The CVE Automation Working Group (AWG) has operated a pilot since May 2017 to explore sharing of CVE data using git. To date, this has involved use of a private, MITRE-hosted git repository, with participation limited to members of the AWG. We now propose that, as a second phase of the pilot, the repository be moved to a public one hosted on GitHub.com and that updates be accepted only from members of the CVE Automation Working Group.
For some time now, CNAs have been supplying information beyond descriptions and references when populating CVE entries, e.g., affected products and versions as well as problem types. This additional information is not currently published in the CVE List on https://cve.mitre.org/ but is included in the CVE JSON files in the repository. We see great benefit in making that information public and hope that doing so will spur development of tooling and services to work with these files. We also see great benefit in making public the change history that git natively provides, as doing so will increase situational awareness and provide transparency.
We consider this second phase a short, transitional one, supporting migration to a new platform. Our goals during this phase include:
- Verify that Github.com can be used to submit assignment information to the primary CNA by means of pull requests.
- Experiment with automation by setting up a process to validate JSON files in submissions against the minimal CVE schema.
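One way to set up the validation step named in the second goal, given here as an added example rather than the AWG's or MITRE's own tooling: a stand-alone Python check of a submitted CVE JSON file against a hand-written subset of the record layout. The pilot's "minimal CVE schema" itself is not reproduced here; the field names follow the CVE JSON 4.0 layout used by the repository files (the proposal's affected products and versions, problem types, descriptions and references, plus the data_* header and CVE_data_meta), the sample records are constructed, and the placeholder ID, vendor and URL are not real data.

```python
import json
import re

# Added example, not the AWG pilot's own validator. Assumption: the pilot's
# "minimal CVE schema" is not reproduced; field names follow CVE JSON 4.0.
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def _get(node, *keys):
    """Walk nested objects; return None as soon as a step is missing or not an object."""
    for key in keys:
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    return node


def _lang_list(node, path, errors):
    """A description_data-style list: non-empty, each entry {lang, value} with text."""
    if not isinstance(node, list) or not node:
        errors.append(f"{path} must be a non-empty list")
        return
    for i, item in enumerate(node):
        for key in ("lang", "value"):
            value = _get(item, key)
            if not isinstance(value, str) or not value.strip():
                errors.append(f"{path}[{i}].{key} must be a non-empty string")


def validate_cve_record(record):
    """Return a list of error strings; an empty list means the record passes."""
    if not isinstance(record, dict):
        return ["top level must be a JSON object"]
    errors = []
    for key, expected in (("data_type", "CVE"), ("data_format", "MITRE"), ("data_version", "4.0")):
        if record.get(key) != expected:
            errors.append(f"{key} must be {expected!r}, got {record.get(key)!r}")

    cve_id = _get(record, "CVE_data_meta", "ID")
    if not isinstance(cve_id, str) or not CVE_ID_RE.match(cve_id):
        errors.append(f"CVE_data_meta.ID {cve_id!r} is not of the form CVE-YYYY-NNNN")
    assigner = _get(record, "CVE_data_meta", "ASSIGNER")
    if not isinstance(assigner, str) or "@" not in assigner:
        errors.append("CVE_data_meta.ASSIGNER must be the assigning CNA's contact address")

    _lang_list(_get(record, "description", "description_data"), "description.description_data", errors)

    pt_data = _get(record, "problemtype", "problemtype_data")
    if not isinstance(pt_data, list) or not pt_data:
        errors.append("problemtype.problemtype_data must be a non-empty list")
    else:
        for i, entry in enumerate(pt_data):
            _lang_list(_get(entry, "description"), f"problemtype.problemtype_data[{i}].description", errors)

    # affects: every vendor needs a name and at least one product carrying a version list
    vendors = _get(record, "affects", "vendor", "vendor_data")
    if not isinstance(vendors, list) or not vendors:
        errors.append("affects.vendor.vendor_data must be a non-empty list")
    else:
        for i, vendor in enumerate(vendors):
            vpath = f"affects.vendor.vendor_data[{i}]"
            if not _get(vendor, "vendor_name"):
                errors.append(f"{vpath}.vendor_name is required")
            products = _get(vendor, "product", "product_data")
            if not isinstance(products, list) or not products:
                errors.append(f"{vpath}.product.product_data must be a non-empty list")
                continue
            for j, product in enumerate(products):
                ppath = f"{vpath}.product.product_data[{j}]"
                if not _get(product, "product_name"):
                    errors.append(f"{ppath}.product_name is required")
                versions = _get(product, "version", "version_data")
                if not isinstance(versions, list) or not versions:
                    errors.append(f"{ppath}.version.version_data must be a non-empty list")
                elif not all(_get(v, "version_value") for v in versions):
                    errors.append(f"{ppath}.version.version_data entries need a version_value")

    # references: each entry must carry a URL; name and refsource are optional here
    ref_data = _get(record, "references", "reference_data")
    if not isinstance(ref_data, list) or not ref_data:
        errors.append("references.reference_data must be a non-empty list")
    else:
        for i, ref in enumerate(ref_data):
            url = _get(ref, "url")
            if not isinstance(url, str) or not url.startswith(("http://", "https://", "ftp://")):
                errors.append(f"references.reference_data[{i}].url must be an http(s) or ftp URL")
    return errors


def validate_file(path):
    """Validate one JSON file from a submission; a JSON syntax error is reported like a schema error."""
    try:
        with open(path, encoding="utf-8") as fh:
            return validate_cve_record(json.load(fh))
    except ValueError as exc:  # json.JSONDecodeError is a ValueError
        return [f"{path}: not valid JSON ({exc})"]


# Constructed sample records (placeholder ID, vendor and URL; not real CVE data).
SAMPLE_GOOD = {
    "data_type": "CVE", "data_format": "MITRE", "data_version": "4.0",
    "CVE_data_meta": {"ID": "CVE-2017-0000", "ASSIGNER": "cve@mitre.org", "STATE": "PUBLIC"},
    "affects": {"vendor": {"vendor_data": [{"vendor_name": "ExampleCo", "product": {"product_data": [
        {"product_name": "Widget Server", "version": {"version_data": [{"version_value": "2.1.0"}]}}]}}]}},
    "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79"}]}]},
    "references": {"reference_data": [{"url": "https://example.com/advisory", "refsource": "CONFIRM"}]},
    "description": {"description_data": [{"lang": "eng", "value": "Constructed description text."}]},
}
SAMPLE_BAD = {  # malformed ID, empty description, empty problemtype, no vendors, reference without URL
    "data_type": "CVE", "data_format": "MITRE", "data_version": "4.0",
    "CVE_data_meta": {"ID": "CVE-17-1", "ASSIGNER": "cve@mitre.org"},
    "affects": {"vendor": {"vendor_data": []}},
    "problemtype": {"problemtype_data": [{"description": []}]},
    "references": {"reference_data": [{"name": "no url here"}]},
    "description": {"description_data": [{"lang": "eng", "value": ""}]},
}
```

Run as a check on a pull request, validate_file would be applied to every changed *.json path and the check fails when any returned list is non-empty, so the schema check gates the submission before the primary CNA looks at it. Returning all errors at once, rather than stopping at the first, is deliberate: a CNA fixing a rejected submission wants the complete list in one round trip.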
Unless there are sustained objections from the Board, we will start the second phase of the pilot on Wednesday, October 11th and let it run for one month. Afterwards, we hope to give access to all CNAs and explore other forms of automation in subsequent phases.