OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

csaf message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Meeting follow up: CSAF JSON schema product information

Follow-up thoughts from meeting today. This is mostly just to capture the points to make sure what was discussed during the call doesn't get lost, and also so that those that didn't make the meeting get the same context.

These are just the questions that came up surrounding how product information is captured in the JSON data. Of course other stuff was covered in the call.

Question: Does the JSON CSAF document capture product information, or are references via CPE/SWID/SPDX sufficient?
Conclusion from the call this morning seems to be universally, "yes, store product information in JSON". Scenarios that make this essential:
Next question: How should the JSON capture and refer to the product information in the JSON file?
The overall structure of the current CVRF document is document metadata, vulnerabilities, and product data. I believe we agreed on today's call:
Question:ÂHow does the JSON capture the product information?
The CVRF model defines an effective model of an entity as a modeled object with a product ID, plus a collection of properties. Examples of properties include product name, version number, vendor. In the simplest form, this could be stored in a de-normalized, flat manner in JSON - an array of entries, where each entry captures all the properties such as vendor, product family, product name, version number. Denormalizing has risks (changes in one place but not another), takes space, and probably adds confusion. We can take a few paths to renormalizing the data, all of which we discussed in the call:
My proposal from the other day suggested using attribute sets, to the exclusion of hierarchical attribute declarations. I've had more thoughts on that. More on that in a separate email.

Question: How do we deal with product groups?
My somewhat glib answer to this question during the call was that this ends up being relatively simple, once we've defined the reference to a product. I still think that's true.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]