|
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: CNA Rules Announcement
- To: Art Manion <amanion@cert.org>, Pascal Meunier <pmeunier@cerias.purdue.edu>, jericho <jericho@attrition.org>, "Chandan Nandakumaraiah" <cbn@juniper.net>
- Subject: Re: CNA Rules Announcement
- From: "Landfield, Kent B" <kent.b.landfield@intel.com>
- Date: Mon, 10 Oct 2016 15:00:09 +0000
- Accept-language: en-US
- Authentication-results: spf=none (sender IP is 129.83.29.2) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=intel.com;mitre.org; dkim=none (message not signed) header.d=none;
- Cc: cve-cna-list <cve-cna-list@LISTS.MITRE.ORG>, cve-editorial-board-list <cve-editorial-board-list@LISTS.MITRE.ORG>
- Delivery-date: Mon Oct 10 15:57:08 2016
- In-reply-to: <53f31392-47ce-b893-0aba-0f9dc4abd718@cert.org>
- List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
- List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
- List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
- List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
- References: <MWHPR09MB1485225620B9A4E94B589A85A1C60@MWHPR09MB1485.namprd09.prod.outlook.com> <alpine.LNX.2.00.1610071348180.22653@forced.attrition.org> <21d6a5ec-f1ab-cc13-d159-4fef3991bbca@juniper.net> <alpine.LNX.2.00.1610071921490.22653@forced.attrition.org> <aa36938b-cd80-a602-ec4c-8ad9633298ee@juniper.net> <CY4PR01MB22301017E8B70A8071ADB5E7F1D90@CY4PR01MB2230.prod.exchangelabs.com> <3FDA0275-3555-49D6-B940-90A07DDDF085@LP3.com> <alpine.LNX.2.00.1610091505350.22653@forced.attrition.org> <e8cbc4d2-62b3-c492-1c7e-f1fd1a626ccb@juniper.net> <alpine.LNX.2.00.1610092105040.22653@forced.attrition.org> <ff0acb4b-99cb-2c93-5387-2703994ebcf9@cerias.purdue.edu> <53f31392-47ce-b893-0aba-0f9dc4abd718@cert.org>
- Sender: <owner-cve-editorial-board-list@lists.mitre.org>
- Spamdiagnosticmetadata: 6cdb8bfc89744bd8bfee511e3e65aa05
- Spamdiagnosticoutput: 1:2
- Thread-index: AdIgrTkQvuowFGniRlm81U+T+iL1AAAWZ6oAAAkLWAAAApRFgAAKFhOAABV99AAALhAJgAAN6KIAAAbpEQAABdjSgAAPVWoAAApYYoD//7TzAA==
- Thread-topic: CNA Rules Announcement
- User-agent: Microsoft-MacOutlook/f.1a.1.160916
Art,
You wrote:
In my view, the role of CVE is to identify/name vulnerabilities, and
nothing further. Other downstream users, like NVD, can build on
CVE.
Of course CVE needs to make abstraction decisions and contain enough
information to de-duplicate entries.
I could not agree more. The power of CVE is that it is simply a means
for naming vulnerabilities. Others should build on it as their use
cases require.
---
Kent Landfield
+1.817.637.8026
On 10/10/16, 9:28 AM, "owner-cve-cna-list@lists.mitre.org on behalf of
Art Manion" <owner-cve-cna-list@lists.mitre.org on behalf of
amanion@cert.org> wrote:
On 2016-10-10 05:32, Pascal Meunier wrote:
> I agree with Brian, it makes sense to have one ID for a flaw in
the
> specification of a protocol, and multiple IDs for vendor
implementations
> with different code bases, even if they happen to have made
similar
> mistakes. I think Kurt's suggestion to cross-reference them
"(this is
> related to the following CVEs: Z/X/Y)" would be helpful although
not
> necessary.
Noting the disagreement about level of abstraction, I suspect that
beyond individual opinion, different vulnerability
analysis/management
use cases prefer different abstractions. VRDX-SIG at FIRST has a
proposed answer for this, which is basically a protocol (working
title:
vxref) for relationships between vulnerability IDs.
https://www.first.org/resources/papers/conf2015/first_2015_-_manion-_uchiyama-_terada_-_vrdx-sig_20150619.pdf
So one could say CVE-X is a subset of CVE-Y. Or similar to. If
VDBs
were to use the protocol, a user could construct a graph of IDs.
vxref
isn't limited to CVE IDs.
In a world of, at the very minimum, 14K publicly disclosed
vulnerabilities per year, a way to deal with different abstractions
within or across VDBs is more than helpful, it's essential, unless
one
VDB is going to cover the entire world's uses.
In my view, the role of CVE is to identify/name vulnerabilities, and
nothing further. Other downstream users, like NVD, can build on
CVE.
Of course CVE needs to make abstraction decisions and contain enough
information to de-duplicate entries.
- Art
- Follow-Ups:
- RE: CNA Rules Announcement
- From: "Coffin, Chris" <ccoffin@mitre.org>
- RE: CNA Rules Announcement
- References:
- CNA Rules Announcement
- From: "Coffin, Chris" <ccoffin@mitre.org>
- Re: CNA Rules Announcement
- From: jericho <jericho@attrition.org>
- Re: CNA Rules Announcement
- From: jericho <jericho@attrition.org>
- RE: CNA Rules Announcement
- From: "Williams, Ken" <Ken.Williams@ca.com>
- Re: CNA Rules Announcement
- From: Scott Lawler <scott.lawler@lp3.com>
- Re: CNA Rules Announcement
- From: jericho <jericho@attrition.org>
- Re: CNA Rules Announcement
- From: jericho <jericho@attrition.org>
- Re: CNA Rules Announcement
- From: Pascal Meunier <pmeunier@cerias.purdue.edu>
- Re: CNA Rules Announcement
- From: Art Manion <amanion@cert.org>
- CNA Rules Announcement
- Prev by Date: Re: CNA Rules Announcement
- Next by Date: RE: CNA Rules Announcement
- Previous by thread: Re: CNA Rules Announcement
- Next by thread: RE: CNA Rules Announcement
- Index(es):