
RE: DWV JSON format Version 2.0 (breaks some compat with Version 1.x)



Not to plug this, but the document I recently put out for public 
comment has some ideas on how to go about it:
http://csrc.nist.gov/publications/PubsDrafts.html#NIST-IR-8138

From: owner-cve-editorial-board-list@lists.mitre.org 
[mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of 
Millar, Thomas
Sent: Wednesday, October 19, 2016 6:07 PM
To: Kurt Seifried <kseifried@redhat.com>; cve-editorial-board-list 
<cve-editorial-board-list@lists.mitre.org>
Subject: RE: DWV JSON format Version 2.0 (breaks some compat with 
Version 1.x)

In this case we mean impact of the vulnerability being exploited, 
right? I have no knowledge of a good taxonomy for



Tom Millar, US-CERT

Sent from +1-202-631-1915
https://www.us-cert.gov

________________________________
From: 
owner-cve-editorial-board-list@lists.mitre.org<mailto:owner-cve-editorial-board-list@lists.mitre.org>
 on behalf of Kurt Seifried
Sent: Wednesday, October 19, 2016 8:41:42 PM
To: cve-editorial-board-list
Subject: Re: DWV JSON format Version 2.0 (breaks some compat with 
Version 1.x)
The corrected one with SOURCES as well. One thing MITRE asks for is 
IMPACT; I didn't add that yet because, as far as I know, there's no 
standard for it (à la CWE/OWASP), so if anyone knows of a good IMPACT 
taxonomy (even a list of keywords) that would be useful. Otherwise I'll 
just make it a text field, I guess; it'll be an additive change anyway, 
so it won't break backwards compatibility, and 2.1 or whatever can have it.

{
  "VERSION": "2.0",
  "UPDATED": "DATE-TIMESTAMP",
  "SERIAL": "INT",
  "NOTES": {
    "eng": "Text data here",
    "ger": "Textdaten hier",
    "jpn": "ここにテキストデータ"
  },
  "DWF": {
    "VERSION": "2.0",
    "CVE_ID": "CVE-YEAR-NNNNNNN",
    "PROBLEM_TYPE": {
      "CWE": "X",
      "OWASP": "X",
      "DESCRIPTION": {
        "eng": "String description of issue",
        "ger": "String Beschreibung des Problems",
        "jpn": "問題の説明文字列"
      }
    },
    "CVSSv2": {
      "VERSION": "2.0",
      "BM": {
        "AV": "X",
        "AC": "X",
        "AU": "X",
        "C": "X",
        "I": "X",
        "A": "X",
        "SCORE": "N.N",
        "NOTES": "string"
      },
      "TM": {
        "E": "X",
        "RL": "X",
        "RC": "X",
        "SCORE": "N.N",
        "NOTES": "string"
      },
      "EM": {
        "CDP": "X",
        "TD": "X",
        "CR": "X",
        "IR": "X",
        "AR": "X",
        "SCORE": "N.N",
        "NOTES": "string"
      },
      "NOTES": "string"
    },
    "CVSSv3": {
      "VERSION": "2.0",
      "BM": {
        "AV": "X",
        "AC": "X",
        "PR": "X",
        "UI": "X",
        "S": "X",
        "C": "X",
        "I": "X",
        "A": "X",
        "SCORE": "N.N",
        "NOTES": "string"
      },
      "TM": {
        "E": "X",
        "RL": "X",
        "RC": "X",
        "SCORE": "N.N",
        "NOTES": "string"
      },
      "EM": {
        "CR": "X",
        "IR": "X",
        "AR": "X",
        "MAV": "X",
        "MAC": "X",
        "MPR": "X",
        "MUI": "X",
        "MS": "X",
        "MC": "X",
        "MI": "X",
        "MA": "X",
        "SCORE": "N.N",
        "NOTES": "string"
      }
    },
    "AFFECTS": [
      {
        "VENDOR": "string",
        "PRODUCT": "string",
        "VERSION": "string",
        "CPE": "cpe_string",
        "SWID": "swid_string (XML data; any line breaks must be escaped as \\n, since raw newlines are not valid inside a JSON string)",
        "AFFECTED": [
          "1.0",
          "2.0.6"
        ],
        "FIXEDIN": [
          "1.3",
          "2.0.7"
        ],
        "NOTES": {
          "eng": "Text data here",
          "ger": "Textdaten hier",
          "jpn": "ここにテキストデータ"
        }
      }
    ],
    "DESCRIPTION": {
      "eng": "String description of issue",
      "ger": "String Beschreibung des Problems",
      "jpn": "問題の説明文字列"
    },
    "REFERENCES": [
      {
        "VERSION": "2.0",
        "NAME": "name of source (can be URL)",
        "DESCRIPTION": {
          "eng": "String description of issue",
          "ger": "String Beschreibung des Problems",
          "jpn": "問題の説明文字列"
        },
        "TYPE": "WWW/PDF/TEXT/EMAIL/etc.",
        "FILES": [
          {
            "URL": "URL to source",
            "IMPORTTIME": "DATE-TIMESTAMP",
            "LOCALNAME": "local filename",
            "FORMAT": "string",
            "NOTES": "string"
          }
        ]
      }
    ],
    "EXPLOITATION": {
      "eng": "Text data here",
      "ger": "Textdaten hier",
      "jpn": "ここにテキストデータ"
    },
    "WORKAROUND": {
      "eng": "Text data here",
      "ger": "Textdaten hier",
      "jpn": "ここにテキストデータ"
    },
    "CREDITS": [
      {
        "VERSION": "2.0",
        "ID": {
          "type_of_id_string": "string"
        },
        "ROLE": [
          "role_name_string"
        ],
        "NOTES": {
          "eng": "Text data here",
          "ger": "Textdaten hier",
          "jpn": "ここにテキストデータ"
        }
      }
    ],
    "TIMELINE": [
      {
        "VERSION": "2.0",
        "TIMESTAMP": "DATE-TIMESTAMP",
        "SOURCE": {
          "type_of_id_string": "string"
        },
        "TEXT": {
          "eng": "Text data here",
          "ger": "Textdaten hier",
          "jpn": "ここにテキストデータ"
        },
        "NOTES": {
          "eng": "Text data here",
          "ger": "Textdaten hier",
          "jpn": "ここにテキストデータ"
        }
      }
    ],
    "SOURCE": {
      "DISCOVERED_BY": "X",
      "DISCOVERED_WITH": "X",
      "VERIFICATION": "X",
      "CNA_CHAIN": [
        "initial CNA",
        "parent CNA",
        "root CNA"
      ]
    },
    "NOTES": {
      "eng": "Text data here",
      "ger": "Textdaten hier",
      "jpn": "ここにテキストデータ"
    }
  },
  "COMMUNITY": {
    "VERSION": "2.0"
  },
  "EXPERIMENTAL": {
    "VERSION": "2.0"
  },
  "VENDOR": {
    "VERSION": "2.0",
    "Example Vendor Name": {
      "VERSION": "2.0",
      "PROBLEM_TYPE": "same as in DWF section",
      "CVSSv2": "same as in DWF section",
      "CVSSv3": "same as in DWF section",
      "AFFECTS": "same as in DWF section",
      "DESCRIPTION": "same as in DWF section",
      "REFERENCES": "same as in DWF section",
      "EXPLOITATION": "same as in DWF section",
      "WORKAROUND": "same as in DWF section",
      "CREDITS": "same as in DWF section",
      "TIMELINE": "same as in DWF section",
      "NOTES": "same as in DWF section",
      "Example Product Name": {
        "VERSION": "2.0",
        "PROBLEM_TYPE": "same as in DWF section",
        "CVSSv2": "same as in DWF section",
        "CVSSv3": "same as in DWF section",
        "AFFECTS": "same as in DWF section",
        "DESCRIPTION": "same as in DWF section",
        "REFERENCES": "same as in DWF section",
        "EXPLOITATION": "same as in DWF section",
        "WORKAROUND": "same as in DWF section",
        "CREDITS": "same as in DWF section",
        "TIMELINE": "same as in DWF section",
        "NOTES": "same as in DWF section"
      }
    }
  }
}

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: 
secalert@redhat.com<mailto:secalert@redhat.com>
