On 01-May-23 06:16, Daniel Stenberg via curl-library wrote:
See https://github.com/curl/curl-www/pull/237

Let me know how we can perfect this. This JSON file will be automatically generated and provided on the curl site at a fixed URL.

Good start.  A few things to consider:

 * Use "summary" rather than "name"; name implies uniqueness.
 * Rather than hiding in description, add key for "known exploits" -
   value can be boolean. [will this be updated if updates are
   discovered after publication?  If not, what's the value of having it?]
 * Provide schema version in header object.  "project" can be in header
   object rather than each item.  Also include data release ("as of")
   date and/or version.  URL of schema description could be useful too.
 * Does each entry need a revision # (e.g. if the first fix is
   incomplete/incorrect)?
 * should reporter,patcher be arrays?
 * example includes null severity values - should this be legal? Why
   would "patcher" be null? [If there's a reason, why not omit the key?]
 * including a link to the CVE on https://www.cve.org (was
   cve.mitre.org) [text, and/or the GET API
   <https://cveawg.mitre.org/api-docs/> to return the CVE record]
 * providing a script that given a curl version (default to running
   curl on PATH), lists the unpatched CVEs [Put in curl-config?]
 * using the cve schema
   https://github.com/CVEProject/cve-schema/blob/master/schema/v5.0/CVE_JSON_5.0_schema.json
 * (I'm not a fan, but a list of commits required to fix - for the
   selective patch distributions?)
 * If this is automated, how does the automation know when to include a
   CVE? When current release >= "last"?  Does this fit the final
   publication policy?
 * An API to GET records applicable to a given curl version. (The full
   list is interesting to researchers, but probably no one else.  It
   will get big.)


Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
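The "script that given a curl version lists the unpatched CVEs" suggested in the list above, written out as an added example (this is not code from the thread, the curl-www pull request, or the curl project). The feed layout it reads (a `header` object with `schema_version`/`project`/`as_of`, an `entries` list with `cve`, `summary`, `first`/`last` affected versions, `severity` and a boolean `known_exploits`) is an assumption built from the suggestions in the mail, and the embedded `SAMPLE_FEED` with its CVE-0000-* ids is constructed test data, not real curl advisories.

```python
"""List entries of a curl-style vulnerability JSON feed that apply to a given curl version."""
import json
import re
import subprocess
import sys

# Constructed sample feed. Its layout is an ASSUMPTION modelled on the
# suggestions in the mail (header object, summary key, known_exploits
# boolean, first/last affected versions); the CVE ids are placeholders.
SAMPLE_FEED = json.dumps({
    "header": {"schema_version": "0.1-example", "project": "curl", "as_of": "2023-05-01"},
    "entries": [
        {"cve": "CVE-0000-0001", "summary": "example issue in HTTP handling",
         "first": "7.70.0", "last": "7.88.1", "severity": "Medium", "known_exploits": False},
        {"cve": "CVE-0000-0002", "summary": "example issue in cookie parsing",
         "first": "7.80.0", "last": "8.0.1", "severity": "High", "known_exploits": True},
        # severity and known_exploits deliberately absent to exercise the defaults
        {"cve": "CVE-0000-0003", "summary": "example old issue",
         "first": "7.10.0", "last": "7.50.0"},
    ],
})


def parse_version(text):
    """Extract the first x.y[.z] version number from a string (also works on
    the first line of `curl --version` output) and return a comparable tuple."""
    m = re.search(r"\b(\d+)\.(\d+)(?:\.(\d+))?\b", text)
    if not m:
        raise ValueError("no version number found in %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def installed_curl_version(binary="curl"):
    """Version of the curl binary on PATH (the mail's suggested default)."""
    out = subprocess.run([binary, "--version"], capture_output=True, text=True, check=True).stdout
    return parse_version(out.splitlines()[0])


def affected_entries(feed_text, version):
    """Return the feed entries whose affected range contains `version`,
    exploited-in-the-wild ones first, then by CVE id."""
    feed = json.loads(feed_text)
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    hits = []
    for e in feed["entries"]:
        if parse_version(e["first"]) <= v <= parse_version(e["last"]):
            hits.append({
                "cve": e["cve"],
                "summary": e["summary"],
                # a missing or null severity is reported explicitly, not hidden
                "severity": e.get("severity") or "unspecified",
                "known_exploits": bool(e.get("known_exploits", False)),
                "url": "https://www.cve.org/CVERecord?id=" + e["cve"],
            })
    hits.sort(key=lambda h: (not h["known_exploits"], h["cve"]))
    return hits


def report(feed_text, version):
    """Human-readable report; the header's as_of date tells the reader how
    stale the feed may be."""
    header = json.loads(feed_text).get("header", {})
    hits = affected_entries(feed_text, version)
    lines = ["%s feed as of %s (schema %s), checking version %s" % (
        header.get("project", "?"), header.get("as_of", "?"),
        header.get("schema_version", "?"), version)]
    if not hits:
        lines.append("no known unpatched CVEs for this version")
    for h in hits:
        flag = " [known exploits]" if h["known_exploits"] else ""
        lines.append("%s (%s)%s: %s  %s" % (h["cve"], h["severity"], flag, h["summary"], h["url"]))
    return "\n".join(lines)


if __name__ == "__main__":
    # usage: script.py [feed.json] [version]; defaults to the sample feed and curl on PATH
    feed = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FEED
    ver = sys.argv[2] if len(sys.argv) > 2 else ".".join(map(str, installed_curl_version()))
    print(report(feed, ver))
```

Version comparison is done on integer tuples rather than strings so that 7.88.1 sorts before 8.0.1; the sort order puts entries flagged `known_exploits` first, which is where a reader of such a report wants to look.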


-- 
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette:   https://curl.se/mail/etiquette.html
