[Bug/Discussion] Migrate additional version_data properties to CVE JSON 5.0

[dkoehler-boschpsirt]

Hi MITRE Team,

Currently only the version_value for an affected product structure is migrated to CVE JSON 5.0 by the converter script.

However, there are several fields which should also be migrated because affected version interpretation may change without them:

• version_affected, although not part of CVE JSON 4.0 min JSON schema.
• version_name as used in Vulnogram: e.g. CVE-2020-6769 in CVE JSON 4.0 vs. CVE-2020-6769 in CVE JSON 5.0 Review
• potential CNA-custom fields: e.g. we saw the need to add a configuration field to express e.g. hardware appliances running with a vulnerable software version (example) or products where the actual version number does not change when installing a patch for technical reasons (example)

Best Regards,
David Köhler (Bosch PSIRT)

[chandanbn]

version_name is now renamed as versionGroup in CVE JSON 5.0.

[dkoehler-boschpsirt]

Hi @chandanbn, thanks for the info.
I don't want to stretch this issue too far but do you have any recommendations/suggestions on how to express something like:

• "Appliance A is affected if a vulnerable software version is running on it"
• "Software B in version X.Y.Z is affected unless patch P is installed".
  • Note that the patch doesn't increase the actual version but replaces some DLLs
  • We are generally trying to avoid "polluting" the version_value field with free text information and keep it down to the version number.

[mprpic]

Appliance can be thought of as a product while software can be identified in packageName in the 5.0 schema:

• https://cveproject.github.io/cve-schema/schema/v5.0/docs/#oneOf_i0_containers_cna_affected_items_product
• https://cveproject.github.io/cve-schema/schema/v5.0/docs/#oneOf_i0_containers_cna_affected_items_packageName

If this is still insufficient, please open a new issue in the https://github.com/CVEProject/cve-schema/ repo to discuss any outstanding questions.