CVE 5.2.0-rc1 schema prevents the use of experimental "x_...." properties in the affected arrayΒ #463
Description
Problem:
The CVE 5.X Schema currently does not support a dedicated field for content related to software editions. While the value of this information can be debated, organizations currently place edition related information within existing fields (usually product, version, lessThan, lessThanOrEqual, changes[*].at) causing bloat, inconsistency and additional downstream parsing needs.
I recently created an issue in my own project to track proposed guidance for CNAs to assist in reducing the downstream parsing needs related to platform identification automation.
While there are legitimate reasons to include the additionalProperties: false schema check in the affected array, doing so also prevents the use of experimental fields. As such, the only legitimate path for providing non-sanctioned data through the CVE Program is to have new properties included in a future revision (which historically has been a slow, onerous and non-guaranteed process).