I'm reviewing the material and bumped into a series of issues while validating JSON files. Particularly with cmdlinejsonvalidator.py. Below I provide a couple of examples of the issues I encountered. First, tried with CVE_JSON_4.0_min_public.schema though I suspect this is not the intended use of the script (reason why I did so is because the tickets report version 4.0, e.g. this one https://github.com/CVEProject/cvelist/blob/master/2019/1000xxx/CVE-2019-1000005.json#L35):
cmdlinejsonvalidator.py CVE_JSON_4.0_min_public.schema
```bash
python2 cmdlinejsonvalidator.py ../cve_json_schema/CVE_JSON_4.0_min_public.schema ~/Downloads/CVE-2019-1000005.json
Traceback (most recent call last):
File "cmdlinejsonvalidator.py", line 70, in <module>
main()
File "cmdlinejsonvalidator.py", line 66, in main
jsonvalidation(args.jsondoc, args.schema)
File "cmdlinejsonvalidator.py", line 48, in jsonvalidation
validate(json_doc, schema_doc)
File "/usr/local/lib/python2.7/site-packages/jsonschema/validators.py", line 930, in validate
cls.check_schema(schema)
File "/usr/local/lib/python2.7/site-packages/jsonschema/validators.py", line 294, in check_schema
raise exceptions.SchemaError.create_from(error)
jsonschema.exceptions.SchemaError: {u'description_data': [{u'lang': u'eng', u'value': u'mPDF version 7.1.7 and earlier contains a CWE-502: Deserialization of Untrusted Data vulnerability in getImage() method of Image/ImageProcessor class that can result in Arbitry code execution, file write, etc.. This attack appears to be exploitable via attacker must host crafted image on victim server and trigger generation of pdf file with content . This vulnerability appears to have been fixed in 7.1.8.'}]} is not of type u'string'
Failed validating u'type' in metaschema[u'properties'][u'description']:
{u'type': u'string'}
On schema[u'description']:
{u'description_data': [{u'lang': u'eng',
u'value': u'mPDF version 7.1.7 and earlier contains a CWE-502: Deserialization of Untrusted Data vulnerability in getImage() method of Image/ImageProcessor class that can result in Arbitry code execution, file write, etc.. This attack appears to be exploitable via attacker must host crafted image on victim server and trigger generation of pdf file with content . This vulnerability appears to have been fixed in 7.1.8.'}]}
```
Then, I tried with what looks like the intended JSON schema, but of version 3.1:
cmdlinejsonvalidator.py CVE_JSON_schema-3.1.json
```bash
❯ python2 cmdlinejsonvalidator.py ../cve_json_schema/v3.1/CVE_JSON_schema-3.1.json ~/Downloads/CVE-2019-1000005.json
Traceback (most recent call last):
File "cmdlinejsonvalidator.py", line 70, in <module>
main()
File "cmdlinejsonvalidator.py", line 66, in main
jsonvalidation(args.jsondoc, args.schema)
File "cmdlinejsonvalidator.py", line 48, in jsonvalidation
validate(json_doc, schema_doc)
File "/usr/local/lib/python2.7/site-packages/jsonschema/validators.py", line 930, in validate
cls.check_schema(schema)
File "/usr/local/lib/python2.7/site-packages/jsonschema/validators.py", line 294, in check_schema
raise exceptions.SchemaError.create_from(error)
jsonschema.exceptions.SchemaError: {u'description_data': [{u'lang': u'eng', u'value': u'mPDF version 7.1.7 and earlier contains a CWE-502: Deserialization of Untrusted Data vulnerability in getImage() method of Image/ImageProcessor class that can result in Arbitry code execution, file write, etc.. This attack appears to be exploitable via attacker must host crafted image on victim server and trigger generation of pdf file with content . This vulnerability appears to have been fixed in 7.1.8.'}]} is not of type u'string'
Failed validating u'type' in metaschema[u'properties'][u'description']:
{u'type': u'string'}
On schema[u'description']:
{u'description_data': [{u'lang': u'eng',
u'value': u'mPDF version 7.1.7 and earlier contains a CWE-502: Deserialization of Untrusted Data vulnerability in getImage() method of Image/ImageProcessor class that can result in Arbitry code execution, file write, etc.. This attack appears to be exploitable via attacker must host crafted image on victim server and trigger generation of pdf file with content . This vulnerability appears to have been fixed in 7.1.8.'}]}
```
Am I using the schemas wrongly maybe? If so, can someone please point me to a usage section or simply provide an example?
In addition, it'd be extremely helpful to understand what's the future like for these tools. Will they be maintained? There doesn't seem to be active support behind them (Python 2.x, 2 years last update).
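Both tracebacks above fail inside `cls.check_schema(schema)`, before the document is ever looked at, and the object rejected at `schema[u'description']` is the CVE record's own `description_data` block. In other words the CVE record reached `validate()` in the schema position, which is what you get when the two positional arguments are given in the opposite order from the one the script expects (the traceback shows it calling `jsonvalidation(args.jsondoc, args.schema)`, document first). The script below is an added example, not the CVE project's `cmdlinejsonvalidator.py`; it uses the same `jsonschema` library, checks the schema against its metaschema first so that this mistake is reported as "invalid-schema" rather than as a traceback, and then lists every document error. `CVE_SCHEMA` and `CVE_RECORD` are constructed, cut-down stand-ins for `CVE_JSON_4.0_min_public.schema` and a cvelist entry, not the real files; the script name `validate_cve.py` is likewise assumed.

```python
#!/usr/bin/env python3
"""Validate a CVE JSON record against a JSON Schema, checking the schema first.

Added example, not the CVE project's cmdlinejsonvalidator.py. Needs the
`jsonschema` package. CVE_SCHEMA and CVE_RECORD below are constructed
stand-ins for the real CVE_JSON_4.0_min_public.schema and a cvelist record.
"""
import json
import sys

from jsonschema import exceptions
from jsonschema.validators import validator_for

# Constructed, cut-down stand-in for the CVE 4.0 schema (draft-04 keywords only).
CVE_SCHEMA = {
    "$schema": "http://json-schema.org/draft-04/schema#",
    "type": "object",
    "required": ["data_type", "data_format", "data_version",
                 "CVE_data_meta", "description"],
    "properties": {
        "data_type": {"enum": ["CVE"]},
        "data_format": {"enum": ["MITRE"]},
        "data_version": {"enum": ["4.0"]},
        "CVE_data_meta": {
            "type": "object",
            "required": ["ID", "ASSIGNER"],
            "properties": {
                "ID": {"type": "string", "pattern": "^CVE-[0-9]{4}-[0-9]{4,}$"},
                "ASSIGNER": {"type": "string"},
            },
        },
        # In a CVE record "description" is an object; in a JSON Schema the
        # metaschema requires "description" to be a string.  That mismatch is
        # exactly what check_schema() trips over when a record is passed as
        # the schema.
        "description": {
            "type": "object",
            "required": ["description_data"],
            "properties": {
                "description_data": {
                    "type": "array",
                    "minItems": 1,
                    "items": {
                        "type": "object",
                        "required": ["lang", "value"],
                        "properties": {"lang": {"type": "string"},
                                       "value": {"type": "string"}},
                    },
                }
            },
        },
    },
}

# Constructed minimal CVE 4.0 record shaped like a cvelist entry.
CVE_RECORD = {
    "data_type": "CVE",
    "data_format": "MITRE",
    "data_version": "4.0",
    "CVE_data_meta": {"ID": "CVE-2019-1000005", "ASSIGNER": "cve@mitre.org"},
    "description": {"description_data": [{"lang": "eng",
                                          "value": "constructed description"}]},
}


def _describe(err):
    """Render a jsonschema error as 'path/in/instance: message'."""
    where = "/".join(str(p) for p in err.path) or "(root)"
    return f"{where}: {err.message}"


def validate_record(record, schema):
    """Return (status, messages); status is "ok", "invalid-schema" or "invalid-document".

    The schema is validated against its metaschema before the record is
    touched, so a CVE record handed over in the schema position comes back
    as "invalid-schema" with the offending path instead of a traceback.
    """
    cls = validator_for(schema)  # picks Draft4Validator from "$schema"
    try:
        cls.check_schema(schema)
    except exceptions.SchemaError as err:
        return "invalid-schema", [_describe(err)]
    errors = sorted(cls(schema).iter_errors(record),
                    key=lambda e: "/".join(str(p) for p in e.path))
    if errors:
        return "invalid-document", [_describe(e) for e in errors]
    return "ok", []


def main(argv):
    """CLI: validate_cve.py RECORD.json SCHEMA.json (document first, then schema)."""
    if len(argv) != 3:
        print("usage: validate_cve.py RECORD.json SCHEMA.json", file=sys.stderr)
        return 2
    with open(argv[1]) as fh:
        record = json.load(fh)
    with open(argv[2]) as fh:
        schema = json.load(fh)
    status, messages = validate_record(record, schema)
    print(status)
    for line in messages:
        print("  " + line)
    return 0 if status == "ok" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 validate_cve.py CVE-2019-1000005.json CVE_JSON_4.0_min_public.schema`, record first. If the two files are swapped it prints `invalid-schema` with `description: {...} is not of type 'string'`, the same complaint the tracebacks above show, which is the tell that whatever sits in the schema slot is not a schema; a genuine document problem (missing `ASSIGNER`, malformed `ID`, and so on) is listed per path under `invalid-document`.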
The current schema version is 5.0 and is available at https://github.com/CVEProject/cve-schema/. Please file any issues around validation tooling in that repo. Thank you!