Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Clarify the involvements section (1) #220

Closed
tschmidtb51 opened this issue Apr 13, 2021 · 3 comments · Fixed by #255
Closed

Clarify the involvements section (1) #220

tschmidtb51 opened this issue Apr 13, 2021 · 3 comments · Fixed by #255
Assignees
@sthagen @tschmidtb51
Labels
csaf 2.0 csaf 2.0 work documentation tc-discussion-needed

Comments

@tschmidtb51
Copy link
Contributor

During the review of #205 there were some comments regarding the definitions and explanations use in the involvements property:

@tolim stated in #205 (comment):

It is unclear to me how this value should be used. I would assume that disputed in the context of the party means, that the named party and its affiliation to the vulnerability is disputed (and not the vulnerability report in its entirety).
If there is no security implication, the vulnerability CVSS score would indicate this by a value of 0.
Is there any case, where the value disputed would be used? At least from a vendor perspective, this value will never be useful as disputed or non-responding parties will not be mentioned in the advisory.

@sthagen replied in #205 (comment):

Defining categories in deeply nested structures sometimes makes us miss the forrest for the trees - I will read CVRF v1.2 again to see how we did there. Thanks for bringing this scope / use question up @tolim

This issue is used to track the progress and provide a place for discussions.
@tschmidtb51 tschmidtb51 mentioned this issue Apr 13, 2021
Merged
@tschmidtb51 tschmidtb51 changed the title Clarify the involvements section Clarify the involvements section (1) Apr 13, 2021
@tschmidtb51
Copy link
Contributor Author

tschmidtb51 commented Apr 26, 2021
edited

@tolim: What about this use case:

A security researcher (let's call him Bob) applies for a CVE and gets it granted by a CERT (let's call that CERT-XY). The vendor (say FooBar) states he is not affected. This brings us to the situation where:

  • Bob could issue an advisory and use (state, party)-tuples: { (disputed, vendor), (completed, coordinator)
  • CERT-XY could issue an advisory and use (state, party)-tuples: { (disputed, vendor), (completed, coordinator)
  • FooBar could issue an "informational" advisory and use state disputed for the party vendor.

I agree that the latter one is probably unlikely.

Having written that example I think I see the problem too. The definition always refer to the vendor instead of referring to the party.

tschmidtb51 added a commit to tschmidtb51/csaf that referenced this issue May 22, 2021
@tschmidtb51
Clarification of involvements
efa7f02 
- addresses part of oasis-tcs#220 and oasis-tcs#221
- add date into involvement section
tschmidtb51 added a commit to tschmidtb51/csaf that referenced this issue May 22, 2021
@tschmidtb51
Clarification of involvements
e0b004b 
- addresses part of oasis-tcs#220 and oasis-tcs#221
- rephrase descriptions to be more explicit
- replace type with category
tschmidtb51 added a commit to tschmidtb51/csaf that referenced this issue May 22, 2021
@tschmidtb51
Clarification of involvements
20dbc1e 
- addresses part of oasis-tcs#220 and oasis-tcs#221
- address questions regarding unclear use of vendor
tschmidtb51 added a commit to tschmidtb51/csaf that referenced this issue May 22, 2021
@tschmidtb51
Tests
87257aa 
- addresses part of oasis-tcs#220, oasis-tcs#221 and oasis-tcs#195
- add uniqueItems for list of involvements
- add test "Multiple Definition in Involvements"
tschmidtb51 added a commit to tschmidtb51/csaf that referenced this issue May 22, 2021
@tschmidtb51
Tests
dad7579 
- addresses part of oasis-tcs#220, oasis-tcs#221 and oasis-tcs#195
- add test "Missing Date in Involvements"
@tschmidtb51 tschmidtb51 mentioned this issue May 22, 2021
Merged
@tolim
Copy link
Contributor

tolim commented May 26, 2021

After reviewing the pull request, I agree to keep disputed in the spec. It definitely is useful for CERTs providing status reports on different vendors within one document.

@tschmidtb51
Copy link
Contributor Author

Merged into the oasis-tcs/csaf:master through #265.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sthagen sthagen

@tschmidtb51 tschmidtb51

Labels
csaf 2.0 csaf 2.0 work documentation tc-discussion-needed
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Clarification of involvements tschmidtb51/csaf
3 participants
@sthagen @tolim @tschmidtb51