This repository is used for the development of the CVE JSON record format. Releases of the CVE JSON record format will also be published here. This repository is managed by the CVE Quality Working Group.
Creative Commons Zero v1.0 Universal
5.1.0 accepts an object (instead of a string) for source.discovery #261
At the 2023-12-14 TWG meeting, the discussion suggested that, during testing of the 5.1.0 schema, any CVE Record that validated even though the record format was not "intended" would be considered a "loophole."
It might not be intended that CVE Records use source.discovery in a different way than Vulnogram.
Vulnogram, by default, inserts "source": { "discovery": "UNKNOWN" } into a CVE Record.
minimal/plausible test case (the CNA chooses to specify a language for the word "UNKNOWN")
This is similar to https://github.com/CVEProject/cve-schema/issues/212 but does not require an x_ field. A possible solution is to require source.discovery to have a string value (not allow an object), so that all CVE Records are structurally consistent with how Vulnogram uses the source.discovery field.
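As an added illustration (not code from the issue, from cve-schema, or from Vulnogram), the following Python checker models the two behaviours the issue contrasts: a permissive rule under which any JSON value for `source.discovery` validates (the "loophole"), and the proposed strict rule under which `discovery`, when present, must be a string. The sample records are constructed here; the container paths `containers.cna.source` and `containers.adp[].source` are assumed from the CVE 5.x record layout, and `iter_sources`, `permissive_ok` and `strict_findings` are hypothetical helper names.

```python
"""Illustrative check for the shape of source.discovery.

Hypothetical helper written for this page; not part of cve-schema or Vulnogram.
"""
import json

# Constructed sample records (not taken from the issue).  The Vulnogram-style
# record carries the default string value; the second carries the object form
# the issue reports as validating under 5.1.0; the third has no source at all,
# which both rules accept because source is optional.
VULNOGRAM_STYLE = json.loads('''{
  "containers": {"cna": {"source": {"discovery": "UNKNOWN"}}}
}''')

OBJECT_FORM = json.loads('''{
  "containers": {"cna": {"source": {"discovery": {"lang": "en", "value": "UNKNOWN"}}}}
}''')

NO_SOURCE = json.loads('{"containers": {"cna": {}}}')


def iter_sources(record):
    """Yield (json_pointer, source_object) for every container carrying a source.

    Assumed layout: containers.cna.source and containers.adp[i].source.
    """
    containers = record.get("containers", {})
    cna = containers.get("cna", {})
    if "source" in cna:
        yield "/containers/cna/source", cna["source"]
    for i, adp in enumerate(containers.get("adp", [])):
        if "source" in adp:
            yield f"/containers/adp/{i}/source", adp["source"]


def permissive_ok(record):
    """Models the 5.1.0 behaviour the issue describes: source must be an object,
    but discovery may be any JSON value, so the object form passes unchanged."""
    return all(isinstance(src, dict) for _, src in iter_sources(record))


def strict_findings(record):
    """Models the proposed fix: discovery, when present, must be a string.

    Returns a list of (json_pointer, message) pairs, one per offending value,
    so a CNA-side tool can report exactly where a record departs from the
    Vulnogram convention.  An empty list means the record is consistent.
    """
    findings = []
    for ptr, src in iter_sources(record):
        if "discovery" in src and not isinstance(src["discovery"], str):
            findings.append((ptr + "/discovery",
                             f"expected string, got {type(src['discovery']).__name__}"))
    return findings


if __name__ == "__main__":
    for name, rec in [("vulnogram", VULNOGRAM_STYLE),
                      ("object", OBJECT_FORM),
                      ("no source", NO_SOURCE)]:
        print(f"{name:10} permissive={permissive_ok(rec)} strict={strict_findings(rec)}")
```

Running the block shows that the object form is accepted by the permissive rule and rejected, with a JSON pointer to the offending value, by the strict one; the Vulnogram-style record and the record without a `source` pass both.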