Clarify Use of Identifiers #14

Closed
harold-owen opened this issue Aug 2, 2018 · 3 comments

@harold-owen
Collaborator

It appears that all objects have identifiers. For some objects, the meaning of identifier is clear. For example, Vulnerability and Known Chain use CVE ID, Product uses CPE, Provenance uses URL, etc.

However, for other objects it is unclear what the identifier would be: Scenario, Action, Impact, Barrier.

Are these identified by ordinal/sequence (1, 2, 3, etc.) within the parent object? E.g., Action 2 within Scenario 3.

Maybe this should be treated in explanation.md.

@harold-owen harold-owen added the question Further information is requested label Aug 2, 2018
@david-waltermire
Collaborator

There is a semantic difference between identifying something as part of a reference, such as a reference to a CVE ID, CPE, SWID, or URL, and an identifier for a specific object in the vulntology. In the latter case, it may be useful to uniquely identify a specific scenario, action, impact or barrier in a vulntology record instance. At the moment, a specific scenario, action, impact or barrier is handled through a relationship, and the identity of the specific object being referenced in this relationship is anonymous. We do not have a specific representational form(s) defined yet for the Vulntology. A given representational form (e.g., XML, JSON, RDF, etc.) would have to handle object identification in a way that is useful to that form. In the case of a hierarchical representation (e.g., XML, JSON), ordinal position may work. In the case of a graph (e.g., RDF), GUIDs may be useful for identifying objects.

We are going to need to think through how best to describe this. One way would be to add some conceptual text in the explanation.md stating that the Vulntology definition is an abstract definition of the ontology, and that specific representational concepts need to be addressed in a specific representational form. Would this work?

@harold-owen
Collaborator Author

Adding conceptual text would help. But, if the identifier is not required, or is simply inferred from the relationships or the representational form, then can we just omit the -identifier from the object? It serves no purpose and adds no value.

Chris-Turner-NIST added a commit that referenced this issue Aug 31, 2018
…ns of type/subtype/values/properties. Also added changes to handle issues #3, #15, #9, #16 and #14
@Chris-Turner-NIST
Collaborator

The changes listed above have removed the references to identifiers that are being called out. We may still want to approach this in the future when establishing the representational form, but for the sake of discussion it should no longer look as though we have ignored explaining an important component.
