Subject: Re: [csaf] Switching to use the first.org JSON schemas for CVSS scoring - issue #3
Lucas Tamagna-Darr | Director of Engineering - Detection Automation
Tenable Network Security
ltamagnadarr@tenable.com
See previous emails for issues #1, #2 related to using JSON schema from first.org. This email raises a 3rd issue.

The existing CVRF specification allows CVSS scores to be provided, without requiring that a CVSS vector also be provided. The CVSS schemas from first.org require the presence of the CVSS vector.

Question:
- How do we address the compatibility question that raises? How can existing CVRF documents migrate to CSAF, if vectors may not be present in the original CVRF?
Up until this point, the CSAF document format has been compatible with the existing CVRF format. However, with the switch to using JSON schemas from first.org, if a CVRF instance does not contain a CVSS vector, then it cannot be converted to the CSAF JSON form without being out of compliance.

Options that I've thought of:
- Define a "placeholder" vector that satisfies the RE, but is obviously a bogus vector, and use that.
- Build an exhaustive table of every possible score, and the vectors that produce it. When producing a JSON document, provide a vector from that table.
- Refuse to convert such documents.
Thoughts?

Eric.