vendor/product/versions in container but not mentioned in README #41
Comments
This looks like it's blocked, or possibly just influenced by, this upstream issue in CPE-land: CVEProject/cve-schema#321 . More cycles shall be spent on this to figure out how to best solve this issue for everyone, not just ADPs or CVEs.
An option is to document the behavior (in the README), at least until a more lasting solution or decision is in place.
Still blocked by CVEProject/cve-schema#321 .
Currently being discussed at Quality Working Group in CVE.
Signed-off-by: Art Manion <[email protected]>
Looks good to me!

* cpes, affected, versions, #41
Signed-off-by: Art Manion <[email protected]>
* 2 spaces per indent
Signed-off-by: Art Manion <[email protected]>
---------
Signed-off-by: Art Manion <[email protected]>
Hi @ElectricNroff ! Is this actually resolved by #117?
So, I'm pretty sure this is resolved, and at the very least, it's documented. If this should be re-opened, please blink twice!
The CISAADP container has the affected.vendor, affected.product, and affected.versions fields in at least several hundred CVE Records, but nothing in https://github.com/cisagov/vulnrichment/blob/034bc878aecbbc99cc211b0ceafa3fc53ddb5459/README.md mentions that this should be occurring. Also, in at least a few cases, the vendor/product/versions data is inaccurate relative to both the CNA container and the references. For example, here is an off-by-one error (for the version 24.0.1) caused by erroneous replacement of lessThanOrEqual with lessThan:
vulnrichment/2024/20xxx/CVE-2024-20794.json
Lines 18 to 25 in 4395c94
vulnrichment/2024/20xxx/CVE-2024-20794.json
Lines 139 to 148 in 4395c94
If enriching vendor/product/versions is currently less important than CVSS/CWE/CPE, then one might consider an alternative design of the affected property:
in which collectionURL/packageName/defaultStatus would be the same in all CISAADP containers that provide an affected property. Then, https://github.com/cisagov/vulnrichment/blob/develop/NULL-collection.md could offer a brief explanation that it is not really a collection, that CISA is not enriching vendor/product/versions in the initial production rollout, but (because of the current design of the CVE Record Format) JSON validation requires perfunctory non-blank values for collectionURL/packageName/defaultStatus.
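The off-by-one the issue describes (an ADP container turning the CNA's `lessThanOrEqual` into `lessThan`) is the kind of discrepancy a consumer can catch mechanically by resolving both containers' `versions` lists and comparing the affected status of a few probe versions. The following is an added example written for this thread, not code from vulnrichment or the CVE project; the two product objects are constructed to mirror the described error rather than copied from CVE-2024-20794, and the function names (`in_range`, `is_affected`, `find_disagreements`) and the simple dotted-integer version comparison are this example's own choices.

```python
"""Compare affected version ranges between a CNA and an ADP container.

Added example for this issue thread; not part of vulnrichment. The two
product objects below are constructed to reproduce the lessThanOrEqual
-> lessThan off-by-one described above; they are not real CVE data.
"""


def parse_version(v):
    """Turn a dotted version string into a comparable tuple.

    Numeric components compare as ints; any non-numeric component sorts
    after all ints. This is deliberately simple and only meant for the
    numeric-style versions this check is demonstrated on.
    """
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in v.split("."))


def in_range(version, entry):
    """Return True if `version` falls inside one CVE 5.x `versions` entry.

    The three shapes the schema allows: an exact single version, a range
    bounded by `lessThan` (exclusive upper bound), or a range bounded by
    `lessThanOrEqual` (inclusive upper bound). `entry["version"]` is the
    inclusive lower bound of a range.
    """
    v = parse_version(version)
    low = parse_version(entry["version"])
    if "lessThan" in entry:
        return low <= v < parse_version(entry["lessThan"])
    if "lessThanOrEqual" in entry:
        return low <= v <= parse_version(entry["lessThanOrEqual"])
    return v == low


def is_affected(version, product):
    """Resolve a version's status from a product's `versions` list.

    The first matching entry wins; anything not matched falls back to the
    product's `defaultStatus`.
    """
    for entry in product.get("versions", []):
        if in_range(version, entry):
            return entry.get("status") == "affected"
    return product.get("defaultStatus") == "affected"


def find_disagreements(cna_product, adp_product, probe_versions):
    """List probe versions whose affected status differs between containers."""
    return [
        v
        for v in probe_versions
        if is_affected(v, cna_product) != is_affected(v, adp_product)
    ]


# Constructed CNA product: everything up to and including 24.0.1 affected.
CNA_PRODUCT = {
    "vendor": "ExampleVendor",
    "product": "ExampleProduct",
    "defaultStatus": "unaffected",
    "versions": [
        {
            "version": "0",
            "lessThanOrEqual": "24.0.1",
            "status": "affected",
            "versionType": "custom",
        }
    ],
}

# Constructed ADP product: same range, but lessThanOrEqual became lessThan,
# so 24.0.1 is silently dropped from the affected set.
ADP_PRODUCT = {
    "vendor": "ExampleVendor",
    "product": "ExampleProduct",
    "defaultStatus": "unaffected",
    "versions": [
        {
            "version": "0",
            "lessThan": "24.0.1",
            "status": "affected",
            "versionType": "custom",
        }
    ],
}

# Probe just around the boundary: the two containers should agree on all.
PROBES = ["23.9.0", "24.0.0", "24.0.1", "24.0.2"]

if __name__ == "__main__":
    for v in find_disagreements(CNA_PRODUCT, ADP_PRODUCT, PROBES):
        print(
            f"{v}: CNA affected={is_affected(v, CNA_PRODUCT)} "
            f"ADP affected={is_affected(v, ADP_PRODUCT)}"
        )
```

Probing the boundary values of every range in the CNA container (the bound itself and its immediate neighbours) is enough to surface this class of error, because an inclusive/exclusive swap only ever changes the status of the bound value itself. A real comparison would also have to cope with `versionType` values whose ordering is not a plain dotted-integer sort, which the toy `parse_version` above does not attempt.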