Subject: Re: [csaf] CVSS v2/v3 use in CVRF 1.2


On 06/04/17 01:37, Art Manion wrote:
> On 4/5/17 3:00 PM, Vincent Danen wrote:
>>> How can a vuln:CVSSScoreSets element have more than one CVSSScoreSet?
>>> This means a vulnerability can have two or more CVSS scores?  Can anyone
>>> provide a use case/example?
> 
>> My understanding is you can have both CVSSv2 and CVSSv3, which qualifies 
>> for multiple scores.
> 
> One v2 and one v3 score seems reasonable, what I'm wondering about is a
> vulnerability having two or more v2 scores (or v3 scores).  Multiple
> same-version CVSS scores.

So I think I already answered this consistently with our schema - but I may be wrong in my reasoning. (Maybe my feedback was not delivered everywhere? It arrived in the list archive at https://lists.oasis-open.org/archives/csaf/201704/msg00011.html ...)


Our "documents" - no matter what they specifically advise (e.g. "hot off the press vulnerable product alert", "monthly mass patch advisory as updated fixed product versions are available so the customer can orderly ensure balanced heartbeat like driven security enhancements", ...) - are expected/able to publish information on relations: Product-Vulnerability. This is why (as I understand) our model mixes the product dimension into the container elements that store CVSS v(2|3) Scores.

The original answer attempt, archived at https://lists.oasis-open.org/archives/csaf/201704/msg00011.html :

On 05/04/17 04:06, Art Manion wrote:
> On 2017-04-04 15:31, Mr. Stefan Hagen wrote:
>
>> I move, that the chair of the TC shall request a ballot for a full
>> majority vote from administration with the ballot question: "Every
>> vuln:CVSSScoreSets element if present MUST contain zero or more
>> CVSSScoreSetV2 and one or more CVSSScoreSetV3 elements" offering the
>> answers "yes", "no", and "abstain".
>
> Assuming discussion is allowed at this point...
>
> How can a vuln:CVSSScoreSets element have more than one CVSSScoreSet?
> This means a vulnerability can have two or more CVSS scores?  Can anyone
> provide a use case/example?

Sure, very simple (but I also had to dig coming from far away ...):


There is this ProductID element in the set of a ScoreSetVx ... so if I envision a monthly security patch advisory with approx. 100k lines of XML targeting the many platforms and products aggregated by the changes accumulated in a month and not by a specific vulnerability or product, this comes in quite handy.

All the best,
Stefan.
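As an added example, not part of this thread or of the CVRF 1.2 specification, the following Python parses a constructed vuln:CVSSScoreSets fragment of the shape discussed above, groups the scores per ProductID, and flags the case Art asks about (more than one score of the same CVSS version for one product). The element names CVSSScoreSetV2/V3 and ProductID follow the thread's wording; the namespace URI and the BaseScore/Vector child element names are assumptions.

```python
# Added example (not from the CSAF TC or the CVRF 1.2 spec): group the CVSS
# scores of a constructed vuln:CVSSScoreSets block per ProductID. Element
# names follow the thread; namespace URI and child names are assumptions.
import xml.etree.ElementTree as ET

VULN_NS = "http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/vuln"  # assumed
NS = {"vuln": VULN_NS}

SAMPLE = f"""<vuln:Vulnerability xmlns:vuln="{VULN_NS}" Ordinal="1">
  <vuln:CVSSScoreSets>
    <vuln:CVSSScoreSetV2>
      <vuln:BaseScore>7.5</vuln:BaseScore>
      <vuln:Vector>AV:N/AC:L/Au:N/C:P/I:P/A:P</vuln:Vector>
      <vuln:ProductID>CVRFPID-0001</vuln:ProductID>
    </vuln:CVSSScoreSetV2>
    <vuln:CVSSScoreSetV3>
      <vuln:BaseScore>9.8</vuln:BaseScore>
      <vuln:Vector>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</vuln:Vector>
      <vuln:ProductID>CVRFPID-0001</vuln:ProductID>
    </vuln:CVSSScoreSetV3>
    <vuln:CVSSScoreSetV3>
      <vuln:BaseScore>5.3</vuln:BaseScore>
      <vuln:Vector>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</vuln:Vector>
      <vuln:ProductID>CVRFPID-0002</vuln:ProductID>
    </vuln:CVSSScoreSetV3>
  </vuln:CVSSScoreSets>
</vuln:Vulnerability>"""

def scores_by_product(xml_text):
    """Return {product_id: {"v2": [base scores], "v3": [base scores]}}."""
    root = ET.fromstring(xml_text)
    result = {}
    for version, tag in (("v2", "CVSSScoreSetV2"), ("v3", "CVSSScoreSetV3")):
        for score_set in root.iterfind(f"vuln:CVSSScoreSets/vuln:{tag}", NS):
            base = float(score_set.findtext("vuln:BaseScore", namespaces=NS))
            for pid in score_set.iterfind("vuln:ProductID", NS):
                result.setdefault(pid.text, {"v2": [], "v3": []})[version].append(base)
    return result

def check_score_sets(xml_text):
    """Apply the motion's rule (at least one V3 set) and flag ambiguity."""
    root = ET.fromstring(xml_text)
    findings = []
    if not root.findall("vuln:CVSSScoreSets/vuln:CVSSScoreSetV3", NS):
        findings.append("no CVSSScoreSetV3 element")
    for pid, scores in scores_by_product(xml_text).items():
        for version, values in scores.items():
            if len(values) > 1:  # same product, same CVSS version, twice
                findings.append(f"{pid}: {len(values)} {version} scores")
    return findings
```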

