vendor/product/versions in container but not mentioned in README #41
Description
The CISAADP container has the `affected.vendor`, `affected.product`, and `affected.versions` fields in at least several hundred CVE Records, but nothing in https://github.com/cisagov/vulnrichment/blob/034bc878aecbbc99cc211b0ceafa3fc53ddb5459/README.md mentions that this should be occurring. Also, in at least a few cases, the vendor/product/versions data is inaccurate relative to both the CNA container and the references. For example, here is an off-by-one error (for the version 24.0.1) caused by erroneous replacement of `lessThanOrEqual` with `lessThan`:
- vulnrichment/2024/20xxx/CVE-2024-20794.json, lines 18 to 25 in 4395c94
- vulnrichment/2024/20xxx/CVE-2024-20794.json, lines 139 to 148 in 4395c94
If enriching vendor/product/versions is currently less important than CVSS/CWE/CPE, then one might consider an alternative design of the `affected` property:
```json
"affected": [
  {
    "cpes": [
      "cpe:2.3:a:a_legitimate_vendor_name:a_real_product_name:*:*:*:*:*:*:*:*"
    ],
    "collectionURL": "https://github.com/cisagov/vulnrichment/blob/develop/NULL-collection.md",
    "packageName": "NULL",
    "defaultStatus": "unknown"
  }
]
```
in which `collectionURL`/`packageName`/`defaultStatus` would be the same in all CISAADP containers that provide an `affected` property. Then, https://github.com/cisagov/vulnrichment/blob/develop/NULL-collection.md could offer a brief explanation that it is not really a collection, that CISA is not enriching vendor/product/versions in the initial production rollout, but (because of the current design of the CVE Record Format) JSON validation requires perfunctory non-blank values for `collectionURL`/`packageName`/`defaultStatus`.
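The `lessThanOrEqual` to `lessThan` substitution described above is the kind of discrepancy that can be caught mechanically by comparing the ADP container's version ranges against the CNA container's. The script below is an added example written for this issue, not code from the vulnrichment project; it embeds a constructed CVE Record in the CVE JSON 5.x layout (`containers.cna.affected[].versions[]` and `containers.adp[].affected[].versions[]`) with placeholder vendor, product and CVE ID values rather than the real CVE-2024-20794 data, and it assumes the CISA ADP container is identified by `providerMetadata.shortName == "CISA-ADP"`.

```python
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample record (CVE JSON 5.x shape). Vendor, product and CVE ID are
# placeholders, not the real CVE-2024-20794 contents. The CNA says "<= 24.0.1 is
# affected"; the ADP container repeats the range with lessThan, which silently
# drops version 24.0.1 from the affected set (the off-by-one in the issue).
SAMPLE_RECORD = json.loads("""
{
  "dataType": "CVE_RECORD",
  "cveMetadata": {"cveId": "CVE-0000-00000"},
  "containers": {
    "cna": {
      "affected": [{
        "vendor": "ExampleVendor",
        "product": "ExampleProduct",
        "versions": [{"version": "0", "status": "affected",
                      "lessThanOrEqual": "24.0.1", "versionType": "semver"}]
      }]
    },
    "adp": [{
      "providerMetadata": {"shortName": "CISA-ADP"},
      "affected": [{
        "vendor": "ExampleVendor",
        "product": "ExampleProduct",
        "versions": [{"version": "0", "status": "affected",
                      "lessThan": "24.0.1", "versionType": "semver"}]
      }]
    }]
  }
}
""")


def _bound(version_entry: Dict) -> Optional[Tuple[str, str]]:
    """Return (bound_kind, bound_value) for a versions[] entry, or None if it is a single version."""
    for key in ("lessThan", "lessThanOrEqual"):
        if key in version_entry:
            return key, version_entry[key]
    return None


def _index_affected(container: Dict) -> Dict[Tuple[str, str], Dict[str, Dict]]:
    """Index a container's affected[] entries as {(vendor, product): {range_start: versions_entry}}."""
    index: Dict[Tuple[str, str], Dict[str, Dict]] = {}
    for entry in container.get("affected", []):
        key = (entry.get("vendor"), entry.get("product"))
        for v in entry.get("versions", []):
            index.setdefault(key, {})[v.get("version")] = v
    return index


def find_bound_mismatches(record: Dict, adp_short_name: str = "CISA-ADP") -> List[Dict]:
    """Compare the named ADP container's version ranges with the CNA's, keyed by
    (vendor, product, range start). Reports ranges the CNA never stated and ranges
    whose upper bound differs in kind (lessThan vs lessThanOrEqual) or value."""
    containers = record["containers"]
    cna_index = _index_affected(containers["cna"])
    mismatches: List[Dict] = []
    for adp in containers.get("adp", []):
        if adp.get("providerMetadata", {}).get("shortName") != adp_short_name:
            continue
        for (vendor, product), ranges in _index_affected(adp).items():
            cna_ranges = cna_index.get((vendor, product))
            for start, adp_entry in ranges.items():
                cna_entry = (cna_ranges or {}).get(start)
                base = {"vendor": vendor, "product": product, "start": start}
                if cna_entry is None:
                    mismatches.append({**base, "kind": "range_not_in_cna"})
                    continue
                cna_bound, adp_bound = _bound(cna_entry), _bound(adp_entry)
                if cna_bound != adp_bound:
                    mismatches.append({**base, "kind": "bound_mismatch",
                                       "cna": cna_bound, "adp": adp_bound})
    return mismatches


def describe(mismatch: Dict) -> str:
    """Render one mismatch as a short reviewer-facing message."""
    where = f"{mismatch['vendor']}/{mismatch['product']} (from {mismatch['start']})"
    if mismatch["kind"] == "range_not_in_cna":
        return f"{where}: ADP states a range the CNA container does not"
    cna, adp = mismatch["cna"], mismatch["adp"]
    return f"{where}: CNA bound {cna}, ADP bound {adp}"


if __name__ == "__main__":
    for m in find_bound_mismatches(SAMPLE_RECORD):
        print(describe(m))
```

Run against the sample, the check reports a single `bound_mismatch` for the `ExampleVendor/ExampleProduct` range starting at `0`, with the CNA bound `("lessThanOrEqual", "24.0.1")` and the ADP bound `("lessThan", "24.0.1")`. The comparison is keyed on the range start rather than on list position so that reordered entries do not produce false positives; it deliberately does not try to interpret `versionType`, because a kind mismatch on the same boundary value is already wrong regardless of how versions are ordered.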