
Re: CVE Broken References

I'm always for whatever makes things easier; I would suggest the link to archive.org, the only caveat being that if they don't have a page they serve a 200 with an error page, so people will need to parse those pages to make sure it's not the generic "oh we don't have that page" archive page. Maybe just add the link text but not hyperlink it?

On Tue, Oct 31, 2017 at 1:04 PM, Coffin, Chris <ccoffin@mitre.org> wrote:



In continuation of the Board call discussion regarding broken references, the CVE team created a few examples of how we might deal with broken CVE references in the future. One problem that we were recently pointed to is where a reference domain was reused by another organization entirely. In these cases, we may want to modify the CVE reference when we become aware of this.


A couple of points to keep in mind:

  • The examples here are specific to the CVE list on the web site only and not the CVE list downloads (e.g., CSV, XML, etc.).
  • If we can automate the process and the pages are likely to have been archived, it would probably be useful to point folks to something like the Wayback Machine.
  • It appears that some of the older references/domains currently referenced are not archived. For these we could just automatically update based on example #1 below (or something else if there are other better ideas).
  • We should probably make it clear when this situation exists, especially when we are including an archive reference (see the options below).
  • Including the Wayback Machine links would not always be a guarantee a useful archive of the reference would be available, just that we think it would be reasonably likely for the associated domain. Similarly, just because we did include a Wayback Machine link wouldn't mean the reference won’t be archived there, only that we didn’t think it was likely to be.
  • We are not intending to perform proactive reference maintenance. The examples here apply to cases where an entire domain has been removed and we are made aware of it. We could also do this in one off situations where it seems appropriate.


Example #1 – Remove hyperlink for broken references (see example1.jpg)

In this example, we simply remove the hyperlink and mark the reference URL in some way that makes it clear it is no longer functioning. We could do this automatically for domains that we know no longer exist. The point here is that the previous reference URL does have some value for folks who are trying to track something down, and removing it entirely would hinder this ability. What we are doing is just keeping the casual user of the CVE web site list from clicking on the link.


Example #2 – Add archived calendar URL (see example2.jpg)

In the second example, we have included a case where we feel there's a good likelihood people can find the page archived by following the link. The text in parentheses would be hyperlinked to a calendar showing when the page appears to have been archived. In the case of the Wayback Machine, it appears that creating this URL is automatable. As mentioned above in the points, I don't believe it would be a good idea to just change the URL to point to something else. We would want to make it clear when the reference is broken, but also include the archived reference in a form such as this.


What are folks' thoughts on these examples? Other options?






Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com
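Kurt's caveat (a page the Wayback Machine does not hold comes back as HTTP 200 with a generic error page) and Chris's Example #2 (a calendar link built from the reference URL) both come down to a small amount of code. The script below is an added example, not code from the thread's authors or from the CVE project. It assumes the Wayback Machine calendar URL form https://web.archive.org/web/*/<url> and the Wayback availability API at https://archive.org/wayback/available?url=<url>, which the thread does not mention; that API answers in JSON with the closest matching capture under "archived_snapshots" -> "closest", so the archived/not-archived decision is made on structured data instead of by recognizing the error page. The API replies used here are constructed samples embedded inline so the script runs offline, and names such as render_reference and the .invalid domains are the example's own.

```python
"""Build Wayback Machine references for a broken CVE reference URL and decide,
from an availability-API reply, whether an archived copy actually exists.

Added example; not code from the CVE list or from the thread's authors.
Assumptions: the calendar URL form https://web.archive.org/web/*/<url> and the
availability API https://archive.org/wayback/available?url=<url>, whose JSON
reply carries "archived_snapshots" -> "closest" -> {"available", "url",
"timestamp", "status"} (an empty "archived_snapshots" object means no capture).
"""
import json
from typing import Optional
from urllib.parse import urlencode

CALENDAR_BASE = "https://web.archive.org/web/*/"
AVAILABILITY_API = "https://archive.org/wayback/available"


def calendar_url(reference: str) -> str:
    """Calendar view listing every capture of `reference` (Example #2 link)."""
    return CALENDAR_BASE + reference


def availability_query_url(reference: str, timestamp: Optional[str] = None) -> str:
    """Query URL for the availability API (assumed endpoint, see docstring).

    `timestamp` (YYYYMMDDhhmmss) asks for the capture closest to that date.
    Passing a date near the CVE's publication keeps a reused domain from
    returning the new owner's pages as the "archived" advisory.
    """
    params = {"url": reference}
    if timestamp:
        params["timestamp"] = timestamp
    return AVAILABILITY_API + "?" + urlencode(params)


def fetch_api_reply(reference: str, timeout: float = 10.0) -> str:
    """Live lookup (network required); not exercised by the offline samples."""
    from urllib.request import urlopen
    with urlopen(availability_query_url(reference), timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def closest_snapshot(api_reply: str) -> Optional[str]:
    """Return the URL of the closest successful capture, or None.

    This is the check Kurt asks for: a missing page is reported by an empty
    "archived_snapshots" object (or a capture whose own status is not 200),
    never by an HTTP error, so the decision has to be made on the JSON body.
    """
    try:
        data = json.loads(api_reply)
    except json.JSONDecodeError:
        return None
    closest = data.get("archived_snapshots", {}).get("closest")
    if not closest or not closest.get("available"):
        return None
    if closest.get("status") != "200":
        return None
    return closest.get("url")


def render_reference(reference: str, api_reply: str) -> str:
    """Text for the web list page (plain text; the thread's screenshots are
    not on the page, so the marking is this example's own).

    Example #1 (no archive): unlinked URL, marked broken.
    Example #2 (archive exists): broken URL plus the calendar URL in
    parentheses, which is the part the site would hyperlink.
    """
    if closest_snapshot(api_reply) is None:
        return f"{reference} [BROKEN - not archived]"
    return f"{reference} [BROKEN] (archived copies: {calendar_url(reference)})"


# Constructed sample replies shaped like the availability API's JSON.
SAMPLE_HIT = json.dumps({
    "url": "http://example-vendor.invalid/advisory/123",
    "archived_snapshots": {"closest": {
        "available": True,
        "url": "http://web.archive.org/web/20150101000000/"
               "http://example-vendor.invalid/advisory/123",
        "timestamp": "20150101000000",
        "status": "200"}}})
SAMPLE_MISS = json.dumps({"url": "http://gone.invalid/x",
                          "archived_snapshots": {}})

if __name__ == "__main__":
    print(render_reference("http://example-vendor.invalid/advisory/123", SAMPLE_HIT))
    print(render_reference("http://gone.invalid/x", SAMPLE_MISS))
```

To run it against a real reference, pass fetch_api_reply(url) as the second argument of render_reference; for a domain known to have changed hands, build the query with a timestamp near the CVE's publication date so the capture returned predates the reuse.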

Page Last Updated or Reviewed: November 01, 2017