Allow non-vendor CNAs to provide "affects" data #12

@zmanion

Description

When vendor CNAs provide information about affected products, that information is included in published entries.

When CNAs or other parties who are not vendor CNAs submit entries, any product information is stripped and replaced with "n/a." In JSON 4 this includes fields like version_value, version_affected, product_name, vendor_name within the "affects" element. Also problemtype is stripped.

I was concerned this was some sort of bug; it is intentional behavior.

An example:

Product information submitted by non-vendor: CVEProject/cvelist@4f7a575

Product and problem type information is removed:
CVEProject/cvelist@7fcef33

https://github.com/CVEProject/cvelist/commits/master/2022/24xxx/CVE-2022-24106.json

CVEProject/cvelist#7712

Presumably past discussion led to this policy decision; a likely concern was that non-vendor CNAs would (intentionally or otherwise) provide enough inaccurate information that, on the balance, this would negatively affect quality. One trade-off is that information of reasonable quality is not accepted.

We should reconsider this policy. At least non-vendor (or not-the-vendor) CNAs should be permitted to submit affected product information.

ADP containers in JSON 5 may provide a technical solution.
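As an added example (not part of this issue or of the CVE Project's tooling): a small Python check that tells whether a JSON 4.0 record's "affects" and problemtype data still carry real values or have been replaced with the "n/a" placeholder described above, so a consumer of cvelist can separate stripped entries from ones with usable product data. The nesting of the affects element follows the CVE JSON 4.0 schema; the two sample records are constructed, not the actual commits referenced in the issue.

```python
import json

PLACEHOLDER = "n/a"  # value the publication process substitutes for stripped data

# Constructed sample records (not the real cvelist entries referenced in the issue).
SUBMITTED = json.loads("""{
  "data_type": "CVE", "data_format": "MITRE", "data_version": "4.0",
  "CVE_data_meta": {"ID": "CVE-2022-24106", "ASSIGNER": "cna@example.test"},
  "affects": {"vendor": {"vendor_data": [{"vendor_name": "ExampleVendor",
    "product": {"product_data": [{"product_name": "ExampleProduct",
      "version": {"version_data": [{"version_value": "1.2.3", "version_affected": "<="}]}}]}}]}},
  "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79"}]}]}
}""")

PUBLISHED = json.loads("""{
  "data_type": "CVE", "data_format": "MITRE", "data_version": "4.0",
  "CVE_data_meta": {"ID": "CVE-2022-24106", "ASSIGNER": "cna@example.test"},
  "affects": {"vendor": {"vendor_data": [{"vendor_name": "n/a",
    "product": {"product_data": [{"product_name": "n/a",
      "version": {"version_data": [{"version_value": "n/a", "version_affected": "="}]}}]}}]}},
  "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}
}""")

def affects_values(record):
    """Yield every vendor_name, product_name and version_value found in the
    JSON 4.0 'affects' element (nesting as defined by the CVE JSON 4.0 schema)."""
    for vendor in record.get("affects", {}).get("vendor", {}).get("vendor_data", []):
        yield vendor.get("vendor_name", "")
        for product in vendor.get("product", {}).get("product_data", []):
            yield product.get("product_name", "")
            for version in product.get("version", {}).get("version_data", []):
                yield version.get("version_value", "")

def problemtype_values(record):
    """Yield every problemtype description value (e.g. a CWE id) in the record."""
    for entry in record.get("problemtype", {}).get("problemtype_data", []):
        for desc in entry.get("description", []):
            yield desc.get("value", "")

def all_placeholder(values):
    """True when at least one value is present and every one is the 'n/a' placeholder."""
    vals = [v.strip().lower() for v in values]
    return bool(vals) and all(v == PLACEHOLDER for v in vals)

def stripped_fields(record):
    """Report which parts of a JSON 4.0 record carry only placeholder data."""
    return {"affects": all_placeholder(affects_values(record)),
            "problemtype": all_placeholder(problemtype_values(record))}

if __name__ == "__main__":
    for label, rec in (("submitted", SUBMITTED), ("published", PUBLISHED)):
        print(label, stripped_fields(rec))
```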
