OASIS CSAF TC: Supporting version control for Work Product artifacts developed by members of TC, including prose specifications and secondary artifacts like meeting minutes and productivity code
The current version of scores doesn't reflect the relationship between the list of products and (CVSS-) scores correctly. I suggest the following changes:
define an object which contains: "products", "cvss_v20", "cvss_v30", "cvss_v31"
make "products" required (This reduces complexity: An implicit "score applies for all products" is no longer allowed - it is explicitly specified to which products this score belongs.)
set "minItems" as 2 ("products" and one score)
add an editorial remark like: 'Should use "cvss_v31". "cvss_v20" will be deprecated in CSAF 2.1/further versions'
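
The constraints proposed above, written as a small checker. This is an added example, not part of the original issue and not the CSAF schema. It assumes "minItems 2" means "products" plus at least one score, treats an empty "products" list as missing, and uses constructed product IDs and score values.

```python
# Added example: checks the constraints proposed in this issue.
# It is not the CSAF JSON schema and not code from the TC.
SCORE_KEYS = ("cvss_v20", "cvss_v30", "cvss_v31")


def check_score(entry):
    """Return (errors, warnings) for one proposed score object."""
    errors, warnings = [], []
    if not isinstance(entry, dict):
        return ["score entry must be an object"], warnings
    # "products" is required: a score no longer applies implicitly
    # to every product in the advisory.
    if "products" not in entry:
        errors.append('missing required "products"')
    elif not isinstance(entry["products"], list) or not entry["products"]:
        # Assumption: an empty list is as ambiguous as a missing one.
        errors.append('"products" must be a non-empty list')
    present = [k for k in SCORE_KEYS if k in entry]
    if not present:
        errors.append("at least one of cvss_v20, cvss_v30, cvss_v31 is required")
    elif "cvss_v31" not in present:
        # Mirrors the proposed editorial remark; advisory only.
        warnings.append('should use "cvss_v31"')
    return errors, warnings


def check_scores(scores):
    """Check a list of score objects; maps index -> (errors, warnings)."""
    return {i: check_score(e) for i, e in enumerate(scores)}


# Constructed sample data: product IDs and score values are made up.
SAMPLE_SCORES = [
    {"products": ["CSAFPID-0001"], "cvss_v31": {"baseScore": 9.8}},
    {"cvss_v30": {"baseScore": 7.5}},                 # no products
    {"products": ["CSAFPID-0002"]},                   # no score
    {"products": ["CSAFPID-0003"], "cvss_v20": {"baseScore": 5.0}},
]

if __name__ == "__main__":
    for idx, (errs, warns) in check_scores(SAMPLE_SCORES).items():
        print(idx, "errors:", errs, "warnings:", warns)
```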