OWASP / off

OWASP Findings Format

No support for different CVSS versions or CVSS vector #6

Closed paul-gould closed 4 years ago

paul-gould commented 4 years ago

Now that CVSSv3 is in widespread use, we need to be able to record the CVSS version along with the score. In many cases, the CVSS vector is more useful in performing a risk assessment, so having that recorded as well would be good.

Having multiple CVSS entries would also be useful, to record both a v2 and v3 vector & score as well as potentially recording different analyses from different sources. This would be more difficult to do while maintaining backwards compatibility in the schema, though.

mkonda commented 4 years ago

Great idea. Thanks for the input.

paul-gould commented 4 years ago

@mkonda sorry, I'm going to be awkward! Depending on the source, some of the findings we need to deal with have CVSSv2 vectors only, some have v3 only and some have both. So ideally, we need to accommodate all combinations.

I was thinking something along the lines of:

"cvssentries" : {
    "type" : "array",
    "items" : {
        "type": "object",
        "properties": {
            "version" : { "type": "number" },
            "vector": { "type": "string", "maxLength": 128 },
            "score": { "type": "number", "minimum": 0, "maximum": 10 }
        },
        "required": [ "version", "vector" ]
    }
}

I've deliberately not put a constraint on the version number for forward compatibility, and strictly speaking the score isn't required because it can be derived from the vector, but the vector should be required to record the analysis of the finding.

What do you think?
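As an added example for this thread (not code from the OWASP Findings Format project or from the comment author), the Python below validates items of the proposed cvssentries shape (version / vector / score) and also does what the comment notes is possible: it derives the base score from the vector and flags entries whose recorded score or version disagrees with it. The v2 and v3.1 base-score equations are the published FIRST ones; the sample entries are constructed, and nothing here reads the repository's actual schema.

```python
"""Validate proposed "cvssentries" items and cross-check recorded scores.

Added example for the issue thread, not project code. Entry shape follows the
schema proposed above; CVSS v2 and v3.1 base equations are the published ones."""
import math
import re
from decimal import Decimal, ROUND_HALF_UP

# CVSS v3.x base metric weights (PR weight depends on Scope: (unchanged, changed)).
V3_W = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
    "AC": {"L": 0.77, "H": 0.44},
    "PR": {"N": (0.85, 0.85), "L": (0.62, 0.68), "H": (0.27, 0.5)},
    "UI": {"N": 0.85, "R": 0.62},
    "CIA": {"H": 0.56, "L": 0.22, "N": 0.0},
}
# CVSS v2 base metric weights.
V2_W = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "CIA": {"N": 0.0, "P": 0.275, "C": 0.660},
}
V3_PREFIX = re.compile(r"^CVSS:(3\.[01])/")


def parse_vector(vector):
    """Return (version, metrics) for a v2 or v3.x vector; v2 has no 'CVSS:' prefix."""
    vector = vector.strip("()")  # v2 vectors are sometimes written in parentheses
    m = V3_PREFIX.match(vector)
    body = vector[m.end():] if m else vector
    version = float(m.group(1)) if m else 2.0
    metrics = dict(part.split(":", 1) for part in body.split("/"))  # ValueError if malformed
    required = ["AV", "AC", "PR", "UI", "S", "C", "I", "A"] if m else ["AV", "AC", "Au", "C", "I", "A"]
    missing = [k for k in required if k not in metrics]
    if missing:
        raise ValueError("vector missing base metrics %s" % missing)
    return version, metrics


def _roundup(x):
    """CVSS v3.1 Roundup: smallest one-decimal value >= x, done in integers to dodge float noise."""
    i = int(round(x * 100000))
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def v3_base_score(m):
    """CVSS v3.1 base score from parsed base metrics."""
    changed = m["S"] == "C"
    iss = 1 - (1 - V3_W["CIA"][m["C"]]) * (1 - V3_W["CIA"][m["I"]]) * (1 - V3_W["CIA"][m["A"]])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    expl = 8.22 * V3_W["AV"][m["AV"]] * V3_W["AC"][m["AC"]] * V3_W["PR"][m["PR"]][changed] * V3_W["UI"][m["UI"]]
    if impact <= 0:
        return 0.0
    return _roundup(min(1.08 * (impact + expl) if changed else impact + expl, 10))


def v2_base_score(m):
    """CVSS v2 base score from parsed base metrics (round half up to one decimal)."""
    impact = 10.41 * (1 - (1 - V2_W["CIA"][m["C"]]) * (1 - V2_W["CIA"][m["I"]]) * (1 - V2_W["CIA"][m["A"]]))
    if impact == 0:
        return 0.0
    expl = 20 * V2_W["AV"][m["AV"]] * V2_W["AC"][m["AC"]] * V2_W["Au"][m["Au"]]
    raw = (0.6 * impact + 0.4 * expl - 1.5) * 1.176
    return float(Decimal(str(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def validate_entry(entry):
    """Check one cvssentries item against the proposed schema, then against its own vector.
    Returns a list of problems; an empty list means the entry is consistent."""
    problems = ["missing required field %r" % k for k in ("version", "vector") if k not in entry]
    if problems:
        return problems
    if isinstance(entry["version"], bool) or not isinstance(entry["version"], (int, float)):
        problems.append("version must be a number")
    if not isinstance(entry["vector"], str) or len(entry["vector"]) > 128:
        problems.append("vector must be a string of at most 128 characters")
    if problems:
        return problems
    try:
        version, metrics = parse_vector(entry["vector"])
        derived = v3_base_score(metrics) if version >= 3 else v2_base_score(metrics)
    except (ValueError, KeyError) as e:
        return ["unparseable vector: %s" % e]
    if int(version) != int(entry["version"]):  # major version must agree with the vector
        problems.append("version %s does not match vector (%s)" % (entry["version"], version))
    score = entry.get("score")
    if score is not None:
        if not 0 <= score <= 10:
            problems.append("score %s out of range" % score)
        elif abs(score - derived) > 1e-9:
            problems.append("recorded score %s differs from derived %s" % (score, derived))
    return problems


# Constructed sample: a finding carrying both a v2 and a v3.1 analysis, one
# entry whose recorded score is stale, and one whose version contradicts its vector.
SAMPLE_ENTRIES = [
    {"version": 3.1, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 9.8},
    {"version": 2, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "score": 10.0},
    {"version": 3.1, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "score": 5.4},
    {"version": 2, "vector": "CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N"},
]


def check_all(entries):
    """Map entry index to its list of problems."""
    return {i: validate_entry(e) for i, e in enumerate(entries)}


if __name__ == "__main__":
    for i, probs in check_all(SAMPLE_ENTRIES).items():
        print(i, SAMPLE_ENTRIES[i]["vector"], probs or "ok")
```

Because the vector determines the version (v3.x vectors carry a `CVSS:3.x/` prefix, v2 vectors do not), the validator treats a recorded version that contradicts the prefix as an error rather than trusting the number, and it treats an absent score as acceptable since the score is derivable; a present score that does not match the derivation is the more interesting failure, as it usually means the vector was edited after the score was copied from the source.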