ossf / wg-vulnerability-disclosures

The OpenSSF Vulnerability Disclosures Working Group seeks to help improve the overall security of the open source software ecosystem by helping mature and advocate well-managed vulnerability reporting and communication.
https://openssf.org
Apache License 2.0

schema: Ensure the pattern matches the known CVE sequence lengths #19

Closed Foxboron closed 3 years ago

Foxboron commented 3 years ago

I don't see any guidelines how these patches should be done, but PR so I don't forget about it :smile:


The current schema only matches 5 digits in the sequence length, however MITRE defines this to be "four or more digits"[1]. The longest I have observed is 7 digits[2], which is also an example on the website. This patch ensures we cover this range of known CVE IDs.

Signed-off-by: Morten Linderud morten@linderud.pw

bwillis commented 3 years ago

👍 Yeah makes sense to me, their FAQ has the format reference:

> CVE prefix + year + sequence number digits

Reference MITRE CVE FAQ

Foxboron commented 3 years ago

Ah, I did find the news about the new format now: https://cve.mitre.org/news/archives/2014/news.html#jan152014_New_CVE_ID_Format_in_Effect_as_of_January_1_2014

Arguably 7 digits isn't enough either. I wonder if just specifying {4,99} (or something like that) would further future-proof the schema?

bwillis commented 3 years ago

> Arguably 7 digits isn't enough either. I wonder if just specifying {4,99} (or something like that) would further future-proof the schema?

Yeah, 99 or I think if you leave it empty {4,} it would be unbounded. Up to you!

Foxboron commented 3 years ago

Went with {4,}. I reckon it's cleaner. Thanks :)
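The two bounds discussed in this thread side by side, as an added example that is not part of the PR or the schema itself: the pre-PR pattern is reconstructed from the description "only matches 5 digits" (the schema's exact regex is not quoted in the thread, so that reconstruction and the sample identifiers are assumptions), and the post-PR pattern uses the unbounded `{4,}` that was finally chosen.

```python
import re

# Reconstruction of the pre-PR schema pattern as the thread describes it:
# exactly five sequence digits. Assumption: the schema file's literal regex
# is not quoted in the discussion.
OLD_CVE_PATTERN = re.compile(r"^CVE-\d{4}-\d{5}$")

# Pattern after the PR: four or more sequence digits, unbounded via {4,},
# matching MITRE's post-2014 "four or more digits" format rule.
NEW_CVE_PATTERN = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample identifiers (not real advisories). The 7-digit one
# mirrors the longest sequence length the PR author says they observed.
SAMPLE_IDS = [
    "CVE-2014-0001",     # 4-digit sequence: valid under MITRE's rule
    "CVE-2014-12345",    # 5-digit: the only length the old schema accepted
    "CVE-2014-1234567",  # 7-digit: observed in the wild, rejected by {5}
    "CVE-2014-123",      # too short: invalid under both patterns
    "CVE-14-12345",      # malformed year: invalid under both patterns
    "cve-2014-12345",    # wrong case: invalid, schema patterns are case-sensitive
]


def is_valid_cve(cve_id: str, pattern: re.Pattern = NEW_CVE_PATTERN) -> bool:
    """True if cve_id matches the CVE identifier pattern.

    search() rather than fullmatch() is used on purpose: JSON Schema's
    "pattern" keyword is not implicitly anchored, so the ^ and $ in the
    regex are what prevent 'xCVE-2014-12345y' from slipping through.
    """
    return pattern.search(cve_id) is not None


def compare_patterns(ids):
    """Map each id to (accepted_by_old, accepted_by_new)."""
    return {i: (is_valid_cve(i, OLD_CVE_PATTERN), is_valid_cve(i)) for i in ids}


def ids_newly_accepted(ids):
    """IDs the MITRE format allows but the pre-PR {5} bound wrongly rejected."""
    return [i for i, (old, new) in compare_patterns(ids).items() if new and not old]


if __name__ == "__main__":
    for cve_id, (old, new) in compare_patterns(SAMPLE_IDS).items():
        print(f"{cve_id:20} old={old!s:5} new={new!s:5}")
```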

joshbressers commented 3 years ago

How do we get this merged? I have a suspicion there aren't enough people with write access.

I have an internal project I'm going to start using this schema for (and probably suggest some changes). I want to see this change merged but also have a path forward for getting things merged that doesn't require hassling @MarcinHoppe :)

MarcinHoppe commented 3 years ago

@joshbressers thanks for the ping! Looks like there are no objections so I will merge.

Currently adding people to the ossf org is a manual process, but I will that all current members of the WG are added.

Foxboron commented 3 years ago

Thanks :)