[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's Participation

I believe they are not required per se, I asked about this on a board call (e.g. are we supposed to fill them out, or does NVD do this, or what?). My understanding was that we could fill it out, but it's not required.

On Thu, Apr 12, 2018 at 2:16 AM, Mark J Cox <mark@awe.com> wrote:
If "refsource" and "name" are now required fields could you update the
schema to ensure they are present.

Cheers, Mark

On Thu, Apr 5, 2018 at 3:23 PM, Theall, George A <gtheall@mitre.org> wrote:
> To let everyone know, we implemented the change and updated the JSON in the cvelist Git repo a short while ago.
>
> -----Original Message-----
> From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Theall, George A
> Sent: Friday, March 30, 2018 12:09 PM
> To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
> Cc: cve-board-auto-list <cve-board-auto-list@lists.mitre.org>
> Subject: RE: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's Participation
>
> After further discussion, we have minor changes to the original proposal -- instead of "source", an attribute named "refsource" will be used for the reference source, and the "name" attribute will be populated for all sources, even "CONFIRM" and "MISC".
>
> Attached is an example of the JSON for CVE-2017-5753 using the modified proposal.
>
> If there are concerns from members of the Board, please let us know and we will discuss in the call next Wednesday. Absent any sustained objections, we are looking to put the changes into effect next Thursday.
>
> George
>
> -----Original Message-----
> From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Theall, George A
> Sent: Thursday, March 01, 2018 7:51 AM
> To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
> Cc: cve-board-auto-list <cve-board-auto-list@lists.mitre.org>
> Subject: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's Participation
>
> To support NVD's participation in the git pilot, MITRE proposes to add one or two attributes to reference objects in the CVE JSON files in the cvelist repo, which will allow NIST to regenerate the CVE List from the repo rather than having to rely on an older download file (allitems.xml). Specifically, we propose to add the following attributes :
>
>
>
> - "source", which represents the source of the reference. It will have one of the values listed at https://cve.mitre.org/data/refs/#sources; eg, "CERT-VN", "CISCO", "CONFIRM", "REDHAT", etc.
>
>
>
> - "name", which is a string that helps identify the reference among others in the same source; eg, "VU#584653" (for CERT-CC), "20180104 CPU Side-Channel Information Disclosure Vulnerabilities" (for "CISCO") "RHSA-2018:0292" (for "REDHAT"), etc. Note that, while MITRE uses the reference URL as the name for the "CONFIRM" and "MISC" sources in the CVE List, we plan to omit this attribute for those two sources.
>
>
>
> If there are objections from anyone on the Board list, please let us know and we will discuss in the next call. Otherwise, we will proceed with the change and implement early next week
>
>
>
>
>
> George
>
> --
>
> gtheall@mitre.org
>
> The MITRE Corporation
>
>



--

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com
Page Last Updated or Reviewed: April 12, 2018