MITRE can now accept CVE ID publication notifications formatted in JSON

MITRE can now accept CVE ID publication notifications formatted in JSON

Adinolfi, Daniel R

Greetings,

Thanks to the efforts of the CVE Automation Working Group, MITRE can accept CVE ID publication notifications formatted in JSON. This is in addition to using the file formats described in Appendix B of the CNA Rules.

The format specification is here:

<https://github.com/CVEProject/automation-working-group/blob/master/cve_json_schema/DRAFT-JSON-file-format-v4.md>

The full specification and some examples are listed here:

<https://github.com/CVEProject/automation-working-group/tree/master/cve_json_schema>

You can submit a request using the JSON format to notify MITRE that a CVE ID entry is ready to be published. You can send this request through the CVE Request form:

Choose "Notify CVE about a publication", enter the link to the advisory and CVE IDs in the required fields, and add the JSON-formatted data into the "Additional information and CVE ID description updates" field.

Note, you can update multiple CVE IDs with the same request as shown in the "Minimal example needed for CVE [multiple entries]" on the format specification page.

If you have any questions or feedback on the JSON format or its use, please submit that feedback through the CVE Request form or by emailing [hidden email].

Thanks, and many thanks to everyone who worked to develop this new format standard.

-Dan, for the CVE Team
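
A pre-submission check for the procedure described in the message above, as an added example that is not part of the original post or of MITRE's tooling: it confirms that a single-record JSON entry parses, carries the minimal fields, and agrees with the CVE IDs and advisory link entered in the form. The field names are this example's reading of the linked JSON 4.0 specification, which remains authoritative; `check_submission`, the sample record and its placeholder ID and URL are constructed.

```python
import json
import re
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")
HEADER = {"data_type": "CVE", "data_format": "MITRE", "data_version": "4.0"}
REQUIRED = [  # paths that must hold a non-empty value (assumed v4.0 layout)
    ("CVE_data_meta", "ASSIGNER"),
    ("description", "description_data", 0, "value"),
    ("problemtype", "problemtype_data", 0, "description", 0, "value"),
    ("affects", "vendor", "vendor_data", 0, "product", "product_data", 0, "product_name")]

def _dig(obj, *path):
    """Walk nested dicts/lists; return None when any step is missing."""
    for key in path:
        try:
            obj = obj[key]
        except (KeyError, IndexError, TypeError):
            return None
    return obj

def check_submission(json_text, form_cve_ids, advisory_url):
    """Return a list of problems; an empty list means the record looks ready."""
    try:
        rec = json.loads(json_text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(rec, dict):
        return ["expected a single JSON object"]
    problems = [f"{k} should be {v!r}" for k, v in HEADER.items() if rec.get(k) != v]
    cve_id = _dig(rec, "CVE_data_meta", "ID")
    if not isinstance(cve_id, str) or not CVE_ID.match(cve_id):
        problems.append("CVE_data_meta.ID is missing or malformed")
    elif cve_id not in form_cve_ids:
        problems.append(f"{cve_id} is not among the CVE IDs entered in the form")
    problems += [".".join(map(str, p)) + " is missing" for p in REQUIRED if not _dig(rec, *p)]
    refs = _dig(rec, "references", "reference_data")
    urls = [r.get("url") for r in refs if isinstance(r, dict)] if isinstance(refs, list) else []
    if advisory_url not in urls:
        problems.append("advisory URL from the form is not listed in references.reference_data")
    return problems

# Constructed sample: CVE-1900-0001, Example Corp and example.com are placeholders.
SAMPLE = json.dumps({
    "data_type": "CVE", "data_format": "MITRE", "data_version": "4.0",
    "CVE_data_meta": {"ID": "CVE-1900-0001", "ASSIGNER": "psirt@example.com"},
    "affects": {"vendor": {"vendor_data": [{"vendor_name": "Example Corp", "product": {"product_data": [
        {"product_name": "Widget", "version": {"version_data": [{"version_value": "1.2.3"}]}}]}}]}},
    "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79"}]}]},
    "references": {"reference_data": [{"url": "https://example.com/advisories/1"}]},
    "description": {"description_data": [{"lang": "eng", "value": "Constructed description."}]}})
```
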

 

 

Re: MITRE can now accept CVE ID publication notifications formatted in JSON

William Cox
Is this process open for third parties to update CVE entries when information is found? Couple of examples:

1. Update a CVE that is currently reserved in order to reflect its publication
2. Update a published CVE to amend the content, description or references.

And what is a reasonable volume for such a third party that would not be overly burdensome to MITRE? Black Duck’s research is in the position to know of thousands of CVEs in use but not published fully in CVE. Some of these we know about from advisory feeds out of Debian and Red Hat, although not clear if they are the CNA for such CVEs.


--
William Cox
Senior Software Engineer
Black Duck Software
[hidden email]

> On Apr 12, 2017, at 15:30, Adinolfi, Daniel R <[hidden email]> wrote:
>
> Greetings,
>
> Thanks to the efforts of the CVE Automation Working Group, MITRE can accept CVE ID publication notifications formatted in JSON. This is in addition to using the file formats described in Appendix B of the CNA Rules.
>
> The format specification is here:
> <https://github.com/CVEProject/automation-working-group/blob/master/cve_json_schema/DRAFT-JSON-file-format-v4.md>
>
> The full specification and some examples are listed here:
> <https://github.com/CVEProject/automation-working-group/tree/master/cve_json_schema>
>
> You can submit a request using the JSON format to notify MITRE that a CVE ID entry is ready to be published. You can send this request through the CVE Request form:
>
> Choose "Notify CVE about a publication", enter the link to the advisory and CVE IDs in the required fields, and add the JSON-formatted data into the "Additional information and CVE ID description updates" field.
>
> Note, you can update multiple CVE IDs with the same request as shown in the "Minimal example needed for CVE [multiple entries]" on the format specification page.
>
> If you have any questions or feedback on the JSON format or its use, please submit that feedback through the CVE Request form or by emailing [hidden email].
>
> Thanks, and many thanks to everyone who worked to develop this new format standard.
>
> -Dan, for the CVE Team
>
>


Disclaimer

The information contained in this communication from the sender is confidential. It is intended solely for use by the recipient and others authorized to receive it. If you are not the recipient, you are hereby notified that any disclosure, copying, distribution or taking action in relation of the contents of this information is strictly prohibited and may be unlawful.

This email has been scanned for viruses and malware, and may have been automatically archived by Mimecast Ltd, an innovator in Software as a Service (SaaS) for business. Providing a safer and more useful place for your human generated data. Specializing in; Security, archiving and compliance. To find out more Click Here.

Re: MITRE can now accept CVE ID publication notifications formatted in JSON

Adinolfi, Daniel R

Greetings,

Yes, this process is open for third parties. Because MITRE would be receiving the information in a standardized format, we can process them using some automation tools that we've developed and continue to develop to speed up publication. If Black Duck has a batch, we can work with you to get them to us and get them integrated into the CVE list.

Thanks.

-Dan

 

From: William Cox <[hidden email]>
Date: Wednesday, April 19, 2017 at 15:43
To: "Adinolfi, Daniel R" <[hidden email]>
Cc: cve-editorial-board-list <[hidden email]>
Subject: Re: MITRE can now accept CVE ID publication notifications formatted in JSON

 

Is this process open for third parties to update CVE entries when information is found? Couple of examples:

1. Update a CVE that is currently reserved in order to reflect its publication
2. Update a published CVE to amend the content, description or references.

And what is a reasonable volume for such a third party that would not be overly burdensome to MITRE? Black Duck’s research is in the position to know of thousands of CVEs in use but not published fully in CVE. Some of these we know about from advisory feeds out of Debian and Red Hat, although not clear if they are the CNA for such CVEs.


--
William Cox
Senior Software Engineer
Black Duck Software
[hidden email]

> On Apr 12, 2017, at 15:30, Adinolfi, Daniel R <[hidden email]> wrote:
>
> Greetings,
>
> Thanks to the efforts of the CVE Automation Working Group, MITRE can accept CVE ID publication notifications formatted in JSON. This is in addition to using the file formats described in Appendix B of the CNA Rules.
>
> The format specification is here:
> <https://github.com/CVEProject/automation-working-group/blob/master/cve_json_schema/DRAFT-JSON-file-format-v4.md>
>
> The full specification and some examples are listed here:
> <https://github.com/CVEProject/automation-working-group/tree/master/cve_json_schema>
>
> You can submit a request using the JSON format to notify MITRE that a CVE ID entry is ready to be published. You can send this request through the CVE Request form:
>
> Choose "Notify CVE about a publication", enter the link to the advisory and CVE IDs in the required fields, and add the JSON-formatted data into the "Additional information and CVE ID description updates" field.
>
> Note, you can update multiple CVE IDs with the same request as shown in the "Minimal example needed for CVE [multiple entries]" on the format specification page.
>
> If you have any questions or feedback on the JSON format or its use, please submit that feedback through the CVE Request form or by emailing [hidden email].
>
> Thanks, and many thanks to everyone who worked to develop this new format standard.
>
> -Dan, for the CVE Team
>
>
