Move Disputed To CVE State

[jgamblin]

The CNA tags includes a 'Disputed" label that would make much more sense as a CVE state.

The three states would then be:

• Published
• Rejected
• Disputed

As of 9/26 the breakdown of CVE State is:

PUBLISHED    249255
REJECTED      14429

[jayjacobs]

Could you expand on what benefit you would expect to see from this change? Also, why just DISPUTED? What about some of the keywords that have been used (and some new ones I haven't seen until recently)? Are these less helpful?

REJECTED      14436
DEADLOCK         15
DISPUTED          9
UNVERIFIABLE      5
SPLIT             1
UAF               1

[jgamblin]

The change would be to identify the "State" of a CVE quickly, but it appears that Tags have taken over this instead and have started to be used in the last few weeks.

Disputed seemed to be the most common state after Rejected, with a GitHub search showing over 1,000 CVEs containing the string ** DISPUTED **

Someone may have made a data change, added disputed to tags, and removed the ** from being displayed on the CVE.org website, but that description is still present in the JSON.
https://www.cve.org/CVERecord?id=CVE-2020-8812 https://github.com/CVEProject/cvelistV5/blob/5bc42f06ee73702307c480a5ebd35abaa41e3165/cves/2020/8xxx/CVE-2020-8812.json#L85 https://nvd.nist.gov/vuln/detail/CVE-2020-8812

[jayjacobs]

Is DISPUTED a secondary state? For example, could a CVE be DISPUTED and then additionally either published or rejected? (I think the answer is yes to that?) To your point, maybe we treat disputed (and "unverifiable", etc) as a tag?

Also, I think your 1000's of matches are finding it in the X_legacyV4 section of most of the CVEs. The current v5 data only has 9 that match that.

[jgamblin]

To me, disputed is a primary state because it means the vendor is unlikely ever to patch it making the CVE not useful?

I pulled all the tag counts (from NVD data), and it was these today which are different from your list?

Tag
Blank                                    262848
[disputed]                                 1254
[unsupported-when-assigned]                 404
[exclusively-hosted-service]                 19
[unsupported-when-assigned, disputed]         1

Here are all the CVEs with Tags in a CSV File.

[jayjacobs]

Okay, in the cvelistv5 data, there exists the containers.cna.tags list that has these counts (as of a month ago, I need to updated my local data):

 tags                                n
 disputed                         1244
 unsupported-when-assigned         391
 exclusively-hosted-service         14
 x_open-source                       5
 x_known-exploited-vulnerability     3
 x_nt_ware                           2
... < 10 more silly x_tags >

Would these tags not allow a consumer to identify the CVEs that are disputed? Or are you suggesting that by making it a top level state, that it becomes more apparent because being DISPUTED is very important? And to my question before, can a CVE be both REJECTED and DISPUTED? Or would DISPUTED always imply it is also published?

[jgamblin]

A CVE can't be both Rejected and Disputed. Disputed seems to be a "limbo" state between the Published and Rejected, but does it feel more important than a normal tag? The Disputed tag would be a time-limited tag in a perfect world until the reporter and software owner agree on the final state of the CVE.

At present, if you want to get a full list of "Accepted" CVEs, you have to do a double filtering of removing the Rejected and then a second filtering on Disputed.