Description
There is an outdated reference and link in the schema docs for root > oneOf > Published > containers > cna > affected > items > versions. Doc description in question, for versions, emphasis mine:
Set of product versions or version ranges related to the vulnerability. The versions satisfy the CNA Rules 8.1.2 requirement. Versions or defaultStatus may be omitted, but not both.
This link doesn’t work. As far as I could see, 8.1.2 is gone; it last existed in CNA rules v3, with this wording:
8.1.2 MUST contain the affected or fixed version(s).
I’m not sure if this is just best removed, or replaced with a newer reference. I had a look at the last CNA rules, there are 3 points within 5.1 Required CVE Record Content that seem similar-ish:
5.1.3 MUST identify at least one affected Product using information such as Supplier and Product names, versions, and dates.
5.1.5 SHOULD identify Fixed versions of Products.
Hope this helps!