backward compatibility in 1.2 clarification

[Feng Cao <feng.cao@oracle.com>]

Hi folks,

This was brought up in today's meeting. Here are some facts so that everyone can be on the same page when backward compatibility is discussed.

For all the existing CVRF documents, namespace is 1.1 (i.e. xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1"). So there should be any backward-compatibility issue for these documents, assume the tool loads 1.1 xsd as before.

For the new documents using CVRF 1.2, namespace is 1.2 (likely, urn:oasis:names:tc:...). So the tool should load 1.2 xsd and add more code to handle it accordingly. Note that "ScoreSet" (i.e. CVSS v2) in 1.1 is mandatory, which doesn't make any sense in 1.2 anymore. In 1.2, CVSS v3 should be mandatory (if the vendors still prefer CVSS v2, they can use 1.1 as before). So there must be the changes in "ScoreSet" anyway.

The clean solution in 1.2 is to remove ""ScoreSet", which is such a confusion name, and add "ScoreSetV2" and ""ScoreSetV3". It would be a minor change for the tool to SKIP "ScoreSet" and process "ScoreSetV2" and ""ScoreSetV3" when it recognizes 1.2 in use.

Thanks,

Feng Cao
Oracle Security Alerts