02:35-03:55: Review of Action items (see attached Excel file)
See attached Excel spreadsheet for open action items from prior meetings (CVE Board Meeting 14 April21– Agenda and Action items)
| 03.31.02 | Send email to CNAs about deprecations of format, to understand the impact and why they are using Flat file and CSV formats. | Kent L. | Not Started | Assigned on 3/31/2021 |
§ Revised Directive on Security of Network and Information Systems (NIS2) Update - Kent Landfield
o Kent provided an update on the draft NIS2 Directive, its potential impact on the CVE Program, and further clarification on the NIS2 objectives. NIS2 specifies that a coordination capability be established across the EU and EU countries, with national-level Member State CERTs working together to create a coordinated environment for action and information sharing. Kent explained that the EU's DG CONNECT and EU Members of Parliament (MEP) are interested in getting more involved and in integrating with the CVE Program. Kent has the action of scheduling a discussion with the Secretariat and the members of DG CONNECT who will be involved with the standup and support of the effort.
§ Deprecation of acceptable CVE formats - Kent Landfield
- Background: Currently, the CVE Program supports three different formats for submitting CVE-related record information: a flat file format, a CSV format, and a JSON format. The flat file and CSV formats have not changed since their creation, and there is no current formal mechanism to update these formats. Today the non-JSON formats require manual processing and CPS support. It should be noted that AWG services have no plans to support the non-JSON formats at this point. Today, 30% to 40% of CNAs in the CVE Program use these legacy formats.
- The program is moving towards CVE JSON version 5 (JSON5) and is getting close to finalizing it. JSON makes it easier to express relationships between fields, is easier to extend and to add support for other capabilities (such as additional language support), and is well-defined; community consensus is currently on track to be achieved. It is the intent of the Program to publish a JSON5 format and use that as the basis for its automation services going forward.
- The Flat File and CSV formats are not well documented and currently do not support all the fields supported by JSON5.
- The legacy formats only support the required fields today. These formats have been difficult to work with and add unnecessary complexity when the required information is modified or updated. As we move forward with automated services, we need to reduce code complexity and remove things that inhibit adoption of the authorized, automated, self-service CVE record update services.
- The final option discussed was deprecation of legacy formats in favor of JSON5. For those CNAs who have automated current submissions using flat files or CSV formats, converters could be created for use by the CNAs. Or they could be given the documentation to ensure they have the knowledge to upgrade their existing automation to support the JSON5 format.
- Submission capabilities, such as a GUI for uploading and modifying records in RSUS, via automation and via the new partner portal, will need to be developed.
- It is understood all this is dependent on the user registry for authentication and authorization. There were discussions of working with Chandan to use Vulnogram as that GUI. This could be modified to integrate with the partner portal and provide a version for CNA submissions via automation.
- SPWG's Board Recommendation: The SPWG recommends the CVE Program adopt JSON5 and deprecate all legacy formats for submission and update of CVE records, when the proper environment for doing so exists.
- The Board agreed the SPWG will send an email to the CNAs about the impact of deprecating to one format, and to get a better understanding of why they are still using Flat File and CSV. In addition, the deprecation of acceptable formats will be added to the CVE Summit agenda to discuss further with the CNAs.
See attached Excel spreadsheet (CVE Board Meeting 14April21– Agenda and Action items)
§ The CVE Board meeting recording archives are in transition to a new platform. Once the new platform is ready, the Board recordings will be readily available to CVE Board Members. Until then, to obtain a recording of a CVE Board Meeting, please reach out to CVE Program Secretariat ().