
Subject: Re: [csaf] design "version" in json


Thank you Feng!

Just a quick question (for the purpose of clarification and further discussion from the TC here).

Currently, CSAF/CVRF 1.2 has the following "Vulnerability Product Affected Status Type Model"
http://docs.oasis-open.org/csaf/csaf-cvrf/v1.2/cs01/csaf-cvrf-v1.2-cs01.html#_Toc493508846 
  • First Affected
  • Known Affected
  • Known Not Affected
  • First Fixed
  • Fixed
  • Recommended
  • Last Affected

Will your suggestion replace or modify those values? The reason that I ask is because "first affected", "first fixed", and "last affected" could overlap with your suggestion below.


Regards,


Omar Santos
Cisco PSIRT
Email: os@cisco.com
PGP Key: 8E19A9D13AF27EDC




On Nov 28, 2018, at 7:54 PM, Feng Cao <feng.cao@oracle.com> wrote:

Hi CSAF TC,

The information about product versions is critical for the users to identify if the products are affected. We had a brief discussion about the possibilities of semantic presentation in today's meeting.

Below is my proposal to design "version" in json for csaf. The goal is to cover the common use cases. More common cases can be added too if there is a consensus.

Thanks,

Feng Cao

Oracle Security Alerts


The list of the common use cases:

 - individual versions

For example, CVE-2017-3240, RDBMS Security component of Oracle Database Server, the supported version that is affected is 12.1.0.2
  "version": {
    "individuals": [
      "strings of versions", "strings separated by commas"
    ]
  }

-prior to including all the releases

               For example, CVE-2016-4694, Apache HTTP Server in Apple OS X before 10.12

  "version": {
    "priortoall": "string of priortoall version"
  }

-prior to including the specified release

For example, CVE-2016-6307, OpenSSL 1.1.0 before 1.1.0a
  "version": {
    "priortoone": [
      {
        "branch": "string of branch",
        "release": "string of release"
      }
    ]
  }

-intervals

             For example, CVE-2016-8740, Apache HTTP Server 2.4.17 through 2.4.23

  "version": {
    "interval": [
      {
        "startrelease": "string of release",
        "endrelease": "string of release"
      }
    ]
  }

-earlier for all the releases

For example, MySQL Enterprise Monitor component of Oracle MySQL (subcomponent: Monitoring: Agent). Supported versions that are affected are 3.1.3.7856 and earlier
  "version": {
    "earliertoall": "string of release"
  }
              

-earlier for the specified release

For example, CVE-2016-6307, MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Encryption). Supported versions that are affected are 5.6.34 and earlier and 5.7.16 and earlier

 

  "version": {
    "earliertoone": [
      {
        "branch": "string of branch",
        "release": "string of release"
      }
    ]
  }

JSON schema for version inside product:

  "version": {
    "type": "object",
    "properties": {
      "description": {
        "type": "string"
      },
      "individuals": {
        "type": "array",
        "items": { "type": "string" }
      },
      "priortoall": {
        "type": "string"
      },
      "priortoone": {
        "type": "array",
        "items": {
          "type": "object",
          "properties": {
            "branch": { "type": "string" },
            "release": { "type": "string" }
          },
          "required": ["branch", "release"]
        }
      },
      "interval": {
        "type": "array",
        "items": {
          "type": "object",
          "properties": {
            "startrelease": { "type": "string" },
            "endrelease": { "type": "string" }
          },
          "required": ["startrelease", "endrelease"]
        }
      },
      "earliertoall": {
        "type": "string"
      },
      "earliertoone": {
        "type": "array",
        "items": {
          "type": "object",
          "properties": {
            "branch": { "type": "string" },
            "release": { "type": "string" }
          },
          "required": ["branch", "release"]
        }
      }
    }
  }
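As an added example, not part of Feng's proposal or of any CSAF TC artifact, the following Python evaluates a "version" object of the proposed shape against a concrete product version and says whether that version is affected. The six specs are constructed from the CVE examples in the proposal; the segment-wise version comparison, the inclusive reading of "interval" ("2.4.17 through 2.4.23"), the branch-as-prefix rule for "priortoone"/"earliertoone", and the handling of OpenSSL-style letter suffixes are my assumptions, not anything the proposal specifies. The `validate_spec` helper only mirrors the "required" lists of the proposed schema with the standard library, so no jsonschema dependency is needed.

```python
import re

_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def version_key(version: str) -> tuple:
    """Turn a dotted version such as '2.4.17' or '1.1.0a' into a comparable tuple.

    Numeric segments compare as integers, so 2.4.9 < 2.4.17 (plain string
    comparison gets that wrong and would mis-scope an advisory). Alphabetic
    segments sort after the bare release, which matches OpenSSL letter patches:
    1.1.0 < 1.1.0a < 1.1.0b. Assumption: no pre-release tags such as 'beta';
    those would sort after the final release here and need vendor-specific rules.
    """
    return tuple((0, int(t)) if t.isdigit() else (1, t.lower())
                 for t in _TOKEN.findall(version))


def in_branch(version: str, branch: str) -> bool:
    """True when `branch` is a segment-wise prefix of `version`.

    Segment-wise, not textual: branch '5.6' matches 5.6.34 but not 5.60.1.
    """
    vk, bk = version_key(version), version_key(branch)
    return vk[: len(bk)] == bk


def validate_spec(spec: dict) -> list:
    """Structural checks mirroring the proposed schema's types and 'required' lists."""
    errors = []
    for key in ("priortoall", "earliertoall"):
        if key in spec and not isinstance(spec[key], str):
            errors.append(f"{key} must be a string")
    required = {
        "priortoone": ("branch", "release"),
        "earliertoone": ("branch", "release"),
        "interval": ("startrelease", "endrelease"),
    }
    for key, fields in required.items():
        for i, entry in enumerate(spec.get(key, [])):
            missing = [f for f in fields if f not in entry]
            if missing:
                errors.append(f"{key}[{i}] missing {missing}")
    return errors


def is_affected(version: str, spec: dict) -> bool:
    """Apply every clause of a proposed 'version' object; any matching clause affects."""
    v = version_key(version)
    # individuals: exact matches; an entry may itself hold comma-separated versions
    for entry in spec.get("individuals", []):
        if any(version_key(item.strip()) == v for item in entry.split(",")):
            return True
    # priortoall: strictly before the given release, whatever the branch
    if "priortoall" in spec and v < version_key(spec["priortoall"]):
        return True
    # priortoone: strictly before the release, but only inside the named branch
    for b in spec.get("priortoone", []):
        if in_branch(version, b["branch"]) and v < version_key(b["release"]):
            return True
    # interval: start and end both included ("2.4.17 through 2.4.23")
    for iv in spec.get("interval", []):
        if version_key(iv["startrelease"]) <= v <= version_key(iv["endrelease"]):
            return True
    # earliertoall / earliertoone: the named release itself is affected too
    if "earliertoall" in spec and v <= version_key(spec["earliertoall"]):
        return True
    for b in spec.get("earliertoone", []):
        if in_branch(version, b["branch"]) and v <= version_key(b["release"]):
            return True
    return False


# Specs constructed from the CVE examples in the proposal (assumed encodings).
ORACLE_DB_12102 = {"individuals": ["12.1.0.2"]}
OSX_BEFORE_1012 = {"priortoall": "10.12"}
OPENSSL_110_BEFORE_110A = {"priortoone": [{"branch": "1.1.0", "release": "1.1.0a"}]}
HTTPD_2417_THROUGH_2423 = {"interval": [{"startrelease": "2.4.17", "endrelease": "2.4.23"}]}
MEM_3137856_AND_EARLIER = {"earliertoall": "3.1.3.7856"}
MYSQL_5634_5716_AND_EARLIER = {"earliertoone": [{"branch": "5.6", "release": "5.6.34"},
                                                {"branch": "5.7", "release": "5.7.16"}]}

if __name__ == "__main__":
    for ver, spec in [("2.4.9", HTTPD_2417_THROUGH_2423), ("1.1.0", OPENSSL_110_BEFORE_110A),
                      ("1.1.0a", OPENSSL_110_BEFORE_110A), ("5.7.17", MYSQL_5634_5716_AND_EARLIER)]:
        print(ver, "affected" if is_affected(ver, spec) else "not affected", spec)
```

Two things the evaluator makes explicit that the schema alone leaves open: whether "interval" ends are inclusive, and whether a "branch" is matched textually or segment-wise. Both would need to be pinned down in the specification, since a consumer that compares version strings lexically will treat 2.4.9 as newer than 2.4.17 and silently exclude affected installs.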





