most CVE Records fail validation with recent ajv-formats

[ElectricNroff]

The 5.1.0 schema has:

cve-schema/schema/v5.0/CVE_JSON_5.1_schema.json

Lines 76 to 78 in 2aa608b

	"timestamp": {
	"type": "string",
	"format": "date-time",

It doesn't suggest preferred JSON schema validation software, but because ajv is used internally in the cve-schema repository:

cve-schema/.github/workflows/validate-schema.yml

Line 35 in 2aa608b

ajv validate -c ajv-formats -s "${CVE_SCHEMA_DIR}/docs/CVE_JSON_bundled.json" -d "${CVE_SCHEMA_DIR}/docs/full-record-basic-example.json"

one might expect that ajv is a reasonable choice for validating the CVE Records in the official CVE List. Also, although nothing says this directly, a downstream user might reasonably expect that the latest version of ajv should work, and that using the CVE List should not require staying at an older version of ajv.

In the context of ajv, the "format": "date-time" above typically means that one should install the ajv-formats NPM package.

The problem is that the CVE List is not compatible with ajv-formats releases on or after 2024-03-30. There are thousands of CVE Records that have timestamps without a timezone, and validating the entire CVE List will produce literally millions of error messages, e.g.,

CVE-1999-0001
...
        "datePublished": "2000-02-04T05:00:00",
        "dateReserved": "1999-06-07T00:00:00",
        "dateUpdated": "2005-12-17T00:00:00",

{
    instancePath:'/cveMetadata/dateUpdated',
    schemaPath: '#/definitions/timestamp/format',
    keyword: 'format',
    params: { format: 'date-time' },
    message: 'must match format "date-time"'
  },
  {
    instancePath:'/cveMetadata/dateReserved',
    schemaPath:'#/definitions/timestamp/format',
    keyword:'format',
    params: { format:'date-time' },
    message: 'must match format "date-time"'
  },
  {
    instancePath:'/cveMetadata/datePublished',
    schemaPath:'#/definitions/timestamp/format',
    keyword:'format',
    params: { format:'date-time'},
    message:'must match format "date-time"'
  }

etc.

The ajv-formats behavior change is documented in release notes for a release candidate, but there apparently aren't release notes on GitHub for the official 3.x releases. However, users will get an official 3.x release (with the new behavior) if they simply type npm install ajv-formats

https://github.com/ajv-validator/ajv-formats/releases/tag/v3.0.0-rc.0
Formats time and date-time now require timezone, as per JSON Schema specification / RFC3339

(The timing is somewhat unusual, with the last 3.x release candidate dated 2021-11-07, but no 3.x release until 2024-03-30.)

Anyway, possible courses of action include:

• inform downstream users that they must not validate CVE Records with up-to-date ajv/ajv-formats installations, and instead should do something like npm install [email protected]
• do a one-time change to the entire CVE List such that 100% of timestamp values have timezones, and then update CVE Services to depend on "ajv-formats": "^3.0.1" so that there are always timezones going forward
• ask all CNAs to correct their CVE Records and re-submit with timezones
• remove "format": "date-time" from the schema
• guess that the ajv-formats maintainers might later add a run-time option for loose date-time validation, e.g., in response to date-time validation fails with [email protected] ajv-validator/ajv-formats#96
• somehow try to change user behavior or expectations (e.g., construct an explanation for why we didn't initially require timezones and/or advise against ajv)
• ignore the problem in the hope that ajv-formats 2.1.1 (or earlier) remains the most popular version