csaf-tools / CVRF-CSAF-Converter

A CVRF CSAF Converter, taking care about OASIS specification.
https://www.telekom.com/security
MIT License

Vulnerability:CWE discrepancies #43

Closed zpevma closed 2 years ago

zpevma commented 2 years ago

While working on the Vulnerabilities section I noticed the following discrepancy in CVRF: the specification of CVRF 1.2 states that the CWE element MUST be present zero or one time, while in the XSD schema of CVRF 1.2 the occurrence is not bounded: <xs:element name="CWE" minOccurs="0" maxOccurs="unbounded">.

The second related discrepancy in CSAF: vulnerabilities property in this specification does not have any property marked as mandatory (not even CWE), while here it says It must be tested that the CWE is given.

These two discrepancies raise questions about how to approach this in the implementation:

  1. If there is no bound on the number of CWE elements in a CVRF document and the program gets >1 CWE on the input, how should this be handled?
  2. If CWE is a mandatory field for CSAF and this element is not present in the input CVRF document, how should this be handled?
tschmidtb51 commented 2 years ago

These two discrepancies raise questions about how to approach this in the implementation:

  1. If there is no bound on the number of CWE elements in a CVRF document and the program gets >1 CWE on the input, how should this be handled?

This seems to be a defect in the CVRF CSAF 1.2 XSD. Please handle as follows:

If more than one vuln:CWE instance is given, the CVRF CSAF converter converts the first one into the cwe. In addition, the converter outputs a warning that information might be lost during conversion of the cwe.

  2. If CWE is a mandatory field for CSAF and this element is not present in the input CVRF document, how should this be handled?

CWE is not mandatory. The test you mention (It must be tested that the CWE is given.) is informative. Therefore, it does not result in any warning (but in an information in the checker part). It MUST NOT be implemented in the conversion part.

Does that answer your question?
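
The handling agreed above (first vuln:CWE wins, a warning on more than one, no warning and no cwe property on none), as an added Python illustration that is not code from the CVRF-CSAF-Converter project. It assumes the CVRF 1.2 vuln namespace URI shown, and the function and sample fragments are constructed for this example.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Namespace of the CVRF 1.2 "vuln" schema, i.e. the namespace of vuln:CWE (assumed here).
VULN_NS = "http://www.icasi.org/CVRF/schema/vuln/1.2"


def convert_cwe(vulnerability: ET.Element) -> Tuple[Optional[dict], List[str]]:
    """Map the vuln:CWE children of one CVRF Vulnerability onto the CSAF 'cwe' property.

    Returns (cwe object or None, list of conversion warnings):
    - no CWE:  'cwe' is optional in CSAF, so the property is omitted and the
               converter stays silent (reporting it is a checker concern)
    - one CWE: converted as-is
    - >1 CWE:  the first instance is converted, a warning flags possible loss
    """
    cwes = vulnerability.findall(f"{{{VULN_NS}}}CWE")
    warnings: List[str] = []
    if not cwes:
        return None, warnings
    if len(cwes) > 1:
        warnings.append(
            f"{len(cwes)} vuln:CWE elements found; only the first ({cwes[0].get('ID')}) "
            "is converted, information might be lost during conversion of the cwe"
        )
    first = cwes[0]
    # CVRF carries the CWE identifier in the ID attribute and the name as text.
    return {"id": first.get("ID"), "name": (first.text or "").strip()}, warnings


def vulnerability_from_xml(fragment: str) -> ET.Element:
    """Parse a vuln:Vulnerability fragment into an element tree."""
    return ET.fromstring(fragment)


# Constructed sample: a Vulnerability with two CWE elements (allowed by the XSD).
TWO_CWES = f"""<Vulnerability xmlns="{VULN_NS}" Ordinal="1">
  <Title>Example issue</Title>
  <CWE ID="CWE-79">Improper Neutralization of Input During Web Page Generation</CWE>
  <CWE ID="CWE-20">Improper Input Validation</CWE>
</Vulnerability>"""

# Constructed sample: no CWE at all (valid in both CVRF and CSAF).
NO_CWE = f"""<Vulnerability xmlns="{VULN_NS}" Ordinal="2">
  <Title>Another issue</Title>
</Vulnerability>"""

if __name__ == "__main__":
    for fragment in (TWO_CWES, NO_CWE):
        cwe, messages = convert_cwe(vulnerability_from_xml(fragment))
        print("cwe:", cwe)
        for message in messages:
            print("WARNING:", message)
```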

zpevma commented 2 years ago

Does that answer your question?

Yes, all clarified, thank you!