[CSAF-21] Zero or more CVSSv3 scores, overall CVSS logic - OASIS Technical Committees Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: None
Component/s: None
Labels:
None

Proposal:

Hide

Clarify the CVSS score logic, decide and implement in the XML

Make CVSSv3 optional, 0+ (or maybe 0 or 1 depending on decision about logic)

Show
Clarify the CVSS score logic, decide and implement in the XML Make CVSSv3 optional, 0+ (or maybe 0 or 1 depending on decision about logic)
Resolution:

Hide

Resolved in meeting #6 on 2017-APR-26 as documented in https://www.oasis-open.org/committees/download.php/60612/csaf-minutes-20170426-meeting-6.html in section 6.1

Show
Resolved in meeting #6 on 2017-APR-26 as documented in https://www.oasis-open.org/committees/download.php/60612/csaf-minutes-20170426-meeting-6.html in section 6.1

Description

From Harold Booth: I am afraid I missed the opportunity to mention concerns...I have one suggested change: line 456 in vuln.xsd should be: <xs:element name="ScoreSetV3" minOccurs="0" maxOccurs="unbounded"> to not require CVSSv3

I believe the intent is:

For each vulnerability in a CVRF document
CVSSScoreSets are optional, there can be 0 or 1
there can be 0 or more CVSSv2 scores
there can be 0 or more CVSSv3 scores
for either v2 or v3 there must be 1 and only 1 Base score
other CVSS scores and the vectors are optional

This means there can be one CVSS base score but more than one vector, or more than one Temporal score per vulnerability?

Attachments

Activity

People

Assignee:

Unassigned

Reporter:

Art MANION [X] (Inactive)

Watchers:

4 Start watching this issue

Dates

Created:

23/Feb/17 4:09 PM

Updated:

26/Apr/17 7:04 PM