|
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Dot Notation Proposal WAS: Exploding CVE entries
- To: Pascal Meunier <pascalm@cup.hp.com>
- Subject: Re: Dot Notation Proposal WAS: Exploding CVE entries
- From: Dave Mann <damann@mitre.org>
- Date: Tue, 20 Jul 1999 10:36:25 -0400
- CC: cve-editorial-board-list@lists.mitre.org
- Organization: The MITRE Corporation
- References: <v03130303b3b7f7dccfbe@[15.13.188.202]> <v03130305b3b995ce1b3c@[15.13.188.202]>
- Reply-To: damann@mitre.org
- Sender: owner-cve-editorial-board-list@lists.mitre.org
Pascal Meunier wrote: > > Sounds fine to me, although the notation could be lighter, i.e., it could > be understood that if a CVE entry has a list at the end like: > > 1. Digital Unix 3.0x, 3.2x, 4.0, 4.0a and products based on these > 2. FreeBSD v prior to 2.1.6 > 3. HPUX 9.x, 10.00-10.20, > 4. AIX 3.2, 4.1, 4.2 > > then referring to CVE-1999-0128.3 means the vulnerability instance of > CVE-1999-0128 in > HPUX 9.x, 10.00-10.20. Right! Steve and I see 2 fundamentally different approaches for implementing the dot notation. The difference hinges entirely one what we mean by a CVE entry. These models are: 1) THE CERT ADVISORY MODEL - In this model, a CVE entry is a high, "same attack" level description of a vulnerability. The label for each CVE entry would be of the form CVE-DDDD-N with no dot. In a manner similar to a typical CERT Advisory, the description for each CVE entry would contain numbered references to each known instance of the vulnerability at the lower, "same codebase" level. Hence, a CVE number of the form CVE-DDDD-N.x would refer to a particular instance of the CVE entry CVE-DDDD-N. 2) THE CARD CATALOG MODEL - In this model, a CVE entry is either a high, "same attack" level description of a vulnerability or a low level, "same codebase" level description. The label for each CVE entry would be of the form CVE-DDDD-N.x where: (x = 0) implies that the entry is a high level entry and (x > 0) implies that the entry is a low level entry. Clearly, the existence of an entry of the form CVE-DDDD-N.3 (a low level entry) would imply the existence of an entry of the form CVE-DDDD-N.0 (the corresponding high level entry). This model is somewhat akin to the old fashioned Title card catalogs in a library where each card (corresponding to a CVE entry) describes a particular instance of a title with respect to edition information. Speaking only for myself at the moment, I am somewhat ambivalent as to which implementation scheme is preferable. Since the 2 approaches are logically equivalent, I would suggest that the decision should be based on a consideration as to which scheme will allow better automated CVE referencing and external db interoperability. Thoughts? Preferences? Other suggestions? Dave -- ========================================================= David Mann || phone: (781) 271 - 2252 INFOSEC Engineer/Scientist, Sr || Enterprise Security Solutions || fax: (781) 271 - 3957 The MITRE Corporation || Bedford, Mass 01730 || e-mail: damann@mitre.org
- References:
- Exploding CVE entries
- From: Pascal Meunier <pascalm@cup.hp.com>
- Re: Dot Notation Proposal WAS: Exploding CVE entries
- From: Pascal Meunier <pascalm@cup.hp.com>
- Exploding CVE entries
- Prev by Date: Re: Dot Notation Proposal WAS: Exploding CVE entries
- Next by Date: PROPOSAL: Cluster 19 - NTCONFIG (13 candidates)
- Prev by thread: Re: Dot Notation Proposal WAS: Exploding CVE entries
- Next by thread: Re: Dot Notation Proposal WAS: Exploding CVE entries
- Index(es):