OASIS Common Security Advisory Framework (CSAF) TC

  • 1.  CSAF JSON Schema - what to do about product statuses?

    Posted 05-02-2018 23:59
    In XML, a snippet of the document looks like this:

        <ProductStatuses>
          <Status Type="Known Affected">
            <ProductID>CVRFPID-103559</ProductID>
            <ProductID>CVRFPID-103763</ProductID>
    ...

    The status can be one of several fixed choices "Fixed", "Known Affected", 

    A straightforward translation to JSON turns this into:

    "product_statuses": [
      {
        "status_type": "known affected",
        "product_ids": [" CVRFPID-103559", " CVRFPID-103763",
    ...

    I think a slightly more elegant form for the world of JSON looks more like this:

    "product_status" : {
      "fixed": [],
      "first_affected": [],
      "known_affected": [],
      "known_not_affected": [],
      "first_fixed": [],
      "recommended": [],
      "last_affected": []
    }

    The concrete example from above becomes:

    "product_status": {
      "known_affected": [ " CVRFPID-103559", " CVRFPID-103763", ...
    },

    Thoughts, comments?

    Eric.
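
    The conversion discussed in this post, as an added example (not code from the thread or from the CSAF TC): it parses the XML ProductStatuses snippet, emits both the "straightforward" list form and the proposed keyed "product_status" form, and validates the keyed form against the seven status keys Eric lists. The sample input is constructed from the snippet in the post with a second status added; the status-type spellings for "First Affected", "Known Not Affected", "First Fixed", "Recommended" and "Last Affected" are assumed from the JSON keys in the proposal, and the namespace handling and the known_affected/known_not_affected consistency check are assumptions of this example rather than rules stated in the thread. Note that the IDs in the post's JSON carry a leading space (" CVRFPID-103559"); the converter trims IDs so that they still match the product tree.

```python
import json
import xml.etree.ElementTree as ET

# Status types allowed in the XML "Type" attribute, mapped to the JSON keys
# proposed in the post (the seven keys of the "product_status" object).
# The spellings of the five types not shown in the post are assumed.
STATUS_KEYS = {
    "Fixed": "fixed",
    "First Affected": "first_affected",
    "Known Affected": "known_affected",
    "Known Not Affected": "known_not_affected",
    "First Fixed": "first_fixed",
    "Recommended": "recommended",
    "Last Affected": "last_affected",
}

# Constructed sample input: the snippet from the post, extended with a second
# status and with whitespace around one ID to show it being normalised.
SAMPLE_XML = """<ProductStatuses>
  <Status Type="Known Affected">
    <ProductID>CVRFPID-103559</ProductID>
    <ProductID>CVRFPID-103763</ProductID>
  </Status>
  <Status Type="Fixed">
    <ProductID> CVRFPID-103800 </ProductID>
  </Status>
</ProductStatuses>"""


def _local(tag):
    """Strip an XML namespace ({uri}Name -> Name) so namespaced CVRF input is
    accepted too (assumption: element local names are as in the snippet)."""
    return tag.rsplit("}", 1)[-1]


def parse_product_statuses(xml_text):
    """Read <ProductStatuses> and return a list of (status_type, [product_ids]).

    Unknown status types are rejected, and whitespace around IDs is stripped,
    because an ID such as " CVRFPID-103559" would never match the product tree.
    """
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "ProductStatuses":
        raise ValueError("expected a ProductStatuses element")
    statuses = []
    for status in root:
        if _local(status.tag) != "Status":
            continue
        status_type = status.get("Type")
        if status_type not in STATUS_KEYS:
            raise ValueError(f"unknown status type {status_type!r}")
        ids = [(pid.text or "").strip() for pid in status if _local(pid.tag) == "ProductID"]
        statuses.append((status_type, [i for i in ids if i]))
    return statuses


def to_list_form(statuses):
    """The straightforward translation: a list of {status_type, product_ids}."""
    return {"product_statuses": [{"status_type": t.lower(), "product_ids": ids}
                                 for t, ids in statuses]}


def to_keyed_form(statuses):
    """The proposed form: one object keyed by status. Statuses with no
    products are simply absent, and duplicate IDs within a status are merged."""
    keyed = {}
    for status_type, ids in statuses:
        bucket = keyed.setdefault(STATUS_KEYS[status_type], [])
        for pid in ids:
            if pid not in bucket:
                bucket.append(pid)
    return {"product_status": keyed}


def validate_keyed_form(doc):
    """Return a list of problems with a keyed "product_status" (empty = valid).

    Checks: only the seven known keys; every value a list of trimmed, non-empty
    strings; and (an added consistency rule, not from the post) no product
    listed as both known_affected and known_not_affected.
    """
    errors = []
    ps = doc.get("product_status")
    if not isinstance(ps, dict):
        return ["product_status must be an object"]
    allowed = set(STATUS_KEYS.values())
    for key, ids in ps.items():
        if key not in allowed:
            errors.append(f"unknown status key {key!r}")
            continue
        if not isinstance(ids, list) or not all(
                isinstance(i, str) and i and i == i.strip() for i in ids):
            errors.append(f"{key}: must be a list of trimmed, non-empty strings")
    affected = ps.get("known_affected", [])
    not_affected = ps.get("known_not_affected", [])
    if isinstance(affected, list) and isinstance(not_affected, list):
        clash = ({i for i in affected if isinstance(i, str)}
                 & {i for i in not_affected if isinstance(i, str)})
        for pid in sorted(clash):
            errors.append(f"{pid} is both known_affected and known_not_affected")
    return errors


if __name__ == "__main__":
    parsed = parse_product_statuses(SAMPLE_XML)
    print(json.dumps(to_list_form(parsed), indent=2))
    print(json.dumps(to_keyed_form(parsed), indent=2))
    print("problems:", validate_keyed_form(to_keyed_form(parsed)))
```

    Because the keyed form uses a fixed set of property names, a JSON Schema for it can simply forbid additional properties; a status not in the set (for example the "under investigation" status raised later in this thread) would then be rejected until it is added to the schema, which is exactly the behaviour validate_keyed_form shows.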


  • 2.  Re: [csaf] CSAF JSON Schema - what to do about product statuses?

    Posted 05-03-2018 00:16

    Agree with your suggestion.

    Allan

    From: <csaf@lists.oasis-open.org> on behalf of Eric Johnson <eric@tibco.com>
    Date: Wednesday, May 2, 2018 at 4:59 PM
    To: "csaf@lists.oasis-open.org" <csaf@lists.oasis-open.org>
    Subject: [csaf] CSAF JSON Schema - what to do about product statuses?

    In XML, a snippet of the document looks like this:

        <ProductStatuses>
          <Status Type="Known Affected">
            <ProductID>CVRFPID-103559</ProductID>
            <ProductID>CVRFPID-103763</ProductID>
    ...

    The status can be one of several fixed choices "Fixed", "Known Affected", 

    A straightforward translation to JSON turns this into:

    "product_statuses": [
      {
        "status_type": "known affected",
        "product_ids": [" CVRFPID-103559", "CVRFPID-103763",
    ...

    I think a slightly more elegant form for the world of JSON looks more like this:

    "product_status" : {
      "fixed": [],
      "first_affected": [],
      "known_affected": [],
      "known_not_affected": [],
      "first_fixed": [],
      "recommended": [],
      "last_affected": []
    }

    The concrete example from above becomes:

    "product_status": {
      "known_affected": ["CVRFPID-103559", "CVRFPID-103763", ...
    },

    Thoughts, comments?

    Eric.


  • 3.  Re: [csaf] CSAF JSON Schema - what to do about product statuses?

    Posted 05-03-2018 00:27



    I like the suggested approach.

    A separate note about the “product statuses”: a while back it was suggested to also add the product status of “under investigation”, since some vendors may put out an early response/advisory to a zero day (or open source vulnerability), put products under investigation in their advisories, and then update when the investigation is over. Not suggesting to decide on this now, since the current activity is to first convert the current specification to JSON; but something to keep in mind. I will put that in a Jira issue so that we can discuss at a later time.

    Regards,

    Omar Santos
    PSIRT, Security Research and Operations
    Cisco Systems, Inc.
    Email:  os@cisco.com
    Phone:  +1 919 392 8635
    PGP Key: 0x3AF27EDC


    On May 2, 2018, at 7:59 PM, Eric Johnson <eric@tibco.com> wrote:

    In XML, a snippet of the document looks like this:

        <ProductStatuses>
          <Status Type="Known Affected">
            <ProductID>CVRFPID-103559</ProductID>
            <ProductID>CVRFPID-103763</ProductID>
    ...

    The status can be one of several fixed choices "Fixed", "Known Affected", 

    A straightforward translation to JSON turns this into:

    "product_statuses": [
      {
        "status_type": "known affected",
        "product_ids": [" CVRFPID-103559", " CVRFPID-103763",
    ...

    I think a slightly more elegant form for the world of JSON looks more like this:

    "product_status" : {
      "fixed": [],
      "first_affected": [],
      "known_affected": [],
      "known_not_affected": [],
      "first_fixed": [],
      "recommended": [],
      "last_affected": []
    }

    The concrete example from above becomes:

    "product_status": {
      "known_affected": [ " CVRFPID-103559", " CVRFPID-103763", ...
    },

    Thoughts, comments?

    Eric.