Subject: [OASIS Issue Tracker] (CSAF-14) Add CVSSv3 support to CVRF
[ https://issues.oasis-open.org/browse/CSAF-14?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=67654#comment-67654 ]

Omar Santos commented on CSAF-14:
---------------------------------

“CSAF Common Vulnerability Reporting Framework (CVRF) Version 1.2” Committee Specification 01. 13 September 2017 (http://docs.oasis-open.org/csaf/csaf-cvrf/v1.2/cs01/csaf-cvrf-v1.2-cs01.html) now includes support for CVSSv3.

http://docs.oasis-open.org/csaf/csaf-cvrf/v1.2/cs01/csaf-cvrf-v1.2-cs01.html#_Toc493508836

2.2.12 Vulnerability CVSS Version 3 Type Model

The calculations of the numerical CVSS version 3 scores are out of scope for this document. Constraints on the possible values are mapped as follows:

« The BaseScoreV3, TemporalScoreV3, and EnvironmentalScoreV3 values MUST be single decimal values in the interval [0.0, 10.0] as enforced by the external CVSSv3 schema and thus must be elements of the following finite ordered set with 101 elements: {0.0, 0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.9, 1.0, ... 9.9, 10.0} » [CSAF-2.2.12-1]

The cvssVectorV3 value is a string which can be longer than the version 2 counterpart (up to 133 characters, where 2 characters have been added to the theoretical 131 characters of such a vector to account for newline characters on any platform). This string encapsulates all input for CVSS score calculation.

« The cvssVectorV3 value MUST abide to the following length constraint (): length < 133 characters » [CSAF-2.2.12-2]

The specific notation is expected to follow the guidelines set forth in the CVSS v3 documentation at [CVSS3] (cf. section “Vector String” pp.17,18 there). Note the 133-character limitation in CSAF CVRF to accommodate for the maximal length of 131 characters as derived from [CVSS3] plus accommodation for an added line end character notion for any platform.

Non-normative comment: The Common Vulnerability Scoring System version 3 (CVSSv3) aggregation for vulnerabilities provides uniform grading and improved tracking of vulnerabilities over time across different reporting sources. For more information about CVSS version 3 cf. [CVSS3]

> Add CVSSv3 support to CVRF
> --------------------------
>
> Key: CSAF-14
> URL: https://issues.oasis-open.org/browse/CSAF-14
> Project: OASIS Common Security Advisory Framework (CSAF) TC
> Issue Type: New Feature
> Reporter: Vincent Danen
> Assignee: Feng Cao
>
> To track the addition of CVSSv3 for the next (hopefully quick) revision of CVRF (i.e. CVRF 1.2). This should be very easy to do quickly with no compatibility issues.

--
This message was sent by Atlassian JIRA
(v6.2.2#6258)
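
The two constraints quoted in the comment above ([CSAF-2.2.12-1] and [CSAF-2.2.12-2]) can be checked on an advisory before it is ingested. The following is an added example, not part of the original message or of the CSAF specification; the `VectorV3` element name, the lexical reading of "single decimal", and the sample document are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

SCORE_FIELDS = ("BaseScoreV3", "TemporalScoreV3", "EnvironmentalScoreV3")
VECTOR_FIELD = "VectorV3"   # assumption: element carrying the cvssVectorV3 value
MAX_VECTOR_LEN = 133        # CSAF-2.2.12-2: length < 133 characters
# CSAF-2.2.12-1, read lexically (assumption): one integer digit and one
# fractional digit, or 10.0, i.e. the 101 values 0.0 .. 10.0.
SCORE_RE = re.compile(r"[0-9]\.[0-9]|10\.0")


def local_name(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tags."""
    return tag.rsplit("}", 1)[-1]


def check_score_sets(xml_text):
    """Return (element, value, problem) for each constraint violation."""
    problems = []
    # Advisories from untrusted sources should go through a hardened XML parser.
    for el in ET.fromstring(xml_text).iter():
        name, value = local_name(el.tag), el.text or ""
        if name in SCORE_FIELDS and not SCORE_RE.fullmatch(value.strip()):
            problems.append((name, value, "not a one-decimal value in [0.0, 10.0]"))
        # Raw length is counted: the limit already allows for line-end characters.
        elif name == VECTOR_FIELD and len(value) >= MAX_VECTOR_LEN:
            problems.append((name, value, "vector length must be < 133"))
    return problems


# Constructed sample: the first score set is valid, the second violates both rules.
SAMPLE = (
    '<Vulnerability xmlns="urn:example:constructed">'
    "<ScoreSetV3><BaseScoreV3>9.8</BaseScoreV3>"
    "<VectorV3>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</VectorV3></ScoreSetV3>"
    "<ScoreSetV3><BaseScoreV3>7.55</BaseScoreV3>"
    "<TemporalScoreV3>10.1</TemporalScoreV3>"
    "<VectorV3>CVSS:3.0/" + "X" * 130 + "</VectorV3></ScoreSetV3>"
    "</Vulnerability>"
)

if __name__ == "__main__":
    for name, value, problem in check_score_sets(SAMPLE):
        print(f"{name}: {problem} (got {value[:20]!r})")
```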