Security advisories and JSA-2020-0001 (opens in new tab)

(community.jitsi.org)

10 pointsjupenur5y ago3 comments

3 comments

Side note: I wish there was an accepted industry-wide, machine-readable format for security advisories. It's kind of a pain that every project out there defines their own way, ranging from atrocious blog posts:

https://chromereleases.googleblog.com/2020/02/stable-channel...

to plain text files:

http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2015-001.t...

or custom XMLs:

https://www.openssl.org/news/vulnerabilities.xml

The CVRF standard promised to be this but is largely unused since it's fairly rigid and requires a lot of investment to get it right.

Even GitHub's advisories are fairly limited in the metadata they provide and only accessible through the GraphQL API.

netsec_burn5y ago

What about CVE+CPE? The NIST NVD provides a CVE+CPE API for your machine readable format, and CVE's are collected by MITRE.

m4r71n5y ago

Yes, but which open source project publishes CPEs for their vulnerability information? :-) Plus, an important part of every security advisory is specifying which versions are affected by a particular vulnerability versus which contain the fix and are thus no longer affected.

j / k navigate · click thread line to collapse

3 comments

m4r71n5y ago

https://chromereleases.googleblog.com/2020/02/stable-channel...

to plain text files:

http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2015-001.t...

or custom XMLs:

https://www.openssl.org/news/vulnerabilities.xml

The CVRF standard promised to be this but is largely unused since it's fairly rigid and requires a lot of investment to get it right.

Even GitHub's advisories are fairly limited in the metadata they provide and only accessible through the GraphQL API.

netsec_burn5y ago

What about CVE+CPE? The NIST NVD provides a CVE+CPE API for your machine readable format, and CVE's are collected by MITRE.

m4r71n5y ago

j / k navigate · click thread line to collapse