|
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: CNA Rules Announcement
- To: Art Manion <amanion@cert.org>
- Subject: Re: CNA Rules Announcement
- From: Kurt Seifried <kseifried@redhat.com>
- Date: Wed, 12 Oct 2016 09:11:33 -0600
- Authentication-results: spf=none (sender IP is 129.83.29.3) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=redhat.com;mitre.org; dkim=none (message not signed) header.d=none;
- Cc: Chandan Nandakumaraiah <cbn@juniper.net>, "Booth, Harold (Fed)" <harold.booth@nist.gov>, cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>, cve-cna-list <cve-cna-list@lists.mitre.org>
- Delivery-date: Wed Oct 12 17:13:15 2016
- In-reply-to: <1053f99a-f2a3-6897-04f3-636b47ce39c9@cert.org>
- List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
- List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
- List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
- List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
- References: <MWHPR09MB1485225620B9A4E94B589A85A1C60@MWHPR09MB1485.namprd09.prod.outlook.com> <8958b557-5518-b383-8c2a-fe5089dc25d6@juniper.net> <CY4PR09MB1255129E06A8EEEFBFA9AB4CE6DA0@CY4PR09MB1255.namprd09.prod.outlook.com> <19b176ce-df69-89cd-ed8e-8b2553ec6e28@juniper.net> <CANO=Ty2HwiK-cqLBVShLmtwFVaLizQv9XNNAMMK-4S0zRO_pSA@mail.gmail.com> <251834b1-a008-3d3c-797e-6507ad3082cb@juniper.net> <1053f99a-f2a3-6897-04f3-636b47ce39c9@cert.org>
- Sender: <owner-cve-editorial-board-list@lists.mitre.org>
- Spamdiagnosticmetadata: 6cdb8bfc89744bd8bfee511e3e65aa05
- Spamdiagnosticoutput: 1:2
To be clear I'm quite happy to adopt a better standard than anything I can probably think of, but sadly I haven't seen this yet (e.g. CVRF lacks CVSSv3 and can't easily be extended, what if someone wants to put an AV sig or snort sig or whatever into the data?).
On Wed, Oct 12, 2016 at 7:19 AM, Art Manion <amanion@cert.org> wrote:
On 2016-10-12 01:43, Chandan Nandakumaraiah wrote:
>> https://github.com/distributedweaknessfiling/DWF- Database-Artifacts/blob/ master/JSON-file-format.md
>
> I did suggest that this should be considered by the OASIS TC.
>
>> The protocol is JSON based and can contain typical JSON types, and text,
>> and point to other files in certain areas (e.g. the artifacts). Long
>> term I want to find a better way to attach/embed data (such as the SWID
>> in AFFECTS thing).
Let me take this chance to say: No hand-jamming JSON or XML. Need tool
support. I tried two DWF JSON formats by hand (_javascript_ editor in
browser) and it was horrible. YAML maybe?
It would be great to see the following efforts aligned, or at least
cross-compatible:
CVRF v.new
CVE minimum viable request
DWF JSON
Red Hat/OpenSSL XML
NIST/NVD ontology
VRDX vxref (only used for references, not a full vulnerability record)
and probably something else I'm forgetting
Minimum viable product and actual use cases.
- Art
--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com
- References:
- CNA Rules Announcement
- From: "Coffin, Chris" <ccoffin@mitre.org>
- RE: CNA Rules Announcement
- From: "Booth, Harold (Fed)" <harold.booth@nist.gov>
- Re: CNA Rules Announcement
- From: Kurt Seifried <kseifried@redhat.com>
- Re: CNA Rules Announcement
- From: Art Manion <amanion@cert.org>
- CNA Rules Announcement
- Prev by Date: Re: CNA Rules Announcement
- Next by Date: RE: CNA Rules Announcement
- Previous by thread: Re: CNA Rules Announcement
- Next by thread: REMINDER - Invitation to CVE CNA Summit, November 8th-9th
- Index(es):