oasis-tcs / csaf

OASIS CSAF TC: Supporting version control for Work Product artifacts developed by members of TC, including prose specifications and secondary artifacts like meeting minutes and productivity code
https://github.com/oasis-tcs/csaf

handling the lack of CVSS string (CSAF specifications 6.1.8) #754

Open jdstefaniak opened 1 week ago

jdstefaniak commented 1 week ago

At the moment the test case is a binary pass/fail case: https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#618-invalid-cvss:~:text=CSAFPID%2D9080700.-,6.1.8%20Invalid%20CVSS,-It%20MUST%20be

When CVE records exist but are empty of the required details, they will, expectedly, fail the aforementioned test case.

However, there exist a number of NIST records for which no CVSS details are present, yet as they exist, vulnerability scanners do pick them up and readily add those partial CVE records to their reports. Examples: https://nvd.nist.gov/vuln/detail/CVE-2023-31346 https://nvd.nist.gov/vuln/detail/CVE-2023-31347 or https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&query=openssl&search_type=last3months&isCpeNameSearch=false

Given the CNA rules do not make the presence of the CVSS string a mandatory requirement for a CVE record: https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_5-1_Required_CVE_Record_Content:~:text=a%20CVE%20Record.-,Required%20CVE%20Record%20Content,-5.1.1%20SHOULD%20contain

I am wondering if we could consider some sort of "placeholder statement" that would enable the successful creation of a CSAF payload in the case of a test failure in 6.1.8.

Such a "placeholder statement" could read along the lines of: “Public Record incomplete at this time” as an example.

Thank You, members of the TC, for your attention to this suggestion.

JD

tschmidtb51 commented 1 week ago

@jdstefaniak I might be missing an important detail or I didn't fully understand your request...

Test 6.1.8 only fails if a CVSS is invalid. If no CVSS value is given, the test is omitted (as the scores array is not required). So you can create a CSAF payload that does not have any CVSS details without failing test 6.1.8.

We can also add a valid example that shows this in our validator/data test file collection.

tschmidtb51 commented 1 week ago

During TC meeting 2024-06-26 it was decided to add a test file that has no CVSS score and passes the test.