Hi Nathan.

At the moment the CVE project relies on us doing the submission via a pilot
GitHub program.  So what happens when you take it to READY is that one of 3
people from the ASF security team has to manually do some things to make
that submission happen (exporting the JSON and submitting it in git).
There is no further work for the PMC at that point.  Once we've done our
submission it is usually picked up and in the cve.org database within an
hour, although if there are issues with the data causing some
back-and-forth it can be longer.

I'm assuming the CVE you are talking about is CVE-2022-26850?  That one
took an hour after you placed it in READY state for us to submit it, then
https://github.com/CVEProject/cvelist/pull/5195 was merged automatically
within about 10 mins, so the entry was live on cve.org in about 90 minutes
after your emails.  (The sync to the legacy Mitre version of CVE takes a
bit longer, and to NVD longer still right now).

In the coming months the new CVE automation API will be introduced that
allows ASF to push directly, skipping that Git Pilot stage.  However, we may
still initially gate that so that it requires security team review - we're
finding the majority of entries need small tweaks to be acceptable before
pushing, so we'll figure out how to decide on that gate: whether it's only for
select projects, whether better instructions or code to parse the text in the
tool can help, etc.  (We have a similar gate on the CVE allocation, which is
automated right now, where projects that tend to get these things right
every time have direct access, and other projects require some security
team intervention first.)

This automation change also changes the schema and will allow the
pushing of CVSS scores right through the chain, although again that'll be a
discussion as it'll likely only be enabled per project, as most projects
don't produce them (and we didn't recommend using them in general; that's
probably a discussion for the public security list later!).

Regards, Mark
ASF Security


On Fri, Apr 8, 2022 at 2:00 AM Nathan Gough <[email protected]> wrote:

> Hi,
>
> I recently submitted a CVE through the ASF Vulnogram tool and found that
> the report did not seem to make its way through to mitre.org. Is this
> expected and is there a reason it will not be pushed through to Mitre/no
> easy button to submit it? Am I supposed to manually enter the information
> through Mitre's form?
>
> I guess I'm wondering what happens when the CVE goes from 'Ready' to
> 'Public'. Is any of the information submitted behind the scenes to CVE
> trackers, or is the only way that systems receive this data through the
> [email protected] email?
>
> Also, does the tool allow for entering a CVSS score? Seems like that is
> missing from nvd.nist.gov etc.
>
> Thanks!
> Nathan
>