[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [csaf] CSAF product identification and version numbers
On 1/3/19 9:15 PM, Eric Johnson wrote:
/Question:/ÂDo we want the CSAF JSON format to be sufficient to generate the MITRE CVE data? If the answer to that question is yes, that moots my next question, as that would force the inclusion of vendor, name, and version.
I think this would be useful, and would support the profile idea if there is not strong desire to chagne or fork the CVRF spec more directly.
/Question:/ÂDo we want the CSAF JSON format to be able to model the existing CVRF data (except for use of the xml:lang capabilities we've already addressed)? That is, is it possible to go CVRF --> JSON --> CVRF (and get equivalent output)? Note that the reverse JSON --> CVRF --> JSON (with equivalent output) will not be possible due to the likely enhancements of the JSON format, as well as the built-in extensibility of the JSON format.
I'd think yes, we do want a newer JSON format to model/match existing XML, as closely as possible. This doesn't preclude future changes to one or both formats to accommodate new use cases, like CVE integration (or NIST VDO integration).
And one last: /Question: /do we have a place where we're documenting the requirements of the JSON format?
There's a JIRA project: https://issues.oasis-open.org/projects/CSAF/issues/CSAF-13?filter=allopenissues Not sure if there is a wiki or other collaborative document feature. - Art
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]