cve-services/src/constants/index.js
Line 19 in 7748d46
cve-services/src/model/cve.js
Lines 42 to 45 in 7748d46
This means that CVE Records that are created by the POST /cve/:id/cna or POST /cve/:id/reject endpoint, and not subsequently modified, have dataVersion 5.1, but other CVE Records sent to CVE Services v2.5.0 have dataVersion 5.1.1 (except in the unlikely case that the Secretariat uses the POST /cve/:id or PUT /cve/:id endpoint and explicitly sends a wrong version number).
In particular, any CNA is able to publish a CVE Record that has a containers.cna.cpeApplicability property and also has dataVersion 5.1, which may be problematic for downstream consumers, if they expect that any dataVersion 5.1 document can be validated by using the 5.1.0 schema. For example:
Is it intentional that some CVE Records that include cpeApplicability have dataVersion 5.1.1 but others have dataVersion 5.1?
Is src/constants/index.js correct, or is src/model/cve.js correct? In CVE Services production today, dataVersion is set to 5.1 even though the schema version in the cve-schema repository is 5.1.0:
cve-services/src/constants/index.js
Line 19 in 39eac21
Is the value of dataVersion supposed to include the "patch" version of the schema version number, or is it only supposed to include the "major" version and "minor" version (which has been the case in the past)? Do we expect that 5.1 is correct here?
https://github.com/CVEProject/cve-schema/blob/cc1c0214befc0e2ccfb98c8f4306ec116f65fd34/schema/docs/full-record-advanced-example.json#L3
Or do we expect that 5.1.1 is correct here?
https://github.com/CVEProject/cve-schema/blob/cc1c0214befc0e2ccfb98c8f4306ec116f65fd34/schema/CVE_Record_Format.json#L378
Which part of the CVE Program decides what number is supposed to be placed in the dataVersion property after each new release of the schema, and how is this number communicated to others? @ccoffin
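A downstream consumer can guard against the mismatch this issue describes by choosing the validation schema from what a record contains instead of trusting dataVersion alone. The sketch below is an added example, not code from cve-services or cve-schema; the function names, the constructed sample records, and the assumption that 5.1.1 is the first schema release defining containers.cna.cpeApplicability are assumptions of the example.

```javascript
// Added example, not code from cve-services. Assumption: 5.1.1 is the first
// schema release that defines containers.cna.cpeApplicability.
const CPE_APPLICABILITY_SINCE = '5.1.1';

// Parse "5.1" or "5.1.1" into [major, minor, patch]; "5.1" is padded to 5.1.0.
function parseVersion(v) {
  if (typeof v !== 'string' || !/^\d+\.\d+(\.\d+)?$/.test(v)) return null;
  const parts = v.split('.').map(Number);
  while (parts.length < 3) parts.push(0);
  return parts;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Pick the schema release to validate against and flag records whose
// declared dataVersion is older than the properties they actually carry.
function selectSchema(record) {
  const declared = parseVersion(record && record.dataVersion);
  if (!declared) {
    return { schema: null, mismatch: true, reason: 'missing or malformed dataVersion' };
  }
  const cna = record.containers && record.containers.cna;
  const hasCpe = Boolean(cna) &&
    Object.prototype.hasOwnProperty.call(cna, 'cpeApplicability');
  if (hasCpe && compareVersions(declared, parseVersion(CPE_APPLICABILITY_SINCE)) < 0) {
    return {
      schema: CPE_APPLICABILITY_SINCE,
      mismatch: true,
      reason: `cpeApplicability present but dataVersion is ${record.dataVersion}`,
    };
  }
  return { schema: declared.join('.'), mismatch: false, reason: null };
}

// Constructed sample records (not real CVE data), reduced to the relevant fields.
const samples = [
  { dataVersion: '5.1', containers: { cna: { cpeApplicability: [] } } },
  { dataVersion: '5.1.1', containers: { cna: { cpeApplicability: [] } } },
  { dataVersion: '5.1', containers: { cna: {} } },
  { containers: { cna: {} } },
];

for (const r of samples) console.log(JSON.stringify(selectSchema(r)));
```

Records flagged with mismatch can be logged and validated against the newer schema rather than rejected outright, so ingestion does not silently drop records published through the affected endpoints.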