
Re: cve container tags micro agenda



So for the mandatory must stuff and the optional version #:

My thinking was that we would have namespaces for tags (e.g. MITRE has one, DWF has one, Microsoft has one), and that an org could have multiple name spaces (e.g. "production" and "experimental") defined by an endpoint URL (where ideally information about the tags and what they mean is available). I'd also like to see some versioning because tag status/meaning may change over time (e.g. a tag is split into more tags to have more specific meanings). We could certainly live without the version # but it would be annoying in some ways. 

For the optional language thing I was thinking much like CVE descriptions we should probably give a hint. Also, I'm assuming some languages have the same words, spelled the same in ASCII, with different meanings.

As for sub tags I'm not sure. Having key pairs as opposed to just tags would certainly make some things easier, but do we need it? (e.g. I'm thinking of cases where a tag value might have different meanings within a schema, and there aren't any better words/tags to use to differentiate them.)

On Wed, Oct 18, 2017 at 11:56 AM, Kurt Seifried <kurt@seifried.org> wrote:

Tags Container for CVE entries:


Must:

Must specify some origin/name space

Must specify some tag value(s)


Optional:

Optional: can specify a tag version # (this can be a number, version #, date string)

Optional: can specify some language value for tag(s) (default eng?)


Possible Option:

Possible Optional: can specify a value for the tag (so you can have a key pair store? Do we allow multiple values? Sort of a sub tag? e.g. "license":"GPLv2" which helps give context)


Please note that tags can occur at multiple places, e.g. globally, within an affects, etc, like the other containers, so some degree of access control will take place based on this most likely (e.g. I'm inclined to let Red Hat do whatever tags they want in a Red Hat vendor section vs. allowing some random person to do so).


Questions for operations:

Do we allow someone to add tags from MITRE's name space for example, or can only MITRE do that? I think we have to let people use other people's tags or we would have a proliferation of tag name spaces that overlap.

Can a namespace (e.g. DWF) declare that anyone can add tags? Do we have a free for all community tag section?


--
Kurt Seifried
kurt@seifried.org



--
Kurt Seifried
kurt@seifried.org
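The thread above sketches the container but does not fix a schema. The validator below is an added example, not code from the thread or from the CVE project, showing how the must/optional rules and the access-control questions could be checked in practice. Every field name (`namespace`, `tags`, `version`, `language`, `key`/`value` for sub tags), the namespace registry and its `users` policy set, and the three-letter language check are assumptions chosen for the example; the registry entries and endpoint URLs are constructed.

```python
"""Validator for a hypothetical CVE 'tags' container.

Assumed (not from the thread): field names, the NAMESPACES registry layout,
and the ISO 639-2 style three-letter language check implied by the 'eng' default.
"""

from typing import Any, Dict, List, Optional

# Constructed namespace registry (hypothetical). Each namespace maps to the
# endpoint that documents its tags, the set of actors allowed to tag with it
# ("*" = anyone may reuse the namespace's tags), and the tag versions it has
# published. A per-namespace 'users' set is one way to answer the thread's
# "can a namespace declare that anyone can add tags?" question.
NAMESPACES: Dict[str, Dict[str, Any]] = {
    "mitre": {"endpoint": "https://example.invalid/mitre/tags",
              "users": {"*"}, "versions": {"2017-10-18"}},
    "dwf/community": {"endpoint": "https://example.invalid/dwf/community/tags",
                      "users": {"*"}, "versions": {"1", "2"}},
    "redhat/production": {"endpoint": "https://example.invalid/redhat/tags",
                          "users": {"redhat"}, "versions": {"1"}},
}

DEFAULT_LANGUAGE = "eng"


def validate_tags_container(container: Dict[str, Any], actor: str,
                            section_owner: Optional[str] = None) -> List[str]:
    """Return a list of problems found (an empty list means the container is valid).

    actor         -- who is submitting the container
    section_owner -- owner of the enclosing section (e.g. a vendor section),
                     or None when the container sits in the global section
    """
    errors: List[str] = []

    # Must: an origin/name space, and one that is registered.
    ns = container.get("namespace")
    if not isinstance(ns, str) or not ns:
        errors.append("namespace is required")
        return errors
    policy = NAMESPACES.get(ns)
    if policy is None:
        errors.append(f"unknown namespace {ns!r}")
        return errors

    # Must: at least one tag value. Each tag is either a plain string or the
    # optional "sub tag" form, a key/value pair such as license -> GPLv2.
    tags = container.get("tags")
    if not isinstance(tags, list) or not tags:
        errors.append("tags must be a non-empty list")
    else:
        for i, tag in enumerate(tags):
            if isinstance(tag, str) and tag:
                continue
            if (isinstance(tag, dict) and isinstance(tag.get("key"), str)
                    and isinstance(tag.get("value"), str)):
                continue
            errors.append(f"tags[{i}] must be a non-empty string or a key/value pair")

    # Optional: a version (number, version string or date string), which must be
    # one the namespace has actually published, so split/renamed tags stay traceable.
    version = container.get("version")
    if version is not None and str(version) not in policy["versions"]:
        errors.append(f"version {version!r} not published by {ns}")

    # Optional: language, defaulting to eng; assumed three-letter code.
    language = container.get("language", DEFAULT_LANGUAGE)
    if not (isinstance(language, str) and len(language) == 3 and language.isalpha()):
        errors.append(f"language {language!r} is not a three-letter code")

    # Access control: inside a vendor section only that vendor may add tags, and
    # the namespace's own policy decides who may use its tags at all.
    if section_owner is not None and actor != section_owner:
        errors.append(f"{actor} may not add tags in the {section_owner} section")
    if "*" not in policy["users"] and actor not in policy["users"]:
        errors.append(f"{actor} may not use namespace {ns}")

    return errors


if __name__ == "__main__":
    # Constructed sample: a global-section container using MITRE's namespace.
    sample = {"namespace": "mitre", "version": "2017-10-18",
              "tags": ["remote", {"key": "license", "value": "GPLv2"}]}
    print(validate_tags_container(sample, actor="anyone") or "valid")
```

The two checks at the end are deliberately separate: section ownership answers "who may tag here" while the namespace policy answers "whose tags may be used", which are the two distinct questions the thread raises.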

Page Last Updated or Reviewed: October 19, 2017