-
Notifications
You must be signed in to change notification settings - Fork 2
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Check for n/a
in vendor
#10
Comments
Technically the schema for the
but I feel like if
which is pretty meh, or:
or even better:
which I now realize breaks our version check since a purl contains plenty of weird non-version-looking characters. But using purls in the version field is the recommended way to specify them: CVEProject/cve-schema#173 (comment) So I may modify the existing version check to ignore any fields that start with Side question: even if CNAs start filling out the |
@andrewpollock, any thoughts on the above? |
The objective is to as authoritatively as possible programmatically identify the subject of the vulnerability. I think we can have a heuristic for ways to consider that achievable:
I just discovered https://github.com/CVEProject/cve-schema/blob/master/schema/docs/versions.md while I was trying to do some research to provide a more informed response. I thought purls were more of a first-class thing in CVE 5.1, but I can't find any explicit mention of them? Yes, |
purl is technically supported as part of the
although there aren't any references to it in the docs I think. |
I've observed
n/a
in theaffected[].vendor
field in the wild.Example CVE: https://cveawg.mitre.org/api/cve/CVE-2023-22799
The text was updated successfully, but these errors were encountered: