CVEProject · alilleybrinker · May 9, 2025 · Jun 26, 2025 · Jun 26, 2025 · Jul 17, 2025
diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json
@@ -361,6 +361,21 @@
                         },
                         "additionalProperties": false
                     }
+                },
+                "artifactID": {
+                    "type": "string",
+                    "pattern": "^gitoid:blob:sha256:[0-9a-f]{64}$",
+                    "description": "The OmniBOR Artifact ID of the artifact to be matched against.",
+                    "examples": [
+                        "gitoid:blob:sha256:9f64df92367881be21e23567a31a8ce01994d98b69d28917b5c132ce32a8e6c8",
+                        "gitoid:blob:sha256:09c825ac02df9150e4f93d12ba1da5d1ff5846c3e62503c814aa3a300c535772",
+                        "gitoid:blob:sha256:230f3515d1306690815bd9c3da0d15d8b6fcf43894d17100eb44b6d329a92f61"
+                    ]
+                },
+                "artifactType": {
+                    "type": "string",
+                    "enum": ["artifact", "buildInput"],
+                    "description": "Specifies how consumers of the Artifact ID should search for matches. If the 'target' is 'artifact', then the Artifact ID is identifying an artifact which should be searched for directly (for example, within a file system by matching against Artifact IDs for files). If the 'target' is 'build_input' then the Artifact ID is identifying a build input, and consumers should match the Artifact ID against IDs found in OmniBOR Input Manifests for their software."
                 }
             }
         },
@@ -778,7 +793,13 @@
             "type": "array",
             "description": "List of affected products.",
             "minItems": 1,
-            "items": {"$ref": "#/definitions/product"}
+            "items": {"$ref": "#/definitions/product"},
+            "contains": {
+                "anyOf": [
+                    { "required": ["vendor", "product"] },
+                    { "required": ["collectionURL", "packageName"] }
+                ]
+            }
         },
         "description": {
             "type": "object",

diff --git a/schema/docs/cnaContainer-advanced-example.json b/schema/docs/cnaContainer-advanced-example.json
@@ -82,6 +82,13 @@
           }
         ],
         "defaultStatus": "unaffected"
+      },
+      {
+          "vendor": "Example.org",
+          "product": "Example Enterprise",
+          "artifactID": "gitoid:blob:sha256:fee53a18d32820613c0527aa79be5cb30173c823a9b448fa4817767cc84c6f03",
+          "artifactType": "artifact",
+          "defaultStatus": "affected"
       }
     ],
     "cpeApplicability": [

diff --git a/schema/docs/full-record-advanced-example.json b/schema/docs/full-record-advanced-example.json
@@ -95,6 +95,13 @@
             }
           ],
           "defaultStatus": "unaffected"
+        },
+        {
+            "vendor": "Example.org",
+            "product": "Example Enterprise",
+            "artifactID": "gitoid:blob:sha256:fee53a18d32820613c0527aa79be5cb30173c823a9b448fa4817767cc84c6f03",
+            "artifactType": "artifact",
+            "defaultStatus": "affected"
         }
       ],
       "cpeApplicability": [
@@ -162,7 +169,7 @@
               "value": "OS-komand-injekta vundebleco <tt>parseFilename</tt> funkcio de <tt>example.php</tt> en la Web Administrado-Interfaco de Example.org Example Enterprise ĉe Windows, macOS kaj XT-4500 permesas al malproksimaj neaŭtentikigitaj atakantoj eskaladi privilegiojn.<br><br> Ĉi tiu afero efikas:<br><ul><li>1.0-versioj antaŭ 1.0.6</li><li>2.1-versioj de 2.1.6 ĝis 2.1.9.</li></ul>"
             }
           ]
-        }          
+        }
       ],
       "metrics": [
         {