(S)ADP data, system, and CVE Services architecture and data storage #4

@zmanion

Description

Copied from CVEProject/quality-workgroup#17.

As the Program continues to discuss ADP, and more specifically the "supplier CNA as ADP for upstream vulnerabilities" topic, we need to consider where this additional data is stored and how it is retrieved. For example, imagine a future with 10s or 100s of supplier CNA containers associated with a CVE ID (log4j, Heartbleed). We probably don't want a single JSON file or API response with 134 containers in it. Or do we? Today, I think there's a 4MB limit on CVE JSON file size.

Some incomplete ideas:

  1. Indeed, return the full JSON with all containers via API (or even GitHub file cache).
  2. Return CVE Record meta/index data, so user can then request specific parts/containers
  3. Return specified containers from one or more Records
  4. Could an ADP container instead/also be a pointer/URL to elsewhere? Still have container metadata, but effectively a URL to dereference the container content from somewhere else, perhaps constrained to a location/prefix declared by the supplier-CNA-as-ADP? "Elsewhere" could be the supplier CNA's domain or declared data location, or just an API call into CVE Services.
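An added example, not code from this issue or from CVE Services, sketching ideas 2, 3 and 4 above in Python: it builds a per-container index for a record (idea 2), returns only the requested containers (idea 3), and dereferences a pointer-style ADP container only when its URL falls under the `https` prefix the supplier declared (idea 4), refusing anything else. The `containers.cna` / `containers.adp` layout follows CVE JSON 5.x; the `contentUrl` field, the `DECLARED_PREFIXES` registry, the fetch callback and the sample record with its placeholder CVE ID are all constructed for illustration.

```python
import json
import posixpath
from urllib.parse import urlparse

MAX_RECORD_BYTES = 4 * 1024 * 1024  # the 4 MB record limit mentioned in the issue

# Constructed sample record. "contentUrl" (a pointer to the container body hosted
# elsewhere) is a hypothetical field for idea 4, not part of the CVE schema.
SAMPLE_RECORD = {
    "cveMetadata": {"cveId": "CVE-2099-00001"},  # placeholder id, not a real CVE
    "containers": {
        "cna": {
            "providerMetadata": {"shortName": "root-cna"},
            "descriptions": [{"lang": "en", "value": "Constructed sample description."}],
        },
        "adp": [
            {   # inline supplier container
                "providerMetadata": {"shortName": "supplier-a"},
                "affected": [{"vendor": "Supplier A", "product": "Widget",
                              "versions": [{"version": "1.0", "status": "affected"}]}],
            },
            {   # pointer container inside the supplier's declared location
                "providerMetadata": {"shortName": "supplier-b"},
                "contentUrl": "https://supplier-b.example/cve/CVE-2099-00001.json",
            },
            {   # pointer container that points outside the declared location
                "providerMetadata": {"shortName": "supplier-c"},
                "contentUrl": "https://not-supplier-c.example/x.json",
            },
        ],
    },
}

# Hypothetical registry: the URL prefix each supplier-CNA-as-ADP has declared.
DECLARED_PREFIXES = {
    "supplier-b": "https://supplier-b.example/cve/",
    "supplier-c": "https://supplier-c.example/adp/",
}


def _entry(role, container):
    name = container["providerMetadata"]["shortName"]
    kind = "pointer" if "contentUrl" in container else "inline"
    size = len(json.dumps(container, separators=(",", ":")).encode("utf-8"))
    return {"role": role, "shortName": name, "kind": kind, "bytes": size}


def build_index(record):
    """Idea 2: index of containers (who, inline or pointer, how big) without the bodies."""
    containers = record["containers"]
    entries = [_entry("cna", containers["cna"])]
    entries.extend(_entry("adp", c) for c in containers.get("adp", []))
    return entries


def select_containers(record, short_names):
    """Idea 3: the record with only the named ADP containers (the CNA container is always kept)."""
    wanted = set(short_names)
    adp = [c for c in record["containers"].get("adp", [])
           if c["providerMetadata"]["shortName"] in wanted]
    return {"cveMetadata": record["cveMetadata"],
            "containers": {"cna": record["containers"]["cna"], "adp": adp}}


def pointer_allowed(short_name, url, declared_prefixes):
    """Idea 4: a pointer may only be dereferenced inside the supplier's declared https prefix."""
    prefix = declared_prefixes.get(short_name)
    if prefix is None:
        return False
    p, u = urlparse(prefix), urlparse(url)
    if u.scheme != "https" or p.scheme != "https":
        return False
    if not u.netloc or u.netloc.lower() != p.netloc.lower():  # also rejects user@host forms
        return False
    if ".." in u.path.split("/"):  # no path traversal out of the prefix
        return False
    return posixpath.normpath(u.path).startswith(p.path.rstrip("/") + "/")


def resolve_pointers(record, declared_prefixes, fetch):
    """Replace allowed pointer containers with the fetched body; drop disallowed ones.

    `fetch(url)` is an injected callable returning the container dict, so the
    policy check can be exercised without network access.
    """
    resolved = []
    for c in record["containers"].get("adp", []):
        url = c.get("contentUrl")
        if url is None:
            resolved.append(c)
            continue
        name = c["providerMetadata"]["shortName"]
        if not pointer_allowed(name, url, declared_prefixes):
            continue  # skip rather than fetch from an undeclared location
        body = fetch(url)
        body["providerMetadata"] = c["providerMetadata"]  # identity stays with the metadata
        resolved.append(body)
    return {"cveMetadata": record["cveMetadata"],
            "containers": {"cna": record["containers"]["cna"], "adp": resolved}}


def record_size_ok(record):
    """Idea 1 caveat: does the assembled record still fit the 4 MB limit?"""
    return len(json.dumps(record, separators=(",", ":")).encode("utf-8")) <= MAX_RECORD_BYTES
```

The prefix check deliberately compares scheme, host and normalised path separately instead of doing a plain string `startswith` on the URL, so that a host like `supplier-b.example.attacker.test` or a `..` segment cannot slip under a declared prefix.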
