Re: CVEs with no REF URL (or a REF URL that is self referential)

To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Re: CVEs with no REF URL (or a REF URL that is self referential)
From: Scott Lawler <scott.lawler@lp3.com>
Date: Wed, 4 Oct 2017 16:59:01 +0000
Accept-language: en-US
Authentication-results: spf=none (sender IP is 129.83.29.2) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=lp3.com;
Delivery-date: Wed Oct 4 13:46:24 2017
In-reply-to: <CABqVa3-jbSjdzo9-4aPGyxXRUVWFDt=eaCqw8S6W=fuN3V6vmg@mail.gmail.com>
List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
References: <CABqVa3-jbSjdzo9-4aPGyxXRUVWFDt=eaCqw8S6W=fuN3V6vmg@mail.gmail.com>
Sender: <owner-cve-editorial-board-list@lists.mitre.org>
Spamdiagnosticmetadata: 5952c28dcc454f0789fb433d26f936ef
Spamdiagnosticoutput: 1:2
Thread-index: AQHTPTDqKKzaYEXTCUSZgnCraZeYsaLT6TrF
Thread-topic: CVEs with no REF URL (or a REF URL that is self referential)

I think making the URL optional is ok. But, what is the definition of "all the needed data"?

How can we quantify that sufficiently to quickly reject the items without sufficient information?

Can we provide sufficiently detailed guidance to cover most use cases?

Scott

From: owner-cve-editorial-board-list@lists.mitre.org <owner-cve-editorial-board-list@lists.mitre.org> on behalf of Kurt Seifried <kurt@seifried.org>
Sent: Wednesday, October 4, 2017 12:48:03 PM
To: cve-editorial-board-list
Subject: CVEs with no REF URL (or a REF URL that is self referential)

So currently CVE assignments require a URL.

My proposal is that, simply put, if the CVE itself can contain all the needed data why not remove the requirement for the URL. The advantage of this is that for embargoed issues we can immediately submit the CVE to the database without having to wait for REF URL's to be created. The other advantage is that the REF URL can't disappear, the data is embedded directly in the CVE entry.

The common case is that in the OpenSource world we often have all the information needed for a CVE assignment, specifically in the form of a patch with notes, but that patch has not yet been committed, and it may not be a deterministic URL once committed (if we knew the URL in advance we would simply put it into the REF URL). This is especially true for Linux kernel commits and many other projects that use git. Often times as well these entities do not publish a security advisory or anything beyond "here's the patch commit with a note" (which is sufficient information in almost all cases).

So I think simply put if the rules are changed to include a statement such as:

The REF URL may be omitted, or set to reference the CVE itself (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-XXXXXX) if the description contains sufficient detail to fully explain the CVE (e.g. code patch information).

Kurt Seifried
kurt@seifried.org

Follow-Ups:
- Re: CVEs with no REF URL (or a REF URL that is self referential)
  - From: Kurt Seifried <kseifried@redhat.com>

References:
- CVEs with no REF URL (or a REF URL that is self referential)
  - From: Kurt Seifried <kurt@seifried.org>

Prev by Date: CVEs with no REF URL (or a REF URL that is self referential)
Next by Date: Re: CVEs with no REF URL (or a REF URL that is self referential)
Previous by thread: CVEs with no REF URL (or a REF URL that is self referential)
Next by thread: Re: CVEs with no REF URL (or a REF URL that is self referential)
Index(es):
- Date
- Thread