Clarify Use of Identifiers #14
Comments
There is a semantic difference between identifying something as part of a reference, such as a reference to a CVE ID, CPE, SWID, or URL, and an identifier for a specific object in the vulntology. In the latter case it may be useful to uniquely identify a specific scenario, action, impact or barrier in a vulntology record instance. At the moment, a specific scenario, action, impact or barrier is handled through a relationship, and the identity of the specific object being referenced in this relationship is anonymous. We do not have a specific representational form(s) defined yet for the Vulntology. A given representational form (e.g., XML, JSON, RDF, etc.) would have to handle object identification in a way that is useful to that form. In the case of a hierarchical representation (e.g., XML, JSON) ordinal position may work. In the case of a graph (e.g., RDF), GUIDs may be useful for identifying objects. We are going to need to think through how best to describe this. One way would be to add some conceptual text in the explanation.md stating that the Vulntology definition is an abstract definition of the ontology, and that specific representational concepts need to be addressed in a specific representational form. Would this work?
Adding conceptual text would help. But, if the identifier is not required, or is simply inferred from the relationships or the representational form, then can we just omit the -identifier from the object? It serves no purpose and adds no value.
The changes listed above have removed the references to identifiers that are being called out. We may still want to approach this in the future when establishing the representational form, but for the sake of discussion it should no longer look as though we have ignored explaining an important component.
It appears that all objects have identifiers. For some objects, the meaning of identifier is clear. For example Vulnerability and Known Chain use CVE ID, Product uses CPE, Provenance uses URL, etc.
However, for other objects it is unclear what the identifier would be: Scenario, Action, Impact, Barrier.
Are these identified by ordinal/sequence (1, 2, 3, etc.) within the parent object? E.g., Action 2 within Scenario 3
Maybe this should be treated in explanation.md.