-
Notifications
You must be signed in to change notification settings - Fork 157
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Move Disputed To CVE State #343
Comments
Could you expand on what benefit you would expect to see from this change?
|
The change would be to identify the "State" of a CVE quickly, but it appears that Tags have taken over this instead and have started to be used in the last few weeks. Disputed seemed to be the most common state after Rejected, with a GitHub search showing over 1,000 CVEs containing the string Someone may have made a data change, added disputed to tags, and removed the ** from being displayed on the CVE.org website, but that description is still present in the JSON. |
Is DISPUTED a secondary state? For example, could a CVE be DISPUTED and then additionally either published or rejected? (I think the answer is yes to that?) To your point, maybe we treat disputed (and "unverifiable", etc) as a tag? Also, I think your 1000's of matches are finding it in the X_legacyV4 section of most of the CVEs. The current v5 data only has 9 that match that. |
To me, I pulled all the tag counts (from NVD data), and it was these today which are different from your list?
Here are all the CVEs with Tags in a CSV File. |
Okay, in the cvelistv5 data, there exists the
Would these tags not allow a consumer to identify the CVEs that are disputed? Or are you suggesting that by making it a top level state, that it becomes more apparent because being DISPUTED is very important? |
A CVE can't be both Rejected and Disputed. Disputed seems to be a "limbo" state between the Published and Rejected, but does it feel more important than a normal tag? The Disputed tag would be a time-limited tag in a perfect world until the reporter and software owner agree on the final state of the CVE. At present, if you want to get a full list of "Accepted" CVEs, you have to do a double filtering of removing the |
The CNA tags includes a 'Disputed" label that would make much more sense as a CVE state.
The three states would then be:
As of 9/26 the breakdown of CVE State is:
The text was updated successfully, but these errors were encountered: