OASIS Common Security Advisory Framework (CSAF) TC

  • 1.  design "version" in json

    Posted 11-29-2018 00:55
    Hi CSAF TC,
    The information about product versions is critical for the users to identify if the products are affected. We had a brief discussion about the possibilities of semantic presentation in today's meeting.

    The below is my proposal to design "version" in json for csaf. The goal is to cover the common use cases. More common cases can be added too if there is a consensus.
    Thanks,
    Feng Cao
    Oracle Security Alerts

    The list of the common use cases:

     - individual versions
    For example, CVE-2017-3240, RDBMS Security component of Oracle Database Server, the supported version that is affected is 12.1.0.2

        "version": {
            "individuals": [
                "strings of versions", "strings separated by commas"
            ]
        }

     - prior to including all the releases
    For example, CVE-2016-4694, Apache HTTP Server in Apple OS X before 10.12

        "version": {
            "priortoall": "string of priortoall version"
        }

     - prior to including the specified release
    For example, CVE-2016-6307, OpenSSL 1.1.0 before 1.1.0a

        "version": {
            "priortoone": [
                {
                    "branch": "string of branch",
                    "release": "string of release"
                }
            ]
        }

     - intervals
    For example, CVE-2016-8740, Apache HTTP Server 2.4.17 through 2.4.23

        "version": {
            "interval": [
                {
                    "startrelease": "string of release",
                    "endrelease": "string of release"
                }
            ]
        }

     - earlier for all the releases
    For example, MySQL Enterprise Monitor component of Oracle MySQL (subcomponent: Monitoring: Agent). Supported versions that are affected are 3.1.3.7856 and earlier

        "version": {
            "earliertoall": "string of release"
        }

     - earlier for the specified release
    For example, CVE-2016-6307, MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Encryption). Supported versions that are affected are 5.6.34 and earlier and 5.7.16 and earlier

        "version": {
            "earliertoone": [
                {
                    "branch": "string of branch",
                    "release": "string of release"
                }
            ]
        }

    Json schema for version inside product:

        "version": {
            "type": "object",
            "properties": {
                "description": { "type": "string" },
                "individuals": {
                    "type": "array",
                    "items": { "type": "string" }
                },
                "priortoall": { "type": "string" },
                "priortoone": {
                    "type": "array",
                    "items": {
                        "type": "object",
                        "properties": {
                            "branch": { "type": "string" },
                            "release": { "type": "string" }
                        },
                        "required": ["branch", "release"]
                    }
                },
                "interval": {
                    "type": "array",
                    "items": {
                        "type": "object",
                        "properties": {
                            "startrelease": { "type": "string" },
                            "endrelease": { "type": "string" }
                        },
                        "required": ["startrelease", "endrelease"]
                    }
                },
                "earliertoall": { "type": "string" },
                "earliertoone": {
                    "type": "array",
                    "items": {
                        "type": "object",
                        "properties": {
                            "branch": { "type": "string" },
                            "release": { "type": "string" }
                        },
                        "required": ["branch", "release"]
                    }
                }
            }
        }
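An added worked example (not part of the post or of the CSAF TC's own work): a small Python matcher that takes a "version" object in the shape proposed above and decides whether a given installed version string is affected, using the post's own CVE examples as constructed inputs. The key names are the post's; the tokenising version comparison and the branch-as-prefix rule are assumptions made here, since the post does not define how version strings compare.

```python
import re

# Added example, not from the post: applies a proposed "version" object to an
# installed version string. How version strings compare is an assumption here.

_TOKEN = re.compile(r"\d+|[A-Za-z]+")

def parse(version: str) -> tuple:
    """'1.1.0a' -> ((0,1),(0,1),(0,0),(1,'a')): numeric parts compare as ints,
    an alphabetic suffix sorts after the bare number (1.1.0 < 1.1.0a < 1.1.0b)."""
    return tuple((0, int(t)) if t.isdigit() else (1, t.lower())
                 for t in _TOKEN.findall(version))

def in_branch(version: str, branch: str) -> bool:
    """'5.6.34' is in branch '5.6'; '5.7.16' is not (prefix match on tokens)."""
    v, b = parse(version), parse(branch)
    return v[:len(b)] == b

def is_affected(version: str, spec: dict) -> bool:
    """Evaluate each of the six proposed range types; any match means affected."""
    v = parse(version)
    for entry in spec.get("individuals", []):
        # the post allows comma-separated version lists inside one string
        if any(parse(x.strip()) == v for x in entry.split(",")):
            return True
    if "priortoall" in spec and v < parse(spec["priortoall"]):
        return True
    for e in spec.get("priortoone", []):          # "1.1.0 before 1.1.0a"
        if in_branch(version, e["branch"]) and v < parse(e["release"]):
            return True
    for e in spec.get("interval", []):            # "2.4.17 through 2.4.23"
        if parse(e["startrelease"]) <= v <= parse(e["endrelease"]):
            return True
    if "earliertoall" in spec and v <= parse(spec["earliertoall"]):
        return True
    for e in spec.get("earliertoone", []):        # "5.6.34 and earlier"
        if in_branch(version, e["branch"]) and v <= parse(e["release"]):
            return True
    return False

# Constructed "version" objects built from the examples given in the post
ORACLE_DB = {"individuals": ["12.1.0.2"]}
OPENSSL = {"priortoone": [{"branch": "1.1.0", "release": "1.1.0a"}]}
HTTPD = {"interval": [{"startrelease": "2.4.17", "endrelease": "2.4.23"}]}
MYSQL = {"earliertoone": [{"branch": "5.6", "release": "5.6.34"},
                          {"branch": "5.7", "release": "5.7.16"}]}
```

Note that "priortoall" and "earliertoall" apply to every branch, while the "...one" forms only fire when the installed version lies on the named branch, which is what keeps 5.5.x from matching the MySQL 5.6/5.7 entries.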


  • 2.  Re: [csaf] design "version" in json

    Posted 11-29-2018 15:39
    Thank you Feng!

    Just a quick question (for the purpose of clarification and further discussion from the TC here).

    Currently, CSAF/CVRF 1.2 has the following "Vulnerability Product Affected Status Type Model"
    http://docs.oasis-open.org/csaf/csaf-cvrf/v1.2/cs01/csaf-cvrf-v1.2-cs01.html#_Toc493508846

     - First Affected
     - Known Affected
     - Known Not Affected
     - First Fixed
     - Fixed
     - Recommended
     - Last Affected

    Will your suggestion replace or modify those values? The reason I ask is that "first affected", "first fixed", and "last affected" could be an overlap of your suggestion below.

    Regards,

    Omar Santos
    Cisco PSIRT
    Email: os@cisco.com
    PGP Key: 8E19A9D13AF27EDC

  • 3.  Re: [csaf] design "version" in json

    Posted 11-29-2018 20:27
    Yes. For each type defined, there should be the common cases to back it up. I went over many CVEs in NVD, and defined the below types in json for the common cases. It is worth noting the below types in json could be classified as the break-down of Known Affected.
    Thanks,
    --Feng