-
Notifications
You must be signed in to change notification settings - Fork 139
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for GS1 (GTIN and GMN) identifiers #194
Comments
This can be supported using version and versionType fields as these are meant to accommodate any type of version expressed as a string. eg., One problem: the 5.0 schema is currently defined such that versionType is needed only when ranges are defined, and can't be used for single version identifier. Alternatively this can be encoded for hardware are list of platforms if the hardware also has software versions that are affected. platforms: [ "PlayStation5", "1234567890" ] |
QWG discussed this today, for now the recommended field is to use the platforms field to mention any hardware identifiers. The definition does say "hardware models". One difficultly would be with validating/associating the number with the numbering scheme. If there are other suggestions to encode this, please submit a pull request to the schema. |
Any reason not to allow versionType for single (non-range) version identifiers? I guess there are costs to keep track of and validate each versionType. |
There is no valid reason why it shouldn't be allowed. I guess this was an oversight, artifact of oneOf/anyOf subschema complications. It would be a backwards compatible change to allow it, we will fix in 5.1. Currently no plans to validate if the version conforms to what is said in versionType - may be hard to do with the JSON schema. |
Tracked as #201 closing this. |
Currently hardware devices in the NVD are specified using CPE. The hardware industry does not natively use CPE, but they do use multiple standards from GS1 including GTIN and GMN.
GTIN is an identification standard for all trade items developed by the international non-profit GS1. These identifiers are specifically designed to be unique to individual trade items and provide a simple way to uniquely identify trade items across multiple databases and organizational boundaries.
GMN is a standard from GS1 which allows manufacturers to describe products and product families. The GMN and GTIN share the same Company Prefix (GCP) in the specification. However, a single GMN may have several GTINs. This allows databases to track a model number along with all the variants of each model number, without the need to track individual GTINs. In the European Union, the GMN supports the implementation of the requirements of the Basic UDI-DI under the EU Unique Device Identification (UDI) regulations on medical devices.
By supporting these standards, it would be possible for example, to query using the UPC number on the back of a device to identify if the device has any known vulnerabilities.
Both of these standards are in widespread use and already supported in manufacturing, procurement, and CMDB systems.
The text was updated successfully, but these errors were encountered: