RE: Notice of Pilot Activity in CVE Auto WG - Phase 2 of the Git Pilot
The repo on Github is now live -- https://github.com/CVEProject/cvelist
-- and I encourage members of the Automation Working Group to join us
today for the conference call to discuss the next phase of the pilot.
George
-----Original Message-----
From: Theall, George A
Sent: Monday, October 02, 2017 8:02 PM
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Cc: cve-board-auto-list <cve-board-auto-list@lists.mitre.org>
Subject: Notice of Pilot Activity in CVE Auto WG - Phase 2 of the Git Pilot

The CVE Automation Working Group (AWG) has operated a pilot since May
2017 to explore sharing of CVE data using git. To date, this has
involved use of a private, MITRE-hosted git repository, with
participation limited to members of the AWG. We now propose that, as a
second phase of the pilot, the repository be moved to a public one
hosted on Github.com and that updates be accepted only from members of
the CVE Automation Working Group.

For some time now, CNAs have been supplying information beyond
descriptions and references when populating CVE entries; e.g., affected
products and versions as well as problem types. This additional
information is not currently published in the CVE List on
https://cve.mitre.org/ but is included in the CVE JSON files in the
repository. We see great benefit in making that information public and
hope that doing so will spur development of tooling and services to
work with these files. We also see great benefit in making public the
change history that git natively provides as doing so will increase
situational awareness and provide transparency.

We consider this second phase a short, transitional one, supporting
migration to a new platform. Our goals during this phase are to:
- Verify that Github.com can be used to submit assignment information
to the primary CNA by means of pull requests.
- Experiment with automation by setting up a process to validate JSON
files in submissions against the minimal CVE schema.

Unless there are sustained objections from the Board, we will start the
second phase of the pilot on Wednesday, October 11th and let it run for
one month. Afterwards, we hope to give access to all CNAs and explore
other forms of automation in subsequent phases.
George
--
gtheall@mitre.org
The MITRE Corporation