
Subject: Re: [csaf] Switching to use the first.org JSON schemas for CVSS scoring - issue #2

Lucas Tamagna-Darr | Director of Engineering - Detection Automation
Tenable Network Security


On Thu, Nov 14, 2019 at 11:38 PM Eric Johnson <eric@tibco.com> wrote:

> See previous email for issue #1 related to using JSON schema from first.org. This email raises a 2nd issue.
>
> To wit: first.org does not define any compliance criteria, at least not that I could find. CVSS score structures could be valid according to the schema, but still incorrect.
>
>   • Do we care if the score is inconsistent - for example, the score does not match the vector, or the severity does not match the score?

Yes, if only because it is fairly simple to create a vector->score->severity calculator and there should be an expectation that the suppliers of the data should be specifying accurate information rather than the consumers validating the consistency of the vector/score/severity.

>   • What are the conformance criteria? Do we leave it unspecified, leave it up to the implementation to check, or do we require that implementations check for score data consistency?
>   • If we allow implementations to continue with inconsistent data, do we require that actual values be generated from the vector?

If we're going to allow for inconsistent data, I suggest we make the score and severity optional and only the vector required.

>   • The regular expression in the first.org JSON schema allows for bogus vectors. Do we expect implementations to catch those bogus vectors?

This seems like a reasonable expectation.
