So we have a situation where CVE published an ID after the GSD ID was published, creating a duplicate of ours.
From the gsd-database repo (https://github.com/cloudsecurityalliance/gsd-database):
$ cd 2022/1000xxx/
$ git log GSD-2022-1000006.json
commit be5271f3766a85f01b4a51a88b818ed7fe6d64f2
Author: Josh Bressers <jo...@bress.net>
Date:   Thu Jan 20 21:04:49 2022 -0600

    Fix the namespaces

commit 967ea5c2a6ee70e24c6f17e8d7dad7fec11d9f86
Author: Kurt Seifried <ku...@seifried.org>
Date:   Fri Jan 7 21:20:21 2022 -0800

    Created GSD-2022-1000006.json
=========================
From the cvelist repo (https://github.com/cveproject/cvelist):
$ cd 2021/42xxx/
$ git log CVE-2021-42392.json
commit d03873140ec6356cd51b0109ee1beddb9ec83a08
Author: CVE Team <cve-r...@mitre.org>
Date:   Wed Jan 19 23:01:12 2022 +0000

    "-Synchronized-Data."

commit 6f006cbb55fd521630771af08c52ed4ecbced75e (origin/release/20220112-1700)
Author: CVE Team <cve-r...@mitre.org>
Date:   Wed Jan 12 17:01:06 2022 +0000

    "-Synchronized-Data."

commit 0729feeb33094d4613e11757ad04a29839417ba8 (origin/release/20220107-2300)
Author: CVE Team <cve-r...@mitre.org>
Date:   Fri Jan 7 23:01:05 2022 +0000

    "-Synchronized-Data."

commit 7248e9b9112fe8570909e57e6b80b78d32b3969b (origin/release/20211014-1900)
Author: CVE Team <cve-r...@mitre.org>
Date:   Thu Oct 14 19:00:58 2021 +0000

    "-Synchronized-Data."
=========================
OK, their git commit messages are not so helpful, so I manually checked:
d03873140ec6356cd51b0109ee1beddb9ec83a08 - added a URL to CVE-2021-42392.json
6f006cbb55fd521630771af08c52ed4ecbced75e - added a URL to CVE-2021-42392.json
0729feeb33094d4613e11757ad04a29839417ba8 - basic CVE data added to CVE-2021-42392.json
7248e9b9112fe8570909e57e6b80b78d32b3969b - set to RESERVED state, no info in CVE-2021-42392.json, so this was part of an assignment block; CNAs often reserve big blocks in advance (while I was doing CVEs at Red Hat I often asked for blocks of 500 CVEs at a time).
=========================
So basically what happened is this: I saw a JFrog advisory, added it to GSD because I didn't see it in CVE data, and then 2 hours later CVE published their data (not bad for them, usually they're a few days behind, like the current Samba CVE-2021-44142: I added it to GSD 2 days ago, and CVE still hasn't published any data, e.g. https://www.cve.org/CVERecord?id=CVE-2021-44142, and it's been half a week now).
So what should we do? We have several options as I see it:
1) leave both entries, add a note to each in the GSD data section cross-linking them
2) reject the older GSD-2021-44142 and adopt a simple "first to publish" rule, so GSD-2022-1000006 is the primary
3) reject GSD-2022-1000006 since we can update our data more easily and update GSD-2021-44142 with the missing data from GSD-2022-1000006
4) other options?
Also I'd like to point out that whatever we decide for this case doesn't have to be a hard rule, e.g. we can do this on a case-by-case basis, or adopt a rule for a while and see how it works out. So what do you, the community, think we should do?
Kurt Seifried (He/Him), Chief Blockchain Officer and Director of Special Projects, Cloud Security Alliance
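Option 2 (a "first to publish" rule) depends on ordering commits whose `git log` dates are printed in different local offsets (-0800, -0600, +0000). The following is an added example, not part of the post or of either repository, that parses default-format `git log` output, normalizes every Date to UTC, skips a RESERVED-only stub, and applies the rule; the sample logs are constructed from the excerpts quoted above.

```python
import re
from collections import namedtuple
from datetime import datetime, timezone

# Constructed from the quoted logs: GSD creation commit, CVE RESERVED stub, CVE data commit.
GSD_LOG = """\
commit 967ea5c2a6ee70e24c6f17e8d7dad7fec11d9f86
Author: Kurt Seifried <ku...@seifried.org>
Date:   Fri Jan 7 21:20:21 2022 -0800

    Created GSD-2022-1000006.json
"""
CVE_LOG = """\
commit 0729feeb33094d4613e11757ad04a29839417ba8 (origin/release/20220107-2300)
Author: CVE Team <cve-r...@mitre.org>
Date:   Fri Jan 7 23:01:05 2022 +0000

    "-Synchronized-Data."

commit 7248e9b9112fe8570909e57e6b80b78d32b3969b (origin/release/20211014-1900)
Author: CVE Team <cve-r...@mitre.org>
Date:   Thu Oct 14 19:00:58 2021 +0000

    "-Synchronized-Data."
"""
# The Oct 2021 commit only put the ID in RESERVED state (no data), so it is not a publication.
RESERVED_ONLY = {"7248e9b9112fe8570909e57e6b80b78d32b3969b"}
Commit = namedtuple("Commit", "sha when_utc subject")
COMMIT_RE = re.compile(
    r"^commit (?P<sha>[0-9a-f]{40})[^\n]*\nAuthor: [^\n]*\n"
    r"Date:[ \t]+(?P<date>[^\n]*)\n\n[ \t]+(?P<subject>[^\n]*)",
    re.MULTILINE,
)

def parse_git_log(text):
    """Parse default-format `git log` output, normalizing each Date to UTC."""
    commits = []
    for m in COMMIT_RE.finditer(text):
        when = datetime.strptime(m["date"].strip(), "%a %b %d %H:%M:%S %Y %z")
        commits.append(Commit(m["sha"], when.astimezone(timezone.utc), m["subject"].strip()))
    return commits

def first_publication(text, ignore=frozenset()):
    """Earliest commit that carries real data; placeholder commits in `ignore` are skipped."""
    real = [c for c in parse_git_log(text) if c.sha not in ignore]
    return min(real, key=lambda c: c.when_utc) if real else None

def first_to_publish():
    """Decide 'first to publish' on UTC instants rather than on the wall-clock digits."""
    gsd, cve = first_publication(GSD_LOG), first_publication(CVE_LOG, RESERVED_ONLY)
    return "GSD" if gsd.when_utc <= cve.when_utc else "CVE"
```

Note that the offsets matter here: 21:20 on 7 January at -0800 is 05:20 UTC on 8 January, which is after the 23:01 UTC commit that added the basic CVE data, so on commit timestamps alone the rule picks CVE.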