On 1/25/2017 11:20 AM, Feng Cao wrote:
Hi folks,
This was brought up in today's meeting. Here are some facts so
that everyone can be on the same page when backward compatibility
is discussed.
For all the existing CVRF documents, namespace is 1.1 (i.e.
xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1").
So there should be any backward-compatibility issue for these
documents, assuming the tool loads 1.1 xsd as before.
I mean "there should NOT be any backward-compatibility issue for
..." :-)
For the new documents using CVRF 1.2, namespace is 1.2 (likely,
urn:oasis:names:tc:...). So the tool should load 1.2 xsd and add
more code to handle it accordingly. Note that "ScoreSet" (i.e.
CVSS v2) in 1.1 is mandatory, which doesn't make any sense in 1.2
anymore. In 1.2, CVSS v3 should be mandatory (if the vendors still
prefer CVSS v2, they can use 1.1 as before). So there must be the
changes in "ScoreSet" anyway.
The clean solution in 1.2 is to remove "ScoreSet", which is such
a confusing name, and add "ScoreSetV2" and "ScoreSetV3". It would
be a minor change for the tool to SKIP "ScoreSet" and process
"ScoreSetV2" and "ScoreSetV3" when it recognizes 1.2 in use.
Thanks,
Feng Cao
Oracle Security Alerts
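
The namespace-based dispatch described in the message above, as an added example that is not part of the original e-mail or of any existing CVRF tool: the parser picks the score elements to read from the root namespace and rejects namespaces it does not know. The 1.2 namespace is a placeholder because the message gives it only in elided form; the `BaseScore` child under `ScoreSetV2`/`ScoreSetV3` and both sample documents are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS_11 = "http://www.icasi.org/CVRF/schema/cvrf/1.1"  # namespace quoted in the message
NS_12 = "urn:example:placeholder:cvrf:1.2"           # placeholder: real 1.2 URN not given in full

# Score containers to read per schema version (1.2 names follow the proposal above).
SCORE_ELEMENTS = {
    NS_11: {"ScoreSet": "CVSSv2"},
    NS_12: {"ScoreSetV2": "CVSSv2", "ScoreSetV3": "CVSSv3"},
}

def split_tag(tag):
    """Split ElementTree's '{namespace}local' form into (namespace, local)."""
    if tag.startswith("{"):
        ns, _, local = tag[1:].partition("}")
        return ns, local
    return "", tag

def extract_scores(xml_text):
    """Return (root_namespace, [(cvss_version, base_score), ...])."""
    root = ET.fromstring(xml_text)
    ns, local = split_tag(root.tag)
    if local != "cvrfdoc" or ns not in SCORE_ELEMENTS:
        raise ValueError(f"unsupported CVRF namespace: {ns!r}")
    wanted = SCORE_ELEMENTS[ns]
    scores = []
    for elem in root.iter():
        name = split_tag(elem.tag)[1]
        if name in wanted:  # in a 1.2 document a plain "ScoreSet" is skipped here
            for child in elem:
                if split_tag(child.tag)[1] == "BaseScore":
                    scores.append((wanted[name], float(child.text)))
    return ns, scores

# Constructed sample documents (not real advisories).
DOC_11 = f"""<cvrf:cvrfdoc xmlns:cvrf="{NS_11}" xmlns:vuln="http://www.icasi.org/CVRF/schema/vuln/1.1">
  <vuln:Vulnerability><vuln:CVSSScoreSets>
    <vuln:ScoreSet><vuln:BaseScore>7.5</vuln:BaseScore></vuln:ScoreSet>
  </vuln:CVSSScoreSets></vuln:Vulnerability>
</cvrf:cvrfdoc>"""
DOC_12 = f"""<cvrf:cvrfdoc xmlns:cvrf="{NS_12}" xmlns:vuln="urn:example:placeholder:vuln:1.2">
  <vuln:Vulnerability><vuln:CVSSScoreSets>
    <vuln:ScoreSet><vuln:BaseScore>1.0</vuln:BaseScore></vuln:ScoreSet>
    <vuln:ScoreSetV2><vuln:BaseScore>5.0</vuln:BaseScore></vuln:ScoreSetV2>
    <vuln:ScoreSetV3><vuln:BaseScore>9.8</vuln:BaseScore></vuln:ScoreSetV3>
  </vuln:CVSSScoreSets></vuln:Vulnerability>
</cvrf:cvrfdoc>"""

if __name__ == "__main__":
    for doc in (DOC_11, DOC_12):
        print(extract_scores(doc))
```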