
Security advisories and JSA-2020-0001 - jupenur
https://community.jitsi.org/t/introducing-security-advisories-and-jsa-2020-0001/72023
======
m4r71n
Side note: I wish there was an accepted industry-wide, machine-readable format
for security advisories. It's kind of a pain that every project out there
defines their own way, ranging from atrocious blog posts:

[https://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop.html](https://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop.html)

to plain text files:

[http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2015-001.t...](http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2015-001.txt)

or custom XMLs:

[https://www.openssl.org/news/vulnerabilities.xml](https://www.openssl.org/news/vulnerabilities.xml)

The CVRF standard promised to be this but is largely unused since it's fairly
rigid and requires a lot of investment to get it right.

Even GitHub's advisories are fairly limited in the metadata they provide and
only accessible through the GraphQL API.

~~~
netsec_burn
What about CVE+CPE? The NIST NVD provides a CVE+CPE API for your machine
readable format, and CVEs are collected by MITRE.

~~~
m4r71n
Yes, but which open source project publishes CPEs for their vulnerability
information? :-) Plus, an important part of every security advisory is
specifying which versions are affected by a particular vulnerability versus
which contain the fix and are thus no longer affected.
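As an added example (not code from this thread, nor from Jitsi, NVD, MITRE or any project named above), here is a small Python sketch of the two things the discussion keeps coming back to: an advisory that names the product with a CPE 2.3 string and lists affected ranges as introduced/fixed pairs, and a check of a concrete installed version against it. The JSON schema, the advisory id EXAMPLE-SA-0001, the package examplelib, the vendor example_vendor and every version number are constructed placeholders.

```python
"""Minimal machine-readable advisory handling: parse an advisory that lists
affected version ranges (introduced/fixed) and a CPE 2.3 name, then check a
concrete installed version against it.

Added example for this thread; it is not the format of any project named
above. The schema, advisory id, package, vendor and versions are
constructed for illustration."""
import json
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Constructed advisory. "EXAMPLE-SA-0001", "examplelib" and "example_vendor"
# are placeholders, not real identifiers.
ADVISORY_JSON = """
{
  "id": "EXAMPLE-SA-0001",
  "summary": "constructed example advisory",
  "affected": [
    {
      "package": "examplelib",
      "cpe": "cpe:2.3:a:example_vendor:examplelib:*:*:*:*:*:*:*:*",
      "ranges": [
        {"introduced": "1.2.0", "fixed": "1.2.9"},
        {"introduced": "1.3.0", "fixed": "1.3.4"},
        {"introduced": "2.0.0"}
      ]
    }
  ]
}
"""


def parse_version(text: str) -> Version:
    """'1.2.10' -> (1, 2, 10). Numeric tuples compare correctly; comparing the
    raw strings would rank '1.2.10' below '1.2.9'."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unsupported version syntax: {text!r}")
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Range:
    introduced: Version
    fixed: Optional[Version]  # None: no fixed release on this branch yet

    def contains(self, version: Version) -> bool:
        # Half-open interval [introduced, fixed): the fixing release itself
        # is not affected.
        if version < self.introduced:
            return False
        return self.fixed is None or version < self.fixed


def parse_cpe23(cpe: str) -> Dict[str, str]:
    """Split a CPE 2.3 formatted string into its named components.
    Colons escaped as '\\:' inside a component are left intact."""
    parts = re.split(r"(?<!\\):", cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    names = ["part", "vendor", "product", "version", "update", "edition",
             "language", "sw_edition", "target_sw", "target_hw", "other"]
    return dict(zip(names, parts[2:]))


def load_advisory(text: str) -> dict:
    """Parse the JSON and pre-compute the CPE fields and version ranges."""
    advisory = json.loads(text)
    for entry in advisory["affected"]:
        entry["cpe_fields"] = parse_cpe23(entry["cpe"])
        entry["parsed_ranges"] = [
            Range(parse_version(r["introduced"]),
                  parse_version(r["fixed"]) if "fixed" in r else None)
            for r in entry["ranges"]
        ]
    return advisory


def is_affected(advisory: dict, package: str, version: str) -> bool:
    """True when `version` of `package` falls inside any affected range."""
    v = parse_version(version)
    return any(
        rng.contains(v)
        for entry in advisory["affected"] if entry["package"] == package
        for rng in entry["parsed_ranges"]
    )


if __name__ == "__main__":
    adv = load_advisory(ADVISORY_JSON)
    for candidate in ["1.1.9", "1.2.5", "1.2.10", "1.3.4", "2.1.0"]:
        state = "affected" if is_affected(adv, "examplelib", candidate) else "not affected"
        print(f"{adv['id']}: examplelib {candidate} is {state}")
```

The half-open ranges encode exactly the distinction m4r71n raises: 1.2.9 and 1.3.4 are the fixing releases and come out as not affected, while the 2.0.0 range with no `fixed` key marks a branch that has no patched release yet. Comparing parsed tuples rather than strings is what keeps 1.2.10 on the correct side of 1.2.9.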

