SemVer Checker

(paste a schema and click Check SemVer Compliance)

Rules implemented

• versionType === "semver-2.0.0": any value in version, lessThan, lessThanOrEqual, and changes[*].at must match the SemVer 2.0.0 regexp; bad values are collected into badSemVer2 and the API call has a hard failure. As of now, for correct input, versionType is rewritten to "semver" - this may help consumers who have already set up back-end processing for SemVer, and helps to emphasize that the CVE Program is adopting SemVer 2.0.0 as the one supported SemVer type
• For that same case, if lessThan or lessThanOrEqual equals "0.0.0" or "0.0.0-0", change it to "4294967295.0.0" - this supports the proposed semver-2.0.0 input format for ranges with no upper bound, while maintaining compatibility with consumers' algorithms for checking whether an observed version is inside a range
• versionType === "semver": allow exceptions so that current semver producers do not have to change their processes — version === "0", and any lessThan / lessThanOrEqual that ends with *. In changes[*].at, allow "0" or strings ending with *. If data fails the SemVer 2.0.0 regexp match and is not an exception, collect those values into badSemVer and set that item’s versionType → "custom" with an API response warning. This provides a transition period for producers who publish invalid semver today.
• Items without versionType, or with a different versionType, are left unchanged.

AJV dialect is auto-detected from your schema’s $schema (2020-12 → ajv2020, 2019-09 → ajv2019, draft-07/06 → ajv7). Also, ajv-formats is loaded for common format keywords.