
RE: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's Participation



Mark,

Those attributes are optional - CNAs can elect to include them when 
they send us JSON.  MITRE will, though, include them when we sync the 
CVE List with the files in the repo.

I have created a pull request -- 
https://github.com/CVEProject/automation-working-group/pull/69 -- to 
add support for them in the schema for PUBLIC ids and invite someone 
else (eg, Kurt, Chris) to review and accept if they approve.

George

-----Original Message-----
From: markcox@gmail.com [mailto:markcox@gmail.com] On Behalf Of Mark J 
Cox
Sent: Thursday, April 12, 2018 4:17 AM
To: Theall, George A <gtheall@mitre.org>
Cc: cve-editorial-board-list 
<cve-editorial-board-list@lists.mitre.org>; cve-board-auto-list 
<cve-board-auto-list@lists.mitre.org>
Subject: Re: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's 
Participation

If "refsource" and "name" are now required fields could you update the 
schema to ensure they are present.

Cheers, Mark

On Thu, Apr 5, 2018 at 3:23 PM, Theall, George A <gtheall@mitre.org> 
wrote:
> To let everyone know, we implemented the change and updated the JSON 
> in the cvelist Git repo a short while ago.
>
> -----Original Message-----
> From: owner-cve-editorial-board-list@lists.mitre.org 
> [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of 
> Theall, George A
> Sent: Friday, March 30, 2018 12:09 PM
> To: cve-editorial-board-list 
> <cve-editorial-board-list@lists.mitre.org>
> Cc: cve-board-auto-list <cve-board-auto-list@lists.mitre.org>
> Subject: RE: Notice of Pilot Activity in CVE Auto WG - Supporting 
> NVD's Participation
>
> After further discussion, we have minor changes to the original 
> proposal -- instead of "source", an attribute named "refsource" will 
> be used for the reference source, and the "name" attribute will be 
> populated for all sources, even "CONFIRM" and "MISC".
>
> Attached is an example of the JSON for CVE-2017-5753 using the 
> modified proposal.
>
> If there are concerns from members of the Board, please let us know 
> and we will discuss in the call next Wednesday. Absent any sustained 
> objections, we are looking to put the changes into effect next 
> Thursday.
>
> George
>
> -----Original Message-----
> From: owner-cve-editorial-board-list@lists.mitre.org 
> [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of 
> Theall, George A
> Sent: Thursday, March 01, 2018 7:51 AM
> To: cve-editorial-board-list 
> <cve-editorial-board-list@lists.mitre.org>
> Cc: cve-board-auto-list <cve-board-auto-list@lists.mitre.org>
> Subject: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's 
> Participation
>
> To support NVD's participation in the git pilot, MITRE proposes to 
> add one or two attributes to reference objects in the CVE JSON files 
> in the cvelist repo, which will allow NIST to regenerate the CVE List 
> from the repo rather than having to rely on an older download file 
> (allitems.xml). Specifically, we propose to add the following 
> attributes:
>
>
>
> - "source", which represents the source of the reference. It will 
> have one of the values listed at 
> https://cve.mitre.org/data/refs/#sources; eg, "CERT-VN", "CISCO", 
> "CONFIRM", "REDHAT", etc.
>
>
>
> - "name", which is a string that helps identify the reference among 
> others in the same source; eg, "VU#584653" (for CERT-CC), "20180104 
> CPU Side-Channel Information Disclosure Vulnerabilities" (for 
> "CISCO"), "RHSA-2018:0292" (for "REDHAT"), etc. Note that, while MITRE 
> uses the reference URL as the name for the "CONFIRM" and "MISC" 
> sources in the CVE List, we plan to omit this attribute for those two 
> sources.
>
>
>
> If there are objections from anyone on the Board list, please let us 
> know and we will discuss in the next call. Otherwise, we will proceed 
> with the change and implement early next week.
>
>
>
>
>
> George
>
> --
>
> gtheall@mitre.org
>
> The MITRE Corporation
>
>
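
Added example (not part of the thread, and not MITRE's or the CVE Project's code): a Python check that a consumer of the cvelist repo could run to see which reference objects carry the "refsource" and "name" attributes discussed above, since the schema treats them as optional. It assumes references sit under `references.reference_data` with a `url` key; the sample record and its example.invalid URLs are constructed.

```python
import json

# Constructed sample record; names echo the thread, URLs are placeholders.
SAMPLE = json.loads("""
{
  "CVE_data_meta": {"ID": "CVE-2017-5753"},
  "references": {"reference_data": [
    {"url": "https://example.invalid/rhsa", "refsource": "REDHAT",
     "name": "RHSA-2018:0292"},
    {"url": "https://example.invalid/advisory", "refsource": "CONFIRM"},
    {"url": "https://example.invalid/blog", "refsource": "MISC",
     "name": "https://example.invalid/blog"},
    {"url": "https://example.invalid/cisco", "source": "CISCO",
     "name": "20180104 CPU Side-Channel Information Disclosure Vulnerabilities"}
  ]}
}
""")

# Sources for which the thread says MITRE uses the reference URL as the name.
URL_NAMED = ("CONFIRM", "MISC")


def present(ref, attr):
    """True when attr is a non-empty string on the reference object."""
    value = ref.get(attr)
    return isinstance(value, str) and value.strip() != ""


def audit_references(record):
    """Return (index, problem) pairs for references lacking either attribute."""
    findings = []
    refs = record.get("references", {}).get("reference_data", [])
    for i, ref in enumerate(refs):
        if not present(ref, "refsource"):
            # The first proposal called the attribute "source"; flag leftovers.
            if present(ref, "source"):
                findings.append((i, "uses 'source'; attribute is 'refsource'"))
            else:
                findings.append((i, "missing refsource"))
        if not present(ref, "name"):
            if ref.get("refsource") in URL_NAMED and present(ref, "url"):
                findings.append((i, "missing name; url serves as name"))
            else:
                findings.append((i, "missing name"))
    return findings


if __name__ == "__main__":
    for index, problem in audit_references(SAMPLE):
        print(f"reference[{index}]: {problem}")
```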


Page Last Updated or Reviewed: April 13, 2018