On Wed, 21 Aug 2019 at 11:55, Mark J. Cox <m...@apache.org> wrote:
>
> > Many of the files have very long lines, so will be difficult to maintain.
>
> The Vulnogram tool is a nodejs app and the standalone files are generated
> using a nodejs script. I was intending to just check in the compiled files
> for now.
>
> > Also there is no indication of the source of the code and its license.
>
> https://github.com/Vulnogram/Vulnogram at the moment with a number of
> customisations and patches I hope to fold many of these back into the
> upstream project.

AFAICT the license is CC BY 3.0, which is only allowed in binary form:
http://apache.org/legal/resolved.html#cc-by

I'm not sure we can use the code in that case.

> > Given that the tool requires a login, it could pre-populate the email
> > address(es).
>
> Yes.
>
> > > hope we can integrate it in time for the ApacheCon security BoF
> >
> > When is that?
>
> https://www.apachecon.com/acna19/s/#/scheduledEvent/1337 although I'm away in
> 6 days time until then. So if we don't want to pop the compiled stuff into
> the tree I can always host it elsewhere for the BoF demo.
>
> Mark
>
> > > Thanks, Mark
> > >
> > > On Wed, Aug 7, 2019 at 9:05 AM Mark Cox <m...@apache.org> wrote:
> > >
> > > > Hi all!
> > > >
> > > > Many of our projects struggle with the format of creating Mitre CVEs and
> > > > various text representations of vulnerabilities needed for public mailing
> > > > lists as per our security policy.
> > > >
> > > > But, one of the CVE automation working group members has been working on a
> > > > nice javascript tool that simplifies all this (
> > > > https://vulnogram.github.io/), and I'm working with it and him on making
> > > > it so we can do an easy customisation to guide ASF projects through the
> > > > process.
> > > >
> > > > The tool runs standalone just static content once built (it may pull from
> > > > /public jsons too) so I'd really just need somewhere I can commit to that
> > > > appears under whimsy. In the future the tool may even be able to submit
> > > > direct to Mitre so it'd make sense to start it with requiring /committer/
> > > > access to run it.
> > > >
> > > > So this could be as simple as agreeing a location and allowing me to
> > > > update things there?
> > > >
> > > > Mark