[Oval-devel] Project schedule update

Javier Fernández-Sanguino Peña jfs at computer.org
Fri Jun 22 17:40:27 UTC 2007


On Fri, Jun 22, 2007 at 03:09:15PM +0500, Pavel Vinogradov wrote:
>  During the interim period I changed the order of the week tasks and started
> from development of the OVAL definitions generator. And now I have fully
> updated the project schedule to conform to the current status. The schedule
> is now available on the Debian Wiki [1] and I will update it weekly to
> conform to my progress.
> 

Great! Thanks for updating it; this is going to help us much more
in tracking how the project is going. A few comments, though:

(Week #4)
* Start experiments with dpkg library (read documentation and write code
samples)
    --> Shouldn't it be APT's library? Dpkg doesn't provide a library,
        apt does. (the name should still be 'DPKGInfoProbe' however)

(Week #7)
* Implement downloading of OVAL definitions
    -> Is this the download of OVAL definitions from Server to Agent
       or the generation of new OVAL definitions by the Server?
       (maybe based on the advisories through e-mail, RSS feed or so)
       The server has to have some way to generate up to date definitions.
       (the only easy way I see right now is by parsing the emails
       sent to debian-security-announce)

(Week #10)

It would be nice if the OVAL generation could be integrated with the
National Vulnerability Database (which now provides CVSS scores and,
consequently, ratings for vulnerabilities) or the Security Tracker
(which provides information on vulnerabilities which have *not*
been fixed by a DSA yet).

I don't think that it would be necessary to change the interpreter generator,
but rather to have:
    - a tool that given a set of OVAL definitions, downloads data from
      NVD and completes them including risk information and (maybe)
      additional references
    - a tool that reads a set of OVAL definitions and adds to them (if they are
      not yet there) OVAL definitions based on data from the Security Tracker 
      (that would help replace debsecan)
 
Note that I said it would be nice; if it's not possible to fit them in the
timeframe for GSoC, they could well be things to do in the future.

Regards

Javier