
JSON data format handling



So long story short:

The JSON data has a specification for the core required data:

https://github.com/CVEProject/automation-working-group/tree/master/cve_json_schema

This is the classic "minimum data needed to specify a CVE entry"

I am proposing that

1) any data outside of that specification be generally allowed, e.g.
if a vendor wants to add data about signatures for the vuln, or
whatever. Ideally MITRE should allow the data to be published in the
central CVE git repo at:

https://github.com/CVEProject/cvelist

this might require changes on their end (e.g. if they regenerate the
entries from their internal database I'm not clear on how the extra
data they don't care about/process is put back in to the entry).

2) We the board allow such experimentation, in that much like HTTP
headers, people can choose to arbitrarily create, and consume them if
they want, and then if stuff turns out to be useful/widespread it can
be added to the specification (and in general anything really good
will be adopted widely making it a moot point).

-- 

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com
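
The regeneration concern raised in point 1, as an added example that is not part of the original message or of any CVE Project tooling: core fields are rebuilt from an internal record while top-level keys outside the specification are carried back into the entry. The `CORE_KEYS` set, the `x_vendor_signatures` key and the sample entries are assumptions constructed for illustration.

```python
import copy

# Assumption: top-level keys treated as "core"; the authoritative list is the
# cve_json_schema linked in the message, not this set.
CORE_KEYS = {"data_type", "data_format", "data_version", "CVE_data_meta",
             "affects", "problemtype", "references", "description"}

def split_entry(entry):
    """Return (core, extra): fields the spec covers and everything else."""
    core = {k: v for k, v in entry.items() if k in CORE_KEYS}
    extra = {k: v for k, v in entry.items() if k not in CORE_KEYS}
    return core, extra

def regenerate(published, internal_core):
    """Rebuild an entry from the internal record without dropping extensions.

    Core fields come only from internal_core (the authoritative source);
    top-level keys the spec does not know are copied back from the published
    entry. Extensions nested inside core objects are not handled here.
    """
    unknown = set(internal_core) - CORE_KEYS
    if unknown:
        raise ValueError(f"non-core keys in internal record: {sorted(unknown)}")
    _, extra = split_entry(published)
    rebuilt = copy.deepcopy(internal_core)
    rebuilt.update(copy.deepcopy(extra))
    return rebuilt

# Constructed sample data; the ID and the x_vendor_signatures key are placeholders.
PUBLISHED = {
    "data_type": "CVE", "data_format": "MITRE", "data_version": "4.0",
    "CVE_data_meta": {"ID": "CVE-0000-0000", "ASSIGNER": "cna@example.com"},
    "description": {"description_data": [{"lang": "eng", "value": "old text"}]},
    "x_vendor_signatures": [{"engine": "example-ids", "rule": "sid:1"}],
}
INTERNAL = {
    "data_type": "CVE", "data_format": "MITRE", "data_version": "4.0",
    "CVE_data_meta": {"ID": "CVE-0000-0000", "ASSIGNER": "cna@example.com"},
    "description": {"description_data": [{"lang": "eng", "value": "new text"}]},
}

if __name__ == "__main__":
    print(regenerate(PUBLISHED, INTERNAL))
```

A consumer that does not understand an extension can call `split_entry` and work only with the first element of the result.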


Page Last Updated or Reviewed: February 07, 2018