Subject: RE: [csaf] Proposal for CVSS future embrace
Looking at D): If I interpret it correctly, I think it says that no product ID may be used in more than one score set. If my interpretation is correct (and I hope I am wrong), if multiple scoring systems are used this would prevent using the same product ID for different scoring systems.

Regards,
-Harold

-----Original Message-----
From: csaf@lists.oasis-open.org [mailto:csaf@lists.oasis-open.org] On Behalf Of Mr. Stefan Hagen
Sent: Wednesday, April 26, 2017 2:26 AM
To: csaf@lists.oasis-open.org
Subject: [csaf] Proposal for CVSS future embrace

Dear members,

to facilitate the business of our TC, I did many simple transformations on the contributed content from v1.1 and the XSD kindly provided by Feng Cao which seeded the v1.2 drafts until now. This night I did a first real modelling that would IMO better represent the transitive task of embedding and relating CVSS information of various versions.

I hereby suggest to replace in vuln.xsd the hard wired V2/V3 mimic with the following:

A) Type for the vector (cvssVector): Only one type (which constrains the length to the maximum needed for v2 and v3) and hopefully the future versions. String representing the components needed to compute the various scores for CVSS versions 2 and 3. Note, that v3 scores can be longer than v2 scores (up to 138 characters). It is assumed, that future versions of CVSS maintain the structure of the information break down and the required vector length.

B) Only a ScoreSet *but* with a required Version attribute (xs:positiveInteger). This will hold the CVSS version that the content conforms to. Versions 2 and 3 fit the structure. It is assumed, that future versions 4, 5, ... will also fit.

C) The container content of every [0, infty] ScoreSet to be a sequence:

    BaseScore (cvssv3:zeroToTenDecimalType) [1, 1]
    TemporalScore (cvssv3:zeroToTenDecimalType) [0, 1]
    EnvironmentalScore (cvssv3:zeroToTenDecimalType) [0, 1]
    Vector (vuln:cvssVector) [0, 1]
    vuln:ProductID [0, infty]

I suggest we use the cvssv3:zeroToTenDecimalType or, to be more concise, declare our own finite field for these 0.0, 0.1, ... 10.0 allowed values.

D) Change the path value of the selector in the uniqueness constraint UniqueScoreSetProductID into:

    .//vuln:CVSSScoreSets/vuln:ScoreSet/vuln:ProductID

All in all this embraces the future in a reasonable way, and should allow for easy migration of older documents. Please note, that currently the per CVSSv3 required fixed prefix for vectors is not always used "in the wild" (and understandably so, as our cvrf v1.1 length might forbid legitimate values in CVSS v3). So a Version attribute on a single ScoreSet element instance might be an enhancement for existing documents when being transformed (see the Oracle example, where the CVSS3.0 prefix would now be signalled via the Version attribute value "3").

Any feedback greatly appreciated, esp. practical problems not known to me in my tower of thought ;-)

Details:

A)

    <xs:simpleType name="cvssVector">
      <xs:annotation>
        <xs:documentation xml:lang="en">String representing the components needed to compute the various scores for CVSS versions 2 and 3. Note, that v3 scores can be longer than v2 scores (up to 138 characters). It is assumed, that future versions of CVSS maintain the structure of the information break down and the required vector length.</xs:documentation>
      </xs:annotation>
      <xs:restriction base="xs:token">
        <xs:maxLength value="140"/>
      </xs:restriction>
    </xs:simpleType>

B) and C)

    <xs:element name="ScoreSet" minOccurs="0" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation xml:lang="en">CVSS scores for a given product ID. If the ProductID element is omitted, the score applies to all vulnerable products.</xs:documentation>
      </xs:annotation>
      <xs:complexType>
        <xs:sequence>
          <xs:element name="BaseScore" type="cvssv3:zeroToTenDecimalType" minOccurs="1" maxOccurs="1">
            <xs:annotation>
              <xs:documentation xml:lang="en">The CVSS Base Score is the numeric value of the computed CVSS Base Score which should be a float from 0 to 10.0.</xs:documentation>
            </xs:annotation>
          </xs:element>
          <xs:element name="TemporalScore" type="cvssv3:zeroToTenDecimalType" minOccurs="0" maxOccurs="1">
            <xs:annotation>
              <xs:documentation xml:lang="en">The CVSS Temporal Score is the numeric value of the computed CVSS Temporal Score which should be a float from 0 to 10.0.</xs:documentation>
            </xs:annotation>
          </xs:element>
          <xs:element name="EnvironmentalScore" type="cvssv3:zeroToTenDecimalType" minOccurs="0" maxOccurs="1">
            <xs:annotation>
              <xs:documentation xml:lang="en">The CVSS Environmental Score is the numeric value of the computed CVSS Environmental Score which should be a float from 0 to 10.0.</xs:documentation>
            </xs:annotation>
          </xs:element>
          <xs:element name="Vector" type="vuln:cvssVector" minOccurs="0" maxOccurs="1">
            <xs:annotation>
              <xs:documentation xml:lang="en">The CVSS Vector string is the official notation that contains all of the values used to compute the Base, Temporal, and Environmental scores.</xs:documentation>
            </xs:annotation>
          </xs:element>
          <xs:element ref="vuln:ProductID" minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:attribute name="Version" type="xs:positiveInteger" use="required">
          <xs:annotation>
            <xs:documentation xml:lang="en">The CVSS version that the content conforms to. Versions 2 and 3 fit the structure. It is assumed, that future versions 4, 5, ... will also fit.</xs:documentation>
          </xs:annotation>
        </xs:attribute>
      </xs:complexType>
    </xs:element>

D)

    <xs:unique name="UniqueScoreSetProductID">
      <xs:annotation>
        <xs:documentation xml:lang="en">This is to ensure that each CVSS score set mentions a given ProductID only once.</xs:documentation>
      </xs:annotation>
      <xs:selector xpath=".//vuln:CVSSScoreSets/vuln:ScoreSet/vuln:ProductID"/>
      <xs:field xpath="."/>
    </xs:unique>

All the best,
Stefan.
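As an added check that is not part of Stefan's proposal or of any TC tooling, the following Python applies D)'s selector (with the field ".") to a constructed document that scores one product once under CVSS v2 and once under v3, which reproduces Harold's reading of the constraint, and also checks A), B) and C) on each ScoreSet. The vuln namespace URI, the product ID and the scores are assumptions made for the sample.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Assumed: CVRF 1.1 vuln namespace URI; the product ID and scores in SAMPLE are constructed.
VULN_NS = "http://www.icasi.org/CVRF/schema/vuln/1.1"
NS = {"vuln": VULN_NS}
SCORE_SETS = ".//vuln:CVSSScoreSets/vuln:ScoreSet"
SELECTOR = SCORE_SETS + "/vuln:ProductID"                # D) selector; the xs:field is "."
MAX_VECTOR_LEN = 140                                     # A) cvssVector maxLength
ALLOWED_SCORES = {f"{n / 10:.1f}" for n in range(101)}   # C) finite field 0.0, 0.1, ... 10.0
SAMPLE = f"""<vuln:Vulnerability xmlns:vuln="{VULN_NS}" Ordinal="1">
  <vuln:CVSSScoreSets>
    <vuln:ScoreSet Version="2">
      <vuln:BaseScore>7.5</vuln:BaseScore>
      <vuln:Vector>AV:N/AC:L/Au:N/C:P/I:P/A:P</vuln:Vector>
      <vuln:ProductID>CVRFPID-0001</vuln:ProductID>
    </vuln:ScoreSet>
    <vuln:ScoreSet Version="3">
      <vuln:BaseScore>9.8</vuln:BaseScore>
      <vuln:Vector>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</vuln:Vector>
      <vuln:ProductID>CVRFPID-0001</vuln:ProductID>
    </vuln:ScoreSet>
  </vuln:CVSSScoreSets>
</vuln:Vulnerability>"""

def duplicate_keys(xml_text, per_version=False):
    """D) keys on ProductID text alone; per_version=True (not in the proposal) also keys on Version."""
    root = ET.fromstring(xml_text)
    if per_version:
        keys = [(pid.text.strip(), ss.get("Version")) for ss in root.findall(SCORE_SETS, NS)
                for pid in ss.findall("vuln:ProductID", NS)]
    else:
        keys = [pid.text.strip() for pid in root.findall(SELECTOR, NS)]
    return sorted(k for k, n in Counter(keys).items() if n > 1)

def score_set_issues(xml_text):
    """A), B), C): positive-integer Version, scores from 0.0 .. 10.0 by 0.1, Vector <= 140 chars."""
    issues = []
    for i, ss in enumerate(ET.fromstring(xml_text).findall(SCORE_SETS, NS)):
        version = ss.get("Version", "")
        if not version.isdigit() or int(version) < 1:
            issues.append(f"ScoreSet {i}: Version must be a positive integer, got {version!r}")
        for name in ("BaseScore", "TemporalScore", "EnvironmentalScore"):
            el = ss.find(f"vuln:{name}", NS)
            if el is not None and (el.text or "").strip() not in ALLOWED_SCORES:
                issues.append(f"ScoreSet {i}: {name} {el.text!r} is not one of 0.0, 0.1, ... 10.0")
        vec = ss.find("vuln:Vector", NS)
        if vec is not None and len((vec.text or "").strip()) > MAX_VECTOR_LEN:
            issues.append(f"ScoreSet {i}: Vector exceeds {MAX_VECTOR_LEN} characters")
    return issues
```

With D) as proposed the sample is rejected because CVRFPID-0001 appears in two ScoreSets, while keying on (ProductID, Version) accepts it.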