original assigner vs. owner #116
Related to/partial duplicate of: CVEProject/cve-website#1224
owning_cna can be accessed via Services API: https://cveawg.mitre.org/api/cve-id/CVE-2020-28367
Proposal: Add new ownerCnaId and ownerCnaShortName fields to JSON schema, basically matching assignerOrgId and assignerShortName. Unless the owner* values are filled out, treat them as equal to assigner*. Both owner* values must be filled out, which I think is similar to assigner*, and *ShortName should be looked up based on *OrgId. I think this means that owner MUST be a CNA, is that a problem?
Proposal 2: Make ownership (and other?) change/transaction logs/history public. Possibly within a CVE record, so there is one self-contained place to look. This should probably be a separate issue.
Overall, eliminate or minimize the need for separate sources of CVE entry data. https://cveawg.mitre.org/api/cve-id/CVE-2020-28367
Aside from owning_cna, the rest of this information is available within a CVE record, with the possible exception of cve_year. If "cve_year" is not just the year part of the CVE ID then we need to discuss.
...and, as a JSON schema change, this probably belongs in QWG.
Moved to CVEProject/cve-schema#294
On the 2023-01-11 SPWG meeting, during a discussion about bulk download, this came up:
3.a. Ownership might have been stored in JSON 4 (but I don't readily see where)
CVE Services, with knowledge of the non-public ownership, can (broken at the moment?) provide a CNA with their currently owned records.
JSON 5 alone, e.g., as a bulk download format, contains neither ownership information nor transaction information.
Regardless of where ownership and transaction information is stored, it should be available publicly.