Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Discuss whether Cve-Services should enforce/validate affected versions #1135

Open
jdaigneau5 opened this issue Nov 3, 2023 · 3 comments
Open

Discuss whether Cve-Services should enforce/validate affected versions #1135

jdaigneau5 opened this issue Nov 3, 2023 · 3 comments
Labels
QWG Decision

Comments

@jdaigneau5
Copy link
Collaborator

Summary

Affected versions in the 5.0 schema follow a semantic versioning pattern, which could be validated by Cve-Services, but currently is not because it's an optional field. However, this allows invalid semantic versions to be submitted in CVE records.

Definition of Done

  • Discuss whether Cve-Services should validate and enforce affected version field

Note
This is related to an overall discussion about whether optional fields should be validated by Cve-Services at all or not.
@andrewpollock
Copy link

Ultimately, I would very much love to see such enforcement happen. Where it becomes impossible to sufficiently validate the version by schema specification alone, CVE Services could then get involved at submission time, but ideally a record author would have a pretty clear idea of how their record is going to be treated by CVE Services by offline validation against the schema, prior to submission.

My thoughts on how to get to this state:

  1. A future revision of the JSON schema (say 5.2.0) defines what values are acceptable for affected[].versions[].versionType and how these values influence expectations of the values of
  • affected[].versions[].version
  • affected[].versions[].lessThan
  • affected[].versions[].lessThanOrEqual
  1. Generation tools like Vulnogram then start adhering with the schema on this (I note today that Vulnogram seems to have its own idea of what it will generate that may be above and beyond what the schema mandates today)
  2. CVE Services continues(?) to enforce schema compliance

@andrewpollock andrewpollock mentioned this issue Apr 10, 2024
Open
@jdaigneau5
Copy link
Collaborator Author

Note from 4/16/24 AWG: Discussed having smaller subschemas for validating versions. Could be warnings at first, and potentially incorporated into main schema in following releases.

@jdaigneau5 jdaigneau5 moved this to High Priority in Issue Triage Jul 2, 2024
@mprpic
Copy link
Contributor

mprpic commented Jul 30, 2024

Note from AWG meeting on Jul 30, 2024: this issue is actively being discussed in QWG issues CVEProject/cve-schema#263, CVEProject/cve-schema#264, CVEProject/cve-schema#279, and others. Nothing actionable for AWG right now. Schema-specific enforcement of data quality should be preferred over any backend-implemented validation rules. For example, if semver version data should be validated, it can be enforced at the schema level with a specific regex that checks for valid semver versions.

@jdaigneau5 jdaigneau5 moved this from High Priority to Needs Triage in Issue Triage Jul 31, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
QWG Decision
Projects
Issue Triage
Status: Needs Triage
Milestone
No milestone
Development

No branches or pull requests
3 participants
@mprpic @andrewpollock @jdaigneau5