On 01-May-23 06:16, Daniel Stenberg via curl-library wrote:
> See https://github.com/curl/curl-www/pull/237
>
> Let me know how we can perfect this. This JSON file will be automatically
> generated and provided on the curl site at a fixed URL.
Good start. A few things to consider:
* Use "summary" rather than "name"; name implies uniqueness.
* Rather than hiding in description, add key for "known exploits" -
value can be boolean. [will this be updated if updates are
discovered after publication? If not, what's the value of having it?]
* Provide schema version in header object. "project" can be in header
object rather than each item. Also include data release ("as of")
date and/or version. URL of schema description could be useful too.
* Does each entry need a revision # (e.g. if the first fix is
incomplete/incorrect)?
* Should reporter, patcher be arrays?
* example includes null severity values - should this be legal? Why
would "patcher" be null? [If there's a reason, why not omit the key?]
* including a link to the CVE on https://www.cve.org (was
cve.mitre.org) [text, and/or the GET API
<https://cveawg.mitre.org/api-docs/> to return the CVE record]
* providing a script that given a curl version (default to running
curl on PATH), lists the unpatched CVEs [Put in curl-config?]
* using the cve schema
https://github.com/CVEProject/cve-schema/blob/master/schema/v5.0/CVE_JSON_5.0_schema.json
* (I'm not a fan, but a list of commits required to fix - for the
selective patch distributions?)
* If this is automated, how does the automation know when to include a
CVE? When current release >= "last"? Does this fit the final
publication policy?
* An API to GET records applicable to a given curl version. (The full
list is interesting to researchers, but probably no one else. It
will get big.)
Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
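The script suggested in the list above (given a curl version, defaulting to the curl on PATH, list the CVEs not yet patched in it) and the inclusion question ("when current release >= last?") can be exercised with the following added example. It is not code from the thread or from the curl project: the feed layout is an assumption based only on the keys the mail mentions (a header object with a schema version, "project" and an "as of" date; per-entry "summary", "severity", and a "last" affected version, to which a "first" affected version is added here), the CVE ids are constructed placeholders, and the real feed URL is not named in the thread.

```python
"""
Added example (not part of the thread or of curl): list the CVEs in a
vulnerability feed that still apply to a given curl version.

Assumed feed shape (the thread discusses but does not fix it):
  - a header with "schema_version", "project" and "as_of";
  - "entries", each with "id", "summary", "severity", and the first and
    last affected versions "first"/"last" (both inclusive). An entry is
    "unpatched" for version V when first <= V <= last; a release newer
    than "last" already carries the fix.
"""
import json
import re
import shutil
import subprocess
from typing import List, Optional, Tuple

# Constructed sample feed; the ids are placeholders, not real curl CVEs.
SAMPLE_FEED = json.dumps({
    "schema_version": "1",
    "project": "curl",
    "as_of": "2023-05-01",
    "entries": [
        {"id": "CVE-0000-0001", "summary": "example: TLS check bypass",
         "first": "7.70.0", "last": "7.88.1", "severity": "High"},
        {"id": "CVE-0000-0002", "summary": "example: header parsing overflow",
         "first": "7.10.0", "last": "8.0.1", "severity": "Medium"},
        {"id": "CVE-0000-0003", "summary": "example: proxy credential leak",
         "first": "8.1.0", "last": "8.1.0", "severity": "Low"},
    ],
})

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '7.88.1' (or '8.0.1-DEV', '7.88') into a comparable (7, 88, 1)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised curl version: {text!r}")
    return tuple(int(x) for x in m.groups(default="0"))


def version_from_curl_output(output: str) -> Version:
    """Read the version from the first line of `curl --version`, which
    looks like 'curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.88.1 ...'."""
    first = output.splitlines()[0] if output else ""
    m = re.match(r"curl\s+(\S+)", first)
    if not m:
        raise ValueError("could not find a version in curl --version output")
    return parse_version(m.group(1))


def installed_curl_version() -> Version:
    """Default when no version is given: ask the curl found on PATH."""
    exe = shutil.which("curl")
    if exe is None:
        raise FileNotFoundError("curl not found on PATH")
    out = subprocess.run([exe, "--version"], capture_output=True,
                         text=True, check=True).stdout
    return version_from_curl_output(out)


def unpatched_cves(feed_json: str, version: Version) -> List[dict]:
    """Entries whose inclusive [first, last] range contains `version`,
    most severe first so the important ones are at the top."""
    feed = json.loads(feed_json)
    hits = [e for e in feed["entries"]
            if parse_version(e["first"]) <= version <= parse_version(e["last"])]
    order = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
    hits.sort(key=lambda e: order.get(e.get("severity"), 99))
    return hits


def report(feed_json: str, version_text: Optional[str] = None) -> List[str]:
    """One line per unpatched CVE for the given (or installed) version."""
    version = parse_version(version_text) if version_text else installed_curl_version()
    return [f"{e['id']}  {e.get('severity', '?'):7}  {e['summary']}"
            for e in unpatched_cves(feed_json, version)]


if __name__ == "__main__":
    import sys
    for line in report(SAMPLE_FEED, sys.argv[1] if len(sys.argv) > 1 else None):
        print(line)
```

Run as `python3 check.py 7.88.1` to test a specific version, or with no argument to check the curl on PATH. The version comparison is done on integer tuples rather than strings so that 7.88.1 sorts before 8.0.0; a real deployment would fetch the feed from the fixed URL the proposal mentions instead of the embedded sample.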
-- Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library Etiquette: https://curl.se/mail/etiquette.html
