GCVE BCP-05-X-01: AI-Assisted Vulnerability Information Annotation

adulau · June 14, 2026, 1:12pm

The following update is proposed to GCVE BCP-05-X-01: AI-Assisted Vulnerability Information Annotation to align with the testing implementation but also to allow multiple GNAs to add their own model and contribution.

github.com/gcve-eu/gcve.eu

Update BCP-05-X-01 GNA provenance levels (v1.2) (#39)

main ← codex/update-gcve-bcp-05-x-01-for-gna-source-changes

opened 01:09PM - 14 Jun 26 UTC

adulau

+62 -9

### Motivation - Clarify provenance semantics so GNA attribution can be expresse…d both for an annotation as a whole and for individual model contributions when different GNAs provide or run models. ### Description - Bump BCP-05-X-01 to `version 1.2` and update the publication date to `2026-06-14` in the extension document at `content/bcp/extension/gcve-bcp-05-x-01.md`. - Allow `gna_source` as an optional field at the AI-annotation level and add an optional `gna_source` to each `model` entry with documented override and fallback semantics so model-level provenance can override the annotation-level default. - Add a new example showing a field-level annotation where `gna_source` is placed on a model entry (VLAI severity enrichment) to demonstrate the multi-GNA scenario. - Update the CSAF extension schema at `static/schema/csaf/extensions/gcve-bcp-05-x-01_1.0.0.json` to permit `gna_source` in both the `aiAnnotation` object and the `model` object. ### Testing - `git diff --check` was run and reported no whitespace or diff errors. - JSON schema was validated with `python3 -m json.tool static/schema/csaf/extensions/gcve-bcp-05-x-01_1.0.0.json` and the file is syntactically valid. - Site build command `hugo --gc --minify` was attempted but not run successfully because `hugo` is not installed in the environment. ------ [Codex Task](https://chatgpt.com/codex/cloud/tasks/task_e_6a2ea6ccc21883248499626b858bf1b1)

Thanks to @jgamblin for the original issue `gna_source` placement diverges from BCP-05-X-01 (model-level vs annotation-level) · Issue #3 · gcve-eu/gcve-enriched-dumps · GitHub and the feedback from @iglocska about the multiple GNAs.

If there are no objection, this will be update an update to BCP-05-X-01