Add a guide for creating CVE entries #86
Conversation
docs/cve-creation-guide.md
Outdated
|
|
||
| 1. Access [Mitre CVE Form](https://cveform.mitre.org/) | ||
| 1. Select a request type: **_Report Vulnerability/Request CVE ID_** | ||
| 1. Enter your e-mail address: **[email protected]_** |
There was a problem hiding this comment.
Authors/reporters should prob use their own email address here and not our list
|
|
||
| # Creating a CVE Request | ||
|
|
||
| This is an example of how to create a CVE with an older vulnerability from Mojolicious that did not have one previously assigned. |
There was a problem hiding this comment.
Should we use a general example like Foobar or something like that, rather than Mojolicious?
There was a problem hiding this comment.
I can change it it an example but likely should be generic
There was a problem hiding this comment.
@stigtsp the thing I like about using this example is that it exists and you can review the source info
There was a problem hiding this comment.
@stigtsp I looked at it but the example is likely best. The point was to give an example that someone could follow
|
|
||
| For some CPAN modules this is fairly simple. | ||
| For others you may need to do some additional research. | ||
| For _CPANSA-Mojolicious-2018-01_ CPAN::Audit lists the vulnerability as **Mojolicious** in the identifier but the description correctly identifies **_Mojo::UserAgent::CookieJar_**. |
There was a problem hiding this comment.
I'd say that in this example Mojolicious is the distribution name, and the product that contains the vuln.
There was a problem hiding this comment.
Yes, but in the case of a module like this it is specific to a certain part so it may be a case of a vulnerabilit that you are not encountering if you are not using Mojo::UserAgent::CookieJar
|
|
||
| This is an example of how to create a CVE with an older vulnerability from Mojolicious that did not have one previously assigned. | ||
|
|
||
| * CPANSA-Mojolicious-2018-01 |
There was a problem hiding this comment.
This might muddy the waters a bit, I don't think CPANSA identifiers are relevant for CVEs (except as URL references, but there are currently no way of linking to CPANSA resources)
There was a problem hiding this comment.
True but it is the specific issue in this example
docs/cve-creation-guide.md
Outdated
| You can provide additional information that you may have if it is relevant. | ||
|
|
||
| Some possible additional information: | ||
| 1. If the vulnerability is embargoed (not publicly acknowledged or under a non disclosure of some sort) mention it here |
There was a problem hiding this comment.
Also, maybe worth mentioning that a vuln that has been discussed in public is by default public and not embargoed.
So References should not be given for anything embargoed
No description provided.