
Subject: Re: [csaf] Item: Various possible enhancements to the JSON format for representing vulnerabilities

Thank you, Eric! Some minor comments inline:

On Aug 27, 2019, at 8:28 PM, Eric Johnson <eric@tibco.com> wrote:


In working on the JSON format, I've observed the following possible areas of enhancement:

- Drop "ordinal" from JSON output - this field adds no value to the serialized output, that I can tell. I am planning to update the export logic of the conversion tool to automatically supply ordinals for the XML format, which made me think they should just be dropped from the JSON.

I agree that the "ordinal" provides no value and should be dropped.

- use JSON schema for CVSS? Omar suggested this in an email on May 15. Seems like it might be a good idea…

To provide additional references to the TC. The following is the CVSS JSON schema:

If the TC decides that we should incorporate that enhancement, I will reopen the issue and track 

- Change CVSSScoreSets to just "Scoring" in JSON, with children for v3.0 v3.1, etc.

We should probably at least make a reference to CVSS (e.g., CVSSScore); not to confuse it with a proprietary score. If we decide to incorporate the JSON schema from CVSS, we should at least support the minimal (version, vectorString, baseScore, baseSeverity):

    {
        "version": "3.1",
        "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
        "baseScore": 7.8,
        "baseSeverity": "HIGH"
    }

- Why does Relationship include a _list_ of products? I believe it should just be one. Anyone know differently?

They can be more than one product. In the past, we had the examples of Microsoft Office products, where MS Word can be associated to Office365, standalone, traditional Office, etc. Also open source components can be bundled with different distributions. For instance, libABC included in RHEL, Canonical (Ubuntu), Debian, etc. It may be that a vulnerability in libABC may only affect Ubuntu and Debian, but does not affect RHEL (or vice versa) because of the way it was implemented. This is why we had the following in CVRF 1.2 and earlier:

Default Component Of
External Component Of
Installed On
Installed With
Optional Component Of

Thanks again!

