OASIS Mailing List Archives

csaf message



Subject: Switching to use first.org JSON schemas for CVSS scoring - issue #4


See previous emails #1-3 for issues related to using JSON schema from first.org. This email raises a fourth issue.

I think I've uncovered an oversight in the CVRF specification. Product IDs are associated with a specific CVSS score. The CVRF specification does indicate that within the scope of a vulnerability, a product id may be associated with exactly one CVSSv3 score, and exactly one CVSSv2 score. Just FYI, this is not a constraint that XML Schema can enforce.

Two issues here:
I think a simple solution to this problem is to assume that the first score in a vulnerability is the default score. Any additional scores require associated product IDs. In other words, the default scenario is one score for all products, with the ability to override for other products, if the score is different for those products for some reason.

Eric.
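The rule proposed in the message above, written as a check a document consumer could run after schema validation. This is an added example, not part of the original email or of the CVRF/CSAF specifications. The field names (`scores`, `version`, `base_score`, `product_ids`) are hypothetical, and treating the first score of each CVSS version as that version's default is an assumption.

```python
# Hypothetical field names; not taken from the CVRF/CSAF schemas.
# Assumption: the first score of each CVSS version is that version's default.

def check_scores(vuln):
    """Return a list of rule violations for one vulnerability's scores."""
    problems = []
    claimed = {}         # (version, product_id) -> index of the overriding score
    has_default = set()  # CVSS versions whose default score has been seen
    for i, score in enumerate(vuln.get("scores", [])):
        version = score["version"]
        if version not in has_default:
            has_default.add(version)  # first score of this version: the default
            continue
        pids = score.get("product_ids", [])
        if not pids:
            problems.append(f"score {i}: additional CVSS v{version} score has no product IDs")
        for pid in pids:
            if (version, pid) in claimed:
                problems.append(f"score {i}: {pid} already has a CVSS v{version} score "
                                f"(score {claimed[(version, pid)]})")
            else:
                claimed[(version, pid)] = i
    return problems

def effective_score(vuln, product_id, version):
    """Base score that applies to product_id: its override, else the default."""
    default = None
    for score in vuln.get("scores", []):
        if score["version"] != version:
            continue
        if default is None:
            default = score
        elif product_id in score.get("product_ids", []):
            return score["base_score"]
    return default["base_score"] if default else None

# Constructed sample documents.
GOOD = {"scores": [
    {"version": "3", "base_score": 7.5},
    {"version": "3", "base_score": 9.8, "product_ids": ["PID-2"]},
    {"version": "2", "base_score": 5.0},
]}
BAD = {"scores": [
    {"version": "3", "base_score": 7.5},
    {"version": "3", "base_score": 9.8, "product_ids": ["PID-2"]},
    {"version": "3", "base_score": 4.3, "product_ids": ["PID-2"]},  # duplicate
    {"version": "3", "base_score": 6.1},                            # no product IDs
]}

if __name__ == "__main__":
    print(check_scores(GOOD), check_scores(BAD))
```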



