
Subject: Re: [csaf] CVSS v2/v3 use in CVRF 1.2

On 13/04/17 04:47, Art Manion wrote:
> On 2017-04-12 14:35, Vincent Danen wrote:
>> This is something we probably want to look at for CSAF 2.0, not CVRF 
>> 1.2.  I don't think it can be resolved easily.  You could have 12 
>> different CVSSv2 scores right now but it's almost pointless if you can't 
>> map that back to a particular product or scenario.
> Agreed.  Thus, I'm proposing that CVRF 1.2 should allow zero or one CVSS
> v2 score and zero or one CVSS v3 score.
> A separate question remains:  If there is a CVSS score, must it be v3
> (and have an optional single v2 score)?  My position is that the score
> can be either v2 or v3 (or both).

Please note that at least this mail, https://lists.oasis-open.org/archives/csaf/201704/msg00004.html, shows that the product mappings are readily possible in these elements (and that, to me, is why these score sets are allowed more than once).

So I guess the " ... or more" is not the point, but the enforcement of v3 is.

I noted that there are very vehement proponents of both camps.

New to me from these emailed arguments was the mention of large corpuses of long-term revised "observational" CVRF documents that hold CVSS v2 scores and that one may want to transform into the new version of CVRF without re-evaluating the described facts into a CVSS v3 score.

All the best,
