OASIS Mailing List Archives: csaf message


Subject: ScoreSetVx mixes CVSS vx score info with product Identifiers

[Only changed the subject in attempt to separate the concerns.]

Already in CVRF v1.1, our schema targets, inside CVSSScoreSets - ScoreSetVx elements, *not* the isolated CVSS vx score of whatever, but instead the specific applicable related ProductID references *and* the vx CVSS score data.

So in my understanding, the author(s) of such a document MAY choose to use zero ProductID elements, but I understand this only makes sense in "dedicated" single-product advisories / publications, where the context is clear; in all other cases the author(s) SHOULD add the Product ID relation(s).


On 13/04/17 23:20, Masato wrote:
> - zero or one CVSSv2 and zero or one CVSSv3
> - recommendation: either v2 or v3 (or both)
> because sometimes I would like to publish an advisory without scores.
> At first, I wish to advertise the threat to the Internet.
> Next, evaluate the details of the vulnerability with scores.
> BR
> Masato
> On 2017/04/13 11:47, Art Manion wrote:
>> On 2017-04-12 14:35, Vincent Danen wrote:
>>> This is something we probably want to look at for CSAF 2.0, not CVRF 
>>> 1.2.  I don't think it can be resolved easily.  You could have 12 
>>> different CVSSv2 scores right now but it's almost pointless if you can't 
>>> map that back to a particular product or scenario.
>> Agreed.  Thus, I'm proposing that CVRF 1.2 should allow zero or one CVSS
>> v2 score and zero or one CVSS v3 score.
>> A separate question remains:  If there is a CVSS score, must it be v3
>> (and have an optional single v2 score)?  My position is that the score
>> can be either v2 or v3 (or both).

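As an added illustration (not part of this thread, and not code from the CVRF schema distribution), here is a small Python check over a constructed CVRF 1.1 fragment that applies the rule above: a ScoreSet with zero ProductID elements is only accepted when the ProductTree defines a single product, and every ProductID reference must resolve to a product defined there. The namespace URIs are those of the CVRF 1.1 prod and vuln schemas as I understand them; the product names and scores in the sample are made up.

```python
import xml.etree.ElementTree as ET

# CVRF 1.1 namespaces for the product tree and vulnerability parts.
NS = {
    "prod": "http://www.icasi.org/CVRF/schema/prod/1.1",
    "vuln": "http://www.icasi.org/CVRF/schema/vuln/1.1",
}

# Constructed sample: two products, one Vulnerability with two ScoreSets.
# The second ScoreSet carries score data but no ProductID reference.
SAMPLE = """<cvrfdoc xmlns:prod="http://www.icasi.org/CVRF/schema/prod/1.1"
         xmlns:vuln="http://www.icasi.org/CVRF/schema/vuln/1.1">
  <prod:ProductTree>
    <prod:FullProductName ProductID="PROD-1">Example Server 1.0</prod:FullProductName>
    <prod:FullProductName ProductID="PROD-2">Example Server 2.0</prod:FullProductName>
  </prod:ProductTree>
  <vuln:Vulnerability Ordinal="1">
    <vuln:CVSSScoreSets>
      <vuln:ScoreSet>
        <vuln:BaseScore>7.5</vuln:BaseScore>
        <vuln:Vector>AV:N/AC:L/Au:N/C:P/I:P/A:P</vuln:Vector>
        <vuln:ProductID>PROD-1</vuln:ProductID>
      </vuln:ScoreSet>
      <vuln:ScoreSet>
        <vuln:BaseScore>4.3</vuln:BaseScore>
        <vuln:Vector>AV:N/AC:M/Au:N/C:P/I:N/A:N</vuln:Vector>
      </vuln:ScoreSet>
    </vuln:CVSSScoreSets>
  </vuln:Vulnerability>
</cvrfdoc>"""


def check_score_sets(xml_text):
    """Return (ordinal, scoreset_index, message) findings for ScoreSets
    whose product relation is missing or does not resolve."""
    root = ET.fromstring(xml_text)
    known = {e.get("ProductID") for e in root.iterfind(".//prod:FullProductName", NS)}
    findings = []
    for vul in root.iterfind(".//vuln:Vulnerability", NS):
        ordinal = vul.get("Ordinal")
        sets = vul.iterfind("vuln:CVSSScoreSets/vuln:ScoreSet", NS)
        for idx, ss in enumerate(sets):
            refs = [p.text.strip() for p in ss.iterfind("vuln:ProductID", NS)]
            if not refs and len(known) > 1:
                # Zero ProductIDs only reads unambiguously in a single-product document.
                findings.append((ordinal, idx, "no ProductID but several products defined"))
            for ref in refs:
                if ref not in known:
                    findings.append((ordinal, idx, f"ProductID {ref} not in ProductTree"))
    return findings
```

Run on the sample it flags only the second ScoreSet; drop the second FullProductName and the same fragment passes, matching the single-product exception above.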