CVEProject / cve-schema

This repository is used for the development of the CVE JSON record format. Releases of the CVE JSON record format will also be published here. This repository is managed by the CVE Quality Working Group.
Creative Commons Zero v1.0 Universal

JSON 5.0 - Why is problemTypes so different in format from Impacts #163

Open MrSeccubus opened 2 years ago

MrSeccubus commented 2 years ago

See https://github.com/Vulnogram/Vulnogram/issues/63

JSON format of CWE (problemTypes) is

      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "cweId": "CWE-129",
              "description": "CWE-129 Improper Validation of Array Index",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "lang": "en",
              "cweId": "CWE-77",
              "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')",
              "type": "CWE"
            }
          ]
        }
      ],

But CAPEC is:

      "impacts": [
        {
          "capecId": "CAPEC-102",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-102 Session Sidejacking"
            }
          ]
        },
        {
          "capecId": "CAPEC-107",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-107 Cross Site Tracing"
            }
          ]
        }
      ],

Since cweId and type are not language specific, shouldn't they be outside the descriptions array and formatted just like impacts?
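As an added example (not code from this issue, the cve-schema project, or Vulnogram), here is a small Python reader that deals with the asymmetry described above: it extracts CWE IDs from `problemTypes`, where the ID sits on each per-language description entry, and CAPEC IDs from `impacts`, where the ID sits on the impact object itself, and then hoists `cweId` and `type` into the impacts-like shape the comment proposes. The sample container is constructed from the two fragments quoted above plus one free-text problemType; the `CWE-`/`CAPEC-` format regexes and the hoisted target layout are assumptions of this example, not something the 5.0 schema defines or accepts.

```python
import json
import re

# Constructed sample (not a real CVE record): the two cna-container fields
# quoted in the issue, plus one free-text problemType with no cweId so the
# absent-ID path is exercised as well.
SAMPLE_CONTAINER = json.loads("""
{
  "problemTypes": [
    {"descriptions": [
      {"lang": "en", "cweId": "CWE-129", "type": "CWE",
       "description": "CWE-129 Improper Validation of Array Index"}]},
    {"descriptions": [
      {"lang": "en", "cweId": "CWE-77", "type": "CWE",
       "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]},
    {"descriptions": [
      {"lang": "en", "type": "text",
       "description": "Unspecified memory safety issue"}]}
  ],
  "impacts": [
    {"capecId": "CAPEC-102",
     "descriptions": [{"lang": "en", "value": "CAPEC-102 Session Sidejacking"}]},
    {"capecId": "CAPEC-107",
     "descriptions": [{"lang": "en", "value": "CAPEC-107 Cross Site Tracing"}]}
  ]
}
""")

# Assumed identifier formats for a sanity check; not taken from the schema.
CWE_RE = re.compile(r"^CWE-[1-9][0-9]*$")
CAPEC_RE = re.compile(r"^CAPEC-[1-9][0-9]*$")


def cwe_ids(container):
    """CWE IDs from problemTypes. In the 5.0 layout the cweId lives on every
    per-language description entry, so the walk has to descend into
    descriptions and dedupe: the same CWE given in two languages is one CWE."""
    found = []
    for pt in container.get("problemTypes", []):
        for desc in pt.get("descriptions", []):
            cwe = desc.get("cweId")
            if cwe is None:
                continue
            if not CWE_RE.match(cwe):
                raise ValueError(f"malformed cweId: {cwe!r}")
            if cwe not in found:
                found.append(cwe)
    return found


def capec_ids(container):
    """CAPEC IDs from impacts. Here the ID is one level up, on the impact
    object itself, so there is nothing to descend into or dedupe per language."""
    found = []
    for imp in container.get("impacts", []):
        capec = imp.get("capecId")
        if capec is None:
            continue
        if not CAPEC_RE.match(capec):
            raise ValueError(f"malformed capecId: {capec!r}")
        if capec not in found:
            found.append(capec)
    return found


def lift_problem_types(container):
    """Rewrite problemTypes into the impacts-like shape proposed in the issue:
    cweId and type hoisted onto the problemType object, descriptions left with
    only the language-specific text. This is a hypothetical target layout,
    not one the 5.0 schema accepts. Because the 5.0 layout lets each language
    entry carry its own cweId, the hoist is only meaningful when all entries
    of a problemType agree; if they disagree, refuse rather than silently
    drop one of the IDs."""
    lifted = []
    for pt in container.get("problemTypes", []):
        descs = pt.get("descriptions", [])
        ids = {d["cweId"] for d in descs if "cweId" in d}
        types = {d["type"] for d in descs if "type" in d}
        if len(ids) > 1 or len(types) > 1:
            raise ValueError(
                f"problemType entries disagree: ids={sorted(ids)} types={sorted(types)}")
        entry = {}
        if ids:
            entry["cweId"] = ids.pop()
        if types:
            entry["type"] = types.pop()
        entry["descriptions"] = [
            {k: v for k, v in d.items() if k not in ("cweId", "type")}
            for d in descs
        ]
        lifted.append(entry)
    return lifted


if __name__ == "__main__":
    print(cwe_ids(SAMPLE_CONTAINER))
    print(capec_ids(SAMPLE_CONTAINER))
    print(json.dumps(lift_problem_types(SAMPLE_CONTAINER), indent=2))
```

The disagreement check in `lift_problem_types` is the practical consequence of the current layout: as long as `cweId` is per description entry, a record can legally say CWE-79 in English and CWE-80 in German for the same problemType, and any tool that flattens to one ID per problemType has to decide what to do with that case.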

david-waltermire commented 2 years ago

@chandanbn Would you please clarify the relationship between the v4 and v5 fields? Thanks!

chandanbn commented 2 years ago

Agree the cweId field can be pulled up and the data structures can be made similar, but now too late to change. I don't see this as a stopper for services/5.0 deployment.

A change would be backwards incompatible, so this needs to be addressed in 6.0.