Status: Closed (santosomar closed this issue 5 years ago)
One vulnerability can have more than one vendor bug ID associated with it. For example, multiple Bugzilla bug IDs (in the case of Cisco, CSCaa12345, CSCbb23456, etc.).
Currently, the schema only supports one. We probably should change it to allow multiple instances:
```json
"vulnerabilities": {
  "type": "array",
  "items": {
    "type": "object",
    "propertyNames": {
      "enum": [
        "acknowledgments",
        "cve",
        "cvss_score_sets",
        "discovery_date",
        "id",
        "involvements",
        "ordinal",
        "notes",
        "product_status",
        "references",
        "release_date",
        "remediations",
        "threats",
        "title"
      ]
    },
    "required": [
      "ordinal"
    ]
  }
}
```
Vendors can add specific bug identifiers outside of the `id` field. The `id` field will remain the same, as in CVRF 1.2. Or the field can hold a comma-separated list of "IDs" (i.e., CSCaa12345,CSCbb23456, etc.).
Update: The TC has approved that the CVSS score should be represented the same way that FIRST defines it in their schema.
This issue has been created to collect feedback on the CSAF 2.0 JSON schema draft Vulnerability section/element.
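As an added example (not code from the CSAF project or from anyone in this thread), the following Python script checks vulnerability objects against the two constraints quoted from the draft above, `propertyNames.enum` and `required`, and contrasts the two ways of carrying several bug IDs discussed here: a comma-separated string inside the existing field, and a separate array. The property names and the required list are copied from the quoted fragment. The plural `ids` field, its `{"system_name", "text"}` entry shape, and the sample Cisco bug IDs are assumptions made for illustration and are not defined by the thread; the real CSAF 2.0 schema may differ. It runs with the standard library only, so it does not depend on a JSON Schema validator being installed.

```python
"""Constructed example: checking CSAF 2.0 draft `vulnerabilities` items against
the propertyNames/required constraints quoted in this issue, and comparing
"comma-separated IDs in one field" with "an array of ID objects".

Assumptions (not from the thread): the plural `ids` property and the
{"system_name": str, "text": str} shape of each entry.
"""

# propertyNames.enum copied from the draft fragment: any other key is rejected.
DRAFT_PROPERTY_NAMES = frozenset({
    "acknowledgments", "cve", "cvss_score_sets", "discovery_date", "id",
    "involvements", "ordinal", "notes", "product_status", "references",
    "release_date", "remediations", "threats", "title",
})
DRAFT_REQUIRED = ("ordinal",)

# Assumed extension for the "allow multiple IDs" proposal: a plural `ids` array.
PROPOSED_PROPERTY_NAMES = DRAFT_PROPERTY_NAMES | {"ids"}


def check_vulnerability(vuln, allowed=DRAFT_PROPERTY_NAMES, required=DRAFT_REQUIRED):
    """Return a list of propertyNames/required violations; [] means valid."""
    if not isinstance(vuln, dict):
        return ["vulnerability item must be an object"]
    errors = [f"property {key!r} not allowed by propertyNames"
              for key in vuln if key not in allowed]
    errors += [f"required property {key!r} is missing"
               for key in required if key not in vuln]
    return errors


def check_ids_array(vuln):
    """Assumed shape for the proposal: `ids` is a non-empty array of
    {"system_name", "text"} objects with non-empty strings and no duplicates."""
    ids = vuln.get("ids")
    if ids is None:
        return []                       # nothing to check; `id` alone is fine
    if not isinstance(ids, list) or not ids:
        return ["ids must be a non-empty array"]
    errors, seen = [], set()
    for n, entry in enumerate(ids):
        if not isinstance(entry, dict) or set(entry) != {"system_name", "text"}:
            errors.append(f"ids[{n}] must be an object with exactly system_name and text")
            continue
        if not all(isinstance(entry[k], str) and entry[k].strip()
                   for k in ("system_name", "text")):
            errors.append(f"ids[{n}]: system_name and text must be non-empty strings")
            continue
        pair = (entry["system_name"], entry["text"])
        if pair in seen:
            errors.append(f"ids[{n}] duplicates {pair!r}")
        seen.add(pair)
    return errors


def split_comma_ids(value):
    """The comma-separated workaround: split on commas, strip whitespace, drop
    empty parts. Note what it cannot recover: which tracking system each ID
    belongs to, because the string carries only the bare identifiers."""
    return [part.strip() for part in value.split(",") if part.strip()]


def main():
    # Constructed sample data; the bug IDs are the placeholders from the issue.
    single = {"ordinal": 1, "id": {"system_name": "Cisco Bug ID", "text": "CSCaa12345"}}
    comma = {"ordinal": 1, "id": "CSCaa12345, CSCbb23456,"}
    plural = {"ordinal": 1, "ids": [
        {"system_name": "Cisco Bug ID", "text": "CSCaa12345"},
        {"system_name": "Cisco Bug ID", "text": "CSCbb23456"},
    ]}
    print("draft schema, single id :", check_vulnerability(single))
    print("draft schema, ids array :", check_vulnerability(plural))
    print("draft schema, comma ids :", check_vulnerability(comma),
          "->", split_comma_ids(comma["id"]))
    print("proposed, ids array     :",
          check_vulnerability(plural, PROPOSED_PROPERTY_NAMES), check_ids_array(plural))
    print("missing ordinal         :", check_vulnerability({"id": "CSCaa12345"}))


if __name__ == "__main__":
    main()
```

The draft accepts the comma-separated string without complaint because `id` is never inspected by `propertyNames` or `required`, which is exactly why that workaround is hard to validate: a consumer has to re-parse the field and guess the tracking system. An array of objects gives the schema something to constrain (entry shape, non-empty values, duplicates) and gives consumers the system name alongside each identifier.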