You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The syntax and format of the cpeApplicability block matches that used by the NIST NVD CVE API JSON v2.0 schema (configurations). NOTE: The “matchCriteriaId” property is optional in the CVE Record Format.
IIUC matchCriteriaId is created by the NVD to identify a CPE match statement and is effectively "internal" to the NVD database, I can't see any reason for an external party to generate or use a matchCriteriaId unless that party is operating their own NVD-like database. It may only be confusing to allow matchCriteriaId in CVE data, so consider not allowing it at all.
This doesn't have to hold up the release of 5.1.1 with new CPE support, but if I'm not wrong (and I could be), and if CNAs start submitting matchCriteriaId, we'll be supporting increased confusion.
The text was updated successfully, but these errors were encountered:
From https://github.com/CVEProject/cve-schema/releases/tag/v5.1.1-rc2:
IIUC
matchCriteriaIdis created by the NVD to identify a CPE match statement and is effectively "internal" to the NVD database, I can't see any reason for an external party to generate or use amatchCriteriaIdunless that party is operating their own NVD-like database. It may only be confusing to allowmatchCriteriaIdin CVE data, so consider not allowing it at all.This doesn't have to hold up the release of 5.1.1 with new CPE support, but if I'm not wrong (and I could be), and if CNAs start submitting
matchCriteriaId, we'll be supporting increased confusion.The text was updated successfully, but these errors were encountered: