Automate publishing of CVE's

Created on 9 October 2024

Problem/Motivation

I originally asked in Feb of 2022 if it was possible to automate the majority of the publishing process. At the time it would only have been possible to put the data in a format that would be easier to copy to the CVE program.

In the time since a formal JSON based API has been created which can allow leveraging our existing dataset to directly publish into the CVE database.

https://www.cve.org/allresources/CveServices documents the relevant API.

Significant time savings could be achieved by integrating the API directly into S.D.O.

Example tasks that could be automated:

  • Upon determination that the vulnerability exists, a CVE can be reserved by a DST member confirming the issue (single click). This CVE ID can then be used in all communications, eliminating the need for code names while allowing the reporter and maintainer to begin working on documentation without the need for placeholders.
  • Upon publication of the Security Advisory, the CVE could be programmatically published using already approved data in the Security Advisory (another 'single click' operation).

Steps to reproduce

N/A

Proposed resolution

Directly integrate SDO into the CNA Program CVE Service API

Remaining tasks

User interface changes

TBD

API changes

Data model changes
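As an added illustration of the two-step flow the issue proposes (reserve an ID when the issue is confirmed, publish when the advisory goes out), this Python sketch builds the two CVE Services requests without sending them. It is not SDO code and not part of the issue; the base URL, query parameters, header names and cnaContainer fields are assumptions from my reading of the CVE Services documentation, and the advisory shape and its values are constructed.

```python
import re
from urllib.parse import urlencode

# Assumed production base URL of CVE Services; confirm against the documentation
# the issue links (https://www.cve.org/allresources/CveServices) before use.
BASE_URL = "https://cveawg.mitre.org/api"

def auth_headers(org: str, user: str, api_key: str) -> dict:
    """Every CVE Services call carries these three credential headers."""
    return {"CVE-API-ORG": org, "CVE-API-USER": user, "CVE-API-KEY": api_key,
            "Content-Type": "application/json"}

def reserve_request(org_short_name: str, year: int) -> tuple[str, str]:
    """Step 1, when the issue is confirmed: reserve one sequential ID for the year."""
    query = urlencode({"amount": 1, "batch_type": "sequential",
                       "cve_year": year, "short_name": org_short_name})
    return "POST", f"{BASE_URL}/cve-id?{query}"

def advisory_to_cna_container(advisory: dict) -> dict:
    """Map already-approved advisory fields onto a CVE JSON 5.x cnaContainer.
    The advisory keys used here are a constructed shape, not SDO's data model."""
    return {
        "title": advisory["title"],
        "descriptions": [{"lang": "en", "value": advisory["description"]}],
        "affected": [{"vendor": "Drupal", "product": advisory["project"],
                      "versions": [{"version": v, "status": "affected"}
                                   for v in advisory["affected_versions"]]}],
        "problemTypes": [{"descriptions": [
            {"lang": "en", "description": advisory["problem_type"]}]}],
        "references": [{"url": advisory["url"]}],
    }

def publish_request(cve_id: str, advisory: dict) -> tuple[str, str, dict]:
    """Step 2, when the advisory is published: POST the container to the reserved ID.
    A malformed ID is rejected before any request is built."""
    if not re.fullmatch(r"CVE-\d{4}-\d{4,}", cve_id):
        raise ValueError(f"not a CVE ID: {cve_id!r}")
    payload = {"cnaContainer": advisory_to_cna_container(advisory)}
    return "POST", f"{BASE_URL}/cve/{cve_id}/cna", payload

# Constructed sample advisory with placeholder values (not a real SA).
SAMPLE_ADVISORY = {
    "title": "Example module - Access bypass - SA-CONTRIB-PLACEHOLDER",
    "description": "Placeholder text standing in for the approved advisory description.",
    "project": "example_module",
    "affected_versions": ["<2.0.3"],
    "problem_type": "Access bypass",
    "url": "https://www.drupal.org/sa-contrib-PLACEHOLDER",
}
```

Sending the returned method, URL and payload with the headers from auth_headers is the only step left out; the response to step 1 carries the reserved ID that step 2 consumes.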

📌 Task
Status: Active
Version: 1.0
Component: Code
Created by: 🇺🇸 United States cmlara


Comments & Activities

  • Issue created by @cmlara
  • 🇺🇸 United States yesct
  • 🇺🇸 United States Owen Barton

    Adding this related issue, which is a suggestion to add Open Source Vulnerability (OSV) format vulnerability advisories - I think there is quite a bit in common with the CVE schema and perhaps there is a way to do both.
    I guess if we are planning to get official CVEs submitted for all vulnerabilities, then OSV may not strictly be necessary (since they would be aggregated by the various libraries scanners use).
    On the other hand, if there are some that may not get assigned CVEs, or if we are concerned about CVE capacity/delays (which I think has been an issue recently), having vulnerabilities in OSV format would still be worthwhile.
    I also came across this post describing how CPython handles this which includes a handy script to generate an OSV from a CVE.
