Subject: RE: [csaf] CVSS v2/v3 use in CVRF 1.2


Before voting can we have an opportunity to discuss? I am not sure everyone is aware of the consequences of the various options.

The proposal as written, if accepted, would require anyone who wishes to provide data for vulnerabilities without CVSS v3.0 scores to use the CVRF 1.1 format only, and they would not be able to use the CVRF 1.2 format if they wish to share CVSS v2.0 scores. For data providers which have data on both new and old vulnerabilities, it would require them (and their consumers) to use both CVRF 1.1 and 1.2. I see the restriction that one must always provide a CVSS v3.0 score when providing a score as an unnecessary restriction on the format, and it limits the use cases for which this format could be used.

Regards,

-Harold

-----Original Message-----
From: csaf@lists.oasis-open.org [mailto:csaf@lists.oasis-open.org] On Behalf Of Vincent Danen
Sent: Tuesday, April 04, 2017 4:10 PM
To: Mr. Stefan Hagen <stefan@hagen.link>
Cc: csaf@lists.oasis-open.org
Subject: Re: [csaf] CVSS v2/v3 use in CVRF 1.2

On 04/04/2017, at 13:31 PM, Mr. Stefan Hagen wrote:

> Dear Members, to enable a clearly documented decision on this crucial 
> question if we enforce CVSSv3 scoring with CSAF CVRF v1.2,
>
> I move, that the chair of the TC shall request a ballot for a full 
> majority vote from administration with the ballot question: "Every 
> vuln:CVSSScoreSets element if present MUST contain zero or more
> CVSSScoreSetV2 and one or more CVSSScoreSetV3 elements" offering the 
> answers "yes", "no", and "abstain".

How do we vote on this or are we waiting for the next meeting?  I think the above is reasonable and would vote for it.

> Please find below details on past and current (not yet decided) 
> cardinalities ...
>
>
> On 04/04/17 21:01, Art Manion wrote:
>> I'm going to try to summarize the discussion about the use of CVSS 
>> v2/v3, with the goal of creating a motion or voting position if 
>> needed.
>>
>> <https://issues.oasis-open.org/browse/CSAF-21?focusedCommentId=65728&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-65728>
>>
>> I read the above comment, but am still confused (it's me, not you 
>> Stefan), so I'm going to start with what I think should happen:
>>
>> A CVRF document contains 1 or more vulnerabilities
>> A vulnerability contains 0 or 1 CVSSv2 scores
>> A vulnerability contains 0 or 1 CVSSv3 scores
>>
>> CVSSv2 or v3 scores must follow CVSS rules and contain a complete set 
>> of Base vectors and score.  Temporal, environmental (or modified 
>> base) are optional.
>
> Inside vuln.xsd v1.1 and in the contributed initial v1.2 draft from 
> Feng the following cardinalities apply:
>
> ScoreSet [1, infty] (v1.1), ScoreSetV2 [0, infty] and ScoreSetV3 [?, 
> infty] (both v1.2) MUST contain exactly one BaseScore (v1.1), 
> BaseScoreV2 and BaseScoreV3 respectively (both v1.2)
>
> AND
>
> ScoreSet (v1.1), ScoreSetV2 and ScoreSetV3 (both v1.2) contain [0, 1] 
> TemporalScore (v1.1), TemporalScoreV2 and TemporalScoreV3 respectively 
> (both v1.2)
>
> AND
>
> ScoreSet (v1.1), ScoreSetV2 and ScoreSetV3 (both v1.2) contain [0, 1] 
> EnvironmentalScore (v1.1), EnvironmentalScoreV2 and
> EnvironmentalScoreV3 respectively (both v1.2)
>
> AND
>
> ScoreSet (v1.1), ScoreSetV2 and ScoreSetV3 (both v1.2) contain [0, 1] 
> Vector (v1.1), VectorV2 and VectorV3 respectively (both v1.2)
>
> AND
>
> ScoreSet (v1.1), ScoreSetV2 and ScoreSetV3 (both v1.2) contain [0, 
> infty] vuln:ProductID (in any version I guess)
>
> So the Vectors are optional in every variant!
>
>
>> I believe Feng's position is that if a vulnerability has a CVSS 
>> score, it must be CVSSv3 (or must have CVSSv3 and can optionally also 
>> include CVSSv2?).  If a CVRF producer wants to use CVSSv2, they 
>> should use CVRF 1.1.
>>
>
> This is what I noted in the comment as my understanding, but have 
> received no other feedback, and think this was made clear by Feng.
>
>
> /Stefan


--
Vincent Danen / Red Hat Product Security

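The following is an added checker, not code from the thread or from the CSAF TC, that applies the two cardinality rules under discussion (the ballot text, "zero or more V2 and one or more V3 score sets if CVSSScoreSets is present", versus the relaxed alternative Harold argues for, where a v2-only score set is still acceptable in 1.2) to constructed vuln:Vulnerability fragments. Element names follow Stefan's list (ScoreSetV2/ScoreSetV3 with BaseScoreV2/BaseScoreV3); the 1.2 vuln namespace URI and the sample fragments are assumptions.

```python
"""Added example (not from the thread): apply the two cardinality rules under
discussion to CVRF 1.2 vuln:CVSSScoreSets fragments. Element names follow
Stefan's list; the namespace URI and the sample fragments are assumptions."""
from typing import Optional, Tuple
import xml.etree.ElementTree as ET

VULN = "http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/vuln"  # assumed URI
NS = {"vuln": VULN}

# Constructed score sets; each carries exactly one BaseScore of its version.
V2_SET = ("<vuln:ScoreSetV2><vuln:BaseScoreV2>7.5</vuln:BaseScoreV2>"
          "<vuln:VectorV2>AV:N/AC:L/Au:N/C:P/I:P/A:P</vuln:VectorV2></vuln:ScoreSetV2>")
V3_SET = ("<vuln:ScoreSetV3><vuln:BaseScoreV3>9.8</vuln:BaseScoreV3>"
          "<vuln:VectorV3>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</vuln:VectorV3>"
          "</vuln:ScoreSetV3>")

def vulnerability(score_sets: Optional[str]) -> str:
    """Wrap score sets in a vuln:Vulnerability; None omits CVSSScoreSets entirely."""
    inner = "" if score_sets is None else f"<vuln:CVSSScoreSets>{score_sets}</vuln:CVSSScoreSets>"
    return f'<vuln:Vulnerability xmlns:vuln="{VULN}" Ordinal="1">{inner}</vuln:Vulnerability>'

def count_score_sets(vuln_xml: str) -> Optional[Tuple[int, int]]:
    """Return (n_v2, n_v3), or None when CVSSScoreSets is absent.
    Raises ValueError if a ScoreSet lacks exactly one BaseScore of its version,
    which is the [1, 1] cardinality Stefan lists for every variant."""
    sets = ET.fromstring(vuln_xml).find("vuln:CVSSScoreSets", NS)
    if sets is None:
        return None
    counts = []
    for version in ("V2", "V3"):
        found = sets.findall(f"vuln:ScoreSet{version}", NS)
        for el in found:
            if len(el.findall(f"vuln:BaseScore{version}", NS)) != 1:
                raise ValueError(f"ScoreSet{version} must contain exactly one BaseScore{version}")
        counts.append(len(found))
    return (counts[0], counts[1])

def ballot_rule_ok(vuln_xml: str) -> bool:
    """Ballot text: if present, zero or more V2 AND one or more V3 score sets."""
    counts = count_score_sets(vuln_xml)
    return counts is None or counts[1] >= 1

def relaxed_rule_ok(vuln_xml: str) -> bool:
    """Relaxed alternative: any mix of versions, at least one score set if present."""
    counts = count_score_sets(vuln_xml)
    return counts is None or sum(counts) >= 1
```

A v2-only fragment is the case Harold raises: it passes the relaxed rule but fails the ballot rule, so such data could only be published in CVRF 1.1.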
