
To specify multiple versions, prefer the versions array

Open prabhu opened this issue 9 months ago • 2 comments

💡 Summary

Noticed that the affected object was getting repeated for each version number.

https://github.com/cisagov/vulnrichment/blob/develop/2024/30xxx/CVE-2024-30378.json#L245-L326

{
  "cpe": "cpe:2.3:o:juniper:junos:21.1:-:*:*:*:*:*:*",
  "vendor": "juniper",
  "product": "junos",
  "versions": [
    {
      "status": "affected",
      "version": "21.1"
    }
  ],
  "defaultStatus": "unknown"
},
{
  "cpe": "cpe:2.3:o:juniper:junos:21.2:-:*:*:*:*:*:*",
  "vendor": "juniper",
  "product": "junos",
  "versions": [
    {
      "status": "affected",
      "version": "21.2"
    }
  ],
  "defaultStatus": "unknown"
},

The versions array could be used instead.

Motivation and context

This would reduce the size of the ADP data.

Implementation notes

Example output that utilizes the version array

{
  "cpe": "cpe:2.3:o:juniper:junos:21.1:-:*:*:*:*:*:*",
  "vendor": "juniper",
  "product": "junos",
  "versions": [
    {
      "status": "affected",
      "version": "21.1"
    },
    {
      "status": "affected",
      "version": "21.2"
    },
    {
      "status": "affected",
      "version": "21.3"
    }
  ],
  "defaultStatus": "unknown"
}

This could also be simplified further by using version=21.1 and lessThanOrEqual=22.3.

Acceptance criteria

How do we know when this work is done?

  • [ ] Criterion

prabhu, May 08 '24 19:05
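The two encodings the issue contrasts (one affected entry per version versus one entry carrying a versions array, optionally collapsed to a version/lessThanOrEqual range) can be produced mechanically from the repeated form. The following is an added example, not code from the vulnrichment project or from the issue author. It assumes the CVE JSON 5.x product object fields used here (`vendor`, `product`, `versions`, `defaultStatus`, the plural `cpes` array for holding several CPE strings in one entry, and `versionType`, which the schema requires whenever a range bound such as `lessThanOrEqual` is present); the sample input is constructed to mirror the shape quoted above and is not copied from the CVE record.

```python
import json

# Constructed sample input: one affected entry per version, the shape the
# issue reports (not copied from the CVE-2024-30378 record).
REPEATED_AFFECTED = [
    {
        "cpe": f"cpe:2.3:o:juniper:junos:{v}:-:*:*:*:*:*:*",
        "vendor": "juniper",
        "product": "junos",
        "versions": [{"status": "affected", "version": v}],
        "defaultStatus": "unknown",
    }
    for v in ("21.1", "21.2", "21.3")
]


def _version_key(version):
    """Sort key for dotted versions: numeric parts sort numerically, other parts after them."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in version.split("."))


def merge_affected(affected):
    """Collapse affected entries that differ only in CPE/version into one entry per product.

    Entries are grouped on (vendor, product, defaultStatus). Each group's single
    `cpe` strings (and any existing `cpes` lists) are gathered into one `cpes`
    array, and the per-entry `versions` objects are concatenated with duplicates
    dropped and sorted by version.
    """
    groups = {}
    for entry in affected:
        key = (entry.get("vendor"), entry.get("product"), entry.get("defaultStatus"))
        merged = groups.setdefault(key, {
            "vendor": key[0],
            "product": key[1],
            "cpes": [],
            "versions": [],
            "defaultStatus": key[2],
        })
        cpes = list(entry.get("cpes", []))
        if "cpe" in entry:
            cpes.append(entry["cpe"])
        for cpe in cpes:
            if cpe not in merged["cpes"]:
                merged["cpes"].append(cpe)
        for ver in entry.get("versions", []):
            if ver not in merged["versions"]:
                merged["versions"].append(ver)
    result = []
    for merged in groups.values():
        merged["versions"].sort(key=lambda v: _version_key(v["version"]))
        if not merged["cpes"]:
            del merged["cpes"]  # keep the entry minimal when no CPE was present
        result.append(merged)
    return result


def as_range(versions, version_type="custom"):
    """Collapse single-version objects sharing one status into a version/lessThanOrEqual range.

    Returns the input unchanged if the statuses differ or any object is already a
    range. `versionType` is required by the schema when a bound is given; "custom"
    is an assumed placeholder here, a real record should carry the vendor's type.
    """
    if len(versions) < 2:
        return versions
    statuses = {v.get("status") for v in versions}
    if len(statuses) != 1 or any("lessThan" in v or "lessThanOrEqual" in v for v in versions):
        return versions
    ordered = sorted((v["version"] for v in versions), key=_version_key)
    return [{
        "status": statuses.pop(),
        "version": ordered[0],
        "lessThanOrEqual": ordered[-1],
        "versionType": version_type,
    }]


if __name__ == "__main__":
    merged = merge_affected(REPEATED_AFFECTED)
    print(json.dumps(merged, indent=2))
    print(json.dumps(as_range(merged[0]["versions"]), indent=2))
```

One caveat on the range form: an enumerated versions array asserts only the versions it lists, whereas `version`/`lessThanOrEqual` asserts every version between the bounds, so collapsing to a range is only faithful when the intermediate releases are in fact affected; `as_range` therefore leaves mixed-status or already-ranged lists untouched rather than guessing.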

@prabhu Thank you for the report! We intend to revisit the way the version data is organized and support a more flexible and concise encoding of versions and bounds. Currently we do not have an ETA on this feature but will update this ticket as we make progress towards that goal.

jwoytek-cisa, May 10 '24 19:05

@prabhu we have implemented the versions array on our end. We are still making progress and need to support having multiple CPEs in an affected entry. In your example, one affected entry might have all three of the individually versioned CPEs, along with the array of versions that match. We continue to make progress there. For completeness, I'm going to leave this open for the moment until we support multiple CPEs in a single affected entry.

jwoytek-cisa, May 21 '24 18:05

I believe this is resolved per @jwoytek-cisa's comment above, at least for going forward. There are a few ways to do this correctly, so we'll have to weigh the value of going back and "fixing" the style in this issue for historical ADPs.

todb-cisa, Jun 05 '24 17:06