Subject: Re: [csaf] CVSS v2/v3 use in CVRF 1.2


On 04/05/2017, at 17:37 PM, Art Manion wrote:

On 4/5/17 3:00 PM, Vincent Danen wrote:
How can a vuln:CVSSScoreSets element have more than one CVSSScoreSet? This means a vulnerability can have two or more CVSS scores? Can anyone provide a use case/example?

My understanding is you can have both CVSSv2 and CVSSv3, which qualifies for multiple scores.

One v2 and one v3 score seems reasonable, what I'm wondering about is a vulnerability having two or more v2 scores (or v3 scores). Multiple same-version CVSS scores.

This shouldn't be an issue unless it's tied to temporal or environmental metrics, correct? Or, where CVSS becomes a bit weak, related to product usage of that piece of software. It would almost be as though you need to be able to associate a score to a product or component (for instance we might say CVE-X affects openstack in this way resulting in this score, but affects RHEL in this other way resulting in a different score).

This is something we probably want to look at for CSAF 2.0, not CVRF 1.2. I don't think it can be resolved easily. You could have 12 different CVSSv2 scores right now but it's almost pointless if you can't map that back to a particular product or scenario.

--
Vincent Danen / Red Hat Product Security
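As an added illustration (not part of the thread, and not Red Hat or OASIS code), the Python below parses a constructed CVRF 1.2-style fragment in which one vulnerability carries several ScoreSetV3 entries, and makes the point under discussion concrete: a second same-version score set is only usable by a consumer when something ties it to a product or scenario. The element names (vuln:CVSSScoreSets, vuln:ScoreSetV2, vuln:ScoreSetV3, vuln:BaseScoreV3, vuln:VectorV3, vuln:ProductID), the namespace URIs, the product IDs, and all scores and vectors in the sample are assumptions of this example; the parser matches on local element names so it does not depend on the exact namespace URI a producer used.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from dataclasses import dataclass

# Constructed CVRF 1.2-style fragment for this example only. Namespace URIs,
# element layout, product IDs, scores and vectors are assumptions, not data
# from the thread or from any real advisory.
SAMPLE_CVRF = """
<cvrfdoc xmlns="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/cvrf"
         xmlns:vuln="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/vuln">
  <vuln:Vulnerability Ordinal="1">
    <vuln:CVE>CVE-X</vuln:CVE>
    <vuln:CVSSScoreSets>
      <vuln:ScoreSetV2>
        <vuln:BaseScoreV2>5.0</vuln:BaseScoreV2>
        <vuln:VectorV2>AV:N/AC:L/Au:N/C:P/I:N/A:N</vuln:VectorV2>
      </vuln:ScoreSetV2>
      <vuln:ScoreSetV3>
        <vuln:BaseScoreV3>7.5</vuln:BaseScoreV3>
        <vuln:VectorV3>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N</vuln:VectorV3>
        <vuln:ProductID>openstack-12</vuln:ProductID>
      </vuln:ScoreSetV3>
      <vuln:ScoreSetV3>
        <vuln:BaseScoreV3>5.3</vuln:BaseScoreV3>
        <vuln:VectorV3>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</vuln:VectorV3>
        <vuln:ProductID>rhel-7</vuln:ProductID>
      </vuln:ScoreSetV3>
      <vuln:ScoreSetV3>
        <vuln:BaseScoreV3>6.5</vuln:BaseScoreV3>
        <vuln:VectorV3>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N</vuln:VectorV3>
      </vuln:ScoreSetV3>
    </vuln:CVSSScoreSets>
  </vuln:Vulnerability>
</cvrfdoc>
"""


@dataclass(frozen=True)
class ScoreSet:
    cve: str
    version: str        # "v2" or "v3"
    base_score: float
    vector: str
    product_ids: tuple  # empty when the score set names no product


def _local(tag):
    """Strip the namespace part of an ElementTree tag ("{uri}Name" -> "Name")."""
    return tag.rsplit("}", 1)[-1]


def collect_score_sets(xml_text):
    """Return one ScoreSet per ScoreSetV2/ScoreSetV3 under every Vulnerability."""
    root = ET.fromstring(xml_text)
    results = []
    for vuln in root.iter():
        if _local(vuln.tag) != "Vulnerability":
            continue
        cve = next((e.text for e in vuln if _local(e.tag) == "CVE"), None)
        for sets in vuln:
            if _local(sets.tag) != "CVSSScoreSets":
                continue
            for score_set in sets:
                name = _local(score_set.tag)
                if name not in ("ScoreSetV2", "ScoreSetV3"):
                    continue
                version = "v3" if name.endswith("V3") else "v2"
                fields, pids = {}, []
                for child in score_set:
                    text = (child.text or "").strip()
                    if _local(child.tag) == "ProductID":
                        pids.append(text)
                    else:
                        fields[_local(child.tag)] = text
                base = fields.get("BaseScoreV3") or fields.get("BaseScoreV2")
                vector = fields.get("VectorV3") or fields.get("VectorV2")
                results.append(ScoreSet(cve, version, float(base), vector, tuple(pids)))
    return results


def scores_by_product(score_sets):
    """Map each ProductID to the (version, base_score) pairs scored for it."""
    by_product = defaultdict(list)
    for s in score_sets:
        for pid in s.product_ids:
            by_product[pid].append((s.version, s.base_score))
    return dict(by_product)


def unmappable_score_sets(score_sets):
    """Score sets a consumer cannot act on: the same CVE has more than one score
    set of this CVSS version, and this one names no ProductID, so nothing says
    which product or scenario it describes. One v2 plus one v3 is not flagged."""
    count = defaultdict(int)
    for s in score_sets:
        count[(s.cve, s.version)] += 1
    return [s for s in score_sets
            if count[(s.cve, s.version)] > 1 and not s.product_ids]


if __name__ == "__main__":
    sets = collect_score_sets(SAMPLE_CVRF)
    print(scores_by_product(sets))
    for s in unmappable_score_sets(sets):
        print("unmappable:", s.cve, s.version, s.base_score, s.vector)
```

Run on the sample, the two product-tagged v3 score sets map cleanly to their products, the lone v2 score set is accepted as the document-wide v2 score, and the third v3 score set is reported as unmappable because it is one of several v3 scores for the same CVE and names no product. When this is run over advisories fetched from the network, parse with a hardened parser (for example defusedxml) rather than the stdlib ElementTree used here for brevity, since CVRF is XML from a third party.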

