Adding a field/container in the CVE record format

[adulau]

What is the process for adding a new field/container to the CVE Record format?

The field we would like to propose is gcveMetadata.

Our main motivation is that the current publication process relies on existing CNA-enabled software, such as Vulnogram. Adding this field would allow seamless integration of GCVE processes with those existing tools and the CNA process.

Further context and discussion can be found in GCVE BCP-05 where we rely in the CVE record format:
https://discourse.ossbase.org/t/gcve-bcp-05-drafting-best-practices-for-the-container-format-modified-cve-record-format/121/11

Copy of the issue at CVEProject/cvelistV5#110

[amanion-cisa]

I'll suggest that we consider handling references to other vulnerability IDs/databases formally and generically, which should support this specific request for GCVE and others.

CVEProject/Board-Discussions#10

Sure, there's an array of public references, but the relationship itself is the important information, a reference (URL) is supporting evidence and convenience.

[zmanion]

This may relate to the Supplier-as-ADP discussion. At a high level, a concise but well-designed relationship object/array in the CVE schema would allow CVE to store and convey knowledge such as:

CVE-1234 is equivalent to GCVE-3-1234-34343

Microsoft Products have status related to CVE-1234

CVE-1234 includes RHSA-4321

In such relationships, when possible, the type of data at the other end could be specified, for example, GCVE uses the CVE Record Format, and Red Hat uses CSAF.

[adulau]

Some more updates in the BCP-05 of GCVE including the proposal for the relationships as discussed during the last meeting.

https://discourse.ossbase.org/t/gcve-bcp-05-drafting-best-practices-for-the-container-format-modified-cve-record-format/121/17?u=adulau

Feel free to comment.

[adulau]

A new version of the GCVE format has been published, including the relationships format using an x_ prefix, following feedback from @zmanion on the reference type:

https://gcve.eu/bcp/gcve-bcp-05/#gcve-container-format-overview

For more details:
https://discourse.ossbase.org/t/gcve-bcp-05-drafting-best-practices-for-the-container-format-modified-cve-record-format/121

The structure is the following:

"x_gcve": {
  "relationships": [
    { "dest_id": "CVE-2025-4444", "type": "equal" },
    { "dest_id": "CVE-2025-4443", "type": "subset" }
  ]
}

If there is a relationship field added later on, we can adapt and keep the x_ entry at the same time.

[adulau]

We recently received interesting feedback from @jgamblin about using ADP instead of the x_ namespace. We looked into the ADP program, but so far CISA is the only authorized data publisher. What would be the process for GCVE to become an ADP publisher and use it as a way to add metadata? Especially if the x_ namespace becomes deprecated.

https://discourse.ossbase.org/t/gcve-bcp-05-drafting-best-practices-for-the-container-format-modified-cve-record-format/121/32

Related to an original question in #325