Fix Node_Validator build path and regenerate stale dist #482

Open
asheshv wants to merge 1 commit into CVEProject:main from asheshv:fix/node-validator-stale-dist

@asheshv commented May 11, 2026

Summary

  • schema/support/Node_Validator/build.js still required ../../docs/CVE_JSON_bundled.json, but that file was renamed to CVE_Record_Format_bundled.json in commit a9e9fa9 (April 2024). node build.js has failed with Cannot find module ever since, so the checked-in dist/cve5validator.js has been frozen against the pre-rename schema.
  • The stale dist expresses CVSS score types via multipleOf: 0.1 instead of the enum lists the current bundled schema uses. AJV's multipleOf check is unreliable against IEEE-754 representations of certain decimals, so valid CVSS base scores like 4.8, 7.1, 7.6, 8.1, 8.7 are rejected even though they are produced by the official CVSS v4.0 calculator and accepted by the live CVE Services backend.
  • This PR points build.js at the current bundled filename and ships the regenerated dist/cve5validator.js.

Reproduction (before this PR)

$ node schema/support/Node_Validator/build.js
Error: Cannot find module '../../docs/CVE_JSON_bundled.json'

A minimal CVE record with cvssV4_0.baseScore: 4.8 (vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N, the score the official calculator produces) fails validation against the existing dist with:

schemaPath: '#/definitions/metrics/items/properties/cvssV4_0/definitions/mediumScoreType/multipleOf',
keyword:    'multipleOf',
message:    'must be multiple of 0.1'

This cascades into a spurious cveMetadata additionalProperty: requesterUserId error, because the top-level oneOf falls through from cveMetadataPublished (which permits requesterUserId) to cveMetadataRejected (which does not).

After this PR

  • node build.js succeeds and writes a fresh dist/cve5validator.js.
  • The regenerated dist still validates schema/docs/full-record-basic-example.json and schema/docs/full-record-advanced-example.json cleanly.
  • It accepts CVSS v4.0 base scores produced by the official calculator across the whole 0.0-10.0 range — including the values previously rejected.

Test plan

  • node schema/support/Node_Validator/build.js runs without error
  • node schema/support/Node_Validator/validate.js schema/docs/full-record-basic-example.json schema/docs/full-record-advanced-example.json reports both files valid
  • CVE records with cvssV4_0.baseScore values that previously failed (4.8, 7.1, 8.7) now validate, with no other behaviour change observed

build.js still required ../../docs/CVE_JSON_bundled.json, but that file
was renamed to CVE_Record_Format_bundled.json in commit a9e9fa9
(April 2024), so `node build.js` has failed ever since. The checked-in
dist (dist/cve5validator.js) has been frozen against the pre-rename
schema for the same reason.

That stale dist still expresses CVSS score types via multipleOf: 0.1
instead of the enum lists the current bundled schema uses. AJV's
multipleOf check is unreliable against IEEE-754 representations of
some decimals (4.8, 7.1, 7.6, 8.1, 8.7, ...) and rejects valid CVSS
base scores that the live CVE Services backend accepts without issue.

Pointing build.js at the current bundled file and regenerating the
dist resolves both problems. The regenerated dist still validates the
in-repo full-record example files.
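
The false rejections described in this PR, reproduced as an added example that is not code from AJV, the CVE schema repository, or the PR author. It assumes the `multipleOf` test can be modelled as "value / divisor is an integer" in IEEE-754 doubles, and it uses a constructed enum covering every one-decimal score from 0.0 to 10.0 rather than the schema's own per-severity lists; all function names are hypothetical.

```javascript
// Added example. Assumption: a division-based multipleOf test, evaluated in
// IEEE-754 double precision, stands in for the validator's check.
function naiveMultipleOf(value, divisor) {
  return Number.isInteger(value / divisor);
}

// Constructed enum: every one-decimal score from 0.0 to 10.0. i / 10 is a
// correctly rounded division, so each entry is bit-identical to the double
// that JSON.parse produces for the literal "x.y".
const SCORE_ENUM = new Set(Array.from({ length: 101 }, (_, i) => i / 10));

// Enum membership is exact equality on doubles, so no arithmetic is involved
// and no rounding error can creep in.
function enumAccepts(value) {
  return typeof value === "number" && SCORE_ENUM.has(value);
}

// Valid one-decimal scores that the division-based check wrongly rejects.
function falseRejections() {
  return [...SCORE_ENUM].filter((score) => !naiveMultipleOf(score, 0.1));
}

// Side-by-side result for one score, including the quotient that decides
// the division-based check.
function compare(score) {
  return {
    score,
    quotient: score / 0.1,
    multipleOf: naiveMultipleOf(score, 0.1),
    enum: enumAccepts(score),
  };
}

// Scores named in the PR description, plus one that both checks accept.
for (const score of [4.8, 7.1, 7.6, 8.1, 8.7, 5.0]) {
  console.log(compare(score));
}
console.log("rejected by division check only:", falseRejections().join(", "));
```

A validator regression test can iterate the same 0.0 to 10.0 range against the regenerated dist, so a future rebuild that reintroduces a division-based check is caught before valid records start failing.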