OPEV: Expansion of the Vulnerability Field #15
Comments
|
I think adding a referencable object with the actual contents as optional may lead to failure to resolve some of these details at consumption time (unable to get object). Although I see the value of using the reference, i worry about the reliability to rely on it solely as a pattern for common use. As of the current state of maturity of cross-referencing objects across standards and the adoption of json LD by these standards, i would be more comfortable if it was not optional to include the vulnerability identifiers within the struct. i.e. the example here wouldn't be possible without the additional resolved information from the original format. This may just be a rewording and a recommendation instead of a change in the struct definition |
|
While not a voting member, I agree with and endorse this update. I think this helps set us up for success as we start to see openvex used more broadly. |
|
@lumjjb so, do you think we should make "vulnerability": {
"name": "CVE-2019-17571"
} |
|
yep - that works!. sorry for the late response, was out sick. |
|
π |
|
Proposal approved and enhancement document has merged π https://github.com/openvex/community/blob/main/enhancements/opev-0015.md |
OPEV # 0015: Expansion of the Vulnerability Field
ποΈ Enhancement Overview
During the development of the initial implementations, there have been issues raised about the need to expand the vulnerability field. While this OPEV only addresses the need to expand the vulnerability field 1) become an object and to
2) to express more names or aliases of a vulnerability, members of the community have pointed to other cases where the vulnerability entry needs to be expanded from an identifier string to a full struct.
π§βπ» Enhancement Proposal Authors
π©βπ§ Sponsoring Maintainers
(not required)
π OpenVEX Projects
π Specs and Documents
Pull Request open: #17
β Enhancement Questions
Does this enhancement propose a change to the OpenVEX project's governance
structure?
NO
Does this enhancement propose a breaking change with the upstream VEX design
established by the VEX Working Group?
NO
π¬ Discussion Start Date:
OPEVs shall be discussed for no longer than 30 days after which the vote tally
will be computed and the proposal will either merge or be rejected.
Start Date: 2023-07-09
π³οΈ Voting Results
Final Enhancement Vote Tally:
Final Enhancement Vote Tally:
π : 3 Votes @lumjjb @wagoodman @puerco (implicit) | non binding: @SecurityCRob
π : 0 Votes
βΉοΈ Voting Instructions:
To vote for this enhancement, maintainers should add a comment with a π emoji
to show support or π to reject the enhancement. After voting is over (usually
after 30 days), votes will be computed by the project's mantainers and
registered in this issue. Refer to GOVERNANCE.md for details
on how many votes are required to approve and when voting ends.
The text was updated successfully, but these errors were encountered: