Define how to handle overlapping assignments #47
Comments
Can you clarify this: is this a counting issue (e.g., the same CNA assigned both), a duplicate CVE assignment issue (different CNAs), or something else?
I believe we need to expand the scope of the outcome here, since it is likely that such a problem will be found by a downstream (e.g., NVD, end-user, tool vendor). The identifier of the problem must be able to figure out what to do, who to contact, and what mechanism(s) are to be used for communication. Secondly, the assigning parties need a way to become aware of the issue. And lastly, there needs to be a way to either pick a winner (e.g., first assigner) and deprecate the other, or to create a new CVE record, which will result in the original duplicates being deprecated.
As per Appendix E, the process for resolving duplicates is:
For cases where there is overlap, we can use a similar process to determine which ID will be the winner, and then add language to explain how to reword the descriptions to clarify which covers which vulnerabilities, such as "This CVE ID may overlap...". I suggest we add this additional case to Appendix E. The communication issue @david-waltermire-nist mentioned is something we will address separately, as we discussed in the last Strategic Planning WG meeting and Board meeting.
What @dadinolfi said; also, whoever gets it into the MITRE database first (and thus probably wins the above tests) should be used.
Suggestion: Add a section to Appendix E to cover the special case of partial duplicates (the overlap case). There are cases where two CVE IDs overlap in what software or hardware is affected by the same vulnerabilities. An example of this would be if CVE-2017-nnnn1 references Product1 versions 1.0, 2.0, and 3.0 and CVE-2017-nnnn2 is assigned to the same vulnerability and references Product1 versions 3.0, 4.0, and 5.0. In this situation, use the following process.
Note that the process described above is reserved for cases where the CVE IDs have clearly been assigned to the same vulnerability. If there is insufficient information to decide, the description of the CVE entries may be changed to indicate that they may be the same. For example, a NOTE sentence such as "This may be the same as " or "This may overlap " may be used.
GOAL: Document and standardize CNA processes
CHANGE: Fill the gap in the Process to Correct Counting Issues (Appendix E) of how to handle overlapping assignments. For example, when one CVE ID is assigned to cover parameters a, b, and c and another is assigned to cover parameters b, c, and d.
OUTCOME: CNAs will know how to handle these situations.