Re: [csaf] backward compatibility in 1.2 clarification

["Vincent Danen" <vdanen@redhat.com>]

On 01/25/2017, at 12:25 PM, Feng Cao wrote:

Yeah, I noted something similar in 
https://issues.oasis-open.org/browse/CSAF-14 and agree with you.  I knew 
that the CVSSScoreSets was optional, but when you used it, ScoreSet was 
mandatory this does require some level of backwards incompatibility.

> On 1/25/2017 11:20 AM, Feng Cao wrote:
> > Hi folks,
> >
> > This was brought up in today's meeting. Here are some facts so that
> > everyone can be on the same page when backward compatibility is 
> > discussed.
> >
> > For all the existing CVRF documents, namespace is 1.1 (i.e.
> > xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1";). So there
> > should be any backward-compatibility issue for these documents, 
> > assume
> > the tool loads 1.1 xsd as before.
>
> I mean "there should NOT be any backward-compatibility issue for ..." 
> :-)
>
> > For the new documents using CVRF 1.2, namespace is 1.2 (likely,
> > urn:oasis:names:tc:...). So the tool should load 1.2 xsd and add more
> > code to handle it accordingly. Note that "ScoreSet" (i.e. CVSS v2) in
> > 1.1 is mandatory, which doesn't make any sense in 1.2 anymore. In 
> > 1.2,
> > CVSS v3 should be mandatory (if the vendors still prefer CVSS v2, 
> > they
> > can use 1.1 as before). So there must be the changes in "ScoreSet" 
> > anyway.
> >
> > The clean solution in 1.2 is to remove ""ScoreSet", which is such a
> > confusion name, and add "ScoreSetV2" and ""ScoreSetV3". It would be a
> > minor change for the tool to SKIP "ScoreSet" and process "ScoreSetV2"
> > and ""ScoreSetV3" when it recognizes 1.2 in use.
> >
> > Thanks,
> >
> > Feng Cao
> > Oracle Security Alerts


--
Vincent Danen / Red Hat Product Security