
Re: CVE-CNA JSON Format Proposal



Well in theory I would say yes to both because:

the source is created automatically, e.g. each CNA in the chain applies their source.

As for assigner, in the DWF world we're using signed git commits and/or signed JSON files (so you can create a JSON file and sit on it for embargoed situations and then submit it for automated processing), so it MUST be signed by someone who is a valid CVE mentor (because we need proof of where it came from), so again that data is automatically harvested/added to the entry (once we get automation).

On Wed, Mar 22, 2017 at 1:45 PM, Art Manion <amanion@cert.org> wrote:
On 3/22/17 3:31 PM, Kurt Seifried wrote:
> So the DWF will require the ASSIGNER, and ideally also the
>
> "source":{

Same questions then for source.  Should ASSIGNER and source be required
in the minimum CVE entry?

What I'm really interested in is who assigned the entry (and is likely
responsible if there are issues) and the (best reasonably available)
source public reference.

Maybe what I'm thinking of is a separate or special case of
"references", or that a minimum entry must contain at least one public
source "references" for the vulnerability.

 - Art

> On Wed, Mar 22, 2017 at 12:52 PM, Art Manion <amanion@cert.org
> <mailto:amanion@cert.org>> wrote:
>
>     Should ASSIGNER be required as part of the minimal example?  I'd say
>     yes.
>
>     ASSIGNER is currently an email address, should it be a CNA name?  I'd
>     say maybe, someone would otherwise have to map email addresses to CNAs.
>
>      - Art
>
>
>
>
> --
> Kurt Seifried
> kurt@seifried.org <mailto:kurt@seifried.org>



--
Kurt Seifried
kurt@seifried.org
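An added example, not code from this thread or from the CVE/DWF projects, of the kind of check a minimum-entry rule like the one Art proposes would need: ASSIGNER present and resolvable to a CNA name (instead of a bare e-mail address), plus at least one public source reference. The field names, the e-mail-to-CNA table and the sample entries are assumptions.

```python
import json
from urllib.parse import urlparse

# Constructed e-mail-to-CNA mapping (hypothetical values, not the real CNA list).
CNA_BY_EMAIL = {
    "cve-assign@distributedweaknessfiling.org": "DWF",
    "cert@cert.org": "CERT/CC",
}

# Only web links count as a public source; mailto:, file: etc. do not.
PUBLIC_SCHEMES = {"http", "https"}


def public_references(entry):
    """Return the reference URLs in the entry that are public web links."""
    urls = []
    for ref in entry.get("references", []):
        url = ref.get("url", "") if isinstance(ref, dict) else str(ref)
        parsed = urlparse(url)
        if parsed.scheme in PUBLIC_SCHEMES and parsed.netloc:
            urls.append(url)
    return urls


def assigner_cna(entry):
    """Map the ASSIGNER e-mail address to a CNA name, or None if unknown."""
    return CNA_BY_EMAIL.get(entry.get("ASSIGNER"))


def validate_minimum_entry(entry):
    """Return a list of problems; an empty list means the entry meets the minimum."""
    problems = []
    assigner = entry.get("ASSIGNER")
    if not assigner:
        problems.append("ASSIGNER is required")
    elif assigner_cna(entry) is None:
        problems.append(f"ASSIGNER {assigner!r} does not map to a known CNA")
    if not public_references(entry):
        problems.append("at least one public source reference is required")
    return problems


# Constructed sample entries (placeholder CVE id, not real CVE data).
GOOD_ENTRY = json.loads("""{
  "CVE_ID": "CVE-YYYY-NNNN",
  "ASSIGNER": "cve-assign@distributedweaknessfiling.org",
  "references": [{"url": "https://example.org/advisory/1"}]
}""")
BAD_ENTRY = {"CVE_ID": "CVE-YYYY-NNNN",
             "references": [{"url": "mailto:someone@example.org"}]}
```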

Page Last Updated or Reviewed: March 28, 2017