Subject: RE: [csaf] version range defined in CVE JSON 5.0
Dear Feng,

thank you for your comment. CVE uses a direct connection between the version and its status. That does not align well with the CSAF approach of using the product_tree for all products mentioned in the advisory - so we would cut out that part. However, in that case, the CVE "derived" approach has problems conveying complex ranges like:

    >=2.2.0 <2.3.0 excluding 2.2.1

Please also have a look at the discussion of the CVEv5 ranges in vers: https://github.com/package-url/purl-spec/blob/version-range-spec/VERSION-RANGE-SPEC.rst#why-not-use-the-nvd-cve-v5-api-ranges

Best regards,
Thomas

--
Thomas Schmidt

From: csaf@lists.oasis-open.org <csaf@lists.oasis-open.org> On Behalf Of Feng Cao
Sent: Monday, March 7, 2022 8:29 PM
To: csaf@lists.oasis-open.org
Subject: [csaf] version range defined in CVE JSON 5.0

Dear members,

We had a short discussion about product version range and how CVE JSON covers it in our last meeting. I took a look into the latest CVE JSON 5.0 schema (https://github.com/CVEProject/cve-schema/blob/master/schema/v5.0/CVE_JSON_5.0_schema.json). Two simple cases for version range are covered as an optional way:

    "oneOf": [
        {
            "required": ["version", "status"],
            "maxProperties": 2
        },
        {
            "required": ["version", "status", "versionType"],
            "oneOf": [
                {"required": ["lessThan"]},
                {"required": ["lessThanOrEqual"]}
            ]
        }
    ]

Ideally, it would be great if the version info defined in CSAF and CVE JSON 5.0 were the same. But the diversion will happen if "product_version_range" is used in CSAF.

On a positive note, "product_status" in CSAF has more categories than "status" in CVE JSON 5.0, which allows CSAF to provide more value.

Thanks,
--Feng
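As an added illustration of the two messages above (example code, not from the thread, the CSAF TC or the CVE project), the following Python evaluator applies only the CVE JSON 5.0 fields that appear in Feng's schema excerpt (version, status, versionType, lessThan, lessThanOrEqual) and encodes Thomas's complex range ">=2.2.0 <2.3.0 excluding 2.2.1" with those fields alone. Assumptions are labelled in the code: versions are compared as dotted integer tuples rather than full semver, the first matching entry decides the status, and the "unknown" fallback stands in for a product-level default status. The constructed entries show the practical weakness Thomas points at: because every entry carries an inclusive lower bound, the range after the excluded 2.2.1 has to start at the next version the author happens to know (2.2.2), so a later hotfix such as 2.2.1.1 silently falls into the gap.

```python
"""Evaluate CVE JSON 5.0-style version entries against a concrete version.

Added example; not code from the CSAF or CVE projects. Version comparison is
a simplified dotted-integer compare (assumption), not full semver.
"""


def parse_version(v: str) -> tuple:
    """Split a dotted version string into a tuple of ints for ordering.

    Simplification (assumption): no pre-release or build metadata handling.
    """
    return tuple(int(part) for part in v.split("."))


def entry_matches(entry: dict, candidate: str) -> bool:
    """Return True if 'candidate' lies inside one CVE 5.0 version entry.

    Without versionType the entry names exactly one version. With it,
    'version' is the inclusive lower bound and exactly one of lessThan /
    lessThanOrEqual supplies the upper bound, as in the schema excerpt.
    """
    cand = parse_version(candidate)
    start = parse_version(entry["version"])
    if "versionType" not in entry:
        return cand == start
    if "lessThan" in entry:
        return start <= cand < parse_version(entry["lessThan"])
    if "lessThanOrEqual" in entry:
        return start <= cand <= parse_version(entry["lessThanOrEqual"])
    raise ValueError("range entry needs lessThan or lessThanOrEqual")


def status_for(entries: list, candidate: str, default: str = "unknown") -> str:
    """Status of 'candidate' given a list of entries; first match wins.

    'default' plays the role of a product-level default status (assumption).
    """
    for entry in entries:
        if entry_matches(entry, candidate):
            return entry["status"]
    return default


# Constructed sample: ">=2.2.0 <2.3.0 excluding 2.2.1" expressed with only the
# fields from the schema fragment. The hole left by the exclusion can only be
# closed by guessing the *next known* version (2.2.2) as the second lower bound.
COMPLEX_RANGE = [
    {"version": "2.2.0", "lessThan": "2.2.1", "status": "affected", "versionType": "semver"},
    {"version": "2.2.2", "lessThan": "2.3.0", "status": "affected", "versionType": "semver"},
]


def demo() -> dict:
    """Evaluate a few constructed versions, including a hotfix in the gap."""
    checks = ["2.2.0", "2.2.1", "2.2.5", "2.3.0", "2.2.1.1"]
    return {v: status_for(COMPLEX_RANGE, v) for v in checks}


if __name__ == "__main__":
    for version, status in demo().items():
        print(f"{version:>8}: {status}")
```

Running the block reports 2.2.0 and 2.2.5 as affected and 2.2.1 and 2.3.0 as unknown (the intended result), but also reports the constructed 2.2.1.1 as unknown even though the prose range says it is affected; a notation with explicit exclusions, or a product_tree that lists each shipped version, avoids having to guess the next version.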