Notice of Pilot Activity in CVE Auto WG - Supporting NVD's Participation


Notice of Pilot Activity in CVE Auto WG - Supporting NVD's Participation

Theall, George A

To support NVD's participation in the git pilot, MITRE proposes to add one or two attributes to reference objects in the CVE JSON files in the cvelist repo, which will allow NIST to regenerate the CVE List from the repo rather than having to rely on an older download file (allitems.xml). Specifically, we propose to add the following attributes:

- "source", which represents the source of the reference. It will have one of the values listed at https://cve.mitre.org/data/refs/#sources; e.g., "CERT-VN", "CISCO", "CONFIRM", "REDHAT", etc.

- "name", which is a string that helps identify the reference among others in the same source; e.g., "VU#584653" (for CERT-CC), "20180104 CPU Side-Channel Information Disclosure Vulnerabilities" (for "CISCO"), "RHSA-2018:0292" (for "REDHAT"), etc. Note that, while MITRE uses the reference URL as the name for the "CONFIRM" and "MISC" sources in the CVE List, we plan to omit this attribute for those two sources.

If there are objections from anyone on the Board list, please let us know and we will discuss in the next call. Otherwise, we will proceed with the change and implement early next week.

 

 

George

--

[hidden email]

The MITRE Corporation

 


Re: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's Participation

Kurt Seifried


On Thu, Mar 1, 2018 at 5:51 AM, Theall, George A <[hidden email]> wrote:

> To support NVD's participation in the git pilot, MITRE proposes to add one or two attributes to reference objects in the CVE JSON files in the cvelist repo, which will allow NIST to regenerate the CVE List from the repo rather than having to rely on an older download file (allitems.xml). Specifically, we propose to add the following attributes:
>
> - "source", which represents the source of the reference. It will have one of the values listed at https://cve.mitre.org/data/refs/#sources; e.g., "CERT-VN", "CISCO", "CONFIRM", "REDHAT", etc.
>
> - "name", which is a string that helps identify the reference among others in the same source; e.g., "VU#584653" (for CERT-CC), "20180104 CPU Side-Channel Information Disclosure Vulnerabilities" (for "CISCO"), "RHSA-2018:0292" (for "REDHAT"), etc. Note that, while MITRE uses the reference URL as the name for the "CONFIRM" and "MISC" sources in the CVE List, we plan to omit this attribute for those two sources.

Can I suggest instead of name we consider using the alias field? We would simply identify the namespaces, e.g. "RedHat-RHSA" (because we might want to also alias package names using e.g. "RedHat-RPMS") or "CERT-CC" and the data would otherwise be identical (e.g. an RHSA #).

> If there are objections from anyone on the Board list, please let us know and we will discuss in the next call. Otherwise, we will proceed with the change and implement early next week.

Not an objection but a suggestion =)
 

 

 


--

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: [hidden email]

RE: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's Participation

Theall, George A
After private discussions with Kurt, we are amending the proposal to use an alias for each reference. Each alias will be declared in the "MITRE-REF" namespace and have as its value the reference as it appears in the CVE List. For example,

         {
            "alias": {
              "alias_data": [
                {
                  "namespace": ["MITRE-REF"],
                  "value": "CONFIRM:https://01.org/security/advisories/intel-oss-10002"
                }
              ]
            },
            "url": "https://01.org/security/advisories/intel-oss-10002"
         },
         {
            "alias": {
              "alias_data": [
                {
                  "namespace": ["MITRE-REF"],
                  "value": "CISCO:20180104 CPU Side-Channel Information Disclosure Vulnerabilities"
                }
              ]
            },
            "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180104-cpusidechannel"
         },
         {
            "alias": {
              "alias_data": [
                {
                  "namespace": ["MITRE-REF"],
                  "value": "REDHAT:RHSA-2018:0292"
                }
              ]
            },
            "url": "https://access.redhat.com/errata/RHSA-2018:0292"
         },
         ...

George



RE: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's Participation

Theall, George A
Chandan,

Looking at the discussion of "source" in the draft, I feel it's better to use something else for references - most source names are not associated with CNAs, and some, such as MISC, MLIST, and CONFIRM, are not even associated with a single site.

George

-----Original Message-----
From: Chandan Nandakumaraiah [mailto:[hidden email]]
Sent: Thursday, March 01, 2018 12:45 PM
To: Theall, George A <[hidden email]>; cve-editorial-board-list <[hidden email]>
Cc: cve-board-auto-list <[hidden email]>
Subject: Re: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's Participation



On 3/1/18 4:51 AM, Theall, George A wrote:

> - "source", which represents the source of the reference. It will have
> one of the values listed at https://cve.mitre.org/data/refs/#sources
> eg, "CERT-VN", "CISCO", "CONFIRM", "REDHAT", etc.

"source" is already defined in the JSON v4 as an object, meant to be used for such purposes:

https://github.com/CVEProject/automation-working-group/blob/master/cve_json_schema/DRAFT-JSON-file-format-v4.md#source

If there is a CNA ID, use that instead of "REDHAT" or "CISCO". Example:

  "references": {
    "reference_data": [
      {
        "name": "RedHat Security Advisory RHSA-2018:0151",
        "url": "https://access.redhat.com/errata/RHSA-2018:0151",
        "source": {
          "CNA_ID": "CNA-72a82740-9249-4699-8803-5c4e4b590ce8"
        }
      }
    ]
  }


> - "name", which is a string that helps identify the reference among
> others in the same source; eg, "VU#584653" (for CERT-CC), "20180104
> CPU Side-Channel Information Disclosure Vulnerabilities" (for "CISCO")
> "RHSA-2018:0292" (for "REDHAT"), etc. Note that, while MITRE uses the
> reference URL as the name for the "CONFIRM" and "MISC" sources in the
> CVE List, we plan to omit this attribute for those two sources.

This is OK. I remember seeing some CNAs already use this field.

Thanks
-Chandan
--
Security Incident Response Team
Juniper Networks

RE: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's Participation

Theall, George A
Hi Omar,

Public CVEs can have one or more references. [There must be at least one so that CVE is not the first point of disclosure, and we cap the maximum number at 500 currently to allow end-users to plan for storage if necessary.]

By the way, issue #28 in the AWG's tracker (https://github.com/CVEProject/automation-working-group/issues/28) might be relevant here. Perhaps we could devise one or more tags for machine-readable references.

George

-----Original Message-----
From: Omar Santos (osantos) [mailto:[hidden email]]
Sent: Friday, March 02, 2018 3:41 PM
To: Theall, George A <[hidden email]>; Kurt Seifried <[hidden email]>
Cc: cve-editorial-board-list <[hidden email]>; cve-board-auto-list <[hidden email]>
Subject: Re: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's Participation


Hi George and team,

Sorry that I am a bit late to the party. This makes complete sense and I really like the approach.

One minor question. As we evolve to more machine-readable formats and exchanges, we may eventually have different "URLs" for content. For example, one for the "human-readable advisory", another for an OVAL definition, another for CVRF/CSAF document. I assume that the URL is not restricted to one entity? (min zero, max: infinity)?

Great work on this!

Regards,

Omar Santos
Cisco PSIRT






Re: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's Participation

Kurt Seifried
What about Fedora? CentOS? Trust me when I say, we don't want the CNA UUID, e.g. other Linux vendors that are not CNAs (like well CentOS and Fedora =). 

Also things like RPMForge, RPMFusion, etc, etc. 

On Fri, Mar 2, 2018 at 3:24 PM, Chandan Nandakumaraiah <[hidden email]> wrote:
On 3/1/18 6:33 AM, Kurt Seifried wrote:
>
> Can I suggest instead of name we consider using the alias field? We
> would simply identify the namespaces, e.g. "RedHat-RHSA" (because we
> might want to also alias package names using e.g. "RedHat-RPMS")

You are kludging "type" and a "namespace" in "RedHat-RHSA"

I would suggest encoding "RedHat-RHSA" as:

        namespace: CNA-< Redhat's UUID >
        type: ['advisory']
        value: 'RHSA-2018:0380'
        url: 'https://access.redhat.com/errata/RHSA-2018:0380'

Encode "RedHat-RPMS" as :

        namespace: CNA-< Redhat's UUID >
        type: ['solution']
        value: 'ansible-2.4.3.0-1.el7ae.src.rpm'
        url: "https://downloads...."

Encode "RedHat-Bugzilla" as :

        namespace: CNA-< Redhat's UUID >
        type: ['defect']
        value: '1253012'
        url: 'https://bugzilla.redhat.com/show_bug.cgi?id=1253012'

Encode "RedHat-CVRF" as:

        namespace: CNA-< Redhat's UUID >
        type: ['cvrf']
        value: 'cvrf-rhsa-2018-0002.xml'
        url: 'https://www.redhat.com/security/data/cvrf/2018/cvrf-rhsa-2018-0002.xml'

Is this more extensible and scalable?
If a CVE consumer wants to automate fetching CVRFs or RPMs for a set of
CNAs they are interested in, this allows it.
They do not have to hardcode "RedHat-CVRF" into their scripting.

Thanks,
-Chandan

--
Security Incident Response Team
Juniper Networks



--

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: [hidden email]

Re: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's Participation

Kurt Seifried
So I just learned about grafeas (did a podcast with Chris Rosen as guest), anyways TL;DR: they are basically doing similar things with JSON including something that is very similar to the alias field I proposed:

https://github.com/grafeas/grafeas

Component Type   Identifier                               Example
Debian           deb://dist(optional):arch:name:version   deb://lucid:i386:acl:2.2.49-2
Docker           https://Namespace/name@sha256:           https://gcr.io/scanning-customer/dockerimage@sha256:244fd47e07d1004f0aed9c156aa09083c82bf8944eceb67c946ff7430510a77b
Generic file     file://sha256::name                      file://sha256:244fd47e07d1004f0aed9c156aa09083c82bf8944eceb67c946ff7430510a77b:foo.jar
Maven            gav://group:artifact:version             gav://ant:ant:1.6.5
NPM              npm://package:version                    npm://mocha:2.4.5
NuGet            nuget://module:version                   nuget://log4net:9.0.1
Python           pip://package:version                    pip://raven:5.13.0
RPM              rpm://dist(optional):arch:name:version   rpm://el6:i386:ImageMagick:6.7.2.7-4

So the above is similar in that you have a defined namespace and then some value.

I'm going to reach out to them to see what we can do to coordinate/cooperate as they seem to have some good ideas, especially around consumption of the data in automated ways.


--
Kurt Seifried
[hidden email]

Re: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's Participation

Kurt Seifried
That (and many other reasons) is exactly why I'm going to go talk to them. 


On Tue, Mar 13, 2018 at 2:58 PM, Chandan Nandakumaraiah <[hidden email]> wrote:


On 3/13/18 1:04 PM, Kurt Seifried wrote:
> So I just learned about grafeas (did a podcast with Chris Rosen as
> guest), anyways TL;DR: they are basically doing similar things with JSON
> including something that is very similar to the alias field I proposed:
>
> https://github.com/grafeas/grafeas
...
> So the above is similar in that you have a defined namespace and then
> some value. 

How are they solving the problem of identifying namespaces?
Who creates, assigns or manages namespaces?

Thanks,
-Chandan
--
Security Incident Response Team
Juniper Networks



--

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: [hidden email]

Re: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's Participation

Waltermire, David A.
It seems like the CNA/publisher registry might be a good way to support registration of namespaces if they are purely organizational in nature. If they are functional in nature (e.g., represent a model), we will need to come up with something else.

I think in general we need to better understand what we would want to do with this feature to figure out what makes the most sense.

Regards,
Dave


RE: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's Participation

Theall, George A
After further discussion, we have minor changes to the original proposal -- instead of "source", an attribute named "refsource" will be used for the reference source, and the "name" attribute will be populated for all sources, even "CONFIRM" and "MISC".

Attached is an example of the JSON for CVE-2017-5753 using the modified proposal.

If there are concerns from members of the Board, please let us know and we will discuss in the call next Wednesday. Absent any sustained objections, we are looking to put the changes into effect next Thursday.

George
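As an added example (not MITRE's, NIST's or the AWG's code), the following Python takes reference objects in the final form described in this message (url, refsource, and a name populated for every source, which for CONFIRM and MISC is the URL itself) and regenerates the CVE List "SOURCE:name" strings, which are also the values carried in the "MITRE-REF" alias of the earlier amended proposal. The refsource allow-list, the sample record and the error messages are constructed assumptions; the real source list at https://cve.mitre.org/data/refs/#sources is much longer.

```python
"""Regenerate CVE List style reference strings from cvelist JSON reference objects.

Added example, not MITRE's code.  Assumes the final form of the proposal in this
thread: every object in references.reference_data has "url", "refsource" and "name",
and "name" is populated for all sources (for CONFIRM and MISC it equals the URL).
"""
from __future__ import annotations

import json

# Constructed subset of the refsource values at https://cve.mitre.org/data/refs/#sources.
KNOWN_REFSOURCES = {"CERT-VN", "CISCO", "CONFIRM", "MISC", "MLIST", "REDHAT"}
# Sources for which the CVE List uses the reference URL itself as the name.
URL_NAMED_SOURCES = {"CONFIRM", "MISC"}
MAX_REFERENCES = 500  # cap mentioned earlier in the thread


class BadReference(ValueError):
    """A reference object that does not satisfy the proposal."""


def validate_reference(ref: dict) -> tuple[str, str, str]:
    """Check one reference object and return (refsource, name, url)."""
    missing = [k for k in ("url", "refsource", "name") if not ref.get(k)]
    if missing:
        raise BadReference(f"missing attribute(s) {missing}")
    refsource, name, url = ref["refsource"], ref["name"], ref["url"]
    if refsource not in KNOWN_REFSOURCES:
        raise BadReference(f"unknown refsource {refsource!r}")
    if refsource in URL_NAMED_SOURCES and name != url:
        raise BadReference(f"{refsource} reference name must be its URL")
    return refsource, name, url


def reference_problem(ref: dict) -> str | None:
    """Return a description of what is wrong with a reference, or None if it is fine."""
    try:
        validate_reference(ref)
    except BadReference as exc:
        return str(exc)
    return None


def mitre_ref(refsource: str, name: str) -> str:
    """Render the CVE List form 'SOURCE:name' (the value of the MITRE-REF alias)."""
    return f"{refsource}:{name}"


def regenerate_references(cve_json: dict) -> list[str]:
    """Return the CVE List reference strings for one cvelist JSON record."""
    refs = cve_json["references"]["reference_data"]
    if not 1 <= len(refs) <= MAX_REFERENCES:
        raise BadReference(f"expected 1..{MAX_REFERENCES} references, got {len(refs)}")
    return [mitre_ref(*validate_reference(ref)[:2]) for ref in refs]


def alias_form(ref: dict) -> dict:
    """Rewrite a refsource/name reference object into the earlier alias-based form."""
    refsource, name, url = validate_reference(ref)
    return {
        "alias": {
            "alias_data": [
                {"namespace": ["MITRE-REF"], "value": mitre_ref(refsource, name)}
            ]
        },
        "url": url,
    }


# Constructed sample record built from the three references quoted in the thread.
SAMPLE_RECORD = json.loads("""
{
  "references": {
    "reference_data": [
      {"refsource": "CONFIRM",
       "name": "https://01.org/security/advisories/intel-oss-10002",
       "url": "https://01.org/security/advisories/intel-oss-10002"},
      {"refsource": "CISCO",
       "name": "20180104 CPU Side-Channel Information Disclosure Vulnerabilities",
       "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180104-cpusidechannel"},
      {"refsource": "REDHAT",
       "name": "RHSA-2018:0292",
       "url": "https://access.redhat.com/errata/RHSA-2018:0292"}
    ]
  }
}
""")

if __name__ == "__main__":
    for line in regenerate_references(SAMPLE_RECORD):
        print(line)
```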


Attachment: CVE-2017-5753.json (14K)

Re: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's Participation

Landfield, Kent

Hi George,

 

Quick question. For the language used, are we focusing on the three letter ISO 639-2 as the basis for language representation?  I did not see that anywhere (but I really didn’t look that hard…)

 

Thank you, Gracias, Grazie, 谢谢, Merci!, Спасибо!, Danke!, ありがとう, धन्यवाद!

-- 

Kent Landfield

+1.817.637.8026

[hidden email]

 



RE: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's Participation

Theall, George A
Hi Kent,

Exactly. That comes from the draft 4.0 spec; e.g., see the minimal structure needed for CVE examples.

George



Re: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's Participation

Landfield, Kent

Thanks George!

 

Thank you, Gracias, Grazie, 谢谢, Merci!, Спасибо!, Danke!, ありがとう, धन्यवाद!

-- 

Kent Landfield

+1.817.637.8026

[hidden email]

 



RE: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's Participation

Theall, George A
In reply to this post by Theall, George A
To let everyone know, we implemented the change and updated the JSON in the cvelist Git repo a short while ago.

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Theall, George A
Sent: Friday, March 30, 2018 12:09 PM
To: cve-editorial-board-list <[hidden email]>
Cc: cve-board-auto-list <[hidden email]>
Subject: RE: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's Participation

After further discussion, we have minor changes to the original proposal -- instead of "source", an attribute named "refsource" will be used for the reference source, and the "name" attribute will be populated for all sources, even "CONFIRM" and "MISC".

Attached is an example of the JSON for CVE-2017-5753 using the modified proposal.

If there are concerns from members of the Board, please let us know and we will discuss in the call next Wednesday. Absent any sustained objections, we are looking to put the changes into effect next Thursday.

George

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Theall, George A
Sent: Thursday, March 01, 2018 7:51 AM
To: cve-editorial-board-list <[hidden email]>
Cc: cve-board-auto-list <[hidden email]>
Subject: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's Participation

To support NVD's participation in the git pilot, MITRE proposes to add one or two attributes to reference objects in the CVE JSON files in the cvelist repo, which will allow NIST to regenerate the CVE List from the repo rather than having to rely on an older download file (allitems.xml). Specifically, we propose to add the following attributes:

- "source", which represents the source of the reference. It will have one of the values listed at https://cve.mitre.org/data/refs/#sources; eg, "CERT-VN", "CISCO", "CONFIRM", "REDHAT", etc.

- "name", which is a string that helps identify the reference among others in the same source; eg, "VU#584653" (for CERT-CC), "20180104 CPU Side-Channel Information Disclosure Vulnerabilities" (for "CISCO"), "RHSA-2018:0292" (for "REDHAT"), etc. Note that, while MITRE uses the reference URL as the name for the "CONFIRM" and "MISC" sources in the CVE List, we plan to omit this attribute for those two sources.

If there are objections from anyone on the Board list, please let us know and we will discuss in the next call. Otherwise, we will proceed with the change and implement early next week.

George

--
[hidden email]
The MITRE Corporation

Re: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's Participation

Kurt Seifried
I believe they are not required per se, I asked about this on a board call (e.g. are we supposed to fill them out, or does NVD do this, or what?). My understanding was that we could fill it out, but it's not required.

On Thu, Apr 12, 2018 at 2:16 AM, Mark J Cox <[hidden email]> wrote:
If "refsource" and "name" are now required fields could you update the
schema to ensure they are present.

Cheers, Mark

On Thu, Apr 5, 2018 at 3:23 PM, Theall, George A <[hidden email]> wrote:
> To let everyone know, we implemented the change and updated the JSON in the cvelist Git repo a short while ago.
>
> -----Original Message-----
> From: [hidden email] [mailto:[hidden email]] On Behalf Of Theall, George A
> Sent: Friday, March 30, 2018 12:09 PM
> To: cve-editorial-board-list <[hidden email]>
> Cc: cve-board-auto-list <[hidden email]>
> Subject: RE: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's Participation
>
> After further discussion, we have minor changes to the original proposal -- instead of "source", an attribute named "refsource" will be used for the reference source, and the "name" attribute will be populated for all sources, even "CONFIRM" and "MISC".
>
> Attached is an example of the JSON for CVE-2017-5753 using the modified proposal.
>
> If there are concerns from members of the Board, please let us know and we will discuss in the call next Wednesday. Absent any sustained objections, we are looking to put the changes into effect next Thursday.
>
> George
>
> -----Original Message-----
> From: [hidden email] [mailto:[hidden email]] On Behalf Of Theall, George A
> Sent: Thursday, March 01, 2018 7:51 AM
> To: cve-editorial-board-list <[hidden email]>
> Cc: cve-board-auto-list <[hidden email]>
> Subject: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's Participation
>
> To support NVD's participation in the git pilot, MITRE proposes to add one or two attributes to reference objects in the CVE JSON files in the cvelist repo, which will allow NIST to regenerate the CVE List from the repo rather than having to rely on an older download file (allitems.xml). Specifically, we propose to add the following attributes :
>
>
>
> - "source", which represents the source of the reference. It will have one of the values listed at https://cve.mitre.org/data/refs/#sources; eg, "CERT-VN", "CISCO", "CONFIRM", "REDHAT", etc.
>
>
>
> - "name", which is a string that helps identify the reference among others in the same source; eg, "VU#584653" (for CERT-CC), "20180104 CPU Side-Channel Information Disclosure Vulnerabilities" (for "CISCO") "RHSA-2018:0292" (for "REDHAT"), etc. Note that, while MITRE uses the reference URL as the name for the "CONFIRM" and "MISC" sources in the CVE List, we plan to omit this attribute for those two sources.
>
>
>
> If there are objections from anyone on the Board list, please let us know and we will discuss in the next call. Otherwise, we will proceed with the change and implement early next week
>
>
>
>
>
> George
>
> --
>
> [hidden email]
>
> The MITRE Corporation
>
>



--

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: [hidden email]

RE: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's Participation

Theall, George A
In reply to this post by Theall, George A
Mark,

Those attributes are optional - CNAs can elect to include them when they send us JSON.  MITRE will, though, include them when we sync the CVE List with the files in the repo.

I have created a pull request -- https://github.com/CVEProject/automation-working-group/pull/69 -- to add support for them in the schema for PUBLIC ids and invite someone else (eg, Kurt, Chris) to review and accept if they approve.

George

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Mark J Cox
Sent: Thursday, April 12, 2018 4:17 AM
To: Theall, George A <[hidden email]>
Cc: cve-editorial-board-list <[hidden email]>; cve-board-auto-list <[hidden email]>
Subject: Re: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's Participation

If "refsource" and "name" are now required fields could you update the schema to ensure they are present.

Cheers, Mark

On Thu, Apr 5, 2018 at 3:23 PM, Theall, George A <[hidden email]> wrote:

> To let everyone know, we implemented the change and updated the JSON in the cvelist Git repo a short while ago.
>
> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]] On Behalf Of
> Theall, George A
> Sent: Friday, March 30, 2018 12:09 PM
> To: cve-editorial-board-list
> <[hidden email]>
> Cc: cve-board-auto-list <[hidden email]>
> Subject: RE: Notice of Pilot Activity in CVE Auto WG - Supporting
> NVD's Participation
>
> After further discussion, we have minor changes to the original proposal -- instead of "source", an attribute named "refsource" will be used for the reference source, and the "name" attribute will be populated for all sources, even "CONFIRM" and "MISC".
>
> Attached is an example of the JSON for CVE-2017-5753 using the modified proposal.
>
> If there are concerns from members of the Board, please let us know and we will discuss in the call next Wednesday. Absent any sustained objections, we are looking to put the changes into effect next Thursday.
>
> George
>
> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]] On Behalf Of
> Theall, George A
> Sent: Thursday, March 01, 2018 7:51 AM
> To: cve-editorial-board-list
> <[hidden email]>
> Cc: cve-board-auto-list <[hidden email]>
> Subject: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's
> Participation
>
> To support NVD's participation in the git pilot, MITRE proposes to add one or two attributes to reference objects in the CVE JSON files in the cvelist repo, which will allow NIST to regenerate the CVE List from the repo rather than having to rely on an older download file (allitems.xml). Specifically, we propose to add the following attributes :
>
>
>
> - "source", which represents the source of the reference. It will have one of the values listed at https://cve.mitre.org/data/refs/#sources; eg, "CERT-VN", "CISCO", "CONFIRM", "REDHAT", etc.
>
>
>
> - "name", which is a string that helps identify the reference among others in the same source; eg, "VU#584653" (for CERT-CC), "20180104 CPU Side-Channel Information Disclosure Vulnerabilities" (for "CISCO") "RHSA-2018:0292" (for "REDHAT"), etc. Note that, while MITRE uses the reference URL as the name for the "CONFIRM" and "MISC" sources in the CVE List, we plan to omit this attribute for those two sources.
>
>
>
> If there are objections from anyone on the Board list, please let us
> know and we will discuss in the next call. Otherwise, we will proceed
> with the change and implement early next week
>
>
>
>
>
> George
>
> --
>
> [hidden email]
>
> The MITRE Corporation
>
>
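The reference objects the thread settles on, as an added worked example that is not MITRE's tooling and not the CVE-2017-5753 attachment George mentions: a small Python checker for the "references"/"reference_data" entries of a CVE JSON 4.0 record. It treats "url" as required and "refsource"/"name" as optional (George's answer to Mark), reports a "refsource" outside a known set as an error, fills "name" from the URL for CONFIRM and MISC the way the original proposal says the CVE List does, and renders a "REFSOURCE:name" string for NIST-style regeneration. Assumptions: KNOWN_REFSOURCES is only a partial subset of the list at https://cve.mitre.org/data/refs/#sources, the "REFSOURCE:name" output format is assumed rather than taken from the thread, and the sample record and its URLs are constructed for illustration.

```python
"""Check and normalise "refsource"/"name" on CVE JSON 4.0 reference objects.

Added example for this thread; it is not MITRE's tooling and not the
CVE-2017-5753 attachment mentioned above.  Assumptions are marked below.
"""
import json
from typing import Dict, List

# Assumption: a small subset of the reference sources MITRE lists at
# https://cve.mitre.org/data/refs/#sources.  Extend it from that page.
KNOWN_REFSOURCES = {"CERT-VN", "CISCO", "CONFIRM", "MISC", "REDHAT",
                    "MLIST", "BID", "SECTRACK", "XF"}

# Sources for which the CVE List uses the reference URL as the name
# (stated in the original proposal).
URL_NAMED_SOURCES = {"CONFIRM", "MISC"}


def validate_reference(ref: Dict[str, str]) -> List[str]:
    """Return problems for one reference object; [] means it is fine.

    'url' is required by the 4.0 reference structure.  'refsource' and
    'name' are optional for CNA submissions (MITRE adds them when it syncs
    the CVE List), so a missing one is reported as 'warn:' not 'error:'.
    """
    problems: List[str] = []
    url = ref.get("url")
    if not isinstance(url, str) or not url.startswith(("http://", "https://", "ftp://")):
        problems.append("error: 'url' missing or not an http(s)/ftp URL")
    refsource = ref.get("refsource")
    if refsource is None:
        problems.append("warn: 'refsource' absent")
    elif refsource not in KNOWN_REFSOURCES:
        problems.append(f"error: unknown refsource {refsource!r}")
    if "name" not in ref:
        problems.append("warn: 'name' absent")
    elif not isinstance(ref["name"], str) or not ref["name"].strip():
        problems.append("error: 'name' must be a non-empty string")
    return problems


def normalize_reference(ref: Dict[str, str]) -> Dict[str, str]:
    """Apply the one default the thread describes: for CONFIRM and MISC a
    missing 'name' becomes the URL.  Everything else is left untouched."""
    out = dict(ref)
    if "name" not in out and out.get("refsource") in URL_NAMED_SOURCES:
        out["name"] = out["url"]
    return out


def cvelist_reference_string(ref: Dict[str, str]) -> str:
    """Render 'REFSOURCE:name' (assumed CVE List download format).  Raises
    when the attributes are absent, which is exactly the case NIST could
    not regenerate from the repo before this change."""
    ref = normalize_reference(ref)
    if "refsource" not in ref or "name" not in ref:
        raise ValueError(f"cannot render {ref.get('url')!r}: refsource/name missing")
    return f"{ref['refsource']}:{ref['name']}"


def check_cve_record(record: Dict) -> Dict[str, List[str]]:
    """Map each reference URL in a 4.0 record to its list of problems."""
    refs = record.get("references", {}).get("reference_data", [])
    return {r.get("url", "<no url>"): validate_reference(r) for r in refs}


# Constructed sample record (not the attachment from the thread); the
# refsource/name values are the ones the proposal uses as examples.
SAMPLE_RECORD = {
    "data_type": "CVE",
    "data_format": "MITRE",
    "data_version": "4.0",
    "CVE_data_meta": {"ID": "CVE-2017-5753", "ASSIGNER": "cve@mitre.org"},
    "references": {"reference_data": [
        {"url": "https://www.kb.cert.org/vuls/id/584653",
         "refsource": "CERT-VN", "name": "VU#584653"},
        {"url": "https://access.redhat.com/errata/RHSA-2018:0292",
         "refsource": "REDHAT", "name": "RHSA-2018:0292"},
        {"url": "https://tools.cisco.com/security/center/content/"
                "CiscoSecurityAdvisory/cisco-sa-20180104-cpusidechannel",
         "refsource": "CISCO",
         "name": "20180104 CPU Side-Channel Information Disclosure Vulnerabilities"},
        # MISC with 'name' omitted: normalize_reference fills it from the URL.
        {"url": "https://spectreattack.com/", "refsource": "MISC"},
        # A CNA submission carrying neither attribute: accepted, but warned on.
        {"url": "https://example.invalid/advisory"},
    ]},
}


if __name__ == "__main__":
    for url, problems in check_cve_record(SAMPLE_RECORD).items():
        print(url, problems or "ok")
    for ref in SAMPLE_RECORD["references"]["reference_data"]:
        try:
            print(cvelist_reference_string(ref))
        except ValueError as exc:
            print("skipped:", exc)
    print(json.dumps(normalize_reference(SAMPLE_RECORD["references"]["reference_data"][3])))
```

Run it on a cvelist JSON file by loading the file with json.load and passing the result to check_cve_record; a record whose references carry neither attribute is still schema-valid under the optional reading George gives above, so the warnings are the signal that MITRE's sync step, not the CNA, will be the one supplying the values.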