Usage of Suse Security Data in VulnerableCode

Hey,

We would like to integrate the suse backport [1][2] and suse scoring [3][4] data in vulnerablecode [5] which is a FOSS db of FOSS vulnerability data. We were not able to know under which license this security data comes. We would be grateful to have your acknowledgement over usage of the suse security data in vulnerablecode and have some kind of licensing declaration from your side.

[1] - http://ftp.suse.com/pub/projects/security/yaml/
[2] - https://github.com/nexB/vulnerablecode/pull/1053
[3] - https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
[4] - https://github.com/nexB/vulnerablecode/pull/1050
[5] - https://github.com/nexB/vulnerablecode

Regards,

Hi Tushar,

Thanks for reaching out and your interest in our CVSS scoring.

Right now I couldn't find any license reference to the YAML file you've linked, but it should be the same as our OVAL data that is under the Creative Commons License 4.0 with Attribution (CC-BY-4.0), and also includes the CVSS score.

https://www.suse.com/support/security/oval/

I will try to find out about the YAML file as well, but this could take a couple days.

Best regards,
Alex~

On Tue, Jan 10, 2023 at 01:05:23PM -0000, Tushar Goel wrote:
> Hey,
>
> We would like to integrate the suse backport [1][2] and suse scoring [3][4] data in vulnerablecode [5] which is a FOSS db of FOSS vulnerability data. We were not able to know under which license this security data comes. We would be grateful to have your acknowledgement over usage of the suse security data in vulnerablecode and have some kind of licensing declaration from your side.
>
> [1] - http://ftp.suse.com/pub/projects/security/yaml/
> [2] - https://github.com/nexB/vulnerablecode/pull/1053
> [3] - https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
> [4] - https://github.com/nexB/vulnerablecode/pull/1050
> [5] - https://github.com/nexB/vulnerablecode
>
> Regards,

--
Alexander Bergmann <abergmann@suse.com>
Security Engineer, GPG: E30A 65A4 0F50 0066 B2B5 F614 DE54 E875 9FFA 4886
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5, 90409 Nuremberg, Germany
(HRB 36809, AG Nürnberg)
Managing Director/Geschäftsführer: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman

Hi,

As Alexander writes, all our security automation data is licensed CC-BY-4.0. "Creative Commons License 4.0 with Attribution (CC-BY-4.0)"

FWIW the YAML file is a SUSE specific file only containing the CVSS scores: http://ftp.suse.com/pub/projects/security/yaml/

I would recommend using one of the standard formats for getting CVSS scores.

Ciao, Marcus

On Tue, Jan 10, 2023 at 04:33:46PM +0100, Alexander Bergmann wrote:
> Hi Tushar,
>
> Thanks for reaching out and your interest in our CVSS scoring.
>
> Right now I couldn't find any license reference to the YAML file you've linked, but it should be the same as our OVAL data that is under the Creative Commons License 4.0 with Attribution (CC-BY-4.0), and also includes the CVSS score.
>
> https://www.suse.com/support/security/oval/
>
> I will try to find out about the YAML file as well, but this could take a couple days.
>
> Best regards,
> Alex~
--
Marcus Meissner (he/him), Distinguished Engineer / Senior Project Manager Security
SUSE Software Solutions Germany GmbH, Frankenstrasse 146, 90461 Nuernberg, Germany
GF: Ivo Totev, Andrew Myers, Andrew McDonald, Martje Boudien Moerman, HRB 36809, AG Nuernberg

Hi,

FWIW, the backports data in the yaml directory is no longer generated and I have now deleted the data. Our PM only wishes that we publish data in standard formats.

As Alexander writes, please use our OVAL, CVRF or CSAF data preferably.

The YAML file with the CVSS scores will stay however for ease of consumption.

Ciao, Marcus

On Tue, Jan 10, 2023 at 06:47:06PM +0100, Marcus Meissner wrote:
> Hi,
>
> As Alexander writes, all our security automation data is licensed CC-BY-4.0. "Creative Commons License 4.0 with Attribution (CC-BY-4.0)"
>
> FWIW the YAML file is a SUSE specific file only containing the CVSS scores: http://ftp.suse.com/pub/projects/security/yaml/
>
> I would recommend using one of the standard formats for getting CVSS scores.
>
> Ciao, Marcus
--
Marcus Meissner (he/him), Distinguished Engineer / Senior Project Manager Security
SUSE Software Solutions Germany GmbH, Frankenstrasse 146, 90461 Nuernberg, Germany
GF: Ivo Totev, Andrew Myers, Andrew McDonald, Martje Boudien Moerman, HRB 36809, AG Nuernberg

Hey,

Thank you Marcus and Alexander for your response.

Regards,

On Tue, Jan 10, 2023 at 11:23 PM Marcus Meissner <meissner@suse.de> wrote:
> Hi,
>
> FWIW, the backports data in the yaml directory is no longer generated and I have now deleted the data. Our PM only wishes that we publish data in standard formats.
>
> As Alexander writes, please use our OVAL, CVRF or CSAF data preferably.
>
> The YAML file with the CVSS scores will stay however for ease of consumption.
>
> Ciao, Marcus

participants (3)
- Alexander Bergmann
- Marcus Meissner
- Tushar Goel