Re: [csaf] CVSS v2/v3 use in CVRF 1.2

["Vincent Danen" <vdanen@redhat.com>]

On 04/04/2017, at 20:06 PM, Art Manion wrote:

> On 2017-04-04 15:31, Mr. Stefan Hagen wrote:
>
> > I move, that the chair of the TC shall request a ballot for a full
> > majority vote from administration with the ballot question: "Every
> > vuln:CVSSScoreSets element if present MUST contain zero or more
> > CVSSScoreSetV2 and one or more CVSSScoreSetV3 elements" offering the
> > answers "yes", "no", and "abstain".
>
> Assuming discussion is allowed at this point...
>
> How can a vuln:CVSSScoreSets element have more than one CVSSScoreSet?
> This means a vulnerability can have two or more CVSS scores?  Can 
> anyone
> provide a use case/example?

My understanding is you can have both CVSSv2 and CVSSv3, which qualifies 
for multiple scores.

With respect to the comments about CVRF 1.1 vs 1.2, given CVSSv3 support 
is the only scoped change (correct?) it doesn't seem like it would be a 
problem to require a CVSSv3 score and, optionally, a CVSSv2 score.  If 
you want to use CVSSv2 as the default, keep using 1.1.  If you intend to 
use CVSSv3, use 1.2.  I can't see someone opting to default to v2 and 
optionally include v3 if they're already deciding to use v3 in some way 
(as I don't see any advantage in v2 over v3).

But that is just my opinion.  I'm content with minimum one score, either 
v2 OR v3, meaning you can default to whichever you prefer.

--
Vincent Danen / Red Hat Product Security