<?xml version="1.0"?> | |
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" | |
targetNamespace="http://nvd.nist.gov/feeds/cve/1.2" | |
xmlns:cve="http://nvd.nist.gov/feeds/cve/1.2" | |
elementFormDefault="qualified" attributeFormDefault="unqualified" | |
version="1.2"> | |
<xs:annotation> | |
<xs:documentation>This schema defines the structure of the National | |
Vulnerability Database XML feed files version: 1.2. The elements and | |
attribute in this document are described by xs:annotation tags. This | |
file is kept at http://nvd.nist.gov/schema/nvdcve.xsd. The NVD XML | |
feeds are available at http://nvd.nist.gov/download.cfm. | |
Release Notes: | |
Version 1.2: | |
* CVSS version 2 scores and vectors have been added. Please see | |
http://nvd.nist.gov/cvss.cfm?vectorinfo and | |
http://www.first.org/cvss/cvss-guide.html for more information on | |
how to interpret this data. </xs:documentation> | |
</xs:annotation> | |
<xs:element name="nvd"> | |
<xs:annotation> | |
<xs:documentation>The root element of the NVD CVE feed. Multiple "entry" child elements describe specific NVD CVE entries.</xs:documentation> | |
</xs:annotation> | |
<xs:complexType> | |
<xs:sequence> | |
<xs:element ref="cve:entry" minOccurs="0" maxOccurs="unbounded"/> | |
</xs:sequence> | |
<xs:attribute name="nvd_xml_version" type="xs:NMTOKEN" use="required"> | |
<xs:annotation> | |
<xs:documentation>The schema version number supported by the feed.</xs:documentation> | |
</xs:annotation> | |
</xs:attribute> | |
<xs:attribute name="pub_date" type="cve:dateType" use="required"> | |
<xs:annotation> | |
<xs:documentation>The date the feed was generated.</xs:documentation> | |
</xs:annotation> | |
</xs:attribute> | |
</xs:complexType> | |
</xs:element> | |
<xs:element name="entry" type="cve:entryType"> | |
<xs:annotation> | |
<xs:documentation>A CVE entry.</xs:documentation> | |
</xs:annotation> | |
</xs:element> | |
<!-- ******************************************************************* --> | |
<!-- * Complex Types * --> | |
<!-- ******************************************************************* --> | |
<xs:complexType name="entryType"> | |
<xs:annotation> | |
<xs:documentation> Documents one CVE entry. The child elements should always | |
appear in the sequence defined below. These elements are compatible with | |
entry elements from the CVE XML feeds.</xs:documentation> | |
</xs:annotation> | |
<xs:sequence> | |
<xs:element name="desc"> | |
<xs:annotation> | |
<xs:documentation>Description wrapper tag, parent to any | |
documented descriptions of this CVE entry. While the "desc" | |
tag will always be present, there may be no "descript" child | |
tags. Only one "descript" tag will exist for each | |
description source (i.e. CVE, NVD, ...). </xs:documentation> | |
</xs:annotation> | |
<xs:complexType> | |
<xs:sequence> | |
<xs:element name="descript" type="cve:descriptType" minOccurs="0" maxOccurs="2"> | |
<xs:annotation> | |
<xs:documentation>A description of a CVE entry | |
from the source indicated by the "source" | |
attribute.</xs:documentation> | |
</xs:annotation> | |
</xs:element> | |
</xs:sequence> | |
</xs:complexType> | |
</xs:element> | |
<xs:element name="impacts" minOccurs="0"> | |
<xs:annotation> | |
<xs:documentation> Impact wrapper tag (may or may not be | |
present). Only one "impact" tag will exist for each impact | |
explanation source. </xs:documentation> | |
</xs:annotation> | |
<xs:complexType> | |
<xs:sequence> | |
<xs:element name="impact" type="cve:impactType"> | |
<xs:annotation> | |
<xs:documentation> Contains a specific impact | |
explanation of this CVE entry from source | |
indicated by the "source" attribute. | |
</xs:documentation> | |
</xs:annotation> | |
</xs:element> | |
</xs:sequence> | |
</xs:complexType> | |
</xs:element> | |
<xs:element name="sols" type="cve:solsType" minOccurs="0"> | |
<xs:annotation> | |
<xs:documentation> Solution wrapper tag (may or may not be | |
present). Only one "sol" tag will exist for each solution | |
explanation source. </xs:documentation> | |
</xs:annotation> | |
</xs:element> | |
<xs:element name="loss_types" type="cve:lossTypeType" minOccurs="0"> | |
<xs:annotation> | |
<xs:documentation> Loss type tag (may or may not be present). | |
Contains one loss type child for each loss type of this CVE | |
entry. Potential loss types are: "avail" => availability | |
"conf" => confidentiality "int" => integrity "sec_prot" => | |
security protection </xs:documentation> | |
</xs:annotation> | |
</xs:element> | |
<xs:element name="vuln_types" type="cve:vulnType" minOccurs="0"> | |
<xs:annotation> | |
<xs:documentation> Vulnerability type tag (may or may not be | |
present). Contains one vulnerability type child for each | |
vulnerability type of this CVE entry. Potential | |
vulnerability types are: "access" => Access validation error | |
"input" => Input validation error "design" => Design error | |
"exception" => Exceptional condition error "env" => | |
Environmental error "config" => Configuration error "race" | |
=> Race condition error "other" => other </xs:documentation> | |
</xs:annotation> | |
</xs:element> | |
<xs:element name="range" type="cve:rangeType" minOccurs="0"> | |
<xs:annotation> | |
<xs:documentation> Vulnerability range tag (may or may not be | |
present). Contains one vulnerability range child for each | |
vulnerability range of this CVE entry. Potential | |
vulnerability ranges are: "local" => Locally exploitable | |
"local_network" => Local network exploitable "network" => | |
Network exploitable "user_init" => User accesses attacker | |
</xs:documentation> | |
</xs:annotation> | |
</xs:element> | |
<xs:element name="refs"> | |
<xs:annotation> | |
<xs:documentation> Reference wrapper tag (always present). | |
External references to this CVE entry are contained within | |
this tag. </xs:documentation> | |
</xs:annotation> | |
<xs:complexType> | |
<xs:sequence> | |
<xs:element name="ref" type="cve:refType" minOccurs="0" maxOccurs="unbounded"> | |
<xs:annotation> | |
<xs:documentation> Individual reference to this CVE | |
entry. Text is the name of this vulnerability at | |
this particular reference. Attributes: "source" | |
(required) => Name of reference source "url" | |
(required) => hyperlink to reference "sig" => | |
indicates this reference includes a tool | |
signature "adv" => indicates this reference is a | |
Security Advisory "patch" => indicates this | |
reference includes a patch for this | |
vulnerability </xs:documentation> | |
</xs:annotation> | |
</xs:element> | |
</xs:sequence> | |
</xs:complexType> | |
</xs:element> | |
<xs:element name="vuln_soft" type="cve:vulnSoftType" minOccurs="0"> | |
<xs:annotation> | |
<xs:documentation> Vulnerable software wrapper tag (may or may | |
not be present). Software affected by this CVE entry are | |
listed within this tag. </xs:documentation> | |
</xs:annotation> | |
</xs:element> | |
</xs:sequence> | |
<xs:attribute name="type" use="required"> | |
<xs:annotation> | |
<xs:documentation>CVE or CAN</xs:documentation> | |
</xs:annotation> | |
<xs:simpleType> | |
<xs:restriction base="xs:NMTOKEN"> | |
<xs:enumeration value="CAN"/> | |
<xs:enumeration value="CVE"/> | |
</xs:restriction> | |
</xs:simpleType> | |
</xs:attribute> | |
<xs:attribute name="name" use="required"> | |
<xs:annotation> | |
<xs:documentation>the full CVE name</xs:documentation> | |
</xs:annotation> | |
<xs:simpleType> | |
<xs:restriction base="xs:ID"> | |
<xs:pattern value="(CAN|CVE)\-\d\d\d\d\-\d\d\d\d"/> | |
</xs:restriction> | |
</xs:simpleType> | |
</xs:attribute> | |
<xs:attribute name="seq" use="required"> | |
<xs:annotation> | |
<xs:documentation>the sequence number from CVE name</xs:documentation> | |
</xs:annotation> | |
<xs:simpleType> | |
<xs:restriction base="xs:NMTOKEN"> | |
<xs:pattern value="\d\d\d\d\-\d\d\d\d"/> | |
</xs:restriction> | |
</xs:simpleType> | |
</xs:attribute> | |
<xs:attribute name="nvd_name" type="xs:string"> | |
<xs:annotation> | |
<xs:documentation>the NVD name (if it exists)</xs:documentation> | |
</xs:annotation> | |
</xs:attribute> | |
<xs:attribute name="discovered" type="cve:dateType"> | |
<xs:annotation> | |
<xs:documentation>the date this entry was discovered</xs:documentation> | |
</xs:annotation> | |
</xs:attribute> | |
<xs:attribute name="published" type="cve:dateType" use="required"> | |
<xs:annotation> | |
<xs:documentation>the date this entry was published</xs:documentation> | |
</xs:annotation> | |
</xs:attribute> | |
<xs:attribute name="modified" type="cve:dateType"> | |
<xs:annotation> | |
<xs:documentation>the date this entry was last modified</xs:documentation> | |
</xs:annotation> | |
</xs:attribute> | |
<xs:attribute name="severity"> | |
<xs:annotation> | |
<xs:documentation>the entry's severity as determined by the NVD analysts: High, Medium, or Low</xs:documentation> | |
</xs:annotation> | |
<xs:simpleType> | |
<xs:restriction base="xs:NMTOKEN"> | |
<xs:enumeration value="High"/> | |
<xs:enumeration value="Medium"/> | |
<xs:enumeration value="Low"/> | |
</xs:restriction> | |
</xs:simpleType> | |
</xs:attribute> | |
<xs:attribute name="reject" type="cve:trueOnlyAttribute"> | |
<xs:annotation> | |
<xs:documentation>indicates that this CVE entry has been rejected by CVE or NVD</xs:documentation> | |
</xs:annotation> | |
</xs:attribute> | |
<xs:attribute name="CVSS_version" type="xs:string"> | |
<xs:annotation> | |
<xs:documentation>the CVSS Version Indicator</xs:documentation> | |
</xs:annotation> | |
</xs:attribute> | |
<xs:attribute name="CVSS_score" type="cve:zeroToTen"> | |
<xs:annotation> | |
<xs:documentation>Same as the CVSS_base_score to provide backwards compatability with the previous CVE XML feed format. This field is deprecated an may be removed at a future date.</xs:documentation> | |
</xs:annotation> | |
</xs:attribute> | |
<xs:attribute name="CVSS_base_score" type="cve:zeroToTen"> | |
<xs:annotation> | |
<xs:documentation>CVSS version 2 Base Score</xs:documentation> | |
</xs:annotation> | |
</xs:attribute> | |
<xs:attribute name="CVSS_impact_subscore" type="cve:zeroToTen"> | |
<xs:annotation> | |
<xs:documentation>CVSS version 2 Impact Score</xs:documentation> | |
</xs:annotation> | |
</xs:attribute> | |
<xs:attribute name="CVSS_exploit_subscore" type="cve:zeroToTen"> | |
<xs:annotation> | |
<xs:documentation>CVSS version 2 Exploit Score</xs:documentation> | |
</xs:annotation> | |
</xs:attribute> | |
<xs:attribute name="CVSS_vector" type="cve:CVSSVector"> | |
<xs:annotation> | |
<xs:documentation>the CVSS version 2 Vector string</xs:documentation> | |
</xs:annotation> | |
</xs:attribute> | |
</xs:complexType> | |
<xs:complexType name="descriptType"> | |
<xs:simpleContent> | |
<xs:extension base="xs:string"> | |
<xs:attribute name="source" type="cve:descriptSourceType" use="required"> | |
<xs:annotation> | |
<xs:documentation>The source of the CVE description.</xs:documentation> | |
</xs:annotation> | |
</xs:attribute> | |
</xs:extension> | |
</xs:simpleContent> | |
</xs:complexType> | |
<xs:complexType name="impactType"> | |
<xs:simpleContent> | |
<xs:extension base="xs:string"> | |
<xs:attribute name="source" type="cve:impactSourceType" use="required"> | |
</xs:attribute> | |
</xs:extension> | |
</xs:simpleContent> | |
</xs:complexType> | |
<xs:complexType name="vulnType"> | |
<xs:sequence> | |
<xs:element name="access" minOccurs="0"/> | |
<xs:element name="input" minOccurs="0"> | |
<xs:annotation> | |
<xs:documentation> Input validation error tag with | |
one attribute for each input validation error | |
type. Potential input validation error types | |
are: "bound" => Boundary condition error | |
"buffer" => Buffer overflow </xs:documentation> | |
</xs:annotation> | |
<xs:complexType> | |
<xs:attribute name="bound" type="cve:trueOnlyAttribute"/> | |
<xs:attribute name="buffer" type="cve:trueOnlyAttribute" | |
/> | |
</xs:complexType> | |
</xs:element> | |
<xs:element name="design" minOccurs="0"/> | |
<xs:element name="exception" minOccurs="0"/> | |
<xs:element name="env" minOccurs="0"/> | |
<xs:element name="config" minOccurs="0"/> | |
<xs:element name="race" minOccurs="0"/> | |
<xs:element name="other" minOccurs="0"/> | |
</xs:sequence> | |
</xs:complexType> | |
<xs:complexType name="solsType"> | |
<xs:sequence> | |
<xs:element name="sol"> | |
<xs:annotation> | |
<xs:documentation> Contains a specific solution | |
explanation of this CVE entry from source | |
indicated by the "source" attribute. | |
</xs:documentation> | |
</xs:annotation> | |
<xs:complexType mixed="true"> | |
<xs:simpleContent> | |
<xs:extension base="xs:string"> | |
<xs:attribute name="source" type="cve:solsSourceType" use="required"> | |
</xs:attribute> | |
</xs:extension> | |
</xs:simpleContent> | |
</xs:complexType> | |
</xs:element> | |
</xs:sequence> | |
</xs:complexType> | |
<xs:complexType name="lossTypeType"> | |
<xs:sequence> | |
<xs:element name="avail" minOccurs="0"/> | |
<xs:element name="conf" minOccurs="0"/> | |
<xs:element name="int" minOccurs="0"/> | |
<xs:element name="sec_prot" minOccurs="0"> | |
<xs:annotation> | |
<xs:documentation> Security Protection tag with one | |
attribute for each security protection type. | |
Potential security protection types are: "admin" | |
=> gain administrative access "user" => gain | |
user access "other" => other </xs:documentation> | |
</xs:annotation> | |
<xs:complexType> | |
<xs:attribute name="admin" type="cve:trueOnlyAttribute"/> | |
<xs:attribute name="user" type="cve:trueOnlyAttribute"/> | |
<xs:attribute name="other" type="cve:trueOnlyAttribute" | |
/> | |
</xs:complexType> | |
</xs:element> | |
</xs:sequence> | |
</xs:complexType> | |
<xs:complexType name="rangeType"> | |
<xs:sequence> | |
<xs:element name="local" minOccurs="0"/> | |
<xs:element name="local_network" minOccurs="0"/> | |
<xs:element name="network" minOccurs="0"/> | |
<xs:element name="user_init" minOccurs="0"/> | |
</xs:sequence> | |
</xs:complexType> | |
<xs:complexType name="refType"> | |
<xs:simpleContent> | |
<xs:extension base="xs:string"> | |
<xs:attribute name="source" type="xs:string" use="required"/> | |
<xs:attribute name="url" type="cve:urlType" use="required"/> | |
<xs:attribute name="sig" type="cve:trueOnlyAttribute"/> | |
<xs:attribute name="adv" type="cve:trueOnlyAttribute"/> | |
<xs:attribute name="patch" type="cve:trueOnlyAttribute"/> | |
</xs:extension> | |
</xs:simpleContent> | |
</xs:complexType> | |
<xs:complexType name="vulnSoftType"> | |
<xs:sequence> | |
<xs:element name="prod" maxOccurs="unbounded"> | |
<xs:annotation> | |
<xs:documentation> Product wrapper tag. Versions of | |
this product that are affected by this | |
vulnerability are listed within this tag. | |
Attributes: "name" => Product name "vendor" => | |
Vendor of this product </xs:documentation> | |
</xs:annotation> | |
<xs:complexType> | |
<xs:sequence> | |
<xs:element name="vers" maxOccurs="unbounded"> | |
<xs:annotation> | |
<xs:documentation> Represents a version | |
of this product that is affected by | |
this vulnerability. Attributes: | |
"num" => This version number "prev" | |
=> Indicates that versions previous | |
to this version number are also | |
affected by this vulnerability | |
"edition" => Indicates the edition | |
associated with the version number | |
</xs:documentation> | |
</xs:annotation> | |
<xs:complexType> | |
<xs:attribute name="num" | |
type="xs:string" use="required"/> | |
<xs:attribute name="prev" | |
type="cve:trueOnlyAttribute"/> | |
<xs:attribute name="edition" | |
type="xs:string"/> | |
</xs:complexType> | |
</xs:element> | |
</xs:sequence> | |
<xs:attribute name="name" type="xs:string" | |
use="required"/> | |
<xs:attribute name="vendor" type="xs:string" | |
use="required"/> | |
</xs:complexType> | |
</xs:element> | |
</xs:sequence> | |
</xs:complexType> | |
<!-- ******************************************************************* --> | |
<!-- * Simple Types * --> | |
<!-- ******************************************************************* --> | |
<xs:simpleType name="descriptSourceType"> | |
<xs:restriction base="xs:NMTOKEN"> | |
<xs:enumeration value="cve"/> | |
<xs:enumeration value="nvd"/> | |
</xs:restriction> | |
</xs:simpleType> | |
<xs:simpleType name="impactSourceType"> | |
<xs:restriction base="xs:NMTOKEN"> | |
<xs:enumeration value="nvd"/> | |
</xs:restriction> | |
</xs:simpleType> | |
<xs:simpleType name="solsSourceType"> | |
<xs:restriction base="xs:NMTOKEN"> | |
<xs:enumeration value="nvd"/> | |
</xs:restriction> | |
</xs:simpleType> | |
<xs:simpleType name="dateType"> | |
<xs:annotation> | |
<xs:documentation> Defines date format for NVD. Dates follow the mask "yyyy-mm-dd" | |
</xs:documentation> | |
</xs:annotation> | |
<xs:restriction base="xs:string"> | |
<xs:pattern | |
value="(19|20)\d\d-((01|03|05|07|08|10|12)-(0[1-9]|[1-2]\d|3[01])|(04|06|09|11)-(0[1-9]|[1-2]\d|30)|02-(0[1-9]|1\d|2\d))" | |
/> | |
</xs:restriction> | |
</xs:simpleType> | |
<xs:simpleType name="urlType"> | |
<xs:annotation> | |
<xs:documentation> Restricts urls in NVD beyond the xs:anyURI restrictions. | |
</xs:documentation> | |
</xs:annotation> | |
<xs:restriction base="xs:anyURI"> | |
<xs:whiteSpace value="collapse"/> | |
<xs:pattern value="(news|(ht|f)tp(s)?)://.+"/> | |
</xs:restriction> | |
</xs:simpleType> | |
<xs:simpleType name="trueOnlyAttribute"> | |
<xs:annotation> | |
<xs:documentation> simpleType used for attributes that are only present when they are | |
true. Such attributes appear only in the form attribute_name="1". | |
</xs:documentation> | |
</xs:annotation> | |
<xs:restriction base="xs:NMTOKEN"> | |
<xs:enumeration value="1"/> | |
</xs:restriction> | |
</xs:simpleType> | |
<xs:simpleType name="zeroToTen"> | |
<xs:annotation> | |
<xs:documentation> simpleType used when scoring on a scale of 0-10, inclusive | |
</xs:documentation> | |
</xs:annotation> | |
<xs:restriction base="xs:decimal"> | |
<xs:minInclusive value="0" fixed="true"/> | |
<xs:maxInclusive value="10" fixed="true"/> | |
</xs:restriction> | |
</xs:simpleType> | |
<xs:simpleType name="CVSSVector"> | |
<xs:annotation> | |
<xs:documentation>simpleType to describe the CVSS Base Vector </xs:documentation> | |
</xs:annotation> | |
<xs:restriction base="xs:string"> | |
<xs:pattern | |
value="\(AV:[LAN]/AC:[HML]/Au:[NSM]/C:[NPC]/I:[NPC]/A:[NPC]\)"/> | |
</xs:restriction> | |
</xs:simpleType> | |
</xs:schema> |