
Notice of Pilot Activity in CVE Auto WG - Phase 3 of the Git Pilot

The CVE Automation Working Group (AWG) has operated a pilot since May 2017 to explore sharing of CVE data using git.


The first phase involved use of a private, MITRE-hosted git repository and ran from May through August of this year.  Participation was limited to members of the Automation Group.


The second phase has been a short, transitional one in which activity shifted to a public repo hosted on GitHub.com and a process was established to perform some basic validation of JSON files in pull requests (submissions) against the minimal schema automatically. In the past 6 weeks, there have been over a hundred pull requests, nearly all of which have been accepted.


The Automation Working Group now proposes a third phase of the pilot, to focus on several workflow issues:


1. Extended automatic validation of pull requests.


Note the goal here is to identify areas of concern for further review, either by the submitter or the primary CNA.


  a. Check GPG signatures on commits.

  b. Identify when requests to populate or modify descriptions by a CNA involve ids allocated to a different CNA.

  c. Identify when references are "broken".

  d. Identify if none of the references associated with a CVE id specifically mention that id.


2. Automatic acceptance by policy of pull requests.


  a. Requests from IBM that populate or update descriptions, provided that automatic validation has not identified any areas of concern.

  b. Requests from any pilot participant that solely add references.

  c. Requests from the NVD that add CVSS / CPE information that is separate from what may have been added by the assigning CNA.


3. Handling of updates to a single entry by multiple maintainers.


The goal here is to see if multiple stakeholders can update a single entry; for example, a description update from the assigning CNA, reference additions from other CNAs, and adds of CVSS and CPE information by the NVD. Of particular interest is whether it’s possible to support updates in close proximity to one another, such as might happen with a vulnerability such as Heartbleed.


4. Identification of workflows for addressing issues in entries across participants.


In addition, we would like to see the pilot opened up to all interested root CNAs.


Unless there are sustained objections from the Board (i.e., "silence begets acceptance"), we propose to start the third phase of the pilot after next week's Board call, on Wednesday, December 13th, and let it run through May 2018.
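Items 1b through 1d in the notice describe checks that can run over a submitted JSON file without any network access, producing "areas of concern" for the submitter or primary CNA to review rather than rejecting the pull request outright. The script below is an added example, not code from the AWG pilot, MITRE, or the GitHub repository. It assumes a record shaped like the CVE JSON 4.0 format (`CVE_data_meta` with `ID` and `ASSIGNER`, and `references.reference_data`), reads id ownership from the record's own `ASSIGNER` field rather than from an authoritative id-allocation table, and treats a reference as "broken" only when its URL is not a parseable http(s) URL, since checking that a URL still resolves needs a live fetch. The commit-signature check (item 1a) is not shown; in practice it is `git verify-commit` run on each commit in the pull request. The CNA names, URLs and CVE id in the sample record are constructed placeholders.

```python
"""Static pre-checks for a CVE JSON pull request (added example, not pilot code).

Record layout is assumed to follow the CVE JSON 4.0 shape. Each check returns a
list of (code, message) tuples; an empty list means nothing was flagged.
"""
import re
from urllib.parse import urlparse

CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def check_id_ownership(record, submitting_cna):
    """Item 1b: flag a request whose submitter is not the CNA the id is assigned to.

    Assumption: ownership is read from the record's ASSIGNER field. A table of
    id blocks allocated per CNA would be the more authoritative source.
    """
    meta = record.get("CVE_data_meta", {})
    cve_id = meta.get("ID", "")
    flags = []
    if not CVE_ID_RE.match(cve_id):
        flags.append(("bad-id", f"malformed CVE id {cve_id!r}"))
    assigner = meta.get("ASSIGNER", "")
    if assigner and assigner.lower() != submitting_cna.lower():
        flags.append(("cna-mismatch",
                      f"{cve_id} is assigned to {assigner} but submitted by {submitting_cna}"))
    return flags


def check_references(record):
    """Items 1c and 1d: syntactically broken references, and no reference naming the id.

    Only offline checks are done: a reference counts as broken when its URL has
    no http(s) scheme or no host. Whether the URL still resolves is not tested.
    """
    cve_id = record.get("CVE_data_meta", {}).get("ID", "").lower()
    refs = record.get("references", {}).get("reference_data", [])
    if not refs:
        return [("no-references", f"{cve_id} has no references at all")]
    flags = []
    mentions_id = False
    for ref in refs:
        url = ref.get("url", "")
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            flags.append(("broken-reference", f"not a usable http(s) URL: {url!r}"))
        # The id may appear in the URL itself or in the free-text reference name.
        if cve_id and cve_id in f"{url} {ref.get('name', '')}".lower():
            mentions_id = True
    if cve_id and not mentions_id:
        flags.append(("id-not-mentioned",
                      f"none of the {len(refs)} references mention {cve_id.upper()}"))
    return flags


def areas_of_concern(record, submitting_cna):
    """Run all offline checks for one record submitted by one CNA."""
    return check_id_ownership(record, submitting_cna) + check_references(record)


# Constructed sample record: placeholder id, CNA name and URLs, not real data.
SAMPLE_RECORD = {
    "CVE_data_meta": {"ID": "CVE-2017-0000", "ASSIGNER": "cna-a@example.org"},
    "description": {"description_data": [{"lang": "eng", "value": "placeholder"}]},
    "references": {"reference_data": [
        {"name": "vendor advisory", "url": "https://vendor.example/advisories/2017-11"},
        {"name": "bug tracker", "url": "bugs.example/12345"},  # no scheme: flagged as broken
    ]},
}

if __name__ == "__main__":
    for code, message in areas_of_concern(SAMPLE_RECORD, "cna-b@example.org"):
        print(f"{code}: {message}")
```

Run against the sample with a submitter other than the assigner, the script reports a CNA mismatch, one broken reference, and that no reference mentions the id; each of those maps to a review item in the notice rather than to an automatic rejection, which is the distinction item 2a relies on when it makes automatic acceptance conditional on "no areas of concern".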
The MITRE Corporation


Page Last Updated or Reviewed: December 06, 2017