CVE Board Meeting 21 February 2018
Board Members in Attendance
Mark Cox (Red Hat)
Beverly Finch (Lenovo)
Kent Landfield (McAfee)
Pascal Meunier (CERIAS/Purdue University)
Scott Moore (IBM)
Kurt Seifried (Red Hat/DWF)
Taki Uchiyama (JPCERT/CC)
Dave Waltermire (NIST)
Members of MITRE CVE Team in Attendance
2:00 – 2:05: Introductions, action items from the last meeting – Chris Coffin
2:05 – 2:15: Automation – George Theall
2:15 – 2:30:
2:30 – 3:40: Discussion on the 2nd CVE CNA Summit
3:40 – 3:50: Open Discussion
3:50 – 4:00: Action items, wrap-up – Chris Coffin
Review of Action Items from Last Meeting
Board Working Groups
Strategic Planning Working Group (Kent Landfield)
ISSUES: No SPWG meeting so no update.
BOARD DECISIONS: N/A
Automation Working Group (George Theall)
ISSUES: Discussed several use cases for the CNA Registry files that we’ve been talking about. There was consensus for using a UUID for identifying CNAs in both the CNA Registry and cvelist repos. Also, consensus on use of CNA Registry JSON in automatic handling of pull requests.
Dave Waltermire: Our engineers are working on implementing the import from the JSON feeds and we are running into a few problems. The general JSON schema doesn’t validate because it doesn’t have the state field in it. There’s the individual state ones as well that you may be having problems with. Also having problems with how to deal with references. The source attribute is more useful in the XML format than in the JSON schema. There is also extraneous white space that needs to be removed from the descriptions. I think we might be able to deal with it, but there are almost 10,000 descriptions that need the white space change. We found about 900 hyperlinks that don’t have proper encoding; maybe that’s something we should be validating for.
George: Can we support that in the schema as it currently stands? Kurt: Yes. George: Okay, it’s just a case of MITRE adding it in. We should be able to do it pretty easily. I’d like to talk about the schema validation problems, but maybe we can talk about that (in a separate call). Dave will have some of his engineers call George to discuss.
ACTIONS: MITRE to set up meeting between NIST/MITRE to discuss validation problems.
BOARD DECISIONS: N/A
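As an added example (not from the minutes or the CVE project), a small checker for the three data-quality problems reported above: a missing state field, extraneous whitespace in descriptions, and improperly encoded reference URLs. It runs over a constructed CVE JSON 4.0-style record; the `CVE_data_meta.STATE` field name and the record layout are assumptions about the cvelist format.

```python
import json
import re

# Constructed sample: a CVE JSON 4.0-style record carrying the three defects the
# minutes mention (no state field, stray whitespace, unencoded URL). Not a real entry.
SAMPLE_RECORD = json.loads(r"""
{
  "data_type": "CVE",
  "data_format": "MITRE",
  "data_version": "4.0",
  "CVE_data_meta": {"ID": "CVE-0000-00000", "ASSIGNER": "cna@example.invalid"},
  "description": {"description_data": [
      {"lang": "eng", "value": "  Example  issue in example product.\n allows  attackers to ... "}
  ]},
  "references": {"reference_data": [
      {"url": "http://example.invalid/advisory with space", "name": "advisory"},
      {"url": "http://example.invalid/ok/path?id=1&x=%20y", "name": "ok"}
  ]}
}
""")

# Characters RFC 3986 lets appear raw in a URL; anything else must be percent-encoded.
_URL_ALLOWED = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*$")
# A '%' that is not followed by two hex digits is a broken escape.
_BAD_PCT = re.compile(r"%(?![0-9A-Fa-f]{2})")

def normalize_whitespace(text):
    """Collapse runs of whitespace (including newlines) and trim both ends."""
    return " ".join(text.split())

def url_properly_encoded(url):
    """True if url uses only RFC 3986 characters and every '%' starts a valid escape."""
    return bool(_URL_ALLOWED.match(url)) and not _BAD_PCT.search(url)

def check_record(record):
    """Return (json_path, problem) tuples for the defects discussed in the minutes."""
    problems = []
    meta = record.get("CVE_data_meta", {})
    if "STATE" not in meta:  # assumed field name for the entry's state (e.g. PUBLIC)
        problems.append(("CVE_data_meta.STATE", "missing"))
    for i, d in enumerate(record.get("description", {}).get("description_data", [])):
        if d["value"] != normalize_whitespace(d["value"]):
            problems.append((f"description.description_data[{i}].value", "extraneous whitespace"))
    for i, r in enumerate(record.get("references", {}).get("reference_data", [])):
        if not url_properly_encoded(r["url"]):
            problems.append((f"references.reference_data[{i}].url", "improper encoding"))
    return problems
```

Running `check_record` over an entire feed directory gives the counts the minutes cite (descriptions needing whitespace fixes, URLs needing encoding) as a repeatable validation step rather than a one-off audit.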
JPCERT (Taki Uchiyama)
STATUS: Still waiting on some vendors that are wanting to become CNAs, but they aren’t technically CNAs yet. No further updates. Kurt: Are you going to be posting a list of what you cover? Taki: I haven’t really thought about that yet.
Chris Coffin: This is where the CNA registry will come in handy. At the summit, we had a CNA (Trend Micro) that discussed sending us their CVEs in Japanese so that may be of use to you.
Kent: We probably need a dedicated call on the topic of translations, to talk about the method of distribution and how to coordinate with the CNAs.
DWF (Kurt Seifried)
STATUS: In the process of bringing up a couple of sub-CNAs. We need to get the CNA registry set up sooner rather than later. Of the 80-some CNAs that we have, well over half have a large open source presence. Kurt asked that MITRE send him the official links to the CVE assignment training materials.
MITRE (CVE Team)
STATUS: We’ve talked to Synack, Samsung Mobile, and SonicWall, who all want to become CNAs. Tomorrow we will be talking to Sangoma (a VoIP company) and Cloudflare. As far as I know, all they do is services, so we’ll see what they’re interested in assigning IDs to. No new CNAs. HPE cleaned up their backlog of 180 CVE IDs and Huawei is working on doing the same.
DISCUSSION: Kent Landfield: You said Samsung Mobile and not Samsung Corp.; are we breaking up corporations into components or sub-sets? Jonathan: We are already doing that (Google Chrome). Samsung Corp is not ready to be a CNA, but their mobile component is. Chris Coffin: We may need a process to merge subsets as more come on board. It happens with larger corporations (IBM).
Jonathan: Regarding Samsung Mobile, KrCERT wants to become a root CNA for Korea and I told Samsung Mobile that if they do, we may want to move them under KrCERT.
Kent: This is another area where we need more discussion. We have no stand-up process for that. We need to walk through the requirements and document that.
Kurt: Can a sub-CNA pick which root CNA they want to be under?
Kent: We need to figure out the root structure first before we can answer that.
Kurt: I would suggest we go with geography because it seems easiest with respect to language and time zones.
Discussion on the 2nd CVE CNA Summit
Summary of Action Items