oasis-tcs / csaf

OASIS CSAF TC: Supporting version control for Work Product artifacts developed by members of TC, including prose specifications and secondary artifacts like meeting minutes and productivity code
https://github.com/oasis-tcs/csaf

Add optional CAPEC to vulnerabilities #766

Open CERT-VDE opened 3 months ago

CERT-VDE commented 3 months ago

It should be possible to add MITRE's Common Attack Pattern Enumerations and Classifications (CAPEC) to a vulnerability in CSAF. This field should be optional like it is in CVE entries and may be an array of multiple CAPECs. This may add information to CSAF advisories that helps to assess risks of a vulnerability.

tschmidtb51 commented 3 months ago

@CERT-VDE The comments mailing list is now back online. Please formally announce your suggestion there, e.g. through "Please see our suggestion in GitHub Issue XYZ (https://github.com/oasis-tcs/csaf/issues/XYZ)."

Thank you!

santosomar commented 2 months ago

During the TC meeting on September 25, 2024, we discussed the prioritization of including CAPEC in CSAF 2.1. The consensus was to consider this for a future release rather than for 2.1. Please share any additional use cases or suggestions for reprioritization in the comments section of this issue.