Hi CSAF-TC
See previous email for issue #1 related to using JSON schema from
first.org. This email raises a 2nd issue.
To wit:
first.org does not define any compliance criteria, at least not that I could find. CVSS score structures could be valid according to the schema, but still incorrect.
Questions:
- Do we care if the score is inconsistent - for example, the score does not match the vector, or the severity does not match the score?
- What are the conformance criteria? Do we leave it unspecified, leave it up to the implementation to check, or do we require that implementations check for score data consistency?
- If we allow implementations to continue with inconsistent data, do we require that actual values be generated from the vector?
- The regular expression in the first.org JSON schema allows for bogus vectors. Do we expect implementations to catch those bogus vectors?
Eric.