CVE v5 Schema $id returns a 404

[joshbuker]

Per the v5 schema: https://raw.githubusercontent.com/CVEProject/cve-schema/master/schema/v5.0/CVE_JSON_5.0_schema.json

The canonical URL for the schema is: https://cve.org/cve/record/v5_00/

"$id": "https://cve.org/cve/record/v5_00/",

That page currently returns a 404 instead of the schema json:

[chandanbn]

We discussed this and should fix by pointing to
https://raw.githubusercontent.com/CVEProject/cve-schema/master/schema/v5.0/CVE_JSON_5.0_schema.json

[joshbuker]

@chandanbn so, there is one gotcha that would make providing a specific endpoint as opposed to relying on githubusercontent preferable: JSON schema expects application/schema+json, but githubusercontent serves text/plain causing validators to break.

See also:

• How to handle JSON schema validation CloudSecurityAlliance/gsd-tools#173
• Add endpoint for serving the latest OSV JSON schema  google/osv.dev#1166
• https://json-schema.org/draft/2020-12/json-schema-core.html#name-json-schema-documents

Would it be possible to get specific endpoints that provide v4 and v5 schemas with the appropriate content type?

Alternatively, we could reach out to the JSON schema validator maintainers, and see if it's possible to get validators to accept text/plain for schema $ref's (perhaps as an optional flag).

[mprpic]

Alternatively, it could be published under https://cveproject.github.io/cve-schema/ where the content type should be set based on the file extension: https://github.com/jshttp/mime-db/blob/a76e5a824c228e2e58363c9404e42a54ee1d142f/src/apache-types.json#L195

[chandanbn]

Fixed to point to https://cveproject.github.io/cve-schema/schema/v5.0/docs/CVE_JSON_5.0_bundled.json
I see it has the right content type, and the bundles schema should not cause problems with refs.

[joshbuker]

@chandanbn Heads up that the $id for https://cveproject.github.io/cve-schema/schema/v5.0/docs/CVE_JSON_5.0_bundled.json does not point to itself (still points to the 404ing https://cve.org/cve/record/v5_00/)