Move "x_generator" to an official and optional string value "generator" #327

Open
jayjacobs opened this issue Jun 19, 2024 · 5 comments
Labels
enhancement New feature or request Needs Discussion Discuss in a future QWG meeting or on mailing list

Comments

@jayjacobs
Collaborator

I suggest, as a way to standardize this field across different tools and more importantly, json records, that we add the "generator" field as a string into the "cveMetadataPublished" definition, and move away from the experimental field for the same purpose.

This is related to, but independent from #318

To be inserted into the properties of the cveMetadataPublished definition (and not required):

```json
"generator": {
    "type": "string",
    "description": "An identifying string for any software used to generate or maintain this record, e.g. \"Vulnogram 0.2.0\".",
    "minLength": 1,
    "maxLength": 256
},
```

And leave the field as optional.

@jayjacobs jayjacobs added the enhancement New feature or request label Oct 18, 2024
@jayjacobs jayjacobs added the Needs Discussion Discuss in a future QWG meeting or on mailing list label Oct 31, 2024
@ccoffin
Collaborator

ccoffin commented Jan 17, 2025

Probably should make this official in the CVE Record Format. Maybe just define this as stated use what Vulnogram provides today for structure.

@zmanion
Contributor

zmanion commented Mar 6, 2025

Not to overcomplicate things, but do we want a separate field for generator version? Also is "engine" an unnecessarily weird word?

Current:

```json
"x_generator": {
  "engine": "Vulnogram 0.2.0"
}
```

Proposed:

```json
"generator": {
  "name": "Vulnogram",
  "version": "0.2.0"
}
```

@MrMegaZone
Collaborator

> Not to overcomplicate things, but do we want a separate field for generator version? Also is "engine" an unnecessarily weird word?
>
> ```json
> "generator": {
>   "name": "Vulnogram",
>   "version": "0.2.0"
> }
> ```

I do think name & version are better. 'Engine' never really made sense to me.

I'm not sure if it is possible, but I'd say name is optional, and version is optional but is only valid when name is also present. That way we don't get weirdness with just a 'version' being provided and no name.
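
Added example, not part of the thread and not the CVE project's code: a Python check for the `name`/`version` shape proposed above, including the "version is only valid when name is present" rule, plus a conversion from the legacy `x_generator.engine` string. The function names, the reuse of the 1 to 256 length bounds for each field, and the version-splitting heuristic are assumptions made for illustration.

```python
import re

MAX_LEN = 256  # assumption: reuse maxLength from the string proposal in this issue

def validate_generator(gen):
    """Return a list of problems with a proposed {"name", "version"} object."""
    if not isinstance(gen, dict):
        return ["generator must be an object"]
    errors = [f"unexpected key: {k}" for k in gen if k not in ("name", "version")]
    for key in ("name", "version"):
        if key in gen:
            val = gen[key]
            if not isinstance(val, str) or not 1 <= len(val) <= MAX_LEN:
                errors.append(f"{key} must be a string of 1..{MAX_LEN} characters")
    # Rule suggested in the thread: both optional, but version needs name.
    if "version" in gen and "name" not in gen:
        errors.append("version requires name")
    return errors

def migrate_x_generator(container):
    """Convert a legacy x_generator.engine string to the name/version shape.

    Assumption: the version is the final whitespace-separated token and starts
    with a digit (optionally prefixed by "v"); otherwise the whole string is
    kept as the name and no version is emitted.
    """
    xg = container.get("x_generator")
    if not isinstance(xg, dict):
        return None
    engine = xg.get("engine")
    if not isinstance(engine, str) or not engine.strip():
        return None
    engine = engine.strip()
    m = re.fullmatch(r"(.+?)\s+(v?\d[\w.+-]*)", engine)
    if m:
        return {"name": m.group(1), "version": m.group(2)}
    return {"name": engine}

if __name__ == "__main__":
    # Constructed sample inputs, modelled on the snippets quoted in this issue.
    samples = [
        {"x_generator": {"engine": "Vulnogram 0.2.0"}},
        {"x_generator": {"engine": "in-house tool"}},
        {},
    ]
    for s in samples:
        gen = migrate_x_generator(s)
        print(s, "->", gen, validate_generator(gen) if gen is not None else "n/a")
    print(validate_generator({"version": "0.2.0"}))  # version without name
```

In JSON Schema terms the version-needs-name rule corresponds to a dependency between properties (`dependencies` in draft-07, `dependentRequired` in later drafts).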

@mprpic
Contributor

mprpic commented Mar 7, 2025

+1 for separate name and version. That is also how the CSAF specification uses this, see e.g.: https://github.com/oasis-tcs/csaf/blob/bdc1381881beeba2a03a6321f37febc9c5794ec5/csaf_2.0/examples/csaf/rhsa-2022_0011.json#L62-L65

@MrMegaZone
Collaborator

MrMegaZone commented Mar 10, 2025

> +1 for separate name and version. That is also how the CSAF specification uses this, see e.g.: https://github.com/oasis-tcs/csaf/blob/bdc1381881beeba2a03a6321f37febc9c5794ec5/csaf_2.0/examples/csaf/rhsa-2022_0011.json#L62-L65

Interesting - maybe we should borrow a bit from CSAF:

```json
"generator": {
  "date": "2022-03-23T20:31:00Z",
  "engine": {
    "name": "Red Hat SDEngine",
    "version": "3.4.3"
  }
},
```
