CVEProject / automation-working-group

CVE Automation Working Group
https://www.cve.org/ProgramOrganization/WorkingGroups#AutomationWorkingGroupAWG

original assigner vs. owner #116

Status: Closed (zmanion closed this 6 months ago)

zmanion commented 1 year ago

On the 2023-01-11 SPWG meeting, during a discussion about bulk download, this came up:

  1. The assigning CNA is recorded in the JSON schema (assignerOrgId), this is effectively the owning CNA at the time of assignment
  2. The owner of a record can change
  3. Ownership and the transaction log are stored somewhere, not explicitly in JSON 5
     a. Ownership might have been stored in JSON 4 (but I don't readily see where)
  4. JSON 5.0 does not provide explicit "owner" fields

CVE Services, with knowledge of the non-public ownership, can (broken at the moment?) provide a CNA with their currently owned records.

JSON 5 alone, e.g., as a bulk download format, contains neither ownership information nor transaction information.

Regardless of where ownership and transaction information is stored, it should be available publicly.

zmanion commented 1 year ago

Related to/partial duplicate of: https://github.com/CVEProject/cve-website/issues/1224

zmanion commented 1 year ago

owning_cna can be accessed via Services API:

https://cveawg.mitre.org/api/cve-id/CVE-2020-28367
https://cveawg.mitre.org/api/cve/CVE-2020-28367

zmanion commented 1 year ago

Proposal: Add new ownerCnaId and ownerCnaShortName fields to JSON schema, basically matching assignerOrgId and assignerShortName.

Unless the owner values are filled out, treat them as equal to assigner.

Both owner values must be filled out, which I think is similar to assigner, and ShortName should be looked up based on OrgId.

I think this means that owner MUST be a CNA, is that a problem?

zmanion commented 1 year ago

Proposal 2: Make ownership (and other?) change/transaction logs/history public. Possibly within a CVE record, so there is one self-contained place to look. This should probably be a separate issue.

zmanion commented 1 year ago

Overall, eliminate or minimize the need for separate sources of CVE entry data.

https://cveawg.mitre.org/api/cve-id/CVE-2020-28367

{
  "cve_id": "CVE-2020-28367",
  "cve_year": "2020",
  "state": "PUBLISHED",
  "owning_cna": "Go",
  "dateUpdated": "2022-12-28T14:23:56.914Z"
}

Aside from owning_cna, the rest of this information is available within a CVE record, with the possible exception of cve_year.

If "cve_year" is not just the year part of the CVE ID then we need to discuss.
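One way a consumer could apply the rules from the proposal earlier in this thread (ownerCnaId/ownerCnaShortName defaulting to the assigner, both fields or neither, ShortName looked up from OrgId, owner must be a CNA) and cross-check the result against the owning_cna value the Services /api/cve-id endpoint returns, as shown in the comment above. This is an added example, not code from the CVE Program, CVE Services or this working group. The ownerCnaId and ownerCnaShortName names are the proposal's and are not in the published JSON 5 schema; the CNA org IDs, short names and the CVE ID in the sample data are constructed, and the directory lookup stands in for whatever CNA registry a real consumer would query.

```python
"""Resolve the effective owning CNA of a CVE JSON 5 record.

Added example (not CVE Program code). It applies the rules proposed in this
issue: optional ownerCnaId / ownerCnaShortName in cveMetadata (names from the
proposal, not the published schema), both present or both absent, ShortName
derived from OrgId, and a fallback to the assigner when no owner is recorded.
All org IDs, short names and the CVE ID below are constructed sample data.
"""
import json
import uuid

# Constructed stand-in for the CNA directory: orgId -> shortName.
ASSIGNER_ID = "11111111-1111-4111-8111-111111111111"
OWNER_ID = "22222222-2222-4222-8222-222222222222"
CNA_DIRECTORY = {
    ASSIGNER_ID: "ExampleAssignerCNA",
    OWNER_ID: "ExampleOwnerCNA",
}

# Constructed JSON 5 record text, as one entry of a bulk download might look.
RECORD_TEXT = """{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.0",
  "cveMetadata": {
    "cveId": "CVE-2020-99999",
    "assignerOrgId": "11111111-1111-4111-8111-111111111111",
    "assignerShortName": "ExampleAssignerCNA",
    "state": "PUBLISHED"
  }
}"""


class OwnerError(ValueError):
    """The owner fields violate the proposed rules."""


def _is_uuid(value):
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False


def resolve_owner(record, directory=CNA_DIRECTORY):
    """Return (orgId, shortName) of the current owner of a JSON 5 record.

    Absent owner fields mean "same as assigner". A half-filled pair, an
    OrgId unknown to the directory, or a ShortName that disagrees with the
    directory is rejected, because the proposal makes the owner a CNA and
    derives ShortName from OrgId rather than trusting it independently.
    """
    meta = record["cveMetadata"]
    owner_id = meta.get("ownerCnaId")
    owner_short = meta.get("ownerCnaShortName")

    if owner_id is None and owner_short is None:
        return meta["assignerOrgId"], meta["assignerShortName"]
    if owner_id is None or owner_short is None:
        raise OwnerError("ownerCnaId and ownerCnaShortName must both be set")
    if not _is_uuid(owner_id):
        raise OwnerError("ownerCnaId %r is not a UUID" % owner_id)
    expected = directory.get(owner_id)
    if expected is None:
        raise OwnerError("ownerCnaId %s is not a registered CNA" % owner_id)
    if expected != owner_short:
        raise OwnerError("ownerCnaShortName %r does not match %r" % (owner_short, expected))
    return owner_id, owner_short


def validate_owner(record, directory=CNA_DIRECTORY):
    """Return None if the owner fields are acceptable, else the error text."""
    try:
        resolve_owner(record, directory)
    except OwnerError as exc:
        return str(exc)
    return None


def owner_matches_services(record, cve_id_response, directory=CNA_DIRECTORY):
    """Cross-check the record's resolved owner against a /api/cve-id
    response, which reports the current owner as a short name in owning_cna."""
    _, short = resolve_owner(record, directory)
    return short == cve_id_response["owning_cna"]


def sample_record(with_owner):
    """Parse the constructed record, optionally adding the proposed owner fields."""
    record = json.loads(RECORD_TEXT)
    if with_owner:
        record["cveMetadata"]["ownerCnaId"] = OWNER_ID
        record["cveMetadata"]["ownerCnaShortName"] = "ExampleOwnerCNA"
    return record


if __name__ == "__main__":
    # Constructed response shaped like GET /api/cve-id/<id> (owning_cna only).
    services = {"cve_id": "CVE-2020-99999", "state": "PUBLISHED", "owning_cna": "ExampleOwnerCNA"}
    for with_owner in (False, True):
        rec = sample_record(with_owner)
        print(resolve_owner(rec), owner_matches_services(rec, services))
```

The no-owner record resolves to the assigner and therefore disagrees with a Services response whose owning_cna has moved to another CNA, which is exactly the gap the issue describes: a bulk-download consumer working from JSON 5 alone cannot detect the transfer without the extra fields or the Services call.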

zmanion commented 1 year ago

...and, as a JSON schema change, this probably belongs in QWG.

zmanion commented 6 months ago

Moved to https://github.com/CVEProject/cve-schema/issues/294