Common Vulnerability Scoring System Data Representations

JSON and XML can be used to store structured data and transfer it between systems. JSON Schemas and XML Schema Definitions (XSDs) are available for CVSS v2.0, v3.0, v3.1, and v4.0 to provide a common data representation when storing and transferring CVSS information.

JSON Schemas:

XML Schema Definitions:

Explanation of Schemas

JSON Schemas and XSDs define the format and allowed elements of JSON and XML documents respectively. For CVSS, these definitions include elements such as Base Score and individual metric values. Most programming languages have the ability to validate XML data to ensure it meets a particular XSD, and many can also validate JSON data against JSON Schemas.

At the time of writing, JSON Schemas are relatively new. CVSS JSON Schemas use draft 04 of the specification that is available at http://json-schema.org/. XSDs are well established and further information about them can be found in multiple places.

JSON

CVSS information can be represented as a JSON document with the following fields:

| Field | Mandatory? | CVSS v2.0 Notes | CVSS v3.0 and v3.1 Notes |
|---|---|---|---|
| CVSS Version | Mandatory | Must be "2.0" | Must be "3.0" or "3.1" |
| Vector String | Mandatory | | Specified with metrics in the preferred order described in the CVSS v3.1 Specification Document |
| Base Score | Mandatory | | |
| Base Severity | Mandatory | | |
| Individual metrics | Optional | If included must match their respective values specified in the Vector String | As for CVSS v2.0 |
| Temporal Score | Optional | Must be included if any Temporal Metrics are set to a non-default value | As for CVSS v2.0 |
| Temporal Severity | Optional | Must be included if any Temporal Metrics are set to a non-default value | As for CVSS v2.0 |
| Environmental Score | Optional | Must be included if any Environmental Metrics are set to a non-default value | As for CVSS v2.0 |
| Environmental Severity | Optional | Must be included if any Environmental Metrics are set to a non-default value | As for CVSS v2.0 |


Examples

The following examples are all for CVSS version 3.1 and are based on CVE-2009-0658 (Adobe Acrobat Buffer Overflow Vulnerability) in the CVSS v3.0 Examples Document.

Minimal CVSS v3.1 information:

{
    "version": "3.1",
    "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
    "baseScore": 7.8,
    "baseSeverity": "HIGH"
}

CVSS information including optional base metrics:

{
    "version": "3.1",
    "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
    "attackVector": "LOCAL",
    "attackComplexity": "LOW",
    "privilegesRequired": "NONE",
    "userInteraction": "REQUIRED",
    "scope": "UNCHANGED",
    "confidentialityImpact": "HIGH",
    "integrityImpact": "HIGH",
    "availabilityImpact": "HIGH",
    "baseScore": 7.8,
    "baseSeverity": "HIGH"
}
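
The table above requires that individual metrics, when present, match the Vector String. The following Python check is an added example, not part of the original page or the CVSS schemas; it covers that cross-field rule plus the mandatory fields and the score-to-severity mapping for v3.x documents. The names `BASE_METRICS`, `severity` and `check_cvss3` are chosen here, and the metric value names and rating bands are assumed to be those of the CVSS v3.x JSON Schema and specification.

```python
# Vector abbreviation -> (JSON field, {vector value: JSON value}) for v3.x base metrics.
BASE_METRICS = {
    "AV": ("attackVector", {"N": "NETWORK", "A": "ADJACENT_NETWORK", "L": "LOCAL", "P": "PHYSICAL"}),
    "AC": ("attackComplexity", {"L": "LOW", "H": "HIGH"}),
    "PR": ("privilegesRequired", {"N": "NONE", "L": "LOW", "H": "HIGH"}),
    "UI": ("userInteraction", {"N": "NONE", "R": "REQUIRED"}),
    "S": ("scope", {"U": "UNCHANGED", "C": "CHANGED"}),
    "C": ("confidentialityImpact", {"N": "NONE", "L": "LOW", "H": "HIGH"}),
    "I": ("integrityImpact", {"N": "NONE", "L": "LOW", "H": "HIGH"}),
    "A": ("availabilityImpact", {"N": "NONE", "L": "LOW", "H": "HIGH"}),
}

def severity(score):
    """Qualitative rating for a CVSS v3.x score (scores carry one decimal place)."""
    for limit, name in ((0.0, "NONE"), (3.9, "LOW"), (6.9, "MEDIUM"), (8.9, "HIGH")):
        if score <= limit:
            return name
    return "CRITICAL"

def check_cvss3(doc):
    """Return a list of consistency problems; an empty list means none were found."""
    missing = [f for f in ("version", "vectorString", "baseScore", "baseSeverity") if f not in doc]
    if missing:
        return ["missing mandatory field: " + f for f in missing]
    problems = []
    if doc["version"] not in ("3.0", "3.1"):
        problems.append("version must be 3.0 or 3.1")
    prefix, *parts = str(doc["vectorString"]).split("/")
    if prefix != "CVSS:" + str(doc["version"]):
        problems.append("vector prefix does not match version")
    vector = dict(p.split(":", 1) for p in parts if ":" in p)
    for abbr, (field, values) in BASE_METRICS.items():
        expected = values.get(vector.get(abbr))
        if expected is None:
            problems.append(f"vector has no valid {abbr} metric")
        elif field in doc and doc[field] != expected:
            problems.append(f"{field} is {doc[field]!r} but vector says {expected!r}")
    score = doc["baseScore"]
    if isinstance(score, bool) or not isinstance(score, (int, float)) or not 0 <= score <= 10:
        problems.append("baseScore must be a number from 0 to 10")
    elif doc["baseSeverity"] != severity(score):
        problems.append("baseSeverity does not match baseScore")
    return problems

# GOOD is the page's second JSON example; BAD is a constructed copy with two fields altered.
GOOD = {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
        "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE",
        "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH",
        "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH"}
BAD = dict(GOOD, attackVector="NETWORK", baseSeverity="CRITICAL")
print(check_cvss3(GOOD), check_cvss3(BAD))
```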

XML

CVSS information can be represented as an XML document with the following fields:

| Field | Mandatory? | CVSS v2.0 Notes | CVSS v3.0 and v3.1 Notes |
|---|---|---|---|
| Individual Base Metrics | Mandatory | | |
| Base Score | Optional | | |
| Base Severity | Optional | | |
| Individual Temporal Metrics | Optional | | |
| Temporal Score | Optional | Must be included if any Temporal Metrics are set to a non-default value | As for CVSS v2.0 |
| Temporal Severity | Optional | Must be included if any Temporal Metrics are set to a non-default value | As for CVSS v2.0 |
| Individual Environmental Metrics | Optional | | |
| Environmental Score | Optional | Must be included if any Environmental Metrics are set to a non-default value | As for CVSS v2.0 |
| Environmental Severity | Optional | Must be included if any Environmental Metrics are set to a non-default value | As for CVSS v2.0 |

Examples

Minimal CVSS v3.1 information in XML format:

<cvssv3.1>
    <base_metrics>
        <attack-vector>LOCAL</attack-vector>
        <attack-complexity>LOW</attack-complexity>
        <privileges-required>NONE</privileges-required>
        <user-interaction>REQUIRED</user-interaction>
        <scope>UNCHANGED</scope>
        <confidentiality-impact>HIGH</confidentiality-impact>
        <integrity-impact>HIGH</integrity-impact>
        <availability-impact>HIGH</availability-impact>
    </base_metrics>
</cvssv3.1>

Minimal CVSS v3.1 information with optional Base Score and Base Severity:

<cvssv3.1>
    <base_metrics>
        <attack-vector>LOCAL</attack-vector>
        <attack-complexity>LOW</attack-complexity>
        <privileges-required>NONE</privileges-required>
        <user-interaction>REQUIRED</user-interaction>
        <scope>UNCHANGED</scope>
        <confidentiality-impact>HIGH</confidentiality-impact>
        <integrity-impact>HIGH</integrity-impact>
        <availability-impact>HIGH</availability-impact>
        <base-score>7.8</base-score>
        <base-severity>HIGH</base-severity>
    </base_metrics>
</cvssv3.1>