vendor/product/versions in container but not mentioned in README #41

Closed
@ElectricNroff

Description

The CISAADP container has the affected.vendor, affected.product, and affected.versions fields in at least several hundred CVE Records, but nothing in https://github.com/cisagov/vulnrichment/blob/034bc878aecbbc99cc211b0ceafa3fc53ddb5459/README.md mentions that this should be occurring. Also, in at least a few cases, the vendor/product/versions data is inaccurate relative to both the CNA container and the references. For example, here is an off-by-one error (for the version 24.0.1) caused by erroneous replacement of lessThanOrEqual with lessThan:

CNA container:

```json
"product": "Animate",
"vendor": "Adobe",
"versions": [
  {
    "lessThanOrEqual": "24.0.1",
    "status": "affected",
    "version": "0",
    "versionType": "semver"
```

CISAADP container:

```json
    "cpe:2.3:a:adobe:animate:*:*:*:*:*:*:*:*"
],
"vendor": "adobe",
"product": "animate",
"versions": [
  {
    "status": "affected",
    "version": "*",
    "lessThan": "24.0.1 ",
    "versionType": "custom"
```

If enriching vendor/product/versions is currently less important than CVSS/CWE/CPE, then one might consider an alternative design of the affected property:

```json
"affected": [
  {
    "cpes": [
      "cpe:2.3:a:a_legitimate_vendor_name:a_real_product_name:*:*:*:*:*:*:*:*"
    ],
    "collectionURL": "https://github.com/cisagov/vulnrichment/blob/develop/NULL-collection.md",
    "packageName": "NULL",
    "defaultStatus": "unknown"
  }
]
```

in which collectionURL/packageName/defaultStatus would be the same in all CISAADP containers that provide an affected property. Then, https://github.com/cisagov/vulnrichment/blob/develop/NULL-collection.md could offer a brief explanation that it is not really a collection, that CISA is not enriching vendor/product/versions in the initial production rollout, but (because of the current design of the CVE Record Format) JSON validation requires perfunctory non-blank values for collectionURL/packageName/defaultStatus.
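A small consistency check for the off-by-one pattern reported above, added here as an example and not part of the issue or of the vulnrichment project. It compares the version entries of the CNA container with those of an ADP container and flags any inclusive upper bound (lessThanOrEqual) that the ADP container restates as an exclusive one (lessThan) on the same version string; the sample data is constructed to mirror the Adobe Animate excerpt, and the record-walking helper assumes the CVE Record Format 5.x layout (`containers.cna` and a `containers.adp` list whose entries carry `providerMetadata.shortName`).

```python
"""Flag lessThanOrEqual -> lessThan drift between CNA and ADP containers."""
from typing import Iterable


def _upper_bounds(versions: Iterable[dict]) -> list[tuple[str, str]]:
    """Return (bound_kind, bound_value) for every affected range entry.
    Values are stripped because ADP data may carry trailing whitespace."""
    bounds = []
    for v in versions:
        if v.get("status") != "affected":
            continue
        for kind in ("lessThanOrEqual", "lessThan"):
            if kind in v:
                bounds.append((kind, str(v[kind]).strip()))
    return bounds


def find_bound_mismatches(cna_versions, adp_versions) -> list[str]:
    """Findings where the ADP container turned an inclusive bound into an
    exclusive one for the same version string (the version silently drops
    out of the affected range)."""
    findings = []
    adp = _upper_bounds(adp_versions)
    for kind, value in _upper_bounds(cna_versions):
        if kind != "lessThanOrEqual":
            continue
        if ("lessThan", value) in adp:
            findings.append(f"CNA says lessThanOrEqual {value}, ADP says "
                            f"lessThan {value}: {value} is no longer affected")
    return findings


def check_record(record: dict, adp_short_name: str = "CISA-ADP") -> list[str]:
    """Walk a full CVE record (assumed 5.x layout) and check each CNA
    affected entry against every affected entry of the named ADP container."""
    containers = record.get("containers", {})
    cna_affected = containers.get("cna", {}).get("affected", [])
    adps = [a for a in containers.get("adp", [])
            if a.get("providerMetadata", {}).get("shortName") == adp_short_name]
    findings = []
    for adp in adps:
        for cna_entry in cna_affected:
            for adp_entry in adp.get("affected", []):
                findings += find_bound_mismatches(cna_entry.get("versions", []),
                                                  adp_entry.get("versions", []))
    return findings


# Constructed sample mirroring the excerpt in the issue (note the trailing space).
CNA_VERSIONS = [{"lessThanOrEqual": "24.0.1", "status": "affected",
                 "version": "0", "versionType": "semver"}]
ADP_VERSIONS = [{"status": "affected", "version": "*",
                 "lessThan": "24.0.1 ", "versionType": "custom"}]
```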

Labels: blocked (awaiting the outcome of another issue or pull request), bug, cpe