OASIS Common Security Advisory Framework (CSAF) TC


CVSS representation in current CSAF JSON schema


    Posted 05-16-2019 03:35
Hi folks,

The latest version of the CSAF 2.0 schema draft is at:
https://github.com/oasis-tcs/csaf/blob/master/sandbox/csaf_2.0/json_schema/csaf_json_schema.json

Chandan just provided a very relevant observation in GitHub via issue:
https://github.com/oasis-tcs/csaf/issues/9

------
CVSS SIG has a recommended JSON schema for storing and exchanging CVSS scores:
https://www.first.org/cvss/data-representations

There are a few issues with CVSS in the current csaf_json_schema.json:

- CVSS scores are strings instead of a number, which means consumers may have to convert a string to a number for proper processing. JSON allows numbers, so it doesn't make sense to store a number as a string.
- If the CVSS version number is part of the field name (e.g., base_score_v3), then when there is a CVSS 3.1 or 4.0 you may have to change the schema (and CSAF version). The FIRST CVSS JSON schema encodes it in a version field. This allows better abstractions and backwards/forwards compatibility.
- No validation of the vector string format. The FIRST CVSS JSON schema does have validation built in.

Suggested fix: make cvss_score_sets an array of objects that $ref the FIRST CVSS JSON schema.
------

For completeness, the following is the example provided at the FIRST website (https://www.first.org/cvss/data-representations):

Minimal CVSS v3.0 information:

    {
        "version": "3.0",
        "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
        "baseScore": 7.8,
        "baseSeverity": "HIGH"
    }

CVSS information including optional base metrics:

    {
        "version": "3.0",
        "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
        "attackVector": "LOCAL",
        "attackComplexity": "LOW",
        "privilegesRequired": "NONE",
        "userInteraction": "REQUIRED",
        "scope": "UNCHANGED",
        "confidentialityImpact": "HIGH",
        "integrityImpact": "HIGH",
        "availabilityImpact": "HIGH",
        "baseScore": 7.8,
        "baseSeverity": "HIGH"
    }

Another observation I have is that the previous example also gives us flexibility to change the CVSS version and not be stuck with score_set_v3, base_score_v3, temporal_score_v3, environmental_score_v3, etc., as we currently have in the schema (https://github.com/oasis-tcs/csaf/blob/master/sandbox/csaf_2.0/json_schema/csaf_json_schema.json#L420).

Any thoughts or comments?

Regards,
Omar Santos
Cisco PSIRT
Email: os@cisco.com
PGP Key: 8E19A9D13AF27EDC

Attachment: signature.asc (Message signed with OpenPGP)
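The three points raised in the post (scores as JSON numbers rather than strings, the CVSS version carried in a field rather than in field names, and validation of the vector string) can be exercised with a small consumer-side check. The following is an added example written for this page, not code from the CSAF TC, the FIRST CVSS SIG, or the poster. The vector-string regular expression is a simplified stand-in written here, not the pattern from FIRST's own schema, and the PROPOSED_FRAGMENT dict only illustrates the "$ref to the FIRST schema" suggestion; the URL in it is assumed. The sample score sets are constructed from the example given in the post.

```python
import re

# Simplified stand-in for the vectorString pattern in FIRST's CVSS v3.0 JSON
# schema (an assumption written for this example, not copied from FIRST).
VECTOR_V3_RE = re.compile(
    r"^CVSS:3\.0(/(AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]"
    r"|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]"
    r"|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH]))+$"
)

# Every v3.0 vector must carry all eight base metrics.
BASE_METRICS = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")

# Illustration of the suggested fix: cvss_score_sets becomes an array whose
# items $ref the FIRST schema instead of spelling the version into field names.
# The $ref URL is an assumption for this example.
PROPOSED_FRAGMENT = {
    "cvss_score_sets": {
        "type": "array",
        "items": {"$ref": "https://www.first.org/cvss/cvss-v3.0.json"},
    }
}


def severity_for(score):
    """CVSS v3.0 qualitative severity rating scale (score -> rating)."""
    if score == 0.0:
        return "NONE"
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    if score < 9.0:
        return "HIGH"
    return "CRITICAL"


def validate_cvss_v3(obj):
    """Return a list of problems found in one score-set object (empty == valid)."""
    errors = []
    # Version lives in a field, so a consumer can branch on it without a schema change.
    if obj.get("version") != "3.0":
        errors.append("version must be the string '3.0'")
    # The vector string gets format validation, not just 'type: string'.
    vs = obj.get("vectorString")
    if not isinstance(vs, str) or not VECTOR_V3_RE.match(vs):
        errors.append("vectorString does not match the CVSS v3.0 vector format")
    else:
        present = {part.split(":")[0] for part in vs.split("/")[1:]}
        missing = [m for m in BASE_METRICS if m not in present]
        if missing:
            errors.append("vectorString lacks base metrics: " + ",".join(missing))
    # The score must be a JSON number; a string like "7.8" is rejected outright.
    score = obj.get("baseScore")
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        errors.append("baseScore must be a JSON number, not %s" % type(score).__name__)
    elif not 0.0 <= score <= 10.0:
        errors.append("baseScore out of range 0.0-10.0")
    else:
        sev = obj.get("baseSeverity")
        if sev != severity_for(float(score)):
            errors.append("baseSeverity %r does not match baseScore %s" % (sev, score))
    return errors


def validate_score_sets(score_sets):
    """Validate a cvss_score_sets-style array; returns {index: [errors]} for bad items."""
    report = {}
    for i, entry in enumerate(score_sets):
        errs = validate_cvss_v3(entry)
        if errs:
            report[i] = errs
    return report


# Constructed sample data, based on the minimal example quoted in the post.
GOOD = {
    "version": "3.0",
    "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
    "baseScore": 7.8,
    "baseSeverity": "HIGH",
}
STRING_SCORE = dict(GOOD, baseScore="7.8")          # score stored as a string
BAD_VECTOR = dict(GOOD, vectorString="CVSS:3.0/AV:L")  # base metrics missing
WRONG_SEVERITY = dict(GOOD, baseSeverity="LOW")      # rating disagrees with score

if __name__ == "__main__":
    for idx, errs in validate_score_sets([GOOD, STRING_SCORE, BAD_VECTOR, WRONG_SEVERITY]).items():
        print("score set %d: %s" % (idx, "; ".join(errs)))
```

Run as a script, it reports problems for entries 1, 2 and 3 and nothing for entry 0. Rejecting the string-typed score outright, rather than silently converting it, is the behaviour the post argues a numeric schema type buys: the producer fixes the document once instead of every consumer carrying a conversion.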