- CVE Services Status to release into the Testing Environment (versioning discussion)
- CSV Download Request (Status/scheduled input)
- CVE Services Status to release into the Testing Environment (versioning discussion)
The CVE Services development team reported that they were ready to release the next version of CVE Services into the Testing Enviroment for community review.
After some discussion, the AWG agreed to move forward and release next version of CVE Services into the testing environment.
The discussion focused on a recently reported bug in the CVSS 4.0 specification and the fact that the CVSS v 4.0 specification may change in the near future. In general the AWG response was that given the fact that we are ready to release JSON 5.1 into the Testing Environment AND it remains unclear the nature of the bug or when a fix would be agreed upon it is was decided to move forward with the release as planned. If/when an update to the CVSS 4.0 specification is released, the CVE program can respond accordingly. If the CVE program wishes to wait for a CVSS 4.0 udpate it can make that decision as part of the testing period, prior to the to deployment of 5.1 into PRODUCTION.
- CSV Format Request as part of bulk download (Status/Schedule input)
In the last 4 weeks, there has been a discussion in the community not retire the CSV format on June 30 as previously reported. This topic was introduced when two unrelated downstream users requested this.
The program is currenlty in "data gathering mode" to determine the nature of the use cases and possible solutions to continue to support these types of user. There was a data gathering session last week (with Army representatives) and there is a data gathering session with U.S. Navy representatives on Wednesday, 3/13/2024. The results will be reported to the TWG/Board for discussion as they decided the path forward.
The AWG discussion focused on two angles on this topic:
- general concensus on whether CSV support should be continued or not: There was no general concensus on this however it was noted that if we continue to support CSV the program should make it as "useful" as possible, meaning that the current CSV download would have to be significantly reworked to take advantage of the richness of data that is now available in JSON 5.0.
- Level of Effort for a technical solution: The question was asked "What is the level of effort would be for CSV solution?" The response was that the LOE at this point could not be determined. A very simple (and fast) solution could be created but it is highly likely that it would be not very useful to many downstream users. The most robust solution, will be complex and take significant development effort. There is most likely a "sweet spot" to meet the broadest spectrum of use cases cost in a cost effective manner but defining the requirments will take some time.
*It was decided that the next version of CVE Service will be released this week according to the agreed upon schedule. This will begin the review adoption period for CNAs to adopt JSON 5.1 data format.
[x] The AWG Chair will craft a notice to the CNA community to begin reviewing/testing CVE Services in preparation for the adoption of the JSON 5.1 schema.
Meeting Recordings are available at on the AWG Groups.io platform. To become a member of the AWG (and gain access this platform), send email to AWG@CVE-CWE-Programs.groups.io with a request.