RE: Notice of Pilot Activity in CVE Auto WG - Phase 3 of the Git Pilot
Kent,
We would like to extend the pilot to all CNAs except sub-CNAs (as they
need to pass assignment information and updates to the root that
manages them).
George
-----Original Message-----
From: Landfield, Kent [mailto:Kent_Landfield@McAfee.com]
Sent: Wednesday, December 06, 2017 4:30 PM
To: Theall, George A <gtheall@mitre.org>; cve-editorial-board-list
<cve-editorial-board-list@lists.mitre.org>
Subject: Re: Notice of Pilot Activity in CVE Auto WG - Phase 3 of the
Git Pilot
I have no issues with the proposal but would like to understand the
term “root CNA”. Are you talking about all CNAs today or just the DWF
and JPCERT/CC?
Thank you, Gracias, Grazie, 谢谢, Merci!, Спасибо!, Danke!, ありがとう,
धन्यवाद!
--
Kent Landfield
+1.817.637.8026
kent_landfield@mcafee.com
From: <owner-cve-editorial-board-list@lists.mitre.org> on behalf of
"Theall, George A" <gtheall@mitre.org>
Date: Wednesday, December 6, 2017 at 3:16 PM
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Notice of Pilot Activity in CVE Auto WG - Phase 3 of the Git
Pilot
The CVE Automation Working Group (AWG) has operated a pilot since May
2017 to explore sharing of CVE data using git.
The first phase involved use of a private, MITRE-hosted git repository
and ran from May through August of this year. Participation was
limited to members of the Automation Group.
The second phase has been a short, transitional one in which activity
shifted to a public repo hosted on Github.com and a process was
established to perform some basic validation of JSON files in pull
requests (submissions) against the minimal schema automatically. In the
past 6 weeks, there have been over a hundred pull requests, nearly all
of which have been accepted.
The Automation Working Group now proposes a third phase of the pilot,
to focus on several workflow issues:
1. Extended automatic validation of pull requests.
Note the goal here is to identify areas of concern for further review,
either by the submitter or the primary CNA.
a. Check GPG signatures on commits.
b. Identify when requests to populate or modify descriptions by a CNA
involve ids allocated to a different CNA.
c. Identify when references are "broken".
d. Identify if none of the references associated with a CVE id
specifically mention that id.
2. Automatic acceptance by policy of pull requests.
a. Requests from IBM that populate or update descriptions provided
automatic validation has not identified any areas of concern.
b. Requests from any pilot participant that solely add references.
c. Requests from the NVD that add CVSS / CPE information that is
separate from what may have been added by the assigning CNA.
3. Handling of updates to a single entry by multiple maintainers.
The goal here is to see if multiple stakeholders can update a single
entry; for example, a description update from the assigning CNA,
reference additions from other CNAs, and adds of CVSS and CPE
information by the NVD. Of particular interest is whether it’s possible
to support updates in close proximity to one another, such as might
happen with a vulnerability such as Heartbleed.
4. Identification of workflows for addressing issues in entries across
participants.
In addition, we would like to see the pilot opened up to all interested
root CNAs.
Unless there are sustained objections from the Board (i.e., "silence
begets acceptance"), we propose to start the third phase of the pilot
after next week’s Board call, on Wednesday, December 13th, and let it
run through May 2018.
George
--
gtheall@mitre.org
The MITRE Corporation
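As an added illustration of the automatic validation checks 1b, 1c and 1d proposed above (this is example code, not code from the pilot or the Automation Working Group), the following Python validator flags areas of concern in one CVE JSON record. It assumes the CVE_data_meta / references.reference_data layout; the CNA names, the id-allocation table and the sample record are constructed, and since the snippet runs offline a reference counts as "broken" only when its URL is syntactically unusable rather than unreachable.

```python
import re
from urllib.parse import urlparse

CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def check_record(record, submitting_cna, allocations):
    """Return a list of concerns for one CVE JSON record.

    allocations maps a CVE id to the CNA it was allocated to (hypothetical
    lookup table; a real pilot would derive it from the id ranges handed out).
    """
    concerns = []
    cve_id = record.get("CVE_data_meta", {}).get("ID", "")
    if not CVE_ID_RE.match(cve_id):  # minimal-schema sanity check
        return [f"malformed or missing CVE id {cve_id!r}"]

    # 1b: a description populated/modified by a CNA that does not own the id
    owner = allocations.get(cve_id)
    touches_description = bool(record.get("description", {}).get("description_data"))
    if touches_description and owner is not None and owner != submitting_cna:
        concerns.append(f"{cve_id}: allocated to {owner}, description changed by {submitting_cna}")

    # 1c: "broken" references (offline approximation: unusable URL syntax)
    urls = [r.get("url", "") for r in record.get("references", {}).get("reference_data", [])]
    for url in urls:
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            concerns.append(f"{cve_id}: broken reference {url!r}")

    # 1d: none of the references mentions the id itself
    if urls and not any(cve_id in url for url in urls):
        concerns.append(f"{cve_id}: no reference mentions the id")
    return concerns


# Constructed sample: one well-formed URL that names the id, one broken one.
SAMPLE_RECORD = {
    "CVE_data_meta": {"ID": "CVE-2017-0001", "ASSIGNER": "psirt@example.com"},
    "description": {"description_data": [{"lang": "eng", "value": "constructed text"}]},
    "references": {"reference_data": [
        {"url": "https://example.com/advisories/CVE-2017-0001"},
        {"url": "ftp:/broken"},
    ]},
}
SAMPLE_ALLOCATIONS = {"CVE-2017-0001": "ExampleCNA"}  # constructed

if __name__ == "__main__":
    for concern in check_record(SAMPLE_RECORD, "OtherCNA", SAMPLE_ALLOCATIONS):
        print(concern)
```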