oasis-open / csaf-documentation

OASIS TC Open Repository: A GitHub repository for management of non-normative information about the work of the CSAF Technical Committee, including documentation
https://oasis-open.github.io/csaf-documentation/
BSD 3-Clause "New" or "Revised" License

CWE element error #4

Open dstrohl opened 3 years ago

dstrohl commented 3 years ago

Version 1.2 (http://docs.oasis-open.org/csaf/csaf-cvrf/v1.2/cs01/csaf-cvrf-v1.2-cs01.html#_Toc493508771) section 6.9

The words say:

« The vuln:CWE element MUST be present zero or one time in any vuln:Vulnerability and if present it contains the MITRE standard Common Weakness Enumeration (CWE) and this value MUST match the pattern documented in section 2.2.13 Vulnerability CWE Type Model. » [CSAF-6.9-1]

The Type model says:

Vulnerability measures given as defined in the Common Weakness Enumeration (CWE) model are expected to be in a specific form to enhance interoperability. « Any CWE value MUST be completely matched by the following regular expression: CWE-[1-9]\d{0,5} »

Which would indicate an element looking like:

CWE-601
However, the examples (examples 57 and 58) show: URL Redirection to Untrusted Site ('Open Redirect')

Which indicates that there is an ID attribute that must match the type model, and the contents of the element are the name of the CWE. I'm not sure which is correct, but it should be one or the other.
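The two element shapes described in this issue (the CWE identifier as element text, or as an `ID` attribute with the CWE name as text) can both be checked against the section 2.2.13 pattern with a small validator. The following is an added example, not code from the CSAF TC repository or from the issue author; the CVRF 1.2 `vuln` namespace URI, the `ID` attribute name and the sample document are assumptions constructed for illustration. It uses `fullmatch`, because the prose says the value MUST be *completely* matched, so a CWE id followed by a name in the same text node must be rejected.

```python
import re
import xml.etree.ElementTree as ET

# Pattern quoted in the issue from CVRF 1.2 section 2.2.13 (Vulnerability CWE Type Model).
CWE_RE = re.compile(r"CWE-[1-9]\d{0,5}")

# Assumed namespace of the CVRF 1.2 "vuln" schema.
VULN_NS = "http://www.icasi.org/CVRF/schema/vuln/1.2"


def is_valid_cwe_id(value):
    """True only if the whole string matches the CWE pattern (no prefix/suffix allowed)."""
    return value is not None and CWE_RE.fullmatch(value) is not None


def check_cwe_elements(xml_text):
    """Return one finding per vuln:CWE element (plus a cardinality finding when a
    Vulnerability carries more than one CWE), as tuples:
    (vulnerability ordinal, form, value, valid?)."""
    root = ET.fromstring(xml_text)
    findings = []
    for vuln in root.iter(f"{{{VULN_NS}}}Vulnerability"):
        ordinal = vuln.get("Ordinal", "?")
        cwes = vuln.findall(f"{{{VULN_NS}}}CWE")
        # [CSAF-6.9-1]: the element MUST be present zero or one time.
        if len(cwes) > 1:
            findings.append((ordinal, "cardinality", str(len(cwes)), False))
        for cwe in cwes:
            attr = cwe.get("ID")  # attribute form seen in examples 57/58 (assumed name "ID")
            if attr is not None:
                findings.append((ordinal, "attribute", attr, is_valid_cwe_id(attr)))
            else:
                text = (cwe.text or "").strip()  # text form implied by the prose
                findings.append((ordinal, "text", text, is_valid_cwe_id(text)))
    return findings


# Constructed sample document covering both forms and several malformed cases.
SAMPLE_CVRF = f"""<cvrfdoc xmlns:vuln="{VULN_NS}">
  <vuln:Vulnerability Ordinal="1">
    <vuln:CWE>CWE-601</vuln:CWE>
  </vuln:Vulnerability>
  <vuln:Vulnerability Ordinal="2">
    <vuln:CWE ID="CWE-601">URL Redirection to Untrusted Site ('Open Redirect')</vuln:CWE>
  </vuln:Vulnerability>
  <vuln:Vulnerability Ordinal="3">
    <vuln:CWE>CWE-0601</vuln:CWE>
  </vuln:Vulnerability>
  <vuln:Vulnerability Ordinal="4">
    <vuln:CWE>CWE-79 (Cross-site Scripting)</vuln:CWE>
  </vuln:Vulnerability>
  <vuln:Vulnerability Ordinal="5">
    <vuln:CWE>CWE-79</vuln:CWE>
    <vuln:CWE>CWE-89</vuln:CWE>
  </vuln:Vulnerability>
</cvrfdoc>"""


if __name__ == "__main__":
    for ordinal, form, value, ok in check_cwe_elements(SAMPLE_CVRF):
        print(f"Vulnerability {ordinal}: {form:<11} {value!r:<50} {'OK' if ok else 'INVALID'}")
```

Running it flags ordinal 3 (leading zero), ordinal 4 (name appended to the id in the text node) and the double CWE element in ordinal 5, while accepting both the text form and the attribute form for CWE-601. Whichever shape the TC settles on, a consumer that validates the id with `fullmatch` rather than `search` is the one that actually enforces the "completely matched" wording.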
tschmidtb51 commented 3 years ago

This is also being addressed/changed in the current CSAF 2.0 Schema and CSAF 2.0 prose.