Notice of Pilot Activity in CVE Auto WG - Phase 3 of the Git Pilot


Notice of Pilot Activity in CVE Auto WG - Phase 3 of the Git Pilot

Theall, George A

The CVE Automation Working Group (AWG) has operated a pilot since May 2017 to explore sharing of CVE data using git.

The first phase involved use of a private, MITRE-hosted git repository and ran from May through August of this year. Participation was limited to members of the Automation Group.

The second phase has been a short, transitional one in which activity shifted to a public repo hosted on Github.com and a process was established to perform some basic validation of JSON files in pull requests (submissions) against the minimal schema automatically. In the past 6 weeks, there have been over a hundred pull requests, nearly all of which have been accepted.

The Automation Working Group now proposes a third phase of the pilot, to focus on several workflow issues:

1. Extended automatic validation of pull requests.

Note the goal here is to identify areas of concern for further review, either by the submitter or the primary CNA.

  a. Check GPG signatures on commits.
  b. Identify when requests to populate or modify descriptions by a CNA involve ids allocated to a different CNA.
  c. Identify when references are "broken".
  d. Identify if none of the references associated with a CVE id specifically mention that id.

2. Automatic acceptance by policy of pull requests.

  a. Requests from IBM that populate or update descriptions, provided automatic validation has not identified any areas of concern.
  b. Requests from any pilot participant that solely add references.
  c. Requests from the NVD that add CVSS / CPE information that is separate from what may have been added by the assigning CNA.

3. Handling of updates to a single entry by multiple maintainers.

The goal here is to see if multiple stakeholders can update a single entry; for example, a description update from the assigning CNA, reference additions from other CNAs, and adds of CVSS and CPE information by the NVD. Of particular interest is whether it’s possible to support updates in close proximity to one another, such as might happen with a vulnerability such as Heartbleed.

4. Identification of workflows for addressing issues in entries across participants.

In addition, we would like to see the pilot opened up to all interested root CNAs.

Unless there are sustained objections from the Board (i.e., "silence begets acceptance"), we propose to start the third phase of the pilot after next week’s Board call, on Wednesday, December 13th, and let it run through May 2018.

George

--

[hidden email]

The MITRE Corporation
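
As an added illustration of the validation items 1b to 1d and the acceptance rules 2a to 2c proposed above (example code written for this page, not the pilot's or the AWG's own tooling), the Python below decides whether a constructed pull request can be accepted by policy or needs review. The entry layout, the CNA allocation table and the fetched reference bodies are constructed assumptions, and reference checks are applied only to the references a request touches.

```python
"""Policy checks modelled on the phase-3 proposal: validation items 1b, 1c, 1d
and acceptance rules 2a-2c. Added illustration only; the entry layout, the
allocation table and the fetched reference bodies are constructed."""
from typing import Dict, List, Optional, Set

# Constructed allocation table: CVE id -> CNA the id was allocated to.
ALLOCATIONS = {"CVE-2017-1000": "IBM", "CVE-2017-1001": "DWF"}

# Constructed stand-in for fetching each reference; None models a broken link.
FETCHED: Dict[str, Optional[str]] = {
    "https://example.com/ibm-advisory": "IBM advisory for CVE-2017-1000 ...",
    "https://example.com/changelog": "Release notes that name no CVE id",
    "https://example.com/gone": None,
}

def changed_sections(old: dict, new: dict) -> Set[str]:
    """Top-level sections whose content differs between the two versions."""
    return {k for k in set(old) | set(new) if old.get(k) != new.get(k)}

def validate(new: dict, changed: Set[str], submitter: str,
             fetched: Dict[str, Optional[str]]) -> List[str]:
    """Areas of concern for a human reviewer; an empty list means none found."""
    concerns: List[str] = []
    cve_id, owner = new["id"], ALLOCATIONS.get(new["id"])
    # 1b: description populated or modified by a CNA that does not own the id.
    if "description" in changed and owner != submitter:
        concerns.append(f"1b: {cve_id} is allocated to {owner}, not {submitter}")
    # 1c/1d are applied to the references the request touches (assumption).
    if "references" in changed:
        mentions = 0
        for url in new.get("references", []):
            body = fetched.get(url)
            if body is None:
                concerns.append(f"1c: broken reference {url}")
            elif cve_id in body:
                mentions += 1
        if mentions == 0:
            concerns.append(f"1d: no reference mentions {cve_id}")
    return concerns

def decide(old: dict, new: dict, submitter: str,
           fetched: Dict[str, Optional[str]] = FETCHED) -> str:
    """Apply acceptance rules 2a-2c; everything else goes to manual review."""
    changed = changed_sections(old, new)
    concerns = validate(new, changed, submitter, fetched)
    if not concerns:
        if submitter == "IBM" and changed <= {"description", "references"}:
            return "auto-accept"  # 2a: IBM descriptions, no concerns found
        if changed == {"references"}:
            return "auto-accept"  # 2b: any participant, references only
    if submitter == "NVD" and changed == {"nvd_impact"}:
        return "auto-accept"  # 2c: NVD CVSS/CPE kept separate from CNA fields
    return "review" + (": " + "; ".join(concerns) if concerns else "")

def demo() -> Dict[str, str]:
    # Constructed requests against one entry; returns scenario -> decision.
    entry = {"id": "CVE-2017-1000", "description": "Flaw in product X",
             "references": ["https://example.com/ibm-advisory"]}
    refs = entry["references"]
    return {
        "ibm_populates_own_id": decide({"id": "CVE-2017-1000"}, entry, "IBM"),
        "dwf_edits_ibm_id": decide(entry, dict(entry, description="edited"), "DWF"),
        "refs_only_from_any_cna": decide(
            entry, dict(entry, references=refs + ["https://example.com/changelog"]), "Red Hat"),
        "broken_and_unmentioned": decide(
            entry, dict(entry, references=["https://example.com/gone"]), "Red Hat"),
        "nvd_adds_impact": decide(entry, dict(entry, nvd_impact={"cvss": "7.5"}), "NVD"),
    }
```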

 


Re: Notice of Pilot Activity in CVE Auto WG - Phase 3 of the Git Pilot

Landfield, Kent

I have no issues with the proposal but would like to understand the term “root CNA”. Are you talking about all CNAs today or just the DWF and JPCERT/CC?

Thank you, Gracias, Grazie, 谢谢, Merci!, Спасибо!, Danke!, ありがとう, धन्यवाद!

--
Kent Landfield
+1.817.637.8026
[hidden email]

From: <[hidden email]> on behalf of "Theall, George A" <[hidden email]>
Date: Wednesday, December 6, 2017 at 3:16 PM
To: cve-editorial-board-list <[hidden email]>
Subject: Notice of Pilot Activity in CVE Auto WG - Phase 3 of the Git Pilot

 


RE: Notice of Pilot Activity in CVE Auto WG - Phase 3 of the Git Pilot

Theall, George A
Kent,

We would like to extend the pilot to all CNAs except sub-CNAs (as they need to pass assignment information and updates to the root that manages them).

George

-----Original Message-----
From: Landfield, Kent [mailto:[hidden email]]
Sent: Wednesday, December 06, 2017 4:30 PM
To: Theall, George A <[hidden email]>; cve-editorial-board-list <[hidden email]>
Subject: Re: Notice of Pilot Activity in CVE Auto WG - Phase 3 of the Git Pilot


Re: Notice of Pilot Activity in CVE Auto WG - Phase 3 of the Git Pilot

Landfield, Kent
Thanks, that makes sense.

(As a project, we need to get a consistent set of terminology… ;-))

Thank you, Gracias, Grazie,  谢谢, Merci!, Спасибо!, Danke!, ありがとう, धन्यवाद!
 
--
Kent Landfield
+1.817.637.8026
[hidden email]
 

On 12/6/17, 3:38 PM, "Theall, George A" <[hidden email]> wrote:

    Kent,
   
    We would like to extend the pilot to all CNAs except sub-CNAs (as they need to pass assignment information and updates to the root that manages them).
   
    George
   

Re: Notice of Pilot Activity in CVE Auto WG - Phase 3 of the Git Pilot

Kurt Seifried
In reply to this post by Theall, George A
Shouldn't we simply define this as "All the CNAs listed at https://cve.mitre.org/cve/request_id.html"? Essentially they are TLDs that can talk directly to MITRE. Everyone else talks to their parent (and so on).

On Wed, Dec 6, 2017 at 2:37 PM, Theall, George A <[hidden email]> wrote:

> Kent,
>
> We would like to extend the pilot to all CNAs except sub-CNAs (as they need to pass assignment information and updates to the root that manages them).
>
> George
>

--

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: [hidden email]

RE: Notice of Pilot Activity in CVE Auto WG - Phase 3 of the Git Pilot

Coffin, Chris
> Shouldn't we simply define this as "All the CNAs listed at https://cve.mitre.org/cve/request_id.html"? Essentially they are TLDs that can talk directly to MITRE. Everyone else talks to their parent (and so on).

Agreed.

Chris

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Kurt Seifried
Sent: Wednesday, December 6, 2017 4:21 PM
To: Theall, George A <[hidden email]>
Cc: Landfield, Kent <[hidden email]>; cve-editorial-board-list <[hidden email]>
Subject: Re: Notice of Pilot Activity in CVE Auto WG - Phase 3 of the Git Pilot
