“CSAF Common Vulnerability Reporting Framework (CVRF) Version 1.2” Committee Specification 01. 13 September 2017 (http://docs.oasis-open.org/csaf/csaf-cvrf/v1.2/cs01/csaf-cvrf-v1.2-cs01.html) now includes support for CVSSv3.
http://docs.oasis-open.org/csaf/csaf-cvrf/v1.2/cs01/csaf-cvrf-v1.2-cs01.html#_Toc493508836
2.2.12 Vulnerability CVSS Version 3 Type Model
The calculations of the numerical CVSS version 3 scores are out of scope for this document. Constraints on the possible values are mapped as follows:
« The BaseScoreV3, TemporalScoreV3, and EnvironmentalScoreV3 values MUST be single decimal values in the interval [0.0, 10.0] as enforced by the external CVSSv3 schema and thus must be elements of the following finite ordered set with 101 elements:
{0.0, 0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.9, 1.0, ... 9.9, 10.0}
» [CSAF-2.2.12-1]
The cvssVectorV3 value is a string which can be longer than the version 2 counterpart (up to 133 characters, where 2 characters have been added to the theoretical 131 characters of such a vector to account for newline characters on any platform). This string encapsulates all input for CVSS score calculation.
« The cvssVectorV3 value MUST abide to the following length constraint ():
length < 133 characters
» [CSAF-2.2.12-2]
The specific notation is expected to follow the guidelines set forth in the CVSS v3 documentation at [CVSS3] (cf. section “Vector String” pp.17,18 there).
Note the 133-character limitation in CSAF CVRF to accommodate for the maximal length of 131 characters as derived from [CVSS3] plus accommodation for an added line end character notion for any platform.
Non-normative comment:
The Common Vulnerability Scoring System version 3 (CVSSv3) aggregation for vulnerabilities provides uniform grading and improved tracking of vulnerabilities over time across different reporting sources. For more information about CVSS version 3 cf. [CVSS3]