OASIS Mailing List Archives: csaf list

Subject: Re: [csaf] CVSS v2/v3 use in CVRF 1.2

On 04/04/2017, at 20:06 PM, Art Manion wrote:

> On 2017-04-04 15:31, Mr. Stefan Hagen wrote:
>
> > I move, that the chair of the TC shall request a ballot for a full
> > majority vote from administration with the ballot question: "Every
> > vuln:CVSSScoreSets element if present MUST contain zero or more
> > CVSSScoreSetV2 and one or more CVSSScoreSetV3 elements" offering the
> > answers "yes", "no", and "abstain".
>
> Assuming discussion is allowed at this point...
>
> How can a vuln:CVSSScoreSets element have more than one CVSSScoreSet?
> This means a vulnerability can have two or more CVSS scores? Can anyone
> provide a use case/example?

My understanding is you can have both CVSSv2 and CVSSv3, which qualifies for multiple scores.

With respect to the comments about CVRF 1.1 vs 1.2, given CVSSv3 support is the only scoped change (correct?) it doesn't seem like it would be a problem to require a CVSSv3 score and, optionally, a CVSSv2 score. If you want to use CVSSv2 as the default, keep using 1.1. If you intend to use CVSSv3, use 1.2. I can't see someone opting to default to v2 and optionally include v3 if they're already deciding to use v3 in some way (as I don't see any advantage in v2 over v3).

But that is just my opinion. I'm content with minimum one score, either v2 OR v3, meaning you can default to whichever you prefer.

Vincent Danen / Red Hat Product Security
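As an added illustration (not part of the thread and not CSAF TC or CVRF reference code): a constructed CVRF-style fragment in which one vuln:CVSSScoreSets element carries both a CVSSScoreSetV2 and a CVSSScoreSetV3, which is the "two or more CVSS scores" case asked about above, together with a small check that evaluates each vulnerability against the ballot wording (zero or more V2, one or more V3) and against the alternative stated in the reply (at least one score set, either v2 or v3). The namespace URI, the simplified child elements (BaseScore, Vector) and the sample vulnerabilities are assumptions made for this example; the element names follow the motion text as quoted.

```python
"""Evaluate vuln:CVSSScoreSets cardinality rules over a constructed CVRF-style
document. Added example; not code from the CSAF TC or from the CVRF schema."""
import xml.etree.ElementTree as ET

# Assumption: namespace URI for the vuln part of CVRF 1.2. Element names
# CVSSScoreSetV2 / CVSSScoreSetV3 are taken from the ballot wording.
VULN_NS = "http://www.icasi.org/CVRF/schema/vuln/1.2"
NS = {"vuln": VULN_NS}

# Constructed sample with five vulnerabilities (no real identifiers):
#   1: v2 and v3 score sets (the "multiple scores" case)
#   2: v3 only
#   3: v2 only
#   4: no CVSSScoreSets element at all ("if present" does not apply)
#   5: an empty CVSSScoreSets element
# Child elements are simplified for the example.
SAMPLE_XML = f"""<cvrfdoc xmlns:vuln="{VULN_NS}">
  <vuln:Vulnerability Ordinal="1">
    <vuln:Title>Example 1: both v2 and v3</vuln:Title>
    <vuln:CVSSScoreSets>
      <vuln:CVSSScoreSetV2>
        <vuln:BaseScore>7.5</vuln:BaseScore>
        <vuln:Vector>AV:N/AC:L/Au:N/C:P/I:P/A:P</vuln:Vector>
      </vuln:CVSSScoreSetV2>
      <vuln:CVSSScoreSetV3>
        <vuln:BaseScore>9.8</vuln:BaseScore>
        <vuln:Vector>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</vuln:Vector>
      </vuln:CVSSScoreSetV3>
    </vuln:CVSSScoreSets>
  </vuln:Vulnerability>
  <vuln:Vulnerability Ordinal="2">
    <vuln:Title>Example 2: v3 only</vuln:Title>
    <vuln:CVSSScoreSets>
      <vuln:CVSSScoreSetV3>
        <vuln:BaseScore>5.3</vuln:BaseScore>
        <vuln:Vector>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</vuln:Vector>
      </vuln:CVSSScoreSetV3>
    </vuln:CVSSScoreSets>
  </vuln:Vulnerability>
  <vuln:Vulnerability Ordinal="3">
    <vuln:Title>Example 3: v2 only</vuln:Title>
    <vuln:CVSSScoreSets>
      <vuln:CVSSScoreSetV2>
        <vuln:BaseScore>4.3</vuln:BaseScore>
        <vuln:Vector>AV:N/AC:M/Au:N/C:N/I:P/A:N</vuln:Vector>
      </vuln:CVSSScoreSetV2>
    </vuln:CVSSScoreSets>
  </vuln:Vulnerability>
  <vuln:Vulnerability Ordinal="4">
    <vuln:Title>Example 4: no CVSSScoreSets element</vuln:Title>
  </vuln:Vulnerability>
  <vuln:Vulnerability Ordinal="5">
    <vuln:Title>Example 5: empty CVSSScoreSets element</vuln:Title>
    <vuln:CVSSScoreSets/>
  </vuln:Vulnerability>
</cvrfdoc>"""


def score_counts(scoresets):
    """Return (number of V2 score sets, number of V3 score sets)."""
    v2 = len(scoresets.findall("vuln:CVSSScoreSetV2", NS))
    v3 = len(scoresets.findall("vuln:CVSSScoreSetV3", NS))
    return v2, v3


def motion_rule(v2, v3):
    """Ballot wording: zero or more V2 and one or more V3."""
    return v3 >= 1


def either_rule(v2, v3):
    """Alternative from the reply: at least one score set, v2 OR v3."""
    return (v2 + v3) >= 1


def check_document(xml_text, rule):
    """Map each vulnerability's Ordinal to True/False under the given rule.

    A vulnerability without a CVSSScoreSets element passes: the rule is
    phrased as applying only "if present".
    """
    root = ET.fromstring(xml_text)
    results = {}
    for vulnerability in root.findall("vuln:Vulnerability", NS):
        ordinal = vulnerability.get("Ordinal")
        scoresets = vulnerability.find("vuln:CVSSScoreSets", NS)
        if scoresets is None:
            results[ordinal] = True
            continue
        v2, v3 = score_counts(scoresets)
        results[ordinal] = rule(v2, v3)
    return results


if __name__ == "__main__":
    for name, rule in (("motion", motion_rule), ("either", either_rule)):
        print(name, check_document(SAMPLE_XML, rule))
```

Under the ballot wording only the v2-only vulnerability (3) and the empty element (5) fail; under the "either" reading only the empty element fails. The example is deliberately tolerant of an absent CVSSScoreSets element because both rules are phrased as constraints on the element when it is present; a profile that requires every vulnerability to carry a score would need an additional check.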
