affected vendors/affectsCpe could cause ambiguity #41
Comments
|
affectsCpe can have a flattened list of vendor/product/version tree. For eg.,
can be
Ensuring consistency between them seems outside the scope of schema definition. We discussed tabling affectsSwid for now from v5. |
|
@chandanbn The problem is that most vendors don't consider the product object in this schema to be identifiable across disparate systems. That's what CPE is for. So if a particular product object specifies the affected versions and components, not being able to link it to data from e.g. CSAF advisories through a CPE identifier makes the entire product object pointless. Pretty much every other spec that deals with software identification defines a CPE on the individual component level: |
chandanbn
modified the milestones:
CVE Record JSON Format v5.0,
CVE Record JSON Format v5.1
|
With refactoring vendor->product tree to a flat list of products in #86, the list of affected CPEs can be attached to a product object. It would be a Cartesian product of product names x platforms x affected versions. Eg Does this address your concern here? |
It does! And #99 solves this nicely. |
- Changed affected from object with array of vendor objects
with array of products to just plain array of products.
- Added vendor string to product object.
- Renamed productName to product in product object.
- Added cpes array of string to product object,
replacing affectsCpes inside old affected object.
- Reordered property list in product object
to put all identifying fields first.
- Changed programRoutines to be array of objects, not array of strings.
- Defined that product object:
- Requires a product identification, at least one of:
- vendor and product
- collectionURL and packageName
- cpes
- Also requires versions.
- Expands CPE definition (previously unspecified).
Based on discussion on issue CVEProject#86.
Fixes CVEProject#41.
Fixes CVEProject#86.
- Changed affected from object with array of vendor objects
with array of products to just plain array of products.
- Added vendor string to product object.
- Renamed productName to product in product object.
- Added cpes array of string to product object,
replacing affectsCpes inside old affected object.
- Reordered property list in product object
to put all identifying fields first.
- Changed programRoutines to be array of objects, not array of strings.
- Defined that product object:
- Requires a product identification, at least one of:
- vendor and product
- collectionURL and packageName
- cpes
- Also requires versions.
- Expands CPE definition (previously unspecified).
Based on discussion on issue CVEProject#86.
Fixes CVEProject#41.
Fixes CVEProject#86.
- Changed affected from object with array of vendor objects
with array of products to just plain array of products.
- Added vendor string to product object.
- Renamed productName to product in product object.
- Added cpes array of string to product object,
replacing affectsCpes inside old affected object.
- Reordered property list in product object
to put all identifying fields first.
- Changed programRoutines to be array of objects, not array of strings.
- Defined that product object:
- Requires a product identification, at least one of:
- vendor and product
- collectionURL and packageName
- cpes
- Also requires versions.
- Expands CPE definition (previously unspecified).
Based on discussion on issue CVEProject#86.
Fixes CVEProject#41.
Fixes CVEProject#86.
- Changed affected from object with array of vendor objects
with array of products to just plain array of products.
- Added vendor string to product object.
- Renamed productName to product in product object.
- Added cpes array of string to product object,
replacing affectsCpes inside old affected object.
- Reordered property list in product object
to put all identifying fields first.
- Changed programRoutines to be array of objects, not array of strings.
- Defined that product object:
- Requires a product identification, at least one of:
- vendor and product
- collectionURL and packageName
- cpes
- Also requires versions.
- Expands CPE definition (previously unspecified).
Based on discussion on issue CVEProject#86.
Fixes CVEProject#41.
Fixes CVEProject#86.
- Changed affected from object with array of vendor objects
with array of products to just plain array of products.
- Added vendor string to product object.
- Renamed productName to product in product object.
- Added cpes array of string to product object,
replacing affectsCpes inside old affected object.
- Reordered property list in product object
to put all identifying fields first.
- Changed programRoutines to be array of objects, not array of strings.
- Defined that product object:
- Requires a product identification, at least one of:
- vendor and product
- collectionURL and packageName
- Also requires versions.
- Expands CPE definition (previously unspecified).
Based on discussion on issue CVEProject#86.
Fixes CVEProject#41.
Fixes CVEProject#86.
I am not sure all of the semantics behind choosing one of
affected.affectsCpe,affected.vendors, oraffected.affectsSwid, but currently, the schema allows for potentially all 3 to be submitted. However,affected.vendorscan contain multiple products in and of itself, each of which could have separate CPEs. Can/should we moveaffectsCpeelsewhere?The text was updated successfully, but these errors were encountered: