RE: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's Participation
Chandan,
Looking at the discussion of "source" in the draft, I feel it's better
to use something else for references - most source names are not
associated with CNAs, and some, such as MISC, MLIST, and CONFIRM, are
not even associated with a single site.
George
-----Original Message-----
From: Chandan Nandakumaraiah [mailto:cbn@juniper.net]
Sent: Thursday, March 01, 2018 12:45 PM
To: Theall, George A <gtheall@mitre.org>; cve-editorial-board-list
<cve-editorial-board-list@lists.mitre.org>
Cc: cve-board-auto-list <cve-board-auto-list@lists.mitre.org>
Subject: Re: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's
Participation
On 3/1/18 4:51 AM, Theall, George A wrote:
> - "source", which represents the source of the reference. It will have
> one of the values listed at https://cve.mitre.org/data/refs/#sources
> e.g., "CERT-VN", "CISCO", "CONFIRM", "REDHAT", etc.
"source" is already defined in the JSON v4 as an object, meant to be
used for such purposes:
https://github.com/CVEProject/automation-working-group/blob/master/cve_json_schema/DRAFT-JSON-file-format-v4.md#source
If there is a CNA ID, use that instead of "REDHAT" or "CISCO"
example:
"references": {
  "reference_data": [
    {
      "name": "RedHat Security Advisory RHSA-2018:0151",
      "url": "https://access.redhat.com/errata/RHSA-2018:0151",
      "source": {
        "CNA_ID": "CNA-72a82740-9249-4699-8803-5c4e4b590ce8"
      }
    }
  ]
}
> - "name", which is a string that helps identify the reference among
> others in the same source; e.g., "VU#584653" (for CERT-CC), "20180104
> CPU Side-Channel Information Disclosure Vulnerabilities" (for "CISCO"),
> "RHSA-2018:0292" (for "REDHAT"), etc. Note that, while MITRE uses the
> reference URL as the name for the "CONFIRM" and "MISC" sources in the
> CVE List, we plan to omit this attribute for those two sources.
This is OK. I remember seeing some CNAs already use this field.
Thanks
-Chandan
--
Security Incident Response Team
Juniper Networks