
RE: Notice of Pilot Activity in CVE Auto WG - Phase 2 of the Git Pilot

The repo on GitHub is now live -- https://github.com/CVEProject/cvelist 
-- and I encourage members of the Automation Working Group to join us 
today for the conference call to discuss the next phase of the pilot.


-----Original Message-----
From: Theall, George A 
Sent: Monday, October 02, 2017 8:02 PM
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Cc: cve-board-auto-list <cve-board-auto-list@lists.mitre.org>
Subject: Notice of Pilot Activity in CVE Auto WG - Phase 2 of the Git 

The CVE Automation Working Group (AWG) has operated a pilot since May 
2017 to explore sharing of CVE data using git. To date, this has 
involved use of a private, MITRE-hosted git repository, with 
participation limited to members of the AWG.  We now propose that, as a 
second phase of the pilot, the repository be moved to a public one 
hosted on GitHub.com and that updates be accepted only from members of 
the CVE Automation Working Group. 


For some time now, CNAs have been supplying information beyond 
descriptions and references when populating CVE entries; e.g., affected 
products and versions as well as problem types.  This additional 
information is not currently published in the CVE List on 
https://cve.mitre.org/ but is included in the CVE JSON files in the 
repository.  We see great benefit in making that information public and 
hope that doing so will spur development of tooling and services to 
work with these files. We also see great benefit in making public the 
change history that git natively provides as doing so will increase 
situational awareness and provide transparency.


We consider this second phase a short, transitional one, supporting 
migration to a new platform. Our goals during this phase include: 


- Verify that GitHub.com can be used to submit assignment information 
to the primary CNA by means of pull requests.


- Experiment with automation by setting up a process to validate JSON 
files in submissions against the minimal CVE schema.


Unless there are sustained objections from the Board, we will start the 
second phase of the pilot on Wednesday, October 11th and let it run for 
one month. Afterwards, we hope to give access to all CNAs and explore 
other forms of automation in subsequent phases.






The MITRE Corporation


Page Last Updated or Reviewed: October 16, 2017