|
| 1 | +# Creating a CVE Record Validator Package |
| 2 | + |
| 3 | +| Field | Value | |
| 4 | +|:-----------------|:-------| |
| 5 | +| RFD Submitter | Andrew Lilley Brinker | |
| 6 | +| RFD Pull Request | [RFD #0000](https://github.com/CVEProject/cve-schema/pull/1234) | |
| 7 | + |
| 8 | +## Summary |
| 9 | +[summary]: #summary |
| 10 | + |
| 11 | +The CVE Quality Working Group (QWG) should create a JavaScript package that |
| 12 | +provides an API for validating CVE Records. This package would be used within |
| 13 | +CVE Services (the application providing the CVE API to CVE Numbering Authorities |
| 14 | +\[CNAs\] and Authorized Data Publishers \[ADPs\]) and would be published for |
| 15 | +others to use as well. It would perform both the basic validation of CVE Records |
| 16 | +against the CVE Record Format itself, as well as any validation necessary which |
| 17 | +is not expressible using a JSON Schema. |
| 18 | + |
| 19 | +## Problem Statement |
| 20 | +[problem-statement]: #problem-statement |
| 21 | + |
| 22 | +With the introduction of the `packageURL` field for objects within the |
| 23 | +`affected` array, the validity of CVE Records is no longer checkable solely by |
| 24 | +validating records for compliance with the CVE Record Format. The Record Format, |
| 25 | +written as a JSON Schema, is not sufficiently expressive to handle _all_ |
| 26 | +validation cases. In particular, Package URL parsing is sufficiently complicated |
| 27 | +to not be conveniently expressible with JSON Schemas' support for regular |
| 28 | +expressions. |
| 29 | + |
| 30 | +This raises the need for CNAs and ADPs, who submit CVE Records or CVE Record |
| 31 | +fragments to CVE Services for publication, to have some mechanism to validate |
| 32 | +records which applies _all_ of the checks which would be used at submission-time |
| 33 | +by CVE Services. This mechanism must also meet some additional constraints, |
| 34 | +including that it be runnable locally, without transmitting any information to |
| 35 | +an external service. While all CVE Record materials that get published will of |
| 36 | +course become public, some CVE stakeholders demand the ability to validate |
| 37 | +records within their own environments, including ensuring that no proprietary |
| 38 | +information would be published, before sending those records to CVE Services |
| 39 | +for publication. Validation is part of that checking, and so needs to be able |
| 40 | +to be performed locally. |
| 41 | + |
| 42 | +There is also the possibility that future constraints on CVE Records may be |
| 43 | +added which are not expressible, or not conveniently expressible, within the |
| 44 | +JSON Schema. For example, there are currently limited constraints on the |
| 45 | +expression of version ranges in the Record Format, which permits version ranges |
| 46 | +which are nonsensical. While the onus is and will always remain on CNAs to |
| 47 | +publish valid, sensible, high-quality information in their CVE Records, it would |
| 48 | +be useful for CVE Services and for CNAs themselves to be held to a higher |
| 49 | +standard with automated checking that disallows nonsensical version ranges. |
| 50 | + |
| 51 | +If nothing is done to adopt some mechanism for complete validation of CVE |
| 52 | +Records, then stakeholders would continue to rely on the Record Format to |
| 53 | +provide _most_ validation, but would still need to handle the possibility that |
| 54 | +CVE Records which pass Record Format validation would be rejected by CVE |
| 55 | +Services which implements additional checks not expressible in the Record |
| 56 | +Format. |
| 57 | + |
| 58 | +## Proposed Solution |
| 59 | +[proposed-solution]: #proposed-solution |
| 60 | + |
| 61 | +This RFD proposes creating a JavaScript package, to be published on the NPM |
| 62 | +package registry, which implements an API for validating CVE Records and |
| 63 | +CVE Record Fragments, according to the requirements of both the CVE Record |
| 64 | +Format and any additional rules not expressible with the Record Format. |
| 65 | + |
| 66 | +This validation library would be used by CVE Services and by external |
| 67 | +stakeholders such as CNAs. This would be done to ensure that the validation |
| 68 | +performed by CVE Services would not drift apart from the validation logic |
| 69 | +provided to stakeholders. |
| 70 | + |
| 71 | +The versioning of this library would, for clarity and simplicity, be matched |
| 72 | +to the versioning of the CVE Record Format. Whenever new versions of the Record |
| 73 | +Format are published, a new release of the validation library with a matching |
| 74 | +version number would also be published. This would ensure users have a clear |
| 75 | +answer for what version of the validation library to use, as it will always |
| 76 | +be the version that matches the current version of the Record Format used by |
| 77 | +CVE Services. |
| 78 | + |
| 79 | +To indicate that the library is officially maintained and provided by the CVE |
| 80 | +Project through the Quality Working Group, the package name should be scoped |
| 81 | +to an organization name which includes the word "cve" on the NPM package |
| 82 | +registry. The choice of a specific organization name is left unspecified here, |
| 83 | +as it will depend in part on name availability on the registry. |
| 84 | + |
| 85 | +The name of the package would be `cve-record-validator`, which is intended to be |
| 86 | +a clear and unambiguous name which reflects the purpose of the library. Coupled |
| 87 | +with the scope recommended by this RFD, the full package name would be |
| 88 | +`@<org>/cve-record-validator`. If the CVE Project is able to secure the |
| 89 | +organization name `cve` on NPM, then the name could be modified to |
| 90 | +`record-validator`, giving the full name `@cve/record-validator`. |
| 91 | + |
| 92 | +The specifics of what this API would look like are still to be determined. While |
| 93 | +possibilities have been raised of specific libraries in JavaScript which could |
| 94 | +be useful for expressing validation rules, such decisions are premature. Once |
| 95 | +consensus is reached among the QWG on the need to develop this library, the |
| 96 | +next step would be to work with both the Automation Working Group (AWG), which |
| 97 | +owns the development of CVE Services, and with the Community Working Group |
| 98 | +(CWG), which interfaces with and represents the interest of CVE stakeholders, |
| 99 | +to understand the set of requirements which must be met for the API of this |
| 100 | +validation library. |
| 101 | + |
| 102 | +With the creation of this library, two major procedural changes would also need |
| 103 | +to be made. First, the RFD template must be amended to include a requirement |
| 104 | +that new proposals be assessed for any necessary updates to the validator |
| 105 | +library. This will ensure that future improvements to the Record Format have |
| 106 | +their validation rules consistently applied to the validation library. The |
| 107 | +second procedural change would be to update the process of releasing new |
| 108 | +versions of the Record Format to include also releasing a new version of the |
| 109 | +validation library with a matching version number. These releases should |
| 110 | +include a changelog which describes the modifications made since the last |
| 111 | +version. |
| 112 | + |
| 113 | +## Examples |
| 114 | +[examples]: #examples |
| 115 | + |
| 116 | +Not applicable, as this is a procedural and goal-oriented RFD which does not |
| 117 | +describe changes to the Record Format. |
| 118 | + |
| 119 | +## Impact Assessment |
| 120 | +[impact-assessment]: #impact-assessment |
| 121 | + |
| 122 | +The benefits of the creation of a CVE Record validation library include: |
| 123 | + |
| 124 | +- CVE stakeholders, including CNAs and ADPs, having the ability to fully |
| 125 | + validate CVE Records before submitting them to CVE Services, ensuring they |
| 126 | + can have confidence in submissions to CVE Services while keeping potentially |
| 127 | + sensitive data from spilling to CVE Services unintentionally. |
| 128 | +- CVE Services being able to keep its validation logic in sync with the full |
| 129 | + set of rules required by the CVE Record Format, even as validation logic |
| 130 | + exceeds what is expressable with JSON Schemas. |
| 131 | +- The QWG becoming responsible for the maintenance of validation rules, which |
| 132 | + places responsibility for this work on the organization within CVE's structure |
| 133 | + most equipped to understand and implement the rules. |
| 134 | + |
| 135 | +The risks associated with the production of this validation library include: |
| 136 | + |
| 137 | +- The QWG may fail to maintain the library over time. |
| 138 | +- The need to maintain the library adds some additional overhead to the work |
| 139 | + of the QWG, as updates to the schema must be assessed for additional |
| 140 | + validation requirements, and any new requirements must be implemented by the |
| 141 | + QWG prior to shipping the next release of the Record Format. |
| 142 | + |
| 143 | +## Compatibility and Migration |
| 144 | +[compatibility-and-migration]: #compatibility-and-migration |
| 145 | + |
| 146 | +This change does not affect the CVE Record Format, and so does not impact the |
| 147 | +compatibility of the Format itself. |
| 148 | + |
| 149 | +For CVE Services, the introduction of this validation library will require some |
| 150 | +work on their part to replace any existing validation logic with uses of the |
| 151 | +library. |
| 152 | + |
| 153 | +For CVE stakeholders, such as CNAs or ADPs, they would need to transition their |
| 154 | +own existing validation logic which makes use of the Record Format to instead |
| 155 | +use this library. As we've already adopted the introduction of `packageURL`s as |
| 156 | +a field within the objects of the `affected` array, this kind of additional |
| 157 | +validation work is already set to be demanded of these stakeholders, but it |
| 158 | +continues under this proposal. Once such a transition is complete, stakeholders |
| 159 | +could continue to use this validation library, which may then be updated across |
| 160 | +subsequent versions of the Record Format to reflect additional validation rules, |
| 161 | +reducing maintenance burden for stakeholders over time, as they would not need |
| 162 | +to implement additional validation rules themselves, except for any they |
| 163 | +desire to implement beyond those required by CVE Services. |
| 164 | + |
| 165 | +## Success Metrics |
| 166 | +[success-metrics]: #success-metrics |
| 167 | + |
| 168 | +The RFD will be considered to be successful if, six months after the first |
| 169 | +release of the validation package, it is in use by two or more CVE stakeholders, |
| 170 | +as assessed by the Consumer Working Group, and if the validation library is also |
| 171 | +in use and considered valuable and maintainable by the CVE Services team. |
| 172 | + |
| 173 | +If these metrics are not met, the validation package will be discontinued and |
| 174 | +alternatives solicited by the QWG for consideration. |
| 175 | + |
| 176 | +## Supporting Data or Research |
| 177 | +[supporting-data-or-research]: #supporting-data-or-research |
| 178 | + |
| 179 | +The need for this or some alternative solution to the validation problem |
| 180 | +described is inherent in the adoption of the `packageURL` field and the new |
| 181 | +need to perform validation beyond what is expressible in JSON Schema. |
| 182 | + |
| 183 | +## Related Issues or Proposals |
| 184 | +[related-issues-or-proposals]: #related-issues-or-proposals |
| 185 | + |
| 186 | +There are no other open proposals currently available. |
| 187 | + |
| 188 | +One alternative considered was to offer some API on CVE Services which |
| 189 | +_only_ performs validation without publishing. However, this was rejected as |
| 190 | +it would require CVE stakeholders to share CVE Records with CVE Services before |
| 191 | +they are considered ready for publication. While CVE Services could establish |
| 192 | +policies to protect the confidentiality of these pre-publication records, |
| 193 | +such as not logging their contents and not storing them, such an approach would |
| 194 | +be riskier than one which does not involve the transmission of pre-publication |
| 195 | +CVE Records at all. |
| 196 | + |
| 197 | +## Recommended Priority |
| 198 | +[recommended-priority]: #recommended-priority |
| 199 | + |
| 200 | +This has a recommended priority of __High__, as it interacts with the already- |
| 201 | +approved `packageURL` field slated to be published in version 5.2.0 of the |
| 202 | +CVE Record Format. |
| 203 | + |
| 204 | +## Unresolved Questions |
| 205 | +[unresolved-questions]: #unresolved-questions |
| 206 | + |
| 207 | +The design and implementation of the API of this library remains open for |
| 208 | +determination, as do the specific set of requirements which are needed to |
| 209 | +support both CVE Services and external CVE stakeholders. |
| 210 | + |
| 211 | +## Future Possibilities |
| 212 | +[future-possibilities]: #future-possibilities |
| 213 | + |
| 214 | +We anticipate a follow-on RFD which addresses requirements, the design of the |
| 215 | +API, and any salient details about the implementation. |
0 commit comments