
Re: Notice of Pilot Activity in CVE Auto WG - Phase 2 of the Git Pilot

On Mon, Oct 2, 2017 at 6:02 PM, Theall, George A <gtheall@mitre.org> wrote:

The CVE Automation Working Group (AWG) has operated a pilot since May 2017 to explore sharing of CVE data using git. To date, this has involved use of a private, MITRE-hosted git repository, with participation limited to members of the AWG.  We now propose that, as a second phase of the pilot, the repository be moved to a public one hosted on Github.com and that updates be accepted only from members of the CVE Automation Working Group.


For some time now, CNAs have been supplying information beyond descriptions and references when populating CVE entries; e.g., affected products and versions as well as problem types. This additional information is not currently published in the CVE List on https://cve.mitre.org/ but is included in the CVE JSON files in the repository. We see great benefit in making that information public and hope that doing so will spur development of tooling and services to work with these files. We also see great benefit in making public the change history that git natively provides, as doing so will increase situational awareness and provide transparency.


We consider this second phase a short, transitional one, supporting migration to a new platform. Our goals during this phase include:


- Verify that Github.com can be used to submit assignment information to the primary CNA by means of pull requests.


- Experiment with automation by setting up a process to validate JSON files in submissions against the minimal CVE schema.

Please note that longer term we can also have CI that does things like:

1) Validate that the CVE being assigned is part of the block "owned" by the submitter, preventing accidental typos/theft of CVEs (it happens)
2) Longer term, validate the actual data: not just the JSON format, but start adding business/process logic that we currently have people doing

amongst other things. As Martha Stewart would say "It's a good thing". 


Unless there are sustained objections from the Board, we will start the second phase of the pilot on Wednesday, October 11th and let it run for one month. Afterwards, we hope to give access to all CNAs and explore other forms of automation in subsequent phases.

It's also important to note that moving this to GitHub not only makes submissions easier, but makes monitoring CVE for new/changed CVEs a lot easier, which is an important thing for many of us who consume CVE at scale.






The MITRE Corporation


Kurt Seifried

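The two CI checks discussed in the message above (validating a submitted JSON file against a minimal CVE schema, and verifying that the CVE ID falls inside the block allocated to the submitter) can be sketched as one validator. The code below is an added example, not the AWG's or MITRE's own tooling. It assumes a field layout modeled loosely on the CVE JSON 4.0 files in the cvelist repository (`data_type`, `CVE_data_meta.ID`, `CVE_data_meta.ASSIGNER`, `description.description_data`), and the CNA allocation table and sample records are constructed for illustration.

```python
import json
import re

# CVE identifier: "CVE-<4-digit year>-<4 or more digits>". Capture year and sequence
# so the sequence can be compared against a CNA's allocated range.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

# Constructed allocation table (assumption for this example, not real CNA data):
# assigner e-mail -> list of (year, first_sequence, last_sequence) blocks.
CNA_BLOCKS = {
    "cve@mitre.org": [(2017, 1, 999999)],
    "secalert@redhat.com": [(2017, 1000000, 1000999)],
}


def validate_minimal_schema(record):
    """Return a list of schema problems; an empty list means the record passes."""
    problems = []
    if not isinstance(record, dict):
        return ["record is not a JSON object"]
    if record.get("data_type") != "CVE":
        problems.append("data_type must be 'CVE'")
    meta = record.get("CVE_data_meta")
    if not isinstance(meta, dict):
        problems.append("CVE_data_meta missing")
        return problems
    cve_id = meta.get("ID", "")
    if not isinstance(cve_id, str) or not CVE_ID_RE.match(cve_id):
        problems.append(f"ID {cve_id!r} is not a well-formed CVE identifier")
    if not meta.get("ASSIGNER"):
        problems.append("ASSIGNER missing")
    # At least one non-empty description value is required.
    desc = record.get("description")
    entries = desc.get("description_data", []) if isinstance(desc, dict) else []
    if not any(isinstance(d, dict) and d.get("value") for d in entries):
        problems.append("description_data has no non-empty value")
    return problems


def id_in_assigner_block(cve_id, assigner, blocks=CNA_BLOCKS):
    """True if cve_id lies inside one of the blocks allocated to assigner."""
    m = CVE_ID_RE.match(cve_id)
    if not m:
        return False
    year, seq = int(m.group(1)), int(m.group(2))
    return any(y == year and lo <= seq <= hi for (y, lo, hi) in blocks.get(assigner, []))


def check_submission(raw_json, submitter):
    """CI-style gate for one submitted file: parse, schema-check, then ownership-check.

    Returns a list of human-readable problems; empty means the submission is acceptable.
    """
    try:
        record = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    problems = validate_minimal_schema(record)
    if problems:
        return problems  # ownership check needs a well-formed record first
    meta = record["CVE_data_meta"]
    if meta["ASSIGNER"] != submitter:
        problems.append(f"ASSIGNER {meta['ASSIGNER']} does not match submitter {submitter}")
    if not id_in_assigner_block(meta["ID"], submitter):
        problems.append(f"{meta['ID']} is outside the block allocated to {submitter}")
    return problems


# Constructed sample submissions (not real CVE entries).
GOOD_RECORD = json.dumps({
    "data_type": "CVE", "data_format": "MITRE", "data_version": "4.0",
    "CVE_data_meta": {"ID": "CVE-2017-1000123", "ASSIGNER": "secalert@redhat.com"},
    "description": {"description_data": [{"lang": "eng", "value": "Constructed example description."}]},
})

# Same record with one digit dropped from the ID: the kind of typo the block check catches.
TYPO_RECORD = json.dumps({
    "data_type": "CVE", "data_format": "MITRE", "data_version": "4.0",
    "CVE_data_meta": {"ID": "CVE-2017-100123", "ASSIGNER": "secalert@redhat.com"},
    "description": {"description_data": [{"lang": "eng", "value": "Constructed example description."}]},
})

if __name__ == "__main__":
    for name, raw in (("good", GOOD_RECORD), ("typo", TYPO_RECORD)):
        print(name, check_submission(raw, "secalert@redhat.com") or "OK")
```

The schema check runs first and short-circuits, so the ownership check only ever sees a record with a well-formed ID and assigner; in a real pipeline the allocation table would come from the CNA registry rather than a literal in the script.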
Page Last Updated or Reviewed: October 16, 2017