Subject: [OASIS Issue Tracker] (CSAF-21) Zero or more CVSSv3 scores, overall CVSS logic
[ https://issues.oasis-open.org/browse/CSAF-21?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=65715#comment-65715 ]

Feng Cao commented on CSAF-21:
------------------------------

In practice, the vendors might score Base Score differently, like Privilege Required, Score change, ..., by considering their deployment and usage. So the current logic in 1.2 follows 1.1: inside an instance of scoresetv2 or scoresetv3, base score is required to be 1, Temporal score and environment score can be presented w.r.t. that particular base score.

> Zero or more CVSSv3 scores, overall CVSS logic
> ----------------------------------------------
>
> Key: CSAF-21
> URL: https://issues.oasis-open.org/browse/CSAF-21
> Project: OASIS Common Security Advisory Framework (CSAF) TC
> Issue Type: Bug
> Reporter: Art MANION
>
> From [~harold.booth]: I am afraid I missed the opportunity to mention concerns...I have one suggested change: line 456 in vuln.xsd should be: <xs:element name="ScoreSetV3" minOccurs="0" maxOccurs="unbounded"> to not require CVSSv3
> I believe the intent is:
> For each vulnerability in a CVRF document
> CVSSScoreSets are optional, there can be 0 or 1
> there can be 0 or more CVSSv2 scores
> there can be 0 or more CVSSv3 scores
> for either v2 or v3 there must be 1 and only 1 Base score
> other CVSS scores and the vectors are optional
> This means there can be one CVSS base score but more than one vector, or more than one Temporal score per vulnerability?

--
This message was sent by Atlassian JIRA (v6.2.2#6258)
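The cardinality rules listed in the issue, together with the per-instance base score from the comment, can be checked mechanically. The following is an added example, not part of the thread or of the CSAF TC's schema: a Python check over a constructed CVRF-like fragment. The child element names `BaseScoreV2`/`BaseScoreV3`/`TemporalScoreV3`, the `Doc` wrapper and the sample values are assumptions; the check matches local names, so it works with or without a namespace.

```python
import xml.etree.ElementTree as ET

def local(tag):
    """Strip any XML namespace so the check works with or without one."""
    return tag.rsplit("}", 1)[-1]

def check_vulnerability(vuln):
    """Return the cardinality violations for one Vulnerability element."""
    errors = []
    containers = [c for c in vuln if local(c.tag) == "CVSSScoreSets"]
    if len(containers) > 1:  # CVSSScoreSets: 0 or 1
        errors.append("more than one CVSSScoreSets")
    for container in containers:
        for score_set in container:  # ScoreSetV2 / ScoreSetV3: 0 or more
            name = local(score_set.tag)
            if name not in ("ScoreSetV2", "ScoreSetV3"):
                errors.append(f"unexpected element {name}")
                continue
            # Assumed child name: BaseScoreV2 inside ScoreSetV2, BaseScoreV3 inside ScoreSetV3.
            base = "BaseScore" + name[-2:]
            count = sum(1 for c in score_set if local(c.tag) == base)
            if count != 1:  # exactly one base score per score set instance
                errors.append(f"{name} has {count} {base}, expected exactly 1")
    return errors

def check_document(xml_text):
    """Map each Vulnerability's Ordinal attribute to its list of violations."""
    root = ET.fromstring(xml_text)
    return {v.get("Ordinal"): check_vulnerability(v)
            for v in root.iter() if local(v.tag) == "Vulnerability"}

# Constructed sample: 1 has no scores, 2 has several valid sets, 3 breaks the base-score rule.
SAMPLE = """<Doc>
  <Vulnerability Ordinal="1"/>
  <Vulnerability Ordinal="2"><CVSSScoreSets>
    <ScoreSetV2><BaseScoreV2>7.5</BaseScoreV2></ScoreSetV2>
    <ScoreSetV3><BaseScoreV3>9.8</BaseScoreV3><TemporalScoreV3>9.1</TemporalScoreV3></ScoreSetV3>
    <ScoreSetV3><BaseScoreV3>8.1</BaseScoreV3></ScoreSetV3>
  </CVSSScoreSets></Vulnerability>
  <Vulnerability Ordinal="3"><CVSSScoreSets>
    <ScoreSetV3><TemporalScoreV3>6.0</TemporalScoreV3></ScoreSetV3>
    <ScoreSetV3><BaseScoreV3>5.0</BaseScoreV3><BaseScoreV3>6.0</BaseScoreV3></ScoreSetV3>
  </CVSSScoreSets></Vulnerability>
</Doc>"""

if __name__ == "__main__":
    for ordinal, errs in check_document(SAMPLE).items():
        print(ordinal, errs or "ok")
```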