See previous emails #1-3 for issues related to using JSON schema from
first.org. This email raises a fourth issue.
I think I've uncovered an oversight in the CVRF specification. Product IDs are associated with a specific CVSS score. The CVRF specification does indicate that within the scope of a vulnerability, a product ID may be associated with exactly one CVSSv3 score and exactly one CVSSv2 score. Just FYI, this is not a constraint that XML Schema can enforce.
Two issues here:
- If a conforming implementation of CSAF parses a document with multiple scores associated with a single product ID, what is the implementation supposed to do? Drop all score references, except the highest one? Emit a warning? Do nothing?
- What if a product ID is *not* associated with a score in the document? Is that a problem? What to do? Options include (a) warn, (b) assume the worst score available within a vulnerability, (c) reject the document?
- A sub-case here - what if *no* product IDs are identified (specification does not require this). If one and only one score is in the vulnerability, then can we assume that score?
I think a simple solution to this problem is to assume that the first score in a vulnerability is the default score. Any additional scores require associated product IDs. In other words, the default scenario is one score for all products, with the ability to override for other products, if the score is different for those products for some reason.
Eric.
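The "first score is the default, later scores must name their products" rule proposed in the message above, worked through as an added example. This is not code from the CSAF TC, the first.org schema, or the message's author. It assumes a CSAF-like JSON shape in which each vulnerability carries `product_status` (status name to list of product IDs) and a `scores` array whose entries hold `cvss_v3`/`cvss_v2` objects with a `baseScore` and an optional `products` list; the sample document and the `CSAFPID-000n` identifiers are constructed. How the edge cases from the message are handled (a product named by two scores, a later score with no product IDs, a vulnerability with no score at all) is a choice made here for illustration, not something the specification settles.

```python
"""Resolve which CVSS score applies to each product ID of a vulnerability.

Added example, not code from the CSAF project or the mailing-list author.
ASSUMED document shape (constructed for this illustration):

    vulnerabilities[i].product_status.<status> -> [product_id, ...]
    vulnerabilities[i].scores[j] -> {"cvss_v3"|"cvss_v2": {"baseScore": f},
                                     "products": [product_id, ...]}  # optional

Rule implemented: scores[0] is the default for every product in the
vulnerability; scores[1:] must list product IDs and override the default
for exactly those products.
"""
from typing import Dict, List, Tuple

# Constructed sample, not a real advisory; the product IDs refer to nothing real.
SAMPLE_DOC = {
    "vulnerabilities": [
        {
            "title": "vuln-1: default score plus overrides",
            "product_status": {"known_affected": ["CSAFPID-0001", "CSAFPID-0002", "CSAFPID-0003"]},
            "scores": [
                {"cvss_v3": {"baseScore": 7.5}},                                # default for all
                {"cvss_v3": {"baseScore": 9.8}, "products": ["CSAFPID-0003"]},  # override
                {"cvss_v3": {"baseScore": 5.3}, "products": ["CSAFPID-0003"]},  # second score, same product
                {"cvss_v3": {"baseScore": 4.0}},                                # later score, no product IDs
            ],
        },
        {
            "title": "vuln-2: one score, no product IDs",
            "product_status": {"known_affected": ["CSAFPID-0004"]},
            "scores": [{"cvss_v2": {"baseScore": 6.8}}],
        },
        {
            "title": "vuln-3: no score at all",
            "product_status": {"fixed": ["CSAFPID-0005"]},
            "scores": [],
        },
    ]
}


def products_in_status(vuln: dict) -> List[str]:
    """Every product ID named anywhere in product_status, in document order."""
    seen: List[str] = []
    for ids in vuln.get("product_status", {}).values():
        for pid in ids:
            if pid not in seen:
                seen.append(pid)
    return seen


def base_score(score: dict) -> float:
    """CVSS base score of one score object, preferring v3 over v2."""
    for key in ("cvss_v3", "cvss_v2"):
        if key in score:
            return float(score[key]["baseScore"])
    raise ValueError("score object carries neither cvss_v3 nor cvss_v2")


def resolve_scores(vuln: dict) -> Tuple[Dict[str, dict], List[str]]:
    """Map each product ID of `vuln` to the score object that applies to it.

    Returns (mapping, warnings). Edge-case policy chosen here (an assumption):
    a product listed by two override scores keeps the earlier one; a later
    score without product IDs is ignored; no scores at all yields no mapping.
    """
    warnings: List[str] = []
    scores = vuln.get("scores", [])
    products = products_in_status(vuln)
    if not scores:
        return {}, ["no score in vulnerability; nothing to assign"]

    default = scores[0]
    overrides: Dict[str, dict] = {}
    for idx, score in enumerate(scores[1:], start=1):
        listed = score.get("products") or []
        if not listed:
            warnings.append(f"scores[{idx}] has no product IDs; ignored (only scores[0] may omit them)")
            continue
        for pid in listed:
            if pid in overrides:
                # A product may carry exactly one score of each version: flag the duplicate.
                warnings.append(f"scores[{idx}] repeats product {pid}; keeping the earlier score")
                continue
            if pid not in products:
                warnings.append(f"scores[{idx}] names product {pid} absent from product_status")
            overrides[pid] = score

    resolved = {pid: overrides.get(pid, default) for pid in products}
    return resolved, warnings


def summarise(doc: dict) -> Dict[str, Dict[str, float]]:
    """Per vulnerability title: product ID -> applicable base score."""
    out: Dict[str, Dict[str, float]] = {}
    for vuln in doc["vulnerabilities"]:
        resolved, _ = resolve_scores(vuln)
        out[vuln["title"]] = {pid: base_score(s) for pid, s in resolved.items()}
    return out


if __name__ == "__main__":
    for vuln in SAMPLE_DOC["vulnerabilities"]:
        resolved, warnings = resolve_scores(vuln)
        print(vuln["title"])
        for pid, score in resolved.items():
            print(f"  {pid}: {base_score(score)}")
        for w in warnings:
            print(f"  warning: {w}")
```

Running it shows vuln-1 giving CSAFPID-0001 and CSAFPID-0002 the default 7.5 and CSAFPID-0003 the 9.8 override, with warnings for the duplicate product and for the score that names no products; vuln-2 assigns its single score to the one product without any product IDs being present, and vuln-3 produces only a warning. Whether the duplicate and missing-ID cases should instead reject the document is exactly the open question the message raises; the warning-only policy here is one of the options, not the specification's answer.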