From a77af537318f88ecfe9eed457bf58c813481ee8f Mon Sep 17 00:00:00 2001
From: fahed dorgaa
Date: Fri, 14 Nov 2025 14:28:47 +0100
Subject: [PATCH 1/6] Update ratings descriptions in schema files for clarity on VEX usage
Signed-off-by: fahed dorgaa
---
 schema/bom-1.6.schema.json | 2 +-
 schema/bom-1.7.schema.json | 2 +-
 schema/ext/vulnerability-1.0-SNAPSHOT.schema.json | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json
index 8bc9d3d6..9aa94372 100644
--- a/schema/bom-1.6.schema.json
+++ b/schema/bom-1.6.schema.json
@@ -2681,7 +2681,7 @@
 "ratings": {
 "type": "array",
 "title": "Ratings",
- "description": "List of vulnerability ratings",
+ "description": "List of vulnerability ratings. Consumers SHOULD use ratings and SHOULD NOT ignore them; source ratings may differ and aid prioritization.",
 "items": {
 "$ref": "#/definitions/rating"
 }
diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json
index 785acacb..d9311c03 100644
--- a/schema/bom-1.7.schema.json
+++ b/schema/bom-1.7.schema.json
@@ -2841,7 +2841,7 @@
 "ratings": {
 "type": "array",
 "title": "Ratings",
- "description": "List of vulnerability ratings",
+ "description": "List of vulnerability ratings. Consumers SHOULD use ratings and SHOULD NOT ignore them; source ratings may differ and aid prioritization.",
 "items": {
 "$ref": "#/definitions/rating"
 }
diff --git a/schema/ext/vulnerability-1.0-SNAPSHOT.schema.json b/schema/ext/vulnerability-1.0-SNAPSHOT.schema.json
index 378bd498..efb95c16 100644
--- a/schema/ext/vulnerability-1.0-SNAPSHOT.schema.json
+++ b/schema/ext/vulnerability-1.0-SNAPSHOT.schema.json
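Review bot: The new `description` on `ratings` turns a purely descriptive string into a normative statement (`Consumers SHOULD use ratings and SHOULD NOT ignore them`), and it is applied to bom-1.6.schema.json as well as 1.7; if 1.6 is an already-published schema version, this retroactively changes what a conforming 1.6 consumer is expected to do, so consider keeping 1.6 descriptive and putting the SHOULD sentence only in 1.7 (the same applies to the bom-1.7.schema.json hunk below). This exact wording is then replaced by patch 3, restored by patch 4 and replaced again by patch 6, and the ext/vulnerability-1.0-SNAPSHOT.schema.json change in this patch is reverted by patch 2 and, after being re-applied by patch 4, reverted again by patch 5, so that file nets to no change; the series should be squashed so history does not contain intermediate commits where the JSON schemas and the proto/XSD schemas disagree on the ratings text. A short rationale in the commit body for why the guidance is needed (which consumer behaviour it is meant to prevent) would also help, since the subject mentions VEX usage but the description does not.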
@@ -146,7 +146,7 @@
 "ratings": {
 "type": "array",
 "title": "Ratings",
- "description": "List of the vulnerability ratings as defined by various risk rating methodologies.",
+ "description": "List of vulnerability ratings. Consumers SHOULD use ratings and SHOULD NOT ignore them; source ratings may differ and aid prioritization.",
 "items": {"$ref": "#/definitions/rating"}
 },
 "cwes": {
From adf8f165d2603c5a2385468a8cbed534029a09f6 Mon Sep 17 00:00:00 2001
From: fahed dorgaa
Date: Fri, 26 Dec 2025 22:23:22 +0100
Subject: [PATCH 2/6] Update vulnerability ratings description in XML and Protobuf schemas, and revert extension changes
Signed-off-by: fahed dorgaa
---
 schema/bom-1.6.proto | 2 +-
 schema/bom-1.6.xsd | 2 +-
 schema/bom-1.7.proto | 2 +-
 schema/bom-1.7.xsd | 2 +-
 schema/ext/vulnerability-1.0-SNAPSHOT.schema.json | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto
index ddcfc3f7..e7b7a0b1 100644
--- a/schema/bom-1.6.proto
+++ b/schema/bom-1.6.proto
@@ -888,7 +888,7 @@ message Vulnerability {
 optional Source source = 3;
 // Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Oftentimes, the same vulnerability may exist in multiple sources of vulnerability intelligence but have different identifiers. References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.
 repeated VulnerabilityReference references = 4;
- // List of vulnerability ratings
+ // List of vulnerability ratings. Consumers SHOULD use ratings and SHOULD NOT ignore them; source ratings may differ and aid prioritization.
 repeated VulnerabilityRating ratings = 5;
 // List of Common Weaknesses Enumerations (CWEs) codes that describe this vulnerability. For example, 399 (of https://cwe.mitre.org/data/definitions/399.html)
 repeated int32 cwes = 6;
diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd
index 847c5261..bbe6e536 100644
--- a/schema/bom-1.6.xsd
+++ b/schema/bom-1.6.xsd
@@ -4218,7 +4218,7 @@ limitations under the License.
- List of vulnerability ratings.
+ List of vulnerability ratings. Consumers SHOULD use ratings and SHOULD NOT ignore them; source ratings may differ and aid prioritization.
diff --git a/schema/bom-1.7.proto b/schema/bom-1.7.proto
index 6def360f..1b507781 100644
--- a/schema/bom-1.7.proto
+++ b/schema/bom-1.7.proto
@@ -990,7 +990,7 @@ message Vulnerability {
 optional Source source = 3;
 // Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Oftentimes, the same vulnerability may exist in multiple sources of vulnerability intelligence but have different identifiers. References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.
 repeated VulnerabilityReference references = 4;
- // List of vulnerability ratings
+ // List of vulnerability ratings. Consumers SHOULD use ratings and SHOULD NOT ignore them; source ratings may differ and aid prioritization.
 repeated VulnerabilityRating ratings = 5;
 // List of Common Weaknesses Enumerations (CWEs) codes that describe this vulnerability. For example, 399 (of https://cwe.mitre.org/data/definitions/399.html)
 repeated int32 cwes = 6;
diff --git a/schema/bom-1.7.xsd b/schema/bom-1.7.xsd
index deba3de2..2d110b9a 100644
--- a/schema/bom-1.7.xsd
+++ b/schema/bom-1.7.xsd
@@ -4461,7 +4461,7 @@ limitations under the License.
- List of vulnerability ratings.
+ List of vulnerability ratings. Consumers SHOULD use ratings and SHOULD NOT ignore them; source ratings may differ and aid prioritization.
diff --git a/schema/ext/vulnerability-1.0-SNAPSHOT.schema.json b/schema/ext/vulnerability-1.0-SNAPSHOT.schema.json
index efb95c16..378bd498 100644
--- a/schema/ext/vulnerability-1.0-SNAPSHOT.schema.json
+++ b/schema/ext/vulnerability-1.0-SNAPSHOT.schema.json
@@ -146,7 +146,7 @@
 "ratings": {
 "type": "array",
 "title": "Ratings",
- "description": "List of vulnerability ratings. Consumers SHOULD use ratings and SHOULD NOT ignore them; source ratings may differ and aid prioritization.",
+ "description": "List of the vulnerability ratings as defined by various risk rating methodologies.",
 "items": {"$ref": "#/definitions/rating"}
 },
 "cwes": {
From 713a20c88d9bf1ff89ae1b09b8604102baac66db Mon Sep 17 00:00:00 2001
From: fahed dorgaa
Date: Sat, 17 Jan 2026 14:38:10 +0100
Subject: [PATCH 3/6] fix(spec): improve ratings descriptions in schema files for clarity on VEX usage
Signed-off-by: Fahed Dorgaa
---
 schema/bom-1.6.proto | 2 +-
 schema/bom-1.6.schema.json | 2 +-
 schema/bom-1.6.xsd | 2 +-
 schema/bom-1.7.proto | 2 +-
 schema/bom-1.7.schema.json | 2 +-
 schema/bom-1.7.xsd | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto
index e7b7a0b1..97a28dab 100644
--- a/schema/bom-1.6.proto
+++ b/schema/bom-1.6.proto
@@ -888,7 +888,7 @@ message Vulnerability {
 optional Source source = 3;
 // Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Oftentimes, the same vulnerability may exist in multiple sources of vulnerability intelligence but have different identifiers. References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.
 repeated VulnerabilityReference references = 4;
- // List of vulnerability ratings. Consumers SHOULD use ratings and SHOULD NOT ignore them; source ratings may differ and aid prioritization.
+ // List of vulnerability ratings. Consumers SHOULD consider ratings in prioritization decisions; source ratings may differ and aid prioritization.
 repeated VulnerabilityRating ratings = 5;
 // List of Common Weaknesses Enumerations (CWEs) codes that describe this vulnerability. For example, 399 (of https://cwe.mitre.org/data/definitions/399.html)
 repeated int32 cwes = 6;
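Review bot: The comment the series finally settles on for `ratings` is still unclear: "source ratings may differ" does not say differ from what (each other? the consumer's own scoring?), and "aid prioritization" restates the "prioritization decisions" clause just before it, so the added sentence does not explain more than the one it replaces. The subject says the change is about VEX usage, yet nothing in the text relates the ratings to exploitability or analysis statements, which is presumably the behaviour the author wants consumers to get right. Suggested replacement, to be applied identically in the bom-1.6.schema.json, bom-1.6.xsd, bom-1.7.proto, bom-1.7.schema.json and bom-1.7.xsd hunks of this patch and in the two JSON hunks of patch 6: `// List of vulnerability ratings. Ratings for the same vulnerability may differ between sources; consumers SHOULD take all provided ratings into account when prioritizing remediation rather than relying on a single source or discarding them.` If the specification does not already declare RFC 2119 keyword semantics for schema descriptions, the capitalized SHOULD carries no formal weight here and should either be lower-cased or backed by a normative statement in the spec text.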
diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json
index 9aa94372..ced928cf 100644
--- a/schema/bom-1.6.schema.json
+++ b/schema/bom-1.6.schema.json
@@ -2681,7 +2681,7 @@
 "ratings": {
 "type": "array",
 "title": "Ratings",
- "description": "List of vulnerability ratings. Consumers SHOULD use ratings and SHOULD NOT ignore them; source ratings may differ and aid prioritization.",
+ "description": "List of vulnerability ratings. Consumers SHOULD consider ratings in prioritization decisions; source ratings may differ and aid prioritization.",
 "items": {
 "$ref": "#/definitions/rating"
 }
diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd
index bbe6e536..f4d6eb37 100644
--- a/schema/bom-1.6.xsd
+++ b/schema/bom-1.6.xsd
@@ -4218,7 +4218,7 @@ limitations under the License.
- List of vulnerability ratings. Consumers SHOULD use ratings and SHOULD NOT ignore them; source ratings may differ and aid prioritization.
+ List of vulnerability ratings. Consumers SHOULD consider ratings in prioritization decisions; source ratings may differ and aid prioritization.
diff --git a/schema/bom-1.7.proto b/schema/bom-1.7.proto
index 1b507781..ac905b93 100644
--- a/schema/bom-1.7.proto
+++ b/schema/bom-1.7.proto
@@ -990,7 +990,7 @@ message Vulnerability {
 optional Source source = 3;
 // Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Oftentimes, the same vulnerability may exist in multiple sources of vulnerability intelligence but have different identifiers. References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.
 repeated VulnerabilityReference references = 4;
- // List of vulnerability ratings. Consumers SHOULD use ratings and SHOULD NOT ignore them; source ratings may differ and aid prioritization.
+ // List of vulnerability ratings. Consumers SHOULD consider ratings in prioritization decisions; source ratings may differ and aid prioritization.
 repeated VulnerabilityRating ratings = 5;
 // List of Common Weaknesses Enumerations (CWEs) codes that describe this vulnerability. For example, 399 (of https://cwe.mitre.org/data/definitions/399.html)
 repeated int32 cwes = 6;
diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json
index d9311c03..4d509e99 100644
--- a/schema/bom-1.7.schema.json
+++ b/schema/bom-1.7.schema.json
@@ -2841,7 +2841,7 @@
 "ratings": {
 "type": "array",
 "title": "Ratings",
- "description": "List of vulnerability ratings. Consumers SHOULD use ratings and SHOULD NOT ignore them; source ratings may differ and aid prioritization.",
+ "description": "List of vulnerability ratings. Consumers SHOULD consider ratings in prioritization decisions; source ratings may differ and aid prioritization.",
 "items": {
 "$ref": "#/definitions/rating"
 }
diff --git a/schema/bom-1.7.xsd b/schema/bom-1.7.xsd
index 2d110b9a..4549d6fd 100644
--- a/schema/bom-1.7.xsd
+++ b/schema/bom-1.7.xsd
@@ -4461,7 +4461,7 @@ limitations under the License.
- List of vulnerability ratings. Consumers SHOULD use ratings and SHOULD NOT ignore them; source ratings may differ and aid prioritization.
+ List of vulnerability ratings. Consumers SHOULD consider ratings in prioritization decisions; source ratings may differ and aid prioritization.
From 60d1ae6a3d32daab61c5c960f1a350f611c78c4c Mon Sep 17 00:00:00 2001
From: fahed dorgaa
Date: Fri, 14 Nov 2025 14:28:47 +0100
Subject: [PATCH 4/6] Update ratings descriptions in schema files for clarity on VEX usage
Signed-off-by: fahed dorgaa
---
 schema/bom-1.6.schema.json | 2 +-
 schema/bom-1.7.schema.json | 2 +-
 schema/ext/vulnerability-1.0-SNAPSHOT.schema.json | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json
index ced928cf..9aa94372 100644
--- a/schema/bom-1.6.schema.json
+++ b/schema/bom-1.6.schema.json
@@ -2681,7 +2681,7 @@
 "ratings": {
 "type": "array",
 "title": "Ratings",
- "description": "List of vulnerability ratings. Consumers SHOULD consider ratings in prioritization decisions; source ratings may differ and aid prioritization.",
+ "description": "List of vulnerability ratings. Consumers SHOULD use ratings and SHOULD NOT ignore them; source ratings may differ and aid prioritization.",
 "items": {
 "$ref": "#/definitions/rating"
 }
diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json
index 4d509e99..d9311c03 100644
--- a/schema/bom-1.7.schema.json
+++ b/schema/bom-1.7.schema.json
@@ -2841,7 +2841,7 @@
 "ratings": {
 "type": "array",
 "title": "Ratings",
- "description": "List of vulnerability ratings. Consumers SHOULD consider ratings in prioritization decisions; source ratings may differ and aid prioritization.",
+ "description": "List of vulnerability ratings. Consumers SHOULD use ratings and SHOULD NOT ignore them; source ratings may differ and aid prioritization.",
 "items": {
 "$ref": "#/definitions/rating"
 }
diff --git a/schema/ext/vulnerability-1.0-SNAPSHOT.schema.json b/schema/ext/vulnerability-1.0-SNAPSHOT.schema.json
index 378bd498..efb95c16 100644
--- a/schema/ext/vulnerability-1.0-SNAPSHOT.schema.json
+++ b/schema/ext/vulnerability-1.0-SNAPSHOT.schema.json
@@ -146,7 +146,7 @@
 "ratings": {
 "type": "array",
 "title": "Ratings",
- "description": "List of the vulnerability ratings as defined by various risk rating methodologies.",
+ "description": "List of vulnerability ratings. Consumers SHOULD use ratings and SHOULD NOT ignore them; source ratings may differ and aid prioritization.",
 "items": {"$ref": "#/definitions/rating"}
 },
 "cwes": {
From 82770ace65ee8a744403599725da159e1f9f50f3 Mon Sep 17 00:00:00 2001
From: fahed dorgaa
Date: Fri, 26 Dec 2025 22:23:22 +0100
Subject: [PATCH 5/6] Update vulnerability ratings description in XML and Protobuf schemas, and revert extension changes
Signed-off-by: fahed dorgaa
---
 schema/ext/vulnerability-1.0-SNAPSHOT.schema.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/schema/ext/vulnerability-1.0-SNAPSHOT.schema.json b/schema/ext/vulnerability-1.0-SNAPSHOT.schema.json
index efb95c16..378bd498 100644
--- a/schema/ext/vulnerability-1.0-SNAPSHOT.schema.json
+++ b/schema/ext/vulnerability-1.0-SNAPSHOT.schema.json
@@ -146,7 +146,7 @@
 "ratings": {
 "type": "array",
 "title": "Ratings",
- "description": "List of vulnerability ratings. Consumers SHOULD use ratings and SHOULD NOT ignore them; source ratings may differ and aid prioritization.",
+ "description": "List of the vulnerability ratings as defined by various risk rating methodologies.",
 "items": {"$ref": "#/definitions/rating"}
 },
 "cwes": {
From 80db0257f1182a2d4220b3a2ab6970f4bab824df Mon Sep 17 00:00:00 2001
From: fahed dorgaa
Date: Sat, 7 Feb 2026 22:34:15 +0100
Subject: [PATCH 6/6] fix(schema): clarify ratings description for prioritization decisions
Signed-off-by: Fahed Dorgaa
---
 schema/bom-1.6.schema.json | 2 +-
 schema/bom-1.7.schema.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json
index 9aa94372..ced928cf 100644
--- a/schema/bom-1.6.schema.json
+++ b/schema/bom-1.6.schema.json
@@ -2681,7 +2681,7 @@
 "ratings": {
 "type": "array",
 "title": "Ratings",
- "description": "List of vulnerability ratings. Consumers SHOULD use ratings and SHOULD NOT ignore them; source ratings may differ and aid prioritization.",
+ "description": "List of vulnerability ratings. Consumers SHOULD consider ratings in prioritization decisions; source ratings may differ and aid prioritization.",
 "items": {
 "$ref": "#/definitions/rating"
 }
diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json
index d9311c03..4d509e99 100644
--- a/schema/bom-1.7.schema.json
+++ b/schema/bom-1.7.schema.json
@@ -2841,7 +2841,7 @@
 "ratings": {
 "type": "array",
 "title": "Ratings",
- "description": "List of vulnerability ratings. Consumers SHOULD use ratings and SHOULD NOT ignore them; source ratings may differ and aid prioritization.",
+ "description": "List of vulnerability ratings. Consumers SHOULD consider ratings in prioritization decisions; source ratings may differ and aid prioritization.",
 "items": {
 "$ref": "#/definitions/rating"
 }