"Picture in my head/picture in your head" type of stuff...
My interest is in aggregate machine-readability of CVEs (at scale).
I have encountered numerous responses in recent times expressing the belief that if the items discussed in section 5.1 of the CNA rules are provided in the human-readable description field, this satisfies the CNA rules. It would be good if the CNA rules were unambiguous about this.
5.1.1 SHOULD contain sufficient information to uniquely identify the Vulnerability and distinguish it from similar Vulnerabilities.
5.1.3 MUST identify at least one affected Product using information such as Supplier and Product names, versions, and dates.
5.1.4 MUST identify at least one Product as “affected” or “unknown” (with the possibility of being affected).
5.1.5 SHOULD identify Fixed versions of Products.
5.1.7 MUST identify the type of Vulnerability. The CVE record SHOULD use the Common Weakness Enumeration (CWE) to classify the type or cause of the Vulnerability. A CVE Record MAY contain multiple types or causes of the Vulnerability.
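The distinction raised in the issue above, as an added example that is not part of the original issue or of any CVE Program tooling: a check that reports which of the quoted section 5.1 items a record carries in structured fields, as opposed to only in its description text. Field names follow the CVE JSON 5.x record format; the rule-to-field mapping, the placeholder handling and both sample records are assumptions constructed for this example.

```python
# Added example. Field names follow the CVE JSON 5.x record format; the
# mapping from rule items to fields is this example's assumption.
PLACEHOLDERS = {"", "n/a"}  # values treated as "not populated" (assumption)

def is_named(entry):
    """True when an affected[] entry names a real vendor and product."""
    return all(str(entry.get(k, "")).strip().lower() not in PLACEHOLDERS
               for k in ("vendor", "product"))

def structured_coverage(record):
    cna = record.get("containers", {}).get("cna", {})
    named = [a for a in cna.get("affected", []) if is_named(a)]
    statuses, has_fix = set(), False
    for a in named:
        statuses.add(a.get("defaultStatus"))
        for v in a.get("versions", []):
            statuses.add(v.get("status"))
            # Assumption: a fix shows up as an "unaffected" version entry or as
            # the exclusive upper bound (lessThan) of an affected range.
            if v.get("status") == "unaffected" or (
                    v.get("status") == "affected" and v.get("lessThan")):
                has_fix = True
    cwes = [d["cweId"] for p in cna.get("problemTypes", [])
            for d in p.get("descriptions", []) if d.get("cweId")]
    return {"5.1.3": bool(named),
            "5.1.4": bool(statuses & {"affected", "unknown"}),
            "5.1.5": has_fix,
            "5.1.7": bool(cwes)}

def missing(record):
    """Rule items with no structured data in the record."""
    return sorted(k for k, ok in structured_coverage(record).items() if not ok)

# Constructed records: same facts, once in prose only, once in structured fields.
PROSE_ONLY = {"containers": {"cna": {
    "descriptions": [{"lang": "en", "value":
        "Example Product by Example Vendor before 1.2.3 allows SQL injection (CWE-89)."}],
    "affected": [{"vendor": "n/a", "product": "n/a",
                  "versions": [{"version": "n/a", "status": "affected"}]}]}}}
STRUCTURED = {"containers": {"cna": {
    "descriptions": PROSE_ONLY["containers"]["cna"]["descriptions"],
    "affected": [{"vendor": "Example Vendor", "product": "Example Product",
                  "defaultStatus": "unaffected",
                  "versions": [{"version": "0", "lessThan": "1.2.3",
                                "status": "affected", "versionType": "semver"}]}],
    "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE",
                                        "cweId": "CWE-89", "description": "CWE-89"}]}]}}}

print(missing(PROSE_ONLY), missing(STRUCTURED))
```

Both records read the same to a human; only the second one yields anything to a consumer that does not parse the description.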