Difference between schema in repo and schema on first.org for CVSS 3.0 #453
Assignees
Milestone
Comments
|
Yes, can you look at the commit that added our version? The schema may have evolved since then and the version number in the file name |
|
Indeed, the schema did change a few times in the past. The wayback machine shows that the schema used in the repo did exist in the past. Since I'm working on an advisory struct containing CVSS structs I can add the updated schema before I create a PR. |
bernhardreiter
modified the milestones:
Release 3.0.0-beta.2,
Release 3.0.0-beta.3 or 3.0.0-rc.1
|
Solved via #473 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Something seems wrong with the schema for CVSS 3.0.
In https://github.com/csaf-poc/csaf_distribution/blob/main/csaf/schema/cvss-v3.0.json the pattern for vectorString is:
"^CVSS:3[.]0/((AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$"But at https://www.first.org/cvss/cvss-v3.0.json the pattern for vectorString is:
"^CVSS:3[.]0/((AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$"They are not identical.
I would expect that they are the same because they have the same ID.
The text was updated successfully, but these errors were encountered: