|
|
Tags Container for CVE entries:
Must:
Must specify some origin/name space
Must specify some tag value(s)
Optional:
Optional: can specify a tag version # (this can be a number, version #, date string)
Optional: can specify some language value for tag(s) (default eng?)
Possibile Option:
Possible Optional: can specify a value for the tag (so you can have a key pair store? Do we allow multiple values? Sort of a sub tag? e.g. "license":"GPLv2" which helps gives context)
Please note that tags can occur at multiple places, e.g. globally, within an affects, etc, like the other containers so some degree of access control will take place based on this most likely (e.g. I’m inclined to let Red Hat do whatever tags they want in a Red Hat vendor section vs. Allowing some random person to do so).
Questions for operations:
Do we allow someone to add tags from MITRE’s name space for example, or can only MITRE do that? I think we have to let people use other peoples tags ior we would have a proliferation of tag name spaces that overlap.
Can a namespace (e.g. DWF) declare that anyone can add tags? Do we have a free for all community tag section?