
Re: CVEs with no REF URL (or a REF URL that is self referential)



On 10/4/17 12:48 PM, Kurt Seifried wrote:
> So currently CVE assignments require a URL.
>
> My proposal is that, simply put, if the CVE itself can contain all the
> needed data why not remove the requirement for the URL. The advantage
> of this is that for embargoed issues we can immediately submit the CVE
> to the database without having to wait for REF URLs to be created. The
> other advantage is that the REF URL can't disappear, the data is
> embedded directly in the CVE entry.
>
> The common case is that in the OpenSource world we often have all the information
> needed for a CVE assignment, specifically in the form of a patch with notes, but
> that patch has not yet been committed, and it may not be a deterministic URL once
> committed (if we knew the URL in advance we would simply put it into the REF
> URL). This is especially true for Linux kernel commits and many other projects
> that use git. Oftentimes as well these entities do not publish a security
> advisory or anything beyond "here's the patch commit with a note"
> (which is sufficient information in almost all cases).
>
> So I think simply put if the rules are changed to include a statement
> such as:
>
> The REF URL may be omitted, or set to reference the CVE itself
> (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-XXXXXX) if the
> description contains sufficient detail to fully explain the CVE (e.g.
> code patch information).

There are certainly benefits to having information included 
locally/directly in a CVE entry.

Concerns:

There isn't currently a way in CVE to do this?  Do I paste the 
patch/diff into the description?  DWF has artifacts.  Might need to 
change CVE records to be able to contain patches/notes.

And, why submit embargoed issues to CVE before the embargo is over?  
Wait until public, and then you also have a git commit URL.


 - Art


Page Last Updated or Reviewed: October 05, 2017