Kurt Seifried
CSA checking in, we'll definitely be attending. A good example of this problem and the kind of data we need is https://github.com/cloudsecurityalliance/gsd-database/blob/main/2021/1002xxx/GSD-2021-1002352.json aka cve-2021-44228 The GSD (GlobalSecurityDatabase) is our attempt...
DWF is changing things up, so long story short: file an issue at https://github.com/distributedweaknessfiling/DWF-CNA-Registry and we can start the process (disclaimer: I'm away at RSA this coming week). As for...
Also it's not clear to me how: > Create a list of critical projects that the open source community depends on. How is this done? Surveys? Dependency crawling? Expert analysis?...
I also wasn't talking about critical infrastructure services. I'm not sure why you also changed the title. Also, as a concrete example of what "criticality" does mean, how about timezone...
Can I suggest another question you are all forgetting to ask? What happens if that piece of code disappears from its normal home (e.g. GitHub or also things like NPM/PEAR/CPAN/etc)?...
You are looking at "criticality" and making noises about "security". I assume part of this would then be the classical CIA triad, Confidentiality (not usually applicable, unless people want to...
Can we also add: DETECTION (e.g. https://github.com/VNCERT-CC/0dayex-checker) DISCUSSION (e.g. the reddit/twitter threads on this, they're not an article/web/evidence/etc)
I see the timestamp as "best effort" e.g. tweets have good (trustworthy) timestamps but a lot of forums have bad "1 month ago" or none at all, in which case...
e.g.: local-scripts % check-jsonschema --schemafile https://raw.githubusercontent.com/ossf/osv-schema/main/validation/schema.json osv.json Schema validation errors were encountered. osv.json::$.affected[0]: 'versions' is a required property ============ { "id": "GSD-2022-1000018", "modified": "2022-01-10T19:50:23.320957Z", "published": "2022-01-10T19:50:23.320957Z", "summary": "sctp: use call_rcu...
I think there are two aspects here: Nested data Data viewpoints within a specific instance So for example you have Red Hat Enterprise Linux 8, and 9, one is affected,...