

Subject: CSAF JSON Schema - distinction between an array of instances and just one instance.


This is another example of a side effect of direct conversion from XML.

In one of the sample documents we have this:

   "vulnerability": {
      "ordinal": "1",
      "title": "Cisco IOS and IOS XE Software Smart Install Remote Code Execution Vulnerability",
...

And in the other we have this:

   "vulnerability": [
      {
         "ordinal": "1",
         "notes": {
            "note": {
...

The key point to note is the first form indicates an object model where just a single vulnerability appears in the document. The second form indicates that multiple vulnerabilities appear. More concisely, the difference between /vulnerability, and /vulnerability[].

Again, JSON schema oddly makes it easy to accommodate having this form.

However, allowing for this special case syntax makes the schema slightly more complicated, and almost certainly will complicate absolutely every single piece of code that ever needs to parse this JSON format.

My suggestion is that in all cases where multiple values are possible, we do not allow the "singleton" form, but only allow the array form.

The complete list of scenarios where the two sample documents conflict includes:

- /document_tracking/revision_tracking/revision vs. /document_tracking/revision_tracking/revision[]
- /product_tree/branch vs. /product_tree/branch[]
- /vulnerability vs. /vulnerability[]
- /vulnerability/notes/note vs. /vulnerability/notes/note[]

Any objections to changing the sample JSON documents to use the array form, and simplifying the schema to match?

Eric.
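
The parsing cost described in the message above, as an added example that is not part of the original post or of any CSAF tooling: a consumer that accepts both forms has to check and wrap every multi-valued location, including ones nested under a parent that may itself be an object or an array. The function names and the sample documents are constructed for illustration.

```python
import json

# Locations the message lists as appearing in both singleton and array form.
MULTI_VALUED = [
    ("document_tracking", "revision_tracking", "revision"),
    ("product_tree", "branch"),
    ("vulnerability",),
    ("vulnerability", "notes", "note"),
]

def _walk(node, keys):
    """Yield each object reached from node via keys, fanning out through arrays."""
    for n in node if isinstance(node, list) else [node]:
        if not isinstance(n, dict):
            continue
        if not keys:
            yield n
        elif keys[0] in n:
            yield from _walk(n[keys[0]], keys[1:])

def singleton_paths(doc):
    """Return the listed paths at which doc uses the singleton form."""
    found = []
    for path in MULTI_VALUED:
        parents = _walk(doc, path[:-1])
        if any(path[-1] in p and not isinstance(p[path[-1]], list) for p in parents):
            found.append("/" + "/".join(path))
    return found

def normalize(doc):
    """Return a copy of doc with every listed singleton wrapped in an array."""
    doc = json.loads(json.dumps(doc))  # deep copy; input is left untouched
    for path in MULTI_VALUED:
        for parent in _walk(doc, path[:-1]):
            if path[-1] in parent and not isinstance(parent[path[-1]], list):
                parent[path[-1]] = [parent[path[-1]]]
    return doc

# Constructed sample documents (not the CSAF samples from the message).
DOC_A = {"product_tree": {"branch": {"name": "constructed"}},
         "vulnerability": {"ordinal": "1",
                           "notes": {"note": [{"text": "a"}, {"text": "b"}]}}}
DOC_B = {"vulnerability": [{"ordinal": "1", "notes": {"note": {"text": "a"}}},
                           {"ordinal": "2", "notes": {"note": [{"text": "b"}]}}]}

if __name__ == "__main__":
    for name, doc in (("DOC_A", DOC_A), ("DOC_B", DOC_B)):
        print(name, "singleton at:", singleton_paths(doc))
        print(name, "after normalize:", singleton_paths(normalize(doc)))
```

With an array-only schema, `singleton_paths` becomes a rejection check and `normalize` is not needed at all.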
