OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

csaf message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [csaf] CSAF JSON Schema - what to do about product statuses?

I like the suggested approach.

A separate note about the “product statuses”: a while back it was suggested to also add the product status of “under investigation”. Since some vendors may put an early response/advisory to a zero day (or open source vulnerability) and put products under investigation in their advisories and then update when the investigation is over. Not suggesting to decide on this now, since the current activity is to first convert the current specification in JSON; but something to keep in mind. I will put that in a Jira issue so that we can discuss at a later time.


Omar Santos
PSIRT, Security Research and Operations
Cisco Systems, Inc.
Email: os@cisco.com
PGP Key: 0x3AF27EDC

On May 2, 2018, at 7:59 PM, Eric Johnson <eric@tibco.com> wrote:

In XML, a snippet of the document looks like this:

      <Status Type="Known Affected">

The status can be one of several fixed choices "Fixed", "Known Affected", 
A straightforward translation to JSON turns this into:
"product_statuses": [
    "status_type": "known affected",
    "product_ids": ["CVRFPID-103559", "CVRFPID-103763",


I think a slightly more elegant form for the world of JSON looks more like this:

"product_status" : {
  "fixed": [],
  "first_affected": [],
  "known_affected": [],
  "known_not_affected": [],
  "first_fixed": [],
  "recommended": [],
  "last_affected": []

The concrete example from above becomes:

"product_status": {
  "known_affected": ["CVRFPID-103559", "CVRFPID-103763", ...

Thoughts, comments?


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]