container examples incorrectly include providerMetadata #312
Comments
|
If the providerMetadata property is removed from the example, this causes the example to be invalid against the schema since providerMetadata is a required property. If CNAs are creating their CVE Records and validating them using our schema, this would always result in validation errors on their side before submitting to CVE Services. I believe that our only options would be to document that CNAs provide this default value or their actual orgId in providerMetadata, or we could change the schema to NOT require providerMetadata. Seems like the latter option shouldn't matter since CVE Services is automatically adding the needed providerMetadata property and values, but i may be wrong and missing something. |
ccoffin
added
Needs Discussion
|
Discussed in 1/23/2025 QWG. General consensus seems to be that the schema should be considered an input schema for now. If someone wants to use the schema for output purposes, we may want to create a separate output schema at that time. |
cve-schema/schema/docs/cnaContainer-basic-example.json
Lines 3 to 5 in e23bb9e
cve-schema/schema/docs/cnaContainer-rejected-example.json
Lines 3 to 6 in e23bb9e
cve-schema/schema/docs/cnaContainer-advanced-example.json
Lines 3 to 5 in e23bb9e
The providerMetadata property should be deleted from these files because it is not needed when using CVE Services, and introduces a support cost because users do not immediately know whether to send the specific value of
00000000-0000-4000-9000-000000000000or the UUID of their organization (or either or neither), and thus sometimes ask the CVE program for additional help.Similarly, examples should not be inconsistent (
shortNameabove is only in the rejected example, not in the other two).As shown at https://cveawg.mitre.org/api-docs/#/CVE%20Record/cveCnaCreateSingle
The same note also occurs at https://cveawg.mitre.org/api-docs/#/CVE%20Record/cveCnaUpdateSingle and https://cveawg.mitre.org/api-docs/#/CVE%20Record/cveCnaCreateReject and https://cveawg.mitre.org/api-docs/#/CVE%20Record/cveCnaUpdateReject as well.
With this change, CNAs who study the examples will be ready to submit CVE Records as soon as they are able to compose and send a container. They will not need to guess that the
00000000-0000-4000-9000-000000000000value is fine, will not need to make other API calls to look up their organization's UUID, and will not need to think about whether it is appropriate to send data that is documented aswill be overwritten.The text was updated successfully, but these errors were encountered: