
Subject: Re: [csaf] Groups - PDF - CSAF Common Vulnerability Reporting Framework (CVRF) Version 1.2 uploaded


Stefan,

I was reviewing the document this morning and for the most part it looks pretty good. I think we can come up with some functional examples from published documents, possibly for those missing them.


The one thing that jumped out at me that we need to fix is the updated schema for the CVSS v3 Vector string. Section 6.112.2.4 – The element contains a limit of 76 characters. This was sufficient to hold a terminated string with maximum length values for a CVSS v2 Vector. CVSS v3 vectors can be significantly longer: 118 characters for a complete Vector string with values for Base, Temporal, and Environmental. If someone chooses, as is allowed by the spec, to use ND (Not Defined) for all the values for the Temporal and Environmental sections then it can be up to 138 characters. De facto practice though is to assume ND for any value not supplied in the vector string.


We probably want to increase that limit to 140 characters which leaves 2 bytes for termination or padding if needed. Someone please check my math.


Cheers,

-Troy

-- 

Troy Fridley, CISSP

Incident Manager, Cisco PSIRT

Phone: 614-336-4385

E-Mail: troy.fridley@cisco.com

PGP Key ID: 0x7B31ED20
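Troy asks for someone to check the arithmetic. The following Python is an added example, not from this thread, the CVRF document or the CSAF TC: it builds the longest vector string each CVSS version allows from the metric names and value abbreviations given in the CVSS v2 and CVSS v3.0 specifications, measures them against the current 76-character limit and the proposed 140, and includes a strict parser so a consumer can reject malformed vectors rather than relying on a length limit alone. Lengths count the characters of the string itself; the one extra character for a C-style terminator is added by `fits_field` when asked. The metric tables, the `CvssFormat` helper and the sample vectors are constructed here for illustration.

```python
"""Size a schema length limit for CVSS vector strings from the specifications
themselves.  Added example for this thread, not part of the CVRF document or
the CSAF TC's material.  Metric names and value abbreviations follow the CVSS
v2 and CVSS v3.0 specifications; lengths count characters of the string only."""

from dataclasses import dataclass
from typing import Dict, List, Tuple

MetricTable = List[Tuple[str, List[str]]]

# CVSS v2 metrics in vector order.  Base values are one letter; Temporal and
# Environmental values are up to three letters, with "ND" for Not Defined.
CVSS_V2_METRICS: MetricTable = [
    ("AV", ["L", "A", "N"]), ("AC", ["H", "M", "L"]), ("Au", ["M", "S", "N"]),
    ("C", ["N", "P", "C"]), ("I", ["N", "P", "C"]), ("A", ["N", "P", "C"]),
    ("E", ["U", "POC", "F", "H", "ND"]), ("RL", ["OF", "TF", "W", "U", "ND"]),
    ("RC", ["UC", "UR", "C", "ND"]),
    ("CDP", ["N", "L", "LM", "MH", "H", "ND"]), ("TD", ["N", "L", "M", "H", "ND"]),
    ("CR", ["L", "M", "H", "ND"]), ("IR", ["L", "M", "H", "ND"]), ("AR", ["L", "M", "H", "ND"]),
]

# CVSS v3.0 metrics in vector order.  Every value is a single letter and the
# Not Defined marker is "X", so an explicit X and a fully valued metric take
# exactly the same space.
CVSS_V3_METRICS: MetricTable = [
    ("AV", ["N", "A", "L", "P"]), ("AC", ["L", "H"]), ("PR", ["N", "L", "H"]),
    ("UI", ["N", "R"]), ("S", ["U", "C"]), ("C", ["H", "L", "N"]),
    ("I", ["H", "L", "N"]), ("A", ["H", "L", "N"]),
    ("E", ["X", "H", "F", "P", "U"]), ("RL", ["X", "U", "W", "T", "O"]),
    ("RC", ["X", "C", "R", "U"]),
    ("CR", ["X", "H", "M", "L"]), ("IR", ["X", "H", "M", "L"]), ("AR", ["X", "H", "M", "L"]),
    ("MAV", ["X", "N", "A", "L", "P"]), ("MAC", ["X", "L", "H"]), ("MPR", ["X", "N", "L", "H"]),
    ("MUI", ["X", "N", "R"]), ("MS", ["X", "U", "C"]), ("MC", ["X", "H", "L", "N"]),
    ("MI", ["X", "H", "L", "N"]), ("MA", ["X", "H", "L", "N"]),
]


@dataclass
class CvssFormat:
    """Constructed helper describing one vector-string format."""
    prefix: str            # "CVSS:3.0/" for v3.0, nothing for v2
    metrics: MetricTable   # all metrics in vector order, base metrics first
    base_count: int        # how many leading metrics are mandatory
    not_defined: str       # marker for an optional metric left undefined

    def longest_vector(self) -> str:
        """Every metric present, each at its longest allowed value."""
        parts = [f"{name}:{max(values, key=len)}" for name, values in self.metrics]
        return self.prefix + "/".join(parts)

    def not_defined_vector(self) -> str:
        """Base metrics at their longest values; every optional metric written
        out explicitly as Not Defined instead of being omitted."""
        parts = []
        for index, (name, values) in enumerate(self.metrics):
            value = max(values, key=len) if index < self.base_count else self.not_defined
            parts.append(f"{name}:{value}")
        return self.prefix + "/".join(parts)

    def parse(self, vector: str) -> Dict[str, str]:
        """Strict parse: required prefix, metrics in spec order with no repeats,
        allowed values only, all base metrics present.  Raises ValueError."""
        if not vector.startswith(self.prefix):
            raise ValueError(f"expected prefix {self.prefix!r}")
        allowed = dict(self.metrics)
        order = [name for name, _ in self.metrics]
        parsed: Dict[str, str] = {}
        last = -1
        for part in vector[len(self.prefix):].split("/"):
            name, sep, value = part.partition(":")
            if not sep or name not in allowed:
                raise ValueError(f"unknown metric in {part!r}")
            if value not in allowed[name]:
                raise ValueError(f"value {value!r} not allowed for {name}")
            position = order.index(name)
            if position <= last:
                raise ValueError(f"metric {name} repeated or out of order")
            last = position
            parsed[name] = value
        missing = [name for name in order[:self.base_count] if name not in parsed]
        if missing:
            raise ValueError(f"base metrics missing: {missing}")
        return parsed


CVSS_V2 = CvssFormat(prefix="", metrics=CVSS_V2_METRICS, base_count=6, not_defined="ND")
CVSS_V3 = CvssFormat(prefix="CVSS:3.0/", metrics=CVSS_V3_METRICS, base_count=8, not_defined="X")


def fits_field(vector: str, field_limit: int, terminated: bool = True) -> bool:
    """Does the vector fit a field of field_limit characters, optionally
    reserving one character for a C-style terminator?"""
    return len(vector) + (1 if terminated else 0) <= field_limit


def is_valid(fmt: CvssFormat, vector: str) -> bool:
    """Boolean wrapper around the strict parser for schema-style checks."""
    try:
        fmt.parse(vector)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for label, fmt in (("CVSS v2", CVSS_V2), ("CVSS v3.0", CVSS_V3)):
        longest = fmt.longest_vector()
        print(f"{label}: longest {len(longest)} chars, "
              f"all-Not-Defined {len(fmt.not_defined_vector())} chars")
        for limit in (76, 140):
            print(f"  fits a {limit}-char field with terminator: {fits_field(longest, limit)}")
```

Running the script shows the v2 worst case at 75 characters (76 with a terminator, which is where the current limit comes from), while a v3.0 vector carrying all Base, Temporal and Environmental metrics needs 117 characters whether the optional values are real or explicit X, because every v3.0 value is one letter. The CVSS v2 guide also writes vectors inside parentheses, which adds two characters if a producer keeps them; the parser above rejects that form, so a consumer that accepts it should strip the parentheses first.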


From: <csaf@lists.oasis-open.org> on behalf of Stefan Hagen <stefan@hagen.link>
Date: Sunday, March 12, 2017 at 6:22 PM
To: "csaf@lists.oasis-open.org" <csaf@lists.oasis-open.org>
Subject: [csaf] Groups - PDF - CSAF Common Vulnerability Reporting Framework (CVRF) Version 1.2 uploaded


Submitter's message
git revision sha1.fba0ab6...
Intermediate editor revision 2017-03-12 of the prose specification in sync with the revision updates in kavi as of 2017-03-12.
This revision is an intermediate step to the first Tuesday-evening weekly revision push that is planned.
It contains quite some changes from my editor queue of making the document more meaningful and self-contained.
Also includes specific changes in response to first feedback from Mark-David.
PDF variant.
A detailed resolution log will follow as a JIRA issue so we close the loop on the feedback and can track back any time.
The word source document uses change mode for now since the first revision, so everyone can also see the changes since the previous Friday revision.
Some pending work items have already been noted with yellow background in the prose, others are still only in my mind so we have a fast converging working draft.
Feedback greatly appreciated!

PS: In case someone likes to read the Friday edition (previous thing) first, she can always pick elder revisions from the kavi document details page.
-- Mr. Stefan Hagen

Document Name: PDF - CSAF Common Vulnerability Reporting Framework (CVRF) Version 1.2


Description
The CSAF Common Vulnerability Reporting Framework (CVRF) Version 1.2 is the
definitive reference for the CVRF language.


Submitter: Mr. Stefan Hagen
Group: OASIS Common Security Advisory Framework (CSAF) TC
Folder: Working Drafts
Date submitted: 2017-03-12 15:21:57
Revision: 1


Attachment: smime.p7s
Description: S/MIME cryptographic signature