Open froh opened 3 years ago
oh. this basically comes from the transition from cvrf 1.1 to cvrf 1.2: https://www.suse.com/support/security/cvrf/
the reference parser contains schema definitions for both, 1.1 and 1.2. they indeed only differ in allowing for cvss v3 scores, as shown above:
```sh
git clone https://github.com/oasis-open/csaf-parser
cd csaf-parser
for d in common/ cvrf/ prod/ vuln/
do
    emacsclient -e " ( ediff-directories \"$d/1.1\" \"$d/1.2\" \".*\" ) "
done
```
Hi,
the SUSE CVRF files contain cvss2 and cvss3 scores.
cvrf-opensuse-su-2015:0225-1.xml
cvrf-opensuse-su-2020:1236-1.xml
The current handling in suse/cvrf/types.go does not handle this and drops the SUSE score sets.
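A Go sketch of types that keep both score sets when decoding a CVRF 1.2 vulnerability entry, added here as an example; it is not the project's `types.go` and not code from either poster. The element names (`ScoreSetV2`, `BaseScoreV2`, `VectorV2` and their `V3` counterparts) are assumed from the CVRF 1.2 vulnerability schema; the type and function names, the sample document, its namespace and the CVE id are constructed.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

type Score struct{ Version int; Base float64; Vector string }

// cvrfDoc maps only the parts needed here; tags match on local name, so any namespace works.
type cvrfDoc struct {
	Vulns []struct {
		CVE string `xml:"CVE"`
		V2  []struct {
			Base   float64 `xml:"BaseScoreV2"`
			Vector string  `xml:"VectorV2"`
		} `xml:"CVSSScoreSets>ScoreSetV2"`
		V3 []struct {
			Base   float64 `xml:"BaseScoreV3"`
			Vector string  `xml:"VectorV3"`
		} `xml:"CVSSScoreSets>ScoreSetV3"`
	} `xml:"Vulnerability"`
}

// ParseScores returns, per CVE, every score tagged with its CVSS major version.
func ParseScores(data []byte) (map[string][]Score, error) {
	var doc cvrfDoc
	if err := xml.Unmarshal(data, &doc); err != nil {
		return nil, err
	}
	out := map[string][]Score{}
	for _, v := range doc.Vulns {
		for _, s := range v.V2 {
			out[v.CVE] = append(out[v.CVE], Score{2, s.Base, s.Vector})
		}
		for _, s := range v.V3 {
			out[v.CVE] = append(out[v.CVE], Score{3, s.Base, s.Vector})
		}
	}
	return out, nil
}

const sample = `<cvrfdoc><Vulnerability xmlns="urn:example:vuln"><CVE>CVE-0000-0000</CVE>
<CVSSScoreSets><ScoreSetV2><BaseScoreV2>5.0</BaseScoreV2><VectorV2>AV:N/AC:L/Au:N/C:N/I:N/A:P</VectorV2></ScoreSetV2>
<ScoreSetV3><BaseScoreV3>7.5</BaseScoreV3><VectorV3>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</VectorV3></ScoreSetV3>
</CVSSScoreSets></Vulnerability></cvrfdoc>` // constructed input; namespace and CVE id are placeholders

func main() {
	fmt.Println(ParseScores([]byte(sample)))
}
```

A struct that declares only the 1.1 `ScoreSet` element decodes the same input without error and with no scores, which matches the silent drop reported in the issue.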