mirror of
https://github.com/CVEProject/cvelist.git
synced 2025-06-19 17:32:41 +00:00
- Updated steps CNAs can use to send us data.
parent 89922cb88b
commit a0fd2a17aa
@ -25,22 +25,66 @@ commits](https://help.github.com/articles/signing-commits-with-gpg/).
|
|||||||
|
|
||||||
## Sending Data about CVE Entries to MITRE
|
## Sending Data about CVE Entries to MITRE
|
||||||
|
|
||||||
0. If you haven't done so already, fork the _cvelist_ repository.
|
0. If you haven't done so already, create an account on Github.com
|
||||||
|
and fork the _cvelist_ repository. For example, if your account name
|
||||||
|
is `$YOU`, this will result in a new repo named $YOU/cvelist.
|
||||||
|
[**NB**: `$YOU` is used throughout the rest of this file; substitute
|
||||||
|
your own account name in any names, commands, URLs, etc.] Then clone
|
||||||
|
your repo on a local host, such as your workstation or a *nix
|
||||||
|
system where you have shell access.
|
||||||
|
|
||||||
1. Ensure your [fork is up to date](https://help.github.com/articles/syncing-a-fork/),
|
1. Ensure your [fork is up to
|
||||||
especially prior to creating a new branch (every time you create a new branch).
|
date](https://help.github.com/articles/syncing-a-fork/), especially
|
||||||
|
prior to creating a new branch (every time you create a new branch).
|
||||||
|
|
||||||
2. Create a new branch. We recommend grouping related updates into a
|
2. Optionally push any updates from the upstream `CVEProject/cvelist`
|
||||||
single submission and using a separate branch for each submission.
|
master back to Github.com (eg, `git push`).
|
||||||
For example, one CNA may choose to have a single submission for each
|
|
||||||
monthly patch bundle, while another may opt for a daily submission.
|
2. Create a new branch, separate from `master`, for each submission.
|
||||||
|
We encourage you to include in that multiple, related updates whenever
|
||||||
|
possible. For example, if you publish monthly advisories, you might
|
||||||
|
name your branch `Nov-2017` and use that to send us assignment
|
||||||
|
information for all the CVE ids you assigned in that month. If
|
||||||
|
instead you publish advisories only as needed, you might name your
|
||||||
|
branch using the advisory id (eg, `SA-2017-11-03`) and include in
|
||||||
|
that assignment information for the CVE ids you assigned for only
|
||||||
|
this one advisory. For now, let's assume you've named your branch
|
||||||
|
`$YOUR_BRANCH` (eg, `git checkout -b $YOUR_BRANCH`).
|
||||||
|
|
||||||
3. Make changes to one or more files. **NB:** limit your changes to
|
3. Make changes to one or more files. **NB:** limit your changes to
|
||||||
only those portions of the JSON that need to be updated rather than
|
only those portions of the JSON that need to be updated rather than
|
||||||
naively overwriting the entire file.
|
naively overwriting the entire file.
|
||||||
|
|
||||||
4. Create a pull request to merge the changes in your new branch into
|
4. Validate any files you change against the JSON schema and
|
||||||
the cvelist master.
|
ensure they pass.
|
||||||
|
|
||||||
|
5. **Review your updates carefully** and make sure they contain
|
||||||
|
**only information you intend to make public**. Once those reach
|
||||||
|
Github.com, it' extremely difficult if not impossible to put it back
|
||||||
|
under wraps. For example, you may be able to check that every CVE id
|
||||||
|
is mentioned in one of the references associated with it to avoid
|
||||||
|
making public information about a vulnerability ahead of schedule.
|
||||||
|
Also, review the details in the description. Do they agree with
|
||||||
|
information in the associated references?
|
||||||
|
|
||||||
|
6. Commit your changes (eg, `git commit -av`) and, if necessary, push
|
||||||
|
your branch from your local copy of your repo to Github.com (eg, `git
|
||||||
|
push origin $YOUR_BRANCH`).
|
||||||
|
|
||||||
|
7. Create a pull request to merge the changes in your new branch into
|
||||||
|
`CVEProject/cvelist` master. You can do this by browsing to
|
||||||
|
https://github.com/$YOU/cvelist/pull/new/master and then filling in
|
||||||
|
the form. There are several fields that you need to worry about :
|
||||||
|
|
||||||
|
* `base fork` is the upstream repo in which you want your updates merged - `CVEProject/cvelist`
|
||||||
|
* `base` is the branch in the upstream repo in which the changes should be placed - `master`
|
||||||
|
* `head fork` is your repo from which the updates should be taken; eg, `$YOU/cvelist`
|
||||||
|
* `compare` is the branch in your repo where the changes are; eg, `$YOUR_BRANCH`
|
||||||
|
|
||||||
|
If you created your pull request using the URL above, make sure that
|
||||||
|
Github reports that the branches can be merged. If not, say because
|
||||||
|
you forgot to ensure your fork was synched with the upstream master,
|
||||||
|
make additional commits in your branch to resolve the merge conflicts.
|
||||||
|
|
||||||
After a pull request has been submitted, the CVE Team will review the
|
After a pull request has been submitted, the CVE Team will review the
|
||||||
submission and work with you to resolve issues. Then the CVE Team
|
submission and work with you to resolve issues. Then the CVE Team
|
||||||
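Review bot: The new step 4 (`Validate any files you change against the JSON schema and ensure they pass.`) does not say where the schema lives or how to run the check, while the neighbouring steps each carry an `eg` command (`git push`, `git checkout -b $YOUR_BRANCH`, `git commit -av`); add a link or path to the schema and one example invocation so every CNA runs the same check before the pull request. The inserted `2. Optionally push any updates ...` step also leaves two items numbered `2.`, so the step numbers in the source and in a rendered view diverge from that point on; renumber the list through the last step. In step 5, `it' extremely difficult` should read `it's extremely difficult`, and `Once those reach Github.com ... put it back` switches from plural to singular. `$YOU/cvelist` in step 0 is missing the backticks used for it elsewhere, and `worry about :` has a stray space before the colon.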
@ -60,10 +104,10 @@ github.com/CVEProject/cvelist --> fork --> github.com/$YOU/cvelist
|
|||||||
| /localpath/repo/cvelist
|
| /localpath/repo/cvelist
|
||||||
create | pull request | |
|
create | pull request | |
|
||||||
| git branch git branch
|
| git branch git branch
|
||||||
github.com/$YOU/cvelist/cve_assign_20170915 | |
|
github.com/$YOU/cvelist/$YOUR_BRANCH | |
|
||||||
| | V
|
| | V
|
||||||
| V some_other_branch
|
| V some_other_branch
|
||||||
`-- push to your github <-- cve_assign_20170915
|
`-- push to your github <-- $YOUR_BRANCH
|
||||||
```
|
```
|
||||||
|
|
||||||
## Contact
|
## Contact
|
||||||
|
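Review bot: On the two diagram lines where `cve_assign_20170915` becomes `$YOUR_BRANCH`, the replacement is seven characters shorter, so the `| |` columns and the `<--` arrow need re-padding to stay aligned with the rows above and below; please confirm the diagram still lines up in a monospace view. The other branch is still the literal `some_other_branch`, which now sits next to a placeholder; either keep both as example names or say in the surrounding text that only `$YOUR_BRANCH` is meant to be substituted.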