Add property "productId" (of uuidType) to "product" object

[dim0x69]

Matching CVEs and Software Bill of Materials is probably the hardest challenge when doing Vulnerability Management, because there is no way to agree on a unique ID of a specific product between vendor and user.

The current workflow is (on a very high level) as follows:

1. Users create lists of components they use in their final product. This list contains the names of the components used in the final product along with the component's vendors.
2. Users regularly scan the NVD / published CVEs for vulnerabilities matching vendor and name, to find CVEs for their components.

Agreeing on something like "product name" and "vendor name" is hard. Especially agreeing on a product name is hard, because there is a lot potential for ambiguity: Spaces, dashes, special characters (e.g. german Umlaute).

Many vendors are CNAs now.

Adding a field productId of type "uuidType" in the "product" object would be very beneficial. Vendors who are CNA can add - additionally to their product name - each time they publish a CVE for a specific product, the same product UUID to the CVE record. This would allow consumers of the CVE data allow to easily identify a product, independent of the product name.

I am sure this is not going to solve all problems with respect to matching CVEs and sBoMs. But I think the CVE JSON, along with the CNAs, is a pretty good place to have such an identifier.

[CyberDaedalus00]

I was thinking something similar but my thought was with the introduction of Software Identifiers (SWID) that are part of SBOM, that the "cpes" field would actually be "productIds" and instead of an array of strings, make it an array of ProductIdentifier where there could be an something like an "namingScheme" to indicate the type of product id and then a "productId" field which would hold a cpe identifier or a SWID or whatever else the CNA feels compelled to supply.

[chandanbn]

It was discussed during QWG call today. Feedback: this list could be generalized as a list of aliases for a product to make room for alternate vendor specific identifier strings (SKUs, part numbers etc.,) along with UUIDs.
Slated for discussion during 5.1 revision.

[david-waltermire]

On the 2/16/2023 QWG call, Feng Cao volunteered to submit a PR with the schema change needed to support this.

[ccoffin]

Discussed this in the September 12, 2024 QWG Meeting. A UUID doesn't mean anything within a CVE Record by itself and wouldn't be easily interpreted.

[ccoffin]

Discussed in previous QWG and will not implement at this time. We can reopen if additional discussion is need.