Problem/Motivation

I originally asked in Feb of 2022 if it was possible to automate the majority of the publishing process. At the time it would only have been possible to put the data in a format that would be easier to copy to the CVE program.

In the time since, a formal JSON-based API has been created which can allow leveraging our existing dataset to directly publish into the CVE database.

https://www.cve.org/allresources/CveServices documents the relevant API.

Significant time savings could be achieved by integrating the API directly into S.D.O.

Example tasks that could be automated:

  • Upon determination that the vulnerability exists, a CVE can be reserved by a DST member confirming the issue (single click). This CVE ID can then be used in all communications, eliminating the need for code names while allowing the reporter and maintainer to begin working on documentation without the need for placeholders.
  • Upon publication of the Security Advisory the CVE could be programmatically published using already approved data in the Security Advisory (another 'single click' operation).

Steps to reproduce

N/A

Proposed resolution

Directly integrate SDO into the CNA Program CVE Service API

Remaining tasks

User interface changes

TBD

API changes

Data model changes
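As a worked illustration of the two "single click" steps listed under Problem/Motivation (reserve an ID when the issue is confirmed, then publish from already-approved advisory data), here is an added Python client. It is not code from this issue, from S.D.O. or from the Drupal security team. The endpoint paths (/cve-id, /cve/{id}/cna), the CVE-API-ORG / CVE-API-USER / CVE-API-KEY headers and the cnaContainer field names follow the public CVE Services REST API and the CVE JSON 5.x record format as documented from https://www.cve.org/allresources/CveServices; the base URLs, the CNA short name, the placeholder CVE ID and the sample advisory are assumptions or constructed data and should be checked against the current documentation. Nothing touches the network unless the file is run as a script.

```python
"""Reserve a CVE ID and publish a CVE record through the CVE Services API.

Added example, not part of the Drupal.org issue. Endpoints, headers and the
cnaContainer shape follow CVE Services / CVE JSON 5.x as publicly documented;
base URLs and sample data below are assumptions / constructed.
"""
import json
import os
import re
import urllib.request
from datetime import date

# Assumed base URLs: develop against the test instance, because anything
# published to production becomes a public CVE record immediately.
CVE_API_PROD = "https://cveawg.mitre.org/api"
CVE_API_TEST = "https://cveawg-test.mitre.org/api"
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def auth_headers(org, user, api_key):
    """CVE Services authenticates with request headers, not URL parameters,
    so the API key does not end up in proxy or web-server access logs."""
    return {
        "CVE-API-ORG": org,
        "CVE-API-USER": user,
        "CVE-API-KEY": api_key,
        "Content-Type": "application/json",
    }


def reserve_request(base_url, org, year=None, amount=1):
    """Step 1: build the 'reserve an ID' call. Returns (method, url, body)
    without sending anything, so it can be unit-tested offline."""
    year = year or date.today().year
    url = (f"{base_url}/cve-id?amount={amount}&batch_type=sequential"
           f"&cve_year={year}&short_name={org}")
    return "POST", url, None


def parse_reserved_ids(response_json):
    """Extract reserved IDs and check their shape before they are ever
    interpolated into later URLs or advisory text."""
    ids = [entry["cve_id"] for entry in response_json.get("cve_ids", [])]
    bad = [i for i in ids if not CVE_ID_RE.match(i)]
    if bad:
        raise ValueError(f"unexpected CVE ID format: {bad}")
    return ids


def build_cna_container(advisory):
    """Step 2a: map approved Security Advisory fields onto a CVE 5.x cnaContainer.
    The 'advisory' keys are this example's own, not an S.D.O. data model."""
    return {
        "title": advisory["title"],
        "descriptions": [{"lang": "en", "value": advisory["description"]}],
        "affected": [{
            "vendor": advisory["vendor"],
            "product": advisory["project"],
            "defaultStatus": "unaffected",
            "versions": [{
                "version": advisory["first_affected"],
                "lessThan": advisory["fixed_version"],
                "status": "affected",
                "versionType": "semver",
            }],
        }],
        "problemTypes": [{"descriptions": [{
            "lang": "en", "type": "CWE",
            "cweId": advisory["cwe_id"],
            "description": advisory["cwe_description"],
        }]}],
        "references": [{"url": advisory["url"], "tags": ["vendor-advisory"]}],
    }


def validate_cna_container(container):
    """Refuse to 'single click' publish an incomplete record. Returns a list
    of problems; empty means the minimum the record format requires is present."""
    problems = []
    for key in ("affected", "descriptions", "references"):
        if not container.get(key):
            problems.append(f"{key} is empty")
    if not any(d.get("lang", "").startswith("en") for d in container.get("descriptions", [])):
        problems.append("no English description")
    for aff in container.get("affected", []):
        if not aff.get("versions") and "defaultStatus" not in aff:
            problems.append(f"no version information for {aff.get('product')}")
    return problems


def publish_request(base_url, cve_id, container):
    """Step 2b: build the publish call for a reserved ID."""
    if not CVE_ID_RE.match(cve_id):
        raise ValueError(f"refusing to build a URL from malformed id {cve_id!r}")
    problems = validate_cna_container(container)
    if problems:
        raise ValueError("incomplete record: " + "; ".join(problems))
    return "POST", f"{base_url}/cve/{cve_id}/cna", {"cnaContainer": container}


def send(method, url, body, headers, timeout=30):
    """Perform the HTTP call; urlopen raises HTTPError on non-2xx responses."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


# Constructed sample advisory for a fictitious module (not a real Drupal SA).
SAMPLE_ADVISORY = {
    "title": "example_module - Moderately critical - Cross Site Scripting",
    "description": "The module does not sufficiently sanitize a label field.",
    "vendor": "Drupal",
    "project": "example_module",
    "first_affected": "1.0.0",
    "fixed_version": "1.2.0",
    "cwe_id": "CWE-79",
    "cwe_description": "CWE-79 Improper Neutralization of Input During Web Page Generation",
    "url": "https://example.org/advisory/1",
}

if __name__ == "__main__":
    # Credentials come from the environment, never from source control.
    org = os.environ["CVE_ORG"]
    headers = auth_headers(org, os.environ["CVE_USER"], os.environ["CVE_KEY"])
    reserved = parse_reserved_ids(send(*reserve_request(CVE_API_TEST, org), headers))
    print("reserved:", reserved)
    container = build_cna_container(SAMPLE_ADVISORY)
    print(send(*publish_request(CVE_API_TEST, reserved[0], container), headers))
```

The format check on the returned ID before it is placed into the publish URL, and the validation step that rejects a record with no affected versions or no English description, are the two guards a one-click integration most needs: the first keeps a malformed or unexpected value out of URL construction, the second stops an advisory that has not finished its workflow from becoming a public CVE.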

Comments

cmlara created an issue. See original summary.

yesct

Issue tags: +Security improvements
owen barton

Adding this related issue, which is a suggestion to add Open Source Vulnerability (OSV) format vulnerability advisories - I think there is quite a bit in common with the CVE schema and perhaps there is a way to do both.
I guess if we are planning to get official CVEs submitted for all vulnerabilities, then OSV may not strictly be necessary (since they would be aggregated by the various libraries scanners use).
On the other hand, if there are some that may not get assigned CVEs, or if we are concerned about CVE capacity/delays (which I think has been an issue recently), having vulnerabilities in OSV format would still be worthwhile.
I also came across this post describing how CPython handles this which includes a handy script to generate an OSV from a CVE.
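To make the "quite a bit in common" point concrete, here is an added Python example (mine, not from the comment above, the linked CPython post, or the Drupal security team) that maps a CVE JSON 5.x cnaContainer onto an OSV record. The OSV field names follow the public OSV schema (schema_version, id, modified, summary, details, affected, ranges of type ECOSYSTEM with introduced/fixed events, references). The choice of "Packagist" as the ecosystem and "drupal/example_module" as the package name, the placeholder CVE ID and the sample container are assumptions or constructed data; the CWE IDs go into database_specific because OSV has no first-class field for them.

```python
"""Convert a CVE JSON 5.x cnaContainer into an OSV record.

Added example, not part of the Drupal.org issue. OSV field names follow the
public OSV schema; ecosystem/package naming and the sample data are assumed.
"""
from datetime import datetime, timezone

OSV_SCHEMA_VERSION = "1.6.0"  # assumed current schema version; adjust as needed


def cve_to_osv(cve_id, cna, ecosystem, package_name, modified=None):
    """Map a CNA container onto OSV.

    Each CVE 'affected' entry becomes one OSV 'affected' block for the
    caller-supplied ecosystem/package. A version + lessThan pair becomes an
    ECOSYSTEM range (introduced/fixed); lessThanOrEqual becomes last_affected;
    a bare affected version is listed under 'versions'.
    """
    modified = modified or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    english = [d["value"] for d in cna.get("descriptions", [])
               if d.get("lang", "").startswith("en")]
    if not english:
        raise ValueError("OSV 'details' needs an English description")

    affected = []
    for entry in cna.get("affected", []):
        events, exact = [], []
        for v in entry.get("versions", []):
            if v.get("status") != "affected":
                continue  # 'unaffected'/'unknown' entries carry no OSV range
            if "lessThan" in v:
                events += [{"introduced": v["version"]}, {"fixed": v["lessThan"]}]
            elif "lessThanOrEqual" in v:
                events += [{"introduced": v["version"]},
                           {"last_affected": v["lessThanOrEqual"]}]
            else:
                exact.append(v["version"])
        block = {"package": {"ecosystem": ecosystem, "name": package_name}}
        if events:
            block["ranges"] = [{"type": "ECOSYSTEM", "events": events}]
        if exact:
            block["versions"] = exact
        affected.append(block)

    cwes = [p["cweId"] for pt in cna.get("problemTypes", [])
            for p in pt.get("descriptions", []) if "cweId" in p]
    osv = {
        "schema_version": OSV_SCHEMA_VERSION,
        "id": cve_id,
        "modified": modified,
        "summary": cna.get("title", ""),
        "details": english[0],
        "affected": affected,
        "references": [{"type": "ADVISORY", "url": r["url"]}
                       for r in cna.get("references", [])],
    }
    if cwes:
        osv["database_specific"] = {"cwe_ids": cwes}
    return osv


# Constructed sample cnaContainer for a fictitious module (not a real record).
SAMPLE_CVE_ID = "CVE-2024-0000"  # placeholder, not an assigned ID
SAMPLE_CNA = {
    "title": "example_module - Moderately critical - Cross Site Scripting",
    "descriptions": [{"lang": "en", "value": "A label field is not sanitized."}],
    "affected": [{
        "vendor": "Drupal", "product": "example_module",
        "defaultStatus": "unaffected",
        "versions": [
            {"version": "1.0.0", "lessThan": "1.2.0",
             "status": "affected", "versionType": "semver"},
            {"version": "2.0.0-beta1", "status": "affected", "versionType": "semver"},
        ],
    }],
    "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE",
                                        "cweId": "CWE-79",
                                        "description": "CWE-79"}]}],
    "references": [{"url": "https://example.org/advisory/1", "tags": ["vendor-advisory"]}],
}

if __name__ == "__main__":
    import json
    print(json.dumps(cve_to_osv(SAMPLE_CVE_ID, SAMPLE_CNA, "Packagist",
                                "drupal/example_module"), indent=2))
```

The mapping is lossy in one direction only: OSV wants a package coordinate that a CVE record does not carry, so the ecosystem and package name have to come from the advisory system rather than from the CVE, which is the one field a publishing integration would need to add if it emitted both formats.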