added root cause tags and descriptions to cna and adp tag files
ccoffin committed Aug 14, 2024
1 parent 30f59c7 commit 6b3c524
Showing 2 changed files with 4 additions and 4 deletions.
4 changes: 2 additions & 2 deletions schema/tags/adp-tags.json
Expand Up @@ -2,6 +2,6 @@
"$schema": "http://json-schema.org/draft-07/schema#",
"$id": "https://cve.mitre.org/cve/v5_00/tags/adp/",
"type": "string",
"description": "disputed: When one party disagrees with another party's assertion that a particular issue in software is a vulnerability, a CVE Record assigned to that issue may be tagged as being 'disputed'.",
"enum": ["disputed"]
"description": "disputed: When one party disagrees with another party's assertion that a particular issue in software is a vulnerability, a CVE Record assigned to that issue may be tagged as being 'disputed'.\n\nhardware-root-cause: Tag this to a CVE if the primary root cause of the security vulnerability originated from the hardware component of the affected product(s). The intent is to facilitate Hardware Designers to learn how to prevent similar weaknesses. Even when a hardware vulnerability can be addressed by a software workaround, the hardware-root-cause tag should still be applied, since the focus is on how the issue is introduced, not how it is remediated.\n\nsoftware-root-cause: Tag this to a CVE if the primary root cause of the security vulnerability originated from the software component of the affected product(s). The intent is to facilitate Software Developers to learn how to prevent similar weaknesses.\n\nspecification-root-cause: Tag this to a CVE if the primary root cause of the security vulnerability originated from the industry specification that the affected product(s) comply with. The intent is to facilitate Industry Specification Groups to learn how to prevent similar weaknesses. If the root cause of the CVE is related to inappropriate adoption of an industry standard (e.g., use of an obsolete cryptographic algorithm) or incorrect implementation of an industry standard (e.g., product does not implement the error recovery flow as captured in the protocol specification) in the affected product(s), the appropriate “Hardware Root Cause” or “Software Root Cause” should be applied instead.",
"enum": ["disputed", "hardware-root-cause", "software-root-cause", "specification-root-cause"]
}
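Review bot: the new specification-root-cause text tells the tagger to apply "Hardware Root Cause" or "Software Root Cause" instead, but those names (title case, curly quotes) do not match the enum values the same file defines, `hardware-root-cause` and `software-root-cause`; a tagger searching the description for the exact string to use will not find it, so refer to the tags by their enum literals. Two smaller points on the same string: "primary root cause" implies that exactly one of the three root-cause tags is applied per record, but nothing says so, and an explicit sentence ("apply at most one of hardware-root-cause, software-root-cause and specification-root-cause") would remove the ambiguity; and the phrasing "Tag this to a CVE if ..." / "facilitate Hardware Designers to learn" reads awkwardly next to the existing "disputed" entry, so "Apply this tag to a CVE Record when ..." and "help hardware designers learn how to prevent similar weaknesses" would match the register of the rest of the file.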
4 changes: 2 additions & 2 deletions schema/tags/cna-tags.json
Expand Up @@ -2,6 +2,6 @@
"$schema": "http://json-schema.org/draft-07/schema#",
"$id": "https://cve.mitre.org/cve/v5_00/tags/cna/",
"type": "string",
"description": "exclusively-hosted-service: All known software and/or hardware affected by this CVE Record is known to exist only in the affected hosted service. If the vulnerability affects both hosted and on-prem software and/or hardware, then the tag should not be used.\n\nunsupported-when-assigned: Used by the assigning CNA to indicate that when a request for a CVE assignment was received, the product was already end-of-life (EOL) or a product or specific version was deemed not to be supported by the vendor. This tag should only be applied to a CVE Record when all affected products or version lines referenced in the CVE-Record are EOL.\n\ndisputed: When one party disagrees with another party's assertion that a particular issue in software is a vulnerability, a CVE Record assigned to that issue may be tagged as being 'disputed'.",
"enum": ["unsupported-when-assigned", "exclusively-hosted-service", "disputed"]
"description": "exclusively-hosted-service: All known software and/or hardware affected by this CVE Record is known to exist only in the affected hosted service. If the vulnerability affects both hosted and on-prem software and/or hardware, then the tag should not be used.\n\nunsupported-when-assigned: Used by the assigning CNA to indicate that when a request for a CVE assignment was received, the product was already end-of-life (EOL) or a product or specific version was deemed not to be supported by the vendor. This tag should only be applied to a CVE Record when all affected products or version lines referenced in the CVE-Record are EOL.\n\ndisputed: When one party disagrees with another party's assertion that a particular issue in software is a vulnerability, a CVE Record assigned to that issue may be tagged as being 'disputed'.\n\nhardware-root-cause: Tag this to a CVE if the primary root cause of the security vulnerability originated from the hardware component of the affected product(s). The intent is to facilitate Hardware Designers to learn how to prevent similar weaknesses. Even when a hardware vulnerability can be addressed by a software workaround, the hardware-root-cause tag should still be applied, since the focus is on how the issue is introduced, not how it is remediated.\n\nsoftware-root-cause: Tag this to a CVE if the primary root cause of the security vulnerability originated from the software component of the affected product(s). The intent is to facilitate Software Developers to learn how to prevent similar weaknesses.\n\nspecification-root-cause: Tag this to a CVE if the primary root cause of the security vulnerability originated from the industry specification that the affected product(s) comply with. The intent is to facilitate Industry Specification Groups to learn how to prevent similar weaknesses. 
If the root cause of the CVE is related to inappropriate adoption of an industry standard (e.g., use of an obsolete cryptographic algorithm) or incorrect implementation of an industry standard (e.g., product does not implement the error recovery flow as captured in the protocol specification) in the affected product(s), the appropriate “Hardware Root Cause” or “Software Root Cause” should be applied instead.",
"enum": ["unsupported-when-assigned", "exclusively-hosted-service", "disputed", "hardware-root-cause", "software-root-cause", "specification-root-cause"]
}
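Review bot: the added cna-tags.json description string is broken across two lines between "similar weaknesses. " and "If the root cause of the CVE", whereas the identical passage in adp-tags.json in this same commit stays on one line. If that break is a literal newline in the file rather than rendering wrap, the file is no longer valid JSON, because an unescaped control character is not permitted inside a string literal, and every consumer that loads this schema will fail to parse it; the file header's "2 additions" suggests it may be wrap, but the trailing space before the break is what a raw newline after a sentence would leave behind, so please confirm by running the file through a JSON parser and, if needed, replace the break with the `\n\n` separator the rest of this description already uses. More generally, this change copies the same three long root-cause descriptions verbatim into both tag files, and the two copies already differ in exactly this way; keeping one shared copy of the per-tag descriptions (or a parse-and-compare check in CI) would stop the CNA and ADP definitions from drifting apart.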