OSSIndex / vulns

Report missing advisories and corrections on OSS Index

CVEs are REJECTed in NVD and should be removed #333

Open flemminglau opened 1 year ago

flemminglau commented 1 year ago

- CVE-2022-40154
- CVE-2022-40155
- CVE-2022-40156
- CVE-2022-41852
- CVE-2022-40157
- CVE-2022-40158
- CVE-2022-40161
- CVE-2022-41946

msymons commented 1 year ago

I strongly believe that a CVE that has been rejected should NOT be removed from OSS Index... but the system needs to support reflecting that the CVE has been rejected. And that might mean that additions to the API are needed.

Keeping the CVE but providing such status information allows downstream consumers to maintain accurate audit trails... and for their consumers to do the same. I.e., there is an impact on VEX, etc. And this might have regulatory compliance angles (e.g. if/when the CRA comes into effect in the European Union).

Basically, it is important that an advisory should not just "poof" from the system.

Oh, and on a side note... OSS Index data should also be able to reflect that a CVE is disputed.
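The status-tracking model argued for above, as an added illustration that is not OSS Index code: rejected and disputed CVEs stay in the advisory store, gain a status and an append-only audit entry, and only the "what should a scanner still alert on" view filters them out. The record shape borrows two NVD API 2.0 fields (vulnStatus and the disputed cveTag), but the records and the CVE-0000-xxxx placeholder ids are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed NVD-style records; only the two fields this example needs are modelled.
# The first two ids are from the issue above, the CVE-0000-* ids are placeholders.
NVD_RECORDS = {
    "CVE-2022-40154": {"vulnStatus": "Rejected", "cveTags": []},
    "CVE-2022-41946": {"vulnStatus": "Rejected", "cveTags": []},
    "CVE-0000-0001": {"vulnStatus": "Analyzed", "cveTags": ["disputed"]},
    "CVE-0000-0002": {"vulnStatus": "Analyzed", "cveTags": []},
}


@dataclass
class Advisory:
    cve: str
    status: str = "active"                       # active | disputed | rejected
    history: list = field(default_factory=list)  # append-only (as_of, old, new) audit trail


def derive_status(record):
    """Map an NVD record to the advisory status the store should carry."""
    if record.get("vulnStatus") == "Rejected":
        return "rejected"
    if "disputed" in record.get("cveTags", []):
        return "disputed"
    return "active"


def reconcile(store, nvd, as_of):
    """Refresh every advisory against NVD: never delete, only change status and log it."""
    for adv in store.values():
        record = nvd.get(adv.cve)
        if record is None:
            continue  # no NVD data for this id: leave the advisory untouched
        new = derive_status(record)
        if new != adv.status:  # idempotent: a repeated run with no change logs nothing
            adv.history.append((as_of, adv.status, new))
            adv.status = new
    return store


def active_ids(store):
    """The ids a scanner should still alert on; rejected entries stay stored but are hidden."""
    return sorted(a.cve for a in store.values() if a.status != "rejected")


def new_store(ids):
    return {i: Advisory(i) for i in ids}


if __name__ == "__main__":
    store = reconcile(new_store(NVD_RECORDS), NVD_RECORDS, "2024-01-01")
    for adv in store.values():
        print(adv.cve, adv.status, adv.history)
```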

ken-duck commented 1 year ago

Hi!

The majority of these have been removed from OSS Index. I have raised an internal ticket on the ones that do not appear to have been dealt with yet.

I have been working on our roadmap for this year, and I do like the suggestion about tracking issues that have been removed from NVD. I am adding the story to our board, though I cannot be certain when this change will happen.

For the record, we are migrating to a new email-based reporting system in order to better mesh with our internal processes, which will allow us to be more reactive to our users.

As such, if you notice further issues or would like to follow up on this one, please email ossindex@sonatype.org