The affected array is used within the CVE Record Format to define affected/unaffected/unknown products and versions within a CVE Record. The format is very flexible and allows products and versions (including version ranges) to be defined in many different ways. Because of this flexibility (and complexity), data consumers interpreting the information may have trouble. It may also present challenges when trying to automate and ingest the data into other tools and products.
We don't currently have a lot of detailed guidance or best practices on how to define and use products and versions within the CVE Record Format affected array. We should work to create this, starting with the most common use cases and building over time to cover the more complex or exotic use cases. We may also want to consider including similar information regarding the newer cpeApplicability format in the same document, as these may be used together and, given one of these, users will want to understand how to translate or possibly auto-generate the other.
This topic was raised on the CVE QWG list in the following message in regard to the need for more standardization around how product and version information is provided within CVE Records. One glaring need identified is that the CVE Program lacks sufficient guidance around this topic. There are many examples in the replies that could be used in future guidance.
https://cve-cwe-programs.groups.io/g/qwg/message/138
https://cve-cwe-programs.groups.io/g/qwg/topic/cve_quality_working_group/109432554