oasis-tcs / csaf

OASIS CSAF TC: Supporting version control for Work Product artifacts developed by members of TC, including prose specifications and secondary artifacts like meeting minutes and productivity code
https://github.com/oasis-tcs/csaf

Clarify test "6.1.7 Multiple Scores with same Version per Product" #349

Closed tschmidtb51 closed 3 years ago

tschmidtb51 commented 3 years ago

Situation

reference: https://docs.oasis-open.org/csaf/csaf/v2.0/csd01/csaf-v2.0-csd01.html#617-multiple-scores-with-same-version-per-product

The first paragraph reads:

It must be tested that the same Product ID is not member of more than one CVSS-Vectors with the same version.

It is not explicitly stated that this applies only per vulnerability.

Proposal

Add an additional phrase at the beginning and make the paragraph read:

For each item in /vulnerabilities it must be tested that the same Product ID is not member of more than one CVSS-Vectors with the same version.

sthagen commented 3 years ago

Added as non-material because in the CSDPR01 version the test is missing the right subject. But, we can always discuss the scope …
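
An added example, not part of the issue thread or of the OASIS CSAF repository: a Python check for test 6.1.7 with the per-vulnerability scope proposed in the issue, next to a document-wide variant showing what the unscoped wording could be read to mean. The field names (`scores`, `products`, `cvss_v2`, `cvss_v3`, `version`) are assumed from the CSAF 2.0 schema, and the sample document is constructed.

```python
from collections import defaultdict

# Keys holding CVSS data in a score item (assumed from the CSAF 2.0 schema).
CVSS_KEYS = ("cvss_v2", "cvss_v3")

def duplicate_scores(doc):
    """Test 6.1.7 per vulnerability: (vuln index, product id, version, score indexes)."""
    findings = []
    for v_idx, vuln in enumerate(doc.get("vulnerabilities", [])):
        # Rebuilt for each item in /vulnerabilities: the scope the proposal makes explicit.
        seen = defaultdict(list)  # (product id, CVSS version) -> score indexes
        for s_idx, score in enumerate(vuln.get("scores", [])):
            versions = {score[k]["version"] for k in CVSS_KEYS
                        if isinstance(score.get(k), dict) and "version" in score[k]}
            for pid in set(score.get("products", [])):
                for version in versions:
                    seen[(pid, version)].append(s_idx)
        for (pid, version), idxs in sorted(seen.items()):
            if len(idxs) > 1:
                findings.append((v_idx, pid, version, idxs))
    return findings

def duplicate_scores_document_wide(doc):
    """The unscoped reading: pool every score in the document before checking."""
    pooled = [s for v in doc.get("vulnerabilities", []) for s in v.get("scores", [])]
    return duplicate_scores({"vulnerabilities": [{"scores": pooled}]})

# Constructed sample, trimmed to the fields the test reads.
SAMPLE = {"vulnerabilities": [
    {"scores": [  # vulnerability 0: CSAFPID-0001 has two CVSS 3.1 scores -> fails
        {"products": ["CSAFPID-0001"],
         "cvss_v2": {"version": "2.0"}, "cvss_v3": {"version": "3.1"}},
        {"products": ["CSAFPID-0001", "CSAFPID-0002"], "cvss_v3": {"version": "3.1"}},
    ]},
    {"scores": [  # vulnerability 1: CSAFPID-0002 again, but in another vulnerability
        {"products": ["CSAFPID-0002"], "cvss_v3": {"version": "3.1"}},
    ]},
]}

if __name__ == "__main__":
    print("per vulnerability:", duplicate_scores(SAMPLE))
    print("document-wide:    ", duplicate_scores_document_wide(SAMPLE))
```

The document-wide variant additionally reports CSAFPID-0002, whose two CVSS 3.1 scores belong to different vulnerabilities; the per-vulnerability check does not.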