Description
https://github.com/CVEProject/cve-schema/blob/2aa608b6733cc2730a43901472ef0e706d0ef2b5/schema/v5.0/docs/versions.md says "Because the Git version identifiers cannot be understood without reference to a specific Git repository, this form adds a new repo field containing the URL of the repository" but some CNAs identify the repository in a different way, and have no valid repo field. For example:
- CVE-2023-0045 "repo": "https://git.kernel.org" (This is a website for many repositories, not a specific repo.)
- CVE-2023-0815 "repo": "https://github.com/OpenNMS" (Again, not a specific repo.)
- CVE-2024-22119 "repo": "https://git.zabbix.com/" (Again, not a specific repo.)
- CVE-2023-2163, CVE-2023-3036, CVE-2023-23556, etc.: repo seems to be implied by references
- CVE-2023-4540: repo seems to be implied by references (or collectionURL)
- CVE-2024-0879: repo seems to be implied by references (or collectionURL and packageName)
- CVE-2023-4504: arguably ambiguous because references has URLs associated with two repos
As far as I know, it was not intended that a provider use "versionType":"git" without a directly usable repo value, because this could break automation that, for example, tries to automatically clone the repository in order to determine whether an instance of a product (built from a specific commit) is vulnerable. However, nothing in the versions.md document directly states that a repo field is mandatory in any situation. It would be possible to identify all affected CVE Records (and their CNAs) if the decision is that it can actually be mandatory. It would be approximately 80 CVE Records from 10 CNAs.
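An added lint check (not part of cve-schema or any CNA tooling) that walks a CVE JSON 5.0 record's `containers.cna.affected[]` entries and flags products that use `"versionType": "git"` without a `repo` value that points at a specific repository; the "bare host" / "single path segment" heuristic and the sample records are assumptions constructed for illustration.

```python
"""Flag CVE 5.0 records whose git-typed versions lack a usable `repo` URL.
Added example; record layout follows CVE JSON 5.0 (repo sits on the
affected-product object, versionType on each versions[] entry)."""
from urllib.parse import urlsplit


def classify_repo(repo):
    """Return None if `repo` looks clonable, otherwise a short reason string."""
    if not repo:
        return "missing repo field"
    parts = urlsplit(repo)
    if parts.scheme not in ("http", "https", "git", "ssh"):
        return f"unsupported scheme {parts.scheme!r}"
    segments = [s for s in parts.path.split("/") if s]
    if not segments:  # e.g. https://git.kernel.org: a forge, not a repo
        return "bare host, not a specific repository"
    if len(segments) == 1:  # e.g. https://github.com/OpenNMS: an org/group
        return "single path segment, likely an organization rather than a repo"
    return None  # heuristic assumption: host/owner/name is a specific repo


def lint_record(record):
    """Return [(cveId, product, reason)] for git-versioned products without a usable repo."""
    cve_id = record["cveMetadata"]["cveId"]
    findings = []
    for product in record["containers"]["cna"].get("affected", []):
        if not any(v.get("versionType") == "git" for v in product.get("versions", [])):
            continue
        reason = classify_repo(product.get("repo"))
        if reason:
            findings.append((cve_id, product.get("product", "?"), reason))
    return findings


def _record(cve_id, repo):
    """Build a minimal constructed record (placeholder IDs, not real CVEs)."""
    affected = {"vendor": "example", "product": "widget", "versions": [
        {"version": "0", "status": "affected", "versionType": "git", "lessThan": "abc123"}]}
    if repo is not None:
        affected["repo"] = repo
    return {"dataType": "CVE_RECORD", "dataVersion": "5.0",
            "cveMetadata": {"cveId": cve_id},
            "containers": {"cna": {"affected": [affected]}}}


SAMPLES = [  # constructed, modelled on the patterns the issue describes
    _record("CVE-0000-0001", "https://github.com/example-org/widget"),
    _record("CVE-0000-0002", "https://git.example.org"),
    _record("CVE-0000-0003", "https://github.com/example-org"),
    _record("CVE-0000-0004", None),
]

if __name__ == "__main__":
    for rec in SAMPLES:
        for cve_id, product, reason in lint_record(rec):
            print(f"{cve_id} {product}: {reason}")
```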