public inbox for libc-alpha@sourceware.org
From: Carlos O'Donell <carlos@redhat.com>
To: libc-alpha <libc-alpha@sourceware.org>,
	Siddhesh Poyarekar <siddhesh@redhat.com>,
	Adhemerval Zanella <adhemerval.zanella@linaro.org>
Subject: Content of glibc advisories vs. CVE JSON v5 and CNA rules?
Date: Thu, 2 May 2024 17:40:18 -0400
Message-ID: <f55977ff-ec74-40a9-ae6d-2a80d453e4d2@redhat.com>

I want to make it as easy as a cut-and-paste to complete the work of
publishing the CVE data when the advisory text is complete.

When the glibc security team publishes an advisory as part of the CNA process
we must comply with the CNA Rules, and our goal is to use CVE JSONv5 format
uploads.

The JSONv5 format has a title and description field that must be provided.

The most interesting part is that the CVE description has some explicit
requirements in [1] that mean we would adopt similar requirements for
the text of our own advisories.

My opinion is as follows:

- The first line of our advisories should be the CVE title.
- The descriptive text of the advisory should be the CVE description.
  - Note the rules say "8.2.6 MAY contain information not listed here."
    so we can provide whatever else we want.

Thoughts?

-- 
Cheers,
Carlos.

[1] https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_8-2_cve_record_prose_description_requirements
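The mapping proposed above (first line of the advisory becomes the CVE title, the descriptive paragraphs become the CVE description) is mechanical enough to script. The following is an added example, not code from the message, the glibc project, or the CVE program. It assumes the CVE Record Format 5.0 field names for a published record (`cveMetadata`, `containers.cna.title`, `containers.cna.descriptions[].value`), treats the trailing block of `Key: value` lines found at the end of glibc advisory files (`CVE-Id:`, `Public-Date:`, and so on) as metadata rather than description text, and uses length limits that should be checked against the schema version actually used for upload. The sample advisory, the CVE id, and the org id in it are constructed placeholders.

```python
"""Build a CVE JSON 5.0 record skeleton from an advisory text.

Convention from the thread: the first line of the advisory is the CVE
title and the descriptive paragraphs are the CVE description.  Field
names follow the CVE Record Format 5.0; the length limits are assumptions
to be verified against the schema you upload with.
"""
import json
import re

TITLE_MAX = 256          # assumed schema maxLength for containers.cna.title
DESCRIPTION_MAX = 4096   # assumed schema maxLength for descriptions[].value

# Trailer lines such as "CVE-Id: CVE-YYYY-NNNN" or "Fix-Commit: <hash>".
# Treating a final all-trailer paragraph as metadata is an assumption about
# the glibc advisory file layout, not something the message states.
TRAILER_RE = re.compile(r"^[A-Z][A-Za-z-]*: \S")


def parse_advisory(text):
    """Return (title, description, trailers) for an advisory text.

    Line wrapping inside a paragraph is undone; paragraph breaks are kept
    as blank lines so the description reads cleanly in the CVE record.
    """
    lines = [l.rstrip() for l in text.strip("\n").splitlines()]
    if not lines or not lines[0].strip():
        raise ValueError("advisory must start with a title line")
    title = lines[0].strip()
    body = lines[1:]
    while body and not body[-1]:
        body.pop()

    # Split off the trailer block: the final paragraph, if every line in it
    # looks like "Key: value".  (A description whose last paragraph is a
    # single "Note: ..." line would be misread; keep trailers separated by
    # a blank line and this does not arise.)
    last_blank = max((i for i, l in enumerate(body) if not l), default=-1)
    tail = body[last_blank + 1:]
    trailers = {}
    if tail and all(TRAILER_RE.match(l) for l in tail):
        trailers = dict(l.split(": ", 1) for l in tail)
        body = body[:last_blank + 1] if last_blank >= 0 else []

    paragraphs, current = [], []
    for line in body:
        if line.strip():
            current.append(line.strip())
        elif current:
            paragraphs.append(" ".join(current))
            current = []
    if current:
        paragraphs.append(" ".join(current))
    return title, "\n\n".join(paragraphs), trailers


def build_cve_record(cve_id, org_id, title, description, references=()):
    """Assemble a CVE JSON 5.0 record dict; raise on CNA-rule violations."""
    if not title or len(title) > TITLE_MAX:
        raise ValueError("title missing or longer than %d" % TITLE_MAX)
    if not description:
        raise ValueError("CNA rules require a prose description")
    if len(description) > DESCRIPTION_MAX:
        raise ValueError("description longer than %d" % DESCRIPTION_MAX)
    return {
        "dataType": "CVE_RECORD",
        "dataVersion": "5.0",
        "cveMetadata": {
            "cveId": cve_id,
            "assignerOrgId": org_id,
            "state": "PUBLISHED",
        },
        "containers": {
            "cna": {
                "providerMetadata": {"orgId": org_id},
                "title": title,
                "descriptions": [{"lang": "en", "value": description}],
                "references": [{"url": u} for u in references],
            }
        },
    }


def advisory_to_record(text, org_id, cve_id=None, references=()):
    """Parse an advisory and build its record; CVE id may come from trailers."""
    title, description, trailers = parse_advisory(text)
    cve_id = cve_id or trailers.get("CVE-Id")
    if not cve_id:
        raise ValueError("no CVE id given and no CVE-Id: trailer found")
    return build_cve_record(cve_id, org_id, title, description, references)


# Constructed placeholder advisory; not a real glibc advisory or CVE.
SAMPLE_ADVISORY = """\
example: placeholder title for a constructed advisory

This is a constructed placeholder, not a real glibc advisory.  The
descriptive paragraphs of the advisory become the CVE description,
with line wrapping removed inside each paragraph.

A second paragraph is kept as a separate paragraph.

CVE-Id: CVE-1900-0001
Public-Date: 1900-01-01
"""
PLACEHOLDER_ORG_ID = "00000000-0000-0000-0000-000000000000"  # placeholder

if __name__ == "__main__":
    record = advisory_to_record(SAMPLE_ADVISORY, PLACEHOLDER_ORG_ID)
    print(json.dumps(record, indent=2, ensure_ascii=False))
```

The `cna` container is the part a CNA fills in; the length and empty-description checks fail early rather than letting a malformed record reach the upload step. Because the first line is taken verbatim as the title, the advisory author has to write that line with the CVE title rules in mind, which is exactly the point of the proposal.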


Thread overview: 3+ messages
2024-05-02 21:40 Carlos O'Donell [this message]
2024-05-03 12:57 ` Siddhesh Poyarekar
2024-05-08 13:46   ` Carlos O'Donell
