oasis-tcs / csaf

OASIS CSAF TC: Supporting version control for Work Product artifacts developed by members of TC, including prose specifications and secondary artifacts like meeting minutes and productivity code
https://github.com/oasis-tcs/csaf

CSAF 2.0 JSON schema draft review: Vulnerability element #12

Status: Closed (santosomar closed this issue 5 years ago)

santosomar commented 5 years ago

This issue has been created to collect feedback on the CSAF 2.0 JSON schema draft Vulnerability section/element.

santosomar commented 5 years ago

One vulnerability can have more than one vendor bug ID associated with it. For example, multiple Bugzilla bug IDs, in the case of Cisco CSCaa12345, CSCbb23456, etc.

Currently, the schema only supports one. We probably should change to allow multiple instances:

"vulnerabilities": {
  "type": "array",
  "items": {
    "type": "object",
    "propertyNames": {
      "enum": [
        "acknowledgments",
        "cve",
        "cvss_score_sets",
        "discovery_date",
        "id",
        "involvements",
        "ordinal",
        "notes",
        "product_status",
        "references",
        "release_date",
        "remediations",
        "threats",
        "title"
      ]
    },
    "required": [
      "ordinal"
    ]
  }
}
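The comment above asks for a vulnerability element that can carry several vendor bug identifiers instead of one. The following is an added example, not code from the CSAF project or from the comment author: a small validator for the property list shown above, extended with an assumed "ids" array (an illustration of the proposed change, not the draft's actual field name) so that each vulnerability can reference several vendor bug IDs and each ID can be checked individually.

```python
"""Added example (not the CSAF project's own code): a minimal validator for the
proposed change above, where one vulnerability may carry several vendor bug IDs.
The "ids" array below is an assumed illustration of that change, not a field
from the CSAF 2.0 draft schema."""
from __future__ import annotations

# Property names from the schema fragment in the comment above, plus the
# assumed "ids" array for multiple vendor bug identifiers.
VULNERABILITY_PROPERTIES = {
    "acknowledgments", "cve", "cvss_score_sets", "discovery_date", "id", "ids",
    "involvements", "ordinal", "notes", "product_status", "references",
    "release_date", "remediations", "threats", "title",
}
REQUIRED = {"ordinal"}


def validate_vulnerabilities(doc: dict) -> list[str]:
    """Return a list of validation errors; an empty list means the document passes.

    Checks that "vulnerabilities" is an array of objects, that each object uses
    only the allowed property names and has the required "ordinal", and that an
    "ids" array, when present, holds unique, non-empty strings."""
    errors: list[str] = []
    vulns = doc.get("vulnerabilities")
    if not isinstance(vulns, list):
        return ["vulnerabilities: must be an array"]
    for i, vuln in enumerate(vulns):
        path = f"vulnerabilities[{i}]"
        if not isinstance(vuln, dict):
            errors.append(f"{path}: must be an object")
            continue
        for name in vuln:
            if name not in VULNERABILITY_PROPERTIES:
                errors.append(f"{path}: unknown property {name!r}")
        for name in sorted(REQUIRED - vuln.keys()):
            errors.append(f"{path}: missing required property {name!r}")
        ordinal = vuln.get("ordinal")
        if "ordinal" in vuln and (
            isinstance(ordinal, bool) or not isinstance(ordinal, int) or ordinal < 1
        ):
            errors.append(f"{path}.ordinal: must be a positive integer")
        if "ids" in vuln:
            errors.extend(_check_ids(vuln["ids"], f"{path}.ids"))
    return errors


def _check_ids(ids: object, path: str) -> list[str]:
    """Each vendor bug ID is its own array item, so it can be checked on its own;
    a comma-joined string in a single field could not be validated this way."""
    if not isinstance(ids, list) or not ids:
        return [f"{path}: must be a non-empty array"]
    errors: list[str] = []
    seen: set[str] = set()
    for j, item in enumerate(ids):
        if not isinstance(item, str) or not item.strip():
            errors.append(f"{path}[{j}]: must be a non-empty string")
        elif item in seen:
            errors.append(f"{path}[{j}]: duplicate id {item!r}")
        else:
            seen.add(item)
    return errors


# Constructed sample documents, not real advisories. The bug IDs are the
# placeholders quoted in the comment above.
GOOD_DOC = {
    "vulnerabilities": [
        {"ordinal": 1, "title": "example", "ids": ["CSCaa12345", "CSCbb23456"]}
    ]
}
BAD_DOC = {
    "vulnerabilities": [
        {"title": "example", "ids": ["CSCaa12345", "CSCaa12345", ""]},
        "not an object",
    ]
}

if __name__ == "__main__":
    for label, doc in (("good", GOOD_DOC), ("bad", BAD_DOC)):
        print(label, validate_vulnerabilities(doc) or "ok")
```

Run it directly to see the good document pass and the bad one report a missing ordinal, a duplicate ID, an empty ID, and a non-object entry. The per-item checks are the practical difference between an array of IDs and a single comma-separated string: with an array, each identifier can be validated and deduplicated on its own.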
santosomar commented 5 years ago

Vendors can add specific bug identifiers outside of the id field. The id field will remain the same, as in CVRF 1.2. Or each bug ID can be a list of comma-separated "IDs" within the field (i.e., CSCaa12345,CSCbb23456, etc.)

santosomar commented 5 years ago

Update: The TC has approved that the CVSS score should be represented the same way that FIRST defines it in their schema.