Closed MrSeccubus closed 1 year ago
@MrSeccubus That's because it's the output of two different API calls, one to get the object representing the CVE ID reservation, and the other is the CVE record object. We chose to put them in as two items of an array to still have a valid JSON object as a result.
The CVE record object (the second item in the array) is a full record that is valid against the 5.0 schema; you'll notice it has the cveMetadata object within itself. The CVE ID reservation object is not the part of the schema under cveMetadata. In the actual schema, that object looks like this:
"cveMetadata": {
  "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
  "assignerShortName": "redhat",
  "cveId": "CVE-2021-20311",
  "datePublished": "2021-05-11T22:30:47",
  "dateReserved": "2020-12-17T00:00:00",
  "dateUpdated": "2021-05-11T22:30:47",
  "state": "PUBLISHED"
},
which is different from what the API returns:
{
  "cve_id": "CVE-2022-36249",
  "cve_year": "2022",
  "owning_cna": "TEST",
  "requested_by": {
    "cna": "TEST",
    "user": "TEST_USER"
  },
  "reserved": "2022-11-07T11:55:12.047Z",
  "state": "PUBLISHED",
  "time": {
    "created": "2022-11-07T11:55:12.049Z",
    "modified": "2022-11-07T16:03:20.456Z"
  }
}
If you're parsing the JSON output, and want the record only, you could simply use the second item in the array. If you have any ideas on how to improve this, do let us know :wink:.
Damn! I see what you mean and my PR #45 then doesn't fix this either :-(
I think the help text of cve show -h is misleading.
Options:
  -r, --show-record  Show full CVE record in JSON v5 format.
  --raw              Print response JSON.
  -h, --help         Show this message and exit.
It says that with -r it should return a full cve record.
But, if I take the output of cve show -r --raw CVE-2022-36249 and validate it against the schema, it simply doesn't validate because you are not showing the full record, you are showing an array with the full record and the data of the reservation.
In my opinion -r should show the full record and the full record only.
I have updated PR #45 to change this.
What I was looking for is a cve command to run that would return the full record to me so I could send it to a json file.
cve show -r --raw CVE-2022-36249 >CVE-2022-36249.json
doesn't produce a json file with a cve record in it
cve show -r CVE-2022-36249 >CVE-2022-36249.json
doesn't produce a valid json file with a cve record in it because it has this header
cve show -r CVE-2022-36249 |jq .[1]>CVE-2022-36249.json
might do the trick, but it is not obvious from the docs that this is what you need to do.
Agreed, I guess showing the full record only when the option is specified is less surprising and would make your first command work as you'd expect.
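An added example, not part of the thread or of the tool's own code: a way to pull the CVE record out of the `cve show -r --raw` output by shape rather than by array position, so it works on both the two-item array described above and a bare record. The function name `extract_cve_record` and the sample data are assumptions made for this illustration.

```python
import json


def extract_cve_record(raw_output: str, expected_id: str) -> dict:
    """Return the CVE JSON 5.0 record from `cve show -r --raw` output.

    Accepts either the two-item array described in this thread
    (reservation object, then record) or a bare record object.
    """
    data = json.loads(raw_output)
    candidates = data if isinstance(data, list) else [data]
    # Select by shape, not position: only the record carries cveMetadata;
    # the reservation object uses cve_id / owning_cna instead.
    records = [c for c in candidates
               if isinstance(c, dict) and isinstance(c.get("cveMetadata"), dict)]
    if len(records) != 1:
        raise ValueError(f"expected exactly one CVE record, found {len(records)}")
    record = records[0]
    found_id = record["cveMetadata"].get("cveId")
    if found_id != expected_id:
        raise ValueError(f"record is for {found_id!r}, not {expected_id!r}")
    return record


# Constructed sample: a trimmed reservation object like the one in the thread,
# plus a minimal hand-written record (not real data, not schema-complete).
SAMPLE_OUTPUT = json.dumps([
    {"cve_id": "CVE-2022-36249", "cve_year": "2022", "owning_cna": "TEST",
     "state": "PUBLISHED", "reserved": "2022-11-07T11:55:12.047Z"},
    {"dataType": "CVE_RECORD", "dataVersion": "5.0",
     "cveMetadata": {"cveId": "CVE-2022-36249", "assignerShortName": "TEST",
                     "state": "PUBLISHED"},
     "containers": {"cna": {}}},
])

if __name__ == "__main__":
    rec = extract_cve_record(SAMPLE_OUTPUT, "CVE-2022-36249")
    # Only the record is printed, so the output can be redirected to a file
    # and passed to a schema validator.
    print(json.dumps(rec, indent=2))
```

The check here is structural only; validating the extracted object against the published 5.0 schema is a separate step.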
Command:
cve show -r --raw
Expected:
Got: