CISecurity / OVALRepo


Recently updated content missing repo metadata #133

Open DavidRies opened 9 years ago

DavidRies commented 9 years ago

So, I noticed that several recently committed definition updates are not showing up in the list of recently updated definitions on the site. For example, see: https://github.com/CISecurity/OVALRepo/commit/434bbdb9828cb3e4f102497e595129d9cb6fdfda

If you look at the updated definitions, you'll see that they do not include metadata indicating that they've been updated. For example:

      <dates>
        <submitted date="2013-11-15T17:30:00.000-05:00">
          <contributor organization="Hewlett-Packard">Chandan M C</contributor>
        </submitted>
        <status_change date="2013-11-21T13:18:01.032-05:00">DRAFT</status_change>
        <status_change date="2013-12-09T04:00:08.324-05:00">INTERIM</status_change>
        <status_change date="2013-12-30T04:00:14.643-05:00">ACCEPTED</status_change>
      </dates>

This metadata is required to power the contributor and recently updated stats, searching, etc.

Including this metadata should be required of contributors and confirming that it's there should be a part of QA (ideally a part of the script).

wmunyan commented 8 years ago

Sorry, I haven't responded to this one. The <status_change> elements in the example above represent the automatic updates that MITRE had processed. Each update is separated by 2 weeks of time for users and contributors to make modifications. If no comments or updates occurred in the 2 week time period, the status automatically updated... So no real contributors are making any changes. Any modifications made to the content for actual updates do indeed require a <modified> tag and contributor information.

DavidRies commented 8 years ago

Hi Bill, that makes sense. There's certainly no contributor for a status_change.

I don't remember what prompted this, so maybe it was all a mistake. Out of curiosity, do you check to ensure the appropriate contributor metadata has been added into contributions? Is this a scripted check of some sort or manual?

wmunyan commented 8 years ago

Part of the QA script checks to ensure the last <status_change> value is the same as the definition's <status>. Other than that, I currently manually check that the appropriate <modified> or <submitted> contributor information is present and correct.
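One way to script both checks discussed in this thread, as an added example (it is not part of the thread and is not the OVALRepo QA script). The function name `check_repo_metadata`, the `oval_repository` wrapper in the constructed sample, and the placement of `<status>` beside `<dates>` are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <dates> block quoted in the issue, wrapped in an
# assumed parent element together with an assumed sibling <status>.
SAMPLE_OK = """<oval_repository>
  <dates>
    <submitted date="2013-11-15T17:30:00.000-05:00">
      <contributor organization="Hewlett-Packard">Chandan M C</contributor>
    </submitted>
    <status_change date="2013-11-21T13:18:01.032-05:00">DRAFT</status_change>
    <status_change date="2013-12-09T04:00:08.324-05:00">INTERIM</status_change>
    <status_change date="2013-12-30T04:00:14.643-05:00">ACCEPTED</status_change>
  </dates>
  <status>ACCEPTED</status>
</oval_repository>"""

def local(tag):
    """Strip any XML namespace so the check works with or without one."""
    return tag.rsplit("}", 1)[-1]

def check_repo_metadata(xml_text):
    """Return a list of problems found in one definition's repository metadata."""
    root = ET.fromstring(xml_text)
    dates = next((e for e in root.iter() if local(e.tag) == "dates"), None)
    status = next((e for e in root.iter() if local(e.tag) == "status"), None)
    if dates is None or status is None:
        return ["missing <dates> or <status>"]
    problems = []
    # Check 1: the last <status_change> must equal the definition's <status>.
    changes = [e for e in dates if local(e.tag) == "status_change"]
    if not changes:
        problems.append("no <status_change> entries")
    elif (changes[-1].text or "").strip() != (status.text or "").strip():
        problems.append("last <status_change> does not match <status>")
    # Check 2: every <submitted>/<modified> entry names a contributor and organization.
    authored = [e for e in dates if local(e.tag) in ("submitted", "modified")]
    if not any(local(e.tag) == "submitted" for e in authored):
        problems.append("no <submitted> entry")
    for e in authored:
        who = [c for c in e if local(c.tag) == "contributor"]
        incomplete = [c for c in who
                      if not (c.text or "").strip() or not c.get("organization")]
        if not who or incomplete:
            problems.append(f"<{local(e.tag)}> dated {e.get('date')}: "
                            "contributor name or organization missing")
    return problems
```

This validates that existing entries are well formed; it cannot tell whether a content change was committed without a `<modified>` entry, which needs a comparison against the previous revision of the file.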