csaf message


Subject: version range defined in CVE JSON 5.0


Dear members,

We had a short discussion about product version range and how CVE JSON covers it in our last meeting.

I took a look into the latest CVE JSON 5.0 schema (https://github.com/CVEProject/cve-schema/blob/master/schema/v5.0/CVE_JSON_5.0_schema.json). Two simple cases for version range are covered as an optional way:

    "oneOf": [
        {
            "required": ["version", "status"],
            "maxProperties": 2
        },
        {
            "required": ["version", "status", "versionType"],
            "oneOf": [
                {"required": ["lessThan"]},
                {"required": ["lessThanOrEqual"]}
            ]
        }
    ]

Ideally, it would be great if the version info defined in CSAF and CVE JSON 5.0 were the same. But a divergence will happen if "product_version_range" is used in CSAF.

On a positive note, "product_status" in CSAF has more categories than "status" in CVE JSON 5.0, which allows CSAF to provide more value.

Thanks,

--Feng
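
Added example, not part of the original message or of the CVE or CSAF projects: a Python sketch of how the quoted "oneOf" fragment separates a single version from a version range, and how a consumer could test a version against such an entry. It implements only the quoted fragment. The sample entries are constructed, and the dotted-numeric comparison and the names classify_version_entry, covers and _parse are assumptions for illustration, since real ordering depends on "versionType".

```python
# Added example. Entries are constructed, not taken from any CVE record.
SAMPLES = [
    {"version": "2.4.1", "status": "affected"},
    {"version": "1.0.0", "status": "affected", "versionType": "semver",
     "lessThan": "1.2.10"},
    # Invalid: versionType present but no upper bound.
    {"version": "1.0.0", "status": "affected", "versionType": "semver"},
    # Invalid: both bounds present, so the inner oneOf fails.
    {"version": "1.0.0", "status": "affected", "versionType": "semver",
     "lessThan": "2.0.0", "lessThanOrEqual": "2.0.0"},
]


def classify_version_entry(entry):
    """Return 'single', 'range', or None if neither oneOf branch matches."""
    keys = set(entry)
    # Branch 1: version + status and nothing else (maxProperties: 2).
    single = {"version", "status"} <= keys and len(keys) <= 2
    # Branch 2: version + status + versionType plus exactly one bound.
    bounds = [k for k in ("lessThan", "lessThanOrEqual") if k in keys]
    ranged = ({"version", "status", "versionType"} <= keys
              and len(bounds) == 1)
    if single == ranged:  # oneOf needs exactly one matching branch
        return None
    return "single" if single else "range"


def _parse(version):
    # Assumption: plain dotted-numeric versions; trailing zeros are
    # dropped so that "1.0" and "1.0.0" compare equal.
    parts = [int(p) for p in version.split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def covers(entry, candidate):
    """True if candidate is the listed version or falls inside the range."""
    kind = classify_version_entry(entry)
    if kind is None:
        raise ValueError("entry does not satisfy the quoted oneOf rule")
    cand, low = _parse(candidate), _parse(entry["version"])
    if kind == "single":
        return cand == low
    if "lessThan" in entry:  # exclusive upper bound
        return low <= cand < _parse(entry["lessThan"])
    return low <= cand <= _parse(entry["lessThanOrEqual"])  # inclusive
```
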