CVE Record Format version 5.2.0 Release Candidate 1

Pre-release
@ccoffin ccoffin released this 03 Sep 15:53
5533f60

Changes in CVE Record Format 5.2.0:

  1. Added support for PURL (Package URL) identifiers using the packageURL property within the affected array items (i.e., product objects).
  2. Added additionalProperties equal to false for the affected array items. New or renamed properties are no longer allowed for affected array items (i.e., product objects).
  3. Updates were made to the example CVE Records including PURL examples, tag examples, and a fix to improve compliance with the CNA Rules.
  4. Multiple documentation and infrastructure improvements were made to better support future CVE Record Format updates.

CVE JSON producing tools or CVE client implementation considerations:

⚠️ In some rare instances, if a tool is defining JSON property names incorrectly or adding additional properties under the affected array (product objects), the schema validation will now flag and disallow these cases.

✅ With the exception of the rare case described above, if a tool is already producing valid CVE 5.1.1 Records then no changes to client-side tooling are required. However, it is recommended to upgrade to the CVE Record Format 5.2.0 to support the new features listed above.

⚠️ If a CVE services client is performing schema validation prior to submission, please use the CVE Record Format 5.2.0 schema to validate the Record.
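A pre-submission check for the case flagged above, as an added example that is not part of the release or of the CVE project's tooling: it lists the keys in each affected item that additionalProperties set to false would reject. The property list in PRODUCT_SCHEMA is a constructed subset, and the containers.cna / containers.adp paths and the sample record are assumptions; load the real product definition from the published 5.2.0 schema.

```python
import json

# Constructed stand-in for the product-object definition (NOT the real schema).
PRODUCT_SCHEMA = {
    "type": "object",
    "properties": {k: {} for k in (
        "vendor", "product", "packageName", "collectionURL",
        "packageURL", "defaultStatus", "versions")},
    "additionalProperties": False,
}

def iter_affected(record):
    """Yield (path, product_object) from the CNA and any ADP containers."""
    containers = record.get("containers", {})
    for i, item in enumerate(containers.get("cna", {}).get("affected", [])):
        yield f"containers.cna.affected[{i}]", item
    for a, adp in enumerate(containers.get("adp", [])):
        for i, item in enumerate(adp.get("affected", [])):
            yield f"containers.adp[{a}].affected[{i}]", item

def unexpected_properties(record, product_schema=PRODUCT_SCHEMA):
    """Return (path, key) pairs that additionalProperties=false would reject."""
    if product_schema.get("additionalProperties", True) is not False:
        return []  # in this sketch only a literal false forbids unknown keys
    allowed = set(product_schema.get("properties", {}))
    return [(path, key)
            for path, item in iter_affected(record)
            for key in sorted(set(item) - allowed)]

# Constructed sample record fragment: item 1 has a wrong-case and an extra key.
SAMPLE = json.loads("""
{"containers": {"cna": {"affected": [
  {"vendor": "Example", "product": "widget",
   "packageURL": "pkg:pypi/example-widget", "defaultStatus": "affected"},
  {"vendor": "Example", "product": "gadget",
   "packageUrl": "pkg:npm/example-gadget", "internalTracker": "T-1"}
]}}}
""")

if __name__ == "__main__":
    for path, key in unexpected_properties(SAMPLE):
        print(f"{path}: property {key!r} is not defined for product objects")
```

The wrong-case packageUrl key is the kind of silent error that passed validation while unknown properties were tolerated and is now reported.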

CVE data consumer considerations:

✅ If a CVE data consumer is not validating the JSON data against the CVE Record Format schema, then no changes are required to the consumer-side code.

⚠️ If a CVE data consumer is validating the JSON data against the CVE Record Format schema, then it is recommended that they begin using the CVE Record Format 5.2.0 schema to validate Records.