It's interesting that the example given is how the CNCF data for log4j is better than CVE (ref: https://github.com/cncf/tag-security/issues/835#issuecomment-991467721 ) however the CNCF entry is actually worse, because, for example, their version comparison incorrectly would flag log4j 2.12.3 as vulnerable when it isn't. However the CVE entry that we've been updating is correct https://www.cve.org/CVERecord?id=CVE-2021-44228
For the upcoming White House meeting this week (which I'm attending), in the ASF position paper we mention this CVE agility as being deliberate and important. https://cwiki.apache.org/confluence/display/COMDEV/Position+Paper

Mark

On Tue, 11 Jan 2022 at 14:59, Art Manion <aman...@cert.org> wrote:
>
> All,
>
> https://github.com/cncf/tag-security/issues/835
>
> I plan to be involved in this event assuming it happens, for both CVE and
> $dayjob reasons. I will of course represent CVE but we may want additional
> involvement, including someone from the Secretariat (MITRE is specifically
> mentioned).
>
> Regards,
>
> - Art