Re: CVE-CNA JSON Format Proposal

On 3/21/17 9:36 AM, Booth, Harold (Fed) wrote:
The working group is proposing that the format available at
be used as the structured format for CNAs to submit CVE information
effective as soon as this recommendation has been accepted by the

I did a quick parse of the OpenSSL XML data to see how close we are to being able to automatically create the right format. Output for CVE-2017-3731 attached. But is this right or close enough? It's not clear yet if

* ID or CVE_ID (docs have both)
* if version_data is okay when listing all affected versions
* if the unicode encoding of the original utf-8 credit worked out okay
* may need to parse the description to remove the \n's
* how to define the namespace of the impact word (i.e. this is "moderate" by (URL defining what moderate means to this vendor))

Cheers, Mark

Attachment: openssl-CVE-2017-3731.json
Description: application/json

Page Last Updated or Reviewed: March 30, 2017