Re: [was] Agenda for Thursday 25th

[Andrew Jaquith <ajaquith@atstake.com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Folks,

I too cannot make the call today -- am making a last-minute (and 
unscheduled) trip to NY to give a talk at a client.

That said, I have two points, for Ingo/Mark and Rogan respectively:

- - I agree with the naming convention concerns Ingo has. My 
recommendation would be to stick to all lower case, no numbers, and to 
substitute dashes for spaces. (e.g., 'risk-ranking'). I've seen this 
convention before and it seems to work well.

- - For marshalling/unmarshalling XML into Java objects I recommend JAXB. 
Jakarta's Commons Digester also works well, and of course there's plain 
old SAX parsing too. See my earlier attempt at the schema, in which I 
included a JAXB implementation that reads/writes XML. I included a 
little demo app...

In general, I am strongly in favor of continuing to use schema.

That's all for now -- must run.

Andrew


Ingo Struck wrote:
> Folks, 
> 
> I will try to participate today - let's see if it works overseas. ;o)
> Sorry for my silence during the last weeks, but we are currently
> setting up a very gainful project right now, that will last till December.
> 
> Some annotations regarding the "draft"
> - naming: please remove all non-alpha chars from the names.
>   names containing blanks or other special characters are always problematic
>   during data processing (normalization etc. pp.)
>   "VulnDB's" or "Risk Ranking" are not acceptable
> - naming: please hold on to a strict naming convention, lets say
>   all lowercase or java convention (starting with a lowercase char),
>   e.g. "Risk Ranking" -> "riskRanking"
> - Remedy group: I don't think that a "Patch" is sufficient here. Most often
>   the remedy does not consist of a simple patch, but of an abstract
>   instruction. Thus the remedy should contain a textual description too.
> - ApplicableTo left out: I guess this is *the* criterion one would like to
>   search for. The default scenario for me is: "I have got app server x and
>   web server y on platform z, so what issues are known for that?"
>   Everything else is only a refinement (e.g. "only those of the last month",
>   "only the GPLd ones", etc.)
>   So the applicableTo thing is a central point for retrieval.
>   BTW the ApplicableTo as found in the current VulnXML DTD is one of
>   the most over-worked things there: the cardinality and structure of the
>   parts should be exactly what we need, so we could just adopt that part.
> - data entry stuff: I still dont understand why we should write yet another
>   "skunkwork" editor to perform data entry based upon xml:schema while
>   having a completely functional DTD based editor online that could be
>   easily adapted.
> 
> As for the extension of the VulnXML execution logic:
> I think it would be better to write a working executor based upon
> what we have now as a proof-of-concept (the python based stuff
> is rather outdated and I dont know, if someone is willing to adapt it)
> before thinking of extensions. 
> 
> Let's discuss the the minutiae later on. :o)
> 
> Kind regards
> 
> Ingo

To unsubscribe from this mailing list (and be removed from the roster of 
the OASIS TC), go to 
http://www.oasis-open.org/apps/org/workgroup/was/members/leave_workgroup.php.



- -- 
Andrew Jaquith
Program Director
@stake, Inc.
196 Broadway
Cambridge, MA 02139
USA

Direct:  617.768.2711
Mobile:  617.501.3278
Fax:     617.621.1478
Email:   ajaquith@atstake.com
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x898CF546
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE/csq1iZurRomM9UYRAvB9AKCAsdVkR1f2YBYEoLvkmhPCuYJ7hACghGBC
T2uJVr1FUVbhU4kLdANF8wU=
=ysfJ
-----END PGP SIGNATURE-----