
RE: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's Participation



Chandan,

Looking at the discussion of "source" in the draft, I feel it's better 
to use something else for references - most source names are not 
associated with CNAs, and some, such as MISC, MLIST, and CONFIRM, are 
not even associated with a single site.

George

-----Original Message-----
From: Chandan Nandakumaraiah [mailto:cbn@juniper.net] 
Sent: Thursday, March 01, 2018 12:45 PM
To: Theall, George A <gtheall@mitre.org>; cve-editorial-board-list 
<cve-editorial-board-list@lists.mitre.org>
Cc: cve-board-auto-list <cve-board-auto-list@lists.mitre.org>
Subject: Re: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's 
Participation



On 3/1/18 4:51 AM, Theall, George A wrote:

> - "source", which represents the source of the reference. It will 
> have one of the values listed at https://cve.mitre.org/data/refs/#sources
> e.g., "CERT-VN", "CISCO", "CONFIRM", "REDHAT", etc.

"source" is already defined in the JSON v4 as an object, meant to be 
used for such purposes:

https://github.com/CVEProject/automation-working-group/blob/master/cve_json_schema/DRAFT-JSON-file-format-v4.md#source

If there is a CNA ID, use that instead of "REDHAT" or "CISCO". 
Example:

  "references": {
    "reference_data": [
      {
        "name": "RedHat Security Advisory RHSA-2018:0151",
        "url": "https://access.redhat.com/errata/RHSA-2018:0151",
        "source": {
          "CNA_ID": "CNA-72a82740-9249-4699-8803-5c4e4b590ce8"
        }
      }
    ]
  }


> - "name", which is a string that helps identify the reference among 
> others in the same source; e.g., "VU#584653" (for CERT-CC), "20180104 
> CPU Side-Channel Information Disclosure Vulnerabilities" (for 
> "CISCO"), "RHSA-2018:0292" (for "REDHAT"), etc. Note that, while MITRE 
> uses the reference URL as the name for the "CONFIRM" and "MISC" sources 
> in the CVE List, we plan to omit this attribute for those two sources.

This is OK. I remember seeing some CNAs already use this field.

Thanks
-Chandan
--
Security Incident Response Team
Juniper Networks
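As an added illustration (not part of the thread, and not CVE project code), a small checker for the reference_data shape Chandan sketches above: it flags a "source" given as a bare string such as "REDHAT" instead of the v4 object, and a missing URL. The CNA-<uuid> pattern is an assumption modelled on the one CNA_ID value quoted in the thread, not the schema's definition, and the sample document is constructed.

```python
import json
import re

# Assumed CNA_ID shape, modelled on the single value quoted in the thread
# ("CNA-" followed by a UUID); the real schema may allow other forms.
CNA_ID_RE = re.compile(
    r"^CNA-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)

# Constructed sample: entry 0 follows the v4 shape from the thread, entry 1
# uses "source" as a legacy string, entry 2 lacks a URL and has an odd CNA_ID.
SAMPLE = json.loads("""
{ "references": { "reference_data": [
  { "name": "RedHat Security Advisory RHSA-2018:0151",
    "url": "https://access.redhat.com/errata/RHSA-2018:0151",
    "source": { "CNA_ID": "CNA-72a82740-9249-4699-8803-5c4e4b590ce8" } },
  { "name": "RHSA-2018:0292",
    "url": "https://access.redhat.com/errata/RHSA-2018:0292",
    "source": "REDHAT" },
  { "name": "VU#584653", "source": { "CNA_ID": "CERT-VN" } }
] } }
""")


def check_reference(ref):
    """Return a list of problems with one reference_data entry (empty if fine)."""
    problems = []
    url = ref.get("url")
    if not isinstance(url, str) or not url.startswith(("http://", "https://")):
        problems.append("url missing or not http(s)")
    source = ref.get("source")
    if source is None:
        return problems  # no source given; nothing more to check here
    if not isinstance(source, dict):
        # The thread's point: v4 defines "source" as an object, not a string.
        problems.append(f"source should be an object, got {source!r}")
        return problems
    cna_id = source.get("CNA_ID")
    if cna_id is not None and not CNA_ID_RE.match(cna_id):
        problems.append(f"CNA_ID {cna_id!r} does not match the assumed CNA-<uuid> form")
    return problems


def check_references(doc):
    """Map index -> problems for every reference_data entry that has any."""
    entries = doc.get("references", {}).get("reference_data", [])
    return {i: p for i, ref in enumerate(entries) if (p := check_reference(ref))}


if __name__ == "__main__":
    for idx, probs in check_references(SAMPLE).items():
        print(f"reference_data[{idx}]: " + "; ".join(probs))
```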


Page Last Updated or Reviewed: March 30, 2018