Cvv #479

@juniorcastro0152-hub

Description

In the CVRF files linked from the https://www.cve.org/Downloads page, a CVE Record can have two date fields, e.g., shown as:


  <Note Ordinal="2" Title="Published" Type="Other">2021-12-01</Note>

  <Note Ordinal="[23]" Title="Modified" Type="Other">2021-12-01</Note>

Internal MITRE source code implements this in the add_vulnerabilities function in the cps/tarball/scripts/cvrf_files.py file.

The CVRF Published field is derived from the populated_date of a CVE Entry object in CPS. It is the date that the CVE Record was first public on the cve.mitre.org website.

The CVRF Modified field is derived from the history data structure of a CVE Entry object in CPS. Specifically, it is the latest (i.e., maximum) of all dates in the history. This is the date that the CVE Record was most recently updated on the cve.mitre.org website.

So, for example, CVE-2021-44228 was updated dozens of times, but the latest was 2022-04-19. Also, CVE-2021-44228 first appeared on the cve.mitre.org website on 2021-12-10. Therefore, the CVRF data has:


<Title>CVE-2021-44228</Title>

...

         <Note Ordinal="2" Title="Published" Type="Other">2021-12-10</Note>

         <Note Ordinal="3" Title="Modified" Type="Other">2022-04-19</Note>

CVE-2014-9734 is an example of a CVE Record that was never modified. The CVRF data has:


<Title>CVE-2014-9734</Title>

...

         <Note Ordinal="2" Title="Published" Type="Other">2015-06-30</Note>

In this type of situation, the missing CVRF "Modified" date should be considered to be the same as the CVRF "Published" date. (It's theoretically possible for the Title="Published" Note to be missing from the CVRF data, but I didn't see any.)

The majority opinion in the QWG meeting today was:

  • in the upconverter output, the cveMetadata.dateUpdated field should be set to the CVRF "Modified" date followed by "T00:00:00"

  • the containers.cna.providerMetadata.dateUpdated field should also be set to this same value

  • the cveMetadata.datePublished field should be set to the CVRF "Published" date followed by "T00:00:00"

Also, for completeness:

  • QWG did not discuss cveMetadata.dateRejected. MITRE may have usable information in some cases but it is not part of the CVRF.

  • QWG did not discuss cveMetadata.dateReserved. MITRE may have usable information in all cases but it is not part of the CVRF. Also, QWG decided weeks ago that cveMetadata.dateReserved won't be part of the initially planned JSON 5.0 rendering on the cve.org website, because cveMetadata.dateReserved is usually of little value to readers of a CVE Record and is often misunderstood.

  • QWG did not discuss containers.cna.dateAssigned. MITRE often does not have usable information for this.

  • QWG did not discuss containers.cna.datePublic. MITRE often does not have usable information for this.

Originally posted by @ElectricNroff in #169
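
The mapping described in the post above, as an added Python example that is not part of the original post or of MITRE's upconverter. The wrapper elements around the quoted `Title`/`Note` lines, the function names, and the choice to omit `datePublished` when the "Published" note is absent are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import date

# Constructed sample: the Title/Note lines quoted in the issue, wrapped in
# assumed <cvrfdoc>/<Vulnerability>/<Notes> containers without a namespace.
SAMPLE_CVRF = """<cvrfdoc>
<Vulnerability><Title>CVE-2021-44228</Title><Notes>
  <Note Ordinal="2" Title="Published" Type="Other">2021-12-10</Note>
  <Note Ordinal="3" Title="Modified" Type="Other">2022-04-19</Note>
</Notes></Vulnerability>
<Vulnerability><Title>CVE-2014-9734</Title><Notes>
  <Note Ordinal="2" Title="Published" Type="Other">2015-06-30</Note>
</Notes></Vulnerability>
</cvrfdoc>"""

def local(tag):
    """Drop a '{namespace}' prefix so namespaced CVRF files match too."""
    return tag.rsplit("}", 1)[-1]

def to_timestamp(day):
    """Validate a YYYY-MM-DD note value, then append T00:00:00."""
    return date.fromisoformat(day.strip()).isoformat() + "T00:00:00"

def cvrf_dates(vuln):
    """Map one Vulnerability element to the JSON 5.0 date fields."""
    notes = {n.get("Title"): n.text for n in vuln.iter()
             if local(n.tag) == "Note" and n.text}
    published = notes.get("Published")
    # Never-modified records carry no "Modified" note: fall back to "Published".
    modified = notes.get("Modified", published)
    if modified is None:
        raise ValueError("record has neither a Published nor a Modified note")
    updated = to_timestamp(modified)
    meta = {"dateUpdated": updated}
    if published is not None:  # assumption: omit the field if the note is absent
        meta["datePublished"] = to_timestamp(published)
    return {"cveMetadata": meta,
            "containers": {"cna": {"providerMetadata": {"dateUpdated": updated}}}}

def convert(xml_text):
    """Return {CVE ID: date fields} for every Vulnerability in the document."""
    out = {}
    for vuln in ET.fromstring(xml_text).iter():
        if local(vuln.tag) == "Vulnerability":
            title = next(e.text for e in vuln if local(e.tag) == "Title")
            out[title] = cvrf_dates(vuln)
    return out
```

`xml.etree.ElementTree` is not hardened against hostile XML, so run this only on the files downloaded from cve.org or swap in a hardened parser.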
