OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

csaf message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: adding a new value for "category" in "remediation"

Dear TC members,

I'd like to discuss about adding a new value for "category" in
"remediation".

Problem:

The third party CVEs will be announced in advisories. Some of them are
re-scored with CVSSv3.1 = 0.0. "known_not_affected" is used in
"product_status". In "remediation", "category" doesn't have a matching
value for "known_not_affected"

(the question on why to announce them with CVSSv3.1=0.0 is to provide
the info to the customers, as their scanners might catch the third party
components, and then they will ask the support).

Solution:

Add a new value, such as "patch_for_not_affected".

Thanks,

Feng Cao, PHD, CISSP, PMP
Oracle Security Alerts

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]