Subject: [OASIS Issue Tracker] (CSAF-21) Zero or more CVSSv3 scores, overall CVSS logic


    [ https://issues.oasis-open.org/browse/CSAF-21?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=65728#comment-65728 ] 

Stefan Hagen commented on CSAF-21:
----------------------------------

We did not even open this issue, but the discussion and decision are required IMO to continue. Question to decide (in the commenter's understanding):

Exactly 1 of the 2 following alternatives must be taken (we cannot pursue both!):

1. As suggested in this issue's proposal, and based on the optional character of the container:

    CVSSScoreSets MUST contain ScoreSetV2 [0, infty] and ScoreSetV3 [0, infty] and in that order.

2. As understood from Feng ("Any CVSSv2 only providers MUST either stick with CVRFv1.1 or be silent about CVSSScoreSets"):

    CVSSScoreSets MUST contain ScoreSetV2 [0, infty] and ScoreSetV3 [1, infty] and in that order.

The other part of the proposal here reads like unanimous consent to the commenter, in that

  Any CVSSScoreSetVx with x == 1 or x == 2 MUST have a BaseScoreVx and, if it has, this BaseScore MUST
have zero or one Env., Temp., Vector information contributing sibling elements that semantically MUST NOT contradict the BaseScoreVx given, and zero or more productID "Links".

It is further understood that, if for some reason multiple temporal or environmental or vector "mixes" are required, a producer can always provide "additional" Score set entries noting the additionally needed what nots (the only expectation for me would be that any additional info given inside one scoreset MUST NOT contradict the BaseScoreVx info).

Could we please discuss / agree on these details - and esp. vote on the mailing list for the TC decision on the exclusive alternative version cardinality proposals?

As this goes to the TC mailing list, please especially note that hereby I suggest to either
a) start a short statement of positions by supporters of every one of the alternatives on the mailing list,
or (even better if all debate already happened)
b) go for a majority vote on the mailing list.




> Zero or more CVSSv3 scores, overall CVSS logic
> ----------------------------------------------
>
>                 Key: CSAF-21
>                 URL: https://issues.oasis-open.org/browse/CSAF-21
>             Project: OASIS Common Security Advisory Framework (CSAF) TC
>          Issue Type: Bug
>            Reporter: Art MANION
>            Assignee: Omar Santos
>
> From [~harold.booth]: I am afraid I missed the opportunity to mention concerns...I have one suggested change: line 456 in vuln.xsd should be: <xs:element name="ScoreSetV3" minOccurs="0" maxOccurs="unbounded"> to not require CVSSv3
> I believe the intent is:
> For each vulnerability in a CVRF document
>   CVSSScoreSets are optional, there can be 0 or 1
>     there can be 0 or more CVSSv2 scores
>     there can be 0 or more CVSSv3 scores
>       for either v2 or v3 there must be 1 and only 1 Base score
>       other CVSS scores and the vectors are optional
> This means there can be one CVSS base score but more than one vector, or more than one Temporal score per vulnerability?



--
This message was sent by Atlassian JIRA
(v6.2.2#6258)
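The cardinality rules argued over in this thread, as an added example (not the TC's schema or any project code): a small Python check over constructed CVRF-style fragments. Element names follow the thread (ScoreSetV2/V3, BaseScoreVx, the Temporal/Environmental/Vector siblings, ProductID); dropping XML namespaces is a simplifying assumption, and the `v3_min` switch selects between alternative 1 (ScoreSetV3 [0, infty]) and alternative 2 (ScoreSetV3 [1, infty]).

```python
import xml.etree.ElementTree as ET

# Constructed sample with both score sets, namespaces omitted (assumption, not TC sample data).
SAMPLE_BOTH = """<Vulnerability>
  <CVSSScoreSets>
    <ScoreSetV2><BaseScoreV2>7.5</BaseScoreV2><TemporalScoreV2>6.2</TemporalScoreV2></ScoreSetV2>
    <ScoreSetV3><BaseScoreV3>9.8</BaseScoreV3><VectorV3>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</VectorV3></ScoreSetV3>
  </CVSSScoreSets>
</Vulnerability>"""

# Constructed: a CVSSv2-only producer, the case on which the two alternatives disagree.
SAMPLE_V2_ONLY = """<Vulnerability><CVSSScoreSets>
  <ScoreSetV2><BaseScoreV2>5.0</BaseScoreV2></ScoreSetV2>
</CVSSScoreSets></Vulnerability>"""

# Constructed: two base scores inside one score set, which neither alternative permits.
SAMPLE_TWO_BASE = """<Vulnerability><CVSSScoreSets>
  <ScoreSetV3><BaseScoreV3>9.8</BaseScoreV3><BaseScoreV3>7.5</BaseScoreV3></ScoreSetV3>
</CVSSScoreSets></Vulnerability>"""

OPTIONAL_SIBLINGS = ("TemporalScore", "EnvironmentalScore", "Vector")  # zero or one each; ProductID is 0..n

def check_score_sets(xml_text, v3_min=0):
    """Return a list of cardinality violations; an empty list means the fragment conforms.
    v3_min=0 encodes alternative 1 (ScoreSetV3 [0, infty]), v3_min=1 alternative 2 ([1, infty])."""
    vuln = ET.fromstring(xml_text)
    errors = []
    containers = vuln.findall("CVSSScoreSets")
    if len(containers) > 1:
        errors.append("CVSSScoreSets MUST occur at most once")
    if not containers:
        return errors  # the container itself is optional (0 or 1)
    sets = list(containers[0])
    tags = [s.tag for s in sets]
    # Ordering rule from the thread: every ScoreSetV2 precedes every ScoreSetV3 (stable sort keeps relative order).
    if tags != sorted(tags, key=lambda t: t != "ScoreSetV2"):
        errors.append("ScoreSetV2 entries MUST precede ScoreSetV3 entries")
    if tags.count("ScoreSetV3") < v3_min:
        errors.append(f"at least {v3_min} ScoreSetV3 required under this alternative")
    for s in sets:
        version = s.tag[-2:]  # "V2" or "V3"
        if len(s.findall(f"BaseScore{version}")) != 1:
            errors.append(f"{s.tag} MUST have exactly one BaseScore{version}")
        for name in OPTIONAL_SIBLINGS:
            if len(s.findall(f"{name}{version}")) > 1:
                errors.append(f"{s.tag} MUST have zero or one {name}{version}")
    return errors
```

The check covers cardinality and order only; whether a Vector or Temporal value semantically contradicts its BaseScore would need a CVSS calculator and is out of scope here.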

