Re: [csaf] Switching to use the first.org JSON schemas for CVSS scoring - issue #2

[Luke Tamagna-Darr <ltamagnadarr@tenable.com>]

Lucas Tamagna-DarrÂ| Director of Engineering - Detection Automation
Tenable Network Security
ltamagnadarr@tenable.com

On Thu, Nov 14, 2019 at 11:38 PM Eric Johnson <eric@tibco.com> wrote:

Hi CSAF-TC

See previous email for issue #1 related to using JSON schema from first.org. This email raises a 2nd issue.

To wit: first.org does not define any compliance criteria, at least not that I could find. CVSS score structures could be valid according to the schema, but still incorrect.

Questions:

• Do we care if the score is inconsistent - for example, the score does not match the vector, or the severity does not match the score?

Yes, if only because it is fairly simple to create a vector->score->severity calculator and there should be an expectation that the suppliers of the data should be specifying accurate information rather than the consumers validating the consistency of the vector/score/severity.Â

• What are the conformance criteria? Do we leave it unspecified, leave it up to the implementation to check, or do we require that implementations check for score data consistency?
• If we allow implementations to continue with inconsistent data, do we require that actual values be generated from the vector?

If we're going to allow for inconsistent data, I suggest we make the score and severity optional and only the vector required. Â

• The regular _expression_ in the first.org JSON -schema allows for bogus vectors. Do we expect implementations to catch those bogus vectors?

This seems like a reasonable expectation.ÂÂ

Eric.