I like the suggested approach.
A separate note about the “product statuses”: a while back it was suggested to also add the product status of “under investigation”, since some vendors may put out an early response/advisory to a zero day (or open source vulnerability), list products under investigation in their advisories, and then update when the investigation is over. Not suggesting to decide on this now, since the current activity is to first convert the current specification to JSON; but something to keep in mind. I will put that in a Jira issue so that we can discuss at a later time.
Regards,
Omar Santos
PSIRT, Security Research and Operations
Cisco Systems, Inc.
Email: os@cisco.com
Phone: +1 919 392 8635
PGP Key: 0x3AF27EDC
On May 2, 2018, at 7:59 PM, Eric Johnson <eric@tibco.com> wrote:
In XML, a snippet of the document looks like this:
<ProductStatuses>
<Status Type="Known Affected">
<ProductID>CVRFPID-103559</ProductID>
<ProductID>CVRFPID-103763</ProductID>
...
The status can be one of several fixed choices "Fixed", "Known Affected",
A straightforward translation to JSON turns this into:
"product_statuses": [
    {
        "status_type": "known affected",
        "product_ids": ["CVRFPID-103559",
                        "CVRFPID-103763",
                        ...
I think a slightly more elegant form for the world of JSON looks more like this:
"product_status" : {
"fixed": [],
"first_affected": [],
"known_affected": [],
"known_not_affected": [],
"first_fixed": [],
"recommended": [],
"last_affected": []
}
The concrete example from above becomes:
"product_status": {
    "known_affected": ["CVRFPID-103559",
                       "CVRFPID-103763",
                       ...
},
Thoughts, comments?
Eric.
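As an added example that is not part of either message above, the following Python converts a CVRF <ProductStatuses> fragment into the keyed "product_status" object Eric proposes. It assumes an un-namespaced fragment as shown in the snippet (real CVRF documents carry a namespace), uses the seven status types listed in Eric's proposed form, and constructs its own sample input; the product ID "CVRFPID-EXAMPLE-1" is a made-up placeholder. Two checks are included that the keyed form makes cheap: an unknown Type value is rejected rather than silently dropped, and a product ID listed as both known affected and known not affected is reported as a contradiction.

```python
import json
import xml.etree.ElementTree as ET

# The fixed set of Status Type values, as listed in the proposed JSON form.
STATUS_TYPES = (
    "Fixed", "First Affected", "Known Affected", "Known Not Affected",
    "First Fixed", "Recommended", "Last Affected",
)

# Constructed sample fragment (no namespace, matching the snippet in the thread).
# CVRFPID-EXAMPLE-1 is a placeholder, not a real product ID.
SAMPLE_XML = """<ProductStatuses>
  <Status Type="Known Affected">
    <ProductID>CVRFPID-103559</ProductID>
    <ProductID>CVRFPID-103763</ProductID>
  </Status>
  <Status Type="Fixed">
    <ProductID>CVRFPID-EXAMPLE-1</ProductID>
  </Status>
</ProductStatuses>"""


def status_key(status_type):
    """Map a CVRF Status Type such as 'Known Affected' to the key 'known_affected'."""
    return status_type.strip().lower().replace(" ", "_")


def product_status_from_xml(xml_text):
    """Return the keyed product_status object for a <ProductStatuses> fragment.

    Every known status type is present as a key (possibly an empty list), so
    consumers get a stable shape. An unknown Type or an empty ProductID raises,
    because dropping it would silently change what the advisory asserts.
    """
    root = ET.fromstring(xml_text)
    result = {status_key(t): [] for t in STATUS_TYPES}
    for status in root.iter("Status"):
        stype = status.get("Type")
        if stype not in STATUS_TYPES:
            raise ValueError(f"unknown product status type: {stype!r}")
        key = status_key(stype)
        for pid in status.findall("ProductID"):
            text = (pid.text or "").strip()
            if not text:
                raise ValueError(f"empty ProductID under status {stype!r}")
            if text not in result[key]:      # ignore exact duplicates
                result[key].append(text)
    return result


def conflicting_ids(product_status):
    """Product IDs asserted as both known affected and known not affected."""
    not_affected = set(product_status.get("known_not_affected", []))
    return [pid for pid in product_status.get("known_affected", [])
            if pid in not_affected]


def to_json(product_status):
    """Serialize in the proposed shape, wrapped under the 'product_status' key."""
    return json.dumps({"product_status": product_status}, indent=2)


if __name__ == "__main__":
    ps = product_status_from_xml(SAMPLE_XML)
    print(to_json(ps))
    print("conflicts:", conflicting_ids(ps))
```

Because the status vocabulary is closed, the keyed object carries the same information as the list-of-status-objects form while guaranteeing each status appears at most once, which is what makes a direct consistency check like `conflicting_ids` possible without first grouping the list.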