
RE: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's Participation



Chandan,

Looking at the discussion of "source" in the draft, I feel it's better
to use something else for references - most source names are not
associated with CNAs, and some, such as MISC, MLIST, and CONFIRM, are
not even associated with a single site.

George

-----Original Message-----
From: Chandan Nandakumaraiah [mailto:cbn@juniper.net]
Sent: Thursday, March 01, 2018 12:45 PM
To: Theall, George A <gtheall@mitre.org>; cve-editorial-board-list
<cve-editorial-board-list@lists.mitre.org>
Cc: cve-board-auto-list <cve-board-auto-list@lists.mitre.org>
Subject: Re: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's
Participation



On 3/1/18 4:51 AM, Theall, George A wrote:

> - "source", which represents the source of the reference. It will
> have
> one of the values listed at https://cve.mitre.org/data/refs/#sources
> eg, "CERT-VN", "CISCO", "CONFIRM", "REDHAT", etc.

"source" is already defined in the JSON v4 as an object, meant to be
used for such purposes:

https://github.com/CVEProject/automation-working-group/blob/master/cve_json_schema/DRAFT-JSON-file-format-v4.md#source

If there is a CNA ID, use that instead of "REDHAT" or "CISCO".
Example:

  "references": {
    "reference_data": [
      {
        "name": "RedHat Security Advisory RHSA-2018:0151",
        "url": "https://access.redhat.com/errata/RHSA-2018:0151",
        "source": {
          "CNA_ID": "CNA-72a82740-9249-4699-8803-5c4e4b590ce8"
        }
      }
    ]
  }


> - "name", which is a string that helps identify the reference among
> others in the same source; eg, "VU#584653" (for CERT-CC), "20180104
> CPU Side-Channel Information Disclosure Vulnerabilities" (for
> "CISCO")
> "RHSA-2018:0292" (for "REDHAT"), etc. Note that, while MITRE uses the
> reference URL as the name for the "CONFIRM" and "MISC" sources in the
> CVE List, we plan to omit this attribute for those two sources.

This is OK. I remember seeing some CNAs already use this field.

Thanks
-Chandan
--
Security Incident Response Team
Juniper Networks
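A small consistency check for reference_data entries in the shape Chandan describes above, added here as an example and not code from the thread or from the CVE JSON v4 schema project. It flags legacy CVE List source names (such as CONFIRM or MISC, which George notes map to no single site) where v4 expects a source object; the CNA-<uuid> pattern and the two faulty sample entries are assumptions constructed from the one example in the thread.

```python
import re
from urllib.parse import urlparse

# Legacy CVE List source names mentioned in the thread; MISC, MLIST and
# CONFIRM in particular do not correspond to any single site or CNA.
LEGACY_SOURCE_NAMES = {"CERT-VN", "CISCO", "CONFIRM", "REDHAT", "MISC", "MLIST"}
# Assumed shape "CNA-<uuid>", generalised from the single CNA_ID in the thread.
CNA_ID_RE = re.compile(r"^CNA-[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def check_reference(ref):
    """Return the problems found in one reference_data entry ([] if clean)."""
    problems = []
    url = urlparse(ref.get("url", ""))
    if url.scheme != "https" or not url.netloc:
        problems.append("url must be an absolute https URL")
    if not ref.get("name"):
        problems.append("name missing")
    source = ref.get("source")
    if isinstance(source, dict):
        cna = source.get("CNA_ID", "")
        if not CNA_ID_RE.match(cna):
            problems.append(f"CNA_ID {cna!r} does not look like CNA-<uuid>")
    elif isinstance(source, str) and source in LEGACY_SOURCE_NAMES:
        problems.append(f"legacy source name {source!r}; v4 expects a source object")
    else:
        problems.append("source must be an object with CNA_ID")
    return problems


def check_references(block):
    """Map each faulty entry (by url or index) to its problems; {} means clean."""
    return {
        ref.get("url") or f"#{i}": problems
        for i, ref in enumerate(block.get("reference_data", []))
        if (problems := check_reference(ref))
    }


# Constructed sample: the entry from the thread plus two deliberately faulty ones.
SAMPLE = {"reference_data": [
    {"name": "RedHat Security Advisory RHSA-2018:0151",
     "url": "https://access.redhat.com/errata/RHSA-2018:0151",
     "source": {"CNA_ID": "CNA-72a82740-9249-4699-8803-5c4e4b590ce8"}},
    {"name": "VU#584653", "url": "https://www.kb.cert.org/vuls/id/584653",
     "source": "CERT-VN"},
    {"url": "http://example.invalid/advisory", "source": {"CNA_ID": "bogus"}},
]}

if __name__ == "__main__":
    for url, problems in check_references(SAMPLE).items():
        print(url, "->", "; ".join(problems))
```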


Page Last Updated or Reviewed: March 30, 2018