OASIS Common Security Advisory Framework (CSAF) TC


New Editor revision - Meeting on 2022-05-18


    Posted 05-14-2022 17:26
    Dear colleagues,

    Stefan and I prepared a new editor revision to address the comments from the public review phase. You can find the changes at:
    https://github.com/oasis-tcs/csaf/pull/543/files
    or view the complete artifacts at
    https://github.com/oasis-tcs/csaf/tree/editor-revision-2022-05-14/csaf_2.0

    All the changes included so far are deemed non-material.

    Please take some time and review the changes so that we are able to proceed fast at our next meeting on May 18, 2022. If you haven't marked that meeting in your calendar, please do so now.

    There are a few open issues I would like to highlight:

    - https://github.com/oasis-tcs/csaf/issues/512: This is about the categories in remediation, especially about the "none_available". I suggested with https://github.com/oasis-tcs/csaf/pull/540/files a solution that is non-material. The other solution would be to rename values from the schema (which is of course material).

    - https://github.com/oasis-tcs/csaf/issues/530: This is about CWE. Currently, we allow only one CWE per vulnerability. The submitter requested to be able to have multiple CWEs per vulnerability. That requires a schema change and would be material. As I haven't come across a situation where I needed two CWEs, I would like to hear from the TC members
      a) whether that would be valid in a CVE record
      b) use cases / examples where that is needed
      Luckily: That was not submitted as CSD02 Public Feedback. Therefore, we should discuss that but are not in a hurry.

    - https://github.com/oasis-tcs/csaf/issues/517: Just for completeness. We have a PR pending with just the link missing. If we receive the link before Wednesday, we'll add that into the editor revision. Otherwise, we'll add the stub and edit that together with the TC admins once the link is out.

    Best regards,
    Thomas

    --
    Thomas Schmidt