Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Extending CVE with additional information not validating the CVE schema #325

Open
adulau opened this issue Jun 19, 2024 · 1 comment
Open

Extending CVE with additional information not validating the CVE schema #325

adulau opened this issue Jun 19, 2024 · 1 comment

Comments

@adulau
Copy link

adulau commented Jun 19, 2024

We are currently developing vulnerability-lookup where the organisation operating an instance can extend a CVE with comments or additional information. We were wondering what would be the best option to add such extended meta-data in a CVE, we looked into adp but it seems bound to the fields defined in the schema. What would be the best option? We don't want to create a new external format to encapsulate the CVE entries too. We assume someone has already addressed this issue and are seeking the best strategy.
@zmanion
Copy link
Contributor

zmanion commented Aug 9, 2024

Within the constraints that there are only two ADPs right now, and the guidance for additional ADPs is still being developed, it is possible for an ADP to provide data that is not inherently supported by the CNA container. For example, the CISA ADP provides SSVC and KEV using custom schema.

It is expected that an ADP using custom data/schema would need to provide the schema defintion and documenation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@adulau @zmanion