automation-cve-services-faqs.md

File metadata and controls

111 lines (65 loc) · 11.6 KB
Transition FAQs


ATTENTION: This page has been moved to ARCHIVE STATUS. Please go to the CVE Services page on the CVE.ORG website for the most current information about CVE Services and CVE JSON 5.0.



Frequently Asked Questions (FAQs) about the CVE ID Reservation Service, Record Submission and Upload Service, and CVE JSON 5.0 (i.e., [CVE Services 2.1](https://cveproject.github.io/automation-cve-services#services-overview)/[CVE JSON 5.0](https://cveproject.github.io/automation-cve-services#json-overview)) are included below. If you have additional questions, please submit them to the [CVE Program Secretariat](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossarySecretariat) using the [CVE Program Request web forms](https://cveform.mitre.org/) (select the “Other” form).

NOTE: As of March 29, 2023, the CVE Program achieved “hard deploy” of the CVE Services/CVE JSON 5.0/CVE JSON 5.0 Bulk Download automation upgrade. Learn more here.

What are the CVE Services?

CVE Services is a RESTful CVE Program Web application (and its associated processes) that provides a series of Application Program Interfaces (APIs) for CVE Numbering Authorities (CNAs) to reserve CVE IDs and submit/update/reject CVE Records directly to the CVE List without the need for manual processing.

CVE Services includes the following components:

  1. CVE ID Reservation (IDR) service – enables CNAs to directly reserve any number of candidate CVE IDs in sequential or non-sequential order, for CVE ID assignments by the CNA.
  2. CVE Record Submission and Upload Service (RSUS) – enables CNAs to directly populate the details of their CVE Records and upload them for publication to the CVE List.
  3. CNA User Registry – authenticates and manages the users of the services for CNA organizations.

What is the CVE JSON 5.0 format?

CVE JSON 5.0 is the CVE Program’s format/data schema for CVE Records. The CVE Program is currently in a data format transition from the CVE JSON 4.0 Schema to the CVE JSON 5.0 Schema. You can learn more about the CVE JSON 5.0 schema here.

Will the CVE JSON 4.0 format be deprecated? When?

Yes. The CVE Program’s plan is to deprecate the CVE JSON 4.0 format over time. The CVE Board has noted that this transition will be complete by December 31, 2023; however, the specific CVE JSON 4.0 sunset date has not yet been decided. Both formats, CVE JSON 5.0 and CVE JSON 4.0, will be supported until the yet-to-be-determined CVE JSON 4.0 Sunset Date is reached (see Transition Bulletin #9). We will be in a transition period until that time. The goal of the transition period is to provide community stakeholders with ample time to prepare for the transition to CVE JSON 5.0.

What is the “transition period”?

The Transition Period is the timeframe in which both CVE JSON 4.0 and CVE JSON 5.0 are supported by the CVE Program. The transition period started in October 2022 with the deployment of CVE Services 2.1.0. The duration of the transition period has not specifically been decided; however, it is bounded by the CVE Board decision to deprecate the JSON 4.0 CVE List (and its legacy download formats) by December 31, 2023. At this point in the transition period, the JSON 5.0 CVE List is the “official list,” which represents the most complete and up-to-date CVE information. The legacy JSON 4.0 List will continue to be “synced” with this list (along with the legacy download formats) until the end of the transition period, when the JSON 4.0 “synced” list (with its legacy download formats) will be retired. This retirement is expected to happen no earlier than six months after CVE Services “hard deploy” (see What is meant by CVE Services 2.1 “hard deploy”?).

Does RSUS support CVE JSON 4.0 submissions during the transition period?

No, RSUS will not process CVE JSON 4.0 records.

How can CNAs submit CVE Records in CVE JSON 4.0 during the transition period?

At this point in the transition period, CNAs should be submitting CVE Records using one of the available JSON 5.0 clients (see “How can CNAs submit CVE Records in CVE JSON 5.0 format?”). Under very limited circumstances where a CNA must submit a JSON 4.0-format record, it should use the CVE Program Request Form and choose “Other” to ask the Secretariat to submit a JSON 4.0 CVE Record on its behalf.

IMPORTANT: The CVEList GitHub Pilot will be deprecated for CVE Record submissions on June 30, 2023.

How can CNAs submit CVE Records in CVE JSON 5.0 format?

CVE Records in CVE JSON 5.0 format may only be submitted through RSUS/CVE JSON 5.0-compliant clients. See Using CVE Services Clients for a list of currently available clients.

How can I search/view the CVE List in CVE JSON 4.0 format during the transition period?

Searching/viewing CVE Records in CVE JSON 4.0 format will continue to be available at CVE - Search CVE List (cve.mitre.org) during the transition period.

How can I view/download the CVE List in CVE JSON 5.0 format?

The JSON 5.0 CVE List (which is the “official” CVE List as of March 29, 2023) can be viewed and downloaded here. You can also initiate a full JSON 5.0 CVE List download from cve.org. In addition, individual JSON 5.0 records can be viewed through the cve.org Search Capability here.

How can I download the CVE List in CVE JSON 4.0 format during the transition period?

During the transition period, the traditional CVE List download formats will continue to be available here.

During the transition period, will the CVE List in CVE JSON 5.0 format comprise the same vulnerabilities as the CVE List in CVE JSON 4.0 format?

Yes. During the transition period, as both formats are supported, the two lists will be kept in sync so users can view records in either format. Every CVE Record submitted in CVE JSON 5.0 format will be “down converted” to CVE JSON 4.0 format and viewable in that format (although this down conversion may “lag” the original posting to the CVE JSON 5.0 list).

How do I get started with the new RSUS service?

CVE Services functions are accessed through CVE Services clients that are developed by CNAs as part of their vulnerability management infrastructures or by adopting an already existing client that is known to operate with CVE Services. See Using CVE Services Clients for additional information.

Do I have to develop my own CVE Services Client?

No. There are RSUS clients available for use. Some of the clients are available to run through a web browser, while others can easily be integrated into an existing vulnerability management infrastructure. See Using CVE Services Clients for additional information.

If a CNA wishes to develop its own CVE Services client, a publicly available API and test environment are available. See Build Your Own Client for details.

What is meant by CVE Services 2.1 “soft deploy”?

CVE Services 2.1 soft deploy references a deployment of CVE Services (completed at the end of October 2022) which offered the new RSUS interfaces for CNAs to submit/update CVE JSON 5.0 records. This deployment, which ended on March 29, 2023, marked the beginning of the transition from CVE JSON 4.0 to CVE JSON 5.0 format. (See What is the transition period?)

The specific objectives of the soft deploy were two-fold:

  1. To allow CNAs to begin submitting/updating CVE JSON 5.0 records directly to the CVE List.
  2. To allow the CVE Community to identify CVE Services 2.1/CVE JSON 5.0 Soft Deploy - Prioritized Issues that needed to be addressed prior to making CVE Services the primary submission workflow for the CVE Program (i.e., post the transition period).

What is meant by CVE Services 2.1 “hard deploy”?

Where CVE Services 2.1 soft deploy focused heavily on CVE Record submission, i.e., introducing the RSUS/CVE JSON 5.0 submission capability, “hard deploy” focuses more on introducing capability for downstream users (i.e., the ability to view and bulk download the CVE List in CVE JSON 5.0 format). Upon “Hard Deploy” the official, most complete CVE List is the JSON 5.0 List found here. Hard deploy was achieved on March 29, 2023. Learn more here.

Specifically, hard deploy:

  1. Addressed CVE Services 2.1 issues identified during the couple of months of RSUS execution.
  2. Deployed a CVE JSON 5.0 “bulk download” capability that allows downstream users to download the full CVE List in CVE JSON 5.0 format.
  3. Established the official, most complete CVE List to be the CVE JSON 5.0 formatted list.

When did CVE Services 2.1 hard deploy occur?

The CVE Program achieved “hard deploy” of the CVE Services, CVE JSON 5.0, and the CVE JSON 5.0 Bulk Download capability on March 29, 2023. Learn more here.

What is the CVE Services “Test Environment” and how is it accessed?

A CVE Services test environment consisting of a CVE Services test instance and a CVE website test instance is available for partners to test the integration of CVE Services into their existing vulnerability management infrastructures. By using the test environment, which is completely separate from the official CVE Services, CNAs can assign test CVE IDs and publish and edit test CVE Records and view them on the test CVE website with no impact on their official CVE IDs or CVE Records. Partners wishing to develop their own CVE Services clients can also use the test environment to verify that their client is working properly. The test environment provides for unlimited self-training and process testing as organizations prepare to adopt the new CVE Services and the CVE JSON 5.0 record format.

A separate set of “test” credentials is required for access. Learn how to acquire credentials here.