CVE syntax is changing

CVE syntax is changing on January 1, 2014. Be prepared, modify and test your code. This modification is not a big deal, the last 4 fixed digits became arbitrary digits with a minimum of 4 and without a maximum.

PNG - 11.6 kb

"The new syntax for CVE Identifiers (CVE-IDs), which was determined in a recent vote by the CVE Editorial Board, will take effect on January 1, 2014. This announcement is being made now so that users will have enough time to change their processes and software to handle the new ID syntax."

"The CVE Editorial Board determined that the new syntax was needed so that CVE can track more than 10,000 vulnerabilities in a single year. The CVE-ID syntax used since the inception of CVE in 1999, CVE-YYYY-NNNN, only supports a maximum of 9,999 unique identifiers per year so a change was necessary."

For us, not a big deal, only one change in our code. Testing are done. Great !

A simple example of a PHP Regex syntax (with a limitation of 100 digits witch is a lots) :

  1. <?php
  2. $subject = "CVE-2014-10000000";
  3. if (preg_match_all("|CVE-[0-9]{4}-[0-9]{4,100}|i", $subject, $matches)) {
  4. var_dump($matches);
  5. }

The Security-Database Team



Comments

Related Articles

Documentations
Update