On 9/16/21 7:13 PM, Eric Covener wrote:
> On Thu, Sep 16, 2021 at 12:58 PM Mark J Cox <m...@apache.org> wrote:
>>
>> Hi; at the moment the ASF customisation to the tool is tracked in my github
>> fork along with issues. There's no specific place to discuss it other than
>> secur...@apache.org. That's all just because there's only me having worked
>> on it.
>>
>> There are going to be some big changes needed to the tool and running
>> instance in the coming months to support the new CVE Project v5.0 JSON
>> schema, as that is required for more of the future CVE project automation
>> (such as live submission to their database), so that will likely take up all
>> the time I can personally spend updating the tool in the near future.
>
> For the sake of discussion/argument: Do we want/need to reproduce this
> information on the website or is linking to the changelog sufficient?
> We lose our pseudo-scoring and the range of affected versions. We
> could bake them into our changelog-entry authoring/review.
I like to keep our current vulnerabilities page. On the contrary. I would like
to see it extended with the revision numbers that
fixed the actual issue.
I like the vulnerabilities page we and Tomcat has very much as it eases the
search and doesn't force me to got through changelogs
or other information not that quickly available.
Regards
RĂ¼diger
