csaf message


Subject: CVSS logic


Harold Booth noted this on the call yesterday via chat:

> From [~harold.booth]: I am afraid I missed the opportunity to mention
> concerns...I have one suggested change: line 456 in vuln.xsd should
> be: <xs:element name="ScoreSetV3" minOccurs="0"
> maxOccurs="unbounded"> to not require CVSSv3

This caused me to look through the rest of the CVSS XML.

For each vulnerability in a CVRF document
  CVSSScoreSets are optional, there can be 0 or 1
    there can be 0 or more CVSSv2 scores
    there can be 0 or more CVSSv3 scores
      for either v2 or v3 there must be 1 and only 1 Base score
      other CVSS scores and the vectors are optional

This means there can be one CVSS base score but more than one vector, or
more than one Temporal score per vulnerability?

Do we need to clarify/tighten the CVSS score logic, beyond Harold's change?

JIRA ticket:


 - Art
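
The cardinality rules listed in the message above can be checked mechanically. The following is an added example, not part of the original message or of the schema under discussion: it flags score sets that lack exactly one Base score and reports repeated vectors or Temporal scores, the case the message asks about. Child element names other than `CVSSScoreSets` and `ScoreSetV3`, and the `Ordinal` attribute, are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real advisory. Element names other than
# CVSSScoreSets and ScoreSetV3 are assumptions about the schema draft.
SAMPLE = """<cvrfdoc>
  <Vulnerability Ordinal="1">
    <CVSSScoreSets>
      <ScoreSetV3>
        <BaseScoreV3>7.5</BaseScoreV3>
        <VectorV3>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N</VectorV3>
        <VectorV3>CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N</VectorV3>
      </ScoreSetV3>
      <ScoreSetV2>
        <TemporalScoreV2>4.1</TemporalScoreV2>
      </ScoreSetV2>
    </CVSSScoreSets>
  </Vulnerability>
  <Vulnerability Ordinal="2"/>
</cvrfdoc>"""

def local(el):
    # Drop any "{namespace}" prefix so the check works with or without one.
    return el.tag.rsplit("}", 1)[-1]

def children(el, name):
    return [c for c in el if local(c) == name]

def audit(xml_text):
    """Return (ordinal, location, severity, element, count) tuples."""
    findings = []
    for vuln in ET.fromstring(xml_text).iter():
        if local(vuln) != "Vulnerability":
            continue
        vid = vuln.get("Ordinal", "?")
        containers = children(vuln, "CVSSScoreSets")
        if len(containers) > 1:  # the container itself is 0 or 1
            findings.append((vid, "Vulnerability", "error", "CVSSScoreSets", len(containers)))
        for cont in containers:
            for ver in ("V2", "V3"):
                for i, s in enumerate(children(cont, "ScoreSet" + ver), 1):
                    where = f"ScoreSet{ver}[{i}]"
                    n = len(children(s, "BaseScore" + ver))
                    if n != 1:  # 1 and only 1 Base score per score set
                        findings.append((vid, where, "error", "BaseScore" + ver, n))
                    for opt in ("Vector", "TemporalScore"):
                        n = len(children(s, opt + ver))
                        if n > 1:  # optional, but repeats are the open question
                            findings.append((vid, where, "question", opt + ver, n))
    return findings
```

On the constructed sample, `audit(SAMPLE)` reports the v2 score set with no Base score as an error and the v3 score set with two vectors as a question; a vulnerability with no `CVSSScoreSets` produces no finding.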
