[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CVE Current States

To: Art Manion <amanion@cert.org>
Subject: Re: CVE Current States
From: "Landfield, Kent" <Kent_Landfield@McAfee.com>
Date: Wed, 14 Jun 2017 16:19:12 +0000
Accept-language: en-US
Authentication-results: spf=none (sender IP is 129.83.29.2) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=McAfee.com;
Cc: "Coffin, Chris" <ccoffin@mitre.org>, "kseifried@redhat.com" <kseifried@redhat.com>, Beverly Finch <beverlyfinch@lenovo.com>, cve-editorial-board-list <cve-editorial-board-list@LISTS.MITRE.ORG>
Delivery-date: Wed Jun 14 12:34:45 2017
In-reply-to: <e05dba02-aa71-fcec-711d-2e10a0d0e21a@cert.org>
List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
References: <MWHPR09MB14852CA28BDB4D4259BDB4CAA1FF0@MWHPR09MB1485.namprd09.prod.outlook.com> <CANO=Ty0SKo8LKeTwMCgGLuejpsFVexvLgXUvx22fwW4cqykwOw@mail.gmail.com> <63507D25FF3F774F9AA912018147F1DB01085F8B2F@USMAILMBX01> <MWHPR09MB148500311EC3B97AB29C0D83A1FC0@MWHPR09MB1485.namprd09.prod.outlook.com> <63507D25FF3F774F9AA912018147F1DB01085FB2A4@USMAILMBX01> <6b6b338d-faa7-1a6a-0eec-cabfb914f4d7@redhat.com> <MWHPR09MB14858ADF42E58ED268D075ABA1C30@MWHPR09MB1485.namprd09.prod.outlook.com>,<e05dba02-aa71-fcec-711d-2e10a0d0e21a@cert.org>
Sender: <owner-cve-editorial-board-list@lists.mitre.org>
Spamdiagnosticmetadata: 6cdb8bfc89744bd8bfee511e3e65aa05
Spamdiagnosticoutput: 1:2
Thread-index: AdLVpPWdEMSTnoAPSeieEtHn052g5gAFrqkAAAGlHAAAF7ngMAAByz2AAAVYFAADtkZS0AAEbQOAAABbwr8=
Thread-topic: CVE Current States

Sadly I too will not make the call today.

Kent Landfield
Kent_Landfield@McAfee.com
+1.817.637.8026 

> On Jun 14, 2017, at 12:17 PM, Art Manion <amanion@cert.org> wrote:
> 
>> On 2017-06-14 10:25, Coffin, Chris wrote:
>> Here is what I think we are driving to in this thread. We can 
>> discuss more on the call today if needed.
> 
> I won't make the call today, here's some input.
> 
> 1. When we're ready, publicly document states, including a state 
> transition diagram.  A colleague of mine started one but it's not 
> quite ready to share.
> 
>> STATE:UNASSIGNED: A CVE that has never been RESERVED. The CVE master 
>> list provides an error message in the case that someone attempts to 
>> view this CVE ID.
>> Example: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2001-10000
>> STATE_DETAIL:N/A (I don't believe it would ever be needed)
> 
> This is the default state, correct?  This state should never appear 
> in a CVE data record?
> 
>> STATE:RESERVED: A CVE Identifier (CVE ID) is marked as "RESERVED" 
>> when it has been reserved for use by a CVE Numbering Authority (CNA) 
>> or security researcher, but the details of it are not yet populated.
>> Example: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1253
>> STATE_DETAIL:CNA_ALLOCATED - Provided as part of a block request to 
>> a CNA
>> STATE_DETAIL:ASSIGNED - assigned to a vulnerability
> 
> Are these finite state details?  If reserved, must also be 
> cna_allocated or assigned, state detail can't be empty?
> 
>> STATE:REJECT: A CVE ID listed as "REJECT" is a CVE ID that is not 
>> accepted as a CVE ID. The reason a CVE ID is marked REJECT will most 
>> often be stated in the description of the CVE ID.
>> Example: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8784
>> STATE_DETAIL:DUPLICATE_ASSIGNMENT
>> STATE_DETAIL:DUPLICATE_RESERVATION
>> STATE_DETAIL:DUPLICATE_TYPO_SEQ_OR_YEAR
>> STATE_DETAIL:MIXED_ISSUES_OR_DUAL_USE
>> STATE_DETAIL:MERGED
>> STATE_DETAIL:WITHDRAWN
>> STATE_DETAIL:EXPIRED
>> STATE_DESCRIPTION: // probably the only STATE where this is required
> 
> Again, is state detail required?
> 
> If duplicate or merged, must description note the other IDs involved?
> 
>> STATE:POPULATED: The CVE entry has been published with at least a 
>> minimum amount of detail and at least one public reference.
>> Example: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0002
>> STATE_DETAIL:N/A (I don't believe it would ever be needed)
> 
> There is currently a PUBLIC state I think.  Is populated replacing 
> public?
> 
> Regards,
> 
> - Art

Follow-Ups:
- Re: CVE Current States
  - From: "kseifried@redhat.com" <kseifried@redhat.com>

References:
- RE: CVE Current States
  - From: "Coffin, Chris" <ccoffin@mitre.org>
- Re: CVE Current States
  - From: Art Manion <amanion@cert.org>

Prev by Date: Re: CVE Current States
Next by Date: RE: CVE Current States
Previous by thread: Re: CVE Current States
Next by thread: Re: CVE Current States
Index(es):
- Date
- Thread