Re: all previous curl CVEs as JSON ?
From: Timothe Litt <litt_at_acm.org>
Date: Mon, 1 May 2023 07:08:20 -0400
On 01-May-23 06:16, Daniel Stenberg via curl-library wrote:
> See https://github.com/curl/curl-www/pull/237
>
> Let me know how we can perfect this. This JSON file will be
> automatically generated and provided on the curl site at a fixed URL.
>
Good start. A few things to consider:
* Use "summary" rather than "name"; name implies uniqueness.
* Rather than hiding in description, add key for "known exploits" -
value can be boolean. [will this be updated if updates are
discovered after publication? If not, what's the value of having it?]
* Provide schema version in header object. "project" can be in header
object rather than each item. Also include data release ("as of")
date and/or version. URL of schema description could be useful too.
* Does each entry need a revision # (e.g. if the first fix is
incomplete/incorrect)?
* should reporter, patcher be arrays?
* example includes null severity values - should this be legal? Why
would "patcher" be null? [If there's a reason, why not omit the key?]
* including a link to the CVE on https://www.cve.org (was
cve.mitre.org) [text, and/or the GET API
<https://cveawg.mitre.org/api-docs/> to return the CVE record]
* providing a script that given a curl version (default to running
curl on PATH), lists the unpatched CVEs [Put in curl-config?]
* using the cve schema
https://github.com/CVEProject/cve-schema/blob/master/schema/v5.0/CVE_JSON_5.0_schema.json
* (I'm not a fan, but a list of commits required to fix - for the
selective patch distributions?)
* If this is automated, how does the automation know when to include a
CVE? When current release >= "last"? Does this fit the final
publication policy?
* An API to GET records applicable to a given curl version. (The full
list is interesting to researchers, but probably no one else. It
will get big.)
Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
Received on 2023-05-01
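One way the "script that, given a curl version, lists the unpatched CVEs" suggested above could look, as an added example that is not part of the thread or of the curl project. The JSON layout is constructed for the example: the "first"/"last" affected-version keys, the "as_of" and "schema_version" header keys and the "entries" array are assumptions, not the format of PR 237; "last" is read as the last affected release, the reading the thread's "current release >= last" question implies.

```python
import json
import subprocess
from typing import List, Optional, Tuple

# Constructed sample data; key names are assumptions, not curl's real file.
SAMPLE_JSON = """
{
  "schema_version": "1", "project": "curl", "as_of": "2023-05-01",
  "entries": [
    {"id": "CVE-EXAMPLE-0001", "summary": "constructed entry A",
     "severity": "Low",  "first": "7.10.0", "last": "7.88.1"},
    {"id": "CVE-EXAMPLE-0002", "summary": "constructed entry B",
     "severity": "High", "first": "7.70.0", "last": "8.0.1"},
    {"id": "CVE-EXAMPLE-0003", "summary": "constructed entry C",
     "severity": null,   "first": "7.50.0", "last": "7.60.0"}
  ]
}
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """'7.88.1' -> (7, 88, 1): tuples compare numerically, so 7.9.0 < 7.88.1.
    A plain string comparison would get that wrong ('7.9.0' > '7.88.1')."""
    return tuple(int(part) for part in text.strip().split("."))


def running_curl_version() -> str:
    """Version of the curl on PATH: second token of the first '--version' line."""
    out = subprocess.run(["curl", "--version"], capture_output=True,
                         text=True, check=True).stdout
    return out.splitlines()[0].split()[1]


def unpatched_cves(data: dict, version: str) -> List[Tuple[str, str]]:
    """(id, severity) for every entry whose [first, last] range holds version.
    A null severity (allowed by the sample, questioned in the thread) is
    reported as 'unknown' rather than dropped."""
    v = parse_version(version)
    hits = []
    for entry in data["entries"]:
        if parse_version(entry["first"]) <= v <= parse_version(entry["last"]):
            hits.append((entry["id"], entry.get("severity") or "unknown"))
    return hits


def report(version: Optional[str] = None) -> List[Tuple[str, str]]:
    """Default to the locally installed curl when no version is given."""
    return unpatched_cves(json.loads(SAMPLE_JSON), version or running_curl_version())


if __name__ == "__main__":
    import sys
    for cve_id, severity in report(sys.argv[1] if len(sys.argv) > 1 else None):
        print(f"{cve_id}\t{severity}")
```

Run as `python3 script.py 7.88.1` to check a specific version, or with no argument to check the curl found on PATH.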