[CSAF-28] Proposal for CVSS future embrace - OASIS Technical Committees Issue Tracker

Details

Type: Improvement
Status: Closed
Priority: Critical
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: 1.2_CSD01_WD01
Component/s: None
Labels:
None
Environment:

[Proposed]

Proposal:

Hide

Updated Proposal with private 0.0 - 10.0 cvssScoreType:

I hereby suggest to replace in vuln.xsd the hard wired V2/V3 mimic with the following:

A) Types for the vector (cvssVector) and the scale of the CVSS scalar scores (for v2/3 in [0.0, 10.0]):

A.1)
Only one type (which constrains the length to the maximum needed for v2 and v3) and hopefully the future versions.

String representing the components needed to compute the
various scores for CVSS versions 2 and 3. Note, that v3 scores can be longer than v2 scores
(up to 138 characters). It is assumed, that future versions of CVSS maintain the structure
of the information break down and the required vector length.

A.2)
New vuln:cvssScoreType compatible with the CVSS v2 and v3 decimal scores but private to CSAF CVRF.
This allows for decoupling of namespaces (no need to import cvss namespaces with specific schema versions anymore).

B) Only a ScoreSet but with a required Version attribute (xs:positiveInteger)

This will hold the CVSS version that the content conforms to.
Versions 2 and 3 fit the structure. It is assumed, that future versions 4, 5, ... will also fit.

C) The Container content of every [0, nifty] ScoreSet to be a sequence:

BaseScore (vuln:cvssScoreType) [1, 1]
TemporalScore (vuln:cvssScoreType) [0, 1]
EnvironmentalScore (vuln:cvssScoreType) [0, 1]
Vector (vuln:cvssVector) [0, 1]
vuln:ProductID [0, infty]

D) Change the path value of the selector in the uniqueness constraint UniqueScoreSetProductID into:

.//vuln:CVSSScoreSets/vuln:ScoreSet/vuln:ProductID

All in all this embraces the future in a reasonable way, and should allow for easy migration of older documents.

Details:

A)

A.1)

<xs:simpleType name="cvssVector">
<xs:annotation>
<xs:documentation xml:lang="en">String representing the components needed to compute the
various scores for CVSS versions 2 and 3. Note, that v3 scores can be longer than v2 scores
(up to 138 characters). It is assumed, that future versions of CVSS maintain the structure
of the information break down and the required vector length.</xs:documentation>
</xs:annotation>
<xs:restriction base="xs:token">
<xs:maxLength value="140"/>
</xs:restriction>
</xs:simpleType>

A.2)

<xsd:simpleType name="cvssScoreType">
<xsd:annotation>
<xsd:documentation>Value restriction to single decimal values from 0.0 to 10.0, as used in CVSS scores</xsd:documentation>
</xsd:annotation>
<xsd:restriction base="xsd:decimal">
<xsd:minInclusive value="0"/>
<xsd:maxInclusive value="10"/>
<xsd:fractionDigits value="1"/>
</xsd:restriction>
</xsd:simpleType>

B) and C)

<xs:element name="ScoreSet" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation xml:lang="en">CVSS scores for a given product ID. If the
ProductID attribute is omitted, the score applies to all vulnerable
products.</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:sequence>
<xs:element name="BaseScore" type="vuln:cvssScoreType" minOccurs="1"
maxOccurs="1">
<xs:annotation>
<xs:documentation xml:lang="en">The CVSS Base Score is the numeric value of
the computed CVSS Base Score which should be a float from 0 –
10.0.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="TemporalScore" type="vuln:cvssScoreType"
minOccurs="0" maxOccurs="1">
<xs:annotation>
<xs:documentation xml:lang="en">The CVSS Base Score is the numeric value of
the computed CVSS Temporal Score which should be a float from 0 –
10.0.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="EnvironmentalScore" type="vuln:cvssScoreType"
minOccurs="0" maxOccurs="1">
<xs:annotation>
<xs:documentation xml:lang="en">The CVSS Base Score is the numeric value of
the computed CVSS Environmental Score which should be a float from 0 –
10.0.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Vector" type="vuln:cvssVector" minOccurs="0" maxOccurs="1">
<xs:annotation>
<xs:documentation xml:lang="en">The CVSS Vector string is the official
notation that contains all of the values used to compute the Base,
Temporal, and Environmental scores.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element ref="vuln:ProductID" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="Version" type="xs:positiveInteger" use="required">
<xs:annotation>
<xs:documentation xml:lang="en">The CVSS version that the content
conforms to. Versions 2 and 3 fit the structure. It is assumed, that
future versions 4, 5, ... will also fit.</xs:documentation>
</xs:annotation>
</xs:attribute>
</xs:complexType>
</xs:element>

D)

<xs:unique name="UniqueScoreSetProductID">
<xs:annotation>
<xs:documentation xml:lang="en">This is to ensure that each CVSS score set mentions a given
ProductID only one.</xs:documentation>
</xs:annotation>
<xs:selector xpath=".//vuln:CVSSScoreSets/vuln:ScoreSet/vuln:ProductID"/>
<xs:field xpath="."/>
</xs:unique>

Show
Updated Proposal with private 0.0 - 10.0 cvssScoreType: I hereby suggest to replace in vuln.xsd the hard wired V2/V3 mimic with the following: A) Types for the vector (cvssVector) and the scale of the CVSS scalar scores (for v2/3 in [0.0, 10.0] ): A.1) Only one type (which constrains the length to the maximum needed for v2 and v3) and hopefully the future versions. String representing the components needed to compute the various scores for CVSS versions 2 and 3. Note, that v3 scores can be longer than v2 scores (up to 138 characters). It is assumed, that future versions of CVSS maintain the structure of the information break down and the required vector length. A.2) New vuln:cvssScoreType compatible with the CVSS v2 and v3 decimal scores but private to CSAF CVRF. This allows for decoupling of namespaces (no need to import cvss namespaces with specific schema versions anymore). B) Only a ScoreSet but with a required Version attribute (xs:positiveInteger) This will hold the CVSS version that the content conforms to. Versions 2 and 3 fit the structure. It is assumed, that future versions 4, 5, ... will also fit. C) The Container content of every [0, nifty] ScoreSet to be a sequence: BaseScore (vuln:cvssScoreType) [1, 1] TemporalScore (vuln:cvssScoreType) [0, 1] EnvironmentalScore (vuln:cvssScoreType) [0, 1] Vector (vuln:cvssVector) [0, 1] vuln:ProductID [0, infty] D) Change the path value of the selector in the uniqueness constraint UniqueScoreSetProductID into: .//vuln:CVSSScoreSets/vuln:ScoreSet/vuln:ProductID All in all this embraces the future in a reasonable way, and should allow for easy migration of older documents. Details: A) A.1) <xs:simpleType name="cvssVector"> <xs:annotation> <xs:documentation xml:lang="en">String representing the components needed to compute the various scores for CVSS versions 2 and 3. Note, that v3 scores can be longer than v2 scores (up to 138 characters). It is assumed, that future versions of CVSS maintain the structure of the information break down and the required vector length.</xs:documentation> </xs:annotation> <xs:restriction base="xs:token"> <xs:maxLength value="140"/> </xs:restriction> </xs:simpleType> A.2) <xsd:simpleType name="cvssScoreType"> <xsd:annotation> <xsd:documentation>Value restriction to single decimal values from 0.0 to 10.0, as used in CVSS scores</xsd:documentation> </xsd:annotation> <xsd:restriction base="xsd:decimal"> <xsd:minInclusive value="0"/> <xsd:maxInclusive value="10"/> <xsd:fractionDigits value="1"/> </xsd:restriction> </xsd:simpleType> B) and C) <xs:element name="ScoreSet" minOccurs="0" maxOccurs="unbounded"> <xs:annotation> <xs:documentation xml:lang="en">CVSS scores for a given product ID. If the ProductID attribute is omitted, the score applies to all vulnerable products.</xs:documentation> </xs:annotation> <xs:complexType> <xs:sequence> <xs:element name="BaseScore" type="vuln:cvssScoreType" minOccurs="1" maxOccurs="1"> <xs:annotation> <xs:documentation xml:lang="en">The CVSS Base Score is the numeric value of the computed CVSS Base Score which should be a float from 0 – 10.0.</xs:documentation> </xs:annotation> </xs:element> <xs:element name="TemporalScore" type="vuln:cvssScoreType" minOccurs="0" maxOccurs="1"> <xs:annotation> <xs:documentation xml:lang="en">The CVSS Base Score is the numeric value of the computed CVSS Temporal Score which should be a float from 0 – 10.0.</xs:documentation> </xs:annotation> </xs:element> <xs:element name="EnvironmentalScore" type="vuln:cvssScoreType" minOccurs="0" maxOccurs="1"> <xs:annotation> <xs:documentation xml:lang="en">The CVSS Base Score is the numeric value of the computed CVSS Environmental Score which should be a float from 0 – 10.0.</xs:documentation> </xs:annotation> </xs:element> <xs:element name="Vector" type="vuln:cvssVector" minOccurs="0" maxOccurs="1"> <xs:annotation> <xs:documentation xml:lang="en">The CVSS Vector string is the official notation that contains all of the values used to compute the Base, Temporal, and Environmental scores.</xs:documentation> </xs:annotation> </xs:element> <xs:element ref="vuln:ProductID" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="Version" type="xs:positiveInteger" use="required"> <xs:annotation> <xs:documentation xml:lang="en">The CVSS version that the content conforms to. Versions 2 and 3 fit the structure. It is assumed, that future versions 4, 5, ... will also fit.</xs:documentation> </xs:annotation> </xs:attribute> </xs:complexType> </xs:element> D) <xs:unique name="UniqueScoreSetProductID"> <xs:annotation> <xs:documentation xml:lang="en">This is to ensure that each CVSS score set mentions a given ProductID only one.</xs:documentation> </xs:annotation> <xs:selector xpath=".//vuln:CVSSScoreSets/vuln:ScoreSet/vuln:ProductID"/> <xs:field xpath="."/> </xs:unique>
Resolution:

Hide

As decided in meeting https://www.oasis-open.org/apps/org/workgroup/csaf/event.php?event_id=44455 #6 on 2017-APR-26 the issue will be closed without action.

Show
As decided in meeting https://www.oasis-open.org/apps/org/workgroup/csaf/event.php?event_id=44455 #6 on 2017-APR-26 the issue will be closed without action.

Description

Originally proposed in a mail to the TC list (archived for public access at https://lists.oasis-open.org/archives/csaf/201704/msg00040.html ):

Better represent the transitive task of embedding and relating CVSS information of various versions.

Ideally the CVSS elements are valid CVSS "documents" themselves, but having read through many real world CVRF v1.1 documents they are (often understandably so) not.

Either CVSS v3 content is tunneld throught the CVRF v1.1 ScoreSet element (which suits a CVSS v2 content model) and this version info is noted out of band (say in some web page of publisher domain or the CVSS v3 vector is stored without the fixed prefix (required by CVSS v3) to safe space in the length constraint of the CVRF v1.1 Vector element.

To a) mitigate the current discussion on the cardinalities of elements for storage of CVSS v2 and v3 content and b) avoid clumsy model names and c) be future proof to a reasonable extent without introducing an xs:any black hole a version attributed superset ScoreSet element is suggested.

Please note, that currently the per CVSSv3 required fixed prefix for vectors is not always
used "in the wild" (and understandably so, as our cvrf v1.1 length might forbid legitimate values in CVSS v3.
So a Version attribute on a single ScoreSet element instance might be an enhancement for existing documents
when being transformed (see the Oracle example, where the CVSS3.0 prefix would now be signalled
via the Version attribute value "3".

Any feedback greatly appreciated esp. practical problems not known to me in my tower of thought

Proposal for CVSS future embrace

Details

Description

Attachments

Activity

People

Dates