
RE: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's Participation



Hi Omar,

Public CVEs can have one or more references. [There must be at least 
one so that CVE is not the first point of disclosure, and we cap the 
maximum number at 500 currently to allow end-users to plan for storage 
if necessary.]

By the way, issue #28 in the AWG's tracker 
(https://github.com/CVEProject/automation-working-group/issues/28) 
might be relevant here. Perhaps we could devise one or more tags 
for machine-readable references.

George

-----Original Message-----
From: Omar Santos (osantos) [mailto:osantos@cisco.com] 
Sent: Friday, March 02, 2018 3:41 PM
To: Theall, George A <gtheall@mitre.org>; Kurt Seifried 
<kseifried@redhat.com>
Cc: cve-editorial-board-list 
<cve-editorial-board-list@lists.mitre.org>; cve-board-auto-list 
<cve-board-auto-list@lists.mitre.org>
Subject: Re: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's 
Participation


Hi George and team,

Sorry that I am a bit late to the party. This makes complete sense and 
I really like the approach.

One minor question. As we evolve to more machine-readable formats and 
exchanges, we may eventually have different "URLs" for content. For 
example, one for the "human-readable advisory", another for an OVAL 
definition, another for CVRF/CSAF document. I assume that the URL is 
not restricted to one entity? (min zero, max: infinity)?

Great work on this!

Regards,

Omar Santos
Cisco PSIRT




________________________________________
From: owner-cve-board-auto-list@lists.mitre.org 
<owner-cve-board-auto-list@lists.mitre.org> on behalf of Theall, George 
A <gtheall@mitre.org>
Sent: Friday, March 2, 2018 3:20 PM
To: Kurt Seifried
Cc: cve-editorial-board-list; cve-board-auto-list
Subject: RE: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's 
Participation

After private discussions with Kurt, we are amending the proposal to 
use an alias for each reference. Each alias will be declared in the 
"MITRE-REF" namespace and have as its value the reference as it appears 
in the CVE List. For example,

         {
            "alias": {
              "alias_data": [
                {
                  "namespace": ["MITRE-REF"],
                  "value": "CONFIRM:https://01.org/security/advisories/intel-oss-10002"
                }
              ]
            },
            "url": "https://01.org/security/advisories/intel-oss-10002"
         },
         {
            "alias": {
              "alias_data": [
                {
                  "namespace": ["MITRE-REF"],
                  "value": "CISCO:20180104 CPU Side-Channel Information Disclosure Vulnerabilities"
                }
              ]
            },
            "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180104-cpusidechannel"
         },
         {
            "alias": {
              "alias_data": [
                {
                  "namespace": ["MITRE-REF"],
                  "value": "REDHAT:RHSA-2018:0292"
                }
              ]
            },
            "url": "https://access.redhat.com/errata/RHSA-2018:0292"
         },
         ...

George
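As an added example (not MITRE's, NVD's or the AWG's own code), the following Python helper builds reference objects in the alias form shown in the message above from CVE List "SOURCE:name" strings, recovers the CVE List string again from the MITRE-REF alias, and applies the 1-to-500 reference bound George gives at the top of the thread. The MITRE-REF namespace, the bound and the CONFIRM/MISC "name is the URL" convention come from the thread; the function names, the sample pairs and the uppercase source-tag pattern are assumptions.

```python
import re

MIN_REFERENCES = 1     # CVE must not be the first point of disclosure
MAX_REFERENCES = 500   # current cap, so end-users can plan for storage
URL_SOURCES = {"CONFIRM", "MISC"}  # sources whose CVE List "name" is the URL itself

# Constructed sample input: (CVE List reference string, reference URL).
SAMPLE_REFS = [
    ("CONFIRM:https://01.org/security/advisories/intel-oss-10002",
     "https://01.org/security/advisories/intel-oss-10002"),
    ("REDHAT:RHSA-2018:0292", "https://access.redhat.com/errata/RHSA-2018:0292"),
]

def parse_ref(ref: str) -> tuple:
    """Split 'SOURCE:name' on the first colon only: names may contain colons
    ('RHSA-2018:0292') and CONFIRM/MISC names are full URLs. Source-tag pattern is assumed."""
    source, sep, name = ref.partition(":")
    if not sep or not name or not re.fullmatch(r"[A-Z][A-Z0-9-]*", source):
        raise ValueError(f"not a CVE List reference: {ref!r}")
    return source, name

def to_alias_ref(ref: str, url: str) -> dict:
    """Reference object in the alias form from the thread; the alias value
    is the reference exactly as it appears in the CVE List."""
    source, name = parse_ref(ref)
    if source in URL_SOURCES and name != url:
        raise ValueError(f"{source} name must equal the URL: {ref!r}")
    return {
        "alias": {"alias_data": [{"namespace": ["MITRE-REF"], "value": ref}]},
        "url": url,
    }

def from_alias_ref(obj: dict) -> tuple:
    """Recover (source, name) from the MITRE-REF alias: this is what lets
    NVD regenerate the CVE List from the repo instead of allitems.xml."""
    for alias in obj["alias"]["alias_data"]:
        if alias["namespace"] == ["MITRE-REF"]:
            return parse_ref(alias["value"])
    raise KeyError("reference carries no MITRE-REF alias")

def check_reference_count(refs: list) -> bool:
    """The 1..500 bound stated in the thread for public CVEs."""
    return MIN_REFERENCES <= len(refs) <= MAX_REFERENCES

def build_reference_data(pairs: list) -> list:
    """Convert every pair and enforce the count bound before emitting."""
    refs = [to_alias_ref(r, u) for r, u in pairs]
    if not check_reference_count(refs):
        raise ValueError(f"expected 1..{MAX_REFERENCES} references, got {len(refs)}")
    return refs
```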

-----Original Message-----
From: Kurt Seifried [mailto:kseifried@redhat.com]
Sent: Thursday, March 01, 2018 9:33 AM
To: Theall, George A <gtheall@mitre.org>
Cc: cve-editorial-board-list 
<cve-editorial-board-list@lists.mitre.org>; cve-board-auto-list 
<cve-board-auto-list@lists.mitre.org>
Subject: Re: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's 
Participation



On Thu, Mar 1, 2018 at 5:51 AM, Theall, George A <gtheall@mitre.org> wrote:


        To support NVD's participation in the git pilot, MITRE proposes 
to add one or two attributes to reference objects in the CVE JSON files 
in the cvelist repo, which will allow NIST to regenerate the CVE List 
from the repo rather than having to rely on an older download file 
(allitems.xml). Specifically, we propose to add the following 
attributes:

        - "source", which represents the source of the reference. It 
will have one of the values listed at 
https://cve.mitre.org/data/refs/#sources; eg, "CERT-VN", "CISCO", 
"CONFIRM", "REDHAT", etc.

        - "name", which is a string that helps identify the reference 
among others in the same source; eg, "VU#584653" (for CERT-CC), 
"20180104 CPU Side-Channel Information Disclosure Vulnerabilities" (for 
"CISCO"), "RHSA-2018:0292" (for "REDHAT"), etc. Note that, while MITRE 
uses the reference URL as the name for the "CONFIRM" and "MISC" sources 
in the CVE List, we plan to omit this attribute for those two sources.



Can I suggest instead of name we consider using the alias field? We 
would simply identify the namespaces, e.g. "RedHat-RHSA" (because we 
might want to also alias package names using e.g. "RedHat-RPMS") or 
"CERT-CC" and the data would otherwise be identical (e.g. an RHSA #).

        If there are objections from anyone on the Board list, please 
let us know and we will discuss in the next call. Otherwise, we will 
proceed with the change and implement early next week.


Not an objection but a suggestion =)

        George

        --

        gtheall@mitre.org

        The MITRE Corporation

--

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com


Page Last Updated or Reviewed: March 05, 2018