Subject: CVSS representation in current CSAF JSON schema


Hi folks,

The latest version of the CSAF 2.0 schema draft is at: 
https://github.com/oasis-tcs/csaf/blob/master/sandbox/csaf_2.0/json_schema/csaf_json_schema.json


Chandan just provided a very relevant observation in GitHub via issue: https://github.com/oasis-tcs/csaf/issues/9

------

CVSS SIG has a recommended JSON schema for storing and exchanging CVSS scores:

There are a few issues with CVSS in the current csaf_json_schema.json:

- CVSS scores are strings instead of numbers, which means consumers may have to convert a string to a number for proper processing. JSON allows numbers, so it doesn't make sense to store a number as a string.
- If the CVSS version number is part of the field name (e.g., "base_score_v3"), then when there is a CVSS 3.1 or 4.0 you may have to change the schema (and the CSAF version). The FIRST CVSS JSON schema encodes it in a "version" field. This allows better abstractions and backwards/forwards compatibility.
- No validation of the vector string format. The FIRST CVSS JSON schema does have validation built in.

Suggested fix: make cvss_score_sets an array of objects that $ref to FIRST cvss json schema.

------


For completeness, the following is the example provided at the FIRST website (https://www.first.org/cvss/data-representations ):

Minimal CVSS v3.0 information:

{
    "version": "3.0",
    "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
    "baseScore": 7.8,
    "baseSeverity": "HIGH"
}


CVSS information including optional base metrics:

{
    "version": "3.0",
    "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
    "attackVector": "LOCAL",
    "attackComplexity": "LOW",
    "privilegesRequired": "NONE",
    "userInteraction": "REQUIRED",
    "scope": "UNCHANGED",
    "confidentialityImpact": "HIGH",
    "integrityImpact": "HIGH",
    "availabilityImpact": "HIGH",
    "baseScore": 7.8,
    "baseSeverity": "HIGH"
}

Another observation I have is that the previous example also gives us flexibility to change the "CVSS version" and not be "stuck" with "score_set_v3", "base_score_v3", "temporal_score_v3", "environmental_score_v3", etc., as we currently have in the schema (https://github.com/oasis-tcs/csaf/blob/master/sandbox/csaf_2.0/json_schema/csaf_json_schema.json#L420).

Any thoughts or comments? 


Regards,


Omar Santos
Cisco PSIRT
Email: os@cisco.com
PGP Key: 8E19A9D13AF27EDC


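The three points raised in the thread (scores as JSON numbers rather than strings, a "version" field instead of version-suffixed field names, and validation of the vector string) can be checked mechanically on a FIRST-style CVSS object. The following is an added example written for this archive page; it is not code from the CSAF project or from the FIRST data-representation schema. It validates a CVSS v3.0/v3.1 object of the shape shown above, recomputes the base score from the vector using the published v3 base-score equations (so a score that does not match its vector is caught), and checks that baseSeverity agrees with the score. The sample objects at the bottom are constructed for the example: one is the FIRST example from the page, one mimics the draft-schema habit of storing the score as a string, and one has a version field that disagrees with the vector.

```python
"""Validate FIRST-style CVSS v3.x JSON objects (added example, not CSAF or FIRST code)."""
import math
import re

# Metric weights from the CVSS v3.0/v3.1 specification. PR weights depend on scope.
WEIGHTS = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
    "AC": {"L": 0.77, "H": 0.44},
    "PR": {"U": {"N": 0.85, "L": 0.62, "H": 0.27},   # scope unchanged
           "C": {"N": 0.85, "L": 0.68, "H": 0.5}},   # scope changed
    "UI": {"N": 0.85, "R": 0.62},
    "CIA": {"H": 0.56, "L": 0.22, "N": 0.0},
}

# Base-metric vector grammar for v3.0 and v3.1 (the "version" group captures the prefix).
VECTOR_RE = re.compile(
    r"^CVSS:(?P<ver>3\.[01])/AV:[NALP]/AC:[LH]/PR:[NLH]/UI:[NR]/S:[UC]/C:[NLH]/I:[NLH]/A:[NLH]$"
)


def parse_vector(vector: str) -> dict:
    """Split a validated vector string into {metric: value}, plus the version prefix."""
    m = VECTOR_RE.match(vector)
    if not m:
        raise ValueError(f"malformed CVSS v3 base vector: {vector!r}")
    metrics = dict(part.split(":") for part in vector.split("/")[1:])
    metrics["version"] = m.group("ver")
    return metrics


def roundup(x: float) -> float:
    """CVSS v3.0 Roundup: smallest one-decimal value >= x (v3.1 defines a float-safe variant)."""
    return math.ceil(x * 10) / 10


def base_score(metrics: dict) -> float:
    """Base score from the v3 equations (impact sub-score, impact, exploitability)."""
    cia = WEIGHTS["CIA"]
    iss = 1 - (1 - cia[metrics["C"]]) * (1 - cia[metrics["I"]]) * (1 - cia[metrics["A"]])
    changed = metrics["S"] == "C"
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    exploitability = (8.22 * WEIGHTS["AV"][metrics["AV"]] * WEIGHTS["AC"][metrics["AC"]]
                      * WEIGHTS["PR"]["C" if changed else "U"][metrics["PR"]]
                      * WEIGHTS["UI"][metrics["UI"]])
    if impact <= 0:
        return 0.0
    total = impact + exploitability
    return roundup(min(1.08 * total if changed else total, 10))


def severity(score: float) -> str:
    """Qualitative severity rating scale from the v3 specification."""
    if score == 0:
        return "NONE"
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    if score < 9.0:
        return "HIGH"
    return "CRITICAL"


def validate(obj: dict) -> list:
    """Return a list of problems; an empty list means the object is consistent."""
    problems = []
    version = obj.get("version")
    if version not in ("3.0", "3.1"):
        return [f"unsupported or missing version: {version!r}"]
    vector = obj.get("vectorString")
    if not isinstance(vector, str) or not VECTOR_RE.match(vector):
        return [f"vectorString is missing or malformed: {vector!r}"]
    metrics = parse_vector(vector)
    if metrics["version"] != version:
        problems.append(f"version {version} disagrees with vector prefix CVSS:{metrics['version']}")
    score = obj.get("baseScore")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        problems.append(f"baseScore must be a JSON number, got {type(score).__name__}")
        return problems
    expected = base_score(metrics)
    if abs(score - expected) > 1e-9:
        problems.append(f"baseScore {score} does not match vector (computed {expected})")
    if obj.get("baseSeverity") != severity(expected):
        problems.append(f"baseSeverity should be {severity(expected)} for score {expected}")
    return problems


# Constructed sample objects for the example.
VECTOR = "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
FIRST_EXAMPLE = {"version": "3.0", "vectorString": VECTOR, "baseScore": 7.8, "baseSeverity": "HIGH"}
STRING_SCORE = {"version": "3.0", "vectorString": VECTOR, "baseScore": "7.8", "baseSeverity": "HIGH"}
VERSION_MISMATCH = {"version": "3.1", "vectorString": VECTOR, "baseScore": 7.8, "baseSeverity": "HIGH"}

if __name__ == "__main__":
    for name, obj in [("FIRST example", FIRST_EXAMPLE), ("string score", STRING_SCORE),
                      ("version mismatch", VERSION_MISMATCH)]:
        print(name, "->", validate(obj) or "ok")
```

Because the score is recomputed from the vector, a consumer that ingests CVSS objects in this shape can reject advisories whose score, vector and severity disagree, which a schema that only declares the score as a string cannot do.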


