JSON 5.1 - introduce disputedReasons #140

@ElectricNroff

The CVE website working group wants to have the capability, at some future time, of more structured rendering of JSON 5 records that contain the disputed tag in one or more containers.

For example,

"disputedReasons": {
    "description": "Reasons for disputing this CVE Record.",
    "$ref": "#/definitions/descriptions"
},

With JSON 4 records today, a disputedReasons value is informally found by checking whether the description starts with "** DISPUTED **" and, if so, extracting the substring that begins immediately after the "NOTE: " marker. This is effective only because all disputed records come from a single CNA-LR that happens to follow this convention. A schema change in JSON 5.1 would, ideally, make it unnecessary to teach this convention to other CNA-LRs or CNAs. It might also make the data easier for many consumers to use.

The minimum goal for the CVE website's JSON 5 record detail display is: if the CNA container has the disputed tag, and the CNA container has disputedReasons information, then the website visitor should see some type of visual distinction between the vulnerability description and the reasons for the dispute. This is a goal for several months in the future.

There are several unknowns:

  • at what point does the CVE website also perform special handling of a disputed tag in an ADP container

  • it may or may not be reasonable for disputedReasons to be allowed in any container, regardless of whether a disputed tag is present in that container

  • it might be reasonable to recommend or require disputedReasons in any new JSON 5 record whenever a disputed tag is present, but possibly not for all legacy records

  • it may be untenable for the disputed tag and the disputedReasons field to exist in structurally unrelated parts of the schema (in other words, the best solution may be a larger reorganization of how the schema represents the concept of a dispute)

  • etc.
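
As an added example (not part of the issue and not CVE Program code), the JSON 4 convention described above can be written as a small Python converter that splits a legacy description and emits the fields in the proposed shape. The function names, the placement of disputedReasons beside descriptions in the CNA container, the use of the first "NOTE: " occurrence, and the sample descriptions are assumptions.

```python
DISPUTED_PREFIX = "** DISPUTED **"
NOTE_MARKER = "NOTE: "


def split_disputed(description):
    """Return (vulnerability_text, dispute_reason) for a JSON 4 description.

    dispute_reason is None when the record is not disputed, or when it is
    disputed but carries no "NOTE: " marker to extract a reason from.
    """
    if not description.startswith(DISPUTED_PREFIX):
        return description, None
    body = description[len(DISPUTED_PREFIX):].strip()
    # Assumption: the first "NOTE: " occurrence starts the reason text.
    head, marker, reason = body.partition(NOTE_MARKER)
    if not marker or not reason.strip():
        return body, None
    return head.strip(), reason.strip()


def to_cna_fragment(description, lang="en"):
    """Build CNA-container fields in the shape the issue proposes (hypothetical)."""
    text, reason = split_disputed(description)
    fragment = {"descriptions": [{"lang": lang, "value": text}]}
    if description.startswith(DISPUTED_PREFIX):
        fragment["tags"] = ["disputed"]
    if reason is not None:
        # Same array-of-{lang, value} shape as "descriptions", per the $ref.
        fragment["disputedReasons"] = [{"lang": lang, "value": reason}]
    return fragment


# Constructed sample descriptions (not taken from real CVE Records).
SAMPLES = [
    "** DISPUTED ** Example Product 1.0 allows X via Y. NOTE: the vendor "
    "states that Y requires administrator access.",
    "** DISPUTED ** Example Product 2.0 allows Z.",
    "Example Product 3.0 allows W. NOTE: only 3.0 is affected.",
]

if __name__ == "__main__":
    import json
    for sample in SAMPLES:
        print(json.dumps(to_cna_fragment(sample), indent=2))
```

The second sample shows the gap the issue describes: a disputed record with no "NOTE: " marker yields the tag but no reason, and the third shows that a "NOTE: " in an undisputed record is left alone.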

Labels: Needs Discussion (Discuss in a future QWG meeting or on mailing list), enhancement (New feature or request)
