Subject: Re: [csaf] CVSS v2/v3 use in CVRF 1.2
On 04/05/2017, at 17:37 PM, Art Manion wrote:
> On 4/5/17 3:00 PM, Vincent Danen wrote:
>>> How can a vuln:CVSSScoreSets element have more than one CVSSScoreSet? This means a vulnerability can have two or more CVSS scores? Can anyone provide a use case/example?
>> My understanding is you can have both CVSSv2 and CVSSv3, which qualifies for multiple scores.
> One v2 and one v3 score seems reasonable, what I'm wondering about is a vulnerability having two or more v2 scores (or v3 scores). Multiple same-version CVSS scores.
This shouldn't be an issue unless it's tied to temporal or environmental metrics, correct? Or, where CVSS becomes a bit weak, related to product usage of that piece of software. It would almost be as though you need to be able to associate a score to a product or component (for instance we might say CVE-X affects openstack in this way resulting in this score, but affects RHEL in this other way resulting in a different score).
This is something we probably want to look at for CSAF 2.0, not CVRF 1.2. I don't think it can be resolved easily. You could have 12 different CVSSv2 scores right now but it's almost pointless if you can't map that back to a particular product or scenario.
-- Vincent Danen / Red Hat Product Security
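The situation discussed above, several same-version score sets under one vuln:CVSSScoreSets, seen from the consumer side, as an added example that is not part of the thread or of any CSAF project code. It parses a constructed CVRF 1.2-style vulnerability (the product IDs and scores are made up), maps each score set to the product IDs it names, and flags the case the thread worries about: a CVSS version with two or more scores where at least one score names no product, so a reader cannot tell which product or scenario it describes. Assumptions: the OASIS CVRF 1.2 vuln namespace URI and an optional vuln:ProductID child inside ScoreSetV2/ScoreSetV3; check both against the schema you actually target before relying on them.

```python
"""Map CVRF 1.2 CVSS score sets back to products and flag ones that cannot be attributed."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Assumption: the OASIS CVRF 1.2 vulnerability namespace. Verify against the
# schema you target before relying on it.
VULN_NS = "http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/vuln"
NS = {"vuln": VULN_NS}

# Constructed sample (not from any real advisory): one v2 score and three v3
# scores for the same vulnerability. Product IDs are made up; the third v3
# score deliberately names no product.
SAMPLE_VULNERABILITY = f"""<vuln:Vulnerability Ordinal="1" xmlns:vuln="{VULN_NS}">
  <vuln:Title>Constructed example: one flaw, several same-version scores</vuln:Title>
  <vuln:CVSSScoreSets>
    <vuln:ScoreSetV2>
      <vuln:BaseScoreV2>7.5</vuln:BaseScoreV2>
      <vuln:VectorV2>AV:N/AC:L/Au:N/C:P/I:P/A:P</vuln:VectorV2>
    </vuln:ScoreSetV2>
    <vuln:ScoreSetV3>
      <vuln:BaseScoreV3>9.8</vuln:BaseScoreV3>
      <vuln:VectorV3>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</vuln:VectorV3>
      <vuln:ProductID>CVRFPID-0001</vuln:ProductID>
    </vuln:ScoreSetV3>
    <vuln:ScoreSetV3>
      <vuln:BaseScoreV3>7.8</vuln:BaseScoreV3>
      <vuln:VectorV3>CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H</vuln:VectorV3>
      <vuln:ProductID>CVRFPID-0002</vuln:ProductID>
      <vuln:ProductID>CVRFPID-0003</vuln:ProductID>
    </vuln:ScoreSetV3>
    <vuln:ScoreSetV3>
      <vuln:BaseScoreV3>5.3</vuln:BaseScoreV3>
      <vuln:VectorV3>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</vuln:VectorV3>
    </vuln:ScoreSetV3>
  </vuln:CVSSScoreSets>
</vuln:Vulnerability>
"""


def parse_score_sets(xml_text):
    """Return one dict per ScoreSetV2/ScoreSetV3: version, base score, vector, product IDs."""
    root = ET.fromstring(xml_text)
    sets = []
    for version in ("2", "3"):
        for node in root.findall(f"vuln:CVSSScoreSets/vuln:ScoreSetV{version}", NS):
            base = node.findtext(f"vuln:BaseScoreV{version}", namespaces=NS)
            vector = node.findtext(f"vuln:VectorV{version}", namespaces=NS)
            # Assumption: ProductID is an optional, repeatable child of the score set.
            products = [p.text.strip() for p in node.findall("vuln:ProductID", NS) if p.text]
            sets.append({
                "version": version,
                "base": float(base) if base is not None else None,
                "vector": vector,
                "products": products,
            })
    return sets


def score_by_product(score_sets):
    """Map each product ID to the (version, base score) pairs explicitly tied to it."""
    mapping = defaultdict(list)
    for s in score_sets:
        for pid in s["products"]:
            mapping[pid].append((s["version"], s["base"]))
    return dict(mapping)


def unattributed_same_version(score_sets):
    """CVSS versions that carry several scores of which at least one names no product.

    One score per version with no ProductID can be read as applying to every
    product in the advisory. Once a version carries two or more scores, an
    unattributed one no longer tells a consumer which product it describes.
    """
    by_version = defaultdict(list)
    for s in score_sets:
        by_version[s["version"]].append(s)
    return sorted(
        v for v, group in by_version.items()
        if len(group) > 1 and any(not s["products"] for s in group)
    )


if __name__ == "__main__":
    sets = parse_score_sets(SAMPLE_VULNERABILITY)
    for pid, scores in sorted(score_by_product(sets).items()):
        print(pid, scores)
    print("versions with unattributable scores:", unattributed_same_version(sets))
```

The v2 score is not flagged: it is the only v2 score, so reading it as advisory-wide is unambiguous. The v3 group is flagged because the 5.3 score sits beside two product-specific scores without saying what it applies to, which is exactly the mapping gap the reply above describes.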