Hi folks,

The latest version of the CSAF 2.0 schema draft is at:
https://github.com/oasis-tcs/csaf/blob/master/sandbox/csaf_2.0/json_schema/csaf_json_schema.json

Chandan just provided a very relevant observation in GitHub via issue:
https://github.com/oasis-tcs/csaf/issues/9

------

CVSS SIG has a recommended JSON schema for storing and exchanging CVSS scores:
https://www.first.org/cvss/data-representations

There are a few issues with CVSS in the current csaf_json_schema.json:

- CVSS scores are strings instead of a number, which means consumers may have to convert a string to a number for proper processing. JSON allows numbers, so it doesn't make sense to store a number as a string.

- If the CVSS version number is part of the field name (e.g., base_score_v3), when there is a CVSS 3.1 or 4.0 you may have to change the schema (and CSAF version). The FIRST CVSS JSON schema encodes it in a version field. This allows better abstractions, and backwards/forwards compatibility.

- No validation of the vector string format. The FIRST CVSS JSON schema does have validation built in.

Suggested fix: make cvss_score_sets an array of objects that $ref to the FIRST CVSS JSON schema.

------

For completeness, the following is the example provided at the FIRST website
(https://www.first.org/cvss/data-representations):

Minimal CVSS v3.0 information:

    {
      "version": "3.0",
      "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "baseScore": 7.8,
      "baseSeverity": "HIGH"
    }

CVSS information including optional base metrics:

    {
      "version": "3.0",
      "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "attackVector": "LOCAL",
      "attackComplexity": "LOW",
      "privilegesRequired": "NONE",
      "userInteraction": "REQUIRED",
      "scope": "UNCHANGED",
      "confidentialityImpact": "HIGH",
      "integrityImpact": "HIGH",
      "availabilityImpact": "HIGH",
      "baseScore": 7.8,
      "baseSeverity": "HIGH"
    }

Another observation I have is that the previous example also gives us flexibility to change the CVSS version and not be stuck with score_set_v3, base_score_v3, temporal_score_v3, environmental_score_v3, etc., as we currently have in the schema
(https://github.com/oasis-tcs/csaf/blob/master/sandbox/csaf_2.0/json_schema/csaf_json_schema.json#L420).

Any thoughts or comments?

Regards,
Omar Santos
Cisco PSIRT
Email: os@cisco.com
PGP Key: 8E19A9D13AF27EDC
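The three points raised in the issue (numeric scores, a version field rather than a versioned field name, and syntax checks on the vector string) can be exercised on a consumer's side with a small validator. The following Python is an added example; it is not code from the email, the CSAF draft, or the FIRST schema. It takes an object in the FIRST v3.x data-representation shape, rejects a score stored as a string, requires the "version" field to match the prefix of the vector string, checks the vector syntax, and recomputes the base score from the vector using the published CVSS v3.x base equations so a claimed "baseScore" that disagrees with its own vector is flagged. The regular expression, the function names, and the sample objects are assumptions of this example; the metric weights and the Roundup function are those of the CVSS v3.1 specification (for the example vector, which is v3.0, both versions' rounding give the same 7.8).

```python
import math
import re

# Constructed sample: the "minimal CVSS v3.0 information" object from the FIRST page.
EXAMPLE = {
    "version": "3.0",
    "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
    "baseScore": 7.8,
    "baseSeverity": "HIGH",
}

# Assumed syntax check for a v3.0 / v3.1 base vector with the metrics in canonical order.
VECTOR_RE = re.compile(
    r"^CVSS:(3\.[01])/AV:[NALP]/AC:[LH]/PR:[NLH]/UI:[NR]/S:[UC]/C:[NLH]/I:[NLH]/A:[NLH]$"
)

# Metric weights from the CVSS v3.x specification (base metrics only).
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
PR_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}
PR_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.5}
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}


def roundup(value):
    """CVSS v3.1 Roundup: the smallest number to one decimal place >= value."""
    scaled = round(value * 100000)
    if scaled % 10000 == 0:
        return scaled / 100000.0
    return (math.floor(scaled / 10000) + 1) / 10.0


def parse_vector(vector):
    """Return (version, {metric: value}) or raise ValueError on malformed input."""
    match = VECTOR_RE.match(vector)
    if not match:
        raise ValueError("malformed CVSS v3 vector string: %r" % (vector,))
    metrics = dict(part.split(":") for part in vector.split("/")[1:])
    return match.group(1), metrics


def base_score(vector):
    """Recompute the CVSS v3.x base score from a vector string."""
    _, m = parse_vector(vector)
    iss = 1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]])
    changed = m["S"] == "C"
    if changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
        pr = PR_CHANGED[m["PR"]]
    else:
        impact = 6.42 * iss
        pr = PR_UNCHANGED[m["PR"]]
    exploitability = 8.22 * AV[m["AV"]] * AC[m["AC"]] * pr * UI[m["UI"]]
    if impact <= 0:
        return 0.0
    if changed:
        return roundup(min(1.08 * (impact + exploitability), 10))
    return roundup(min(impact + exploitability, 10))


def severity(score):
    """Qualitative severity rating for a v3.x score."""
    if score == 0:
        return "NONE"
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    if score < 9.0:
        return "HIGH"
    return "CRITICAL"


def validate_cvss(obj):
    """Return a list of problems with a FIRST-shaped CVSS object; [] means acceptable."""
    problems = []
    vector = obj.get("vectorString")
    if not isinstance(vector, str):
        return ["vectorString missing or not a string"]
    try:
        vector_version, _ = parse_vector(vector)
    except ValueError as err:
        return [str(err)]
    if obj.get("version") != vector_version:
        problems.append("version %r does not match vector prefix %r"
                        % (obj.get("version"), vector_version))
    score = obj.get("baseScore")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        problems.append("baseScore must be a JSON number, got %r" % (score,))
    else:
        expected = base_score(vector)
        if abs(score - expected) > 1e-9:
            problems.append("baseScore %r does not match recomputed %r" % (score, expected))
        if obj.get("baseSeverity") != severity(expected):
            problems.append("baseSeverity %r does not match score %r"
                            % (obj.get("baseSeverity"), expected))
    return problems


if __name__ == "__main__":
    print(base_score(EXAMPLE["vectorString"]), validate_cvss(EXAMPLE))
    print(validate_cvss(dict(EXAMPLE, baseScore="7.8")))
```

A consumer that receives the score as a JSON number can compare it directly against the recomputed value; a string score, as in the current CSAF draft, is reported rather than silently coerced. Keeping the version in its own field also lets the validator tie the field to the vector prefix instead of to a versioned property name such as base_score_v3.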