Subject: Re: [csaf] Item: Various possible enhancements to the JSON format for representing vulnerabilities
Thank you, Eric! Some minor comments inline:
I agree that the "ordinal" provides no value and should be dropped.
To provide additional references to the TC, the following is the CVSS JSON schema:
And the previous GitHub issue: https://github.com/oasis-tcs/csaf/issues/9
If the TC decides that we should incorporate that enhancement, I will reopen the issue and track
We should probably at least make a reference to CVSS (e.g., CVSSScore), so as not to confuse it with a proprietary score. If we decide to incorporate the JSON schema from CVSS, we should at least support the minimal fields (version, vectorString, baseScore, baseSeverity):
There can be more than one product. In the past, we had the examples of Microsoft Office products, where MS Word can be associated with Office365, standalone, traditional Office, etc. Also, open-source components can be bundled with different distributions.
For instance, libABC included in RHEL, Canonical (Ubuntu), Debian, etc. It may be that a vulnerability in libABC only affects Ubuntu and Debian, but does not affect RHEL (or vice versa) because of the way it was implemented. This is why we had the following in CVRF 1.2 and earlier:
Default Component Of
External Component Of
Installed On
Installed With
Optional Component Of
Thanks again!
Omar
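The two points above (a minimal CVSS object with version, vectorString, baseScore and baseSeverity, and affected status expressed per product relationship rather than per bare component) can be checked mechanically. The following is an added example written for this thread; it is not code from the CSAF TC, the CVSS JSON schema, or Omar's message. The function names, the record layout, the product identifiers and the libABC/RHEL/Ubuntu/Debian sample record are all constructed for illustration; the severity bands come from the CVSS v3.0/v3.1 specifications and the relationship type names are the five CVRF 1.2 values listed above.

```python
# Added example: consistency checks for a minimal CVSS score object and for
# CVRF-1.2-style product relationships. Record layout and names are assumptions.

# CVSS v3.x qualitative severity bands (from the CVSS v3.0 / v3.1 specifications).
SEVERITY_BANDS = [
    (0.0, 0.0, "NONE"),
    (0.1, 3.9, "LOW"),
    (4.0, 6.9, "MEDIUM"),
    (7.0, 8.9, "HIGH"),
    (9.0, 10.0, "CRITICAL"),
]

# The four minimal fields named in the thread.
REQUIRED_CVSS_FIELDS = ("version", "vectorString", "baseScore", "baseSeverity")

# Mandatory CVSS v3.x base metrics that every vector string must carry.
BASE_METRICS = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")

# Relationship types carried over from CVRF 1.2, as listed in the thread.
CVRF_RELATIONSHIP_TYPES = {
    "Default Component Of",
    "External Component Of",
    "Installed On",
    "Installed With",
    "Optional Component Of",
}


def severity_for_score(score):
    """Map a CVSS v3.x base score (one decimal) to its qualitative rating."""
    for low, high, label in SEVERITY_BANDS:
        if low <= score <= high:
            return label
    return None


def validate_cvss(score):
    """Return a list of problems in a minimal CVSS v3.x object (empty list means OK)."""
    missing = [f for f in REQUIRED_CVSS_FIELDS if f not in score]
    if missing:
        return ["missing fields: " + ", ".join(missing)]
    problems = []
    version = str(score["version"])
    if version not in ("3.0", "3.1"):
        return [f"unsupported CVSS version {version!r}"]
    vector = str(score["vectorString"])
    # The vector must announce the same version as the 'version' field.
    if not vector.startswith(f"CVSS:{version}/"):
        problems.append("vectorString prefix does not match 'version'")
    metrics = dict(p.split(":", 1) for p in vector.split("/")[1:] if ":" in p)
    for key in BASE_METRICS:
        if key not in metrics:
            problems.append(f"vectorString lacks base metric {key}")
    base_score = score["baseScore"]
    if isinstance(base_score, bool) or not isinstance(base_score, (int, float)) \
            or not 0.0 <= base_score <= 10.0:
        problems.append("baseScore must be a number between 0.0 and 10.0")
    else:
        expected = severity_for_score(round(float(base_score), 1))
        if score["baseSeverity"] != expected:
            problems.append(f"baseSeverity {score['baseSeverity']!r} does not match "
                            f"baseScore {base_score} (expected {expected})")
    return problems


def validate_relationships(products, relationships):
    """Check that every relationship uses a CVRF 1.2 type and links two known, distinct products."""
    problems = []
    for rid, rel in relationships.items():
        if rel.get("relationship_type") not in CVRF_RELATIONSHIP_TYPES:
            problems.append(f"{rid}: unknown relationship type {rel.get('relationship_type')!r}")
        for side in ("product", "relates_to"):
            if rel.get(side) not in products:
                problems.append(f"{rid}: {side} references unknown product {rel.get(side)!r}")
        if rel.get("product") == rel.get("relates_to"):
            problems.append(f"{rid}: a product cannot relate to itself")
    return problems


def validate_vulnerability(record):
    """Validate a constructed vulnerability record: CVSS block, relationships, and status lists.

    Affected / not-affected status refers to relationship ids, so that 'libABC in
    Ubuntu' and 'libABC in RHEL' can carry different statuses, as the thread describes.
    """
    problems = validate_cvss(record["cvss"])
    problems += validate_relationships(record["products"], record["relationships"])
    affected, not_affected = set(record["affected"]), set(record["not_affected"])
    for rid in affected | not_affected:
        if rid not in record["relationships"]:
            problems.append(f"status refers to unknown relationship {rid!r}")
    for rid in affected & not_affected:
        problems.append(f"{rid} is listed as both affected and not affected")
    return problems


# Constructed sample record mirroring the libABC scenario from the thread.
SAMPLE_VULNERABILITY = {
    "products": {
        "LIBABC": "libABC 1.2",
        "RHEL": "Red Hat Enterprise Linux 8",
        "UBUNTU": "Ubuntu 20.04",
        "DEBIAN": "Debian 11",
    },
    "relationships": {
        "LIBABC_RHEL": {"product": "LIBABC", "relationship_type": "Default Component Of", "relates_to": "RHEL"},
        "LIBABC_UBUNTU": {"product": "LIBABC", "relationship_type": "Default Component Of", "relates_to": "UBUNTU"},
        "LIBABC_DEBIAN": {"product": "LIBABC", "relationship_type": "Default Component Of", "relates_to": "DEBIAN"},
    },
    "cvss": {
        "version": "3.1",
        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
        "baseScore": 7.5,
        "baseSeverity": "HIGH",
    },
    "affected": ["LIBABC_UBUNTU", "LIBABC_DEBIAN"],
    "not_affected": ["LIBABC_RHEL"],
}

if __name__ == "__main__":
    print(validate_vulnerability(SAMPLE_VULNERABILITY) or "record is consistent")
```

Keying status off a relationship id rather than off the bare component is what lets a single advisory say "affected" for libABC as shipped in Ubuntu and Debian while saying "not affected" for the same library in RHEL; a validator that only knew product ids could not express or check that distinction.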