Subject: Re: [csaf] Switching to use the first.org JSON schemas for CVSS scoring - issue #2
Lucas Tamagna-Darr | Director of Engineering - Detection Automation
Tenable Network Security
ltamagnadarr@tenable.com
Hi CSAF-TC

See previous email for issue #1 related to using JSON schema from first.org. This email raises a 2nd issue.

To wit: first.org does not define any compliance criteria, at least not that I could find. CVSS score structures could be valid according to the schema, but still incorrect.

Questions:
- Do we care if the score is inconsistent - for example, the score does not match the vector, or the severity does not match the score?
- What are the conformance criteria? Do we leave it unspecified, leave it up to the implementation to check, or do we require that implementations check for score data consistency?
- If we allow implementations to continue with inconsistent data, do we require that actual values be generated from the vector?
- The regular expression in the first.org JSON schema allows for bogus vectors. Do we expect implementations to catch those bogus vectors?
Eric.