
Re: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's Participation



What about Fedora? CentOS? Trust me when I say, we don't want the CNA UUID, e.g. other Linux vendors that are not CNAs (like well CentOS and Fedora =). 

Also things like RPMForge, RPMFusion, etc, etc. 

On Fri, Mar 2, 2018 at 3:24 PM, Chandan Nandakumaraiah <cbn@juniper.net> wrote:
On 3/1/18 6:33 AM, Kurt Seifried wrote:
>
> Can I suggest instead of name we consider using the alias field? We
> would simply identify the namespaces, e.g. "RedHat-RHSA" (because we
> might want to also alias package names using e.g. "RedHat-RPMS")

You are kludging "type" and a "namespace" in "RedHat-RHSA"

I would suggest encoding "RedHat-RHSA" as:

        namespace: CNA-< Redhat's UUID >
        type: ['advisory']
        value: 'RHSA-2018:0380'
        url: 'https://access.redhat.com/errata/RHSA-2018:0380'

Encode "RedHat-RPMS" as :

        namespace: CNA-< Redhat's UUID >
        type: ['solution']
        value: 'ansible-2.4.3.0-1.el7ae.src.rpm'
        url: "https://downloads...."

Encode "RedHat-Bugzilla" as :

        namespace: CNA-< Redhat's UUID >
        type: ['defect']
        value: '1253012'
        url: 'https://bugzilla.redhat.com/show_bug.cgi?id=1253012'

Encode "RedHat-CVRF" as

        namespace: CNA-< Redhat's UUID >
        type: ['cvrf']
        value: 'cvrf-rhsa-2018-0002.xml'
        url: 'https://www.redhat.com/security/data/cvrf/2018/cvrf-rhsa-2018-0002.xml'

Is this more extensible and scalable?
If a CVE consumer wants to automate fetching CVRFs or RPMs for a set of
CNAs they are interested in, this allows it.
They do not have to hardcode "RedHat-CVRF" into their scripting.

Thanks,
-Chandan

--
Security Incident Response Team
Juniper Networks



--

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com
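The namespace/type/value/url encoding from Chandan's message, modelled as a small Python module. This is an added example and not code from the thread, from Red Hat, Juniper or the CVE Automation WG. The CNA UUIDs, the Juniper record and the RPM download URL (which the message elides as "...") are constructed placeholders; the four Red Hat identifiers are the ones quoted in the message. The validation step rejects any namespace that is not CNA-based, which is exactly the case Kurt raises for Fedora, CentOS and the third-party RPM repositories: they have no CNA UUID, so the encoding as proposed has no way to represent them.

```python
"""Model of the namespace/type/value/url reference encoding discussed above.
Added example; not code from the thread or from the CVE Automation WG."""
from dataclasses import dataclass
from typing import Iterable, List, Mapping, Sequence
from urllib.parse import urlsplit

# Constructed placeholder UUIDs: the message writes "< Redhat's UUID >" and
# gives no value, and no Juniper UUID appears in the thread.
REDHAT_CNA = "CNA-00000000-0000-4000-8000-0000000000aa"
JUNIPER_CNA = "CNA-00000000-0000-4000-8000-0000000000bb"

# The four reference types used in the message.
KNOWN_TYPES = {"advisory", "solution", "defect", "cvrf"}


@dataclass(frozen=True)
class Reference:
    namespace: str        # issuing CNA, encoded as "CNA-<uuid>"
    types: Sequence[str]  # kind(s) of artifact, e.g. ("advisory",)
    value: str            # the identifier within that namespace
    url: str              # where the artifact can be fetched


def parse_reference(record: Mapping[str, object]) -> Reference:
    """Validate one raw record (e.g. decoded from JSON) into a Reference.

    A consumer that fetches artifacts automatically should check the record
    before fetching: CNA-based namespace, known non-empty type list, non-empty
    value, and an https URL.  Anything else is rejected with ValueError.
    """
    ns = record.get("namespace")
    if not isinstance(ns, str) or not ns.startswith("CNA-"):
        raise ValueError(f"namespace must be CNA-<uuid>, got {ns!r}")
    types = record.get("type")
    if not isinstance(types, list) or not types:
        raise ValueError("type must be a non-empty list")
    unknown = set(types) - KNOWN_TYPES
    if unknown:
        raise ValueError(f"unknown reference type(s): {sorted(unknown)}")
    value = record.get("value")
    if not isinstance(value, str) or not value:
        raise ValueError("value must be a non-empty string")
    url = record.get("url")
    if not isinstance(url, str) or urlsplit(url).scheme != "https":
        raise ValueError(f"url must be https, got {url!r}")
    return Reference(ns, tuple(types), value, url)


def is_valid_reference(record: Mapping[str, object]) -> bool:
    """True if parse_reference accepts the record, False otherwise."""
    try:
        parse_reference(record)
        return True
    except ValueError:
        return False


# Raw records mirroring the four encodings in the message, plus one
# constructed Juniper record so the cross-CNA query has something to select.
# The RPM URL and the Juniper values are placeholders.
RAW_RECORDS = [
    {"namespace": REDHAT_CNA, "type": ["advisory"],
     "value": "RHSA-2018:0380",
     "url": "https://access.redhat.com/errata/RHSA-2018:0380"},
    {"namespace": REDHAT_CNA, "type": ["solution"],
     "value": "ansible-2.4.3.0-1.el7ae.src.rpm",
     "url": "https://downloads.example/PLACEHOLDER/ansible-2.4.3.0-1.el7ae.src.rpm"},
    {"namespace": REDHAT_CNA, "type": ["defect"],
     "value": "1253012",
     "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1253012"},
    {"namespace": REDHAT_CNA, "type": ["cvrf"],
     "value": "cvrf-rhsa-2018-0002.xml",
     "url": "https://www.redhat.com/security/data/cvrf/2018/cvrf-rhsa-2018-0002.xml"},
    {"namespace": JUNIPER_CNA, "type": ["cvrf"],  # constructed record
     "value": "PLACEHOLDER-juniper-cvrf.xml",
     "url": "https://example.invalid/juniper/PLACEHOLDER-cvrf.xml"},
]


def load_references(records: Iterable[Mapping[str, object]]) -> List[Reference]:
    return [parse_reference(rec) for rec in records]


def select_urls(refs: Iterable[Reference], cnas: Iterable[str],
                wanted_types: Iterable[str]) -> List[str]:
    """URLs of references issued by any CNA in `cnas` whose type list overlaps
    `wanted_types`.  This is the query the message argues for: the consumer
    names CNAs and artifact types, with no "RedHat-CVRF" style alias hardcoded.
    """
    cna_set, type_set = set(cnas), set(wanted_types)
    return sorted(r.url for r in refs
                  if r.namespace in cna_set and type_set & set(r.types))


if __name__ == "__main__":
    for u in select_urls(load_references(RAW_RECORDS),
                         [REDHAT_CNA, JUNIPER_CNA], ["cvrf"]):
        print(u)
```

Running the module prints the two CVRF URLs (Red Hat and the placeholder Juniper one). A record with `namespace: "Fedora"` fails validation, since the proposal only defines CNA-<uuid> namespaces; any extension to cover non-CNA sources would need a second namespace form.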

Page Last Updated or Reviewed: March 13, 2018