Some CVEs do not have dateReserved or datePublished

[jobselko]

Currently, the cvelistV5 repository contains 516 CVEs with the PUBLISHED state, where 500 do not have both dateReserved and datePublished set, and 16 do not have only dateReserved set (e.g. CVE-2024-37273, CVE-2021-25741).
I know that dateReserved and datePublished fields are not required by CVE JSON record format, but I would expect them to be set when a CVE is published. Also, there is an issue CVEProject/cve-schema#334, which suggests these fields should be required.

Are there plans to include the missing fields in CVEs additionally, or a time estimation of when these fields will be required? Thank you in advance!

[zmanion]

datePublished can be obtained accurately enough from git history and the NVD, this could be done programatically by the Secretariat in the name of data maintenance (or, CNAs, including the MITRE CNA-LR, could be given a timed opportunity to fix).

For example, CVE​-2021-40700 (Adobe) has a bad 4.0 DATE_PUBLIC.

This is noted as an error in the upconvert to 5.0.

CVE-2021​-40700 was reserved on 2021-09-08 and published on 2021-09-27, corroborated by the NVD entry.

[zmanion]

I was surprised to notice this record missing .cveMetadata.DatePublished https://cveawg.mitre.org/api/cve/CVE-2024-35109, possibly published on 2024-08-02.

[jobselko]

Hi @zmanion

I think that obtaining the published date from git history is not always straightforward. A CVE record can be of different versions, so e.g. CVE-2024-35352 seems to be published on 2024-05-30 as its record was created on this date, with the PUBLISHED state already present (NVD mentions the same date). I do not see any other clues on identifying the published date in this case. (This is based on the assumption that only published and rejected CVEs get to this repository since only these options are defined in the schema. Please correct me if there is a way for "reserved only" CVEs to get into this repository as well).

Also, the published date in NVD seems to be derived from the date when a CVE was created in NVD. This means that the date might be distorted when NVD tooling is delayed.

Regarding CVE-2024-35109 you mentioned, NVD surprisingly states that its published date was 2024-05-14, but its record was created on 2024-05-15. 2024-08-02 is the last date when the record was updated in this repository, so it does not look like the published date.

Based on the above, finding the universal solution to this issue is hard. Do you know the proper way to report this so it will get the appropriate attention? Thank you!

EDIT: I will be on vacation next week and reply to new messages once I return.

[zmanion]

This issue is I believe the best way to report. The CVE Project is aware of the probem, the question is what exactly to do about it and where the effort falls in relation to many other priorities.

I agree that using GitHub or NVD is not straightforward or a guarantee of getting the correct dates, but it could still be a choice that is better than leaving the values empty. A CVE working group or the Board will have to decide this.

Should CNAs with missing values be asked/encouraged to fix them?

If the CNAs do not act in time, will the Secretariat fix the dates, even if there is some inaccuracy from GitHub/NVD?

containers[].cna.providerMetadata.dateUpdated is another clue, but this clearly can be later than the original date published.

[zmanion]

The right people are aware and fixing this is in progress. There are two types of error, one is 4.0 -> 5.0 conversion when the 4.0 date format was invalid (multiple CNAs), the other was due to a bug that affected records from the MITRE CNA in ~May/June 2024.

@jobselko hopefully this matches the ~500 records you observed and we'll update this issue when the dates have been fixed.