exclusively-hosted-service and unsupported-when-assigned tags should apply to `affected` element not CNA contaner

The exclusively-hosted-service and unsupported-when-assigned tags ([glossary](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryTags), [schema](https://github.com/CVEProject/cve-schema/blob/master/schema/tags/cna-tags.json)) apply to the entire CNA container. Should they instead apply to an `affected` element?

Real world example: Given a CVE ID that affects Adminer (unsupported, will not be fixed) and AdminerEvo (fork of Adminer, supported, fixed), there is currently not a machine-readable way to specifify that Adminer is EOL.

Example: A CVE ID affects software that exists both as a service and an "on-prem" product. It is not possible to indicate that one `affected` element is a cloud service while another element is not.



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

exclusively-hosted-service and unsupported-when-assigned tags should apply to `affected` element not CNA contaner #13

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

exclusively-hosted-service and unsupported-when-assigned tags should apply to affected element not CNA contaner #13

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions

exclusively-hosted-service and unsupported-when-assigned tags should apply to `affected` element not CNA contaner #13