[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CNA Rules Announcement

To be clear I'm quite happy to adopt a better standard than anything I can probably think of, but sadly I haven't seen this yet (e.g. CVRF lacks CVSSv3 and can't easily be extended, what if someone wants to put an AV sig or snort sig or whatever into the data?). 

On Wed, Oct 12, 2016 at 7:19 AM, Art Manion <amanion@cert.org> wrote:
On 2016-10-12 01:43, Chandan Nandakumaraiah wrote:

>> https://github.com/distributedweaknessfiling/DWF-Database-Artifacts/blob/master/JSON-file-format.md
> I did suggest that this should be considered by the OASIS TC.
>> The protocol is JSON based and can contain typical JSON types, and text,
>> and point to other files in certain areas (e.g. the artifacts). Long
>> term I want to find a better way to attach/embed data (such as the SWID
>> in AFFECTS thing).

Let me take this chance to say:  No hand-jamming JSON or XML. Need tool
support.  I tried two DWF JSON formats by hand (_javascript_ editor in
browser) and it was horrible.  YAML maybe?

It would be great to see the following efforts aligned, or at least

CVRF v.new
CVE minimum viable request
Red Hat/OpenSSL XML
NIST/NVD ontology
VRDX vxref (only used for references, not a full vulnerability record)
and probably something else I'm forgetting

Minimum viable product and actual use cases.

 - Art


Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

Page Last Updated or Reviewed: October 14, 2016