Skip to content

Latest commit

 

History

History
708 lines (582 loc) · 56.9 KB

whats-new-csaf-v2.0-cn01.md

File metadata and controls

708 lines (582 loc) · 56.9 KB
Raw

OASIS Logo

OASIS Committee Note

What's New in CSAF Version 2.0

Committee Note 01

05 November 2021

 

Technical Committee:

OASIS Common Security Advisory Framework (CSAF) TC

Chair:

Omar Santos (osantos@cisco.com), Cisco Systems

Editors:

Martin Prpic (mprpic@redhat.com), Red Hat
Stefan Hagen (stefan@hagen.link), Individual
Thomas Schmidt (thomas.schmidt@bsi.bund.de), Federal Office for Information Security (BSI) Germany

Related work:

This document is related to:

Abstract:

This document describes the changes between Common Security Advisory Framework Version 2.0 and earlier related specifications.

Status:

This is a Non-Standards Track Work Product. The patent provisions of the OASIS IPR Policy do not apply.

This document was last revised or approved by the OASIS Common Security Advisory Framework (CSAF) TC on the above date. The level of approval is also listed above. Check the "Latest stage" location noted above for possible later revisions of this document. Any other numbered Versions and other technical work produced by the Technical Committee (TC) are listed at https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=csaf#technical.

TC members should send comments on this document to the TC's email list. Others should send comments to the TC's public comment list, after subscribing to it by following the instructions at the "Send A Comment" button on the TC's web page at https://www.oasis-open.org/committees/csaf/.

Citation format:

When referencing this document the following citation format should be used:

[What's-New-v2.0]

What's New in CSAF Version 2.0. Edited by Martin Prpic, Stefan Hagen, and Thomas Schmidt. 05 November 2021. OASIS Committee Note 01. https://docs.oasis-open.org/csaf/whats-new-csaf/v2.0/cn01/whats-new-csaf-v2.0-cn01.html. Latest stage: https://docs.oasis-open.org/csaf/whats-new-csaf/v2.0/whats-new-csaf-v2.0.html.

Notices

Copyright © OASIS Open 2021. All Rights Reserved.

Distributed under the terms of the OASIS IPR Policy.

The name "OASIS" is a trademark of OASIS, the owner and developer of this specification, and should be used only to refer to the organization and its official outputs.

For complete copyright information please see the full Notices section in an Appendix below.

Table of Contents

[[TOC will be inserted here]]

1 Introduction

Introductory material.

1.1 One way to produce OASIS-formatted HTML from Markdown

Here is a customized command line which will generate HTML from this markdown file (named whats-new-csaf-v2.0-cn01.md):

pandoc -f gfm -t html whats-new-csaf-v2.0-cn01.md -c styles/markdown-styles-v1.8a-cn.css --toc --toc-depth=5 -s -o whats-new-csaf-v2.0-cn01.html --metadata title="What's New in CSAF Version 2.0"

We are currently using pandoc 2.6 from https://github.com/jgm/pandoc/releases/tag/2.6.

This also requires the presence of a .css file containing the HTML styles (like styles/markdown-styles-v1.8a-cn.css).

Note this command generates a Table of Contents (TOC) in HTML which is located at the top of the HTML document, and which requires additional editing in order to be published in the expected OASIS style. This editing can be handled by OASIS staff during publication. Alternatively, the TC may generate a TOC via other tools or processes.

1.2 Glossary

1.2.1 Definitions of terms

1.2.2 Acronyms and abbreviations

1.2.3 Document conventions

  • Naming conventions
  • Font colors and styles
  • Typographic conventions

1.3 Some markdown usage examples

Text.

Note that text paragraphs in markdown should be separated by a blank line between them -

Otherwise the separate paragraphs will be joined together when the HTML is generated. Even if the text appears to be separate lines in the markdown source.

To avoid having the usual vertical space between paragraphs,
append two or more space characters to the end of the lines
which will generate an HTML break tag instead of a new paragraph tag
(as demonstrated here).

1.3.1 Figures and Captions

FIGURE EXAMPLE: <note caption is best ABOVE figure, to allow a link to it to display image - same for table captions>

Figure 1 -- Title of Figure

image-label should be meaningful (this image is missing)

Figure 2 -- OpenC2 Message Exchange

message exchange

1.3.2 Tables

1.3.2.1 Basic Table

Table 1-1. Table Label

Item Description
Item 1 Something
(second line)
Item 2 Something
Item 3 Something
(second line)
Item 4 text

1.3.2.2 Table with Three Columns and Some Bold Text

text.

Title 1 Title 2 title 3
something something something else that is a long string of text that might need to wrap around inside the table box and will just continue until the column divider is reached
something something something

1.3.2.3 Table with a caption which can be referenced

Table 1-5. See reference label construction
Name Description
content Message body as specified by content_type and msg_type.

Here is a reference to the table caption: Please see Table 1-5 or other meaningful label

1.3.3 Lists

Bulleted list:

  • bullet item 1.
  • Bold bullet item 2.
  • bullet item 3.
  • bullet item 4.

Indented or multi-level bullet list - add two spaces per level before bullet character (* or -):

  • main bullet type
    • Example second bullet
      • See third level
        • fourth level

Numbered list:

  1. item 1
  2. item 2
  3. item 3

1.3.4 Reference Label Construction

REFERENCES and ANCHORS

  • in markdown source, format the Reference tags as level 6 headings like: ###### [OpenC2-HTTPS-v1.0]
[OpenC2-HTTPS-v1.0]

Specification for Transfer of OpenC2 Messages via HTTPS Version 1.0. Edited by...

  • reference text has to be on a separate line below the tag

  • format cross-references (citations of the references) like: see [[OpenC2-HTTPS-v1.0](#openc2-https-v10)]
    "see [OpenC2-HTTPS-v1.0]"
    (note the outer square brackets in markdown will appear in the visible HTML text)

  • The text in the Reference tag (following ###### ) will become an HTML anchor using the following conversion rules:

    • punctuation marks will be dropped (including "[" )
    • leading white spaces will be dropped
    • upper case will be converted to lower
    • spaces between letters will be converted to a single hyphen

  • The same HTML anchor construction rules apply to cross-references and to section headings.

    • Thus, a section heading like "## 1.2 References"
    • becomes an anchor in HTML like <a href="#12-references">
    • referenced in the markdown like: see Section 1.2
    • (in markdown: "see [Section 1.2](#12-references")
    • similar HTML anchors are also used in constructing the TOC

1.3.5 Code Blocks

Text to appear as an indented code block with grey background and monospace font - use three back-ticks before and after the code block).

Note the actual backticks will not appear in the HTML version. If it's necessary to display visible backticks, place a back-slash before them like: ``` .

{   
    "target": {
        "x_kmip_2.0": {
            {"kmip_type": "json"},
            {"operation": "RekeyKeyPair"},
            {"name": "publicWebKey11DEC2017"}
        }
    }
}

Text to be highlighted as code can also be surrounded by a single "backtick" character: code text

1.4 Page Breaks

Add horizontal rule lines where page breaks are desired in the PDF - before each major section

  • insert the line rules in markdown by inserting 3 or more hyphens on a line by themselves: ---
  • place these before each main section in markdown (usually "#" - which generates the HTML <h1> tag)

2 Section Heading

text.

2.1 Level 2 Heading

text.

2.1.1 Level 3 Heading

text.

2.1.1.1 Level 4 Heading

text.

2.1.1.1.1 Level 5 Heading

This is the deepest level, because six # gets transformed into a Reference tag.

2.2 Next Heading

text.

Appendix A. Informative References

This appendix contains the informative references that are used in this document.

While any hyperlinks included in this appendix were valid at the time of publication, OASIS cannot guarantee their long-term validity.

(Reference sources: For references to IETF RFCs, use the approved citation formats at:
http://docs.oasis-open.org/templates/ietf-rfc-list/ietf-rfc-list.html.
For references to W3C Recommendations, use the approved citation formats at:
http://docs.oasis-open.org/templates/w3c-recommendations-list/w3c-recommendations-list.html.
Remove this note before submitting for publication.)

[CSAF-v2.0]

Common Security Advisory Framework Version 2.0. Edited by Langley Rock, Stefan Hagen, and Thomas Schmidt. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.0/csaf-v2.0.html

[CVRF-v1.2]

CSAF Common Vulnerability Reporting Framework (CVRF) Version 1.2. Edited by Stefan Hagen. Latest version: http://docs.oasis-open.org/csaf/csaf-cvrf/v1.2/csaf-cvrf-v1.2.html

Appendix B. Acknowledgments

(Note: A Work Product approved by the TC must include a list of people who participated in the development of the Work Product. This is generally done by collecting the list of names in this appendix. This list shall be initially compiled by the Chair, and any Member of the TC may add or remove their names from the list by request.
Remove this note before submitting for publication.)

B.1 Special Thanks

Substantial contributions to this document from the following individuals are gratefully acknowledged:

Participant Name, Affiliation or "Individual Member"

B.2 Participants

The following individuals have participated in the creation of this document and are gratefully acknowledged:

tc-full-name TC Members:

First Name Last Name Company
Philippe Alcon Marvelous Networks
Alex Amir Viacat
Kris Anders Trend Mission
Darren Anysteel Macro Networks

Appendix C. Revision History

Revision Date Editor Changes Made
filename-v1.0-wd01 yyyy-mm-dd Editor Name Initial working draft

Appendix D. Notices

Copyright © OASIS Open 2021. All Rights Reserved.

All capitalized terms in the following text have the meanings assigned to them in the OASIS Intellectual Property Rights Policy (the "OASIS IPR Policy"). The full Policy may be found at the OASIS website.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published, and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this section are included on all such copies and derivative works. However, this document itself may not be modified in any way, including by removing the copyright notice or references to OASIS, except as needed for the purpose of developing any document or deliverable produced by an OASIS Technical Committee (in which case the rules applicable to copyrights, as set forth in the OASIS IPR Policy, must be followed) or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY OWNERSHIP RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

The name "OASIS" is a trademark of OASIS, the owner and developer of this specification, and should be used only to refer to the organization and its official outputs. OASIS welcomes reference to, and implementation and use of, specifications, while reserving the right to enforce its marks against misleading uses. Please see https://www.oasis-open.org/policies-guidelines/trademark for above guidance.

Appendix E. Mapping

This informative appendix provides a mapping by path between the elements in CSAF CVRF 1.2 and CSAF 2.0. It is intended to aid in the transition to CSAF 2.0.

E.1 Newly introduced elements

  • /document: Groups the document-level metadata elements. Previously, these elements were grouped through the namespace cvrf.
  • /document/csaf_version: Gives the version of the CSAF specification which the document was generated for.
  • /document/distribution/tlp: Provides details about the TLP classification of the document.
  • /document/lang: Identifies the language used by this document, corresponding to IETF BCP 47 / RFC 5646. Previously, this was done through xml:lang attributes per element.
  • /document/publisher/name: Contains the name of the issuing party. Previously, this was included in /cvrf:cvrfdoc/cvrf:DocumentPublisher/cvrf:IssuingAuthority/text(). See conversion rule in section 9.1.5 of CSAF specification.
  • /document/publisher/namespace: Contains a URL which is under control of the issuing party and can be used as a globally unique identifier for that issuing party. It replaces the //cvrf:DocumentPublisher/@VendorID. See conversion rule in section 9.1.5 of CSAF specification.
  • /document/source_lang: If this copy of the document is a translation then the value of this property describes from which language this document was translated.
  • /document/tracking/generator/engine: Contains information about the engine that generated the CSAF document. This was introduced as intermediate level to group name and version of engine logically. In a CVRF-CSAF conversion, the converter SHOULD replace this objects according to its own values.
  • /document/tracking/generator/engine/version: Contains the version of the engine that generated the CSAF document. Previously, this was part of the cvrf:Engine element.
  • /product_tree/*/product/product_identification_helper: Provides at least one method which aids in identifying the product in an asset database. It was introduced to group different ways to identify a product/
  • /product_tree/*/product/product_identification_helper/hashes: Contains a list of cryptographic hashes usable to identify files.
  • /product_tree/*/product/product_identification_helper/purl: The package URL (purl) attribute refers to a method for reliably identifying and locating software packages external to this specification.
  • /product_tree/*/product/product_identification_helper/sbom_urls: Contains a list of URLs where SBOMs for this product can be retrieved.
  • /product_tree/*/product/product_identification_helper/serial_numbers: Contains a list of parts, or full serial numbers.
  • /product_tree/*/product/product_identification_helper/skus: Contains a list of parts, or full stock keeping units.
  • /product_tree/*/product/product_identification_helper/x_generic_uris: Contains a list of identifiers which are either vendor-specific or derived from a standard not yet supported.
  • /vulnerabilities[]/involvements[]/date: Holds the date and time of the involvement entry.
  • /vulnerabilities[]/product_status/under_investigation: It is not known yet whether these versions are or are not affected by the vulnerability. However, it is still under investigation - the result will be provided in a later release of the document.
  • /vulnerabilities[]/remediations[]/restart_required: Provides information on category of restart is required by this remediation to become effective.
  • /vulnerabilities[]/scores[]: Specifies information about (at least one) score of the vulnerability and for which products the given value applies. Previously, products where directly tied to the vuln:ScoreSetV2 or vuln:ScoreSetV3.
  • /vulnerabilities[]/scores[]/cvss_v2/*: Additional elements were introduced through the use of the FIRST CVSSv2 schema.
  • /vulnerabilities[]/scores[]/cvss_v3/*: Additional elements were introduced through the use of the FIRST CVSSv3 schemas.

E.2 Changed elements

  • */acknowledgments[]/organization: See conversion rule in section 9.1.5 of CSAF specification.
  • /document/publisher/category: The possible values have been extended.
  • /document/publisher/issuing_authority: Name of the issuing party is now a separate field. See E.1
  • /document/tracking/generator/engine/name: Version of the engine is now a separate field. See E.1
  • /document/tracking/revision_history[]/number: See conversion rule in section 9.1.5 of CSAF specification.
  • /document/tracking/version: See conversion rule in section 9.1.5 of CSAF specification.
  • /product_tree/relationships[]/full_product_name: See conversion rule in section 9.1.5 of CSAF specification.
  • /vulnerabilities[]/remediations[]/category: The CVRF CSAF Vulnerability Remediation Type Will Not Fix was renamed into no_fix_planned.
  • /vulnerabilities[]/scores[]: See conversion rules in section 9.1.5 of CSAF specification. Note: As the way changed how products are tied to score values, score values from vuln:ScoreSetV2 and vuln:ScoreSetV3 SHOULD be joined if the address the same product set. Therefore, the number of score elements can be different from Count(vuln:ScoreSetV2 or vuln:ScoreSetV3).

E.3 Obsolete CVRF elements

  • //cvrf:Note/@Ordinal
  • //cvrf:DocumentPublisher/@VendorID
  • //vuln:Vulnerability/@Ordinal
  • //vuln:Note/@Ordinal

E.4 Mapped elements

CSAF Attribute CSAF CVRF 1.2 Path Note
/ /cvrf:cvrfdoc
/document see E.1
/document/acknowledgments /cvrf:cvrfdoc/cvrf:Acknowledgments
/document/acknowledgments[i] /cvrf:cvrfdoc/cvrf:Acknowledgments/cvrf:Acknowledgment[i+1]
/document/acknowledgments[i]/names /cvrf:cvrfdoc/cvrf:Acknowledgments/cvrf:Acknowledgment[i+1]/cvrf:Name
/document/acknowledgments[i]/names[j] /cvrf:cvrfdoc/cvrf:Acknowledgments/cvrf:Acknowledgment[i+1]/cvrf:Name[j+1]/text()
/document/acknowledgments[i]/organization /cvrf:cvrfdoc/cvrf:Acknowledgments/cvrf:Acknowledgment[i+1]/cvrf:Organization[1]/text() see E.2
/document/acknowledgments[i]/summary /cvrf:cvrfdoc/cvrf:Acknowledgments/cvrf:Acknowledgment[i+1]/cvrf:Description/text()
/document/acknowledgments[i]/urls /cvrf:cvrfdoc/cvrf:Acknowledgments/cvrf:Acknowledgment[i+1]/cvrf:URL
/document/acknowledgments[i]/urls[j] /cvrf:cvrfdoc/cvrf:Acknowledgments/cvrf:Acknowledgment[i+1]/cvrf:URL[j+1]/text()
/document/aggregate_severity /cvrf:cvrfdoc/cvrf:AggregateSeverity
/document/aggregate_severity/namespace /cvrf:cvrfdoc/cvrf:AggregateSeverity/@Namespace
/document/aggregate_severity/text /cvrf:cvrfdoc/cvrf:AggregateSeverity/text()
/document/category /cvrf:cvrfdoc/cvrf:DocumentType/text()
/document/csaf_version see E.1
/document/distribution /cvrf:cvrfdoc/cvrf:DocumentDistribution
/document/distribution/text /cvrf:cvrfdoc/cvrf:DocumentDistribution/text()
/document/distribution/tlp see E.1
/document/distribution/tlp/label see parent
/document/distribution/tlp/url see parent
/document/lang see E.1
/document/notes /cvrf:cvrfdoc/cvrf:DocumentNotes
/document/notes[i] /cvrf:cvrfdoc/cvrf:DocumentNotes/cvrf:Note[i+1]
/document/notes[i]/audience /cvrf:cvrfdoc/cvrf:DocumentNotes/cvrf:Note[i+1]/@Audience
/document/notes[i]/category /cvrf:cvrfdoc/cvrf:DocumentNotes/cvrf:Note[i+1]/@Type
/document/notes[i]/text /cvrf:cvrfdoc/cvrf:DocumentNotes/cvrf:Note[i+1]/text()
/document/notes[]/title /cvrf:cvrfdoc/cvrf:DocumentNotes/cvrf:Note[i+1]/@Title
/document/publisher /cvrf:cvrfdoc/cvrf:DocumentPublisher
/document/publisher/category /cvrf:cvrfdoc/cvrf:DocumentPublisher/@Type see E.2
/document/publisher/contact_details /cvrf:cvrfdoc/cvrf:DocumentPublisher/cvrf:ContactDetails/text()
/document/publisher/issuing_authority /cvrf:cvrfdoc/cvrf:DocumentPublisher/cvrf:IssuingAuthority/text() see E.2
/document/publisher/name see E.1
/document/publisher/namespace see E.1
/document/references /cvrf:cvrfdoc/cvrf:DocumentReferences
/document/references[i] /cvrf:cvrfdoc/cvrf:DocumentReferences/cvrf:Reference[i+1]
/document/references[i]/category /cvrf:cvrfdoc/cvrf:DocumentReferences/cvrf:Reference[i+1]/@Type
/document/references[i]/summary /cvrf:cvrfdoc/cvrf:DocumentReferences/cvrf:Reference[i+1]/cvrf:Description/text()
/document/references[]/url /cvrf:cvrfdoc/cvrf:DocumentReferences/cvrf:Reference[i+1]/cvrf:URL/text()
/document/source_lang see E.1
/document/title /cvrf:cvrfdoc/cvrf:DocumentTitle/text()
/document/tracking /cvrf:cvrfdoc/cvrf:DocumentTracking
/document/tracking/aliases /cvrf:cvrfdoc/cvrf:DocumentTracking/cvrf:Identification/cvrf:Alias
/document/tracking/aliases[i] /cvrf:cvrfdoc/cvrf:DocumentTracking/cvrf:Identification/cvrf:Alias[i+1]/text()
/document/tracking/current_release_date /cvrf:cvrfdoc/cvrf:DocumentTracking/cvrf:CurrentReleaseDate/text()
/document/tracking/generator /cvrf:cvrfdoc/cvrf:DocumentTracking/cvrf:Generator
/document/tracking/generator/date /cvrf:cvrfdoc/cvrf:DocumentTracking/cvrf:Generator/cvrf:Date/text()
/document/tracking/generator/engine see E.1
/document/tracking/generator/engine/name /cvrf:cvrfdoc/cvrf:DocumentTracking/cvrf:Generator/cvrf:Engine/text() see E.2
/document/tracking/generator/engine/version see E.1
/document/tracking/id /cvrf:cvrfdoc/cvrf:DocumentTracking/cvrf:Identification/cvrf:ID/text()
/document/tracking/initial_release_date /cvrf:cvrfdoc/cvrf:DocumentTracking/cvrf:InitialReleaseDate/text()
/document/tracking/revision_history /cvrf:cvrfdoc/cvrf:DocumentTracking/cvrf:RevisionHistory
/document/tracking/revision_history[i] /cvrf:cvrfdoc/cvrf:DocumentTracking/cvrf:RevisionHistory/cvrf:Revision[i+1]
/document/tracking/revision_history[]/date /cvrf:cvrfdoc/cvrf:DocumentTracking/cvrf:RevisionHistory/cvrf:Revision[i+1]/cvrf:Date/text()
/document/tracking/revision_history[]/number /cvrf:cvrfdoc/cvrf:DocumentTracking/cvrf:RevisionHistory/cvrf:Revision[i+1]/cvrf:Number/text() see E.2
/document/tracking/revision_history[]/summary /cvrf:cvrfdoc/cvrf:DocumentTracking/cvrf:RevisionHistory/cvrf:Revision[i+1]/cvrf:Description/text()
/document/tracking/status /cvrf:cvrfdoc/cvrf:DocumentTracking/cvrf:Status/text()
/document/tracking/version /cvrf:cvrfdoc/cvrf:DocumentTracking/cvrf:Version/text() see E.2
/product_tree /cvrf:cvrfdoc/prod:ProductTree
/product_tree/branches /cvrf:cvrfdoc/prod:ProductTree/prod:Branch
/product_tree/branches[i] /cvrf:cvrfdoc/prod:ProductTree/prod:Branch[i+1]
/product_tree/branches[i]/branches /cvrf:cvrfdoc/prod:ProductTree/prod:Branch[i+1]/prod:Branch
/product_tree/branches[i]/branches[j] /cvrf:cvrfdoc/prod:ProductTree/prod:Branch[i+1]/prod:Branch[j+1]
/product_tree/branches[i]/branches[j]/branches /cvrf:cvrfdoc/prod:ProductTree/prod:Branch[i+1]/prod:Branch[j+1]/prod:Branch
/product_tree/branches[i]/branches[j]/branches[k] /cvrf:cvrfdoc/prod:ProductTree/prod:Branch[i+1]/prod:Branch[j+1]/prod:Branch[k+1]
/product_tree/branches[i]/branches[j]/branches[k]/branches /cvrf:cvrfdoc/prod:ProductTree/prod:Branch[i+1]/prod:Branch[j+1]/prod:Branch[k+1]/prod:Branch
/product_tree/branches[i]/branches[j]/branches[k]/branches[l] /cvrf:cvrfdoc/prod:ProductTree/prod:Branch[i+1]/prod:Branch[j+1]/prod:Branch[k+1]/prod:Branch[l+1]
/product_tree/branches[i]/branches[j]/branches[k]/branches[l]/category /cvrf:cvrfdoc/prod:ProductTree/prod:Branch[i+1]/prod:Branch[j+1]/prod:Branch[k+1]/prod:Branch[l+1]/@Type
/product_tree/branches[i]/branches[j]/branches[k]/branches[l]/name /cvrf:cvrfdoc/prod:ProductTree/prod:Branch[i+1]/prod:Branch[j+1]/prod:Branch[k+1]/prod:Branch[l+1]/@Name
/product_tree/branches[i]/branches[j]/branches[k]/category /cvrf:cvrfdoc/prod:ProductTree/prod:Branch[i+1]/prod:Branch[j+1]/prod:Branch[k+1]/@Type
/product_tree/branches[i]/branches[j]/branches[k]/name /cvrf:cvrfdoc/prod:ProductTree/prod:Branch[i+1]/prod:Branch[j+1]/prod:Branch[k+1]/@Name
/product_tree/branches[i]/branches[j]/branches[k]/product /cvrf:cvrfdoc/prod:ProductTree/prod:Branch[i+1]/prod:Branch[j+1]/prod:Branch[k+1]/prod:FullProductName
/product_tree/branches[i]/branches[j]/branches[k]/product/name /cvrf:cvrfdoc/prod:ProductTree/prod:Branch[i+1]/prod:Branch[j+1]/prod:Branch[k+1]/prod:FullProductName/text()
/product_tree/branches[i]/branches[j]/branches[k]/product/product_id /cvrf:cvrfdoc/prod:ProductTree/prod:Branch[i+1]/prod:Branch[j+1]/prod:Branch[k+1]/prod:FullProductName/@ProductID
/product_tree/branches[i]/branches[j]/branches[k]/product/product_identification_helper see E.1
/product_tree/branches[i]/branches[j]/branches[k]/product/product_identification_helper/cpe /cvrf:cvrfdoc/prod:ProductTree/prod:Branch[i+1]/prod:Branch[j+1]/prod:Branch[k+1]/prod:FullProductName/@CPE
/product_tree/branches[i]/branches[j]/branches[k]/product/product_identification_helper/hashes see E.1
/product_tree/branches[i]/branches[j]/branches[k]/product/product_identification_helper/purl see E.1
/product_tree/branches[i]/branches[j]/branches[k]/product/product_identification_helper/sbom_urls see E.1
/product_tree/branches[i]/branches[j]/branches[k]/product/product_identification_helper/serial_numbers see E.1
/product_tree/branches[i]/branches[j]/branches[k]/product/product_identification_helper/skus see E.1
/product_tree/branches[i]/branches[j]/branches[k]/product/product_identification_helper/x_generic_uris see E.1
/product_tree/branches[i]/branches[j]/category /cvrf:cvrfdoc/prod:ProductTree/prod:Branch[i+1]/prod:Branch[j+1]/@Type
/product_tree/branches[i]/branches[j]/name /cvrf:cvrfdoc/prod:ProductTree/prod:Branch[i+1]/prod:Branch[j+1]/@Name
/product_tree/branches[i]/branches[j]/product /cvrf:cvrfdoc/prod:ProductTree/prod:Branch[i+1]/prod:Branch[j+1]/prod:FullProductName
/product_tree/branches[i]/branches[j]/product/name /cvrf:cvrfdoc/prod:ProductTree/prod:Branch[i+1]/prod:Branch[j+1]/prod:FullProductName/text()
/product_tree/branches[i]/branches[j]/product/product_id /cvrf:cvrfdoc/prod:ProductTree/prod:Branch[i+1]/prod:Branch[j+1]/prod:FullProductName/@ProductID
/product_tree/branches[i]/branches[j]/product/product_identification_helper see E.1
/product_tree/branches[i]/branches[j]/product/product_identification_helper/cpe /cvrf:cvrfdoc/prod:ProductTree/prod:Branch[i+1]/prod:Branch[j+1]/prod:FullProductName/@CPE
/product_tree/branches[i]/branches[j]/product/product_identification_helper/hashes see E.1
/product_tree/branches[i]/branches[j]/product/product_identification_helper/hashes[] see E.1
/product_tree/branches[i]/branches[j]/product/product_identification_helper/hashes[]/file_hashes see parent
/product_tree/branches[i]/branches[j]/product/product_identification_helper/hashes[]/filename see parent
/product_tree/branches[i]/branches[j]/product/product_identification_helper/purl see E.1
/product_tree/branches[i]/branches[j]/product/product_identification_helper/sbom_urls see E.1
/product_tree/branches[i]/branches[j]/product/product_identification_helper/sbom_urls[] see E.1
/product_tree/branches[i]/branches[j]/product/product_identification_helper/serial_numbers see E.1
/product_tree/branches[i]/branches[j]/product/product_identification_helper/serial_numbers[] see E.1
/product_tree/branches[i]/branches[j]/product/product_identification_helper/skus see E.1
/product_tree/branches[i]/branches[j]/product/product_identification_helper/skus[] see E.1
/product_tree/branches[i]/branches[j]/product/product_identification_helper/x_generic_uris see E.1
/product_tree/branches[i]/branches[j]/product/product_identification_helper/x_generic_uris[] see E.1
/product_tree/branches[i]/branches[j]/product/product_identification_helper/x_generic_uris[]/namespace see parent
/product_tree/branches[i]/branches[j]/product/product_identification_helper/x_generic_uris[]/uri see parent
/product_tree/branches[i]/category /cvrf:cvrfdoc/prod:ProductTree/prod:Branch[i+1]/@Type
/product_tree/branches[i]/name /cvrf:cvrfdoc/prod:ProductTree/prod:Branch[i+1]/@Name
/product_tree/branches[i]/product /cvrf:cvrfdoc/prod:ProductTree/prod:Branch[i+1]/prod:FullProductName
/product_tree/branches[i]/product/name /cvrf:cvrfdoc/prod:ProductTree/prod:Branch[i+1]/prod:FullProductName/text()
/product_tree/branches[i]/product/product_id /cvrf:cvrfdoc/prod:ProductTree/prod:Branch[i+1]/prod:FullProductName/@ProductID
/product_tree/branches[i]/product/product_identification_helper see E.1
/product_tree/branches[i]/product/product_identification_helper/cpe /cvrf:cvrfdoc/prod:ProductTree/prod:Branch[i+1]/prod:FullProductName/@CPE
/product_tree/branches[i]/product/product_identification_helper/hashes see E.1
/product_tree/branches[i]/product/product_identification_helper/hashes[] see E.1
/product_tree/branches[i]/product/product_identification_helper/hashes[]/file_hashes see parent
/product_tree/branches[i]/product/product_identification_helper/hashes[]/file_hashes[] see parent
/product_tree/branches[i]/product/product_identification_helper/hashes[]/file_hashes[]/algorithm see parent
/product_tree/branches[i]/product/product_identification_helper/hashes[]/file_hashes[]/value see parent
/product_tree/branches[i]/product/product_identification_helper/hashes[]/filename see parent
/product_tree/branches[i]/product/product_identification_helper/purl see E.1
/product_tree/branches[i]/product/product_identification_helper/sbom_urls see E.1
/product_tree/branches[i]/product/product_identification_helper/sbom_urls[] see E.1
/product_tree/branches[i]/product/product_identification_helper/serial_numbers see E.1
/product_tree/branches[i]/product/product_identification_helper/serial_numbers[] see E.1
/product_tree/branches[i]/product/product_identification_helper/skus see E.1
/product_tree/branches[i]/product/product_identification_helper/skus[] see E.1
/product_tree/branches[i]/product/product_identification_helper/x_generic_uris see E.1
/product_tree/branches[i]/product/product_identification_helper/x_generic_uris[] see E.1
/product_tree/branches[i]/product/product_identification_helper/x_generic_uris[]/namespace see parent
/product_tree/branches[i]/product/product_identification_helper/x_generic_uris[]/uri see parent
/product_tree/full_product_names /cvrf:cvrfdoc/prod:ProductTree/prod:FullProductName
/product_tree/full_product_names[i] /cvrf:cvrfdoc/prod:ProductTree/prod:FullProductName[i+1]
/product_tree/full_product_names[i]/name /cvrf:cvrfdoc/prod:ProductTree/prod:FullProductName[i+1]/text()
/product_tree/full_product_names[i]/product_id /cvrf:cvrfdoc/prod:ProductTree/prod:FullProductName[i+1]/@ProductID
/product_tree/full_product_names[i]/product_identification_helper see E.1
/product_tree/full_product_names[i]/product_identification_helper/cpe /cvrf:cvrfdoc/prod:ProductTree/prod:FullProductName[i+1]/@CPE
/product_tree/full_product_names[i]/product_identification_helper/hashes see E.1
/product_tree/full_product_names[i]/product_identification_helper/hashes[] see E.1
/product_tree/full_product_names[i]/product_identification_helper/hashes[]/file_hashes see parent
/product_tree/full_product_names[i]/product_identification_helper/hashes[]/file_hashes[] see parent
/product_tree/full_product_names[i]/product_identification_helper/hashes[]/file_hashes[]/algorithm see parent
/product_tree/full_product_names[i]/product_identification_helper/hashes[]/file_hashes[]/value see parent
/product_tree/full_product_names[i]/product_identification_helper/hashes[]/filename see parent
/product_tree/full_product_names[i]/product_identification_helper/purl see E.1
/product_tree/full_product_names[i]/product_identification_helper/sbom_urls see E.1
/product_tree/full_product_names[i]/product_identification_helper/sbom_urls[] see E.1
/product_tree/full_product_names[i]/product_identification_helper/serial_numbers see E.1
/product_tree/full_product_names[i]/product_identification_helper/serial_numbers[] see E.1
/product_tree/full_product_names[i]/product_identification_helper/skus see E.1
/product_tree/full_product_names[i]/product_identification_helper/skus[] see E.1
/product_tree/full_product_names[i]/product_identification_helper/x_generic_uris see E.1
/product_tree/full_product_names[i]/product_identification_helper/x_generic_uris[] see E.1
/product_tree/full_product_names[i]/product_identification_helper/x_generic_uris[]/namespace see parent
/product_tree/full_product_names[i]/product_identification_helper/x_generic_uris[]/uri see parent
/product_tree/product_groups /cvrf:cvrfdoc/prod:ProductTree/prod:ProductGroups
/product_tree/product_groups[i] /cvrf:cvrfdoc/prod:ProductTree/prod:ProductGroups/prod:Group[i+1]
/product_tree/product_groups[i]/group_id /cvrf:cvrfdoc/prod:ProductTree/prod:ProductGroups/prod:Group[i+1]/@GroupID
/product_tree/product_groups[i]/product_ids /cvrf:cvrfdoc/prod:ProductTree/prod:ProductGroups/prod:Group[i+1]/prod:ProductID
/product_tree/product_groups[i]/product_ids[j] /cvrf:cvrfdoc/prod:ProductTree/prod:ProductGroups/prod:Group[i+1]/prod:ProductID[j+1]/text()
/product_tree/product_groups[i]/summary /cvrf:cvrfdoc/prod:ProductTree/prod:ProductGroups/prod:Group[i+1]/prod:Description/text()
/product_tree/relationships /cvrf:cvrfdoc/prod:ProductTree/prod:Relationship
/product_tree/relationships[i] /cvrf:cvrfdoc/prod:ProductTree/prod:Relationship[i+1]
/product_tree/relationships[i]/category /cvrf:cvrfdoc/prod:ProductTree/prod:Relationship[i+1]/@RelationType
/product_tree/relationships[i]/full_product_name /cvrf:cvrfdoc/prod:ProductTree/prod:Relationship[i+1]/prod:FullProductName[1] see E.2
/product_tree/relationships[i]/full_product_name/name /cvrf:cvrfdoc/prod:ProductTree/prod:Relationship[i+1]/prod:FullProductName[1]/text() see E.2
/product_tree/relationships[i]/full_product_name/product_id /cvrf:cvrfdoc/prod:ProductTree/prod:Relationship[i+1]/prod:FullProductName[1]/@ProductID see E.2
/product_tree/relationships[i]/full_product_name/product_identification_helper see E.1
/product_tree/relationships[i]/full_product_name/product_identification_helper/cpe /cvrf:cvrfdoc/prod:ProductTree/prod:Relationship[i+1]/prod:FullProductName[1]/@CPE see E.2
/product_tree/relationships[i]/full_product_name/product_identification_helper/hashes see E.1
/product_tree/relationships[i]/full_product_name/product_identification_helper/hashes[] see E.1
/product_tree/relationships[i]/full_product_name/product_identification_helper/hashes[]/file_hashes see parent
/product_tree/relationships[i]/full_product_name/product_identification_helper/hashes[]/file_hashes[] see parent
/product_tree/relationships[i]/full_product_name/product_identification_helper/hashes[]/file_hashes[]/algorithm see parent
/product_tree/relationships[i]/full_product_name/product_identification_helper/hashes[]/file_hashes[]/value see parent
/product_tree/relationships[i]/full_product_name/product_identification_helper/hashes[]/filename see parent
/product_tree/relationships[i]/full_product_name/product_identification_helper/purl see E.1
/product_tree/relationships[i]/full_product_name/product_identification_helper/sbom_urls see E.1
/product_tree/relationships[i]/full_product_name/product_identification_helper/sbom_urls[] see E.1
/product_tree/relationships[i]/full_product_name/product_identification_helper/serial_numbers see E.1
/product_tree/relationships[i]/full_product_name/product_identification_helper/serial_numbers[] see E.1
/product_tree/relationships[i]/full_product_name/product_identification_helper/skus see E.1
/product_tree/relationships[i]/full_product_name/product_identification_helper/skus[] see E.1
/product_tree/relationships[i]/full_product_name/product_identification_helper/x_generic_uris see E.1
/product_tree/relationships[i]/full_product_name/product_identification_helper/x_generic_uris[] see E.1
/product_tree/relationships[i]/full_product_name/product_identification_helper/x_generic_uris[]/namespace see parent
/product_tree/relationships[i]/full_product_name/product_identification_helper/x_generic_uris[]/uri see parent
/product_tree/relationships[i]/product_reference /cvrf:cvrfdoc/prod:ProductTree/prod:Relationship[i+1]/@ProductReference
/product_tree/relationships[i]/relates_to_product_reference /cvrf:cvrfdoc/prod:ProductTree/prod:Relationship[i+1]/@RelatesToProductReference
/vulnerabilities /cvrf:cvrfdoc/vuln:Vulnerability
/vulnerabilities[i] /cvrf:cvrfdoc/vuln:Vulnerability[i+1]
/vulnerabilities[i]/acknowledgments /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:Acknowledgments
/vulnerabilities[i]/acknowledgments[j] /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:Acknowledgments/vuln:Acknowledgment[j+1]
/vulnerabilities[i]/acknowledgments[j]/names /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:Acknowledgments/vuln:Acknowledgment[j+1]/vuln:Name
/vulnerabilities[i]/acknowledgments[j]/names[k] /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:Acknowledgments/vuln:Acknowledgment[j+1]/vuln:Name[k+1]/text()
/vulnerabilities[i]/acknowledgments[j]/organization /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:Acknowledgments/vuln:Acknowledgment[j+1]/vuln:Organization[1]/text() see E.2
/vulnerabilities[i]/acknowledgments[j]/summary /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:Acknowledgments/vuln:Acknowledgment[j+1]/vuln:Description/text()
/vulnerabilities[i]/acknowledgments[j]/urls /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:Acknowledgments/vuln:Acknowledgment[j+1]/vuln:URL
/vulnerabilities[i]/acknowledgments[j]/urls[k] /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:Acknowledgments/vuln:Acknowledgment[j+1]/vuln:URL[k+1]/text()
/vulnerabilities[i]/cve /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:CVE/text()
/vulnerabilities[i]/cwe /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:CWE
/vulnerabilities[i]/cwe/id /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:CWE/@ID
/vulnerabilities[i]/cwe/name /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:CWE/text()
/vulnerabilities[i]/discovery_date /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:DiscoveryDate/text()
/vulnerabilities[i]/id /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:ID
/vulnerabilities[i]/id/system_name /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:ID/@SystemName
/vulnerabilities[i]/id/text /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:ID/text()
/vulnerabilities[i]/involvements /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:Involvements
/vulnerabilities[i]/involvements[j] /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:Involvements/vuln:Involvement[j+1]
/vulnerabilities[i]/involvements[j]/date see E.1
/vulnerabilities[i]/involvements[j]/party /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:Involvements/vuln:Involvement[j+1]/@Party
/vulnerabilities[i]/involvements[j]/status /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:Involvements/vuln:Involvement[j+1]/@Status
/vulnerabilities[i]/involvements[j]/summary /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:Involvements/vuln:Involvement[j+1]/vuln:Description/text()
/vulnerabilities[i]/notes /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:Notes
/vulnerabilities[i]/notes[j] /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:Notes/vuln:Note[j+1]
/vulnerabilities[i]/notes[j]/audience /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:Notes/vuln:Note[j+1]/@Audience
/vulnerabilities[i]/notes[j]/category /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:Notes/vuln:Note[j+1]/@Type
/vulnerabilities[i]/notes[j]/text /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:Notes/vuln:Note[j+1]/text()
/vulnerabilities[i]/notes[j]/title /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:Notes/vuln:Note[j+1]/@Title
/vulnerabilities[i]/product_status /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:ProductStatuses
/vulnerabilities[i]/product_status/first_affected /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:ProductStatuses/vuln:Status[@Type="First Affected"]
/vulnerabilities[i]/product_status/first_affected[j] /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:ProductStatuses/vuln:Status[@Type="First Affected"]/vuln:ProductID[j+1]
/vulnerabilities[i]/product_status/first_fixed /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:ProductStatuses/vuln:Status[@Type="First Fixed"]
/vulnerabilities[i]/product_status/first_fixed[j] /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:ProductStatuses/vuln:Status[@Type="First Fixed"]/vuln:ProductID[j+1]
/vulnerabilities[i]/product_status/fixed /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:ProductStatuses/vuln:Status[@Type="Fixed"]
/vulnerabilities[i]/product_status/fixed[j] /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:ProductStatuses/vuln:Status[@Type="Fixed"]/vuln:ProductID[j+1]
/vulnerabilities[i]/product_status/known_affected /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:ProductStatuses/vuln:Status[@Type="Known Affected"]
/vulnerabilities[i]/product_status/known_affected[j] /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:ProductStatuses/vuln:Status[@Type="Known Affected"]/vuln:ProductID[j+1]
/vulnerabilities[i]/product_status/known_not_affected /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:ProductStatuses/vuln:Status[@Type="Known Not Affected"]
/vulnerabilities[i]/product_status/known_not_affected[j] /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:ProductStatuses/vuln:Status[@Type="Known Not Affected"]/vuln:ProductID[j+1]
/vulnerabilities[i]/product_status/last_affected /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:ProductStatuses/vuln:Status[@Type="Last Affected"]
/vulnerabilities[i]/product_status/last_affected[j] /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:ProductStatuses/vuln:Status[@Type="Last Affected"]/vuln:ProductID[j+1]
/vulnerabilities[i]/product_status/recommended /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:ProductStatuses/vuln:Status[@Type="Recommended"]
/vulnerabilities[i]/product_status/recommended[j] /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:ProductStatuses/vuln:Status[@Type="Recommended"]/vuln:ProductID[j+1]
/vulnerabilities[i]/product_status/under_investigation see E.1
/vulnerabilities[i]/product_status/under_investigation[] see E.1
/vulnerabilities[i]/references /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:References
/vulnerabilities[i]/references[j] /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:References/vuln:Reference[j+1]
/vulnerabilities[i]/references[j]/category /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:References/vuln:Reference[j+1]/@Type
/vulnerabilities[i]/references[j]/summary /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:References/vuln:Reference[j+1]/vuln:Description/text()
/vulnerabilities[i]/references[j]/url /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:References/vuln:Reference[j+1]/vuln:URL/text()
/vulnerabilities[i]/release_date /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:ReleaseDate/text()
/vulnerabilities[i]/remediations /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:Remediations
/vulnerabilities[i]/remediations[j] /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:Remediations/vuln:Remediation[j+1]
/vulnerabilities[i]/remediations[j]/category /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:Remediations/vuln:Remediation[j+1]/@Type see E.2
/vulnerabilities[i]/remediations[j]/date /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:Remediations/vuln:Remediation[j+1]/@Date
/vulnerabilities[i]/remediations[j]/details /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:Remediations/vuln:Remediation[j+1]/vuln:Description/text()
/vulnerabilities[i]/remediations[j]/entitlements /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:Remediations/vuln:Remediation[j+1]/vuln:Entitlement
/vulnerabilities[i]/remediations[j]/entitlements[] /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:Remediations/vuln:Remediation[j+1]/vuln:Entitlement[k+1]/text()
/vulnerabilities[i]/remediations[j]/group_ids /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:Remediations/vuln:Remediation[j+1]/vuln:GroupID
/vulnerabilities[i]/remediations[j]/group_ids[k] /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:Remediations/vuln:Remediation[j+1]/vuln:GroupID[k+1]/text()
/vulnerabilities[i]/remediations[j]/product_ids /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:Remediations/vuln:Remediation[j+1]/vuln:ProductID
/vulnerabilities[i]/remediations[j]/product_ids[k] /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:Remediations/vuln:Remediation[j+1]/vuln:ProductID[k+1]/text()
/vulnerabilities[i]/remediations[j]/restart_required see E.1
/vulnerabilities[i]/remediations[j]/restart_required/category see parent
/vulnerabilities[i]/remediations[j]/restart_required/details see parent
/vulnerabilities[i]/remediations[]/url /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:Remediations/vuln:Remediation[j+1]/vuln:URL/text()
/vulnerabilities[i]/scores /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:CVSSScoreSets
/vulnerabilities[i]/scores[] see E.1, E.2
/vulnerabilities[i]/scores[n]/cvss_v2 /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:CVSSScoreSets/vuln:ScoreSetV2[k] see E.2
/vulnerabilities[i]/scores[n]/cvss_v2/version see E.1
/vulnerabilities[i]/scores[n]/cvss_v2/vectorString /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:CVSSScoreSets/vuln:ScoreSetV2[j]/vuln:VectorV2/text()
/vulnerabilities[i]/scores[n]/cvss_v2/accessVector see E.1
/vulnerabilities[i]/scores[n]/cvss_v2/accessComplexity see E.1
/vulnerabilities[i]/scores[n]/cvss_v2/authentication see E.1
/vulnerabilities[i]/scores[n]/cvss_v2/confidentialityImpact see E.1
/vulnerabilities[i]/scores[n]/cvss_v2/integrityImpact see E.1
/vulnerabilities[i]/scores[n]/cvss_v2/availabilityImpact see E.1
/vulnerabilities[i]/scores[n]/cvss_v2/baseScore /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:CVSSScoreSets/vuln:ScoreSetV2[j]/vuln:BaseScoreV2/text()
/vulnerabilities[i]/scores[n]/cvss_v2/exploitability see E.1
/vulnerabilities[i]/scores[n]/cvss_v2/remediationLevel see E.1
/vulnerabilities[i]/scores[n]/cvss_v2/reportConfidence see E.1
/vulnerabilities[i]/scores[n]/cvss_v2/temporalScore /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:CVSSScoreSets/vuln:ScoreSetV2[j]/vuln:TemporalScoreV2/text()
/vulnerabilities[i]/scores[n]/cvss_v2/collateralDamagePotential see E.1
/vulnerabilities[i]/scores[n]/cvss_v2/targetDistribution see E.1
/vulnerabilities[i]/scores[n]/cvss_v2/confidentialityRequirement see E.1
/vulnerabilities[i]/scores[n]/cvss_v2/integrityRequirement see E.1
/vulnerabilities[i]/scores[n]/cvss_v2/availabilityRequirement see E.1
/vulnerabilities[i]/scores[n]/cvss_v2/environmentalScore /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:CVSSScoreSets/vuln:ScoreSetV2[j]/vuln:EnvironmentalScoreV2/text() see E.1
/vulnerabilities[i]/scores[n]/cvss_v3 /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:CVSSScoreSets/vuln:ScoreSetV3[k] see E.2
/vulnerabilities[i]/scores[n]/cvss_v3/version see E.1
/vulnerabilities[i]/scores[n]/cvss_v3/vectorString /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:CVSSScoreSets/vuln:ScoreSetV3[k]/vuln:VectorV3/text()
/vulnerabilities[i]/scores[n]/cvss_v3/attackVector see E.1
/vulnerabilities[i]/scores[n]/cvss_v3/attackComplexity see E.1
/vulnerabilities[i]/scores[n]/cvss_v3/privilegesRequired see E.1
/vulnerabilities[i]/scores[n]/cvss_v3/userInteraction see E.1
/vulnerabilities[i]/scores[n]/cvss_v3/scope see E.1
/vulnerabilities[i]/scores[n]/cvss_v3/confidentialityImpact see E.1
/vulnerabilities[i]/scores[n]/cvss_v3/integrityImpact see E.1
/vulnerabilities[i]/scores[n]/cvss_v3/availabilityImpact see E.1
/vulnerabilities[i]/scores[n]/cvss_v3/baseScore /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:CVSSScoreSets/vuln:ScoreSetV3[k]/vuln:BaseScoreV3/text()
/vulnerabilities[i]/scores[n]/cvss_v3/baseSeverity see E.1
/vulnerabilities[i]/scores[n]/cvss_v3/exploitCodeMaturity see E.1
/vulnerabilities[i]/scores[n]/cvss_v3/remediationLevel see E.1
/vulnerabilities[i]/scores[n]/cvss_v3/reportConfidence see E.1
/vulnerabilities[i]/scores[n]/cvss_v3/temporalScore /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:CVSSScoreSets/vuln:ScoreSetV3[k]/vuln:TemporalScoreV3/text()
/vulnerabilities[i]/scores[n]/cvss_v3/temporalSeverity see E.1
/vulnerabilities[i]/scores[n]/cvss_v3/confidentialityRequirement see E.1
/vulnerabilities[i]/scores[n]/cvss_v3/integrityRequirement see E.1
/vulnerabilities[i]/scores[n]/cvss_v3/availabilityRequirement see E.1
/vulnerabilities[i]/scores[n]/cvss_v3/modifiedAttackVector see E.1
/vulnerabilities[i]/scores[n]/cvss_v3/modifiedAttackComplexity see E.1
/vulnerabilities[i]/scores[n]/cvss_v3/modifiedPrivilegesRequired see E.1
/vulnerabilities[i]/scores[n]/cvss_v3/modifiedUserInteraction see E.1
/vulnerabilities[i]/scores[n]/cvss_v3/modifiedScope see E.1
/vulnerabilities[i]/scores[n]/cvss_v3/modifiedConfidentialityImpact see E.1
/vulnerabilities[i]/scores[n]/cvss_v3/modifiedIntegrityImpact see E.1
/vulnerabilities[i]/scores[n]/cvss_v3/modifiedAvailabilityImpact see E.1
/vulnerabilities[i]/scores[n]/cvss_v3/environmentalScore /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:CVSSScoreSets/vuln:ScoreSetV3[k]/vuln:EnvironmentalScoreV3/text()
/vulnerabilities[i]/scores[n]/cvss_v3/environmentalSeverity see E.1
/vulnerabilities[i]/scores[n]/products /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:CVSSScoreSets/vuln:ScoreSetV2[j]/vuln:ProductID or /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:CVSSScoreSets/vuln:ScoreSetV3[k]/vuln:ProductID see E.2
/vulnerabilities[i]/scores[n]/products[l] /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:CVSSScoreSets/vuln:ScoreSetV2[j]/vuln:ProductID[l+1]/text() or /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:CVSSScoreSets/vuln:ScoreSetV3[k]/vuln:ProductID[l+1]/text() see E.2
/vulnerabilities[i]/threats /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:Threats
/vulnerabilities[i]/threats[j] /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:Threats/vuln:Threat[j+1]
/vulnerabilities[i]/threats[j]/category /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:Threats/vuln:Threat[j+1]/@Type
/vulnerabilities[i]/threats[j]/date /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:Threats/vuln:Threat[j+1]/@Date
/vulnerabilities[i]/threats[j]/details /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:Threats/vuln:Threat[j+1]/vuln:Description/text()
/vulnerabilities[i]/threats[j]/group_ids /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:Threats/vuln:Threat[j+1]/vuln:GroupID
/vulnerabilities[i]/threats[j]/group_ids[k] /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:Threats/vuln:Threat[j+1]/vuln:GroupID[k+1]/text()
/vulnerabilities[i]/threats[j]/product_ids /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:Threats/vuln:Threat[j+1]/vuln:ProductID
/vulnerabilities[i]/threats[j]/product_ids[k] /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:Threats/vuln:Threat[j+1]/vuln:ProductID[k+1]/text()
/vulnerabilities[i]/title /cvrf:cvrfdoc/vuln:Vulnerability[i+1]/vuln:Title/text()