[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: [OASIS Issue Tracker] (CSAF-21) Zero or more CVSSv3 scores, overall CVSS logic
[ https://issues.oasis-open.org/browse/CSAF-21?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=65715#comment-65715 ]
Feng Cao commented on CSAF-21:
------------------------------
In practice, the vendors might score Base Score differently, like Privilege Required, Score change, ..., by considering their deployment and usage.
So the current logic in 1.2 follows 1.1: inside an instance of scoresetv2 or scoresetv3, base score is required to be 1, Temporal score and environment score can be presented w.r.t. that particular base score.
> Zero or more CVSSv3 scores, overall CVSS logic
> ----------------------------------------------
>
> Key: CSAF-21
> URL: https://issues.oasis-open.org/browse/CSAF-21
> Project: OASIS Common Security Advisory Framework (CSAF) TC
> Issue Type: Bug
> Reporter: Art MANION
>
> From [~harold.booth]: I am afraid I missed the opportunity to mention concerns...I have one suggested change: line 456 in vuln.xsd should be: <xs:element name="ScoreSetV3" minOccurs="0" maxOccurs="unbounded"> to not require CVSSv3
> I believe the intent is:
> For each vulnerability in a CVRF document
> CVSSScoreSets are optional, there can be 0 or 1
> there can be 0 or more CVSSv2 scores
> there can be 0 or more CVSSv3 scores
> for either v2 or v3 there must be 1 and only 1 Base score
> other CVSS scores and the vectors are optional
> This means there can be one CVSS base score but more than one vector, or more than one Temporal score per vulnerability?
--
This message was sent by Atlassian JIRA
(v6.2.2#6258)
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]