OK CVE wizards (@MITREcorp @CVEnew etc.):
Why do libraries get "n/a" in vendor_name, product_name, version_value fields? e.g.
https://github.com/CVEProject/cvelist/blob/e4f102fdffd602b8e995c3e49cf775d16807e29b/2016/9xxx/CVE-2016-9841.json
https://github.com/CVEProject/cvelist/blob/f579c483790442a257c591c4cec154594725a035/2018/14xxx/CVE-2018-14048.json
https://github.com/CVEProject/cvelist/blob/c54ac69e98d49654d8bc0c35bae632220aad65b3/2019/6xxx/CVE-2019-6128.json
Isn't that throwing data away?
This doesn't seem fully baked to me.
I don't see the term "n/a" anywhere in the CVE JSON guidance: https://github.com/CVEProject/automation-working-group/blob/master/cve_json_schema/DRAFT-JSON-file-format-v4.md Also, for those 3 examples I listed (which are admittedly spot checks), the affected versions are listed in the description_data prose. Doesn't it make more sense to explicitly state versions?
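Added example, not part of the original thread and not CVE Project code: one way to spot-check a record for the pattern described above, assuming the CVE JSON 4.0 nesting `affects.vendor.vendor_data[].product.product_data[].version.version_data[]`. The sample record, its ID, the function names and the version regex are constructed for illustration.

```python
import re

# Loose pattern for version-like tokens in prose (an assumption, not part of any CVE schema).
VERSION_RE = re.compile(r"\b\d+(?:\.\d+)+[a-z]?\b")

# Constructed CVE JSON 4.0-style record; the ID and text are placeholders, not a real entry.
SAMPLE = {
    "CVE_data_meta": {"ID": "CVE-0000-00000"},
    "affects": {"vendor": {"vendor_data": [{
        "vendor_name": "n/a",
        "product": {"product_data": [{
            "product_name": "n/a",
            "version": {"version_data": [{"version_value": "n/a"}]},
        }]},
    }]}},
    "description": {"description_data": [
        {"lang": "eng", "value": "examplelib before 1.2.9 mishandles a crafted archive."}
    ]},
}

def _is_placeholder(value):
    return isinstance(value, str) and value.strip().lower() == "n/a"

def placeholder_fields(record):
    """Return paths of vendor/product/version fields that hold only 'n/a'."""
    hits = []
    vendors = record.get("affects", {}).get("vendor", {}).get("vendor_data", [])
    for vi, vendor in enumerate(vendors):
        vpath = f"vendor_data[{vi}]"
        if _is_placeholder(vendor.get("vendor_name")):
            hits.append(f"{vpath}.vendor_name")
        for pi, prod in enumerate(vendor.get("product", {}).get("product_data", [])):
            ppath = f"{vpath}.product_data[{pi}]"
            if _is_placeholder(prod.get("product_name")):
                hits.append(f"{ppath}.product_name")
            for xi, ver in enumerate(prod.get("version", {}).get("version_data", [])):
                if _is_placeholder(ver.get("version_value")):
                    hits.append(f"{ppath}.version_data[{xi}].version_value")
    return hits

def versions_in_description(record):
    """Return distinct version-like strings found in the description_data prose."""
    entries = record.get("description", {}).get("description_data", [])
    text = " ".join(entry.get("value", "") for entry in entries)
    return list(dict.fromkeys(VERSION_RE.findall(text)))

if __name__ == "__main__":
    print(placeholder_fields(SAMPLE), versions_in_description(SAMPLE))
```

A record where both functions return non-empty lists carries version information only in free text, which is the case the thread is asking about.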