
csaf message



Subject: [OASIS Issue Tracker] (CSAF-14) Add CVSSv3 support to CVRF


     [ https://issues.oasis-open.org/browse/CSAF-14?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Omar Santos updated CSAF-14:
----------------------------

    Resolution: 
“CSAF Common Vulnerability Reporting Framework (CVRF) Version 1.2” Committee Specification 01. 13 September 2017 (http://docs.oasis-open.org/csaf/csaf-cvrf/v1.2/cs01/csaf-cvrf-v1.2-cs01.html) now includes support for CVSSv3. 

http://docs.oasis-open.org/csaf/csaf-cvrf/v1.2/cs01/csaf-cvrf-v1.2-cs01.html#_Toc493508836 

2.2.12 Vulnerability CVSS Version 3 Type Model 
The calculations of the numerical CVSS version 3 scores are out of scope for this document. Constraints on the possible values are mapped as follows: 
« The BaseScoreV3, TemporalScoreV3, and EnvironmentalScoreV3 values MUST be single decimal values in the interval [0.0, 10.0] as enforced by the external CVSSv3 schema and thus must be elements of the following finite ordered set with 101 elements: 
{0.0, 0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.9, 1.0, ... 9.9, 10.0} 

» [CSAF-2.2.12-1] 
The cvssVectorV3 value is a string which can be longer than the version 2 counterpart (up to 133 characters, where 2 characters have been added to the theoretical 131 characters of such a vector to account for newline characters on any platform). This string encapsulates all input for CVSS score calculation. 
« The cvssVectorV3 value MUST abide to the following length constraint (): 
length < 133 characters 

» [CSAF-2.2.12-2] 
The specific notation is expected to follow the guidelines set forth in the CVSS v3 documentation at [CVSS3] (cf. section “Vector String” pp.17,18 there). 
Note the 133-character limitation in CSAF CVRF to accommodate for the maximal length of 131 characters as derived from [CVSS3] plus accommodation for an added line end character notion for any platform. 
Non-normative comment: 
The Common Vulnerability Scoring System version 3 (CVSSv3) aggregation for vulnerabilities provides uniform grading and improved tracking of vulnerabilities over time across different reporting sources. For more information about CVSS version 3 cf. [CVSS3]

> Add CVSSv3 support to CVRF
> --------------------------
>
>                 Key: CSAF-14
>                 URL: https://issues.oasis-open.org/browse/CSAF-14
>             Project: OASIS Common Security Advisory Framework (CSAF) TC
>          Issue Type: New Feature
>            Reporter: Vincent Danen
>            Assignee: Omar Santos
>
> To track the addition of CVSSv3 for the next (hopefully quick) revision of CVRF (i.e. CVRF 1.2).  This should be very easy to do quickly with no compatibility issues.



--
This message was sent by Atlassian JIRA
(v6.2.2#6258)
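
The two constraints quoted in the resolution above ([CSAF-2.2.12-1] and [CSAF-2.2.12-2]) can be checked mechanically before an advisory is published. The following is an added example, not part of the original message or of the CSAF TC's own tooling. Assumptions: the score set is passed as a plain dict keyed by the field names used in the message, absent fields are not checked, scores are compared numerically (so "7" counts as 7.0), and the vector check follows the constraint line as written (strictly less than 133 characters).

```python
import re
from decimal import Decimal

# Finite ordered set from [CSAF-2.2.12-1]: 0.0, 0.1, ..., 10.0 (101 elements).
ALLOWED_SCORES = frozenset(Decimal(i) / 10 for i in range(101))
SCORE_FIELDS = ("BaseScoreV3", "TemporalScoreV3", "EnvironmentalScoreV3")
# Assumption: plain decimal text only (no sign, exponent, NaN or Infinity).
PLAIN_DECIMAL = re.compile(r"[0-9]+(\.[0-9]+)?")
VECTOR_LIMIT = 133  # [CSAF-2.2.12-2]: length < 133 characters


def score_ok(text):
    """True if text denotes a member of the 101-element score set."""
    if not isinstance(text, str) or not PLAIN_DECIMAL.fullmatch(text):
        return False
    # Decimal avoids binary floating-point rounding when testing membership.
    return Decimal(text) in ALLOWED_SCORES


def validate_score_set(score_set):
    """Return the list of violated constraints for one score-set dict."""
    problems = []
    for field in SCORE_FIELDS:
        value = score_set.get(field)
        if value is not None and not score_ok(value):
            problems.append(f"[CSAF-2.2.12-1] {field}={value!r} is not in the score set")
    vector = score_set.get("cvssVectorV3")
    if vector is not None and not len(vector) < VECTOR_LIMIT:
        problems.append(f"[CSAF-2.2.12-2] cvssVectorV3 has {len(vector)} characters")
    return problems


# Constructed sample inputs (not taken from any real advisory).
GOOD = {
    "BaseScoreV3": "9.8",
    "TemporalScoreV3": "8.5",
    "cvssVectorV3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
}
BAD = {
    "BaseScoreV3": "9.85",               # two fractional digits
    "EnvironmentalScoreV3": "10.1",      # above the interval
    "cvssVectorV3": "CVSS:3.0/" + "X" * 124,  # 133 characters, not < 133
}

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, validate_score_set(sample) or "ok")
```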

