Hi CSAF TC,
The information about product versions is critical for the users to identify if the products are affected. We had a brief discussion about the possibilities of semantic presentation in today's meeting.
The below is my proposal to design "version" in json for csaf. The goal is to cover the common use cases. More common cases can be added too if there is a consensus.
Thanks,
Feng Cao
Oracle Security Alerts
The list of the common use cases:
- individual versions
For example, CVE-2017-3240, RDBMS Security component of Oracle Database Server, the supported version that is affected is 12.1.0.2
âversionâ: {
âindividualsâ: [
âstrings of versionsâ, âstrings separated by commasâ
]
}
-prior to including all the releases
For example, CVE-2016-4694, Apache HTTP Server in Apple OS X before 10.12
âversionâ: {
âpriortoallâ: âstring of priortoall versionâ
}
-prior to including the specified release
For example, CVE-2016-6307, OpenSSL 1.1.0 before 1.1.0a
âversionâ: {
âpriortooneâ: [
{
âbranchâ: âstring of branchâ
âreleaseâ: âstring of releaseâ
}
]
}
-internals
For example, CVE-2016-8740, Apache HTTP Server 2.4.17 through 2.4.23
âversionâ: {
âintervalâ: [
{
âstartreleaseâ: âstring of releaseâ
âendreleaseâ: âstring of releaseâ
}
]
}
-earlier for all the releases
For example, MySQL Enterprise Monitor component of Oracle MySQL (subcomponent: Monitoring: Agent). Supported versions that are affected are 3.1.3.7856 and earlier
âversionâ: {
âearliertoallâ: âstring of releaseâ
}
-ealier for the specified release
For example, CVE-2016-6307, MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Encryption). Supported versions that are affected are 5.6.34 and earlier and 5.7.16 and earlier
âversionâ: {
âearliertooneâ: [
{
âbranchâ: âstring of branchâ
âreleaseâ: âstring of releaseâ
}
]
}
Json schema for version inside product:
"version":{
âtypeâ:âobjectâ,
âdescriptionâ: {
type: âstringâ
},
âpropertiesâ:{
âindividualsâ: {
âtypeâ: âarrayâ,
âitemsâ: { âtypeâ:âstringâ}
},
âpriortoallâ: {
âtypeâ:âstringâ
},
âpriortooneâ: {
âtypeâ: âarrayâ,
âitemsâ: {
âtypeâ:âobjectâ,
âpropertiesâ:{
âbranchâ: {âtypeâ:âstringâ},
âreleaseâ:{âtypeâ:âstringâ}
},
ârequiredâ:[âbranchâ, âreleaseâ]
}
},
âintervalâ: {
âtypeâ: âarrayâ,
Items: {
âtypeâ:âobjectâ,
âpropertiesâ:{
âstartreleaseâ: {âtypeâ:âstringâ},
âendreleaseâ: {âtypeâ:âstringâ}
},
ârequiredâ:[âstartreleaseâ, âendreleaseâ]
}
},
âearliertoallâ: {
âtypeâ:âstringâ
},
âearliertooneâ: {
âtypeâ: âarrayâ,
Items: {
âtypeâ:âobjectâ,
âpropertiesâ:{
âbranchâ: {âtypeâ:âstringâ},
âreleaseâ:{âtypeâ:âstringâ}
},
ârequiredâ:[âbranchâ, âreleaseâ]
}
}
}
}