This repository has been archived by the owner on Jan 19, 2023. It is now read-only.
I strongly believe that a CVE that has been rejected should NOT be removed from OSS Index... but the system needs to support reflecting that the CVE has been rejected. And that might mean that additions to the API are needed.
Keeping the CVE but providing such status information allows downstream consumers to maintain accurate audit trails... and for their consumers to do the same. I.e., there is an impact on VEX, etc. And this might have regulatory compliance angles (e.g. if/when CRA comes into effect in the European Union).
Basically, it is important that an advisory should not just "poof" from the system.
Oh, and on a side note... OSS Index data should also be able to reflect that a CVE is disputed.
The majority of these have been removed from OSS Index. I have raised an internal ticket on the ones that do not appear to have been dealt with yet.
I have been working on our roadmap for this year, and I do like the suggestion about tracking issues that have been removed from NVD. I am adding the story to our board, though I cannot be certain when this change will happen.
For the record, we are migrating to a new email-based reporting system in order to better mesh with our internal processes, which will allow us to be more reactive to our users.
As such, if you notice further issues or would like to follow up on this one, please email [email protected]
CVE-2022-40154
CVE-2022-40155
CVE-2022-40156
CVE-2022-41852
CVE-2022-40157
CVE-2022-40158
CVE-2022-40161
CVE-2022-41946