stix_schema_spy 1.0

data/config/1.0/stix/external/cvrf_1.1/common.xsd

@@ -0,0 +1,176 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xs:schema
+ xmlns:cvrf-common="http://www.icasi.org/CVRF/schema/common/1.1"
+ xmlns:xs="http://www.w3.org/2001/XMLSchema"
+ xmlns:dc="http://purl.org/dc/elements/1.1/"
+ id="CVRFCommonDictionary"
+ targetNamespace="http://www.icasi.org/CVRF/schema/common/1.1"
+ elementFormDefault="qualified"
+ attributeFormDefault="unqualified"
+ version="1.1">
+  <!-- =============================================================================== -->
+  <!-- =============================   SCHEMA IMPORTS  =============================== -->
+  <!-- =============================================================================== -->
+  <xs:import namespace="http://purl.org/dc/elements/1.1/" schemaLocation="dc.xsd"/>
+  <xs:import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="xml.xsd"/>
+  <!-- =============================================================================== -->
+  <!-- ============================ SCHEMA INFORMATION =============================== -->
+  <!-- =============================================================================== -->
+  <xs:annotation>
+    <xs:documentation xml:lang="en">This is the XML schema for the Common Vulerability Reporting Framework's common data types.</xs:documentation>
+    <xs:appinfo>
+      <dc:creator>Brian Schafer &lt;bschafer@microsoft.com&gt;</dc:creator>
+      <dc:contributor>Joe Clarke &lt;jclarke@cisco.com&gt;</dc:contributor>
+      <dc:contributor>Joe Hemmerlein &lt;Joe.Hemmerlein@microsoft.com&gt;</dc:contributor>
+      <dc:date>2012-05-07</dc:date>
+      <dc:subject>CVRF Common Data Types</dc:subject>
+      <version>1.1</version>
+    </xs:appinfo>
+  </xs:annotation>
+  <!-- =============================================================================== -->
+  <!-- =================================== DATA TYPES ================================ -->
+  <!-- =============================================================================== -->
+  <xs:simpleType name="nonEmptyNormalizedString">
+    <xs:annotation>
+      <xs:documentation xml:lang="en">A normalized string type that cannot be empty.</xs:documentation>
+    </xs:annotation>
+    <xs:restriction base="xs:normalizedString">
+      <xs:minLength value="1" />
+    </xs:restriction>
+  </xs:simpleType>
+  <xs:simpleType name="nonEmptyString">
+    <xs:annotation>
+      <xs:documentation xml:lang="en">A string type that cannot be empty.</xs:documentation>
+    </xs:annotation>
+    <xs:restriction base="xs:string">
+      <xs:minLength value="1" />
+    </xs:restriction>
+  </xs:simpleType>
+  <xs:complexType name="localizedString">
+    <xs:annotation>
+      <xs:documentation xml:lang="en">String type with an optional language attribute.  The default language is English.</xs:documentation>
+    </xs:annotation>
+    <xs:simpleContent>
+      <xs:extension base="cvrf-common:nonEmptyString">
+        <xs:attribute ref="xml:lang" default="en">
+          <xs:annotation>
+            <xs:documentation xml:lang="en">Locale code used for the string value.  The default is &quot;en&quot;.</xs:documentation>
+          </xs:annotation>
+        </xs:attribute>
+      </xs:extension>
+    </xs:simpleContent>
+  </xs:complexType>
+  <xs:complexType name="localizedNormalizedString">
+    <xs:annotation>
+      <xs:documentation xml:lang="en">Normalized string type with an optional language attribute.  The default language is English.  This string cannot be empty.</xs:documentation>
+    </xs:annotation>
+    <xs:simpleContent>
+      <xs:extension base="cvrf-common:nonEmptyNormalizedString">
+        <xs:attribute ref="xml:lang" default="en">
+          <xs:annotation>
+            <xs:documentation xml:lang="en">Locale code used for the string value.  The default is &quot;en&quot;.</xs:documentation>
+          </xs:annotation>
+        </xs:attribute>
+      </xs:extension>
+    </xs:simpleContent>
+  </xs:complexType>
+  <xs:simpleType name="revisionNumber">
+    <xs:annotation>
+      <xs:documentation xml:lang="en">Dotted string representing the document revision</xs:documentation>
+    </xs:annotation>
+    <xs:restriction base="xs:token">
+      <xs:pattern value="(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*)){0,3}" />
+    </xs:restriction>
+  </xs:simpleType>
+  <xs:simpleType name="ReferenceTypeEnum">
+    <xs:annotation>
+      <xs:documentation xml:lang="en">Types enumerating the type of reference document</xs:documentation>
+    </xs:annotation>
+    <xs:restriction base="xs:token">
+      <xs:enumeration value="External">
+        <xs:annotation>
+          <xs:documentation xml:lang="en">This document is an external reference to the current vulnerability.</xs:documentation>
+        </xs:annotation>
+      </xs:enumeration>
+      <xs:enumeration value="Self">
+        <xs:annotation>
+          <xs:documentation xml:lang="en">This document is a reference to this same vulnerability.</xs:documentation>
+        </xs:annotation>
+      </xs:enumeration>
+    </xs:restriction>
+  </xs:simpleType>
+  <xs:simpleType name="PublisherEnumType">
+    <xs:annotation>
+      <xs:documentation xml:lang="en">Types enumerating the various publishers of a document.</xs:documentation>
+    </xs:annotation>
+    <xs:restriction base="xs:token">
+      <xs:enumeration value="Vendor">
+        <xs:annotation>
+          <xs:documentation xml:lang="en">Developers or maintainers of information system products or services.</xs:documentation>
+        </xs:annotation>
+      </xs:enumeration>
+      <xs:enumeration value="Discoverer">
+        <xs:annotation>
+          <xs:documentation xml:lang="en">Individuals or organizations that find vulnerabilities or security weaknesses.</xs:documentation>
+        </xs:annotation>
+      </xs:enumeration>
+      <xs:enumeration value="Coordinator">
+        <xs:annotation>
+          <xs:documentation xml:lang="en">Individuals or organizations that manage a single vendor's response or multiple vendors' responses to a vulnerability, a security flaw, or an incident.</xs:documentation>
+        </xs:annotation>
+      </xs:enumeration>
+      <xs:enumeration value="User">
+        <xs:annotation>
+          <xs:documentation xml:lang="en">Everyone using a vendor's product.</xs:documentation>
+        </xs:annotation>
+      </xs:enumeration>
+      <xs:enumeration value="Other">
+        <xs:annotation>
+          <xs:documentation xml:lang="en">Catchall for everyone else. Currently this includes forwarders, re-publishers, language translators and miscellaneous contributors.</xs:documentation>
+        </xs:annotation>
+      </xs:enumeration>
+    </xs:restriction>
+  </xs:simpleType>
+  <xs:simpleType name="NoteTypeEnumType">
+    <xs:annotation>
+      <xs:documentation xml:lang="en">Allowed type values for CVRF notes.</xs:documentation>
+    </xs:annotation>
+    <xs:restriction base="xs:token">
+      <xs:enumeration value="General">
+        <xs:annotation>
+          <xs:documentation xml:lang="en">A general, high-level note (Title may have more information).</xs:documentation>
+        </xs:annotation>
+      </xs:enumeration>
+      <xs:enumeration value="Details">
+        <xs:annotation>
+          <xs:documentation xml:lang="en">A low-level detailed discussion (Title may have more information).</xs:documentation>
+        </xs:annotation>
+      </xs:enumeration>
+      <xs:enumeration value="Description">
+        <xs:annotation>
+          <xs:documentation xml:lang="en">A description of something (Title may have more information).</xs:documentation>
+        </xs:annotation>
+      </xs:enumeration>
+      <xs:enumeration value="Summary">
+        <xs:annotation>
+          <xs:documentation xml:lang="en">A summary of something (Title may have more information).</xs:documentation>
+        </xs:annotation>
+      </xs:enumeration>
+      <xs:enumeration value="FAQ">
+        <xs:annotation>
+          <xs:documentation xml:lang="en">A list of frequently asked questions.</xs:documentation>
+        </xs:annotation>
+      </xs:enumeration>
+      <xs:enumeration value="Legal Disclaimer">
+        <xs:annotation>
+          <xs:documentation xml:lang="en">Any possible legal discussion, including constraints, surrounding the document.</xs:documentation>
+        </xs:annotation>
+      </xs:enumeration>
+      <xs:enumeration value="Other">
+        <xs:annotation>
+          <xs:documentation xml:lang="en">Something that doesn’t fit (Title should have more information).</xs:documentation>
+        </xs:annotation>
+      </xs:enumeration>
+    </xs:restriction>
+  </xs:simpleType>
+</xs:schema>

data/config/1.0/stix/external/cvrf_1.1/cpe-language_2.2a.xsd

@@ -0,0 +1,182 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+      xmlns:cpe="http://cpe.mitre.org/language/2.0"
+      xmlns:xml="http://www.w3.org/XML/1998/namespace"
+      xmlns:sch="http://purl.oclc.org/dsdl/schematron"
+      targetNamespace="http://cpe.mitre.org/language/2.0" elementFormDefault="qualified"
+      attributeFormDefault="unqualified" version="2.2a">
+      <xsd:import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="xml.xsd"/>
+      <xsd:annotation>
+            <xsd:documentation xml:lang="en">This XML Schema defines the CPE Language. An individual
+                  CPE Name addresses a single part of an actual system. To identify more complex
+                  platform types, there needs to be a way to combine different CPE Names using
+                  logical operators. For example, there may be a need to identify a platform with a
+                  particular operating system AND a certain application. The CPE Language exists to
+                  satisfy this need, enabling the CPE Name for the operating system to be combined
+                  with the CPE Name for the application. For more information, consult the CPE
+                  Specification document.</xsd:documentation>
+            <xsd:appinfo>
+                  <schema>CPE Language</schema>
+                  <author>Neal Ziring, Andrew Buttner, David Waltermire</author>
+                  <version>2.2</version>
+                  <date>10/27/2008 10:00:00 AM</date>
+            </xsd:appinfo>
+      </xsd:annotation>
+
+      <!-- =============================================================================== -->
+      <!-- =============================================================================== -->
+      <!-- =============================================================================== -->
+      <xsd:element name="platform-specification" type="cpe:platformSpecificationType">
+            <xsd:annotation>
+                  <xsd:documentation xml:lang="en">This element is the root element of a CPE
+                        Language XML documents and therefore acts as a container for child platform
+                        definitions.</xsd:documentation>
+            </xsd:annotation>
+            <xsd:key name="platformKey">
+                  <xsd:selector xpath="cpe:platform"/>
+                  <xsd:field xpath="@id"/>
+            </xsd:key>
+      </xsd:element>
+
+      <xsd:element name="platform" type="cpe:PlatformType"/>
+      <xsd:element name="platform-configuration" type="cpe:PlatformBaseType"/>
+
+      <xsd:element name="logical-test" type="cpe:LogicalTestType"/>
+
+      <xsd:element name="fact-ref" type="cpe:FactRefType"/>
+      
+
+      <!-- =============================================================================== -->
+      <!-- =========================== PLATFORM SPECIFICATION ============================ -->
+      <!-- =============================================================================== -->
+      <xsd:complexType name="platformSpecificationType">
+            <xsd:sequence>
+                  <xsd:element ref="cpe:platform" minOccurs="1"
+                        maxOccurs="unbounded"/>
+            </xsd:sequence>
+      </xsd:complexType>
+      
+      <!-- =============================================================================== -->
+      <!-- ==================================  PLATFORM  ================================= -->
+      <!-- =============================================================================== -->
+      <xsd:complexType name="PlatformBaseType">
+            <xsd:annotation>
+                  <xsd:documentation xml:lang="en">The platform element represents the description
+                        or qualifications of a particular IT platform type. The platform is defined
+                        by the logical-test child element.</xsd:documentation>
+            </xsd:annotation>
+            <xsd:sequence>
+                  <xsd:element name="title" type="cpe:TextType" minOccurs="0" maxOccurs="unbounded">
+                        <xsd:annotation>
+                              <xsd:documentation xml:lang="en">The optional title element may appear as a child
+                                    to a platform element. It provides a human-readable title for it. To support
+                                    uses intended for multiple languages, this element supports the ‘xml:lang’
+                                    attribute. At most one title element can appear for each language.</xsd:documentation>
+                        </xsd:annotation>
+                  </xsd:element>
+                  <xsd:element name="remark" type="cpe:TextType" minOccurs="0" maxOccurs="unbounded">
+                        <xsd:annotation>
+                              <xsd:documentation xml:lang="en">The optional remark element may appear as a child
+                                    of a platform element. It provides some additional description. Zero or more
+                                    remark elements may appear. To support uses intended for multiple languages,
+                                    this element supports the ‘xml:lang’ attribute. There can be multiple
+                                    remarks for a single language.</xsd:documentation>
+                        </xsd:annotation>
+                  </xsd:element>
+                  <xsd:element ref="cpe:logical-test" minOccurs="1" maxOccurs="1"/>
+            </xsd:sequence>
+      </xsd:complexType>
+      <xsd:complexType name="PlatformType">
+            <xsd:complexContent>
+                  <xsd:extension base="cpe:PlatformBaseType">
+                        <xsd:attribute name="id" type="xsd:anyURI" use="required">
+                              <xsd:annotation>
+                                    <xsd:documentation xml:lang="en">The id attribute holds a locally unique
+                                          name for the platform. There is no defined format for this id, it just has
+                                          to be unique to the containing language document.</xsd:documentation>
+                              </xsd:annotation>
+                        </xsd:attribute>
+                  </xsd:extension>
+            </xsd:complexContent>
+      </xsd:complexType>
+      <xsd:complexType name="LogicalTestType">
+            <xsd:annotation>
+                  <xsd:documentation xml:lang="en">The logical-test element appears as a child of a
+                        platform element, and may also be nested to create more complex logical
+                        tests. The content consists of one or more elements: fact-ref, and
+                        logical-test children are permitted. The operator to be applied, and
+                        optional negation of the test, are given as attributes.</xsd:documentation>
+            </xsd:annotation>
+            <xsd:sequence>
+                  <xsd:element name="logical-test" type="cpe:LogicalTestType" minOccurs="0"
+                        maxOccurs="unbounded"/>
+                  <xsd:element ref="cpe:fact-ref" minOccurs="0"
+                        maxOccurs="unbounded">
+                        <xsd:annotation>
+                              <xsd:documentation xml:lang="en"></xsd:documentation>
+                        </xsd:annotation>
+                  </xsd:element>
+            </xsd:sequence>
+            <xsd:attribute name="operator" type="cpe:operatorEnumeration" use="required"/>
+            <xsd:attribute name="negate" type="xsd:boolean" use="required"/>
+      </xsd:complexType>
+      <xsd:complexType name="FactRefType">
+            <xsd:annotation>
+                  <xsd:documentation xml:lang="en">The fact-ref element appears as a
+                        child of a logical-test element. It is simply a reference to a CPE Name that
+                        always evaluates to a Boolean result.</xsd:documentation>
+            </xsd:annotation>
+            <xsd:attribute name="name" type="cpe:namePattern" use="required"/>
+      </xsd:complexType>
+
+      <!-- =============================================================================== -->
+      <!-- ===============================  ENUMERATIONS  ================================ -->
+      <!-- =============================================================================== -->
+      <xsd:simpleType name="operatorEnumeration">
+            <xsd:annotation>
+                  <xsd:documentation xml:lang="en">The OperatorEnumeration simple type defines
+                        acceptable operators. Each operator defines how to evaluate multiple
+                        arguments.</xsd:documentation>
+            </xsd:annotation>
+            <xsd:restriction base="xsd:string">
+                  <xsd:enumeration value="AND"/>
+                  <xsd:enumeration value="OR"/>
+            </xsd:restriction>
+      </xsd:simpleType>
+      <!-- =============================================================================== -->
+      <!-- ==============================  SUPPORTING TYPES  ============================== -->
+      <!-- =============================================================================== -->
+      <xsd:complexType name="TextType">
+            <xsd:annotation>
+                  <xsd:documentation xml:lang="en">This type allows the xml:lang attribute to
+                        associate a specific language with an element's string
+                  content.</xsd:documentation>
+            </xsd:annotation>
+            <xsd:simpleContent>
+                  <xsd:extension base="xsd:string">
+                        <xsd:attribute ref="xml:lang"/>
+                  </xsd:extension>
+            </xsd:simpleContent>
+      </xsd:complexType>
+      <!-- =============================================================================== -->
+      <!-- ================================  ID PATTERNS  ================================ -->
+      <!-- =============================================================================== -->
+      <xsd:simpleType name="namePattern">
+            <xsd:annotation>
+                  <xsd:documentation xml:lang="en">Define the format for acceptable CPE Names. A URN
+                        format is used with the id starting with the word cpe followed by :/ and
+                        then some number of individual components separated by
+                  colons.</xsd:documentation>
+            </xsd:annotation>
+            <xsd:restriction base="xsd:anyURI">
+                  <xsd:pattern value="[c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\._\-~%]*){0,6}"/>
+            </xsd:restriction>
+      </xsd:simpleType>
+    <!-- ================================================== -->
+    <!-- =====  Change History  -->
+    <!-- ================================================== -->
+    <!--
+        v2.2 - Initial working version
+        v2.3 - Various refactoring of types to use element refs.  This enables more fine-grained reuse of this schema and allows XSD substitution to be possible.
+    -->
+</xsd:schema>

data/config/1.0/stix/external/cvrf_1.1/cvrf.xsd

@@ -0,0 +1,487 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xs:schema id="CVRFDictionary"
+  targetNamespace="http://www.icasi.org/CVRF/schema/cvrf/1.1"
+  xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1"
+  xmlns:vuln="http://www.icasi.org/CVRF/schema/vuln/1.1"
+  xmlns:prod="http://www.icasi.org/CVRF/schema/prod/1.1"
+  xmlns:cvrf-common="http://www.icasi.org/CVRF/schema/common/1.1"
+  xmlns:xs="http://www.w3.org/2001/XMLSchema"
+  xmlns:dc="http://purl.org/dc/elements/1.1/"
+  elementFormDefault="qualified"
+  attributeFormDefault="unqualified"
+  version="1.1">
+  <!-- =============================================================================== -->
+  <!-- =============================   SCHEMA IMPORTS  =============================== -->
+  <!-- =============================================================================== -->
+  <xs:import namespace="http://purl.org/dc/elements/1.1/" schemaLocation="dc.xsd" />
+  <xs:import namespace="http://www.icasi.org/CVRF/schema/vuln/1.1" schemaLocation="vuln.xsd" />
+  <xs:import namespace="http://www.icasi.org/CVRF/schema/common/1.1" schemaLocation="common.xsd" />
+  <xs:import namespace="http://www.icasi.org/CVRF/schema/prod/1.1" schemaLocation="prod.xsd" />
+  <!-- =============================================================================== -->
+  <!-- ============================ SCHEMA INFORMATION =============================== -->
+  <!-- =============================================================================== -->
+  <xs:annotation>
+    <xs:documentation xml:lang="en">This is the XML schema for the Common Vulnerability Reporting Framework.  For more information, see the CVRF whitepaper.</xs:documentation>
+    <xs:appinfo>
+      <dc:creator>Brian Schafer &lt;bschafer@microsoft.com&gt;</dc:creator>
+      <dc:contributor>Joe Clarke &lt;jclarke@cisco.com&gt;</dc:contributor>
+      <dc:contributor>Joe Hemmerlein &lt;Joe.Hemmerlein@microsoft.com&gt;</dc:contributor>
+      <dc:date>2012-05-07</dc:date>
+      <dc:subject>CVRF Dictionary</dc:subject>
+      <version>1.1</version>
+    </xs:appinfo>
+  </xs:annotation>
+  <!-- =============================================================================== -->
+  <!-- =================================== DATA TYPES ================================ -->
+  <!-- =============================================================================== -->
+  <xs:simpleType name="DocumentStatusEnumType">
+    <xs:annotation>
+      <xs:documentation xml:lang="en">Types enumerating the status of the document.</xs:documentation>
+    </xs:annotation>
+    <xs:restriction base="xs:normalizedString">
+      <xs:enumeration value="Draft">
+        <xs:annotation>
+          <xs:documentation xml:lang="en">Pre-release, intended for issuing party’s internal use only, or possibly used externally when the party is seeking feedback or indicating its intentions regarding a specific issue.</xs:documentation>
+        </xs:annotation>
+      </xs:enumeration>
+      <xs:enumeration value="Interim">
+        <xs:annotation>
+          <xs:documentation xml:lang="en">The issuing party believes the content is subject to change.</xs:documentation>
+        </xs:annotation>
+      </xs:enumeration>
+      <xs:enumeration value="Final">
+        <xs:annotation>
+          <xs:documentation xml:lang="en">The issuing party asserts the content is unlikely to change.</xs:documentation>
+        </xs:annotation>
+      </xs:enumeration>
+    </xs:restriction>
+  </xs:simpleType>
+  <xs:simpleType name="cvrfVersion">
+    <xs:annotation>
+      <xs:documentation xml:lang="en">Floating point number representing the CVRF specification version</xs:documentation>
+    </xs:annotation>
+    <xs:restriction base="xs:float">
+      <xs:pattern value="[0-9]+\.[0-9]{1,3}" />
+    </xs:restriction>
+  </xs:simpleType>
+  <!-- =============================================================================== -->
+  <!-- ============================= DOCUMENT DEFINITION ============================= -->
+  <!-- =============================================================================== -->
+  <xs:element name="cvrfdoc">
+    <xs:annotation>
+      <xs:documentation xml:lang="en">Root element of a CVRF document.</xs:documentation>
+    </xs:annotation>
+    <xs:complexType>
+      <xs:sequence>
+        <xs:element name="DocumentTitle" minOccurs="1" maxOccurs="1">
+          <xs:annotation>
+            <xs:documentation xml:lang="en">A definitive canonical name for the document, providing enough descriptive content to differentiate from other similar documents, ideally providing a unique “handle”.</xs:documentation>
+          </xs:annotation>
+          <xs:complexType>
+            <xs:simpleContent>
+              <xs:extension base="cvrf-common:localizedNormalizedString" />
+            </xs:simpleContent>
+          </xs:complexType>
+        </xs:element>
+        <xs:element name="DocumentType" minOccurs="1" maxOccurs="1">
+          <xs:annotation>
+            <xs:documentation xml:lang="en">A short canonical name, chosen by the document producer, which will inform the consumer about the type of the document.</xs:documentation>
+          </xs:annotation>
+          <xs:complexType>
+            <xs:simpleContent>
+              <xs:extension base="cvrf-common:localizedNormalizedString" />
+            </xs:simpleContent>
+          </xs:complexType>
+        </xs:element>
+        <xs:element name="DocumentPublisher" minOccurs="1" maxOccurs="1">
+          <xs:annotation>
+            <xs:documentation xml:lang="en">A container holding all information about the publisher of the CVRF document.</xs:documentation>
+          </xs:annotation>
+          <xs:complexType>
+            <xs:sequence>
+              <xs:element name="ContactDetails" minOccurs="0" maxOccurs="1">
+                <xs:annotation>
+                  <xs:documentation xml:lang="en">Author contact information such as address, phone number, email, etc.</xs:documentation>
+                </xs:annotation>
+                <xs:complexType>
+                  <xs:simpleContent>
+                    <xs:extension base="cvrf-common:localizedString" />
+                  </xs:simpleContent>
+                </xs:complexType>
+              </xs:element>
+              <xs:element name="IssuingAuthority" minOccurs="0" maxOccurs="1">
+                <xs:annotation>
+                  <xs:documentation xml:lang="en">The name of the issuing party and their authority to release the document, in particular, the party's constituency and responsibilities or other obligations.</xs:documentation>
+                </xs:annotation>
+                <xs:complexType>
+                  <xs:simpleContent>
+                    <xs:extension base="cvrf-common:localizedString" />
+                  </xs:simpleContent>
+                </xs:complexType>
+              </xs:element>
+            </xs:sequence>
+            <xs:attribute name="Type" type="cvrf-common:PublisherEnumType" use="required">
+              <xs:annotation>
+                <xs:documentation xml:lang="en">Type is an enumerated list containing an array of different document publisher types.</xs:documentation>
+              </xs:annotation>
+            </xs:attribute>
+            <xs:attribute name="VendorID" type="xs:string">
+              <xs:annotation>
+                <xs:documentation xml:lang="en">Vendor ID is a unique identifier (OID) that a vendor uses as issued by FIRST under the auspices of IETF.</xs:documentation>
+              </xs:annotation>
+            </xs:attribute>
+          </xs:complexType> 
+        </xs:element>
+        <xs:element name="DocumentTracking" minOccurs="1" maxOccurs="1">
+          <xs:annotation>
+            <xs:documentation xml:lang="en">The Document Tracking meta-container contains all of the attributes necessary to track a CVRF document.</xs:documentation>
+          </xs:annotation>
+          <xs:complexType>
+            <xs:sequence>
+              <xs:element name="Identification" minOccurs="1" maxOccurs="1">
+                <xs:annotation>
+                  <xs:documentation xml:lang="en">Contains document ID and optional document aliases</xs:documentation>
+                </xs:annotation>
+                <xs:complexType>
+                  <xs:sequence>
+                    <xs:element name="ID" minOccurs="1" maxOccurs="1">
+                      <xs:annotation>
+                        <xs:documentation xml:lang="en">Short unique identifier used to refer to the document unambiguously in any context.</xs:documentation>
+                      </xs:annotation>
+                      <xs:complexType>
+                        <xs:simpleContent>
+                          <xs:extension base="cvrf-common:localizedString" />
+                        </xs:simpleContent>
+                      </xs:complexType>
+                    </xs:element>
+                    <xs:element name="Alias" minOccurs="0" maxOccurs="unbounded">
+                      <xs:annotation>
+                        <xs:documentation xml:lang="en">Optional alternative ID for document</xs:documentation>
+                      </xs:annotation>
+                      <xs:complexType>
+                        <xs:simpleContent>
+                          <xs:extension base="cvrf-common:localizedString" />
+                        </xs:simpleContent>
+                      </xs:complexType>
+                    </xs:element>
+                  </xs:sequence>
+                </xs:complexType>
+              </xs:element>
+              <xs:element name="Status" type="cvrf:DocumentStatusEnumType" minOccurs="1" maxOccurs="1">
+                <xs:annotation>
+                  <xs:documentation xml:lang="en">The condition of the document with regard to completeness and the likelihood of future editions.</xs:documentation>
+                </xs:annotation>
+              </xs:element>
+              <xs:element name="Version" type="cvrf-common:revisionNumber" minOccurs="1" maxOccurs="1">
+                <xs:annotation>
+                  <xs:documentation xml:lang="en">Document Version is a simple counter to track the version of the document.</xs:documentation>
+                </xs:annotation>
+              </xs:element>
+              <xs:element name="RevisionHistory" minOccurs="1" maxOccurs="1">
+                <xs:annotation>
+                  <xs:documentation xml:lang="en">The Document Revision History contains one entry for each substantive version of the document, including the initial version and entries for each subsequent update.</xs:documentation>
+                </xs:annotation>
+                <xs:complexType>
+                  <xs:sequence>
+                    <xs:element name="Revision" minOccurs="1" maxOccurs="unbounded">
+                      <xs:annotation>
+                        <xs:documentation xml:lang="en">A set of Version, Date, and Description elements describing one iteration of this document</xs:documentation>
+                      </xs:annotation>
+                      <xs:complexType>
+                        <xs:sequence>
+                          <xs:element name="Number" type="cvrf-common:revisionNumber" minOccurs="1" maxOccurs="1">
+                            <xs:annotation>
+                              <xs:documentation xml:lang="en">Revision number of this iteration of the document.</xs:documentation>
+                            </xs:annotation>
+                          </xs:element>
+                          <xs:element name="Date" type="xs:dateTime" minOccurs="1" maxOccurs="1">
+                            <xs:annotation>
+                              <xs:documentation xml:lang="en">Date when this iteration of the document was released.</xs:documentation>
+                            </xs:annotation>
+                          </xs:element>
+                          <xs:element name="Description" minOccurs="1" maxOccurs="1">
+                            <xs:annotation>
+                              <xs:documentation xml:lang="en">Description of this iteration of the document.</xs:documentation>
+                            </xs:annotation>
+                            <xs:complexType>
+                              <xs:simpleContent>
+                                <xs:extension base="cvrf-common:localizedString" />
+                              </xs:simpleContent>
+                            </xs:complexType>
+                          </xs:element>
+                        </xs:sequence>
+                      </xs:complexType>
+                    </xs:element>
+                  </xs:sequence>
+                </xs:complexType>
+              </xs:element>
+              <xs:element name="InitialReleaseDate" type="xs:dateTime" minOccurs="1" maxOccurs="1">
+                <xs:annotation>
+                  <xs:documentation xml:lang="en">The initial date (and time, optionally) that the document was initially released by the issuing party.</xs:documentation>
+                </xs:annotation>
+              </xs:element>
+              <xs:element name="CurrentReleaseDate" type="xs:dateTime" minOccurs="1" maxOccurs="1">
+                <xs:annotation>
+                  <xs:documentation xml:lang="en">The current date (and time, optionally) that the document was released by the issuing party.</xs:documentation>
+                </xs:annotation>
+              </xs:element>
+              <xs:element name="Generator" minOccurs="0" maxOccurs="1">
+                <xs:annotation>
+                  <xs:documentation xml:lang="en">The Document Generator meta-container contains all of the elements related to the generation of the document.</xs:documentation>
+                </xs:annotation>
+                <xs:complexType>
+                  <xs:sequence>
+                    <xs:element name="Engine" minOccurs="0" maxOccurs="1">
+                      <xs:annotation>
+                        <xs:documentation xml:lang="en">The name and version of the engine that generated the CVRF document.</xs:documentation>
+                      </xs:annotation>
+                      <xs:complexType>
+                        <xs:simpleContent>
+                          <xs:extension base="cvrf-common:localizedString" />
+                        </xs:simpleContent>
+                      </xs:complexType>
+                    </xs:element>
+                    <xs:element name="Date" type="xs:dateTime" minOccurs="0" maxOccurs="1">
+                      <xs:annotation>
+                        <xs:documentation xml:lang="en">The date the CVRF document was generated.</xs:documentation>
+                      </xs:annotation>
+                    </xs:element>
+                  </xs:sequence>
+                </xs:complexType>
+              </xs:element>
+            </xs:sequence>
+          </xs:complexType>
+        </xs:element>
+        <xs:element name="DocumentNotes" minOccurs="0" maxOccurs="1">
+          <xs:annotation>
+            <xs:documentation xml:lang="en">The Document Notes text contains all of the individual notes necessary to provide different types of low-level discussions of a CVRF document to various audiences.</xs:documentation>
+          </xs:annotation>
+          <xs:complexType>
+            <xs:sequence>
+              <xs:element name="Note" minOccurs="1" maxOccurs="unbounded">
+                <xs:annotation>
+                  <xs:documentation xml:lang="en">A individual note in freeform text.</xs:documentation>
+                </xs:annotation>
+                <xs:complexType>
+                  <xs:simpleContent>
+                    <xs:extension base="cvrf-common:localizedString">
+                      <xs:attribute name="Title" type="xs:string">
+                        <xs:annotation>
+                          <xs:documentation xml:lang="en">Title should be a concise description of what is contained in this specific note.</xs:documentation>
+                        </xs:annotation>
+                      </xs:attribute>
+                      <xs:attribute name="Audience" type="xs:string">
+                        <xs:annotation>
+                          <xs:documentation xml:lang="en">Audience will indicate who is intended to read the note.</xs:documentation>
+                        </xs:annotation>
+                      </xs:attribute>
+                      <xs:attribute name="Type" type="cvrf-common:NoteTypeEnumType" use="required">
+                        <xs:annotation>
+                          <xs:documentation xml:lang="en">Type of content within this note.</xs:documentation>
+                        </xs:annotation>
+                      </xs:attribute>
+                      <xs:attribute name="Ordinal" type="xs:positiveInteger" use="required">
+                        <xs:annotation>
+                          <xs:documentation xml:lang="en">Ordinal is a locally significant integral counter indexed from 1 used to track notes.</xs:documentation>
+                        </xs:annotation>
+                      </xs:attribute>
+                    </xs:extension>
+                  </xs:simpleContent>
+                </xs:complexType>
+              </xs:element>
+            </xs:sequence>
+          </xs:complexType>
+        </xs:element>
+        <xs:element name="DocumentDistribution" minOccurs="0" maxOccurs="1">
+          <xs:annotation>
+            <xs:documentation xml:lang="en">The Document Distribution string should contain details on constraints, if any, about sharing this CVRF Document with additional recipients.</xs:documentation>
+          </xs:annotation>
+          <xs:complexType>
+            <xs:simpleContent>
+              <xs:extension base="cvrf-common:localizedString" />
+            </xs:simpleContent>
+          </xs:complexType>
+        </xs:element>
+        <xs:element name="AggregateSeverity" minOccurs="0" maxOccurs="1">
+          <xs:annotation>
+            <xs:documentation xml:lang="en">Aggregate Severity is provided by the producer of the document to convey the urgency and criticality with which the vulnerability or vulnerabilities should be addressed.</xs:documentation>
+          </xs:annotation>
+          <xs:complexType>
+            <xs:simpleContent>
+              <xs:extension base="cvrf-common:localizedString">
+                <xs:attribute name="Namespace" type="xs:anyURI">
+                  <xs:annotation>
+                    <xs:documentation xml:lang="en">URL of the namespace from which the Aggregate Severity is taken.</xs:documentation>
+                  </xs:annotation>
+                </xs:attribute>
+              </xs:extension>
+            </xs:simpleContent>
+          </xs:complexType>
+        </xs:element>
+        <xs:element name="DocumentReferences" minOccurs="0" maxOccurs="1">
+          <xs:annotation>
+            <xs:documentation xml:lang="en">This meta-container should include references to any conferences, papers, advisories, and other resources that are related and considered to be of value to the document consumer.</xs:documentation>
+          </xs:annotation>
+          <xs:complexType>
+            <xs:sequence>
+              <xs:element name="Reference" minOccurs="1" maxOccurs="unbounded">
+                <xs:annotation>
+                  <xs:documentation xml:lang="en">Related documents to the CVRF document.</xs:documentation>
+                </xs:annotation>
+                <xs:complexType>
+                  <xs:sequence>
+                    <xs:element name="URL" type="xs:anyURI" minOccurs="1" maxOccurs="1">
+                      <xs:annotation>
+                        <xs:documentation xml:lang="en">The URL of the related document.</xs:documentation>
+                      </xs:annotation>
+                    </xs:element>
+                    <xs:element name="Description" minOccurs="1" maxOccurs="1">
+                      <xs:annotation>
+                        <xs:documentation xml:lang="en">The description of the related document.</xs:documentation>
+                      </xs:annotation>
+                      <xs:complexType>
+                        <xs:simpleContent>
+                          <xs:extension base="cvrf-common:localizedString" />
+                        </xs:simpleContent>
+                      </xs:complexType>
+                    </xs:element>
+                  </xs:sequence>
+                  <xs:attribute name="Type" type="cvrf-common:ReferenceTypeEnum" default="External">
+                    <xs:annotation>
+                      <xs:documentation xml:lang="en">Enumerated type value of reference relative to this document.</xs:documentation>
+                    </xs:annotation>
+                  </xs:attribute>
+                </xs:complexType>
+              </xs:element>
+            </xs:sequence>
+          </xs:complexType>
+        </xs:element>
+        <xs:element name="Acknowledgments" minOccurs="0" maxOccurs="1">
+          <xs:annotation>
+            <xs:documentation xml:lang="en">The Acknowledgments container holds one or more Acknowledgement containers for document-level acknowledgements.</xs:documentation>
+          </xs:annotation>
+          <xs:complexType>
+            <xs:sequence>
+              <xs:element name="Acknowledgment" minOccurs="1" maxOccurs="unbounded">
+                <xs:annotation>
+                  <xs:documentation xml:lang="en">The Acknowledgment container holds recognition details for external parties, specific to the document as a whole rather than individual vulnerabilities.</xs:documentation>
+                </xs:annotation>
+                <xs:complexType>
+                  <xs:sequence>
+                    <xs:element name="Name" minOccurs="0" maxOccurs="unbounded">
+                      <xs:annotation>
+                        <xs:documentation xml:lang="en">The name (i.e., individual name) of the party being acknowledged.</xs:documentation>
+                      </xs:annotation>
+                      <xs:complexType>
+                        <xs:simpleContent>
+                          <xs:extension base="cvrf-common:localizedString" />
+                        </xs:simpleContent>
+                      </xs:complexType>
+                    </xs:element>
+                    <xs:element name="Organization" minOccurs="0" maxOccurs="unbounded">
+                      <xs:annotation>
+                        <xs:documentation xml:lang="en">The organization of the party being acknowledged or the organization itself being acknowledged.</xs:documentation>
+                      </xs:annotation>
+                      <xs:complexType>
+                        <xs:simpleContent>
+                          <xs:extension base="cvrf-common:localizedString" />
+                        </xs:simpleContent>
+                      </xs:complexType>
+                    </xs:element>
+                    <xs:element name="Description" minOccurs="0" maxOccurs="1">
+                      <xs:annotation>
+                        <xs:documentation xml:lang="en">The details of the acknowledgment that address the recognition of external parties who were instrumental in the discovery, reporting and response of this document.</xs:documentation>
+                      </xs:annotation>
+                      <xs:complexType>
+                        <xs:simpleContent>
+                          <xs:extension base="cvrf-common:localizedString" />
+                        </xs:simpleContent>
+                      </xs:complexType>
+                    </xs:element>
+                    <xs:element name="URL" type="xs:anyURI"  minOccurs="0" maxOccurs="unbounded">
+                      <xs:annotation>
+                        <xs:documentation xml:lang="en">The optional URL to the person, place, or thing being acknowledged.</xs:documentation>
+                      </xs:annotation>
+                    </xs:element>
+                  </xs:sequence>
+                </xs:complexType>
+              </xs:element>
+            </xs:sequence>
+          </xs:complexType>
+        </xs:element>
+        <xs:element ref="prod:ProductTree" minOccurs="0" maxOccurs="1" />
+        <xs:element ref="vuln:Vulnerability" minOccurs="0" maxOccurs="unbounded" />
+      </xs:sequence>
+    </xs:complexType>
+    <xs:unique name="UniqueOrdinal">
+      <xs:annotation>
+        <xs:documentation xml:lang="en">This is to ensure that each Vulnerability's Ordinal uses a unique value.</xs:documentation>
+      </xs:annotation>
+      <xs:selector xpath=".//vuln:Vulnerability"/>
+      <xs:field xpath="@Ordinal"/>
+    </xs:unique>
+     <xs:unique name="UniqueNotesOrdinal">
+      <xs:annotation>
+        <xs:documentation xml:lang="en">This is to ensure that each note has a unique ordinal value.</xs:documentation>
+      </xs:annotation>
+      <xs:selector xpath=".//cvrf:DocumentNotes/cvrf:Note"/>
+      <xs:field xpath="@Ordinal"/>
+    </xs:unique>
+    <xs:key name="ProductKey">
+      <xs:annotation>
+        <xs:documentation xml:lang="en">A key to reference a specific product defined in a referenced product schema.</xs:documentation>
+      </xs:annotation>
+      <xs:selector xpath=".//prod:FullProductName" />
+      <xs:field xpath="@ProductID" />
+    </xs:key>
+    <xs:keyref name="AffectedProductKeyRef" refer="cvrf:ProductKey">
+      <xs:annotation>
+        <xs:documentation xml:lang="en">An instance of the ProductKey to be used in the ProductID element for affected products.</xs:documentation>
+      </xs:annotation>
+      <xs:selector xpath=".//vuln:ProductStatuses/vuln:Status/vuln:ProductID"/>
+      <xs:field xpath="."/>
+    </xs:keyref>
+    <xs:keyref name="ScoreSetProductKeyRef" refer="cvrf:ProductKey">
+      <xs:annotation>
+        <xs:documentation xml:lang="en">An instance of the ProductKey to be used in the CVSS ScoreSet product references.</xs:documentation>
+      </xs:annotation>
+      <xs:selector xpath=".//vuln:CVSSScoreSets/vuln:ScoreSet/vuln:ProductID"/>
+      <xs:field xpath="."/>
+    </xs:keyref>
+    <xs:keyref name="ThreatProductKeyRef" refer="cvrf:ProductKey">
+      <xs:annotation>
+        <xs:documentation xml:lang="en">An instance of the ProductKey to be used in the Threat product references.</xs:documentation>
+      </xs:annotation>
+      <xs:selector xpath=".//vuln:Threats/vuln:Threat/vuln:ProductID"/>
+      <xs:field xpath="."/>
+    </xs:keyref>
+    <xs:keyref name="RemediationProductKeyRef" refer="cvrf:ProductKey">
+      <xs:annotation>
+        <xs:documentation xml:lang="en">An instance of the ProductKey to be used in the Remediation product references.</xs:documentation>
+      </xs:annotation>
+      <xs:selector xpath=".//vuln:Remediations/vuln:Remediation/vuln:ProductID"/>
+      <xs:field xpath="."/>
+    </xs:keyref>
+    <xs:key name="GroupKey">
+      <xs:annotation>
+        <xs:documentation xml:lang="en">A key to reference a specific product group defined in a referenced product schema.</xs:documentation>
+      </xs:annotation>
+      <xs:selector xpath=".//prod:ProductGroups/prod:Group" />
+      <xs:field xpath="@GroupID" />
+    </xs:key>
+    <xs:keyref name="ThreatGroupKeyRef" refer="cvrf:GroupKey">
+      <xs:annotation>
+        <xs:documentation xml:lang="en">An instance of the GroupKey to be used in the Threat product references.</xs:documentation>
+      </xs:annotation>
+      <xs:selector xpath=".//vuln:Threats/vuln:Threat/vuln:GroupID"/>
+      <xs:field xpath="."/>
+    </xs:keyref>
+    <xs:keyref name="RemediationGroupKeyRef" refer="cvrf:GroupKey">
+      <xs:annotation>
+        <xs:documentation xml:lang="en">An instance of the GroupKey to be used in the Remediation product references.</xs:documentation>
+      </xs:annotation>
+      <xs:selector xpath=".//vuln:Remediations/vuln:Remediation/vuln:GroupID"/>
+      <xs:field xpath="."/>
+    </xs:keyref>
+  </xs:element>
+</xs:schema>