The syntax and format of the cpeApplicability block matches that used by the NIST NVD CVE API JSON v2.0 schema (configurations). NOTE: The “matchCriteriaId” property is optional in the CVE Record Format.
IIUC matchCriteriaId is created by the NVD to identify a CPE match statement and is effectively "internal" to the NVD database. I can't see any reason for an external party to generate or use a matchCriteriaId unless that party is operating their own NVD-like database. It may only be confusing to allow matchCriteriaId in CVE data, so consider not allowing it at all.
This doesn't have to hold up the release of 5.1.1 with new CPE support, but if I'm not wrong (and I could be), and if CNAs start submitting matchCriteriaId, we'll be supporting increased confusion.
Discussed in 10/31/2024 QWG. Allowing this would be very convenient for CNAs who want to synchronize their local cpeApplicability blocks to NVD. Will coordinate with NVD to see if this can be synchronized in some way.
From https://github.com/CVEProject/cve-schema/releases/tag/v5.1.1-rc2: