Should references be categorized?

[EvansJonathan]

GOAL: Address reference formats in CNA rules.
CHANGE: Add descriptions and process for use of reference formats in CVE descriptions (e.g., MISC:, CONFIRM:, BUGTRAQ:, etc.)
OUTCOME: CNAs will make use of the reference formats to enrich the metadata surrounding entries.

References:
Way to categorize them? CONFIRM exists, do we need more tags? "Advisory" "Analysis" "Dispute" etc.
SUGGESTION: CNAs should use reference tags when possible.
CVEProject/automation-working-group#28

[EvansJonathan]

[Manion 2017-07-11]
Agree, but also consider more scalable reference format such as vxref:
https://github.com/FIRSTdotorg/vrdx-sig-vxref-wip/tree/master/vxref

[kurtseifried]

Can I suggest we add: CODESOURCE: (e.g. link to affected source code), CODEPATCH (link to patch for source code). Or something along those lines (I know this is pretty open source specific, but it's a significant # of cases).

[david-waltermire]

Perhaps we should look into using pre-defined link relations? We could easily write an IETF draft to add new relationships as needed, providing for extensibility. This has the advantage of also working with ROLIE.

[dadinolfi]

First, to be clear what we are referring to by reference formats in CVE:
http://cve.mitre.org/data/refs/index.html

References indicate the source of a reference, and the categorization of those sources was intended to facilitate searching those sources.

Many of these reference types have been used for years, and some are no longer used because the resource to which they referred has gone away or become unavailable.

There are three questions to be answered:

1. Should CNAs be required to supply reference types/categorizations? The use of reference types/categories is currently optional (and not mentioned in the CNA rules).
2. If they do use reference types/categories, what standard should be used?
3. How should that standard be developed and published?

As mentioned above, there is conversation directly related to this in the Automation WG GitHub Issue 28 CVEProject/automation-working-group#28

[dadinolfi]

Also mentioned here:
CVEProject/automation-working-group#1

[ghost]

I've been thinking about this and I'm not sure what this categorization information is useful for, e.g. are automated tools producing reports using these urls and categorizing them?

[chandanbn]

I'm not sure what this categorization information is useful for,

Mainly for human consumption and for people who need to respond to CVEs or take actions to remediate them. A huge list of unorganized URLs isn't helpful when we are in firefighting situations.

One can guess the content based on website address, but this can be hard for eg., pointers to archived emails on oss-security. Some emails can be the first report of a vulnerability, a vendor assessment, a patch, a poc, a dispute or a postmortem. One MLIST tag to categorize them all isn't of much help.

For eg., try going through the links on http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555, and give me a proof of concept test case, or all available code changes done across various implementations.