
Re: Notice of Pilot Activity in CVE Auto WG - Phase 3 of the Git Pilot



Thanks, that makes sense.  

(As a project, we need to get a consistent set of terminology… ;-))

Thank you, Gracias, Grazie,  谢谢, Merci!, Спасибо!, Danke!, ありがとう, 
धन्यवाद!
 
-- 
Kent Landfield
+1.817.637.8026
kent_landfield@mcafee.com
 

On 12/6/17, 3:38 PM, "Theall, George A" <gtheall@mitre.org> wrote:

    Kent,

    We would like to extend the pilot to all CNAs except sub-CNAs (as they need to pass assignment information and updates to the root that manages them).

    George

    -----Original Message-----
    From: Landfield, Kent [mailto:Kent_Landfield@McAfee.com]
    Sent: Wednesday, December 06, 2017 4:30 PM
    To: Theall, George A <gtheall@mitre.org>; cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
    Subject: Re: Notice of Pilot Activity in CVE Auto WG - Phase 3 of the Git Pilot

    I have no issues with the proposal but would like to understand the term “root CNA”.  Are you talking about all CNAs today or just the DWF and JPCERT/CC?

    Thank you, Gracias, Grazie,  谢谢, Merci!, Спасибо!, Danke!, ありがとう, धन्यवाद!

    --
    Kent Landfield
    +1.817.637.8026
    kent_landfield@mcafee.com

    From: <owner-cve-editorial-board-list@lists.mitre.org> on behalf of "Theall, George A" <gtheall@mitre.org>
    Date: Wednesday, December 6, 2017 at 3:16 PM
    To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
    Subject: Notice of Pilot Activity in CVE Auto WG - Phase 3 of the Git Pilot

    The CVE Automation Working Group (AWG) has operated a pilot since May 2017 to explore sharing of CVE data using git.

    The first phase involved use of a private, MITRE-hosted git repository and ran from May through August of this year.  Participation was limited to members of the Automation Group.

    The second phase has been a short, transitional one in which activity shifted to a public repo hosted on Github.com and a process was established to perform some basic validation of JSON files in pull requests (submissions) against the minimal schema automatically. In the past 6 weeks, there have been over a hundred pull requests, nearly all of which have been accepted.

    The Automation Working Group now proposes a third phase of the pilot, to focus on several workflow issues:

    1. Extended automatic validation of pull requests.

    Note the goal here is to identify areas of concern for further review, either by the submitter or the primary CNA.

      a. Check GPG signatures on commits.
      b. Identify when requests to populate or modify descriptions by a CNA involve ids allocated to a different CNA.
      c. Identify when references are "broken".
      d. Identify if none of the references associated with a CVE id specifically mention that id.

    2. Automatic acceptance by policy of pull requests.

      a. Requests from IBM that populate or update descriptions provided automatic validation has not identified any areas of concern.
      b. Requests from any pilot participant that solely add references.
      c. Requests from the NVD that add CVSS / CPE information that is separate from what may have been added by the assigning CNA.

    3. Handling of updates to a single entry by multiple maintainers.

    The goal here is to see if multiple stakeholders can update a single entry; for example, a description update from the assigning CNA, reference additions from other CNAs, and adds of CVSS and CPE information by the NVD. Of particular interest is whether it’s possible to support updates in close proximity to one another, such as might happen with a vulnerability such as Heartbleed.

    4. Identification of workflows for addressing issues in entries across participants.

    In addition, we would like to see the pilot opened up to all interested root CNAs.

    Unless there are sustained objections from the Board (i.e., "silence begets acceptance"), we propose to start the third phase of the pilot after next week’s Board call, on Wednesday, December 13th, and let it run through May 2018.

    George

    --
    gtheall@mitre.org
    The MITRE Corporation

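The validation checks in item 1 (b through d) and the acceptance policy in item 2 of the proposal quoted above, sketched as an added Python example; this is not code from the pilot, and the entry shape, the CNA name "ExampleCNA", the id allocations and the sample URLs are constructed assumptions (1a, GPG signature checking, is left out because it needs the git commit objects).

```python
import re

# Constructed for this example: which CNA each id was allocated to and who
# takes part in the pilot. Not the pilot's real records.
ALLOCATIONS = {"CVE-2017-0001": "ExampleCNA", "CVE-2017-0002": "IBM"}
PILOT_PARTICIPANTS = {"ExampleCNA", "IBM", "NVD"}
URL_RE = re.compile(r"^https?://\S+$")


def changed_fields(old: dict, new: dict) -> set:
    """Top-level fields of the entry whose value differs before and after the PR."""
    return {k for k in set(old) | set(new) if old.get(k) != new.get(k)}


def concerns_for(old: dict, new: dict, submitter: str) -> list:
    """Items 1b-1d: areas of concern to hand to the submitter or primary CNA."""
    cve_id = new["id"]
    changed = changed_fields(old, new)
    found = []
    # 1b: description populated or modified by a CNA other than the assigning one.
    if "description" in changed and ALLOCATIONS.get(cve_id) != submitter:
        found.append("1b: description changed by a CNA that was not allocated this id")
    refs = new.get("references", [])
    # 1c: "broken" reference. Syntactic check only; the pilot's definition is not given.
    for url in refs:
        if not URL_RE.match(url):
            found.append(f"1c: broken reference {url!r}")
    # 1d: none of the references mention the id itself.
    if refs and not any(cve_id in url for url in refs):
        found.append("1d: no reference mentions the CVE id")
    return found


def auto_accept(old: dict, new: dict, submitter: str) -> bool:
    """Item 2 policy: merge without human review only in the three listed cases."""
    changed = changed_fields(old, new)
    concerns = concerns_for(old, new, submitter)
    # 2a: IBM populating or updating descriptions, with no concerns flagged.
    if submitter == "IBM" and changed == {"description"} and not concerns:
        return True
    # 2b: any participant whose PR solely adds references (removals are not "adds").
    only_adds_refs = (changed == {"references"}
                      and set(old.get("references", [])) <= set(new.get("references", [])))
    if submitter in PILOT_PARTICIPANTS and only_adds_refs:
        return True
    # 2c: NVD adding CVSS / CPE data kept separate from the CNA's fields.
    if submitter == "NVD" and changed and changed <= {"cvss", "cpe"}:
        return True
    return False
```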

Page Last Updated or Reviewed: December 07, 2017