OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

csaf message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Why does the "relationship" model allow for multiple FullProductName elements?


Question for the list, as I'm trying to hammer out a tool to read in the XML format and spit out the JSON format.

In the "Relationship" section of the CVRF spec (section 5.1.3), the relationship is defined to relate "ProductReference" (a product ID) to "RelatesToProductReference" (another product ID) with relationship "RelationType". This relationship is then defined by a "FullProductName" which names the relationship.

For example "CoolLibrary_2.0.1" (ProductReference) could be "Installed on" (RelationType) the project "CoolPlatform_1.5.2" (RelatesToProductReference). The Relationship element exists to nameÂthis relationship, perhaps with a name like "CoolPlatform_1.5.2:CoolLibrary_2.0.1". Naming this relationship happens with a "FullProductName" XML element, which defines the ID for the product, and a human readable name for the same. Once named, the relationship could be identified with a specific vulnerability.

Here's why I'm confused. The XML Schema for the "Relationship" element allows for "1" to "unbounded" instances of this element. Why is the upper limit "unbounded"? As near as I can tell, it is only useful to have a single "FullProductName" appear under the Relationship element.

I'm asking, because I'm concerned that I'm misinterpreting the specification. Anyone have any clues?

Eric.



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]