[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's Participation
- To: Kurt Seifried <kseifried@redhat.com>
- Subject: RE: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's Participation
- From: "Theall, George A" <gtheall@mitre.org>
- Date: Fri, 2 Mar 2018 15:20:09 -0500
- Accept-language: en-US
- Authentication-results: spf=none (sender IP is 198.49.146.235) smtp.mailfrom=LISTS.MITRE.ORG; imc.mitre.org; dkim=none (message not signed) header.d=none;imc.mitre.org; dmarc=none action=none header.from=mitre.org;
- Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>, cve-board-auto-list <cve-board-auto-list@lists.mitre.org>
- Delivery-date: Fri Mar 2 15:34:36 2018
- In-reply-to: <CANO=Ty2wSDOkzgnGZVzxvuOohYn+sFUx=UhbxKNPgBr_0Zh9YQ@mail.gmail.com>
- List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
- List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
- List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
- List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
- References: <SN1PR09MB07360F2095982406AE646F42B6C60@SN1PR09MB0736.namprd09.prod.outlook.com> <CANO=Ty2wSDOkzgnGZVzxvuOohYn+sFUx=UhbxKNPgBr_0Zh9YQ@mail.gmail.com>
- Sender: "owner-cve-editorial-board-list@lists.mitre.org" <owner-cve-editorial-board-list@lists.mitre.org>
- Thread-index: AdOxW/wrcf67jZi8SRaj1ItS8Zj/mQADkMaAADukl1A=
- Thread-topic: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's Participation
After private discussions with Kurt, we are amending the proposal to
use an alias for each reference. Each alias will be declared in the
"MITRE-REF" namespace and have as its value the reference as it appears
in the CVE List. For example,
{
{
"alias": {
"alias_data": [
{
"namespace": ["MITRE-REF"],
"value":
"CONFIRM:https://01.org/security/advisories/intel-oss-10002";
}
]
},
},
"url" : "https://01.org/security/advisories/intel-oss-10002";
},
{
{
"alias": {
"alias_data": [
{
"namespace": ["MITRE-REF"],
"value": "CISCO:20180104 CPU Side-Channel
Information Disclosure Vulnerabilities"
}
]
},
},
"url" :
"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180104-cpusidechannel";
},
{
{
"alias": {
"alias_data": [
{
"namespace": ["MITRE-REF"],
"value": "REDHAT:RHSA-2018:0292"
}
]
},
},
"url" : "https://access.redhat.com/errata/RHSA-2018:0292";
},
...
George
-----Original Message-----
From: Kurt Seifried [mailto:kseifried@redhat.com]
Sent: Thursday, March 01, 2018 9:33 AM
To: Theall, George A <gtheall@mitre.org>
Cc: cve-editorial-board-list
<cve-editorial-board-list@lists.mitre.org>; cve-board-auto-list
<cve-board-auto-list@lists.mitre.org>
Subject: Re: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's
Participation
On Thu, Mar 1, 2018 at 5:51 AM, Theall, George A <gtheall@mitre.org
<mailto:gtheall@mitre.org> > wrote:
To support NVD's participation in the git pilot, MITRE proposes
to add one or two attributes to reference objects in the CVE JSON files
in the cvelist repo, which will allow NIST to regenerate the CVE List
from the repo rather than having to rely on an older download file
(allitems.xml). Specifically, we propose to add the following
attributes :
- "source", which represents the source of the reference. It
will have one of the values listed at
https://cve.mitre.org/data/refs/#sources
<https://cve.mitre.org/data/refs/#sources> ; eg, "CERT-VN", "CISCO",
"CONFIRM", "REDHAT", etc.
- "name", which is a string that helps identify the reference
among others in the same source; eg, "VU#584653" (for CERT-CC),
"20180104 CPU Side-Channel Information Disclosure Vulnerabilities" (for
"CISCO") "RHSA-2018:0292" (for "REDHAT"), etc. Note that, while MITRE
uses the reference URL as the name for the "CONFIRM" and "MISC" sources
in the CVE List, we plan to omit this attribute for those two sources.
Can I suggest instead of name we consider using the alias field? We
would simply identify the namespaces, e.g. "RedHat-RHSA" (because we
might want to also alias package names using e.g. "RedHat-RPMS") or
"CERT-CC" and the data would otherwise be identical (e.g. an RHSA #).
If there are objections from anyone on the Board list, please
let us know and we will discuss in the next call. Otherwise, we will
proceed with the change and implement early next week
Not an objection but a suggestion =)
George
--
gtheall@mitre.org <mailto:gtheall@mitre.org>
The MITRE Corporation
--
Kurt Seifried -- Red Hat -- Product Security -- Cloud PGP A90B F995
7350 148F 66BF 7554 160D 4553 5E26 7993 Red Hat Product Security
contact: secalert@redhat.com <mailto:secalert@redhat.com>
- References:
- Notice of Pilot Activity in CVE Auto WG - Supporting NVD's Participation
- From: "Theall, George A" <gtheall@mitre.org>
- Re: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's Participation
- From: Kurt Seifried <kseifried@redhat.com>
- Notice of Pilot Activity in CVE Auto WG - Supporting NVD's Participation
- Prev by Date: CVE Board Meeting Summary - 7 February 2018
- Next by Date: RE: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's Participation
- Previous by thread: Re: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's Participation
- Next by thread: RE: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's Participation
- Index(es):
