Re: CVE Current States
On 2017-06-14 10:25, Coffin, Chris wrote:
> Here is what I think we are driving to in this thread. We can discuss
> more on the call today if needed.

I won't make the call today; here's some input.

1. When we're ready, publicly document states, including a state
transition diagram. A colleague of mine started one but it's not quite
ready to share.

> STATE:UNASSIGNED: A CVE that has never been RESERVED. The CVE master
> list provides an error message in the case that someone attempts to
> view this CVE ID.
> Example: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2001-10000
> STATE_DETAIL:N/A (I don't believe it would ever be needed)

This is the default state, correct? This state should never appear in
a CVE data record?

> STATE:RESERVED: A CVE Identifier (CVE ID) is marked as "RESERVED"
> when it has been reserved for use by a CVE Numbering Authority (CNA)
> or security researcher, but the details of it are not yet populated.
> Example: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1253
> STATE_DETAIL:CNA_ALLOCATED - Provided as part of a block request to a
> CNA
> STATE_DETAIL:ASSIGNED - assigned to a vulnerability

Are these finite state details? If reserved, must also be
cna_allocated or assigned, state detail can't be empty?

> STATE:REJECT: A CVE ID listed as "REJECT" is a CVE ID that is not
> accepted as a CVE ID. The reason a CVE ID is marked REJECT will most
> often be stated in the description of the CVE ID.
> Example: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8784
> STATE_DETAIL:DUPLICATE_ASSIGNMENT
> STATE_DETAIL:DUPLICATE_RESERVATION
> STATE_DETAIL:DUPLICATE_TYPO_SEQ_OR_YEAR
> STATE_DETAIL:MIXED_ISSUES_OR_DUAL_USE
> STATE_DETAIL:MERGED
> STATE_DETAIL:WITHDRAWN
> STATE_DETAIL:EXPIRED
> STATE_DESCRIPTION: // probably the only STATE where this is required

Again, is state detail required?
If duplicate or merged, must description note the other IDs involved?

> STATE:POPULATED: The CVE entry has been published with at least a
> minimum amount of detail and at least one public reference.
> Example: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0002
> STATE_DETAIL:N/A (I don't believe it would ever be needed)

There is currently a PUBLIC state I think. Is populated replacing
public?

Regards,
- Art
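
Added example (not part of the original message and not CVE project code): a validator for the STATE / STATE_DETAIL vocabulary quoted above. The record shape, the `check_record` name, the constructed CVE-1900-* IDs, and the strict-mode rules, which treat the open questions in the reply as answered "yes", are assumptions.

```python
import re

# STATE -> permitted STATE_DETAIL values, copied from the quoted proposal.
STATE_DETAILS = {
    "UNASSIGNED": set(),
    "RESERVED": {"CNA_ALLOCATED", "ASSIGNED"},
    "REJECT": {"DUPLICATE_ASSIGNMENT", "DUPLICATE_RESERVATION",
               "DUPLICATE_TYPO_SEQ_OR_YEAR", "MIXED_ISSUES_OR_DUAL_USE",
               "MERGED", "WITHDRAWN", "EXPIRED"},
    "POPULATED": set(),
}
# Assumption: these details are the "duplicate or merged" cases from the reply.
NEEDS_OTHER_ID = {d for d in STATE_DETAILS["REJECT"]
                  if d.startswith("DUPLICATE") or d == "MERGED"}
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")

def check_record(record, strict=True):
    """Return a list of problems found in one record (hypothetical dict shape).

    strict=True answers the reply's open questions with "yes" (an assumption):
    UNASSIGNED never appears in a record, a detail is mandatory where the
    proposal lists any, and duplicate/merged rejections name another CVE ID.
    """
    state = record.get("STATE")
    if state not in STATE_DETAILS:
        return [f"unknown STATE {state!r}"]
    problems = []
    if strict and state == "UNASSIGNED":
        problems.append("UNASSIGNED should not appear in a data record")
    allowed = STATE_DETAILS[state]
    detail = record.get("STATE_DETAIL") or "N/A"
    if detail == "N/A":
        if strict and allowed:
            problems.append(f"{state} requires one of {sorted(allowed)}")
    elif detail not in allowed:
        problems.append(f"STATE_DETAIL {detail!r} not valid for {state}")
    if state == "REJECT":
        desc = record.get("STATE_DESCRIPTION", "")
        if not desc:  # proposal: "probably the only STATE where this is required"
            problems.append("REJECT requires STATE_DESCRIPTION")
        elif strict and detail in NEEDS_OTHER_ID:
            if not set(CVE_ID.findall(desc)) - {record.get("ID")}:
                problems.append(f"{detail} description names no other CVE ID")
    return problems

# Constructed sample record (CVE-1900-* IDs are placeholders, not real entries).
merged = {"ID": "CVE-1900-0003", "STATE": "REJECT", "STATE_DETAIL": "MERGED",
          "STATE_DESCRIPTION": "Merged into CVE-1900-0001."}
print(check_record(merged))
```

Running with `strict=False` checks only what the quoted proposal itself states, which makes it easy to see how many existing records each open question would affect.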