Move CNA controlled metadata fields to the container level

Jonathan Evans · web-flow · commit 69f0c508193b · 2021-07-22T17:46:09.000-04:00
diff --git a/schema/v5.0/CVE_JSON_5.0.schema b/schema/v5.0/CVE_JSON_5.0.schema
@@ -274,7 +274,7 @@
             "enum": ["5.0"]
         },
         "cveMetadataPublished": {
-            "description": "This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, when it was assigned, the current state (RESERVED, PUBLISHED, or REJECTED) and so on.",
+            "description": "This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, the current state (PUBLISHED, REJECTED, etc.) and so on.  These fields are controlled by the CVE Services.",
             "type": "object",
             "required": [
                 "id",
@@ -311,14 +311,6 @@
                     "$ref": "#/definitions/timestamp",
                     "description": "The date/time this CVE ID was reserved in the CVE automation workgroup services system. Disclaimer: This date reflects when the CVE ID was reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE."
                 },
-                "dateAssigned": {
-                    "$ref": "#/definitions/timestamp",
-                    "description": "The date/time this CVE ID was associated with a vulnerability by a CNA."
-                },
-                "datePublic": {
-                    "$ref": "#/definitions/timestamp",
-                    "description": "if known, the date/time the vulnerability was disclosed publicly."
-                },
                 "datePublished": {
                     "$ref": "#/definitions/timestamp",
                     "description": "The date/time the CVE record was first published in the CVE List."
@@ -327,19 +319,13 @@
                     "description": "State of CVE - PUBLISHED, RESERVED, REJECTED",
                     "type": "string",
                     "enum": ["PUBLISHED"]
-                },
-                "title": {
-                    "type": "string",
-                    "description": "Short title - if the description is long we may want a short title to refer to",
-                    "minLength": 1,
-                    "maxLength": 128
                 }
             },
             "additionalProperties": false
         },
         "cveMetadataReserved": {
             "type": "object",
-            "description": "This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, when it was assigned, the current state (PUBLISHED, REJECTED, etc.) and so on.",
+            "description": "This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, the current state (PUBLISHED, REJECTED, etc.) and so on.  These fields are controlled by the CVE Services.",
             "required": [
                 "id",
                 "state"
@@ -362,10 +348,6 @@
                     "description": "State of CVE - PUBLISHED, RESERVED, REJECTED",
                     "enum": ["RESERVED"]
                 },
-                "datePublic": {
-                    "$ref": "#/definitions/datestamp",
-                    "description": "Anticipated date for public release (YYYY-MM-DD)."
-                },
                 "dateReserved": {
                     "$ref": "#/definitions/timestamp",
                     "description": "The date/time this CVE ID was reserved in the CVE automation workgroup services system. Disclaimer: This date reflects when the CVE ID was reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE."
@@ -375,7 +357,7 @@
         },
         "cveMetadataRejected": {
             "type": "object",
-            "description": "This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, when it was assigned, the current state (RESERVED, PUBLISHED, or REJECTED) and so on.",
+            "description": "This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, the current state (PUBLISHED, REJECTED, etc.) and so on.  These fields are controlled by the CVE Services.",
             "required": [
                 "id",
                 "assigner",
@@ -431,6 +413,20 @@
                 "updated": {
                     "$ref": "#/definitions/timestamp",
                     "description": "Timestamp to be set by the system of record at time of submission. If updated is provided to the system of record it will be replaced by the current timestamp at the time of submission. If a provider has multiple contributions, they shall be consolidated to a final single contribution before submission, or the system of record will reject the input with, Rejected \u2013 simultaneous contributions by a single provider."
+                },
+                "dateAssigned": {
+                    "$ref": "#/definitions/timestamp",
+                    "description": "The date/time this CVE ID was associated with a vulnerability by a CNA."
+                },
+                "datePublic": {
+                    "$ref": "#/definitions/timestamp",
+                    "description": "if known, the date/time the vulnerability was disclosed publicly."
+                },
+                "title": {
+                    "type": "string",
+                    "description": "Short title - if the description is long we may want a short title to refer to",
+                    "minLength": 1,
+                    "maxLength": 128
                 }
             },
             "required": ["id"]
