JSON and XML can be used to store structured data and transfer it between systems. JSON Schemas and XML Schema Definitions (XSDs) are available for CVSS v2.0, v3.0, v3.1, and v4.0 to provide a common data representation when storing and transferring CVSS information.
JSON Schemas:
XML Schema Definitions:
JSON Schemas and XSDs define the format and allowed elements of JSON and XML documents respectively. For CVSS, these definitions include elements such as Base Score and individual metric values. Most programming languages have the ability to validate XML data to ensure it meets a particular XSD, and many can also validate JSON data against JSON Schemas.
At the time of writing, JSON Schemas are relatively new. CVSS JSON Schemas use draft 04 of the specification that is available at http://json-schema.org/. XSDs are well established and further information about them can be found in multiple places.
CVSS information can be represented as a JSON document with the following fields:
Field | Mandatory? | CVSS v2.0 Notes | CVSS v3.0 and v3.1 Notes |
---|---|---|---|
CVSS Version | Mandatory | Must be "2.0" | Must be "3.0" or "3.1" |
Vector String | Mandatory | — | Specified with metrics in the preferred order described in the CVSS v3.1 Specification Document |
Base Score | Mandatory | — | — |
Base Severity | Mandatory | — | — |
Individual metrics | Optional | If included must match their respective values specified in the Vector String | As for CVSS v2.0 |
Temporal Score | Optional | Must be included if any Temporal Metrics are set to a non-default value | As for CVSS v2.0 |
Temporal Severity | Optional | Must be included if any Temporal Metrics are set to a non-default value | As for CVSS v2.0 |
Environmental Score | Optional | Must be included if any Environmental Metrics are set to a non-default value | As for CVSS v2.0 |
Environmental Severity | Optional | Must be included if any Environmental Metrics are set to a non-default value | As for CVSS v2.0 |
The following examples are all for CVSS version 3.1 and are based on CVE-2009-0658 (Adobe Acrobat Buffer Overflow Vulnerability) in the CVSS v3.0 Examples Document.
Minimal CVSS v3.1 information:
```json
{
  "version": "3.1",
  "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
  "baseScore": 7.8,
  "baseSeverity": "HIGH"
}
```
CVSS information including optional base metrics:
```json
{
  "version": "3.1",
  "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
  "attackVector": "LOCAL",
  "attackComplexity": "LOW",
  "privilegesRequired": "NONE",
  "userInteraction": "REQUIRED",
  "scope": "UNCHANGED",
  "confidentialityImpact": "HIGH",
  "integrityImpact": "HIGH",
  "availabilityImpact": "HIGH",
  "baseScore": 7.8,
  "baseSeverity": "HIGH"
}
```
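
The JSON field table above requires that individual metrics, when included, match the Vector String. As an added example (not part of the original page or of the CVSS schemas), the following Python function checks that rule for a CVSS v3.1 document, along with the mandatory fields, the preferred order of the base metrics, and agreement between Base Severity and Base Score. Metric value names not shown on this page (such as NETWORK or CHANGED) and the severity bands are taken from the CVSS v3.1 specification; the function names and the sample are constructed here, and Temporal and Environmental metrics are not checked.

```python
import json

# Base metrics in preferred order: (abbreviation, JSON field, {vector value: JSON value}).
BASE = [
    ("AV", "attackVector", {"N": "NETWORK", "A": "ADJACENT_NETWORK", "L": "LOCAL", "P": "PHYSICAL"}),
    ("AC", "attackComplexity", {"L": "LOW", "H": "HIGH"}),
    ("PR", "privilegesRequired", {"N": "NONE", "L": "LOW", "H": "HIGH"}),
    ("UI", "userInteraction", {"N": "NONE", "R": "REQUIRED"}),
    ("S", "scope", {"U": "UNCHANGED", "C": "CHANGED"}),
    ("C", "confidentialityImpact", {"N": "NONE", "L": "LOW", "H": "HIGH"}),
    ("I", "integrityImpact", {"N": "NONE", "L": "LOW", "H": "HIGH"}),
    ("A", "availabilityImpact", {"N": "NONE", "L": "LOW", "H": "HIGH"}),
]
MANDATORY = ("version", "vectorString", "baseScore", "baseSeverity")

def severity(score):
    """Qualitative severity rating for a score on the CVSS v3.x rating scale."""
    return "NONE" if score == 0 else "LOW" if score < 4 else "MEDIUM" if score < 7 else "HIGH" if score < 9 else "CRITICAL"

def check_cvss31(text):
    """Return a list of problems found in a CVSS v3.1 JSON document (empty if none)."""
    doc = json.loads(text)
    errors = [f"missing mandatory field {f}" for f in MANDATORY if f not in doc]
    if errors:
        return errors
    if doc["version"] != "3.1":
        errors.append("version must be 3.1 for this check")
    prefix, *parts = str(doc["vectorString"]).split("/")
    pairs = [p.partition(":")[::2] for p in parts]  # [(abbreviation, value), ...]
    if prefix != "CVSS:3.1" or [k for k, _ in pairs[:8]] != [b[0] for b in BASE]:
        return errors + ["vectorString must start with CVSS:3.1 and list base metrics in preferred order"]
    for (abbr, field, values), (_, v) in zip(BASE, pairs):
        if v not in values:
            errors.append(f"{abbr}:{v} is not a valid value")
        elif field in doc and doc[field] != values[v]:  # optional field must agree with the vector
            errors.append(f"{field} is {doc[field]!r} but vectorString says {values[v]!r}")
    score = doc["baseScore"]
    if not isinstance(score, (int, float)) or not 0 <= score <= 10:
        errors.append("baseScore must be a number from 0.0 to 10.0")
    elif doc["baseSeverity"] != severity(score):
        errors.append(f"baseSeverity should be {severity(score)} for baseScore {score}")
    return errors

# Constructed sample: the page's vector with a contradictory attackVector and baseSeverity.
SAMPLE = ('{"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", '
          '"attackVector": "NETWORK", "baseScore": 7.8, "baseSeverity": "CRITICAL"}')

if __name__ == "__main__":
    print("\n".join(check_cvss31(SAMPLE)))
```

A schema validator confirms field names, types and enumerated values; a cross-field check like this one catches documents that are schema-valid but internally contradictory.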
CVSS information can be represented as an XML document with the following fields:
Field | Mandatory? | CVSS v2.0 Notes | CVSS v3.0 and v3.1 Notes |
---|---|---|---|
Individual Base Metrics | Mandatory | — | — |
Base Score | Optional | — | — |
Base Severity | Optional | — | — |
Individual Temporal Metrics | Optional | — | — |
Temporal Score | Optional | Must be included if any Temporal Metrics are set to a non-default value | As for CVSS v2.0 |
Temporal Severity | Optional | Must be included if any Temporal Metrics are set to a non-default value | As for CVSS v2.0 |
Individual Environmental Metrics | Optional | — | — |
Environmental Score | Optional | Must be included if any Environmental Metrics are set to a non-default value | As for CVSS v2.0 |
Environmental Severity | Optional | Must be included if any Environmental Metrics are set to a non-default value | As for CVSS v2.0 |
Minimal CVSS v3.1 information in XML format:
```xml
<cvssv3.1>
  <base_metrics>
    <attack-vector>LOCAL</attack-vector>
    <attack-complexity>LOW</attack-complexity>
    <privileges-required>NONE</privileges-required>
    <user-interaction>REQUIRED</user-interaction>
    <scope>UNCHANGED</scope>
    <confidentiality-impact>HIGH</confidentiality-impact>
    <integrity-impact>HIGH</integrity-impact>
    <availability-impact>HIGH</availability-impact>
  </base_metrics>
</cvssv3.1>
```
Minimal CVSS v3.1 information with optional Base Score and Base Severity:
```xml
<cvssv3.1>
  <base_metrics>
    <attack-vector>LOCAL</attack-vector>
    <attack-complexity>LOW</attack-complexity>
    <privileges-required>NONE</privileges-required>
    <user-interaction>REQUIRED</user-interaction>
    <scope>UNCHANGED</scope>
    <confidentiality-impact>HIGH</confidentiality-impact>
    <integrity-impact>HIGH</integrity-impact>
    <availability-impact>HIGH</availability-impact>
    <base-score>7.8</base-score>
    <base-severity>HIGH</base-severity>
  </base_metrics>
</cvssv3.1>
```