diff --git a/README.md b/README.md index 43842625dd96..31c99aa41006 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -> **Note 2024-07-16 on upcoming CVE Program Container launch**: The Secretariat Program Container deployment has been delayed. Check this page in the coming days for details of the new deployment date +> **Note 2024-07-31 CVE Records may now contain a new container called the *CVE Program Container***: This new container provides additional information added by the CVE Program to include Program-added references. Users of this repository may need to process two containers. See below for more information. > **Note 2024-05-08 5:30pm**: CVE REST Services was updated to the CVE Record Format Schema 5.1 on 2024-05-08 at 5:30pm EDT. With this update, a CVE Record in this repository may now be either a 5.0 or a 5.1 formatted record. The format is reflected in the the "dataversion" field. Users of this repository who "validate" CVE records are advised to validate records by using the appropriate version of the schema (i.e, 5.0 or 5.1) as reflected in this field. Users should not determine which schema to use based on the deployment date of the new format (i.e., 2024-05-08 at 5:30pm EDT) as there are inconsistencies in published/updated date values. 
> @@ -10,6 +10,47 @@ This repository hosts downloadable files of CVE Records in the [CVE Record Forma **Legacy Format Downloads No Longer Supported**—All support for the legacy CVE content download formats (i.e., CSV, HTML, XML, and CVRF) ended on June 30, 2024. These legacy download formats, which will no longer be updated and were phased out over the first six months of 2024, have been replaced by this repository as the only supported method for CVE Record downloads. Learn more [here](https://www.cve.org/Media/News/item/blog/2024/07/02/Legacy-CVE-Download-Formats-No-Longer-Supported). +## CVE Record Containers + +CVE Records may now consist of multiple containers: +* A CNA container +* The CVE Program Container +* Optional multiple ADP-specific containers + +### CVE Program Container + +All CVE Program-added references after 7/31/2024 for a CVE Record will be stored in the CVE Program Container of that Record. CNA-provided references will continue to be stored in the CNA Container. + +The CVE Program Container is implemented in an [ADP container format](https://cveproject.github.io/cve-schema/schema/docs/#oneOf_i0_containers_adp) in the CVE Record. + +Specific JSON/CVE Record fields that will be in the CVE Program Container are as follows: +* adp:title field: "**CVE Program Container**" +* adp:providerMetadata:shortName:"**CVE**" +* adp:references field as described [here](https://cveproject.github.io/cve-schema/schema/docs/#oneOf_i0_containers_adp_items_references) + +References in the CVE Program Container maintain the same format as references in a CNA Container. + +The CVE Program container may contain references that have the *x_transferred* tag. References with this tag were read from the CNA container on 7/31/2024. This is a "one time" copy to maintain the "state" of the CNA reference list as of 7/31/2024. CVE Program-added references after this date will not have the *x_transfered" tag. 
+ +In the case of new CVE records created after 7/31/2024, if no Program provided enriched data is added, there will be no CVE Porgram Container associated with the CVE Record. + +#### Implementation Considerations: + +*Required Containers processing:* After 7/31//2024, to retrieve all information about a reported vulnerability in the CVE Repositoyr, tool vendors and community users will need to examine the CVE Record CNA Container and the CVE Program Container (if one exists). These two containers are minimially required to obtain the core information required by the Program. All other ADP constainers remain optional from a Program perspective. + +*Potential for Duplicate References* The possibility of reference duplications is an artifact of having more than one organizatoin providing references in separate locations. Downstream users will have to determine the appropriate way to resovle potential reference duplications between the CNA container and the CVE Program Container. + +### CISA-ADP Container + +The CISA-ADP Container was launched on June 4 to provide value added information for CVE Records going forward, and retroactively to February, 2024. + +The CISA ADP is providing three components to enrich CVE Records: +1. [Stakeholder-Specific vulnerability Categorization (SSVC)](https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc) +1. [Known Exploitable Vulnerabilities (KEV)](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) catalog data +1. 
"Vulnrichment" updates (e.g., missing [CVSS](https://www.first.org/cvss/), [CWE](https://cwe.mitre.org/), [CPE information](https://nvd.nist.gov/products/cpe) for CVE Records that meet specific threat characteristics, and for when CNAs do not provide it themselves) + +Reference the [CISA ADP Process](https://www.cve.org/ProgramOrganization/ADPs) or the [CISA Vulnrichment github site](https://github.com/cisagov/vulnrichment) for a full description of what information is provided and the format in which it is recorded. + ## How to Download the CVE List There are 2 main ways to download CVE Records from this repository:
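Review bot: In the first hunk (the README note at the top), the note dated 2024-07-31 replaces the 2024-07-16 delay notice outright, so the record of the postponement disappears from the page; consider keeping the superseded note below the new one, or pointing to a changelog, so readers who saw the earlier date can reconcile it. Also, the new note writes the date as `2024-07-31` while the body text added in the second hunk uses `7/31/2024`; pick one date format for the README.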
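Review bot: In the second hunk, the tag name is inconsistent: the paragraph on the CVE Program Container first writes `*x_transferred*` and then `*x_transfered"` (one `r`, and an unbalanced `*`/`"`), which will mislead anyone matching on the tag string; use the same spelling as the schema in both places and close the emphasis. The same section has several typos worth fixing before merge: `7/31//2024` (double slash), `Porgram`, `Repositoyr`, `minimially`, `constainers`, `organizatoin`, `resovle`. Minor style points in the field list: `adp:providerMetadata:shortName:"**CVE**"` lacks the `field: ` wording and spacing used by the neighbouring bullets, `Stakeholder-Specific vulnerability Categorization` should match CISA's capitalisation of the SSVC name, and `launched on June 4` should state the year.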