When vendor CNAs provide information about affected products, that information is included in published entries.
When CNAs or other parties who are not vendor CNAs submit entries, any product information is stripped and replaced with "n/a." In JSON 4 this includes fields like version_value, version_affected, product_name, vendor_name within the "affects" element. Also problemtype is stripped.
I was concerned this was some sort of bug; it is intentional behavior.
An example:
Product information submitted by non-vendor: CVEProject/cvelist@4f7a575
Product and problem type information is removed: CVEProject/cvelist@7fcef33
https://github.com/CVEProject/cvelist/commits/master/2022/24xxx/CVE-2022-24106.json
CVEProject/cvelist#7712
Presumably past discussion led to this policy decision; a likely concern was that non-vendor CNAs would (intentionally or otherwise) provide enough inaccurate information that, on balance, this would negatively affect quality. One trade-off is that information of reasonable quality is not accepted.
We should reconsider this policy. At least non-vendor (or not-the-vendor) CNAs should be permitted to submit affected product information.
ADP containers in JSON 5 may provide a technical solution.
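To make the described JSON 4 behavior concrete, the following is an added example (not code from the issue author, the cvelist repository, or the CVE program). It models the stripping rule as stated above, walks the `affects` tree to list the vendor/product/version fields involved, and gives a consumer-side check for telling a stripped record from one that carries real product data. The record is constructed: the CVE ID, vendor, product, version and CWE values are placeholders. The exact shape of a stripped `problemtype` (a single "n/a" description) is an assumption, as are the function names.

```python
import copy
import json

NA = "n/a"

# Constructed JSON 4.0 record standing in for a non-vendor CNA submission.
# CVE ID, vendor, product, version and CWE are placeholders, not real data.
SUBMITTED = {
    "CVE_data_meta": {"ID": "CVE-2022-99999", "ASSIGNER": "cna@example.org", "STATE": "PUBLIC"},
    "data_format": "MITRE",
    "data_type": "CVE",
    "data_version": "4.0",
    "affects": {"vendor": {"vendor_data": [{
        "vendor_name": "ExampleVendor",
        "product": {"product_data": [{
            "product_name": "ExampleProduct",
            "version": {"version_data": [
                {"version_affected": "<", "version_value": "2.3.1"},
            ]},
        }]},
    }]}},
    "problemtype": {"problemtype_data": [
        {"description": [{"lang": "eng", "value": "CWE-79"}]},
    ]},
    "description": {"description_data": [
        {"lang": "eng", "value": "Constructed description text."},
    ]},
    "references": {"reference_data": [
        {"refsource": "MISC", "name": "https://example.org/advisory",
         "url": "https://example.org/advisory"},
    ]},
}


def _na_affects():
    """The all-n/a 'affects' skeleton that replaces non-vendor product data."""
    return {"vendor": {"vendor_data": [{
        "vendor_name": NA,
        "product": {"product_data": [{
            "product_name": NA,
            "version": {"version_data": [{"version_value": NA}]},
        }]},
    }]}}


def _na_problemtype():
    """Assumed shape of a stripped problemtype: one n/a description."""
    return {"problemtype_data": [{"description": [{"lang": "eng", "value": NA}]}]}


def publish(record, submitter_is_vendor_cna):
    """Model of the policy in the issue: a vendor CNA's product data is kept;
    anyone else's 'affects' and 'problemtype' are replaced with n/a.
    The input record is not modified."""
    out = copy.deepcopy(record)
    if not submitter_is_vendor_cna:
        out["affects"] = _na_affects()
        out["problemtype"] = _na_problemtype()
    return out


def iter_versions(record):
    """Yield (vendor_name, product_name, version_affected, version_value)
    for every version entry in a JSON 4 'affects' tree."""
    for vendor in record.get("affects", {}).get("vendor", {}).get("vendor_data", []):
        for product in vendor.get("product", {}).get("product_data", []):
            for ver in product.get("version", {}).get("version_data", []):
                yield (
                    vendor.get("vendor_name", NA),
                    product.get("product_name", NA),
                    ver.get("version_affected"),
                    ver.get("version_value", NA),
                )


def problemtype_values(record):
    """All problemtype description values (e.g. CWE IDs) in a JSON 4 record."""
    return [
        d.get("value", NA)
        for pt in record.get("problemtype", {}).get("problemtype_data", [])
        for d in pt.get("description", [])
    ]


def has_product_info(record):
    """True when any vendor/product/version field is something other than n/a.
    Lets a consumer distinguish a stripped record from one with real data."""
    return any(
        field != NA
        for vendor, product, _, value in iter_versions(record)
        for field in (vendor, product, value)
    )


def has_problemtype(record):
    """True when at least one problemtype value is not n/a."""
    return any(v != NA for v in problemtype_values(record))


if __name__ == "__main__":
    # Show what a non-vendor submission looks like after publication.
    print(json.dumps(publish(SUBMITTED, False), indent=2))
```

Note that `description` and `references` pass through untouched in this model, matching the issue's point that only the `affects` subtree and `problemtype` are replaced; downstream tooling that keys on `version_affected` should expect that field to be absent, not "n/a", in a stripped record.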