Dear Feng,

thank you for your comment. CVE uses a direct connection between the version and its status. That does not align well with the CSAF approach of using the product_tree for all products mentioned in the advisory - so we would cut out that part. However, in that case the CVE "derived" approach has problems conveying complex ranges like:

    >=2.2.0 <2.3.0 excluding 2.2.1

Please also have a look at the discussion of the CVEv5 ranges in vers:
https://github.com/package-url/purl-spec/blob/version-range-spec/VERSION-RANGE-SPEC.rst#why-not-use-the-nvd-cve-v5-api-ranges

Best regards,
Thomas

--
Thomas Schmidt

From: csaf@lists.oasis-open.org <csaf@lists.oasis-open.org> On Behalf Of Feng Cao
Sent: Monday, March 7, 2022 8:29 PM
To: csaf@lists.oasis-open.org
Subject: [csaf] version range defined in CVE JSON 5.0

Dear members,

We had a short discussion about product version range and how CVE JSON covers it in our last meeting. I took a look into the latest CVE JSON 5.0 schema (https://github.com/CVEProject/cve-schema/blob/master/schema/v5.0/CVE_JSON_5.0_schema.json). Two simple cases for version range are covered as an optional way:

    "oneOf": [
      { "required": ["version", "status"], "maxProperties": 2 },
      { "required": ["version", "status", "versionType"],
        "oneOf": [ {"required": ["lessThan"]}, {"required": ["lessThanOrEqual"]} ] }
    ]

Ideally, it would be great if the version info defined in CSAF and CVE JSON 5.0 were the same. But the divergence will happen if "product_version_range" is used in CSAF. On a positive note, "product_status" in CSAF has more categories than "status" in CVE JSON 5.0, which allows CSAF to provide more value.

Thanks,
--Feng
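The two entry shapes Feng quotes from the CVE JSON 5.0 schema, and the range Thomas gives as a hard case, can be tried out with a small evaluator. The following is an added example for this thread, not code from the CVE Project, the CSAF TC or either author: it checks an entry against the quoted "oneOf" rule, then asks which status a given version gets from a single range entry. The dotted-integer comparison used for the versionType is an assumption made for the demonstration; real versionType values need their own comparators.

```python
"""Evaluate CVE JSON 5.0 'versions' entries against a concrete version.

Added example for this thread; not code from the CVE Project or the CSAF TC.
It implements only the two entry shapes quoted in the mailing-list message
(a single version, or a range given by version + versionType + lessThan /
lessThanOrEqual) and a simplified dotted-integer comparison for the
versionType; that comparison is an assumption for the demonstration.
"""
from typing import Optional

RANGE_KEYS = ("lessThan", "lessThanOrEqual")


def validate_entry(entry: dict) -> str:
    """Mirror the 'oneOf' rule from the quoted schema excerpt.

    Returns "single" for {version, status} with exactly two properties,
    "range" for {version, status, versionType} plus exactly one of
    lessThan / lessThanOrEqual, and raises ValueError otherwise.
    """
    if "version" not in entry or "status" not in entry:
        raise ValueError("version and status are required")
    bounds = [k for k in RANGE_KEYS if k in entry]
    if "versionType" not in entry:
        # first branch: maxProperties 2, so no bound keys may be present
        if len(entry) != 2:
            raise ValueError("single-version entry must hold only version and status")
        return "single"
    # second branch: exactly one of lessThan / lessThanOrEqual
    if len(bounds) != 1:
        raise ValueError("range entry needs exactly one of lessThan / lessThanOrEqual")
    return "range"


def is_valid(entry: dict) -> bool:
    """Boolean wrapper around validate_entry for quick checks."""
    try:
        validate_entry(entry)
        return True
    except ValueError:
        return False


def parse_version(v: str) -> tuple:
    """Constructed comparator: dotted integers, e.g. '2.2.1' -> (2, 2, 1)."""
    return tuple(int(p) for p in v.split("."))


def status_for(entry: dict, version: str) -> Optional[str]:
    """Return entry['status'] if `version` lies inside the entry, else None."""
    kind = validate_entry(entry)
    v = parse_version(version)
    start = parse_version(entry["version"])
    if kind == "single":
        return entry["status"] if v == start else None
    if v < start:
        return None
    if "lessThan" in entry:
        return entry["status"] if v < parse_version(entry["lessThan"]) else None
    return entry["status"] if v <= parse_version(entry["lessThanOrEqual"]) else None


# Constructed entry: the closest a single CVE 5.0 range entry gets to
# ">=2.2.0 <2.3.0 excluding 2.2.1"; there is no field for the exclusion.
AFFECTED_RANGE = {
    "version": "2.2.0",
    "status": "affected",
    "versionType": "custom",  # assumption: compared as dotted integers here
    "lessThan": "2.3.0",
}


def demo() -> dict:
    """Map sample versions to the status the single range entry yields."""
    samples = ("2.1.9", "2.2.0", "2.2.1", "2.2.9", "2.3.0")
    return {v: status_for(AFFECTED_RANGE, v) for v in samples}


if __name__ == "__main__":
    for version, status in demo().items():
        print(f"{version}: {status}")
```

In the dictionary `demo()` returns, 2.2.1 comes back as "affected" alongside 2.2.0 and 2.2.9, while 2.1.9 and 2.3.0 fall outside the entry: the single-entry shape has no way to carve out the excluded version, which is the gap Thomas's example points at and the linked vers discussion examines.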