OASIS Mailing List Archives

csaf message



Subject: RE: [csaf] version range defined in CVE JSON 5.0


Dear Feng,

thank you for your comment.

CVE uses a direct connection between the version and its status. That does not align well with the CSAF approach of using the product_tree for all products mentioned in the advisory - so we would cut out that part.

However, in that case the CVE "derived" approach has problems conveying complex ranges like: >=2.2.0 <2.3.0 excluding 2.2.1

Please also have a look at the discussion of the CVEv5 ranges in vers: https://github.com/package-url/purl-spec/blob/version-range-spec/VERSION-RANGE-SPEC.rst#why-not-use-the-nvd-cve-v5-api-ranges

Best regards,
Thomas

-- 
Thomas Schmidt

From: csaf@lists.oasis-open.org <csaf@lists.oasis-open.org> On Behalf Of Feng Cao
Sent: Monday, March 7, 2022 8:29 PM
To: csaf@lists.oasis-open.org
Subject: [csaf] version range defined in CVE JSON 5.0

Dear members,
We had a short discussion about product version range and how CVE JSON covers it in our last meeting. 
I took a look into the latest CVE JSON 5.0 schema (https://github.com/CVEProject/cve-schema/blob/master/schema/v5.0/CVE_JSON_5.0_schema.json). Two simple cases for version range are covered as an optional way:
    "oneOf": [
        {
            "required": ["version", "status"],
            "maxProperties": 2
        },
        {
            "required": ["version", "status", "versionType"],
            "oneOf": [
                {"required": ["lessThan"]},
                {"required": ["lessThanOrEqual"]}
            ]
        }
    ]
Ideally, it would be great if the version info defined in CSAF and CVE JSON 5.0 were the same. But divergence will happen if "product_version_range" is used in CSAF.
On a positive note, "product_status" in CSAF has more categories than "status" in CVE JSON 5.0, which allows CSAF to provide more value.
Thanks,
--Feng
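The following is an added worked example, not part of this thread and not code from the CVE or CSAF projects. It encodes the complex range Thomas mentions (>=2.2.0 <2.3.0 excluding 2.2.1) as CVE JSON 5.0-style version entries under the oneOf constraint Feng quoted, resolves the status of a constructed list of product versions, and groups the product IDs into CSAF product_status buckets. Assumptions of the example: versions are plain dotted integers; when several entries match a version, the first match wins (this is the example's own rule, not a CVE rule); the mapping from CVE status values onto CSAF categories is the example's own choice, although the category names are those of CSAF 2.0; the product IDs and versions are constructed.

```python
"""Added example (not from the CSAF list thread, nor CVE/CSAF project code).

Encodes '>=2.2.0 <2.3.0 excluding 2.2.1' as CVE JSON 5.0-style version entries,
resolves per-version status, and groups products into CSAF-like product_status.
Assumptions: dotted-integer versions; first matching entry wins; the
CVE -> CSAF status mapping below is this example's choice.
"""
import re


def parse_version(s):
    """'2.2.1' -> (2, 2, 1). Only dotted integers are accepted (assumption)."""
    if not re.fullmatch(r"\d+(\.\d+)*", s):
        raise ValueError(f"unsupported version syntax: {s!r}")
    return tuple(int(p) for p in s.split("."))


def entry_kind(entry):
    """Apply the oneOf constraint quoted from the CVE JSON 5.0 schema fragment.

    Returns 'single' (exactly version + status) or 'range' (version + status +
    versionType plus exactly one of lessThan / lessThanOrEqual); raises if
    neither branch holds (both cannot hold, since 'single' forbids versionType).
    """
    keys = set(entry)
    single = keys == {"version", "status"}
    bounds = keys & {"lessThan", "lessThanOrEqual"}
    ranged = {"version", "status", "versionType"} <= keys and len(bounds) == 1
    if not (single or ranged):
        raise ValueError(f"entry violates oneOf: {sorted(keys)}")
    return "single" if single else "range"


def is_valid_entry(entry):
    """Boolean wrapper around entry_kind for callers that do not want exceptions."""
    try:
        entry_kind(entry)
        return True
    except ValueError:
        return False


def entry_matches(entry, v):
    """True if parsed version tuple v falls inside the entry's version or range."""
    lo = parse_version(entry["version"])
    if entry_kind(entry) == "single":
        return v == lo
    if "lessThan" in entry:
        return lo <= v < parse_version(entry["lessThan"])
    return lo <= v <= parse_version(entry["lessThanOrEqual"])


def cve_status(version, entries, default_status="unknown"):
    """Status of one version; the first matching entry wins (example's own rule)."""
    v = parse_version(version)
    for entry in entries:
        if entry_matches(entry, v):
            return entry["status"]
    return default_status


# With only lessThan / lessThanOrEqual bounds, carving 2.2.1 out of
# [2.2.0, 2.3.0) takes three entries rather than one range expression.
COMPLEX_RANGE = [
    {"version": "2.2.0", "lessThan": "2.2.1", "status": "affected", "versionType": "semver"},
    {"version": "2.2.1", "status": "unaffected"},
    {"version": "2.2.2", "lessThan": "2.3.0", "status": "affected", "versionType": "semver"},
]

# Constructed stand-in for a CSAF product_tree: product_id -> product version.
PRODUCTS = {
    "CSAFPID-0001": "2.1.9",
    "CSAFPID-0002": "2.2.0",
    "CSAFPID-0003": "2.2.1",
    "CSAFPID-0004": "2.2.5",
    "CSAFPID-0005": "2.3.0",
}

# CSAF 2.0 product_status category names; the mapping itself is an assumption.
STATUS_TO_CSAF = {
    "affected": "known_affected",
    "unaffected": "known_not_affected",
    "unknown": "under_investigation",
}


def csaf_product_status(products, entries):
    """Resolve each product's version against the entries and bucket the
    product IDs by CSAF product_status category (insertion order kept)."""
    buckets = {}
    for product_id, version in products.items():
        category = STATUS_TO_CSAF[cve_status(version, entries)]
        buckets.setdefault(category, []).append(product_id)
    return buckets


if __name__ == "__main__":
    for v in ("2.1.9", "2.2.0", "2.2.1", "2.2.5", "2.3.0"):
        print(v, cve_status(v, COMPLEX_RANGE))
    print(csaf_product_status(PRODUCTS, COMPLEX_RANGE))
```

The point the example makes concrete: with the two schema branches quoted above, the exclusion of a single patch release forces the author to split one logical range into three entries, and any consumer must evaluate all of them consistently, whereas on the CSAF side the same information ends up as explicit per-product membership in product_status categories.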

