CVE Services 2.1/CVE JSON 5.0 – Known Issues

ATTENTION: This page has been moved to ARCHIVE STATUS. Please go to the "Current Status" section on the CVE Services page on the CVE.ORG website for the most current information about CVE Services and CVE JSON 5.0.

The CVE Program Automation Upgrade effort reached the “Hard Deploy” milestone for CVE Services/CVE JSON 5.0 adoption on March 29, 2023, with the deployment of the CVE JSON 5.0 Bulk Download Capability. In addition, on April 7, 2023, the MITRE Top-Level Root (MITRE TL-Root) CNA-LR software was updated to address a number of key Known Issues that encumbered continued CVE JSON 4.0 transitional support. With these developments, the official CVE List (i.e., the most complete/accurate list) available for update and download is now the CVE JSON 5.0 list, which can be viewed on the Downloads page on the https://www.cve.org website and downloaded from the cvelistV5 repository on GitHub.com.

With the CVE Services Hard Deploy milestone being met, the issues noted in the “CVE Services 2.1/CVE JSON 5.0 Software Deploy - Prioritized Issues” list have been resolved. This fact is noted in the “Resolved Issues Identified during Soft Deploy” section below. Moving forward through the Hard Deploy phase, issues may still be identified and reported to the Secretariat for remediation.

How to Report an Issue

If you observe anomalous behavior in any of the three workflows listed below, submit your observation to the AWG at awg@cve-cwe-programs.groups.io and we will work to document the issue and get it resolved:

- CVE Services submission workflow (CVE JSON 5.0)
- CVEList GitHub Pilot submissions workflow (CVE JSON 4.0)
- CVE Program Request web forms submissions workflow (CVE JSON 4.0)

Known Issues

Below are known issues for CVE Services 2.1.3/CVE JSON 5.0.
CNAs preparing to transition to CVE Services - Record Submission and Upload Service (RSUS) should review these issues and understand the impact that they may have on their CVE Record management.

CVE Record Retrieval returning over 500 records may return incomplete results

Added: 4/14/2023

When both of the following conditions are present, the results returned may not be complete (i.e., one record may be dropped): (1) a CNA submits a request for a CVE Record lookup that results in over 500 records being returned, AND (2) that CNA owns records that are being updated (either by the CNA or the Secretariat) at the exact instant the retrieval is processing. It is suggested that CNAs who are repeatedly retrieving more than 500 records from CVE Services (using the GET /cve-id endpoint) contact the Secretariat for guidance on how best to implement/use this function in their client.

Soft Deploy Resolved Issues

Issues that have been resolved are included below.

Pagination for large CVE Record Retrieval in CVE Services offering incorrect/incomplete results

(Added: 11/15/2022) Resolved/Deferred: 3/6/2023

In very specific circumstances (i.e., when the Secretariat or CNA is attempting to update a record at the same time that it is being “searched for”) the current CVE Services pagination function (which is invoked when more than 500 records are being retrieved) can produce incorrect data. CNAs should not rely on the responses from the GET /cve-id endpoint when page=2 (or a higher page number) is used.

NOTE: The resolution for this issue addressed most use cases for retrieval of large (i.e., over 500) CVE Records; however, there are some very specific use cases where CVE Record retrievals resulting in over 500 CVE Records being returned will return inconsistent results.
The AWG determined that the probability of these circumstances occurring was so low that this issue should be considered resolved and a new issue established that will be addressed in a future CVE Services release.

“DISPUTED” tag is not supported for CVE JSON 4.0 CVEList GitHub Pilot submissions

(Added: 11/10/2022) Resolved: 4/7/2023

When a CVE JSON 4.0 Record is created with “** DISPUTED **” at the beginning of the description, software at the Secretariat can behave incorrectly, disrupting some aspects of CVE Record publication for *all* CNAs. This issue, coupled with Issue Number 3 above, means that automated submission for DISPUTED records is currently not available. It is recommended that the CVE Program Request web forms (select the “Other” form) be used by CNAs who wish to initially publish a CVE Record as DISPUTED, add a dispute indication to a CVE Record, or change the dispute explanation of a CVE Record.

Conversion of the “Affected” field of CVE JSON 5.0 records to CVE JSON 4.0 does not accurately convert “version ranges”

(Added: 10/26/2022) Resolved: 02/13/2023

IMPORTANT: Please refrain from using version ranges in CVE JSON 5.0 records until a solution is developed. Records requiring a version in the affected field may continue to be submitted in CVE JSON 4.0.

CVE JSON 5.0 “DISPUTED” tag is not supported on CVE JSON 4.0 down conversion for CVE List

(Added: 11/10/2022) Resolved: 4/7/2023

When a CVE JSON 5.0 record is submitted with the “DISPUTED” tag, it will not be propagated to the CVE JSON 4.0 CVE List or the GitHub/bulk download file. This issue, coupled with Issue Number 4 (below), means that automated submissions for DISPUTED records are currently not available.
CVE JSON 5.0 “REJECTED” state only partially supports CVE JSON 4.0 conversion for CVE List

(Added: 10/26/2022) Resolved: 4/7/2023

When a CVE JSON 5.0 record is submitted in the “REJECTED” state, the CVE List will show that the state is “REJECT”, but the description will not contain the “**REJECT**” text.

Some CVE JSON 5.0 CVE Records (submitted through RSUS) are not being down-converted to CVE JSON 4.0

(Added: 11/15/2022) Resolved: 4/7/2023

It has been observed that some JSON 5.0 records are not being down-converted to JSON 4.0. This means the JSON 4.0 repository (maintained as part of the CVEList GitHub Pilot) and the traditional bulk downloadable content located [here](https://www.cve.org/Downloads#legacy-format) may not contain these records. This issue is being researched to better characterize which records are being “skipped” for down convert (and “why”).

Secretariat Service to add references to CVE Records may be degraded

(Added: 10/26/2022) Resolved: 4/7/2023

Secretariat staff may need to manually add references for some CVE Records. Records submitted through the CVEList GitHub Pilot and the CVE Program Request web forms are unaffected.

CVE Record JSON 5.0 Rendering on the cve.org website may present ambiguities

(Added: 11/4/2022) Resolved: 12/8/2022

The cve.org CVE Record Lookup capability may, under certain circumstances, render the record where the “affected version” is ambiguously/erroneously stated. This behavior is observed when the “change” field is used. It is suggested that CNAs not use the “change” field until this issue is addressed.
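
A consumer-side audit for the down-conversion gaps listed above (DISPUTED tag not propagated, REJECTED state without the description marker, records skipped entirely), added here as an example; it is not CVE Program code. The field paths come from the public CVE JSON 5.0 and 4.0 schemas rather than from this page, and the function names and sample records are constructed for illustration.

```python
import re

# Field paths follow the public CVE JSON 5.0 and 4.0 schemas (an assumption;
# the page does not spell them out). Marker spacing is matched loosely.
DISPUTED_RE = re.compile(r"^\*\*\s*DISPUTED\s*\*\*")
REJECT_RE = re.compile(r"^\*\*\s*REJECT\s*\*\*")

def audit_down_conversion(v5, v4):
    """Compare one 5.0 record with its 4.0 counterpart (None if missing)."""
    cve_id = v5["cveMetadata"]["cveId"]
    if v4 is None:
        return [f"{cve_id}: no 4.0 record (skipped by down-conversion)"]
    data = v4.get("description", {}).get("description_data", [])
    desc4 = data[0].get("value", "") if data else ""
    state4 = v4.get("CVE_data_meta", {}).get("STATE")
    tags = v5.get("containers", {}).get("cna", {}).get("tags", [])
    findings = []
    if "disputed" in tags and not DISPUTED_RE.match(desc4):
        findings.append(f"{cve_id}: DISPUTED tag missing from 4.0 description")
    if v5["cveMetadata"]["state"] == "REJECTED":
        if state4 != "REJECT":
            findings.append(f"{cve_id}: 4.0 STATE is {state4!r}, not 'REJECT'")
        if not REJECT_RE.match(desc4):
            findings.append(f"{cve_id}: REJECT marker missing from 4.0 description")
    return findings

def audit_all(pairs):
    """Flatten the findings for every (v5, v4) pair."""
    return [f for v5, v4 in pairs for f in audit_down_conversion(v5, v4)]

def make_v5(cve_id, state, tags=()):
    return {"cveMetadata": {"cveId": cve_id, "state": state},
            "containers": {"cna": {"tags": list(tags)}}}

def make_v4(cve_id, state, text):
    return {"CVE_data_meta": {"ID": cve_id, "STATE": state},
            "description": {"description_data": [{"value": text}]}}

# Constructed sample pairs (placeholder IDs, not real CVE Records).
SAMPLES = [
    (make_v5("CVE-0000-0001", "PUBLISHED", ["disputed"]),
     make_v4("CVE-0000-0001", "PUBLIC", "Example flaw in a product.")),
    (make_v5("CVE-0000-0002", "REJECTED"),
     make_v4("CVE-0000-0002", "REJECT", "Not a security issue.")),
    (make_v5("CVE-0000-0003", "PUBLISHED"), None),
    (make_v5("CVE-0000-0004", "PUBLISHED", ["disputed"]),
     make_v4("CVE-0000-0004", "PUBLIC", "** DISPUTED ** Example flaw.")),
]

if __name__ == "__main__":
    for line in audit_all(SAMPLES):
        print(line)
```
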