scores to metrics and add source as optional property #761

Merged
merged 10 commits into from
Aug 9, 2024

tschmidtb51
Contributor

  • resolves Feature request: Add source (reference) to CVSS #624
  • rename scores to metrics
  • add new level content to group scores (and metrics)
  • add source as URI
  • adapt prose to reflect schema
  • adapt examples to reflect changed schema
  • adapt test files to reflect current schema

- addresses parts of oasis-tcs#341
- backport testfiles for 6.1.8 from CSAF 2.1
- addresses parts of oasis-tcs#754, oasis-tcs#341
- add valid testfile for 6.1.8 in CSAF 2.0 and CSAF 2.1 that does not contain CVSS
- addresses parts of oasis-tcs#754
- fix copy paste error (wrong filenames)
- addresses parts of oasis-tcs#624
- rename scores to metrics
- add new level `content` to group scores (and metrics)
- add `source` as URI
- addresses parts of oasis-tcs#624
- adopt prose in section 3 to reflect schema
- addresses parts of oasis-tcs#624
- adopt prose in other sections to reflect schema
- addresses parts of oasis-tcs#624
- adapt examples to reflect changed schema
- addresses parts of oasis-tcs#624
- adapt testfiles to reflect current schema
@tschmidtb51 tschmidtb51 added the csaf 2.1 csaf 2.1 work label Jul 31, 2024
@tschmidtb51 tschmidtb51 requested a review from sthagen July 31, 2024 16:52
@tschmidtb51 tschmidtb51 self-assigned this Jul 31, 2024
Contributor

@sthagen sthagen left a comment

LGTM.

@tschmidtb51 tschmidtb51 linked an issue Jul 31, 2024 that may be closed by this pull request
Contributor

@mprpic mprpic left a comment

Could the motivation behind the change from scores to metrics be documented in this PR or the associated issue? I understand why it's being renamed but not everyone may be familiar with the context leading to this change.

"title": "Source",
"description": "Contains the URL of the source that originally determined the metric.",
"type": "string",
"format": "uri"
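
Review bot: The description on the second line says "Contains the URL of the source" while the last line declares "format": "uri", so the prose is narrower than the constraint. Either word the description as "URI", or, if only resolvable web locations are intended, state that explicitly, since a consumer reading the description will expect something it can dereference.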
Contributor

Does it make sense to restrict this to URIs? The initial feature request notes "...add an optional source (or reference)", which makes me believe that setting this to an arbitrary text value is also desired.

Contributor

I am not using this currently, but URLs might be more meaningful for consumers than general text, no? Something more like an identifier that one could build hard relational analysis on, kind of.

Contributor

@jaccoNCSCNL, any preference from you since you originally requested this feature?

Contributor Author

As our goal should be automation, I'm quite hesitant to add generic text... As a source does not fall out of the sky, I think a URL is a reasonable choice. (It would have also been a URL if we choose to implement it via references).

@tschmidtb51
Contributor Author

> Could the motivation behind the change from scores to metrics be documented in this PR or the associated issue? I understand why it's being renamed but not everyone may be familiar with the context leading to this change.

Sure. I should have done that right away - there are mainly 2 reasons:

  1. It aligns with other schemas in the space (e.g. CVE).
  2. Metrics seems to be a more generic term and allows for later addition of other metrics that are not necessarily scores (e.g. SSVC).
  3. The keyword change allows CSAF viewers to support CSAF 2.1 with small additions of code, without having to branch on the CSAF version used.
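
The consumer-side handling that the third reason and the URI discussion above point at, as an added example that is not part of this pull request or the CSAF project's code: one reader that accepts both the CSAF 2.0 `scores` layout and the CSAF 2.1 `metrics`/`content` layout without checking the document version, and refuses a `source` that is not a URI. The sample documents are constructed, `is_uri` and `collect_cvss` are hypothetical names, and the `products` and `cvss_v2`/`cvss_v3`/`cvss_v4` keys and the placement of `source` beside `content` are assumptions about the schema.

```python
from urllib.parse import urlparse

CVSS_KEYS = ("cvss_v2", "cvss_v3", "cvss_v4")

# Constructed samples, trimmed to the fields used here.
VULN_20 = {"scores": [
    {"products": ["CSAFPID-0001"],
     "cvss_v3": {"version": "3.1", "baseScore": 9.8}}]}
VULN_21 = {"metrics": [
    {"products": ["CSAFPID-0001"],
     "source": "https://example.com/advisories/placeholder",
     "content": {"cvss_v3": {"version": "3.1", "baseScore": 9.8}}},
    {"products": ["CSAFPID-0002"],
     "source": "vendor statement",  # free text: not a URI
     "content": {"cvss_v3": {"version": "3.1", "baseScore": 5.3}}}]}


def is_uri(value):
    """Rough stand-in for JSON Schema format "uri": scheme present, no whitespace."""
    if not isinstance(value, str) or any(ch.isspace() for ch in value):
        return False
    parts = urlparse(value)
    return bool(parts.scheme) and bool(parts.netloc or parts.path)


def collect_cvss(vuln):
    """Return (rows, problems); rows are (product, cvss_key, base_score, source)."""
    rows, problems = [], []
    # CSAF 2.0: CVSS objects sit directly in each "scores" entry, no source.
    entries = [(e, e, None) for e in vuln.get("scores", [])]
    # CSAF 2.1: CVSS objects are grouped under "content"; "source" is optional.
    entries += [(e, e.get("content", {}), e.get("source"))
                for e in vuln.get("metrics", [])]
    for entry, content, source in entries:
        if source is not None and not is_uri(source):
            problems.append(f"source is not a URI: {source!r}")
            source = None  # do not pass free text on as a link target
        for key in CVSS_KEYS:
            if key in content:
                for product in entry.get("products", []):
                    rows.append((product, key, content[key].get("baseScore"), source))
    return rows, problems
```
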

@santosomar
Contributor

A motion has been started and seconded at: https://groups.oasis-open.org/discussion/motion-for-761

If no objection received before 2024-08-07 23:00 UTC this motion will automatically carry.

@tschmidtb51 tschmidtb51 merged commit 6813142 into oasis-tcs:editor-revision-2024-07-31 Aug 9, 2024
10 checks passed
@santosomar
Contributor

The motion to accept the pull request as suggested in https://github.com/oasis-tcs/csaf/pull/761 and include it into CSAF 2.1, has passed. https://groups.oasis-open.org/discussion/motion-for-761
