<?xml version="1.0" encoding="UTF-8"?>
<!--
== Model: Version 0-4 NetD
== Package: vulnerability
-->
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns="http://scap.nist.gov/schema/vulnerability/0.4"
xmlns:scap-core="http://scap.nist.gov/schema/scap-core/0.1"
xmlns:cve="http://scap.nist.gov/schema/cve/0.1"
xmlns:cce="http://scap.nist.gov/schema/cce/0.1"
xmlns:cvssv2="http://scap.nist.gov/schema/cvss-v2/0.2"
xmlns:cpe-lang="http://cpe.mitre.org/language/2.0"
xmlns:patch="http://scap.nist.gov/schema/patch/0.1"
xmlns:xml="http://www.w3.org/XML/1998/namespace"
targetNamespace="http://scap.nist.gov/schema/vulnerability/0.4"
elementFormDefault="qualified" attributeFormDefault="unqualified"
version="0.4">
<xsd:import namespace="http://scap.nist.gov/schema/scap-core/0.1" schemaLocation="scap-core_0.1.xsd"/>
<xsd:import namespace="http://scap.nist.gov/schema/cve/0.1" schemaLocation="cve_0.1.xsd"/>
<xsd:import namespace="http://scap.nist.gov/schema/cce/0.1" schemaLocation="cce_0.1.xsd"/>
<xsd:import namespace="http://scap.nist.gov/schema/cvss-v2/0.2" schemaLocation="cvss-v2_0.2.xsd"/>
<xsd:import namespace="http://cpe.mitre.org/language/2.0" schemaLocation="cpe-language_2.1.xsd"/>
<xsd:import namespace="http://scap.nist.gov/schema/patch/0.1" schemaLocation="patch_0.1.xsd"/>
<xsd:import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="../common/xml.xsd"/>
<!-- ================================================== -->
<!-- ===== Element Declarations -->
<!-- ================================================== -->
<!-- The only global element in this schema: instance documents are rooted at "vulnerability" and validated against vulnerabilityType (declared below). Local elements inside the complex types are not valid roots. -->
<xsd:element name="vulnerability" type="vulnerabilityType"/>
<!-- ================================================== -->
<!-- ===== Simple Type Definitions -->
<!-- ================================================== -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Fix_Action_Description_List <<simpleType>> -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Value set for the required fix_action_description attribute of fixActionType: the kind of action a fix consists of. Based on xsd:token, so surrounding whitespace is collapsed before the value is matched; the match itself is case-sensitive. -->
<xsd:simpleType name="fixActionDescriptionEnumType">
<xsd:restriction base="xsd:token">
<xsd:enumeration value="PATCH"/>
<xsd:enumeration value="SOFTWARE_UPDATE"/>
<xsd:enumeration value="CONFIGURATION_CHANGE"/>
<xsd:enumeration value="POLICY_CHANGE"/>
<xsd:enumeration value="EXTERNAL_MITIGATION"/>
</xsd:restriction>
</xsd:simpleType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Fix_Action_Type_List <<simpleType>> -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Value set for the required fix_action_type attribute of fixActionType: whether the action mitigates or remediates. How completely the action addresses the risk is recorded separately by the optional effectiveness element (fixEffectivenessEnumType). -->
<xsd:simpleType name="fixActionTypeEnumType">
<xsd:restriction base="xsd:token">
<xsd:enumeration value="MITIGATION"/>
<xsd:enumeration value="REMEDIATION"/>
</xsd:restriction>
</xsd:simpleType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Fix_Effectiveness_List <<simpleType>> -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Value set for the optional effectiveness element of fixActionType. Per that element's documentation, COMPLETE means the fix fully avoids the risk associated with the vulnerability and PARTIAL means it only reduces it. -->
<xsd:simpleType name="fixEffectivenessEnumType">
<xsd:restriction base="xsd:token">
<xsd:enumeration value="PARTIAL"/>
<xsd:enumeration value="COMPLETE"/>
</xsd:restriction>
</xsd:simpleType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Vulnerability_Reference_Category_List <<simpleType>> -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Value set for the required reference_type attribute of vulnerabilityReferenceType. UNKNOWN is the explicit fallback when the category of a reference cannot be stated. The schema only constrains the label; it cannot check that the referenced resource really is, say, a vendor advisory, so consumers should treat the category as asserted by the producer. -->
<xsd:simpleType name="vulnerabilityReferenceCategoryEnumType">
<xsd:restriction base="xsd:token">
<xsd:enumeration value="PATCH"/>
<xsd:enumeration value="VENDOR_ADVISORY"/>
<xsd:enumeration value="THIRD_PARTY_ADVISORY"/>
<xsd:enumeration value="SIGNATURE_SOURCE"/>
<xsd:enumeration value="MITIGATION_PROCEDURE"/>
<xsd:enumeration value="TOOL_CONFIGURATION_DESCRIPTION"/>
<xsd:enumeration value="UNKNOWN"/>
</xsd:restriction>
</xsd:simpleType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Security_Protection -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
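<!-- Value set for the optional security-protection element of vulnerabilityType. Every value now carries its own xsd:documentation; previously ALLOWS_OTHER_ACCESS was the only undocumented member. -->
<xsd:simpleType name="securityProtectionType">
<xsd:annotation>
<xsd:documentation>The kind of access the vulnerability allows to be gained; see the documentation on each value.</xsd:documentation>
</xsd:annotation>
<xsd:restriction base="xsd:token">
<xsd:enumeration value="ALLOWS_ADMIN_ACCESS">
<xsd:annotation>
<xsd:documentation>gain administrative access</xsd:documentation>
</xsd:annotation>
</xsd:enumeration>
<xsd:enumeration value="ALLOWS_USER_ACCESS">
<xsd:annotation>
<xsd:documentation>gain user access</xsd:documentation>
</xsd:annotation>
</xsd:enumeration>
<xsd:enumeration value="ALLOWS_OTHER_ACCESS">
<xsd:annotation>
<xsd:documentation>gain access of a kind other than administrative or user access</xsd:documentation>
</xsd:annotation>
</xsd:enumeration>
</xsd:restriction>
</xsd:simpleType>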
<!-- ================================================== -->
<!-- ===== Complex Type Definitions -->
<!-- ================================================== -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Associated_Exploit_Location -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Four independent, optional boolean flags describing the circumstances under which the exploit applies. XSD caveat: an element default applies only when the element is present with empty content; an absent element contributes no value at all, so a consumer that wants "false" for missing flags must supply that default itself. -->
<xsd:complexType name="associatedExploitLocationType">
<xsd:sequence>
<xsd:element name="physical-access" type="xsd:boolean" minOccurs="0" default="false"/>
<xsd:element name="voluntarily-interact" type="xsd:boolean" minOccurs="0" default="false"/>
<xsd:element name="dialup" type="xsd:boolean" minOccurs="0" default="false"/>
<xsd:element name="unknown" type="xsd:boolean" minOccurs="0" default="false"/>
</xsd:sequence>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Fix_Action -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
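<!-- One fix action. Documentation fixes: the dependency pointer is the next-fix-action element (the text said "next_fix_action", which does not exist), and source is an attribute, not an element. -->
<xsd:complexType name="fixActionType">
<xsd:annotation>
<xsd:documentation>A single fix action should only cover a single patch application, software update, configuration change, or external fix. Dependencies should be documented by using the "next-fix-action" element to point to a recursive list of fix actions.</xsd:documentation>
</xsd:annotation>
<xsd:sequence>
<xsd:element ref="patch:patch" minOccurs="0"/>
<xsd:element name="configuration-remediation" type="vulnerabilityReferenceType" minOccurs="0"/>
<xsd:element name="software-update" type="scap-core:cpeNamePatternType" minOccurs="0" maxOccurs="unbounded">
<xsd:annotation>
<xsd:documentation>CPE name of the software update package.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<!-- Free text: unbounded in number and, since xsd:string carries no length facet here, in size. Consumers should bound what they store or display. -->
<xsd:element name="notes" type="xsd:string" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element name="deprecated-by" type="scap-core:cpeNamePatternType" minOccurs="0" maxOccurs="unbounded"/>
<!-- Recursive: a fix action may chain further fixActionType instances; nesting depth is not limited by the schema. -->
<xsd:element name="next-fix-action" type="fixActionType" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element name="fix-action-tool-configuration" type="toolConfigurationType" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element name="applicable-configuration" type="cpe-lang:PlatformType" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element name="effectiveness" type="fixEffectivenessEnumType" minOccurs="0">
<xsd:annotation>
<xsd:documentation>States whether the fix action fully avoids the risk associated with the vulnerability or reduces risk to some extent.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="applicable-check" type="scap-core:checkReferenceType" minOccurs="0" maxOccurs="unbounded">
<xsd:annotation>
<xsd:documentation>Describes or points to the check/test (either OVAL or other) that this particular fix action addresses, e.g. applying this fix will change the value of this test result.</xsd:documentation>
</xsd:annotation>
</xsd:element>
</xsd:sequence>
<xsd:attribute name="fix_action_description" type="fixActionDescriptionEnumType" use="required"/>
<xsd:attribute name="fix_action_type" type="fixActionTypeEnumType" use="required"/>
<!-- This schema declares no xsd:unique or xsd:key, so uniqueness of id within a source is a documented expectation that validation does not enforce. -->
<xsd:attribute name="id" type="xsd:token" use="required">
<xsd:annotation>
<xsd:documentation>Unique value within the source. Will be used with the source attribute to serve as a global unique identifier.</xsd:documentation>
</xsd:annotation>
</xsd:attribute>
<!-- A relative reference such as mil.jtf-gno is a valid xsd:anyURI; together with id the value acts as an identifier of the issuer, not as a location to fetch. -->
<xsd:attribute name="source" type="xsd:anyURI" use="required">
<xsd:annotation>
<xsd:documentation>Should be URI-like, e.g. an inverted DNS name such as mil.jtf-gno</xsd:documentation>
</xsd:annotation>
</xsd:attribute>
</xsd:complexType>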
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- OSVDB_Extension -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Wrapper used by the optional osvdb-ext element of vulnerabilityType. When the wrapper is present its single child exploit-location is mandatory (default minOccurs is 1). -->
<xsd:complexType name="osvdbExtensionType">
<xsd:sequence>
<xsd:element name="exploit-location" type="associatedExploitLocationType"/>
</xsd:sequence>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Tool_Configuration -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
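<!-- Scanner tool plus the definitions it must carry. Used by the scanner element of vulnerabilityType and the fix-action-tool-configuration element of fixActionType. The name element's documentation previously demanded a value while the declaration makes it optional; the scanner element's documentation confirms the name may be omitted for an OVAL-definition-only configuration, so the text is aligned with minOccurs="0". -->
<xsd:complexType name="toolConfigurationType">
<xsd:sequence>
<xsd:element name="name" type="scap-core:cpeNamePatternType" minOccurs="0">
<xsd:annotation>
<xsd:documentation>The CPE name of the scanning tool. Optional so that a configuration consisting only of an OVAL definition can omit the tool name (see the scanner element of vulnerabilityType). The CPE name can be taken from the NVD; the CPE title attribute can be used for internal naming conventions, or both where possible.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="definition" type="scap-core:checkReferenceType" minOccurs="0" maxOccurs="unbounded">
<xsd:annotation>
<xsd:documentation>Defines a required signature or policy definition that must be installed on the tool.</xsd:documentation>
</xsd:annotation>
</xsd:element>
</xsd:sequence>
</xsd:complexType>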
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- CWE Reference -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Empty element carrying only a CWE identifier; the lexical form of id is constrained by the imported scap-core:cweNamePatternType, not by this schema. -->
<xsd:complexType name="cweReferenceType">
<xsd:attribute name="id" type="scap-core:cweNamePatternType" use="required"/>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Vulnerable Software -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- List of affected products as CPE name patterns (cpe-lang:namePattern). The wrapper itself is optional on vulnerabilityType, but when present it must contain at least one product. -->
<xsd:complexType name="vulnerableSoftwareType">
<xsd:sequence>
<xsd:element name="product" type="cpe-lang:namePattern" minOccurs="1" maxOccurs="unbounded"/>
</xsd:sequence>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Vulnerability -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Content model of the root vulnerability element. Every child is optional; only the id attribute is required. Child names mix hyphen-case (e.g. vulnerable-configuration) and snake_case (assessment_check, fix_action, technical_description, attack_scenario); instance documents depend on these exact names, so they cannot be normalized without a new namespace version. -->
<xsd:complexType name="vulnerabilityType">
<xsd:annotation>
<xsd:documentation>TODO: Low priority: Add reference to notes type to allow analysts, vendor and other comments. Add source attribute. Maybe categorization?</xsd:documentation>
</xsd:annotation>
<xsd:sequence>
<xsd:element name="osvdb-ext" type="osvdbExtensionType" minOccurs="0"/>
<xsd:element name="vulnerable-configuration" type="cpe-lang:PlatformType" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element name="vulnerable-software-list" type="vulnerableSoftwareType" minOccurs="0"/>
<!-- At most one external identifier, either a CVE or a CCE id; the choice as a whole may be absent. -->
<xsd:choice minOccurs="0">
<xsd:element name="cve-id" type="cve:cveNamePatternType"/>
<xsd:element name="cce-id" type="cce:cceNamePatternType"/>
</xsd:choice>
<!-- Timestamps are xsd:dateTime; the schema does not require a timezone nor any ordering between them (e.g. discovered before published). -->
<xsd:element name="discovered-datetime" type="xsd:dateTime" minOccurs="0"/>
<xsd:element name="disclosure-datetime" type="xsd:dateTime" minOccurs="0"/>
<xsd:element name="exploit-publish-datetime" type="xsd:dateTime" minOccurs="0"/>
<xsd:element name="published-datetime" type="xsd:dateTime" minOccurs="0"/>
<xsd:element name="last-modified-datetime" type="xsd:dateTime" minOccurs="0"/>
<xsd:element name="cvss" type="cvssv2:cvssImpactType" minOccurs="0"/>
<xsd:element name="security-protection" type="securityProtectionType" minOccurs="0"/>
<xsd:element name="assessment_check" type="scap-core:checkReferenceType" maxOccurs="unbounded" minOccurs="0"/>
<xsd:element name="cwe" type="cweReferenceType" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element name="references" type="vulnerabilityReferenceType" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element name="fix_action" type="fixActionType" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element name="scanner" type="toolConfigurationType" minOccurs="0" maxOccurs="unbounded">
<xsd:annotation>
<xsd:documentation>Denotes a scanner and required configuration that is capable of detecting the referenced vulnerability. May also be an OVAL definition and omit scanner name.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<!-- summary is free text with no length facet; consumers should bound what they store or render. -->
<xsd:element name="summary" type="xsd:string" minOccurs="0"/>
<xsd:element name="technical_description" type="scap-core:referenceType" minOccurs="0" maxOccurs="unbounded"/>
<xsd:element name="attack_scenario" type="scap-core:referenceType" minOccurs="0" maxOccurs="unbounded">
<xsd:annotation>
<xsd:documentation>This element should ultimately be held in a threat model.</xsd:documentation>
</xsd:annotation>
</xsd:element>
</xsd:sequence>
<!-- vulnerabilityIdType is an unrestricted xsd:token (see its declaration at the end of the file), so no particular identifier format can be assumed. -->
<xsd:attribute name="id" type="vulnerabilityIdType" use="required"/>
</xsd:complexType>
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- Vulnerability_Reference -->
<!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<!-- A categorized reference. Used by the references element of vulnerabilityType and the configuration-remediation element of fixActionType. Only the reference child and the reference_type attribute are mandatory. -->
<xsd:complexType name="vulnerabilityReferenceType">
<xsd:annotation>
<xsd:documentation>TODO: revisit referenceType and textType</xsd:documentation>
<xsd:documentation>Extends the base "reference" class by adding the ability to specify which kind (within the vulnerability model) of reference it is. See "Vulnerability_Reference_Category_List" enumeration.</xsd:documentation>
</xsd:annotation>
<xsd:sequence>
<!-- Unlike the source attribute of fixActionType (xsd:anyURI), this source is an unconstrained xsd:string whose purpose the author left open. -->
<xsd:element name="source" type="xsd:string" minOccurs="0">
<xsd:annotation>
<xsd:documentation>TODO: determine purpose</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="reference" type="scap-core:referenceType"/>
<xsd:element minOccurs="0" name="notes" type="scap-core:notesType"/>
</xsd:sequence>
<!-- xml:lang defaults to "en" when absent; the attribute is resolved through the xml.xsd import at the top of the schema. -->
<xsd:attribute ref="xml:lang" use="optional" default="en"/>
<xsd:attribute name="reference_type" type="vulnerabilityReferenceCategoryEnumType" use="required"/>
<!-- Optional with no default: an absent deprecated attribute is "not stated", not "false". -->
<xsd:attribute name="deprecated" type="xsd:boolean"/>
</xsd:complexType>
<!-- Type of the required id attribute of vulnerabilityType. An unrestricted xsd:token: no pattern or length facet, so any whitespace-collapsed string validates and consumers must not assume a CVE-like format or treat the value as sanitized. Declared here rather than in the Simple Type Definitions section above; XSD does not depend on declaration order, so this is a layout matter only. -->
<xsd:simpleType name="vulnerabilityIdType">
<xsd:restriction base="xsd:token"/>
</xsd:simpleType>
</xsd:schema>