CVEProject / cve-schema

This repository is used for the development of the CVE JSON record format. Releases of the CVE JSON record format will also be published here. This repository is managed by the CVE Quality Working Group.
Creative Commons Zero v1.0 Universal

original assigner vs. owner #294

Open zmanion opened 7 months ago

zmanion commented 7 months ago

Copied from https://github.com/CVEProject/automation-working-group/issues/116

On the 2023-01-11 SPWG meeting, during a discussion about bulk download, this came up:

1. The assigning CNA is recorded in the JSON schema (assignerOrgId); this is effectively the owning CNA at the time of assignment.
2. The owner of a record can change.
3. Ownership and the transaction log are stored somewhere, not explicitly in JSON 5.
   a. Ownership might have been stored in JSON 4 (but I don't readily see where).
4. JSON 5.0 does not provide explicit "owner" fields.
5. CVE Services, with knowledge of the non-public ownership, can (broken at the moment?) provide a CNA with their currently owned records.

JSON 5 alone, e.g., as a bulk download format, contains neither ownership information nor transaction information.

Regardless of where ownership and transaction information is stored, it should be available publicly.

Related to/partial duplicate of: https://github.com/CVEProject/cve-website/issues/1224

owning_cna can be accessed via Services API:

https://cveawg.mitre.org/api/cve-id/CVE-2020-28367
https://cveawg.mitre.org/api/cve/CVE-2020-28367

zmanion commented 7 months ago

Proposal: Add new ownerCnaId and ownerCnaShortName fields to JSON schema, basically matching assignerOrgId and assignerShortName.

Unless the owner values are filled out, treat them as equal to assigner.

Both owner values must be filled out, which I think is similar to assigner, and ShortName should be looked up based on OrgId.

I think this means that owner MUST be a CNA, is that a problem?

zmanion commented 7 months ago

Proposal 2: Make ownership (and other?) change/transaction logs/history public. Possibly within a CVE record, so there is one self-contained place to look. This should probably be a separate issue.

zmanion commented 7 months ago

Overall, eliminate or minimize the need for separate sources of CVE entry data.

https://cveawg.mitre.org/api/cve-id/CVE-2020-28367

{
  "cve_id":"CVE-2020-28367",
  "cve_year":"2020",
  "state":"PUBLISHED",
  "owning_cna":"Go",
  "dateUpdated":"2022-12-28T14:23:56.914Z"
}

Aside from owning_cna, the rest of this information is available within a CVE record, with the possible exception of cve_year.

If "cve_year" is not just the year part of the CVE ID then we need to discuss.
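The following is an added example, not code from the cve-schema project, showing how a consumer could apply the rules proposed in this thread: the ownerCnaId and ownerCnaShortName fields are hypothetical (proposed here, not in the published schema), both must be present or both absent, an absent owner means the assigner, and the short name is checked against a CNA directory lookup. It then reconciles the /api/cve-id response quoted above with what a record alone can reproduce, deriving cve_year from the year part of the CVE ID. The orgId values, the CNA directory and the record contents are constructed placeholders.

```python
import re

# All data below is constructed for this example. The orgId values are placeholder UUIDs,
# not the real identifiers of any CNA.
ASSIGNER_ID = "00000000-0000-4000-8000-000000000001"
OTHER_CNA_ID = "00000000-0000-4000-8000-000000000002"

# Constructed stand-in for a CNA directory lookup (orgId -> shortName).
CNA_DIRECTORY = {ASSIGNER_ID: "Go", OTHER_CNA_ID: "example-cna"}

# Minimal cveMetadata of a JSON 5 record as published today: no owner fields.
RECORD_NO_OWNER = {
    "cveMetadata": {
        "cveId": "CVE-2020-28367",
        "assignerOrgId": ASSIGNER_ID,
        "assignerShortName": "Go",
        "state": "PUBLISHED",
        "dateUpdated": "2022-12-28T14:23:56.914Z",
    }
}

# Same record carrying the PROPOSED ownerCnaId / ownerCnaShortName fields (hypothetical,
# not part of the published schema): ownership has moved to another CNA.
RECORD_WITH_OWNER = {
    "cveMetadata": {
        **RECORD_NO_OWNER["cveMetadata"],
        "ownerCnaId": OTHER_CNA_ID,
        "ownerCnaShortName": "example-cna",
    }
}

# Constructed copy of the /api/cve-id response quoted in the issue.
SERVICES_CVE_ID_RESPONSE = {
    "cve_id": "CVE-2020-28367",
    "cve_year": "2020",
    "state": "PUBLISHED",
    "owning_cna": "Go",
    "dateUpdated": "2022-12-28T14:23:56.914Z",
}


def resolve_owner(record, cna_directory):
    """Return (ownerCnaId, ownerCnaShortName) under the proposed rules.

    - Neither owner field present: owner equals assigner.
    - Exactly one present: invalid, both must be filled out.
    - Both present: ownerCnaId must be a CNA in the directory and the short name
      must match the directory entry for that id.
    """
    meta = record["cveMetadata"]
    owner_id = meta.get("ownerCnaId")
    owner_name = meta.get("ownerCnaShortName")
    if owner_id is None and owner_name is None:
        return meta["assignerOrgId"], meta["assignerShortName"]
    if owner_id is None or owner_name is None:
        raise ValueError("ownerCnaId and ownerCnaShortName must both be present")
    expected_name = cna_directory.get(owner_id)
    if expected_name is None:
        raise ValueError(f"ownerCnaId {owner_id} is not a known CNA")
    if expected_name != owner_name:
        raise ValueError(
            f"ownerCnaShortName {owner_name!r} does not match directory entry {expected_name!r}"
        )
    return owner_id, owner_name


def cve_year_from_id(cve_id):
    """Year component of a CVE ID, e.g. 'CVE-2020-28367' -> '2020'."""
    match = re.fullmatch(r"CVE-(\d{4})-(\d{4,})", cve_id)
    if match is None:
        raise ValueError(f"not a CVE ID: {cve_id!r}")
    return match.group(1)


def reconcile(record, services_response, cna_directory):
    """List the /api/cve-id fields that the record (plus owner resolution) does not reproduce."""
    meta = record["cveMetadata"]
    _, owner_name = resolve_owner(record, cna_directory)
    derived = {
        "cve_id": meta["cveId"],
        "cve_year": cve_year_from_id(meta["cveId"]),
        "state": meta["state"],
        "owning_cna": owner_name,
        "dateUpdated": meta["dateUpdated"],
    }
    return [
        f"{field}: record gives {derived[field]!r}, Services gives {services_response.get(field)!r}"
        for field in derived
        if derived[field] != services_response.get(field)
    ]


if __name__ == "__main__":
    print(reconcile(RECORD_NO_OWNER, SERVICES_CVE_ID_RESPONSE, CNA_DIRECTORY))
    print(reconcile(RECORD_WITH_OWNER, SERVICES_CVE_ID_RESPONSE, CNA_DIRECTORY))
```

With no owner fields the record reproduces every field of the quoted response, so owning_cna is the only item a bulk download of JSON 5 cannot currently supply; once ownership has moved, reconcile reports the owning_cna mismatch, which is exactly the information the proposal would make public.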