Re: [csaf] CSAF JSON Schema - what to do about product statuses?

["Omar Santos (osantos)" <osantos@cisco.com>]

I like the suggested approach.

A separate note about the “product statuses”: a while back it was suggested to also add the product status of “under investigation”. Since some vendors may put an early response/advisory to a zero day (or open source vulnerability) and put products under investigation in their advisories and then update when the investigation is over. Not suggesting to decide on this now, since the current activity is to first convert the current specification in JSON; but something to keep in mind. I will put that in a Jira issue so that we can discuss at a later time.

Regards,

Omar Santos

PSIRT, Security Research and Operations

Cisco Systems, Inc.

Email: os@cisco.com

Phone: +1 919 392 8635

PGP Key: 0x3AF27EDC

On May 2, 2018, at 7:59 PM, Eric Johnson <eric@tibco.com> wrote:

In XML, a snippet of the document looks like this:

    <ProductStatuses>

      <Status Type="Known Affected">

        <ProductID>CVRFPID-103559</ProductID>

        <ProductID>CVRFPID-103763</ProductID>

...

The status can be one of several fixed choices "Fixed", "Known Affected", 

A straightforward translation to JSON turns this into:

"product_statuses": [

  {

    "status_type": "known affected",

    "product_ids": ["CVRFPID-103559", "CVRFPID-103763",

...

I think a slightly more elegant form for the world of JSON looks more like this:

"product_status" : {

  "fixed": [],

  "first_affected": [],

  "known_affected": [],

  "known_not_affected": [],

  "first_fixed": [],

  "recommended": [],

  "last_affected": []

}

The concrete example from above becomes:

"product_status": {

  "known_affected": ["CVRFPID-103559", "CVRFPID-103763", ...

},

Thoughts, comments?

Eric.