gocsaf / csaf

Tools to download or provide CSAF (Common Security Advisory Framework) documents.
https://csaf.io

Difference between schema in repo and schema on first.org for CVSS 3.0 #453

Closed cintek closed 1 year ago

cintek commented 1 year ago

Something seems wrong with the schema for CVSS 3.0.

In https://github.com/csaf-poc/csaf_distribution/blob/main/csaf/schema/cvss-v3.0.json the pattern for vectorString is: "^CVSS:3[.]0/((AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$"

But at https://www.first.org/cvss/cvss-v3.0.json the pattern for vectorString is: "^CVSS:3[.]0/((AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$"

They are not identical.

I would expect that they are the same because they have the same ID.

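The two patterns quoted above differ only in the `PR` and `MPR` alternatives: the repository copy accepts `U` as a value for Privileges Required, which CVSS v3.0 does not define (the specification allows only N, L and H for that metric). The following Go program is an added example, not code from the gocsaf/csaf project; it embeds both patterns verbatim from the issue, checks two constructed sample vectors against each, and enumerates every single-metric vector that exactly one of the two patterns accepts, so the full difference is computed rather than read off the regexes by eye.

```go
package main

import (
	"fmt"
	"regexp"
)

// Both patterns are copied verbatim from the issue: the first from the
// repository's csaf/schema/cvss-v3.0.json, the second from
// https://www.first.org/cvss/cvss-v3.0.json.
const repoPattern = `^CVSS:3[.]0/((AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$`

const firstPattern = `^CVSS:3[.]0/((AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$`

var (
	repoRe  = regexp.MustCompile(repoPattern)
	firstRe = regexp.MustCompile(firstPattern)
)

// cvss30Metrics lists every metric name the two patterns know about, in the
// order they appear in the alternation (base, temporal, environmental).
var cvss30Metrics = []string{
	"AV", "AC", "PR", "UI", "S", "C", "I", "A",
	"E", "RL", "RC", "CR", "IR", "AR",
	"MAV", "MAC", "MPR", "MUI", "MS", "MC", "MI", "MA",
}

// MatchBoth reports whether vector satisfies the repository pattern and the
// first.org pattern, respectively.
func MatchBoth(vector string) (repoOK, firstOK bool) {
	return repoRe.MatchString(vector), firstRe.MatchString(vector)
}

// DivergentValues probes every metric with every capital letter as a
// single-metric vector ("CVSS:3.0/METRIC:X") and returns the "METRIC:X"
// pairs that exactly one of the two patterns accepts.
func DivergentValues() []string {
	var out []string
	for _, m := range cvss30Metrics {
		for c := 'A'; c <= 'Z'; c++ {
			v := "CVSS:3.0/" + m + ":" + string(c)
			repoOK, firstOK := MatchBoth(v)
			if repoOK != firstOK {
				out = append(out, m+":"+string(c))
			}
		}
	}
	return out
}

func main() {
	// Constructed sample vectors for illustration. PR:U is not a value the
	// CVSS v3.0 specification defines, so a correct schema must reject it.
	for _, v := range []string{
		"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
		"CVSS:3.0/AV:N/AC:L/PR:U/UI:N/S:U/C:H/I:H/A:H",
	} {
		repoOK, firstOK := MatchBoth(v)
		fmt.Printf("%-48s repo=%v first.org=%v\n", v, repoOK, firstOK)
	}
	fmt.Println("values accepted by exactly one pattern:", DivergentValues())
}
```

Running it reports `PR:U` and `MPR:U` as the only divergent values; the vector carrying `PR:U` passes the repository pattern and fails the first.org one. Note that neither pattern enforces metric order or uniqueness, so a regex check alone is a syntax filter, not full CVSS validation.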
bernhardreiter commented 1 year ago

Yes, can you look at the commit that added our version? The schema may have evolved since then and the version number in the file name v3.0 refers to the CVSS standard, not the revision of the JSON schema, I think...

cintek commented 1 year ago

Indeed, the schema did change a few times in the past. The Wayback Machine shows that the schema used in the repo did exist in the past.

Since I'm working on an advisory struct containing CVSS structs I can add the updated schema before I create a PR.

JanHoefelmeyer commented 1 year ago

Solved via #473