[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: [OASIS Issue Tracker] (CSAF-21) zero or more CVSSv3 scores, overall CVSS logic
Art MANION created CSAF-21:
------------------------------
Summary: zero or more CVSSv3 scores, overall CVSS logic
Key: CSAF-21
URL: https://issues.oasis-open.org/browse/CSAF-21
Project: OASIS Common Security Advisory Framework (CSAF) TC
Issue Type: Bug
Reporter: Art MANION
From [~harold.booth]: I am afraid I missed the opportunity to mention concerns...I have one suggested change: line 456 in vuln.xsd should be: <xs:element name="ScoreSetV3" minOccurs="0" maxOccurs="unbounded"> to not require CVSSv3
I believe the intent is:
For each vulnerability in a CVRF document
CVSSScoreSets are optional, there can be 0 or 1
there can be 0 or more CVSSv2 scores
there can be 0 or more CVSSv3 scores
for either v2 or v3 there must be 1 and only 1 Base score
other CVSS scores and the vectors are optional
This means there can be one CVSS base score but more than one vector, or more than one Temporal score per vulnerability?
--
This message was sent by Atlassian JIRA
(v6.2.2#6258)
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]