
add instructions for rejecting published CVEs #84

Closed
raboof opened this issue Jun 21, 2024 · 2 comments · Fixed by #85

Comments

@raboof
Contributor

raboof commented Jun 21, 2024

Currently,

$ cve reject CVE-2024-31861
ERROR: 403 Client Error: Forbidden for url: https://cveawg.mitre.org/api/cve-id/CVE-2024-31861?state=REJECTED
DETAILS: {'error': 'CANNOT_CHANGE_CVE_ID_WITH_RECORD', 'message': 'A record was found for CVE-2024-31861. A CVE ID cannot be changed once a record exists for it. Instead, it changes according to the record.'}

It might be nice to recognize this error and instruct the user to use cve reject CVE-2024-31861 -f rejection-body.json

@mprpic
Member

mprpic commented Jun 21, 2024

@raboof What would you expect the output to be instead of the current backend error message? Note that this condition is mentioned in cve reject -h:

...A published CVE can only be rejected with an accompanying record...

I would almost argue that the error message from CVE Services should simply be improved to note that a published CVE record can only be rejected by providing a reject record since Instead, it changes according to the record. sounds a bit ambiguous.

@raboof
Contributor Author

raboof commented Jun 24, 2024

> @raboof What would you expect the output to be instead of the current backend error message? Note that this condition is mentioned in cve reject -h:
>
> ...A published CVE can only be rejected with an accompanying record...

Ah, that documentation is indeed pretty great, but I totally missed it ;).

> I would almost argue that the error message from CVE Services should simply be improved to note that a published CVE record can only be rejected by providing a reject record since Instead, it changes according to the record. sounds a bit ambiguous.

As a data point, what I did after encountering this error was:

  • searching the web for 'CANNOT_CHANGE_CVE_ID_WITH_RECORD' (no results)
  • checking https://www.cve.org/ResourcesSupport/AllResources/CNARules to double-check it is actually allowed to reject a CVE once published (yep, it was)
  • checking an older rejected CVE, trying to publish that with cve publish (IIRC got a hard-to-read schema validation error)
  • finally finding cve reject -f

Perhaps it would be neat to end the error reporting with a generic "See cve <command> -h ", like #85?
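As an added illustration of the two suggestions in this thread (recognising the CANNOT_CHANGE_CVE_ID_WITH_RECORD error and pointing the user at cve reject -f, and ending every error report with a generic "See cve <command> -h"), here is example code that is not part of cvelib or of this issue. The error-code-to-hint table, the function names and the printed wording are assumptions of this example; the only page-derived values are the error code, the CVE ID and the DETAILS text quoted above, which is embedded here as a constructed sample.

```python
import ast
import json

# Constructed sample: the DETAILS line quoted in the issue, exactly as the tool
# printed it (a Python dict repr with single quotes, i.e. not valid JSON).
SAMPLE_DETAILS = (
    "{'error': 'CANNOT_CHANGE_CVE_ID_WITH_RECORD', 'message': 'A record was found "
    "for CVE-2024-31861. A CVE ID cannot be changed once a record exists for it. "
    "Instead, it changes according to the record.'}"
)

# Hypothetical hint table (an assumption of this example, not cvelib's code).
# The error code is the one from the issue; the hint wording is ours.
ERROR_HINTS = {
    "CANNOT_CHANGE_CVE_ID_WITH_RECORD": (
        "{cve_id} already has a published record. A published CVE can only be "
        "rejected with an accompanying reject record, e.g.: "
        "cve reject {cve_id} -f rejection-body.json"
    ),
}


def parse_details(text):
    """Parse an error body into a dict.

    CVE Services answers with JSON, but the CLI output in the issue shows a
    Python dict repr, so both forms are accepted. Only literal parsing is used
    (json.loads / ast.literal_eval, never eval). Returns None if neither fits.
    """
    for parser in (json.loads, ast.literal_eval):
        try:
            value = parser(text)
        except (ValueError, SyntaxError):
            continue
        if isinstance(value, dict):
            return value
    return None


def explain_error(command, cve_id, status, details_text):
    """Build the user-facing lines for a failed `cve <command>` call.

    A specific hint is added when the backend error code is known, and every
    report ends with the generic pointer to `cve <command> -h` proposed in the
    thread, so the user always has a next step even for unknown codes.
    """
    lines = [f"ERROR: {status} while running cve {command} {cve_id}"]
    details = parse_details(details_text)
    code = details.get("error") if details else None
    # Fall back to the raw text when the body could not be parsed at all.
    message = details.get("message") if details else details_text
    if message:
        lines.append(f"DETAILS: {message}")
    hint = ERROR_HINTS.get(code)
    if hint:
        lines.append("HINT: " + hint.format(cve_id=cve_id))
    lines.append(f"See `cve {command} -h` for the command's documentation.")
    return lines


if __name__ == "__main__":
    for line in explain_error("reject", "CVE-2024-31861", "403 Forbidden", SAMPLE_DETAILS):
        print(line)
```

Parsing with ast.literal_eval rather than eval matters because the text comes from a remote service: literal_eval only accepts Python literals, so a hostile error body cannot execute code in the client.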
