OASIS Common Security Advisory Framework (CSAF) TC


Switching to use first.org JSON schemas for CVSS scoring - issue #4


    Posted 11-15-2019 21:56
    See previous emails #1-3 for issues related to using JSON schema from first.org. This email raises a fourth issue.

    I think I've uncovered an oversight in the CVRF specification. Product IDs are associated with a specific CVSS score. The CVRF specification does indicate that within the scope of a vulnerability, a product id may be associated with exactly one CVSSv3 score, and exactly one CVSSv2 score. Just FYI, this is not a constraint that XML Schema can enforce.

    Two issues here:

    1. If a conforming implementation of CSAF parses a document with multiple scores associated with a single product ID, what is the implementation supposed to do? Drop all score references, except the highest one? Emit a warning? Do nothing?

    2. What if a product ID is *not* associated with a score in the document? Is that a problem? What to do? Options include (a) warn, (b) assume the worst score available within a vulnerability, (c) reject the document? A sub-case here - what if *no* product IDs are identified (specification does not require this). If one and only one score is in the vulnerability, then can we assume that score?

    I think a simple solution to this problem is to assume that the first score in a vulnerability is the default score. Any additional scores require associated product IDs. In other words, the default scenario is one score for all products, with the ability to override for other products, if the score is different for those products for some reason.

    Eric.
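The following is an added example, not part of Eric's post or any CSAF TC artifact, showing how a consumer could implement the default-score rule proposed above and surface the two problem cases (more than one score of the same CVSS version for one product ID, and a product ID with no score at all). The document shape is an assumption made for the example: a vulnerability carries a `scores` list, each entry has a `version`, a `baseScore` and an optional `products` list of product IDs; the known product IDs are passed in separately.

```python
"""Resolve per-product CVSS scores under the rule 'first score without
product IDs is the default; any other score must name its products'.

Document shape is constructed for this example and is NOT the CSAF/CVRF
schema: vuln = {"scores": [{"version": "3.1", "baseScore": 9.8,
"products": ["P-1", ...]}, ...]}
"""
from collections import defaultdict


def resolve_scores(vuln, product_ids):
    """Return (per_product, findings).

    per_product maps product ID -> {cvss version -> base score}.
    findings is a list of human-readable rule violations.
    """
    findings = []
    per_product = defaultdict(dict)   # product ID -> version -> score
    defaults = {}                     # version -> default base score

    for idx, score in enumerate(vuln.get("scores", [])):
        version = score["version"]
        targets = score.get("products")

        if not targets:
            # A score with no product list is the default for that version;
            # a second default of the same version is ambiguous.
            if version in defaults:
                findings.append(
                    f"score #{idx}: second default CVSS {version} score; "
                    f"it needs associated product IDs")
                continue
            defaults[version] = score["baseScore"]
            continue

        for pid in targets:
            if pid not in product_ids:
                findings.append(f"score #{idx}: unknown product ID {pid}")
                continue
            # Problem case 1: one product, several scores of one version.
            if version in per_product[pid]:
                findings.append(
                    f"product {pid}: multiple CVSS {version} scores")
                continue
            per_product[pid][version] = score["baseScore"]

    # Fill in defaults for every product that has no explicit score of
    # that version, then flag products that still have no score at all
    # (problem case 2).
    for pid in product_ids:
        for version, base in defaults.items():
            per_product[pid].setdefault(version, base)
        if not per_product[pid]:
            findings.append(f"product {pid}: no CVSS score in vulnerability")

    return {pid: dict(v) for pid, v in per_product.items()}, findings


# Constructed sample: one default v3 score, an override for P-2, and a
# v2 score only for P-1.
SAMPLE_VULN = {
    "scores": [
        {"version": "3.1", "baseScore": 9.8},
        {"version": "3.1", "baseScore": 7.5, "products": ["P-2"]},
        {"version": "2.0", "baseScore": 10.0, "products": ["P-1"]},
    ]
}
SAMPLE_PRODUCTS = ["P-1", "P-2", "P-3"]

# Constructed sample that breaks both rules.
CONFLICT_VULN = {
    "scores": [
        {"version": "3.1", "baseScore": 9.8, "products": ["P-1"]},
        {"version": "3.1", "baseScore": 5.3, "products": ["P-1"]},
    ]
}
CONFLICT_PRODUCTS = ["P-1", "P-2"]


if __name__ == "__main__":
    for vuln, products in ((SAMPLE_VULN, SAMPLE_PRODUCTS),
                           (CONFLICT_VULN, CONFLICT_PRODUCTS)):
        resolved, problems = resolve_scores(vuln, products)
        print(resolved)
        for p in problems:
            print("  !", p)
```

With the first sample every product ends up with exactly one v3 score (the default unless overridden) and no findings; the second sample reports a duplicate v3 score for P-1 and no score for P-2. Whether a conforming consumer should warn or reject on those findings is exactly the question the post leaves open.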