Re: DWF can go from red to a very dark orange...
Kurt,
On Thu, 20 Apr 2017, Kurt Seifried wrote:
: Progress in our time
:
:
: https://github.com/distributedweaknessfiling/DWF-CVE-2017-1000000/commit/7e1ff65791a766fb74d440ab3110ab1331032e50
As an early advocate of, and now an apparent critic of... =)
Why did DWF break from the prior format?
https://github.com/distributedweaknessfiling/DWF-Database/
We had per-year CSVs with the assignment info. From there we could look at
the artifacts in a separate repo using the same ID.
Now you are using a new repo and format:
https://github.com/distributedweaknessfiling/DWF-CVE-2017-1000000
Not only do we lose the CSV, we move entirely to JSON format. While that
is of obvious interest to some stakeholders, and has been discussed on
list recently, that isn't necessarily immediately usable to everyone.
Further, the new format means there is no central file or 'registry' to
reference these. Consider what the URL above gives us:
CVE-2017-1000001.json CVE-2017-1000001 3 months ago
CVE-2017-1000357.json ODL CVE's 7 hours ago
CVE-2017-1000358.json ODL CVE's 7 hours ago
CVE-2017-1000359.json ODL CVE's 7 hours ago
CVE-2017-1000360.json ODL CVE's 7 hours ago
CVE-2017-1000361.json ODL CVE's 7 hours ago
So we have to click each link, digest the JSON, and figure out the
assignment? Compare to the previous system where a single CSV gave us a
reference point, vendor, product, dates, type of vuln, and who
discovered... this seems to be a step back in many ways.
After several months of no new DWF assignments, while having a DWF-minted
CNA in the form of an individual, that I have brought up on list because
the Twitters brought it up and caught my attention... One has to wonder if
DWF is losing focus from the original goal.
.b