Re: DWF relationship with UVI


Ariadne Conill

Sep 2, 2021, 3:17:28 AM
to Chris, UVI Discussion Group
Hi,

On Wed, 1 Sep 2021, Chris wrote:

> Is there any relationship with UVI?
> https://cloudsecurityalliance.org/blog/2021/07/15/got-vulnerability-cloud-security-alliance-wants-to-identify-it/
> https://universalvulnerabilityidentifier.org/
>
> The UVI repo path structure and file format is conspicuously similar
> https://github.com/cloudsecurityalliance/uvi-database/blob/main/2021/1000xxx/
>
> That may simply be a coincidence from a convention both projects implement by a workflow or library I've not used before

DWF and UVI are basically the same project, but UVI is a superset of what
DWF was trying to do.

> Given my research into DWF is starting today, I did notice it was discussed at RSA 2017 and at least 2 of the Red Hat URLs about DWF are 404 now. Is there still a Red Hat relationship? I digress.
>
> So I'm quite familiar with CSA and the UVI seems to have begun more recently than DWF, so one may argue that DWF was first, however it appears UVI has momentum and reached a similar level of maturity
> as DWF has in all this time. So I wonder why there should be two separate/competing 'community' initiatives with the same goal.
>
> So I really hope that UVI and DWF have a plan to merge/unify or diverge and refocus efforts on distinct problem spaces, or something.

The people who were doing DWF are the same people doing UVI.

> I'm keen to contribute somewhere, not sure where yet. A lot of questions need answers before I can decide where the very limited time I can give is best spent; these were the main questions for now.
> Let's discuss!

Great, glad to see you here.

Ariadne

Josh Bressers

Sep 2, 2021, 10:48:25 AM
to Ariadne Conill, Chris, UVI Discussion Group
Hi Chris,

To add a bit to Ariadne's fantastic answers:

DWF has a somewhat strange history: the project was created, folded into CVE, then created again as an experiment to understand if the future should be augmenting CVE or starting something new. It became pretty clear that something new was the right path forward, which is where UVI then came from. The project has been rather slow to get moving; we would welcome any help and ideas.

You can find the current dataset here

Figuring out how to represent the data is a pretty big task.

The current tools we're working with are here

I look forward to your ideas and comments!

--
    Josh
