[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: CVSS representation in current CSAF JSON schema
Hi folks,

The latest version of the CSAF 2.0 schema draft is at:

Chandan just provided a very relevant observation in GitHub via issue: https://github.com/oasis-tcs/csaf/issues/9

------

CVSS SIG has a recommended JSON schema for storing and exchanging CVSS scores:

There are a few issues with CVSS in the current csaf_json_schema.json:

- CVSS scores are strings instead of numbers. This means consumers may have to convert a string to a number for proper processing. JSON allows numbers, so it doesn't make sense to store a number as a string.

- If the CVSS version number is part of the field name (e.g., "base_score_v3"), then when there is a CVSS 3.1 or 4.0 you may have to change the schema (and CSAF version). The FIRST CVSS JSON schema encodes it in a "version" field. This allows better abstractions and backwards/forwards compatibility.

- No validation of the vector string format. The FIRST CVSS JSON schema does have validation built in.

Suggested fix: make cvss_score_sets an array of objects that $ref to the FIRST CVSS JSON schema.

------

For completeness, the following is the example provided at the FIRST website (https://www.first.org/cvss/data-representations):

Minimal CVSS v3.0 information:

    {
      "version": "3.0",
      "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "baseScore": 7.8,
      "baseSeverity": "HIGH"
    }

CVSS information including optional base metrics:

    {
      "version": "3.0",
      "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "attackVector": "LOCAL",
      "attackComplexity": "LOW",
      "privilegesRequired": "NONE",
      "userInteraction": "REQUIRED",
      "scope": "UNCHANGED",
      "confidentialityImpact": "HIGH",
      "integrityImpact": "HIGH",
      "availabilityImpact": "HIGH",
      "baseScore": 7.8,
      "baseSeverity": "HIGH"
    }

Another observation I have is that the previous example also gives us flexibility to change the "CVSS version" and not be "stuck" with "score_set_v3", "base_score_v3", "temporal_score_v3", "environmental_score_v3", etc., as we currently have in the schema (https://github.com/oasis-tcs/csaf/blob/master/sandbox/csaf_2.0/json_schema/csaf_json_schema.json#L420).

Any thoughts or comments?
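The three complaints in the message above (scores stored as strings, the CVSS version living in field names, and no validation of the vector string) are exactly what a consumer has to re-check by hand when the schema does not do it. The following is an added example, not code from the CSAF project or from FIRST, showing what such a consistency check looks like for a FIRST-style CVSS v3.x JSON object: it rejects a non-numeric baseScore, parses the version out of the vector string prefix rather than out of a field name, validates the vector string format with a regular expression, recomputes the base score from the vector using the CVSS v3 base formula and compares it to the stored baseScore and baseSeverity, and checks that any optional long-form base metrics agree with the vector. Assumptions: only the base metric group is accepted in the vector (no temporal or environmental metrics), and the sample inputs are constructed from the FIRST minimal example plus a deliberately broken copy with the score as a string.

```python
"""Consistency check for a FIRST-style CVSS v3.x JSON object (added example).

Checks: numeric baseScore, version taken from the vector prefix, vector string
format, recomputed base score and severity, and optional long-form metrics.
Assumption: base metric group only; temporal/environmental metrics are rejected.
"""
import math
import re
from typing import Any, Dict, List

# CVSS 3.0 / 3.1 base vector, fixed metric order as the specification requires.
VECTOR_RE = re.compile(
    r"^CVSS:(?P<version>3\.[01])/AV:(?P<AV>[NALP])/AC:(?P<AC>[LH])/PR:(?P<PR>[NLH])"
    r"/UI:(?P<UI>[NR])/S:(?P<S>[UC])/C:(?P<C>[NLH])/I:(?P<I>[NLH])/A:(?P<A>[NLH])$"
)

# Base metric weights from the CVSS v3.0/v3.1 specification.
AV_W = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC_W = {"L": 0.77, "H": 0.44}
UI_W = {"N": 0.85, "R": 0.62}
CIA_W = {"H": 0.56, "L": 0.22, "N": 0.0}
PR_W = {"U": {"N": 0.85, "L": 0.62, "H": 0.27},   # scope unchanged
        "C": {"N": 0.85, "L": 0.68, "H": 0.5}}    # scope changed

# Optional long-form base metric fields of the FIRST JSON schema and the vector
# metric each must agree with.
LONG = {
    "attackVector": ("AV", {"N": "NETWORK", "A": "ADJACENT_NETWORK", "L": "LOCAL", "P": "PHYSICAL"}),
    "attackComplexity": ("AC", {"L": "LOW", "H": "HIGH"}),
    "privilegesRequired": ("PR", {"N": "NONE", "L": "LOW", "H": "HIGH"}),
    "userInteraction": ("UI", {"N": "NONE", "R": "REQUIRED"}),
    "scope": ("S", {"U": "UNCHANGED", "C": "CHANGED"}),
    "confidentialityImpact": ("C", {"N": "NONE", "L": "LOW", "H": "HIGH"}),
    "integrityImpact": ("I", {"N": "NONE", "L": "LOW", "H": "HIGH"}),
    "availabilityImpact": ("A", {"N": "NONE", "L": "LOW", "H": "HIGH"}),
}


def roundup(x: float) -> float:
    """CVSS 'Roundup': smallest one-decimal value >= x. v3.0 defines it as ceil
    to one decimal; v3.1 restates it in integer arithmetic to avoid floating
    point artifacts. The integer form is used here for both versions."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0


def base_score(vector: str) -> float:
    """Compute the CVSS v3.x base score from a base-metric vector string."""
    m = VECTOR_RE.match(vector)
    if not m:
        raise ValueError(f"malformed vector string: {vector!r}")
    g = m.groupdict()
    iss = 1 - (1 - CIA_W[g["C"]]) * (1 - CIA_W[g["I"]]) * (1 - CIA_W[g["A"]])
    if g["S"] == "U":
        impact = 6.42 * iss
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    exploitability = 8.22 * AV_W[g["AV"]] * AC_W[g["AC"]] * PR_W[g["S"]][g["PR"]] * UI_W[g["UI"]]
    if impact <= 0:
        return 0.0
    if g["S"] == "U":
        return roundup(min(impact + exploitability, 10))
    return roundup(min(1.08 * (impact + exploitability), 10))


def severity(score: float) -> str:
    """Qualitative severity band for a CVSS v3.x score."""
    if score == 0.0:
        return "NONE"
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    if score < 9.0:
        return "HIGH"
    return "CRITICAL"


def validate(obj: Dict[str, Any]) -> List[str]:
    """Return a list of problems found; an empty list means the object is consistent."""
    problems: List[str] = []
    vec = obj.get("vectorString")
    m = VECTOR_RE.match(vec) if isinstance(vec, str) else None
    if not m:
        return [f"vectorString does not match the CVSS 3.x base vector format: {vec!r}"]
    g = m.groupdict()
    # The version is carried by the vector prefix, not by a per-version field name.
    if obj.get("version") != g["version"]:
        problems.append(f"version {obj.get('version')!r} disagrees with vector prefix CVSS:{g['version']}")
    score = obj.get("baseScore")
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        problems.append(f"baseScore must be a JSON number, got {type(score).__name__}")
    else:
        expected = base_score(vec)
        if abs(score - expected) > 1e-9:
            problems.append(f"baseScore {score} does not match vector (expected {expected})")
        if obj.get("baseSeverity") != severity(expected):
            problems.append(f"baseSeverity {obj.get('baseSeverity')!r} should be {severity(expected)}")
    for field, (abbrev, names) in LONG.items():
        if field in obj and obj[field] != names[g[abbrev]]:
            problems.append(f"{field} {obj[field]!r} contradicts vector metric {abbrev}:{g[abbrev]}")
    return problems


# Constructed sample inputs: the FIRST minimal example, and the same object with
# the score stored as a string, as the draft CSAF schema would have allowed.
GOOD = {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
        "baseScore": 7.8, "baseSeverity": "HIGH"}
STRINGY = dict(GOOD, baseScore="7.8")

if __name__ == "__main__":
    print(validate(GOOD))     # []
    print(validate(STRINGY))  # ['baseScore must be a JSON number, got str']
```

Recomputing the score from the vector is the part a schema cannot do for you, and it catches the most common real-world defect in published CVSS data: a vector edited after the score was written down. The version check shows why carrying the version in the data ("3.0" in both the version field and the vector prefix) is more robust than carrying it in a field name such as base_score_v3.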