
Subject: RE: [csaf] CVSS v2/v3 use in CVRF 1.2

So here is a use case:

Let's say you have vulnerability data spanning multiple years. And this data has varying degrees of age and analysis and several thousand entries have CVSSv2 and CVSSv3 scores and tens of thousands of entries have CVSSv2 only.

You wish to provide all of your data in a single format so your end-users do not need to parse/process different formats. CVRF 1.1 does not work for everything because it cannot support CVSSv3.

How do you expect to deliver in a single format to your end-users if CVRF 1.2 requires CVSSv3 scores?

While I do understand the thinking around requiring CVSS v3 in CVRF 1.2, I see it as overly focusing on the single use case of describing new vulnerabilities from this time forward and not taking into account other use cases and usage models.

-----Original Message-----
From: csaf@lists.oasis-open.org [mailto:csaf@lists.oasis-open.org] On Behalf Of Vincent Danen
Sent: Wednesday, April 05, 2017 3:01 PM
To: Art Manion <amanion@cert.org>
Cc: Mr. Stefan Hagen <stefan@hagen.link>; csaf@lists.oasis-open.org
Subject: Re: [csaf] CVSS v2/v3 use in CVRF 1.2

On 04/04/2017, at 20:06 PM, Art Manion wrote:

> On 2017-04-04 15:31, Mr. Stefan Hagen wrote:
>> I move, that the chair of the TC shall request a ballot for a full 
>> majority vote from administration with the ballot question: "Every 
>> vuln:CVSSScoreSets element if present MUST contain zero or more
>> CVSSScoreSetV2 and one or more CVSSScoreSetV3 elements" offering the 
>> answers "yes", "no", and "abstain".
> Assuming discussion is allowed at this point...
> How can a vuln:CVSSScoreSets element have more than one CVSSScoreSet?
> This means a vulnerability can have two or more CVSS scores?  Can 
> anyone provide a use case/example?

My understanding is you can have both CVSSv2 and CVSSv3, which qualifies for multiple scores.

With respect to the comments about CVRF 1.1 vs 1.2, given CVSSv3 support is the only scoped change (correct?) it doesn't seem like it would be a problem to require a CVSSv3 score and, optionally, a CVSSv2 score.  If you want to use CVSSv2 as the default, keep using 1.1.  If you intend to use CVSSv3, use 1.2.  I can't see someone opting to default to v2 and optionally include v3 if they're already deciding to use v3 in some way (as I don't see any advantage in v2 over v3).

But that is just my opinion.  I'm content with minimum one score, either
v2 OR v3, meaning you can default to whichever you prefer.

Vincent Danen / Red Hat Product Security

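The two cardinality rules debated in this thread (the ballot wording "zero or more CVSSScoreSetV2 and one or more CVSSScoreSetV3", and the fallback "minimum one score, either v2 OR v3") can be checked mechanically against a feed like the mixed v2-only / v2+v3 data set described in the top message. The following is an added example, not code from the CSAF TC or from either poster. It keeps the element names from the ballot text; the namespace URI and the BaseScore/Vector child names are assumptions for illustration and are not taken from the CVRF 1.2 schema. The sample records are constructed, not real advisory data.

```python
"""Added example: check the vuln:CVSSScoreSets cardinality rules from this thread.

Element names CVSSScoreSets / CVSSScoreSetV2 / CVSSScoreSetV3 follow the ballot
wording quoted above.  The namespace URI and the BaseScore/Vector child names are
assumptions for illustration, not the CVRF 1.2 schema.
"""
import re
import xml.etree.ElementTree as ET

VULN_NS = "http://www.icasi.org/CVRF/schema/vuln/1.2"  # assumed for this example
ET.register_namespace("vuln", VULN_NS)

# CVSS v3 vectors carry their own version prefix; v2 base vectors start AV:/AC:/Au:
V3_VECTOR = re.compile(
    r"^CVSS:3\.[01]/AV:[NALP]/AC:[LH]/PR:[NLH]/UI:[NR]/S:[UC]/C:[NLH]/I:[NLH]/A:[NLH](/|$)"
)
V2_VECTOR = re.compile(r"^AV:[LAN]/AC:[HML]/Au:[MSN]/C:[NPC]/I:[NPC]/A:[NPC](/|$)")

# The two rules discussed in the thread, as predicates over (count_v2, count_v3)
POLICIES = {
    "v3_required": lambda n2, n3: n3 >= 1,     # ballot text: 0..n V2, 1..n V3
    "any_one": lambda n2, n3: n2 + n3 >= 1,    # fallback: at least one score of either
}


def _tag(name):
    return f"{{{VULN_NS}}}{name}"


def build_score_sets(v2=(), v3=()):
    """Build a vuln:CVSSScoreSets element from (base_score, vector) pairs per version."""
    root = ET.Element(_tag("CVSSScoreSets"))
    for elem_name, entries in (("CVSSScoreSetV2", v2), ("CVSSScoreSetV3", v3)):
        for score, vector in entries:
            s = ET.SubElement(root, _tag(elem_name))
            ET.SubElement(s, _tag("BaseScore")).text = f"{score:.1f}"
            ET.SubElement(s, _tag("Vector")).text = vector
    return root


def check_score_sets(root, policy):
    """Return a list of problems for one CVSSScoreSets element; [] means it passes `policy`."""
    problems = []
    v2 = root.findall(_tag("CVSSScoreSetV2"))
    v3 = root.findall(_tag("CVSSScoreSetV3"))
    if not POLICIES[policy](len(v2), len(v3)):
        problems.append(f"{policy}: {len(v2)} V2 and {len(v3)} V3 score sets do not satisfy the rule")
    # Each score set must carry a base score in range and a vector of the right version;
    # a v2 vector pasted into a V3 element would otherwise pass the cardinality rule unnoticed.
    for elem_name, sets, pattern in (("CVSSScoreSetV2", v2, V2_VECTOR), ("CVSSScoreSetV3", v3, V3_VECTOR)):
        for s in sets:
            score = s.findtext(_tag("BaseScore"))
            vector = s.findtext(_tag("Vector")) or ""
            try:
                if not 0.0 <= float(score) <= 10.0:
                    raise ValueError
            except (TypeError, ValueError):
                problems.append(f"{elem_name}: BaseScore {score!r} is not a decimal in 0.0..10.0")
            if not pattern.match(vector):
                problems.append(f"{elem_name}: vector {vector!r} is not a CVSS {elem_name[-2:]} base vector")
    return problems


def count_deliverable(records, policy):
    """Return (accepted, rejected) for {'v2': [...], 'v3': [...]} records under `policy`."""
    accepted = rejected = 0
    for rec in records:
        if check_score_sets(build_score_sets(rec.get("v2", ()), rec.get("v3", ())), policy):
            rejected += 1
        else:
            accepted += 1
    return accepted, rejected


def serialize(root):
    return ET.tostring(root, encoding="unicode")


# Constructed sample: a scaled-down version of the use case in the thread (some
# entries carry both versions, more carry CVSSv2 only).  Not real advisory data.
SAMPLE_RECORDS = [
    {"v2": [(7.5, "AV:N/AC:L/Au:N/C:P/I:P/A:P")],
     "v3": [(9.8, "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H")]},
    {"v2": [(5.0, "AV:N/AC:L/Au:N/C:P/I:N/A:N")],
     "v3": [(7.5, "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N")]},
    {"v2": [(4.3, "AV:N/AC:M/Au:N/C:N/I:P/A:N")]},
    {"v2": [(10.0, "AV:N/AC:L/Au:N/C:C/I:C/A:C")]},
    {"v2": [(2.1, "AV:L/AC:L/Au:N/C:P/I:N/A:N")]},
]

if __name__ == "__main__":
    for policy in POLICIES:
        print(policy, count_deliverable(SAMPLE_RECORDS, policy))
```

Under "v3_required" the three v2-only records cannot be emitted at all, which is the top poster's objection in concrete form; under "any_one" every record is deliverable in one document. The vector-prefix check is the practical safeguard either way: whichever rule wins, a consumer should not trust the element name alone to tell it which CVSS version a score was computed with.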