Subject: Re: [csaf] CVSS v2/v3 use in CVRF 1.2


Dear Members, to enable a clearly documented decision on this crucial question of whether we enforce CVSSv3 scoring with CSAF CVRF v1.2,

I move that the chair of the TC shall request a ballot for a full majority vote from administration with the ballot question: "Every vuln:CVSSScoreSets element if present MUST contain zero or more CVSSScoreSetV2 and one or more CVSSScoreSetV3 elements" offering the answers "yes", "no", and "abstain".


Please find below details on past and current (not yet decided) cardinalities ...


On 04/04/17 21:01, Art Manion wrote:
> I'm going to try to summarize the discussion about the use of CVSS
> v2/v3, with the goal of creating a motion or voting position if needed.
> 
> <https://issues.oasis-open.org/browse/CSAF-21?focusedCommentId=65728&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-65728>
> 
> I read the above comment, but am still confused (it's me, not you
> Stefan), so I'm going to start with what I think should happen:
> 
> A CVRF document contains 1 or more vulnerabilities
> A vulnerability contains 0 or 1 CVSSv2 scores
> A vulnerability contains 0 or 1 CVSSv3 scores
> 
> CVSSv2 or v3 scores must follow CVSS rules and contain a complete set of
> Base vectors and score.  Temporal, environmental (or modified base) are
> optional.

Inside vuln.xsd v1.1 and in the contributed initial v1.2 draft from Feng
the following cardinalities apply:

ScoreSet [1, infty] (v1.1), ScoreSetV2 [0, infty] and ScoreSetV3 [?, infty] (both v1.2) MUST contain exactly one
BaseScore (v1.1), BaseScoreV2 and BaseScoreV3 respectively (both v1.2)

AND

ScoreSet (v1.1), ScoreSetV2 and ScoreSetV3 (both v1.2) contain [0, 1]
TemporalScore (v1.1), TemporalScoreV2 and TemporalScoreV3 respectively (both v1.2)

AND

ScoreSet (v1.1), ScoreSetV2 and ScoreSetV3 (both v1.2) contain [0, 1]
EnvironmentalScore (v1.1), EnvironmentalScoreV2 and EnvironmentalScoreV3 respectively (both v1.2)

AND

ScoreSet (v1.1), ScoreSetV2 and ScoreSetV3 (both v1.2) contain [0, 1]
Vector (v1.1), VectorV2 and VectorV3 respectively (both v1.2)
  
AND

ScoreSet (v1.1), ScoreSetV2 and ScoreSetV3 (both v1.2) contain [0, infty]
vuln:ProductID (in any version I guess)

So the Vectors are optional in every variant!


> I believe Feng's position is that if a vulnerability has a CVSS score,
> it must be CVSSv3 (or must have CVSSv3 and can optionally also include
> CVSSv2?).  If a CVRF producer wants to use CVSSv2, they should use CVRF 1.1.
> 

This is what I noted in the comment as my understanding, but I have received no other feedback, and I think this was made clear by Feng.


/Stefan
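The cardinalities discussed in the message above, turned into a consumer-side check. This is an added example written for this page; it is not code from the OASIS thread, the CSAF TC, or the CVRF schema itself. It assumes the vuln namespace URI of the final CVRF 1.2 specification (the draft under discussion may have used another URI), uses the draft element names ScoreSetV2/ScoreSetV3 from the message (the ballot wording calls them CVSSScoreSetV2/V3; rename if your schema differs), and uses a constructed sample document rather than a real advisory. With require_v3=True it applies the ballot wording (zero or more V2 sets, one or more V3 sets per CVSSScoreSets); with require_v3=False it applies the draft cardinality where both are [0, infty].

```python
# Added example: cardinality check for CVSS score sets in CVRF 1.2 vulnerabilities.
# Not part of the OASIS thread or the CSAF schema; element names follow the draft
# names in the message and the namespace URI is an assumption (see below).
import xml.etree.ElementTree as ET

# Assumption: vuln namespace of the final CVRF 1.2 spec. Adjust to your documents.
VULN_NS = "http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/vuln"
NS = {"vuln": VULN_NS}

# Per-ScoreSet child cardinalities [min, max] as listed in the message; the V2/V3
# suffix is appended at check time. ProductID is [0, infty] and needs no check.
SCORE_SET_CHILDREN = {
    "BaseScore": (1, 1),
    "TemporalScore": (0, 1),
    "EnvironmentalScore": (0, 1),
    "Vector": (0, 1),
}


def _count(parent, local_name):
    return len(parent.findall(f"vuln:{local_name}", NS))


def check_score_sets(xml_text, require_v3=True):
    """Return a list of violation strings; an empty list means compliant.

    require_v3=True  -> ballot wording: >= 1 ScoreSetV3 per CVSSScoreSets.
    require_v3=False -> draft cardinality: both ScoreSetV2/V3 are [0, infty].
    """
    root = ET.fromstring(xml_text)
    problems = []
    for idx, vul in enumerate(root.iter(f"{{{VULN_NS}}}Vulnerability"), start=1):
        label = f"Vulnerability {vul.get('Ordinal', str(idx))}"
        for sets in vul.findall("vuln:CVSSScoreSets", NS):
            if require_v3 and _count(sets, "ScoreSetV3") < 1:
                problems.append(f"{label}: CVSSScoreSets contains no ScoreSetV3")
            for ver in ("V2", "V3"):
                for ss in sets.findall(f"vuln:ScoreSet{ver}", NS):
                    # Schema cardinalities from the message.
                    for child, (lo, hi) in SCORE_SET_CHILDREN.items():
                        n = _count(ss, f"{child}{ver}")
                        if not lo <= n <= hi:
                            problems.append(
                                f"{label}: ScoreSet{ver} has {n} {child}{ver} "
                                f"elements, expected [{lo}, {hi}]")
                    # Beyond the schema: a base score must be a number in 0.0..10.0.
                    base = ss.find(f"vuln:BaseScore{ver}", NS)
                    if base is not None:
                        try:
                            score = float(base.text or "")
                        except ValueError:
                            problems.append(f"{label}: BaseScore{ver} is not numeric")
                        else:
                            if not 0.0 <= score <= 10.0:
                                problems.append(f"{label}: BaseScore{ver} {score} out of range")
                    # A CVSS v3 vector string, when present, starts with "CVSS:3." per the CVSS v3 spec.
                    vec = ss.find(f"vuln:Vector{ver}", NS)
                    if ver == "V3" and vec is not None and not (vec.text or "").startswith("CVSS:3."):
                        problems.append(f"{label}: VectorV3 does not start with 'CVSS:3.'")
    return problems


# Constructed sample fragments (not real advisories).
OK_DOC = f"""<vuln:Vulnerability xmlns:vuln="{VULN_NS}" Ordinal="1">
  <vuln:Title>Constructed: v3 score set plus optional v2</vuln:Title>
  <vuln:CVSSScoreSets>
    <vuln:ScoreSetV2>
      <vuln:BaseScoreV2>5.0</vuln:BaseScoreV2>
      <vuln:VectorV2>AV:N/AC:L/Au:N/C:P/I:N/A:N</vuln:VectorV2>
    </vuln:ScoreSetV2>
    <vuln:ScoreSetV3>
      <vuln:BaseScoreV3>7.5</vuln:BaseScoreV3>
      <vuln:TemporalScoreV3>6.7</vuln:TemporalScoreV3>
      <vuln:VectorV3>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N</vuln:VectorV3>
    </vuln:ScoreSetV3>
  </vuln:CVSSScoreSets>
</vuln:Vulnerability>"""

V2_ONLY_DOC = f"""<vuln:Vulnerability xmlns:vuln="{VULN_NS}" Ordinal="2">
  <vuln:Title>Constructed: v2 only, with a duplicated base score</vuln:Title>
  <vuln:CVSSScoreSets>
    <vuln:ScoreSetV2>
      <vuln:BaseScoreV2>5.0</vuln:BaseScoreV2>
      <vuln:BaseScoreV2>4.3</vuln:BaseScoreV2>
    </vuln:ScoreSetV2>
  </vuln:CVSSScoreSets>
</vuln:Vulnerability>"""

if __name__ == "__main__":
    for name, doc in (("OK_DOC", OK_DOC), ("V2_ONLY_DOC", V2_ONLY_DOC)):
        print(name, check_score_sets(doc) or "compliant")
```

The second sample fails twice under the ballot rule (no ScoreSetV3, and two BaseScoreV2 elements where exactly one is allowed) and once under the draft rule, which illustrates the point of the message: the two cardinality choices differ only in whether a v2-only score set is still accepted in a 1.2 document.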

