
RE: Notice of Pilot Activity in CVE Auto WG - Phase 3 of the Git Pilot



Kent,

We would like to extend the pilot to all CNAs except sub-CNAs (as they 
need to pass assignment information and updates to the root that 
manages them).

George

-----Original Message-----
From: Landfield, Kent [mailto:Kent_Landfield@McAfee.com] 
Sent: Wednesday, December 06, 2017 4:30 PM
To: Theall, George A <gtheall@mitre.org>; cve-editorial-board-list 
<cve-editorial-board-list@lists.mitre.org>
Subject: Re: Notice of Pilot Activity in CVE Auto WG - Phase 3 of the 
Git Pilot

I have no issues with the proposal but would like to understand the 
term “root CNA”.  Are you talking about all CNAs today or just the DWF 
and JPCERT/CC?


Thank you, Gracias, Grazie,  谢谢, Merci!, Спасибо!, Danke!, ありがとう, 
धन्यवाद!


-- 

Kent Landfield

+1.817.637.8026

kent_landfield@mcafee.com


From: <owner-cve-editorial-board-list@lists.mitre.org> on behalf of 
"Theall, George A" <gtheall@mitre.org>
Date: Wednesday, December 6, 2017 at 3:16 PM
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Notice of Pilot Activity in CVE Auto WG - Phase 3 of the Git 
Pilot


The CVE Automation Working Group (AWG) has operated a pilot since May 
2017 to explore sharing of CVE data using git. 


The first phase involved use of a private, MITRE-hosted git repository 
and ran from May through August of this year.  Participation was 
limited to members of the Automation Group.


The second phase has been a short, transitional one in which activity 
shifted to a public repo hosted on Github.com and a process was 
established to perform some basic validation of JSON files in pull 
requests (submissions) against the minimal schema automatically. In the 
past 6 weeks, there have been over a hundred pull requests, nearly all 
of which have been accepted.


The Automation Working Group now proposes a third phase of the pilot, 
to focus on several workflow issues:


1. Extended automatic validation of pull requests.


Note the goal here is to identify areas of concern for further review, 
either by the submitter or the primary CNA.


  a. Check GPG signatures on commits.

  b. Identify when requests to populate or modify descriptions by a CNA 
involve ids allocated to a different CNA.

  c. Identify when references are "broken".

  d. Identify if none of the references associated with a CVE id 
specifically mention that id.


2. Automatic acceptance by policy of pull requests.


  a. Requests from IBM that populate or update descriptions provided 
automatic validation has not identified any areas of concern.

  b. Requests from any pilot participant that solely add references.

  c. Requests from the NVD that add CVSS / CPE information that is 
separate from what may have been added by the assigning CNA.


3. Handling of updates to a single entry by multiple maintainers.


The goal here is to see if multiple stakeholders can update a single 
entry; for example, a description update from the assigning CNA, 
reference additions from other CNAs, and adds of CVSS and CPE 
information by the NVD. Of particular interest is whether it’s possible 
to support updates in close proximity to one another, such as might 
happen with a vulnerability such as Heartbleed.


4. Identification of workflows for addressing issues in entries across 
participants. 


In addition, we would like to see the pilot opened up to all interested 
root CNAs.


Unless there are sustained objections from the Board (i.e., "silence 
begets acceptance"), we propose to start the third phase of the pilot 
after next week’s Board call, on Wednesday, December 13th, and let it 
run through May 2018.


George

--

gtheall@mitre.org

The MITRE Corporation
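To make the proposal's item 1 concrete, here is an added example (not the pilot's own validator and not part of the thread) of the kind of pre-review check the automation could run over a pull request for checks (b) and (d); it assumes entries use the CVE JSON 4.0 layout (CVE_data_meta.ID / ASSIGNER, references.reference_data[].url) and that the submitting CNA is known from the repo's participant list. Check (c), broken references, needs network access and is left out.

```python
# Constructed pull request: three CVE JSON entries as a pilot CNA might
# submit them. Ids, assigner addresses and URLs are made-up sample values.
SAMPLE_PR = {
    "submitter": "cna-alpha@example.com",
    "entries": [
        {   # clean: submitter owns the id and a reference cites it
            "description_changed": True,
            "CVE_data_meta": {"ID": "CVE-2017-99001", "ASSIGNER": "cna-alpha@example.com"},
            "references": {"reference_data": [
                {"url": "https://advisories.example.com/CVE-2017-99001"}]},
        },
        {   # (b): description edit on an id allocated to another CNA
            "description_changed": True,
            "CVE_data_meta": {"ID": "CVE-2017-99002", "ASSIGNER": "cna-beta@example.com"},
            "references": {"reference_data": [
                {"url": "https://example.com/bugs/4242", "name": "CVE-2017-99002 fix"}]},
        },
        {   # (d): references exist but none of them mention the id
            "description_changed": False,
            "CVE_data_meta": {"ID": "CVE-2017-99003", "ASSIGNER": "cna-alpha@example.com"},
            "references": {"reference_data": [{"url": "https://example.com/changelog"}]},
        },
    ],
}

def check_entry(entry, submitter):
    """Return the list of concerns for one entry (empty list = nothing to flag)."""
    meta = entry["CVE_data_meta"]
    cve_id = meta["ID"].upper()
    concerns = []
    # (b) description populated/modified for an id allocated to a different CNA
    if entry.get("description_changed") and submitter.lower() != meta["ASSIGNER"].lower():
        concerns.append(f"{cve_id}: description changed by {submitter}, id assigned to {meta['ASSIGNER']}")
    # (d) no reference specifically mentions the id (checked in url and name)
    refs = entry.get("references", {}).get("reference_data", [])
    if not any(cve_id in (r.get("url", "") + " " + r.get("name", "")).upper() for r in refs):
        concerns.append(f"{cve_id}: none of {len(refs)} references mention the id")
    return concerns

def check_pull_request(pr):
    """Map CVE id -> concerns for every entry that needs human review."""
    flagged = {}
    for entry in pr["entries"]:
        concerns = check_entry(entry, pr["submitter"])
        if concerns:
            flagged[entry["CVE_data_meta"]["ID"]] = concerns
    return flagged

if __name__ == "__main__":
    for cve_id, concerns in check_pull_request(SAMPLE_PR).items():
        print(cve_id, *concerns, sep="\n  ")
```

An empty result is what an "automatic acceptance by policy" rule (item 2a) would gate on; anything flagged goes to the submitter or primary CNA for review.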



Page Last Updated or Reviewed: December 07, 2017