Re: Notice of Pilot Activity in CVE Auto WG - Phase 3 of the Git Pilot
Shouldn't we simply define this as "All the CNAs listed at
https://cve.mitre.org/cve/request_id.html"? Essentially they are TLDs
that can talk directly to MITRE. Everyone else talks to their parent (and
so on).
On Wed, Dec 6, 2017 at 2:37 PM, Theall, George A <gtheall@mitre.org>
wrote:
> Kent,
>
> We would like to extend the pilot to all CNAs except sub-CNAs (as
> they need to pass assignment information and updates to the root that
> manages them).
>
> George
>
> -----Original Message-----
> From: Landfield, Kent [mailto:Kent_Landfield@McAfee.com]
> Sent: Wednesday, December 06, 2017 4:30 PM
> To: Theall, George A <gtheall@mitre.org>; cve-editorial-board-list
> <cve-editorial-board-list@lists.mitre.org>
> Subject: Re: Notice of Pilot Activity in CVE Auto WG - Phase 3 of the
> Git Pilot
>
> I have no issues with the proposal but would like to understand the
> term “root CNA”. Are you talking about all CNAs today or just the
> DWF and JPCERT/CC?
>
> Thank you, Gracias, Grazie, 谢谢, Merci!, Спасибо!, Danke!, ありがとう,
> धन्यवाद!
>
> --
>
> Kent Landfield
>
> +1.817.637.8026
>
> kent_landfield@mcafee.com
>
> From: <owner-cve-editorial-board-list@lists.mitre.org> on behalf of
> "Theall, George A" <gtheall@mitre.org>
> Date: Wednesday, December 6, 2017 at 3:16 PM
> To: cve-editorial-board-list
> <cve-editorial-board-list@lists.mitre.org>
> Subject: Notice of Pilot Activity in CVE Auto WG - Phase 3 of the Git
> Pilot
>
> The CVE Automation Working Group (AWG) has operated a pilot since May
> 2017 to explore sharing of CVE data using git.
>
> The first phase involved use of a private, MITRE-hosted git
> repository and ran from May through August of this year.
> Participation was limited to members of the Automation Group.
>
> The second phase has been a short, transitional one in which activity
> shifted to a public repo hosted on Github.com and a process was
> established to perform some basic validation of JSON files in pull
> requests (submissions) against the minimal schema automatically. In
> the past 6 weeks, there have been over a hundred pull requests,
> nearly all of which have been accepted.
>
> The Automation Working Group now proposes a third phase of the pilot,
> to focus on several workflow issues:
>
> 1. Extended automatic validation of pull requests.
>
> Note the goal here is to identify areas of concern for further
> review, either by the submitter or the primary CNA.
>
> a. Check GPG signatures on commits.
>
> b. Identify when requests to populate or modify descriptions by a
> CNA involve ids allocated to a different CNA.
>
> c. Identify when references are "broken".
>
> d. Identify if none of the references associated with a CVE id
> specifically mention that id.
>
> 2. Automatic acceptance by policy of pull requests.
>
> a. Requests from IBM that populate or update descriptions provided
> automatic validation has not identified any areas of concern.
>
> b. Requests from any pilot participant that solely add references.
>
> c. Requests from the NVD that add CVSS / CPE information that is
> separate from what may have been added by the assigning CNA.
>
> 3. Handling of updates to a single entry by multiple maintainers.
>
> The goal here is to see if multiple stakeholders can update a single
> entry; for example, a description update from the assigning CNA,
> reference additions from other CNAs, and adds of CVSS and CPE
> information by the NVD. Of particular interest is whether it’s
> possible to support updates in close proximity to one another, such
> as might happen with a vulnerability such as Heartbleed.
>
> 4. Identification of workflows for addressing issues in entries
> across participants.
>
> In addition, we would like to see the pilot opened up to all interested
> root CNAs.
>
> Unless there are sustained objections from the Board (i.e., "silence
> begets acceptance"), we propose to start the third phase of the pilot
> after next week’s Board call, on Wednesday, December 13th, and let it
> run through May 2018.
>
> George
>
> --
>
> gtheall@mitre.org
>
> The MITRE Corporation
>
--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com
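The quoted proposal's checks 1b, 1c and 1d (id allocated to a different CNA, broken references, no reference mentioning the id) are the kind of thing a pull-request bot can flag for human review. The sketch below is an added example and not the pilot's own tooling; the record layout follows the CVE JSON 4.0 keys (CVE_data_meta.ID, references.reference_data[].url), while the allocation table, the CNA short names and the fetched reference bodies are constructed stand-ins.

```python
import re

# Constructed allocation table: (year, first id, last id, CNA that received the block).
ALLOCATIONS = [
    (2017, 1000, 1999, "dwf"),
    (2017, 5000, 5999, "redhat"),
]

# Constructed stand-in for fetching each reference URL; None models a broken link.
FETCHED = {
    "https://advisory.example/redhat-2017-5123": "RHSA text mentioning CVE-2017-5123",
    "https://blog.example/post": "a write-up that never names the id",
    "https://gone.example/404": None,
}

def owner_of(cve_id):
    """CNA allocated the block containing cve_id, or None if the id is unknown."""
    m = re.fullmatch(r"CVE-(\d{4})-(\d{4,})", cve_id)
    if not m:
        return None
    year, num = int(m.group(1)), int(m.group(2))
    for y, lo, hi, cna in ALLOCATIONS:
        if y == year and lo <= num <= hi:
            return cna
    return None

def check_record(record, submitter, fetch=FETCHED.get):
    """Return concerns for a human reviewer; an empty list means nothing was flagged."""
    concerns = []
    cve_id = record["CVE_data_meta"]["ID"]
    owner = owner_of(cve_id)
    if owner != submitter:                     # check 1b: id belongs to another CNA
        concerns.append(f"{cve_id}: submitted by {submitter!r}, allocated to {owner!r}")
    urls = [r["url"] for r in record["references"]["reference_data"]]
    bodies = {u: fetch(u) for u in urls}
    for u, body in bodies.items():
        if body is None:                       # check 1c: reference is broken
            concerns.append(f"{cve_id}: broken reference {u}")
    if not any(body and cve_id in body for body in bodies.values()):  # check 1d
        concerns.append(f"{cve_id}: no reachable reference mentions the id")
    return concerns

if __name__ == "__main__":
    rec = {"CVE_data_meta": {"ID": "CVE-2017-5123", "ASSIGNER": "secalert@redhat.com"},
           "references": {"reference_data": [{"url": "https://advisory.example/redhat-2017-5123"}]}}
    print(check_record(rec, "redhat"))  # [] -> eligible for acceptance by policy
    print(check_record(rec, "dwf"))     # one concern: id allocated to redhat
```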