Subject: Re: [csaf] Groups - PDF - CSAF Common Vulnerability Reporting Framework (CVRF) Version 1.2 uploaded
Stefan,

I was reviewing the document this morning and for the most part it looks pretty good. I think we can come up with some functional examples from published documents possible for those missing them.

The one thing that jumped out at me that we need to fix is the updated schema for CVSS v3 Vector string.

Section 6.112.2.4 – The element contains a limit of 76 characters. This was sufficient to hold a terminated string with maximum length values for a CVSS v2 Vector. CVSS V3 vectors can be significantly longer. 118 characters for a complete Vector string with values for Base, Temporal, and Environmental. If someone chooses, as is allowed by the spec, to use ND (Not Defined) for all the values for the Temporal and Environmental sections then it can be up to 138 characters. De facto practice though is to assume ND for any value not supplied in the vector string.

We probably want to increase that limit to 140 characters which leaves 2 bytes for termination or padding if needed.

Someone please check my math.

Cheers,
-Troy

--
PGP Key ID: 0x7B31ED20

From: <csaf@lists.oasis-open.org> on behalf of Stefan Hagen <stefan@hagen.link>
Submitter's message