Subject: Re: [was] Agenda for Thursday 25th
Folks,

I too cannot make the call today -- am making a last-minute (and unscheduled) trip to NY to give a talk at a client. That said, I have two points, for Ingo/Mark and Rogan respectively:

- I agree with the naming convention concerns Ingo has. My recommendation would be to stick to all lower case, no numbers, and to substitute dashes for spaces. (e.g., 'risk-ranking'). I've seen this convention before and it seems to work well.

- For marshalling/unmarshalling XML into Java objects I recommend JAXB. Jakarta's Commons Digester also works well, and of course there's plain old SAX parsing too. See my earlier attempt at the schema, in which I included a JAXB implementation that reads/writes XML. I included a little demo app...

In general, I am strongly in favor of continuing to use schema.

That's all for now -- must run.

Andrew

Ingo Struck wrote:

> Folks,
>
> I will try to participate today - let's see if it works overseas. ;o)
> Sorry for my silence during the last weeks, but we are currently
> setting up a very gainful project right now, that will last till December.
>
> Some annotations regarding the "draft"
> - naming: please remove all non-alpha chars from the names.
> names containing blanks or other special characters are always problematic
> during data processing (normalization etc. pp.)
> "VulnDB's" or "Risk Ranking" are not acceptable
> - naming: please hold on to a strict naming convention, let's say
> all lowercase or java convention (starting with a lowercase char),
> e.g. "Risk Ranking" -> "riskRanking"
> - Remedy group: I don't think that a "Patch" is sufficient here. Most often
> the remedy does not consist of a simple patch, but of an abstract
> instruction. Thus the remedy should contain a textual description too.
> - ApplicableTo left out: I guess this is *the* criterion one would like to
> search for. The default scenario for me is: "I have got app server x and
> web server y on platform z, so what issues are known for that?"
> Everything else is only a refinement (e.g. "only those of the last month",
> "only the GPLd ones", etc.)
> So the applicableTo thing is a central point for retrieval.
> BTW the ApplicableTo as found in the current VulnXML DTD is one of
> the most over-worked things there: the cardinality and structure of the
> parts should be exactly what we need, so we could just adopt that part.
> - data entry stuff: I still don't understand why we should write yet another
> "skunkwork" editor to perform data entry based upon xml:schema while
> having a completely functional DTD based editor online that could be
> easily adapted.
>
> As for the extension of the VulnXML execution logic:
> I think it would be better to write a working executor based upon
> what we have now as a proof-of-concept (the python based stuff
> is rather outdated and I don't know, if someone is willing to adapt it)
> before thinking of extensions.
>
> Let's discuss the minutiae later on. :o)
>
> Kind regards
>
> Ingo

--
Andrew Jaquith
Program Director
@stake, Inc.
196 Broadway
Cambridge, MA 02139 USA
Direct: 617.768.2711
Mobile: 617.501.3278
Fax: 617.621.1478
Email: ajaquith@atstake.com
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x898CF546