
118955 CVE records don't have an affected product/vendor or version

Open cookiengineer opened this issue 3 years ago • 1 comments

I have a question regarding the quality of the dataset.

From all CVEs that ...

  • have not been rejected
  • have not been reserved

... 118955 records do not have a valid affected software in their details. With some random picks to verify, the software is only noted down in the descriptions[] fields as text, but is not set inside the containers/cna/affected Array inside the JSON file.

Is this a mistake in the database export, the CVE website doesn't list any details in the rendered fields on the website?

I've generated a list of those records that do not contain valid affected fields and exported them here as a gist.

cookiengineer, Apr 17 '22 10:04

The CVE JSON record formats up to v4 were experimental and run as a pilot program to let program participants update the records themselves using GitHub as a channel. CVE assignments done before or outside this pilot didn't have the data structured this way to begin with.

The automated upconversion process tried not to add or remove data that didn't exist in the v4 format records.

Keep in mind that only the bare minimum information is required in a CVE record to publish it. The rest is optional, but left to the CNA if they see value in providing such information.

chandanbn, May 03 '22 04:05
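The check discussed in this thread, as an added example that is not code from either participant or from the CVE project: it classifies CVE JSON 5 records by whether containers/cna/affected carries a usable vendor/product and version. The placeholder set, the reason labels, and the sample records (with made-up IDs) are assumptions constructed for illustration.

```python
# Placeholder strings treated as "no real value" (an assumption of this example).
PLACEHOLDERS = {"", "n/a", "na", "unknown", "unspecified", "-"}

def _is_real(value):
    """True if value is a string that is not an empty/placeholder marker."""
    return isinstance(value, str) and value.strip().lower() not in PLACEHOLDERS

def classify(record):
    """Return 'skipped', 'ok', or the reason the affected data is unusable."""
    state = record.get("cveMetadata", {}).get("state", "")
    if state in ("REJECTED", "RESERVED"):  # excluded, as in the issue
        return "skipped"
    affected = record.get("containers", {}).get("cna", {}).get("affected")
    if not isinstance(affected, list) or not affected:
        return "missing-affected"
    entries = [e for e in affected if isinstance(e, dict)]
    named = [e for e in entries
             if _is_real(e.get("vendor")) or _is_real(e.get("product"))]
    if not named:
        return "placeholder-product"
    for entry in named:
        versions = entry.get("versions") or []
        if any(_is_real(v.get("version")) for v in versions if isinstance(v, dict)):
            return "ok"
    return "placeholder-version"

def summarize(records):
    """Count records per classification."""
    counts = {}
    for record in records:
        reason = classify(record)
        counts[reason] = counts.get(reason, 0) + 1
    return counts

def _rec(cve_id, state, affected=None):
    """Build a constructed, minimal record for the sample below."""
    cna = {"descriptions": [{"lang": "en", "value": "Flaw in ExampleApp 1.2"}]}
    if affected is not None:
        cna["affected"] = affected
    return {"cveMetadata": {"cveId": cve_id, "state": state},
            "containers": {"cna": cna}}

# Constructed sample records; the IDs are placeholders, not real CVEs.
SAMPLE = [
    _rec("CVE-0000-0001", "PUBLISHED", [{"vendor": "n/a", "product": "n/a",
         "versions": [{"version": "n/a", "status": "affected"}]}]),
    _rec("CVE-0000-0002", "PUBLISHED"),
    _rec("CVE-0000-0003", "REJECTED"),
    _rec("CVE-0000-0004", "PUBLISHED", [{"vendor": "ExampleCorp",
         "product": "ExampleApp", "versions": [{"version": "1.2", "status": "affected"}]}]),
    _rec("CVE-0000-0005", "PUBLISHED", [{"vendor": "ExampleCorp",
         "product": "ExampleApp", "versions": [{"version": "n/a", "status": "affected"}]}]),
]
```

To run it over a checkout of the repository, load each record file with `json.load` and pass the resulting dicts to `summarize`.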