Subject: Re: [csaf] backward compatibility in 1.2 clarification
On 01/25/2017, at 12:25 PM, Feng Cao wrote:

Yeah, I noted something similar in https://issues.oasis-open.org/browse/CSAF-14 and agree with you. I knew that the CVSSScoreSets was optional, but when you used it, ScoreSet was mandatory; this does require some level of backwards incompatibility.
On 1/25/2017 11:20 AM, Feng Cao wrote:

Hi folks,

This was brought up in today's meeting. Here are some facts so that everyone can be on the same page when backward compatibility is discussed.

For all the existing CVRF documents, namespace is 1.1 (i.e. xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1"). So there should be any backward-compatibility issue for these documents, assume the tool loads 1.1 xsd as before.

I mean "there should NOT be any backward-compatibility issue for ..." :-)

For the new documents using CVRF 1.2, namespace is 1.2 (likely, urn:oasis:names:tc:...). So the tool should load 1.2 xsd and add more code to handle it accordingly. Note that "ScoreSet" (i.e. CVSS v2) in 1.1 is mandatory, which doesn't make any sense in 1.2 anymore. In 1.2, CVSS v3 should be mandatory (if the vendors still prefer CVSS v2, they can use 1.1 as before). So there must be the changes in "ScoreSet" anyway.

The clean solution in 1.2 is to remove "ScoreSet", which is such a confusing name, and add "ScoreSetV2" and "ScoreSetV3". It would be a minor change for the tool to SKIP "ScoreSet" and process "ScoreSetV2" and "ScoreSetV3" when it recognizes 1.2 in use.

Thanks,
Feng Cao
Oracle Security Alerts
-- Vincent Danen / Red Hat Product Security