So we currently have several defined CVE states, some of which are overloaded (e.g. REJECT), and we potentially also need some new states. We also need to define the JSON format for these states (e.g. for a REJECT that is not a vuln we can't have an impact type), so once we define which states we want, we can define the JSON format(s). First I'd like to confirm that we have a list of all the common states we need, so:

PUBLIC - currently covered by the minimum JSON format

REJECT - currently not covered by JSON format, needs specific sub states?

    CVE-2017-7319,Candidate,"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.","",Assigned (20170329),"None (candidate not yet proposed)"
    CVE-2017-7469,Candidate,"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-7466. Reason: This candidate is a reservation duplicate of CVE-2017-7466. Notes: All CVE users should reference CVE-2017-7466 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.","",Assigned (20170405),"None (candidate not yet proposed)"

    DWF had these states for REJECT’ed CVEs:
        DUPLICATE_OF [CVE]
        SPLIT_TO [list of CVEs]
        MERGED_TO [CVE]
        REJECT (classic, e.g. not a vuln)

RESERVED - currently not covered by JSON format, needs specific sub states?

    CVE-2017-8761,Candidate,"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","",Assigned (20170503),"None (candidate not yet proposed)"

    We would generally want to split:
        RESERVED as part of CNA block, not used yet (do we want to actually list this uniquely?)
        RESERVED as an actual CVE assignment that will become public (most useful for MITRE “Retail” assignments?)
        Other RESERVED states?
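
As an added example (not part of the original post, and not DWF or MITRE code): one way to map the legacy CSV rows quoted above onto the states under discussion, emitting only the fields that make sense for each state. The output field names (`state`, `substate`, `related`) are assumptions, since the post leaves the JSON format undefined, and the last sample row is constructed.

```python
import csv
import io
import re

# First three rows are quoted from the post; the last row is constructed.
SAMPLE_CSV = '''CVE-2017-7319,Candidate,"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.","",Assigned (20170329),"None (candidate not yet proposed)"
CVE-2017-7469,Candidate,"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-7466. Reason: This candidate is a reservation duplicate of CVE-2017-7466. Notes: All CVE users should reference CVE-2017-7466 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.","",Assigned (20170405),"None (candidate not yet proposed)"
CVE-2017-8761,Candidate,"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","",Assigned (20170503),"None (candidate not yet proposed)"
CVE-0000-0001,Candidate,"Constructed description of a published issue.","",Assigned (20170101),"None (candidate not yet proposed)"
'''

MARKER = re.compile(r"^\*\* (REJECT|RESERVED) \*\*")
CONSULT = re.compile(r"ConsultIDs:\s*(.*?)\.\s*Reason:", re.S)
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")

def classify(description):
    """Return (state, substate, related CVE ids) for a legacy description."""
    marker = MARKER.match(description)
    if not marker:
        return "PUBLIC", None, []
    if marker.group(1) == "RESERVED":
        # The legacy text cannot tell "unused CNA block" from "assigned,
        # pending publication", so no RESERVED sub-state is derived.
        return "RESERVED", None, []
    consult = CONSULT.search(description)
    related = CVE_ID.findall(consult.group(1)) if consult else []
    if related and "duplicate of" in description.lower():
        return "REJECT", "DUPLICATE_OF", related
    # SPLIT_TO / MERGED_TO wording is not shown in the post, so anything
    # else falls back to the classic REJECT sub-state.
    return "REJECT", "REJECT", related

def to_record(row):
    """Build a record (hypothetical field names) with only valid fields."""
    state, substate, related = classify(row[2])
    record = {"id": row[0], "state": state}
    if substate:
        record["substate"] = substate
    if related:
        record["related"] = related
    if state == "PUBLIC":
        record["description"] = row[2]  # only PUBLIC carries vuln details
    return record

def convert(text):
    return [to_record(row) for row in csv.reader(io.StringIO(text)) if row]
```

Calling `convert(SAMPLE_CSV)` returns one record per row; the RESERVED row carries no sub-state because the legacy description gives no basis for choosing one.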