CVE Services 2.1 “Soft Deploy” Phase 2, completed on October 25, 2022, comprised the deployment of several components that must work very closely together to implement the new CVE JSON 5.0 capabilities while maintaining the current CVE JSON 4.0 support.

As the CNA community begins using CVE Services to submit and manage CVE Records, if you notice an issue, please report it to the CVE Program Automation Working Group (AWG).

In general, issues that are reported to the CVE Program are recorded and managed on the CVE Program GitHub page. Two development efforts where issues are reported are the CVE Program Website and CVE Services. Feel free to peruse all of the issues that have been raised and are currently being prioritized in the development sprint planning.

There are critical programmatic issues that may be, and have been, defined that each CNA should be aware of as they plan their CVE Services/CVE JSON 5.0 adoption. These issues will affect a significant portion of the CVE community and downstream users of the CVE List. Please review these issues and consider your adoption plan/schedule carefully. As these issues are addressed, they will be removed from this list and the community will be notified.

How to Report an Issue

If you observe anomalous behavior in any of the three workflows listed below, submit your observation to the AWG at awg@cve-cwe-programs.groups.io and we will work to document the issue and get it resolved:

  1. CVE Services submission workflow (CVE JSON 5.0)
  2. CVEList GitHub Pilot submissions workflow (CVE JSON 4.0)
  3. CVE Program Request web forms submissions workflow (CVE JSON 4.0)

Immediate Priority Issues

Below are known issues for CVE Services 2.1/CVE JSON 5.0 Soft Deploy. These issues are being addressed as “high priorities” and solutions are being developed.

CNAs preparing to transition to CVE Services - Record Submission and Upload Service (RSUS) should review these issues and understand the impact that they may have on their CVE Record management.

  1. Some CVE JSON 5.0 CVE Records (submitted through RSUS) are not being down-converted to CVE JSON 4.0
    Added: 11/15/2022
    It has been observed that some JSON 5.0 records are not being down-converted to JSON 4.0. This means the JSON 4.0 repository (maintained as part of the CVEList GitHub Pilot) and the traditional bulk downloadable content may not contain these records. This issue is being researched to better characterize which records are being “skipped” for down-conversion (and why).

  2. Pagination in CVE Services offering incorrect/incomplete results
    Added: 11/15/2022
    The current CVE Services pagination function can produce incorrect data. CNAs should not rely on the responses from the GET /cve-id endpoint when page=2 (or a higher page number) is used. Also, because pagination is used internally in Secretariat operations, the Secretariat will be performing additional analysis, and will make a later announcement about whether any CVE Record data is incomplete within resources maintained by the Secretariat.

  3. CVE JSON 5.0 “REJECTED” state only partially supports CVE JSON 4.0 conversion for CVE List. When a CVE JSON 5.0 record is submitted in the “REJECTED” state, the CVE List will show that the state is “REJECT”, but the description will not contain the “**REJECT**” text.
    Added: 10/26/2022
    If a CNA wishes to submit a CVE JSON 5.0 record and is subsequently required to reject the record, contact the Secretariat for that support using the CVEList GitHub Pilot and the CVE Program Request web forms (select the “Other” form) until the problem is resolved.

  4. CVE JSON 5.0 “DISPUTED” tag is not supported on CVE JSON 4.0 down conversion for CVE List
    Updated: 11/10/2022
    When a CVE JSON 5.0 record is submitted with the “DISPUTED” tag it will not be propagated to the CVE JSON 4.0 CVE List or the GitHub/bulk download file.

    This issue, coupled with Issue Number 5 (below), means that automated submission for DISPUTED records is currently not available.

    It is recommended that the CVE Program Request web forms (select the “Other” form) be used by CNAs who wish to initially publish a CVE Record as DISPUTED, add a dispute indication to a CVE Record, or change the dispute explanation of a CVE Record.

  5. “DISPUTED” tag is not supported for CVE JSON 4.0 CVEList GitHub Pilot submissions
    Added: 11/10/2022
    When a CVE JSON 4.0 Record is created with “**DISPUTED**” at the beginning of the description, software at the Secretariat can behave incorrectly, disrupting some aspects of CVE Record publication for *all* CNAs.

    This issue, coupled with Issue Number 4 above, means that automated submission for DISPUTED records is currently not available.

    It is recommended that the CVE Program Request web forms (select the “Other” form) be used by CNAs who wish to initially publish a CVE Record as DISPUTED, add a dispute indication to a CVE Record, or change the dispute explanation of a CVE Record.

  6. Secretariat Service to add references to CVE Records may be degraded
    Added: 10/26/2022
    Secretariat staff may need to manually add references for some CVE Records. Records submitted through the CVEList GitHub Pilot and the CVE Program Request web forms are unaffected.
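
A CNA can check its own records against Issues 1, 3, and 4 above by comparing each CVE JSON 5.0 record with its down-converted CVE JSON 4.0 counterpart. The Python below is an added example, not CVE Program or Secretariat code; the function names and sample records are constructed for illustration, and the field names (cveMetadata.state, containers.cna.tags, CVE_data_meta.STATE, description.description_data) are assumed from the published CVE JSON 5.0 and 4.0 formats.

```python
import re

# Markers the page quotes as "**REJECT**" / "**DISPUTED**"; spaces inside the
# asterisks are tolerated (assumption about how real descriptions are written).
REJECT_MARK = re.compile(r"\*\*\s*REJECT\s*\*\*")
DISPUTED_MARK = re.compile(r"^\s*\*\*\s*DISPUTED\s*\*\*")

# Constructed sample records (not real CVE data).
SAMPLE_V5 = {
    "cveMetadata": {"cveId": "CVE-2099-0001", "state": "PUBLISHED"},
    "containers": {"cna": {"tags": ["disputed"]}},
}
SAMPLE_V4 = {
    "CVE_data_meta": {"ID": "CVE-2099-0001", "STATE": "PUBLIC"},
    "description": {"description_data": [{"lang": "eng", "value": "Constructed text."}]},
}


def v4_description(v4):
    """Concatenate the description strings of a CVE JSON 4.0 record."""
    items = v4.get("description", {}).get("description_data", [])
    return " ".join(d.get("value", "") for d in items)


def audit_down_conversion(v5, v4):
    """Return the known issues (numbered as in the list above) shown by a
    JSON 5.0 record and its JSON 4.0 counterpart (None if it is missing)."""
    findings = []
    meta = v5.get("cveMetadata", {})
    cna = v5.get("containers", {}).get("cna", {})
    if v4 is None:
        return ["issue 1: no JSON 4.0 counterpart (not down-converted)"]
    v4_meta = v4.get("CVE_data_meta", {})
    if v4_meta.get("ID") != meta.get("cveId"):
        findings.append("ID mismatch between JSON 5.0 and JSON 4.0 records")
    desc = v4_description(v4)
    if meta.get("state") == "REJECTED":
        if v4_meta.get("STATE") != "REJECT" or not REJECT_MARK.search(desc):
            findings.append("issue 3: REJECTED state only partially converted")
    tags = [str(t).lower() for t in cna.get("tags", [])]
    if "disputed" in tags and not DISPUTED_MARK.search(desc):
        findings.append("issue 4: DISPUTED tag not propagated")
    return findings


if __name__ == "__main__":
    print(audit_down_conversion(SAMPLE_V5, SAMPLE_V4))
```

Any non-empty result identifies a record to raise with the Secretariat through the CVE Program Request web forms, as recommended above.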

Resolved Issues

Issues that have been resolved are included below.

  • CVE Record JSON 5.0 Rendering on the cve.org website may present ambiguities
    (Added: 11/4/2022) Resolved: 12/8/2022
    The cve.org CVE Record Lookup capability may, under certain circumstances, render the record so that the “affected version” is ambiguously/erroneously stated. This behavior is observed when the “change” field is used. It is suggested that CNAs not use the “change” field until this issue is addressed.

  • Conversion of the “Affected” field of CVE JSON 5.0 records to CVE JSON 4.0 does not accurately convert “version ranges”
    (Added: 10/26/2022) Resolved: 02/13/2023
    IMPORTANT: Please refrain from using version ranges in CVE JSON 5.0 records until a solution is developed. Records requiring a version in the affected field may continue to be submitted in CVE JSON 4.0.