openapi.json appears to not precisely match the outputs returned by the live API #1

@alilleybrinker

Description

I'm building a CWE API consumer in Rust that uses the openapi.json file in this repo as the basis for code generation.

As part of testing this code, I've encountered several API responses which fail to deserialize because the schema provided in the OpenAPI file does not match what's returned by the server.

For example, calls to the endpoint /cwe/weakness/{id} are described by the schema as returning an array of Weakness. The actual API call currently returns a map with a Weaknesses key, whose value is an array of Weakness structures. This difference causes deserialization failures in the generated code.

Can openapi.json be updated to reflect the schemas of values returned by the API as it is running today?

You can validate this with my cwe-api CLI (in the linked repo) by running a command like:

$ cwe-api weakness info 466

This will fail with an error about a failed deserialization:

error: Invalid Response Payload (b"{\"Weaknesses\":[{\"ID\":\"466\",\"Name\":\"Return of Pointer Value Outside of Expected Range\",\"Abstraction\":\"Base\",\"Structure\":\"Simple\",\"Status\":\"Draft\",\"Description\":\"A function can return a pointer to memory that is outside of the buffer that the pointer is expected to reference.\",\"RelatedWeaknesses\":[{\"Nature\":\"ChildOf\",\"CweID\":\"119\",\"ViewID\":\"1000\",\"Ordinal\":\"Primary\"},{\"Nature\":\"ChildOf\",\"CweID\":\"20\",\"ViewID\":\"700\",\"Ordinal\":\"Primary\"}],\"ApplicablePlatforms\":[{\"Type\":\"Language\",\"Name\":\"C\",\"Prevalence\":\"Undetermined\"},{\"Type\":\"Language\",\"Name\":\"C++\",\"Prevalence\":\"Undetermined\"}],\"ModesOfIntroduction\":[{\"Phase\":\"Implementation\"}],\"CommonConsequences\":[{\"Scope\":[\"Confidentiality\",\"Integrity\"],\"Impact\":[\"Read Memory\",\"Modify Memory\"]}],\"TaxonomyMappings\":[{\"TaxonomyName\":\"7 Pernicious Kingdoms\",\"EntryName\":\"Illegal Pointer Value\"},{\"TaxonomyName\":\"Software Fault Patterns\",\"EntryID\":\"SFP1\",\"EntryName\":\"Glitch in computation\"}],\"References\":[{\"ExternalReferenceID\":\"REF-6\",\"Authors\":[\"Katrina Tsipenyuk\",\"Brian Chess\",\"Gary McGraw\"],\"Title\":\"Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors\",\"Publication\":\"NIST Workshop on Software Security Assurance Tools Techniques and Metrics\",\"PublicationYear\":\"2005\",\"PublicationMonth\":\"11\",\"PublicationDay\":\"07\",\"Publisher\":\"NIST\",\"URL\":\"https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf\"},{\"ExternalReferenceID\":\"REF-44\",\"Section\":\"\\\"Sin 5: Buffer Overruns.\\\" Page 89\",\"Authors\":[\"Michael Howard\",\"David LeBlanc\",\"John Viega\"],\"Title\":\"24 Deadly Sins of Software 
Security\",\"Publication\":\"McGraw-Hill\",\"PublicationYear\":\"2010\"}],\"MappingNotes\":{\"Usage\":\"Allowed\",\"Rationale\":\"This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.\",\"Comments\":\"Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.\",\"Reasons\":[\"Acceptable-Use\"]},\"Notes\":[{\"Type\":\"Maintenance\",\"Note\":\"This entry should have a chaining relationship with CWE-119 instead of a parent / child relationship, however the focus of this weakness does not map cleanly to any existing entries in CWE. A new parent is being considered which covers the more generic problem of incorrect return values. There is also an abstract relationship to weaknesses in which one component sends incorrect messages to another component; in this case, one routine is sending an incorrect value to another.\"}],\"ContentHistory\":[{\"Type\":\"Submission\",\"SubmissionName\":\"7 Pernicious Kingdoms\",\"SubmissionDate\":\"2006-07-19\",\"SubmissionVersion\":\"Draft 3\",\"SubmissionReleaseDate\":\"2006-07-19\"},{\"Type\":\"Modification\",\"ModificationName\":\"Eric Dalci\",\"ModificationOrganization\":\"Cigital\",\"ModificationDate\":\"2008-07-01\",\"ModificationComment\":\"updated Potential_Mitigations, Time_of_Introduction\"},{\"Type\":\"Modification\",\"ModificationOrganization\":\"KDM Analytics\",\"ModificationDate\":\"2008-08-01\",\"ModificationComment\":\"added/updated white box definitions\"},{\"Type\":\"Modification\",\"ModificationName\":\"CWE Content Team\",\"ModificationOrganization\":\"MITRE\",\"ModificationDate\":\"2008-09-08\",\"ModificationComment\":\"updated Applicable_Platforms, Relationships, Taxonomy_Mappings\"},{\"Type\":\"Modification\",\"ModificationName\":\"CWE Content 
Team\",\"ModificationOrganization\":\"MITRE\",\"ModificationDate\":\"2008-11-24\",\"ModificationComment\":\"updated Relationships, Taxonomy_Mappings\"},{\"Type\":\"Modification\",\"ModificationName\":\"CWE Content Team\",\"ModificationOrganization\":\"MITRE\",\"ModificationDate\":\"2009-10-29\",\"ModificationComment\":\"updated Maintenance_Notes\"},{\"Type\":\"Modification\",\"ModificationName\":\"CWE Content Team\",\"ModificationOrganization\":\"MITRE\",\"ModificationDate\":\"2011-06-01\",\"ModificationComment\":\"updated Common_Consequences\"},{\"Type\":\"Modification\",\"ModificationName\":\"CWE Content Team\",\"ModificationOrganization\":\"MITRE\",\"ModificationDate\":\"2011-09-13\",\"ModificationComment\":\"updated Relationships, Taxonomy_Mappings\"},{\"Type\":\"Modification\",\"ModificationName\":\"CWE Content Team\",\"ModificationOrganization\":\"MITRE\",\"ModificationDate\":\"2012-05-11\",\"ModificationComment\":\"updated Potential_Mitigations, References, Relationships\"},{\"Type\":\"Modification\",\"ModificationName\":\"CWE Content Team\",\"ModificationOrganization\":\"MITRE\",\"ModificationDate\":\"2012-10-30\",\"ModificationComment\":\"updated Potential_Mitigations\"},{\"Type\":\"Modification\",\"ModificationName\":\"CWE Content Team\",\"ModificationOrganization\":\"MITRE\",\"ModificationDate\":\"2014-07-30\",\"ModificationComment\":\"updated Relationships, Taxonomy_Mappings\"},{\"Type\":\"Modification\",\"ModificationName\":\"CWE Content Team\",\"ModificationOrganization\":\"MITRE\",\"ModificationDate\":\"2017-11-08\",\"ModificationComment\":\"updated Taxonomy_Mappings, White_Box_Definitions\"},{\"Type\":\"Modification\",\"ModificationName\":\"CWE Content Team\",\"ModificationOrganization\":\"MITRE\",\"ModificationDate\":\"2020-02-24\",\"ModificationComment\":\"updated References\"},{\"Type\":\"Modification\",\"ModificationName\":\"CWE Content 
Team\",\"ModificationOrganization\":\"MITRE\",\"ModificationDate\":\"2023-04-27\",\"ModificationComment\":\"updated Relationships, Time_of_Introduction\"},{\"Type\":\"Modification\",\"ModificationName\":\"CWE Content Team\",\"ModificationOrganization\":\"MITRE\",\"ModificationDate\":\"2023-06-29\",\"ModificationComment\":\"updated Mapping_Notes\"},{\"Type\":\"Rename\",\"PreviousEntryName\":\"Illegal Pointer Value\",\"Date\":\"2008-04-11\"}]}]}"): invalid type: map, expected a sequence at line 1 column 0
error: invalid type: map, expected a sequence at line 1 column 0
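One way a consumer can detect this kind of spec drift and cope with it, as an added example that is not from the issue author or the repo: the schema fragments below are assumed, written to mirror the issue's description rather than copied from openapi.json, and the sample body is abbreviated from the response quoted above.

```python
import json

# Constructed sample, abbreviated from the live response quoted in the issue:
# the body is an object wrapping the array under "Weaknesses", not a bare array.
LIVE_BODY = (b'{"Weaknesses":[{"ID":"466","Name":"Return of Pointer Value Outside of '
             b'Expected Range","Abstraction":"Base","Status":"Draft"}]}')

# Top-level response schema for GET /cwe/weakness/{id} as openapi.json documents it
# (array of Weakness) and as the server actually serves it. Both fragments are
# assumptions written to mirror the issue, not the repo's own openapi.json.
SCHEMA_DOCUMENTED = {"type": "array", "items": {"$ref": "#/components/schemas/Weakness"}}
SCHEMA_AS_SERVED = {
    "type": "object",
    "required": ["Weaknesses"],
    "properties": {"Weaknesses": {"type": "array",
                                  "items": {"$ref": "#/components/schemas/Weakness"}}},
}

JSON_TYPES = {"array": list, "object": dict, "string": str, "boolean": bool}

def schema_mismatches(schema, value, path="$"):
    """Return shape mismatches between a schema fragment and a decoded body.
    Only the checks needed to catch this issue's drift: top-level type, required
    keys, and recursion into declared properties/items. $ref targets are skipped."""
    problems = []
    if "$ref" in schema:
        return problems
    expected = JSON_TYPES.get(schema.get("type"))
    if expected is not None and not isinstance(value, expected):
        return [f"{path}: expected {schema['type']}, got {type(value).__name__}"]
    if schema.get("type") == "object":
        for key in schema.get("required", []):
            if key not in value:
                problems.append(f"{path}: missing required key {key!r}")
        for key, sub in schema.get("properties", {}).items():
            if key in value:
                problems.extend(schema_mismatches(sub, value[key], f"{path}.{key}"))
    elif schema.get("type") == "array":
        for i, item in enumerate(value):
            problems.extend(schema_mismatches(schema["items"], item, f"{path}[{i}]"))
    return problems

def check_body(schema, raw):
    """Decode a raw response body and report where it departs from the schema."""
    return schema_mismatches(schema, json.loads(raw))

def parse_weakness_response(raw):
    """Accept the documented bare array and the served envelope; reject any
    other shape outright so unexpected payloads surface as errors, not guesses."""
    data = json.loads(raw)
    if isinstance(data, list):
        return data
    if isinstance(data, dict) and isinstance(data.get("Weaknesses"), list):
        return data["Weaknesses"]
    raise ValueError("unexpected /cwe/weakness response shape")
```

Running check_body with SCHEMA_DOCUMENTED against LIVE_BODY reproduces the issue's complaint as a single top-level type mismatch, while SCHEMA_AS_SERVED reports none.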
