original assigner vs. owner

[zmanion]

Copied from CVEProject/automation-working-group#116

On the 2023-01-11 SPWG meeting, during a discussion about bulk download, this came up:

The assigning CNA is recorded in the JSON schema (assignerOrgId), this is effectively the owning CNA at the time of assignment
The owner of a record can change
Ownership and the transaction log are stored somewhere, not explicitly in JSON 5
3.a. Ownership might have been stored in JSON 4 (but I don't readily see where)
JSON 5.0 does not provide explicit "owner" fields
CVE Services, with knowledge of the non-public ownership, can (broken at the moment?) provide a CNA with their currently owned records.

JSON 5 alone, e.g., as a bulk download format, contains neither ownership information nor transaction information.

Regardless of where ownership and transaction information is stored, it should be available publicly.

Related to/partial duplicate of: CVEProject/cve-website#1224

owning_cna can be accessed via Services API:

https://cveawg.mitre.org/api/cve-id/CVE-2020-28367
https://cveawg.mitre.org/api/cve/CVE-2020-28367

[zmanion]

Proposal: Add new ownerCnaId and ownerCnaShortName fields to JSON schema, basically matching assignerOrgId and assignerShortName.

Unless the owner* values are filled out, treat them as equal to assginer*.

Both owner* values must be filled out, which I think is similar to assigner*, and *ShortName should be looked up based on *OrgId.

I think this means that owner MUST be a CNA, is that a problem?

[zmanion]

Proposal 2: Make ownership (and other?) change/transaction logs/history public. Possibly within a CVE record, so there is one self-contained place to look. This should probably be a separate issue.

[zmanion]

Overall, eliminate or minimze the need for separate sources of CVE entry data.

https://cveawg.mitre.org/api/cve-id/CVE-2020-28367

"cve_id":"CVE-2020-28367",
"cve_year":"2020",
"state":"PUBLISHED",
"owning_cna":"Go",
"dateUpdated":"2022-12-28T14:23:56.914Z"

Aside from owning_cna, the rest of this information is available within a CVE record, with the possible exception of cve_year.

If "cve_year" is not just the year part of the CVE ID then we need to discuss.

[jayjacobs]

Related to AWG CVEProject/automation-working-group#133

[jayjacobs]

Currently the cveMetadata has the assignerOrgId and assignerShortName, which are "the organization to which the CVE ID was originally assigned" and the cna.providerMetadata has orgId and shortName which are "The container provider". Presumably the providerMeta and the "owning CNA" would be the exact same thing? Or are these different?

I do think the second proposal "Make ownership (and other?) change/transaction logs/history public." should be separate issue and discussed.