[openssl-project] Mitre GIT CVE pilot, vulnerability JSON files

Mark J Cox mark at openssl.org
Mon Feb 12 11:18:57 UTC 2018


Mostly this is a note for any future release managers but also an FYI
to anyone interested.

We're participating in the CVE Automation Working Group pilot to
provide CVE information via git[1].  This means when we do any future
security release of OpenSSL we can send information about each CVE
directly to Mitre (via a forked github repo and pull request) rather
than filling out their web based form.

In order to prepare for the pilot we've also switched from providing
CVE information from the Mitre plain text format to JSON[2]. The
JSON files do not have to be written by hand, unlike the text versions
we had to create, and are instead created using a script[4] from the
XML format[3] we use to populate the OpenSSL site.

Step-by-step instructions for release managers are (temporarily)
included in the cvepool.txt file in the private repo.

Mark J Cox

[1] https://github.com/CVEProject/cvelist/
[2] https://github.com/CVEProject/automation-working-group/tree/master/cve_json_schema
[3] https://www.openssl.org/news/vulnerabilities.xml
[4] https://github.com/openssl/web/blob/master/bin/vulnxml2json.py
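An added example (not the project's vulnxml2json.py) sketching the XML-to-JSON step the post describes: it reads a constructed fragment shaped like vulnerabilities.xml (element and attribute names, the assigner address and the CVE id are assumptions or placeholders) and emits a CVE JSON 4.0-style record, refusing issues that lack the id, description or fixed version that a submission needs.

```python
import json
import xml.etree.ElementTree as ET

# Constructed XML fragment, modelled on the shape of vulnerabilities.xml
# (element/attribute names are assumptions); the CVE id is a placeholder.
SAMPLE_XML = """<security>
  <issue public="20180101">
    <cve name="YYYY-NNNNN"/>
    <affects base="1.1.0" version="1.1.0a"/>
    <affects base="1.1.0" version="1.1.0b"/>
    <fixed base="1.1.0" version="1.1.0c" date="20180101"/>
    <impact severity="Moderate"/>
    <advisory url="https://www.openssl.org/news/secadv/example.txt"/>
    <title>Constructed example issue</title>
    <description>Constructed description of the flaw.</description>
  </issue>
</security>"""

ASSIGNER = "security@example.org"  # placeholder, not the real CNA address


def issue_to_record(issue):
    """Map one <issue> element to a CVE JSON 4.0-style dict."""
    cve = issue.find("cve")
    description = (issue.findtext("description") or "").strip()
    fixed = issue.findall("fixed")
    # Refuse to emit a record that would be bounced: no id, no text, no fix.
    if cve is None or not cve.get("name"):
        raise ValueError("issue has no <cve name=...>")
    if not description:
        raise ValueError("issue has empty <description>")
    if not fixed:
        raise ValueError("issue has no <fixed> version")
    affected = [{"version_value": a.get("version")} for a in issue.findall("affects")]
    fixed_note = " Fixed in " + ", ".join(f.get("version") for f in fixed) + "."
    return {
        "data_type": "CVE", "data_format": "MITRE", "data_version": "4.0",
        "CVE_data_meta": {"ID": "CVE-" + cve.get("name"),
                          "ASSIGNER": ASSIGNER, "STATE": "PUBLIC"},
        "affects": {"vendor": {"vendor_data": [{"vendor_name": "OpenSSL",
            "product": {"product_data": [{"product_name": "OpenSSL",
                "version": {"version_data": affected}}]}}]}},
        "references": {"reference_data": [{"url": a.get("url")}
                                          for a in issue.findall("advisory")]},
        "description": {"description_data": [{"lang": "eng",
                                              "value": description + fixed_note}]},
    }


def convert(xml_text):
    """Return one JSON-serialisable record per <issue> in the XML."""
    return [issue_to_record(i) for i in ET.fromstring(xml_text).findall("issue")]


if __name__ == "__main__":
    print(json.dumps(convert(SAMPLE_XML), indent=2))
```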
