[AppStream] Adding CVE information to <releases>
Richard Hughes
hughsient at gmail.com
Sun Sep 15 08:48:32 UTC 2019
On Sun, 15 Sep 2019 at 01:26, Matthias Klumpp <matthias at tenstral.net> wrote:
> My initial impulse was something like this:
> <bugfix type="cve">CVE-2016-00000</bugfix>
> <bugfix type="url">https://bugzilla.redhat.com/show_bug.cgi?id=12345</bugfix>
This needs a parent tag, although bugfix is more expressive than <issue>
> But what if people want to mention issues fixed that aren't bugs, like
> linking to features?
I think that encroaches on the release notes URL.
> <issues>
> <issue type="cve">CVE-2016-00000</issue>
> <issue type="url">https://bugzilla.redhat.com/show_bug.cgi?id=12345</issue>
> </issues>
It does seem weird to have the "subject" of the CVE tag be the ID and
the subject of the URL to be a, well, URL.
> The name is okay. I dislike (bug)fix because it is less universal
Also, bugfix implies there was a bug to begin with, which some legal
teams don't like to admit -- this is why they're "issues" on GitHub
for example.
> In general, I think at least CVE IDs make a lot of sense to have, and
> having issue number URLs may be useful too. To make URLs more useful,
> something like this may also work:
> ```
> <issues>
> <issue type="cve">CVE-2016-00000</issue>
> <issue url="https://bugzilla.redhat.com/show_bug.cgi?id=12345">12345</issue>
> </issues>
> ```
I think this is pretty close. CVE can have a URL too, for instance
https://nvd.nist.gov/vuln/detail/CVE-2016-00000 -- given what we both
agree on, there seems to be a few options:
<issues>
<issue type="cve"
url="https://nvd.nist.gov/vuln/detail/CVE-2016-00000">CVE-2016-00000</issue>
<issue url="https://bugzilla.redhat.com/show_bug.cgi?id=12345">RHBZ#12345</issue>
</issues>
or
<issues>
<cve>CVE-2016-12345</cve>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=12345</url>
</issues>
or
<issues>
<url type="cve"
id="CVE-2016-00000">https://nvd.nist.gov/vuln/detail/CVE-2016-00000</url>
<url id="rhbz#12345">https://bugzilla.redhat.com/show_bug.cgi?id=12345</url>
</issues>
I guess we've got to consider that metainfo.xml files are typically
written by hand, and we ought to make the schema as simple as
possible. Perhaps <cve>CVE-2016-12345</cve> is indeed the easiest thing
to understand.
Richard.
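As an added example (not code from this thread or from the AppStream project), here is a small Python reader for the first layout Richard lists: an `<issues>` block inside a `<release>`, where each `<issue>` carries an optional `type="cve"` and an optional `url` attribute. It validates CVE identifiers, fills in an NVD link for CVE entries that have none (using the nvd.nist.gov URL pattern quoted in the message), and flags malformed entries instead of silently dropping them. The metainfo fragment is constructed for the example, and the element names follow the proposal in the message, not a finalised specification.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample metainfo.xml fragment. The <issues> layout is the first
# option proposed in the thread (type="cve" plus an optional url attribute);
# it is an example, not a quote from the AppStream specification.
SAMPLE_METAINFO = """<?xml version="1.0" encoding="UTF-8"?>
<component type="desktop-application">
  <id>org.example.App</id>
  <releases>
    <release version="1.2.1" date="2019-09-15">
      <description><p>Security fixes.</p></description>
      <issues>
        <issue type="cve" url="https://nvd.nist.gov/vuln/detail/CVE-2016-00000">CVE-2016-00000</issue>
        <issue type="cve">CVE-2019-1234567</issue>
        <issue url="https://bugzilla.redhat.com/show_bug.cgi?id=12345">RHBZ#12345</issue>
        <issue type="cve">not-a-cve</issue>
      </issues>
    </release>
    <release version="1.2.0" date="2019-08-01"/>
  </releases>
</component>
"""

# CVE IDs are "CVE-" + four-digit year + at least four digits (MITRE syntax).
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
# URL prefix quoted in the message; appended to a CVE ID when no url is given.
NVD_URL = "https://nvd.nist.gov/vuln/detail/"


def parse_release_issues(xml_text):
    """Map each release version to a list of issue dicts.

    Each dict has keys: type ("cve" or "generic"), id (element text),
    url (attribute, or a derived NVD link for valid CVEs) and valid
    (False when a CVE entry does not look like a CVE ID, or a generic
    entry has neither text nor a url).
    """
    root = ET.fromstring(xml_text)
    releases = {}
    for rel in root.iter("release"):
        version = rel.get("version", "")
        entries = []
        for issue in rel.iterfind("./issues/issue"):
            kind = issue.get("type", "generic")
            ident = (issue.text or "").strip()
            url = issue.get("url")
            entry = {"type": kind, "id": ident, "url": url, "valid": True}
            if kind == "cve":
                if CVE_RE.match(ident):
                    if url is None:
                        entry["url"] = NVD_URL + ident
                else:
                    entry["valid"] = False
            elif url is None and not ident:
                entry["valid"] = False
            entries.append(entry)
        releases[version] = entries
    return releases


def cves_fixed(xml_text):
    """Return the sorted, validated CVE IDs mentioned across all releases."""
    ids = set()
    for entries in parse_release_issues(xml_text).values():
        for entry in entries:
            if entry["type"] == "cve" and entry["valid"]:
                ids.add(entry["id"])
    return sorted(ids)


if __name__ == "__main__":
    for version, entries in parse_release_issues(SAMPLE_METAINFO).items():
        print(version)
        for entry in entries:
            flag = "" if entry["valid"] else "  (malformed)"
            print("  %-8s %-20s %s%s" % (entry["type"], entry["id"], entry["url"], flag))
    print("CVEs fixed:", ", ".join(cves_fixed(SAMPLE_METAINFO)))
```

The `valid` flag is the useful part for anyone consuming this metadata: a hand-written `<issue type="cve">` with a typo in the ID would otherwise look like a fixed vulnerability to a scanner that matches on CVE IDs. If the metainfo comes from an untrusted source rather than your own package, parse it with a hardened parser such as defusedxml instead of `xml.etree` directly.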