OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

csaf message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [csaf] CVSS v2/v3 use in CVRF 1.2

On 05/04/17 04:06, Art Manion wrote:
> On 2017-04-04 15:31, Mr. Stefan Hagen wrote:
>> I move, that the chair of the TC shall request a ballot for a full
>> majority vote from administration with the ballot question: "Every
>> vuln:CVSSScoreSets element if present MUST contain zero or more
>> CVSSScoreSetV2 and one or more CVSSScoreSetV3 elements" offering the
>> answers "yes", "no", and "abstain".
> Assuming discussion is allowed at this point...
> How can a vuln:CVSSScoreSets element have more than one CVSSScoreSet?
> This means a vulnerability can have two or more CVSS scores?  Can anyone
> provide a use case/example?

Sure, very simple (but I also had to dig coming from far away ...):

There is this ProductID element in the set of a ScoreSetVx ... so if I envision a monthly security patch advisory with approx. 100k lines of XML targeting the many platforms and products aggregated by the changes accumulated in a month and not by a specific vulnerability or product, this comes in quite handy.

All the best,

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]