Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Question/Discussion] Separate attributes for different CVE states in JSON schema (v5.13) #91

Closed
mprpic opened this issue Jul 21, 2020 · 3 comments
Closed

[Question/Discussion] Separate attributes for different CVE states in JSON schema (v5.13) #91

mprpic opened this issue Jul 21, 2020 · 3 comments

Comments

@mprpic
Copy link
Collaborator

mprpic commented Jul 21, 2020

Looking at cve513.schema, the root level attributes that contain the actual CVE meta data must be under one of:

  • CVE_data_meta_public
  • CVE_data_meta_reserved
  • CVE_data_meta_reject

Is there a specific reason why the attribute name changes depending on the CVE's state despite the fact that STATE is a property of each of those attributes? This makes it more difficult to parse the JSON and does not really provide any extra value since the state is available as a child property anyway.

Also, is there a reason the REJECT state is not named REJECTED to stay consistent with RESERVED?
@jwhitmore-mitre
Copy link
Contributor

Those 3 names are just reference tags to navigate the schema.
The CVE schema requirements change with the CVE state (PUBLIC, RESERVED, REJECT), If you follow that each of those tags you'll find that they define the content for CVE_data_meta and that they do not create an additional property value. A simplistic interpretation is the value of those properties is substituted the $ref property with their value.
Any JSON produced against this schema should only have the CVE_data_meta property and not the *_public, *_reserved, *_reject reference tags.

@jwhitmore-mitre
Copy link
Contributor

The REJECT state value, we will verify it with the Quality Working Group. And update the schema to match the direction from the QWG.

@mprpic
Copy link
Collaborator Author

mprpic commented Jul 21, 2020

Those 3 names are just reference tags to navigate the schema.
The CVE schema requirements change with the CVE state (PUBLIC, RESERVED, REJECT), If you follow that each of those tags you'll find that they define the content for CVE_data_meta and that they do not create an additional property value. A simplistic interpretation is the value of those properties is substituted the $ref property with their value.
Any JSON produced against this schema should only have the CVE_data_meta property and not the *_public, *_reserved, *_reject reference tags.

Ohhh, that makes more sense now. I somehow missed that the top-level attribute name was CVE_data_meta and not the name of the definition being used.

The REJECT state value, we will verify it with the Quality Working Group. And update the schema to match the direction from the QWG.

Ack! Should I rename this issue to reflect that it tracks the decision of the QWG?

@mprpic mprpic closed this as completed Nov 13, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mprpic @jwhitmore-mitre