On Tue, Apr 4, 2017 at 1:19 PM, Booth, Harold (Fed) <
harold.booth@nist.gov > wrote: Before voting can we have an opportunity to discuss? I am not sure everyone is aware of the consequences of the various options. (If following the rules of Robert's Rules of order, discussion isn't supposed to happen unless there's an open motion. In practice, I haven't seen that much in OASIS-TCs.) The proposal as written, if accepted, would require anyone who wish to provide data for vulnerabilities without CVSS v3.0 scores in the CVRF 1.1 format only and they would not be able to use the CVRF 1.2 format if they wish to share CVSS v2.0 scores. For data providers which have data on both new and old vulnerabilities it would require them (and their consumers) to use both CVRF 1.1 and 1.2. I see the restriction that one must always provide a CVSS v3.0 score when providing a score an unnecessary restriction on the format and limits the use cases for which this format could be used. I don't have a position on the compatibility question, as I don't think I or my company have a need to support 1.1 format. If 1.2 is incompatible with 1.1 (as it appears it is), then any clients that need to support 1.1 documents will have to support both 1.1 & 1.2 formats. Either that, or we have to figure out a compatibility mode for 1.1 documents. For compatibility, pne option is to add a "Legacy" indication of some kind to the XML model. With that model the legacy element would you allow either only a CVSSv2 score, or no score whatsoever. Instead of CVSSScoreSets as currently spec'd, it could be "CVSSScoreSets" or "LegacyCVSSScoreSets", which has a content model that only allows zero or one CVSSv2 scores.... The content model for Vulnerability would change to allow just one of CVSSScoreSets or LegacyCVSSScoreSets. Again, I have no position on this. Seems like the choice comes down to supporting seamless migration of 1.1 format to 1.2 format or not. Eric. Regards, -Harold -----Original Message----- From:
csaf@lists.oasis-open.org [mailto:
csaf@lists.oasis-open. org ] On Behalf Of Vincent Danen Sent: Tuesday, April 04, 2017 4:10 PM To: Mr. Stefan Hagen <
stefan@hagen.link> Cc:
csaf@lists.oasis-open.org Subject: Re: [csaf] CVSS v2/v3 use in CVRF 1.2 On 04/04/2017, at 13:31 PM, Mr. Stefan Hagen wrote: > Dear Members, to enable a clearly documented decision on this crucial > question if we enforce CVSSv3 scoring with CSAF CVRF v1.2, > > I move, that the chair of the TC shall request a ballot for a full > majority vote from administration with the ballot question: "Every > vuln:CVSSScoreSets element if present MUST contain zero or more > CVSSScoreSetV2 and one or more CVSSScoreSetV3 elements" offering the > answers "yes", "no", and "abstain". How do we vote on this or are we waiting for the next meeting? I think the above is reasonable and would vote for it. > Please find below details on past and current (not yet decided) > cardinalities ... > > > On 04/04/17 21:01, Art Manion wrote: >> I'm going to try to summarize the discussion about the use of CVSS >> v2/v3, with the goal of creating a motion or voting position if >> needed. >> >> <
https://issues.oasis-open.org /browse/CSAF-21?focusedComment Id=65728& >> page=com.atlassian.jira.plugin .system.issuetabpanels:comment -tabpanel >> #comment-65728> >> >> I read the above comment, but am still confused (it's me, not you >> Stefan), so I'm going to start with what I think should happen: >> >> A CVRF document contains 1 or more vulnerabilities A vulnerability >> contains 0 or 1 CVSSv2 scores A vulnerability contains 0 or 1 CVSSv3 >> scores >> >> CVSSv2 or v3 scores must follow CVSS rules and contain a complete set >> of Base vectors and score. Temporal, environmental (or modified >> base) are optional. > > Inside vuln.xsd v1.1 and in the contributed initial v1.2 draft from > Feng the following cardinalities apply: > > ScoreSet [1, infty] (v1.1), ScoreSetV2 [0, infty] and ScoreSetV3 [?, > infty] (both v1.2) MUST contain exactly one BaseScore (v1.1), > BaseScoreV2 and BaseScoreV3 respectively (both v1.2) > > AND > > ScoreSet (v1.1), ScoreSetV2 and ScoreSetV3 (both v1.2) contain [0, 1] > TemporalScore (v1.1), TemporalScoreV2 and TemporalScoreV3 respectively > (both v1.2) > > AND > > ScoreSet (v1.1), ScoreSetV2 and ScoreSetV3 (both v1.2) contain [0, 1] > EnvironmentalScore (v1.1), EnvironmentalScoreV2 and > EnvironmentalScoreV3 respectively (both v1.2) > > AND > > ScoreSet (v1.1), ScoreSetV2 and ScoreSetV3 (both v1.2) contain [0, 1] > Vector (v1.1), VectorV2 and VectorV3 respectively (both v1.2) > > AND > > ScoreSet (v1.1), ScoreSetV2 and ScoreSetV3 (both v1.2) contain [0, > infty] vuln:ProductID (in any version I guess) > > So the Vectors are optional in every variant! > > >> I believe Feng's position is that if a vulnerability has a CVSS >> score, it must be CVSSv3 (or must have CVSSv3 and can optionally also >> include CVSSv2?). If a CVRF producer wants to use CVSSv2, they >> should use CVRF 1.1. >> > > This is what I noted in the comment as my understanding, but have no > other feedback received, and think this was made clear by Feng. > > > /Stefan -- Vincent Danen / Red Hat Product Security ------------------------------ ------------------------------ --------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/app s/org/workgroup/portal/my_work groups.php ------------------------------ ------------------------------ --------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/app s/org/workgroup/portal/my_work groups.php