can JSON 5 record detail show owning_cna, not assignerShortName, at the top? #1224
Labels:
cve-record-page
HIGH-LOE (~1 - 2 weeks LoE)
needs-discussion (Needs more discussion, either with TWG or internally)
When a user visits the JSON 5 record detail display page, their goal might be to contact the responsible CNA to request that a CVE Record be updated. Similarly, they might want to associate the CVE Record information with the current name of a vendor who produces the vulnerable product.
cve-website/src/views/CVERecord/PublishedRecord.vue
Lines 23 to 24 in 6052ad9
and
cve-website/src/views/CVERecord/PublishedRecord.vue
Lines 159 to 161 in 6052ad9
(admittedly, this code is in progress and is almost certainly not intended for public consumption) seem to display the assignerShortName field from a PUBLISHED CVE Record. For a REJECTED CVE Record, assignerShortName is used similarly.
https://github.com/CVEProject/cve-schema/blob/fbf54b99da863b80ea1c721cf2e9f107913b7325/schema/v5.0/CVE_JSON_5.0_schema.json#L380-L382
says "assignerShortName ... The short name for the organization to which the CVE ID was originally assigned" and this would not necessarily help such a user to achieve their goal. The most common situation is that a CNA can request that the Secretariat change that CNA's short name via the PUT /org/{shortname} API. When the Secretariat completes this, none of the assignerShortName fields (of CVE Records belonging to that CNA) are changed. Instead, every assignerShortName field contains the old short name. However, the response to a GET /cve-id/{id} API call contains the new short name in the owning_cna field. In other words, as soon as a CNA is renamed, the GET /cve-id/{id} API immediately starts providing the correct short name value, but the GET /cve/{id} API continues to provide an outdated value indefinitely.

If the user sees an outdated short name on the JSON 5 record detail display page, they do not have a straightforward way to find contact information for the CNA. The https://www.cve.org/PartnerInformation/ListofPartners page is not searchable by previously used short names. This could be changed, but https://github.com/CVEProject/cve-website/blob/dev/src/assets/data/CNAsList.json currently does not store previously used short names in a JSON format. If the user were very familiar with the implementation of the CVE website, then they could go to https://github.com/CVEProject/cve-website/commits/main/src/assets/data/CNAsList.json and search for "Update" but most users would not know that.
To resolve this issue, one approach is to never include an assignerShortName value on the JSON 5 record detail display page. Instead, to build this page (for the PUBLISHED and REJECTED cases), there would be both a GET /cve/{id} API call and a GET /cve-id/{id} API call. The response for the latter would only be used to determine the owning_cna value for the Assigner field (i.e., for the name of the CNA). It is unlikely that a user would specifically need the assignerShortName value for their use case; however, if they did, they would still be able to find it in the full JSON 5 document.
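The two-call approach proposed above, as an added example that is not part of the issue or of the cve-website code: the Assigner value is taken only from owning_cna, and only when the GET /cve-id/{id} response refers to the same CVE ID. The response shapes are constructed, the `cve_id` field and the `getRecord` / `getCveId` callers are assumptions, and leaving the Assigner empty when the second lookup fails is a choice made for this example.

```javascript
// Constructed sample responses (not real data) for a CNA renamed after assignment.
const sampleRecord = {              // shape of GET /cve/{id}
  cveMetadata: {
    cveId: 'CVE-0000-0001',         // placeholder ID
    state: 'PUBLISHED',
    assignerShortName: 'old_name',  // keeps the short name from assignment time
  },
};
const sampleIdRecord = {            // shape of GET /cve-id/{id}
  cve_id: 'CVE-0000-0001',          // assumed field name
  owning_cna: 'new_name',           // follows the CNA's current short name
};

// Pure selection step: assignerShortName is never returned as the Assigner.
function selectAssigner(record, idRecord) {
  const meta = (record && record.cveMetadata) || {};
  // The issue scopes the change to PUBLISHED and REJECTED records.
  const shown = meta.state === 'PUBLISHED' || meta.state === 'REJECTED';
  // Ignore a /cve-id response that does not describe the same CVE ID.
  const matches = Boolean(idRecord) && idRecord.cve_id === meta.cveId;
  const owning =
    matches && typeof idRecord.owning_cna === 'string' && idRecord.owning_cna !== ''
      ? idRecord.owning_cna
      : null;
  return {
    cveId: meta.cveId ?? null,
    assigner: shown ? owning : null,
    // True when the record still carries a short name the CNA no longer uses.
    renamed: shown && owning !== null && owning !== meta.assignerShortName,
  };
}

// getRecord and getCveId are hypothetical async callers for the two endpoints.
async function buildAssignerField(id, getRecord, getCveId) {
  const record = await getRecord(id);
  let idRecord = null;
  try {
    idRecord = await getCveId(id);
  } catch (err) {
    // Lookup failed: leave the Assigner empty instead of showing a stale name.
  }
  return selectAssigner(record, idRecord);
}
```
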