notes.
Type xs:positiveInteger
Used by
Source
 
<xs:attribute name="Ordinal" type="xs:positiveInteger" use="required">
  <xs:annotation>
    <xs:documentation xml:lang="en">Ordinal is a locally significant integral counter indexed from 1 used to track notes.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute vuln:Vulnerability / vuln:Involvements / vuln:Involvement / @Party
Namespace No namespace
Annotations
 
Type of party with whom the involvement is taking place.
Type cvrf-common:PublisherEnumType
Facets
enumeration Vendor 
Developers or maintainers of information system products or services.
enumeration Discoverer 
Individuals or organizations that find vulnerabilities or security weaknesses.
enumeration Coordinator 
Individuals or organizations that manage a single vendor's response or multiple vendors' responses to a vulnerability, a security flaw, or an incident.
enumeration User 
Everyone using a vendor's product.
enumeration Other 
Catchall for everyone else. Currently this includes forwarders, re-publishers, language translators and miscellaneous contributors.
Used by
Source
 
<xs:attribute name="Party" type="cvrf-common:PublisherEnumType" use="required">
  <xs:annotation>
    <xs:documentation xml:lang="en">Type of party with whom the involvement is taking place.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute vuln:Vulnerability / vuln:Involvements / vuln:Involvement / @Status
Namespace No namespace
Annotations
 
Status of the involvement with the specified party.
Type vuln:InvolvementStatusEnumType
Facets
enumeration Open 
The party has acknowledged that they are aware of the vulnerability report.
enumeration Disputed 
The party disputes the vulnerability report in its entirety
enumeration In Progress 
Some hot-fixes, permanent fixes, or patches have been made available by the party, but more fixes or patches are going to be released in the future.
enumeration Completed 
The party asserts that they have completed remediation of the vulnerability.
enumeration Contact Attempted 
The party has been contacted, but was unresponsive or unavailable.
enumeration Not Contacted 
No contact has been attempted with the party.
Used by
Source
 
<xs:attribute name="Status" type="vuln:InvolvementStatusEnumType" use="required">
  <xs:annotation>
    <xs:documentation xml:lang="en">Status of the involvement with the specified party.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute vuln:Vulnerability / vuln:CWE / @ID
Namespace No namespace
Annotations
 
The MITRE-assigned CWE identifier.
Type vuln:cwePattern
Facets
pattern CWE-[1-9]\d{0,5}
Used by
Source
 
<xs:attribute name="ID" type="vuln:cwePattern" use="required">
  <xs:annotation>
    <xs:documentation xml:lang="en">The MITRE-assigned CWE identifier.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute vuln:Vulnerability / vuln:ProductStatuses / vuln:Status / @Type
Namespace No namespace
Annotations
 
Affected status for the product or products defined in this container.
Type vuln:AffectedStatusEnumType
Facets
enumeration First Affected 
The first version known to be affected by this vulnerability.
enumeration First Fixed 
This version is the first fixed version for the vulnerability but may not be the recommended fixed version.
enumeration Fixed 
This version is contains a fix for the vulnerability but may not be the recommended fixed version.
enumeration Known Affected 
This version is known to be affected by the vulnerability.
enumeration Known Not Affected 
This version is known NOT to be affected by the vulnerability.
enumeration Last Affected 
This is the last version in a train known to be affected.  Versions released after this would contain a fix for this vulnerability.
enumeration Recommended 
This version has a fix for the vulnerability and is the vendor-recommended version for fixing the vulnerability.
Used by
Source
 
<xs:attribute name="Type" type="vuln:AffectedStatusEnumType" use="required">
  <xs:annotation>
    <xs:documentation xml:lang="en">Affected status for the product or products defined in this container.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute vuln:Vulnerability / vuln:Threats / vuln:Threat / @Type
Namespace No namespace
Annotations
 
The type of the Threat.
Type vuln:ThreatTypeEnumType
Facets
enumeration Impact 
Impact contains an assessment of the impact on the user or the target set if the vulnerability is successful exploited.
enumeration Exploit Status 
Exploit Status contains a description of the degree to which an exploit for the vulnerability is known.
enumeration Target Set 
Target Set contains a description of the currently known victim population in whatever terms are appropriate.
Used by
Source
 
<xs:attribute name="Type" type="vuln:ThreatTypeEnumType" use="required">
  <xs:annotation>
    <xs:documentation xml:lang="en">The type of the Threat.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute vuln:Vulnerability / vuln:Threats / vuln:Threat / @Date
Namespace No namespace
Annotations
 
The date this Threat item was last updated; if omitted it is deemed to be unknown, irrelevant, or unimportant.
Type xs:dateTime
Used by
Source
 
<xs:attribute name="Date" type="xs:dateTime">
  <xs:annotation>
    <xs:documentation xml:lang="en">The date this Threat item was last updated; if omitted it is deemed to be unknown, irrelevant, or unimportant.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute vuln:Vulnerability / vuln:Remediations / vuln:Remediation / @Type
Namespace No namespace
Annotations
 
Specific type of remedy.
Type vuln:RemedyTypeEnumType
Facets
enumeration Workaround 
Workaround contains information about a configuration or specific deployment scenario that can be used to avoid exposure to the vulnerability.
enumeration Mitigation 
Mitigation contains information about a configuration or deployment scenario that helps to reduce the risk of the vulnerability but that does not resolve the vulnerability on the affected product.
enumeration Vendor Fix 
Vendor Fix contains information about an official fix that is issued by the original author of the affected product.
enumeration None Available 
Currently there is no fix available.
enumeration Will Not Fix 
There is no fix for the vulnerability and there never will be one.
Used by
Source
 
<xs:attribute name="Type" type="vuln:RemedyTypeEnumType" use="required">
  <xs:annotation>
    <xs:documentation xml:lang="en">Specific type of remedy.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute vuln:Vulnerability / vuln:Remediations / vuln:Remediation / @Date
Namespace No namespace
Annotations
 
The date Remedy was last updated, if omitted it is deemed to be unknown, unimportant, or irrelevant.
Type xs:dateTime
Used by
Source
 
<xs:attribute name="Date" type="xs:dateTime">
  <xs:annotation>
    <xs:documentation xml:lang="en">The date Remedy was last updated, if omitted it is deemed to be unknown, unimportant, or irrelevant.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute vuln:Vulnerability / vuln:References / vuln:Reference / @Type
Namespace No namespace
Annotations
 
Enumerated type value of reference relative to this document.
Type cvrf-common:ReferenceTypeEnum
Facets
enumeration External 
This document is an external reference to the current vulnerability.
enumeration Self 
This document is a reference to this same vulnerability.
Used by
Source
 
<xs:attribute name="Type" type="cvrf-common:ReferenceTypeEnum" default="External">
  <xs:annotation>
    <xs:documentation xml:lang="en">Enumerated type value of reference relative to this document.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute vuln:Vulnerability / @Ordinal
Namespace No namespace
Annotations
 
Locally significant numeric value to track vulnerabilities within a CVRF document.  This enables vulnerabilities to be referenced from elsewhere inside the document (often at the document-level)
Type xs:positiveInteger
Used by
Source
 
<xs:attribute name="Ordinal" type="xs:positiveInteger" use="required">
  <xs:annotation>
    <xs:documentation xml:lang="en">Locally significant numeric value to track vulnerabilities within a CVRF document. This enables vulnerabilities to be referenced from elsewhere inside the document (often at the document-level)</xs:documentation>
  </xs:annotation>
</xs:attribute>
XML Schema documentation generated by ® XML Editor.