OASIS Mailing List Archives



csaf message


Subject: [OASIS Issue Tracker] (CSAF-14) Add CVSSv3 support to CVRF

    [ https://issues.oasis-open.org/browse/CSAF-14?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=67654#comment-67654 ] 

Omar Santos commented on CSAF-14:

“CSAF Common Vulnerability Reporting Framework (CVRF) Version 1.2” Committee Specification 01. 13 September 2017 (http://docs.oasis-open.org/csaf/csaf-cvrf/v1.2/cs01/csaf-cvrf-v1.2-cs01.html) now includes support for CVSSv3.


2.2.12 Vulnerability CVSS Version 3 Type Model
The calculations of the numerical CVSS version 3 scores are out of scope for this document. Constraints on the possible values are mapped as follows:
« The BaseScoreV3, TemporalScoreV3, and EnvironmentalScoreV3 values MUST be single decimal values in the interval [0.0, 10.0] as enforced by the external CVSSv3 schema and thus must be elements of the following finite ordered set with 101 elements:
{0.0, 0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.9, 1.0, ... 9.9, 10.0}

» [CSAF-2.2.12-1]
The cvssVectorV3 value is a string which can be longer than the version 2 counterpart (up to 133 characters, where 2 characters have been added to the theoretical 131 characters of such a vector to account for newline characters on any platform). This string encapsulates all input for CVSS score calculation.
« The cvssVectorV3 value MUST abide to the following length constraint ():
length < 133 characters

» [CSAF-2.2.12-2]
The specific notation is expected to follow the guidelines set forth in the CVSS v3 documentation at [CVSS3] (cf. section “Vector String” pp.17,18 there).
Note the 133-character limitation in CSAF CVRF to accommodate for the maximal length of 131 characters as derived from [CVSS3] plus accommodation for an added line end character notion for any platform.
Non-normative comment:
The Common Vulnerability Scoring System version 3 (CVSSv3) aggregation for vulnerabilities provides uniform grading and improved tracking of vulnerabilities over time across different reporting sources. For more information about CVSS version 3 cf. [CVSS3]

> Add CVSSv3 support to CVRF
> --------------------------
>                 Key: CSAF-14
>                 URL: https://issues.oasis-open.org/browse/CSAF-14
>             Project: OASIS Common Security Advisory Framework (CSAF) TC
>          Issue Type: New Feature
>            Reporter: Vincent Danen
>            Assignee: Feng Cao
> To track the addition of CVSSv3 for the next (hopefully quick) revision of CVRF (i.e. CVRF 1.2).  This should be very easy to do quickly with no compatibility issues.

This message was sent by Atlassian JIRA
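
A validator for the two constraints quoted in the comment above ([CSAF-2.2.12-1] and [CSAF-2.2.12-2]), added here as an example; it is not code from the CVRF specification or from the CSAF TC. The dict layout, the function names, the strict reading of `length < 133`, and the `CVSS:3.0` prefix and base-metric presence check are assumptions of this example.

```python
from decimal import Decimal, InvalidOperation

# The 101 permitted values 0.0, 0.1, ..., 10.0, held as exact Decimals so
# membership does not depend on binary floating-point rounding.
ALLOWED_SCORES = frozenset(Decimal(n) / 10 for n in range(101))
SCORE_FIELDS = ("BaseScoreV3", "TemporalScoreV3", "EnvironmentalScoreV3")
VECTOR_LIMIT = 133  # [CSAF-2.2.12-2], read here as the strict bound "length < 133"
# Assumption: base metrics that a CVSS v3.0 vector string always carries.
BASE_METRICS = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")


def check_score(text):
    """Return None for a permitted score, otherwise the reason it fails."""
    try:
        value = Decimal(text.strip())
    except InvalidOperation:
        return "not a decimal number"
    if not value.is_finite():
        return "not a finite number"
    if value not in ALLOWED_SCORES:
        return "outside the 101-element set 0.0..10.0 in steps of 0.1"
    return None


def check_vector(text):
    """Return None for an acceptable cvssVectorV3 value, else the reason."""
    if len(text) >= VECTOR_LIMIT:  # line-end characters count toward the length
        return f"length {len(text)} is not < {VECTOR_LIMIT}"
    prefix, _, rest = text.strip().partition("/")
    if prefix != "CVSS:3.0":
        return "missing CVSS:3.0 prefix"
    names = [part.partition(":")[0] for part in rest.split("/")]
    missing = [m for m in BASE_METRICS if m not in names]
    if missing:
        return "missing base metrics: " + ",".join(missing)
    return None


def validate_score_set(score_set):
    """Map each failing field of a score-set dict to the reason it fails."""
    checks = {field: check_score for field in SCORE_FIELDS}
    checks["cvssVectorV3"] = check_vector
    results = {f: check(score_set[f]) for f, check in checks.items() if f in score_set}
    return {f: reason for f, reason in results.items() if reason}


# Constructed sample input (not from a real advisory).
SAMPLE = {"BaseScoreV3": "9.8", "TemporalScoreV3": "9.85",
          "cvssVectorV3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}
```

Scores are compared by value, so `"7.50"` is accepted as 7.5 while `"7.55"` and `"10.1"` are rejected.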
