On 01-May-23 06:16, Daniel Stenberg via curl-library wrote:
See https://github.com/curl/curl-www/pull/237
Let me know how we can perfect this. This JSON file will be automatically generated and provided on the curl site at a fixed URL.
Good start. A few things to consider:

* Use "summary" rather than "name"; name implies uniqueness.
* Rather than hiding in description, add key for "known exploits" - value can be boolean. [Will this be updated if updates are discovered after publication? If not, what's the value of having it?]
* Provide schema version in header object. "project" can be in header object rather than each item. Also include data release ("as of") date and/or version. URL of schema description could be useful too.
* Does each entry need a revision # (e.g. if the first fix is incomplete/incorrect)?
* Should reporter, patcher be arrays?
* Example includes null severity values - should this be legal? Why would "patcher" be null? [If there's a reason, why not omit the key?]
* Including a link to the CVE on https://www.cve.org (was cve.mitre.org) [text, and/or the GET API <https://cveawg.mitre.org/api-docs/> to return the CVE record]
* Providing a script that, given a curl version (default to running curl on PATH), lists the unpatched CVEs [Put in curl-config?]
* Using the CVE schema https://github.com/CVEProject/cve-schema/blob/master/schema/v5.0/CVE_JSON_5.0_schema.json
* (I'm not a fan, but a list of commits required to fix - for the selective patch distributions?)
* If this is automated, how does the automation know when to include a CVE? When current release >= "last"? Does this fit the final publication policy?
* An API to GET records applicable to a given curl version. (The full list is interesting to researchers, but probably no one else. It will get big.)

Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views, if any, on the matters discussed.
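The script suggested above (given a curl version, or the curl on PATH, list the CVEs that still apply) as an added worked example. This is editorial illustration, not code from the curl project or from either poster: the feed layout (a header object with `schema_version`, `project` and `as_of`, plus `entries` with `first`/`last` affected-version bounds, `known_exploits` and `severity`) is an assumed shape built from the proposals in the thread, and the CVE ids and version numbers in the sample feed are constructed placeholders.

```python
"""List the CVEs in a vulnerability feed that apply to a given curl version.

Assumed feed layout (illustration only, not curl's real feed): a header with
schema_version / project / as_of and an "entries" list whose items carry an
inclusive affected range "first".."last".
"""
import json
import re
import subprocess
import sys

# Constructed sample feed: ids, versions and severities are placeholders.
SAMPLE_FEED = json.dumps({
    "schema_version": "0.1",
    "project": "curl",
    "as_of": "2023-05-01",
    "entries": [
        {"id": "CVE-0000-0001", "summary": "example flaw in component A",
         "severity": "high", "known_exploits": False,
         "first": "7.70.0", "last": "7.88.1", "fixed_in": "8.0.0"},
        {"id": "CVE-0000-0002", "summary": "example flaw in component B",
         "severity": "low", "known_exploits": False,
         "first": "8.0.0", "last": "8.0.1", "fixed_in": "8.1.0"},
        {"id": "CVE-0000-0003", "summary": "example flaw in component C",
         "severity": "medium", "known_exploits": True,
         "first": "7.0.0", "last": "8.1.0", "fixed_in": "8.1.1"},
    ],
})

SUPPORTED_SCHEMA = "0.1"
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(text):
    """Extract the first x.y.z in `text` as an int tuple so 7.9.0 < 7.88.1.

    Accepts a bare "8.0.1" or the first line of `curl --version`.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def affected(entry, version):
    """True when first <= version <= last (both bounds inclusive)."""
    return parse_version(entry["first"]) <= version <= parse_version(entry["last"])


def unpatched_cves(feed_json, version_text):
    """Return the entries that apply to `version_text`, worst first.

    The schema version in the header is checked so a consumer fails loudly
    instead of silently misreading a future layout.
    """
    feed = json.loads(feed_json)
    if feed.get("schema_version") != SUPPORTED_SCHEMA:
        raise ValueError(f"unsupported schema_version {feed.get('schema_version')!r}")
    version = parse_version(version_text)
    hits = [e for e in feed["entries"] if affected(e, version)]
    # Known-exploited entries first, then by severity, then by id for stability.
    hits.sort(key=lambda e: (not e.get("known_exploits", False),
                             SEVERITY_RANK.get(e.get("severity"), len(SEVERITY_RANK)),
                             e["id"]))
    return hits


def installed_curl_version():
    """First line of `curl --version` for the curl binary on PATH."""
    out = subprocess.run(["curl", "--version"], capture_output=True,
                         text=True, check=True).stdout
    return out.splitlines()[0]


if __name__ == "__main__":
    # Usage: python check_curl_cves.py [version]; defaults to the curl on PATH.
    wanted = sys.argv[1] if len(sys.argv) > 1 else installed_curl_version()
    for e in unpatched_cves(SAMPLE_FEED, wanted):
        flag = " (known exploits)" if e.get("known_exploits") else ""
        print(f"{e['id']}  {e['severity']:<8} fixed in {e['fixed_in']}{flag}: {e['summary']}")
```

Versions are compared as integer tuples rather than strings, since a string comparison would rank "7.9.0" above "7.88.1". The inclusive `last` bound matches the "current release >= last" question raised in the thread: an entry stays listed for every release up to and including `last`, and drops out at `fixed_in`.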