source object in the cna container #332
MrSeccubus started this conversation in General
Replies: 2 comments
-
At a minimum, I would suggest "who discovered it" be removed from the field description because it overlaps with the "credits" field which is clearly intended for "finders" among other credits. "who researched it" is also confusing for the same reason, but could be interpreted as "who researched it on the CNA's end", so it could be removed or edited. I've heard that others use this field for "internal" vs "external", but I can't comment on that
-
Under ISOs (i.e. 30111) and under best practices CVD, the term is
'finder'. It is meant primarily for those external to the maintainers /
vendors.
…On Tue, Aug 20, 2024 at 4:25 PM Josh ***@***.***> wrote:
At a minimum, I would suggest "who discovered it" be removed from the
field description because it overlaps with the "credits" field which is
clearly intended for "finders" among other credits. "who researched it" is
also confusing for the same reason, but could be interpreted as "who
researched it on the CNA's end", so it could be removed or edited.
I've heard that others use this field for "internal" vs "external", but I
can't comment on that
-
As per a discussion on CVE-CNA Slack (https://cve-cna.slack.com/archives/C01J6B3TZQ9/p1722882028361409).
The cna container has a property called source.
Looking at the CVE schema, the existence of the object is defined and even mandatory, but the contents are not documented (https://cveproject.github.io/cve-schema/schema/docs/#oneOf_i0_containers_cna_source).
The documentation states that:
As pointed out by Daniel Beck the concept of CNA_chain was abandoned after the 3.0 schema, given this search https://github.com/search?q=repo%3ACVEProject%2Fcve-schema%20CNA_chain&type=code
It looks like this object either needs TLC or should be abandoned.