CVE Records Add New CVE Program Container

By CVE Program

The CVE Program is pleased to announce the addition of a new CVE Program Container within CVE Records. It lets the Program deliver additional information to downstream users more effectively, without changing the CVE Record Format schema used by CVE Program partners. Today’s addition supports providing additional references and Record state information. Over time, the new container will also carry other “value added” Program data that further enriches individual CVE Records.

The CVE Program identifies references to CVE IDs across the Internet and adds them to the corresponding CVE Records as additional information. Previously, the only place to store these references was the CNA container. Placing them there, however, violated a principle established before the JSON data format was first defined: CNA Containers are owned by the entity that reserved and published the CVE ID, and no one else should modify them. Recognizing the value of the additional references, the CVE Board granted an exception to place them in CNA Containers temporarily, until a proper solution could be implemented.

The CVE Program is now rectifying this by deploying a CVE Program Container. Before that could happen, the automation had to support this capability, and over the last few months we have been enhancing and testing it to do just that.

The CVE Program Container is implemented as an ADP container in the CVE Record, as originally intended.

The JSON/CVE Record format values that identify this container are as follows:

  • adp:title field: “CVE Program Container”
  • adp:providerMetadata:shortName field: “CVE”
  • adp:references field as described here

To avoid overwhelming downstream users with a large volume of updated CVE Records, the deployment will occur over a two-week period starting on July 31, 2024. After deployment is complete, each CVE Record in the CVE Repository as of July 31, 2024, will have a CVE Program Container.

The CVE Program is using a two-part process to populate the “CVE Program Container”.

  1. First, the system has been updated to place Program-added references into this new container. Program-added references will no longer be placed in the CNA container.
  2. Second, the existing references previously placed into the CNA container will be copied to the CVE Program Container and marked with an x_transferred tag. This list of references is only a “snapshot in time” and will not be kept “in sync” with the CNA-provided references going forward. The x_transferred tag lets downstream users distinguish references that were “copied over” at deployment from references provided after the deployment date. Future references provided by the CVE Program will not carry this tag.

During the two-week deployment, CNAs can, of course, update their CNA containers at any time to add or correct vulnerability information, or to add references. The CVE Program is not making any types of changes or deletions within any CNA container.

After the two-week deployment, all existing and new CVE Program-added references for a CVE Record will be stored in the CVE Program Container of that Record. In the case of new CVE Records created after this initial deployment, if no Program-provided data is added (e.g., no additional references, other Program metadata or Record state information), there will be no CVE Program Container associated with the CVE Record.

Upon deployment completion, the CNAs will be notified and permitted to remove unnecessary references from their CNA Containers while being sure to retain at least one Public Reference, as required by the CVE CNA Rules.

This milestone positions us to complete the foundation of a CVE Record, which now consists of:

  • CNA Container
  • CVE Program Container
  • Optional third-party ADP-specific containers

While we anticipate adding more ADPs and their associated containers in the future, we do not expect to introduce additional container types at this time.

Implementation Considerations:

Required container processing: Going forward, tool vendors and community users must construct a CVE Record from at least the CNA Container and, when one exists, the CVE Program Container. Those two containers are mandatory. All other ADP containers remain optional from a Program perspective.

Parsing the CVE Program Container: References in the CVE Program Container maintain the same format and properties as in the CVE Record’s CNA container (see ADP references definition / description here).

Potential for Duplicate References: Reference duplication is an artifact of more than one organization providing references in separate locations. On the deployment date, a copy of all CNA-provided references will be made in the CVE Program Container, and each copied reference will be tagged x_transferred. Because that snapshot is not kept in sync with the CNA container afterwards, the tag identifies only deployment-time copies; comparing reference URLs across both containers is the practical way to detect duplicates. In the end, downstream users will have to determine the appropriate way to resolve potential reference duplication between the CNA Container and the CVE Program Container for their use.
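The two-part population process and the three implementation considerations above translate into a small amount of downstream parsing logic. The following is an added example written for this page, not code from the CVE Program or its automation. It assumes the CVE JSON 5.1 record layout (containers.cna and containers.adp[]) and the field values given above for the Program container (providerMetadata.shortName of "CVE"); the sample record, its URLs, its reference tags and the placeholder CVE ID are constructed, and the URL normalization used for duplicate detection is this example's own heuristic.

```python
"""Downstream handling of a CVE Record that carries a CVE Program Container.

Added example, not CVE Program code. Assumes CVE JSON 5.1 layout
(containers.cna, containers.adp[]) and identifies the Program container by
providerMetadata.shortName == "CVE". The sample record below is constructed.
"""
from urllib.parse import urlsplit

PROGRAM_SHORTNAME = "CVE"          # providerMetadata.shortName of the CVE Program Container
TRANSFERRED_TAG = "x_transferred"  # marks references copied from the CNA container at deployment

SAMPLE_RECORD = {  # constructed sample; CVE-0000-0000 is a placeholder, not a real CVE ID
    "dataType": "CVE_RECORD",
    "dataVersion": "5.1",
    "cveMetadata": {"cveId": "CVE-0000-0000", "state": "PUBLISHED"},
    "containers": {
        "cna": {
            "providerMetadata": {"shortName": "example-cna"},
            "references": [
                {"url": "https://vendor.example/advisory/123", "tags": ["vendor-advisory"]},
                {"url": "https://tracker.example/issue/42", "tags": ["issue-tracking"]},
            ],
        },
        "adp": [
            {
                "title": "CVE Program Container",
                "providerMetadata": {"shortName": "CVE"},
                "references": [
                    # snapshot copies of the CNA references made at deployment
                    {"url": "https://vendor.example/advisory/123", "tags": ["vendor-advisory", "x_transferred"]},
                    {"url": "https://tracker.example/issue/42/", "tags": ["x_transferred"]},
                    # reference the Program added after deployment: no x_transferred tag
                    {"url": "https://lists.example/oss-sec/2024/q3/1", "tags": ["mailing-list"]},
                ],
            },
            {   # an optional third-party ADP container (constructed); not merged by this example
                "title": "Other ADP",
                "providerMetadata": {"shortName": "other-adp"},
                "references": [{"url": "https://other.example/enrichment/1"}],
            },
        ],
    },
}


def find_program_container(record):
    """Return the CVE Program Container, or None when the Program has added no data."""
    for adp in record.get("containers", {}).get("adp", []):
        if adp.get("providerMetadata", {}).get("shortName") == PROGRAM_SHORTNAME:
            return adp
    return None


def required_containers(record):
    """The containers a consumer must process: the CNA container (always) and
    the CVE Program Container (whenever one exists)."""
    cna = record.get("containers", {}).get("cna")
    if cna is None:
        raise ValueError("CVE Record has no CNA container")
    return cna, find_program_container(record)


def normalize_url(url):
    """Canonical key for duplicate detection: case-fold scheme and host, drop a trailing slash."""
    p = urlsplit(url.strip())
    path = p.path.rstrip("/") or "/"
    return f"{p.scheme.lower()}://{p.netloc.lower()}{path}" + (f"?{p.query}" if p.query else "")


def merge_references(record):
    """Merge CNA and Program references into one dict keyed by normalized URL.

    Each entry records which containers supplied it ('cna', 'program'), the union
    of tags other than x_transferred, whether the Program copy was a deployment
    snapshot, and 'snapshot_only': a transferred copy the CNA has since dropped.
    """
    cna, program = required_containers(record)
    merged = {}

    def absorb(refs, source):
        for ref in refs:
            if not ref.get("url"):
                continue  # url is required by the schema; skip rather than crash on bad data
            entry = merged.setdefault(normalize_url(ref["url"]),
                                      {"url": ref["url"], "sources": [], "tags": set(), "transferred": False})
            entry["sources"].append(source)
            tags = set(ref.get("tags", []))
            if TRANSFERRED_TAG in tags:
                entry["transferred"] = True
                tags.discard(TRANSFERRED_TAG)
            entry["tags"] |= tags

    absorb(cna.get("references", []), "cna")
    if program is not None:
        absorb(program.get("references", []), "program")

    for entry in merged.values():
        entry["tags"] = sorted(entry["tags"])
        entry["snapshot_only"] = entry["transferred"] and "cna" not in entry["sources"]
    return merged


def cna_keeps_public_reference(cna):
    """CNA Rules: after pruning duplicates the CNA container must still hold a reference."""
    return any(r.get("url") for r in cna.get("references", []))


if __name__ == "__main__":
    for key, entry in merge_references(SAMPLE_RECORD).items():
        print(key, entry["sources"], entry["tags"], "transferred" if entry["transferred"] else "")
```

Matching on normalized URL rather than on the x_transferred tag is deliberate: the tag only marks deployment-time copies, so a reference the CNA adds later and the Program also discovers would otherwise show up twice. A CNA that prunes its own container after deployment can run cna_keeps_public_reference on the result to confirm it still satisfies the CNA Rules.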