Subject: Re: [csaf] Item: Various possible enhancements to the JSON format for representing vulnerabilities
Question: In the JSON, why are elements named with "_t"? Is this short for, or an abbreviation of, something? Can we make a longer, more meaningful name?
Mike
Michael Gorski
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems, Inc.
United States
From: csaf@lists.oasis-open.org <csaf@lists.oasis-open.org> On Behalf Of Omar Santos (osantos)
Sent: Tuesday, August 27, 2019 7:56 PM
To: Eric Johnson <eric@tibco.com>
Cc: csaf@lists.oasis-open.org
Subject: Re: [csaf] Item: Various possible enhancements to the JSON format for representing vulnerabilities
Thank you, Eric! Some minor comments inline:
On Aug 27, 2019, at 8:28 PM, Eric Johnson <eric@tibco.com> wrote:
Hi CSAF-TC,
In working on the JSON format, I've observed the following possible areas of enhancement:
- Drop "ordinal" from JSON output - this field adds no value to the serialized output, that I can tell. I am planning to update the export logic of the conversion tool to automatically supply ordinals for the XML format, which made me think they should just be dropped from the JSON.
I agree that the "ordinal" provides no value and should be dropped.
- use JSON schema for CVSS? Omar suggested this in an email on May 15. Seems like it might be a good idea...
To provide additional references to the TC. The following is the CVSS JSON schema:
And previous GitHub issue https://github.com/oasis-tcs/csaf/issues/9
If the TC decides that we should incorporate that enhancement, I will reopen the issue and track
- Change CVSSScoreSets to just "Scoring" in JSON, with children for v3.0 v3.1, etc.
We should probably at least make a reference to CVSS (e.g., CVSSScore); not to confuse it with a proprietary score. If we decide to incorporate the JSON schema from CVSS, we should at least support the minimal (version, vectorString, baseScore, baseSeverity):
{
    "version": "3.1",
    "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
    "baseScore": 7.8,
    "baseSeverity": "HIGH"
}
- Why does Relationship include a _list_ of products? I believe it should just be one. Anyone know differently?
There can be more than one product. In the past, we had the examples of Microsoft Office products, where MS Word can be associated to Office365, standalone, traditional Office, etc. Also open source components can be bundled with different distributions. For instance, libABC included in RHEL, Canonical (Ubuntu), Debian, etc. It may be that a vulnerability in libABC may only affect Ubuntu and Debian, but does not affect RHEL (or vice versa) because of the way it was implemented. This is why we had the following in CVRF 1.2 and earlier:
Default Component Of
External Component Of
Installed On
Installed With
Optional Component Of
Thanks again!
Omar
Eric.
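Omar's answer on Relationship is that one component (libABC) can stand in several relationships to several products, and that a vulnerability may apply to only some of those combinations. The following is an added example, not CSAF TC code and not the CSAF or CVRF schema: it models that situation with a constructed product list and relationship entries using the five CVRF 1.2 relationship types quoted above, runs the referential checks a consumer would want (known type, both endpoints are real products, unique IDs), and expands a vulnerability's affected IDs into readable names. The product IDs, names and dict layout are assumptions made for this example.

```python
"""Resolving product relationships, as an added example (not CSAF TC code).

One component (libABC) stands in several relationships to several products;
the vulnerability affects only some of those combinations. Product IDs, names
and the dict layout are constructed for this example; the relationship types
are the five from CVRF 1.2 quoted in the thread.
"""

# The five CVRF 1.2 relationship types quoted in the thread.
RELATIONSHIP_TYPES = {
    "Default Component Of",
    "External Component Of",
    "Installed On",
    "Installed With",
    "Optional Component Of",
}

# Constructed sample data (IDs and versions are made up).
PRODUCTS = {
    "CVRFPID-0001": "libABC 1.2",
    "CVRFPID-0002": "Ubuntu 18.04",
    "CVRFPID-0003": "Debian 10",
    "CVRFPID-0004": "RHEL 8",
}
RELATIONSHIPS = [
    {"id": "CVRFPID-0101", "product": "CVRFPID-0001", "type": "Default Component Of", "relates_to": "CVRFPID-0002"},
    {"id": "CVRFPID-0102", "product": "CVRFPID-0001", "type": "Default Component Of", "relates_to": "CVRFPID-0003"},
    {"id": "CVRFPID-0103", "product": "CVRFPID-0001", "type": "Optional Component Of", "relates_to": "CVRFPID-0004"},
]
# The vulnerability affects the Ubuntu and Debian bundles but not the RHEL one.
AFFECTED = ["CVRFPID-0101", "CVRFPID-0102"]


def validate_relationships(products, relationships):
    """Referential checks: known type, both endpoints are real products, unique IDs."""
    problems = []
    seen = set()
    for rel in relationships:
        if rel["id"] in seen or rel["id"] in products:
            problems.append("duplicate id %s" % rel["id"])
        seen.add(rel["id"])
        if rel["type"] not in RELATIONSHIP_TYPES:
            problems.append("%s: unknown relationship type %r" % (rel["id"], rel["type"]))
        for end in ("product", "relates_to"):
            if rel[end] not in products:
                problems.append("%s: %s references unknown product %s" % (rel["id"], end, rel[end]))
    return problems


def full_product_name(rel_id, products, relationships):
    """Readable name of a relationship entry, e.g. 'libABC 1.2 (Default Component Of Ubuntu 18.04)'."""
    rel = next((r for r in relationships if r["id"] == rel_id), None)
    if rel is None:
        raise KeyError("unknown product or relationship id %s" % rel_id)
    return "%s (%s %s)" % (products[rel["product"]], rel["type"], products[rel["relates_to"]])


def affected_names(affected, products, relationships):
    """Expand affected IDs (plain products or relationship entries) into names."""
    names = []
    for pid in affected:
        if pid in products:
            names.append(products[pid])
        else:
            names.append(full_product_name(pid, products, relationships))
    return names


if __name__ == "__main__":
    print(validate_relationships(PRODUCTS, RELATIONSHIPS) or "relationships OK")
    for name in affected_names(AFFECTED, PRODUCTS, RELATIONSHIPS):
        print("affected:", name)
```

The point the example makes concrete is that the affected list refers to relationship entries rather than to libABC itself, so "libABC in Ubuntu" and "libABC in RHEL" can carry different statuses even though they are the same component.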