cpes, affected, versions, cisagov#41
Signed-off-by: Art Manion <arthur.manion@associates.cisa.dhs.gov>
amanion-cisa committed Sep 19, 2024
1 parent 86a14eb commit ae02046
Showing 1 changed file with 16 additions and 15 deletions.
31 changes: 16 additions & 15 deletions README.md
Expand Up @@ -154,27 +154,28 @@ Of all the enriched data types, consistent and universal software identification
2. CPE entries that are present in NVD data but not in the Dictionary
3. CPE entries created by CISA

Due to the current design of the CVE Record Format, adding CPE strings (to the `cpes` list) effectively requires us to also create [`affected`](https://cveproject.github.io/cve-schema/schema/docs/#oneOf_i0_containers_cna_affected) and [`versions`](https://cveproject.github.io/cve-schema/schema/docs/#oneOf_i0_containers_cna_affected_items_versions) arrays. This increases the possibility of disagreement between sources of vulnerability status and software identity information, including:

* the CVE description (CNA)
* `affected` data (CNA)
* `cpes` data (ADP)
* `affected` data (ADP)
* external references, like an advisory from the CNA
* external references from a party other than the CNA

We'll do what we can to fix or improve data in our control, please open an [issue](https://github.com/cisagov/vulnrichment/issues) if you notice trouble with ADP-provided data.

### A note about updated CVE entries

Since the CISA ADP is committed to encouraging CNAs to Do The Right Thing and provide their own CWE, CVSS, and CPE data, if a CVE entry is updated to include that data after the CISA ADP has made their assessment, the CISA ADP will drop its own assessments from the CVE entry. This approach will reduce duplicate (and conflicting) data within the CVE record. In the rare event that there is CWE, CVSS, or CPE data provided by the originating CNA *and* the CISA ADP, this should be treated as an error in the CISA ADP container, and the originating CNA's data should take precedence.

### A note about SSVC data

SSVC data is encoded in a way that aligns with the schema for the SSVC
version used in the decision tree that generated the data. Currently,
CISA is utilizing the [CISA Coordinator](https://github.com/CERTCC/SSVC/blob/main/docs/ssvc-calc/CISA-Coordinator.json)
tree.

The version field in SSVC data follows the major.minor.patch convention,
where major.minor denotes the SSVC version, and patch denotes the
decision tree version. For the current CISA decision tree, this results
in a version number of 2.0.3: SSVC version 2.0, CISA Coordinator tree
version 3.

Updates to the decision tree to conform with updates to SSVC will result
in changes to the version string. Users consuming this data are urged to
observe the version when decoding SSVC scores to determine how to validate
and process the JSON data.
SSVC data is encoded in a way that aligns with the schema for the SSVC version used in the decision tree that generated the data. Currently, CISA is utilizing the [CISA Coordinator](https://github.com/CERTCC/SSVC/blob/main/docs/ssvc-calc/CISA-Coordinator.json) tree.

The version field in SSVC data follows the major.minor.patch convention, where major.minor denotes the SSVC version, and patch denotes the decision tree version. For the current CISA decision tree, this results in a version number of 2.0.3: SSVC version 2.0, CISA Coordinator tree version 3.

Updates to the decision tree to conform with updates to SSVC will result in changes to the version string. Users consuming this data are urged to observe the version when decoding SSVC scores to determine how to validate and process the JSON data.

## Issues and Pull Requests

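Review bot: the new paragraph under the CPE section lists `affected` data (ADP) as a possible source of disagreement, but the drop rule in "A note about updated CVE entries" names only CWE, CVSS, and CPE; it does not say whether the ADP's `affected` and `versions` arrays, which that paragraph says must be created alongside the `cpes` list, are also removed when the originating CNA later supplies its own `affected` data. Suggest extending that sentence, e.g. "the CISA ADP will drop its own CWE, CVSS, and CPE assessments, along with the `affected` and `versions` arrays created to carry the CPEs", so consumers know which container takes precedence for version ranges as well as for the CPE strings. Minor: the three SSVC paragraphs are reflowed from hard-wrapped lines to single lines with no wording change, which is fine but accounts for most of the 16/15 line churn in this hunk.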