On 2018-05-16 13:00, Waltermire, David A. (Fed) wrote:
> Since this information can also appear in a dedicated field in CVE
> feeds, this seems to be duplicative in nature. This is not a widely
> used practice yet. Is this a practice that the board wants to
> encourage/discourage?
CVSS scores, or ideally just the vectors, should go in the appropriate
CVSS field in the CVE format, and not in the description. I am in
favor of discouraging the practice.
I'd rather work towards:
1. A more comprehensive, standard set of fields for a vulnerability (or
vulnerability report), such as the NIST VDO.
2. A standard CVE record that complies with #1 but that only requires
the carefully selected minimum fields to achieve the CVE mission:
vulnerability identification. Severity and priority, CVSS or otherwise,
are not needed for this mission and are extraneous and distracting.
CVSS as an optional field in a CVE record is fine, and users can
currently grab that information from JSON files in git. Maybe MITRE
CVE or NVD would choose to expose CVSS and other optional data from CVE
records.
There is clearly a user need for #1, and people are happy enough to
just treat a CVE record as a more comprehensive vulnerability record.
I'm reasonably happy to work on #2 before #1 and back-fit #1 if that is
more practical.
- Art