DependencyCheck
Removal of restrictions within the /cves/ 2.0 API schema
I received the following email from NVD:
Removal of restrictions within the /cves/ 2.0 API schema
To enable more flexibility within our API output we need to remove certain restrictions from the existing 2.0 API schemas.
Why does this matter? All existing API users will need to update to the 2.1.0 /cves/ schema or later. Many systems reference a cached or local version of a schema when performing validation. Since the /cves/ schema prior to 2.1.0 is overly restrictive, any system that references an older version of the schema that contains additionalProperties: false in the locations changed may no longer validate against future 2.0 API output. We plan to begin including new data types within the 2.0 API output in the near future. We advise updating any schema references within the next 30 days.
What changes were made? Removed additionalProperties: false from the following objects:
"cve_item":
"reference":
"metrics":
Similar information is available at our news page.
For questions and concerns, you may contact [email protected].
How will this change in the NVD API affect DependencyCheck? And do I need to open a feature request for any changes that need to be done?
Will require update of the open-vulnerability-clients library once that is updated. See also https://github.com/jeremylong/Open-Vulnerability-Project/issues/154
Note that while we created https://github.com/jeremylong/Open-Vulnerability-Project/pull/158 - there are no impactful changes due to the schema change.
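The failure mode described in the NVD email quoted above, as an added example that is not code from NVD, DependencyCheck or the Open-Vulnerability-Project. The schema is a constructed, heavily simplified stand-in for the three objects the email names, the validator covers only the keywords used here, and the `new...` field names are hypothetical.

```python
# Minimal validator for the JSON Schema keywords used below: type, properties,
# required, additionalProperties, items. Not a full JSON Schema implementation.
def validate(instance, schema, path="$"):
    """Return a list of error strings; an empty list means the instance validates."""
    errors = []
    kind = schema.get("type")
    if kind == "object":
        if not isinstance(instance, dict):
            return [f"{path}: expected object"]
        props = schema.get("properties", {})
        for name in schema.get("required", []):
            if name not in instance:
                errors.append(f"{path}: missing required property '{name}'")
        for name, value in instance.items():
            if name in props:
                errors.extend(validate(value, props[name], f"{path}.{name}"))
            elif schema.get("additionalProperties", True) is False:
                errors.append(f"{path}: unexpected property '{name}'")
    elif kind == "array":
        if not isinstance(instance, list):
            return [f"{path}: expected array"]
        for i, item in enumerate(instance):
            errors.extend(validate(item, schema.get("items", {}), f"{path}[{i}]"))
    elif kind == "string" and not isinstance(instance, str):
        errors.append(f"{path}: expected string")
    return errors

def cve_item_schema(strict):
    """Constructed stand-in for cve_item; strict=True mimics a cached pre-2.1.0 schema."""
    reference = {"type": "object", "required": ["url"],
                 "properties": {"url": {"type": "string"}}}
    metrics = {"type": "object", "properties": {}}
    item = {"type": "object", "required": ["id", "references"],
            "properties": {"id": {"type": "string"}, "metrics": metrics,
                           "references": {"type": "array", "items": reference}}}
    if strict:  # restore the restriction on the three objects the email names
        for obj in (item, reference, metrics):
            obj["additionalProperties"] = False
    return item

# Constructed API record carrying hypothetical new fields at all three locations.
RECORD = {"id": "CVE-0000-0000", "newTopLevelField": "x",
          "metrics": {"newMetricType": []},
          "references": [{"url": "https://example.com/advisory", "newRefField": "x"}]}

if __name__ == "__main__":
    print("cached strict schema:", validate(RECORD, cve_item_schema(strict=True)))
    print("relaxed schema:      ", validate(RECORD, cve_item_schema(strict=False)))
```

The relaxed schema still enforces `required` and types, so dropping `additionalProperties: false` only stops unknown fields from failing validation.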