mozilla / foundation-security-advisories

Canonical source for Mozilla Foundation Security Advisories. http://www.mozilla.org/security/announce/
Mozilla Public License 2.0

`adp` field with "CISA ADP Vulnrichment" data gets overridden by us (because of lacking CVE 5.1 support) #141

Closed maltejur closed 4 weeks ago

maltejur commented 1 month ago

Looking through the log of https://github.com/mozilla/foundation-security-advisories/actions/runs/10692809635/job/29641916920, I noticed that we delete some data when updating already published advisories. For example:

-> CVE-2024-8381
--- Remote  2024-09-03 21:22:43 UTC
+++ Local   2024-09-04 00:26:20 UTC
@@ -1,107 +1,5 @@
 {
   "containers": {
-    "adp": [
-      {
-        "affected": [
-          {
-            "cpes": [
-              "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*"
-            ],
-            "defaultStatus": "unknown",
-            "product": "firefox",
-            "vendor": "mozilla",
-            "versions": [
-              {
-                "lessThan": "130",
-                "status": "affected",
-                "version": "0",
-                "versionType": "custom"
-              }
-            ]
-          },
-          {
-            "cpes": [
-              "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*"
-            ],
-            "defaultStatus": "unknown",
-            "product": "firefox_esr",
-            "vendor": "mozilla",
-            "versions": [
-              {
-                "lessThan": "128.2",
-                "status": "affected",
-                "version": "0",
-                "versionType": "custom"
-              },
-              {
-                "lessThan": "115.15",
-                "status": "affected",
-                "version": "0",
-                "versionType": "custom"
-              }
-            ]
-          }
-        ],
-        "metrics": [
-          {
-            "cvssV3_1": {
-              "attackComplexity": "LOW",
-              "attackVector": "NETWORK",
-              "availabilityImpact": "HIGH",
-              "baseScore": 9.8,
-              "baseSeverity": "CRITICAL",
-              "confidentialityImpact": "HIGH",
-              "integrityImpact": "HIGH",
-              "privilegesRequired": "NONE",
-              "scope": "UNCHANGED",
-              "userInteraction": "NONE",
-              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
-              "version": "3.1"
-            }
-          },
-          {
-            "other": {
-              "content": {
-                "id": "CVE-2024-8381",
-                "options": [
-                  {
-                    "Exploitation": "none"
-                  },
-                  {
-                    "Automatable": "yes"
-                  },
-                  {
-                    "Technical Impact": "total"
-                  }
-                ],
-                "role": "CISA Coordinator",
-                "timestamp": "2024-09-03T15:55:45.647342Z",
-                "version": "2.0.3"
-              },
-              "type": "ssvc"
-            }
-          }
-        ],
-        "problemTypes": [
-          {
-            "descriptions": [
-              {
-                "cweId": "CWE-843",
-                "description": "CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')",
-                "lang": "en",
-                "type": "CWE"
-              }
-            ]
-          }
-        ],
-        "providerMetadata": {
-          "dateUpdated": "2024-09-03T15:57:38.939Z",
-          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
-          "shortName": "CISA-ADP"
-        },
-        "title": "CISA ADP Vulnrichment"
-      }
-    ],
     "cna": {
       "affected": [
         {
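Review bot: the local side deletes the whole `adp` container instead of leaving it alone, which is the data loss described above; the entry carries `providerMetadata.shortName` `CISA-ADP` with CVSS 3.1 metrics, SSVC options and a CWE-843 problem type, none of which this repository produces. The updater should rewrite only the `cna` container it owns and carry every other key under `containers` through untouched, including containers it has never seen, rather than rebuilding `containers` from scratch.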
@@ -188,5 +86,5 @@
     }
   },
   "dataType": "CVE_RECORD",
-  "dataVersion": "5.1"
+  "dataVersion": "5.0"
 }
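Review bot: `dataVersion` is written as `5.0` although the fetched record says `5.1`, so the emitted version is evidently hardcoded rather than derived from the record. The updater should never publish a lower `dataVersion` than the one it fetched; either keep the remote value or, as the reporter suggests, declare `5.1` once the record is emitted in that format.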

This seems to have been caused by the new CVE 5.1 format published a few months ago. From https://cveproject.github.io/cve-schema:

Note: The CVE Record Format now supports Authorized Data Publisher (ADP) containers; there is one active ADP currently. The CVE Program uses a separate ADP container to provide additional CVE information (e.g., references) for some records. Access this README.md page here for more information about the CVE Program Container.

This should be a relatively easy fix, with which we can also declare our data to now be in CVE 5.1 format. Additionally, we should probably also ensure that this doesn't happen again in the future when a new field is added that the code does not know about.
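The fix sketched above, replacing only the CNA container while carrying every other key through and never downgrading `dataVersion`, together with a pre-publish guard for the "field the code does not know about" case, as an added Python example. It is not code from this repository; the record shapes and the `SUPPORTED_VERSION` constant are constructed for the example.

```python
"""Added example, not code from mozilla/foundation-security-advisories:
update a published CVE record by replacing only the CNA container, so the
CISA ADP container from the diff (and any future container this code has
never heard of) survives and dataVersion is never downgraded."""
import copy
SUPPORTED_VERSION = "5.1"  # newest CVE JSON schema version this tool emits

# Constructed: the record as fetched from CVE Services (remote side), trimmed.
REMOTE = {
    "dataType": "CVE_RECORD",
    "dataVersion": "5.1",
    "cveMetadata": {"cveId": "CVE-2024-8381"},
    "containers": {
        "cna": {"descriptions": [{"lang": "en", "value": "old text"}]},
        "adp": [{"title": "CISA ADP Vulnrichment"}],
    },
}
# Constructed: the CNA container regenerated from the local advisory.
LOCAL_CNA = {"descriptions": [{"lang": "en", "value": "new text"}]}

def _version_key(version):
    return tuple(int(part) for part in version.split("."))

def merge_cna(remote, local_cna):
    """Copy of `remote` with only containers.cna replaced; every other key
    is carried through and dataVersion keeps the newer of the two values."""
    merged = copy.deepcopy(remote)
    merged["containers"]["cna"] = copy.deepcopy(local_cna)
    merged["dataVersion"] = max(remote.get("dataVersion", "5.0"),
                                SUPPORTED_VERSION, key=_version_key)
    return merged

def dropped_paths(before, after, prefix=""):
    """Paths of object keys present in `before` but missing from `after`."""
    missing = []
    if isinstance(before, dict) and isinstance(after, dict):
        for key, value in before.items():
            path = f"{prefix}/{key}"
            if key not in after:
                missing.append(path)
            else:
                missing.extend(dropped_paths(value, after[key], path))
    return missing

def check_update(remote, local_cna):
    """Merge, then list keys lost outside the container we own. A non-empty
    list means the update would delete data we did not produce: reject it."""
    merged = merge_cna(remote, local_cna)
    lost = [p for p in dropped_paths(remote, merged)
            if not p.startswith("/containers/cna")]
    return merged, lost
```

Running `dropped_paths(REMOTE, naive)` against a record rebuilt from scratch with only the CNA container reports `/cveMetadata` and `/containers/adp`, which is exactly the loss visible in the diff above.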